Monday, November 05, 2007


Pam throws ground turkey, albeit oh so politely
"I apologize for continually throwing rocks at other people’s glass houses"

I see no glass (which, I admit, is sort of a defining characteristic of the 'glass house' phenomenon) and I think Pam's aim is off - she just splattered the big plate glass window of the Joneses next door.

She challenges my claim/assertion that a self-asserted card can create only technical confidence, and not legal or business confidence.
"I see absolutely no reason why I would hesitate to associate a self-issued information card ... If I read Paul’s taxonomy correctly, there would be technical confidence but no legal confidence, even though I as an end user do indeed have a contract with my bank."

But my arguments were expressed in terms of the level of assurance that the RP can ascribe to the authentication - not whatever the user can. It's not the user that may think differently about the comparative assurance made possible by a 3rd party IdP, it's the RP (99.8% of users will be completely oblivious to the fact that they are even different).

And while yes, there may well be a contract between the self-asserted-card-presenting user and the RP, am I naive in thinking that an RP protecting sensitive and/or valuable resources, one worrying about potential damages should a spurious authentication occur, one for which authentication & associated management is not a core capability, might rather rely on a contract with a business entity that had a bank account balance not determined by the ebb & flow of monthly mortgage & car payments?

Would it help if I drew my business confidence diagram such that there was a non-zero amount of assurance for self-asserted cards? But that I maintained the potential advantage that a card managed by a 3rd party IdP can provide?

With respect to Pam's other stone,
"Let’s go past an authentication-only scheme and say that my bank will trust everything I assert from my self-issued card. That boils down to contact information — the same stuff that many websites let me change already."

I have never attempted to extend the argument beyond authentication to attributes. As Pam points out, attributes introduce a whole different set of issues around sourcing & verification.

Pam closes off with

"there is certainly no reason to malign either card mechanism until proof exists that either one is more vulnerable than the other"

I guess this is for Gerry because I was in no way trying to malign self-asserted cards, merely pointing out that introducing a 3rd party into the mix (through a managed card) makes possible (but does not guarantee) a higher level of assurance for the RP (through business constructs like a "good ol' fashioned I'll sue the a$% off you if you break it" contract). Heck, I like self-asserted cards, some of my best friends are self-asserted.

Pam, I hope you have insurance - the Joneses are very litigious. :-)

And of course, the privacy characteristics of self-asserted vs managed cards are a completely different issue. But that doesn't stop Ben from trotting it out. I must get 'Liberty Dude' added to my business cards (the self-asserted ones).


Pamela said...

Hi Paul!

When I noted that I as an end user happen to have a contract with my bank, the goal was not to talk about end user assurance, but instead to point out that the RP has a contract with the Identity Provider, no matter which kind of card is used. Sure, one of the two types of Identity Providers may have mortgage payments, but the other kind of Identity Providers will most likely have a team of very expensive lawyers.

So - what kind of spurious authentications do you see leading to a lawsuit big enough that it would be worth an RP suing the IdP? The only ones I can see as likely are cases where the IdP was negligent --- but wait, if users are allowed to use self-issued cards, then there is no IdP to become negligent in the first place...

BTW I have a deal for you: I'll wear a nametag at IIW that says "Mindy" if you'll wear a nametag there that says "Liberty Dude" :)


Eric Norman said...

This is starting to be fun!

Allow me to offer a technical respite. In Paul's graph of technical confidence, the line from self-asserted to managed should descend. I.e. managed cards provide less technical confidence than self-asserted.

With managed cards, there are more messages being sent around, there's more data that must be protected, there are more parties involved. In other words, there's more machinery that must operate correctly. Which means far more things that can go wrong; hence, less confidence.

I'll return you now to the identity community's version of Meerkat Manor.