Tuesday, September 30, 2008

All dressed up

Kumbaya



Someone's singing.

VRM Humour

Update:  http://cyber.law.harvard.edu/lists/arc/projectvrm/2008-10/msg00000.html

Three VRMers go discuss going into a bar.

Security geniuses they're not

Mensa's member login page hilites a less than secure password reminder mechanism


They send out passwords in a magazine.

I'm tired of waiting

for the identity metasystem to come.

I'm gonna upload this photo, and make me one of my own.



I think I'll make it in blue - a nice big blue.

Monday, September 29, 2008

Not drawn to scale

What, Excel not good enough for you?

A specialized social network.

I wonder if you could import a Google bidness time calendar. Otherwise, it sounds like it would be just too much effort tracking events across all the silos ( well at least for me, probably not so much an issue for my typical readers).

I expect the invitations to 'join my network' would have a similar success rate to existing modalities.

Doctors discover gene for 'Login paralysis'

Two Topeka-based scientists of the Login Dynamics Laboratory have announced that they have discovered the gene responsible for 'Login Paralysis syndrome' - a neuromuscular condition first identified in lab rats but more and more common amongst the human web-surfing population. When confronted by confusing Web login UI, those affected by the gene suffer symptoms such as catatonia, excessive sweating, and twitching of the mouse hand.

According to the research, the fault is in the gene of the protein kinase A of chromosome 17. The mutation increases the quantity of cortisol in the blood, this increased cortisol resulting in the typical symptoms when patients face non-intuitive user interfaces for logging in to Web sites. 

"It's a horrible condition, absolutely debilitating", said Eugene Swan, PR Director for the Laboratory. "Suffererers can't do their online banking,  make online purchases, or, God help them, even update their Twitter status. We thought we had a handle on it, but then federated identity comes along and numbers of patients just explode. We now think that these high numbers of patients have always been there, we just weren't aware of the full extent of the problem because the gene doesn't manifest itself fully till those patients try to decipher some of the user interfaces for federated log-in."

When asked about the prevalence of the anomalous gene amongst the population, head researcher Dr Adam Ventner responded 'Oh, it's 100%. Everybody has it. Except the Inuit, we're not sure why'.

Work begins on a vaccine.

Friday, September 26, 2008

Cost benefit analysis for SP relationships

Today's identity reality has users pay a large up-front cost (in their effort) when establishing a relationship with an SP, the value of that relationship only to be (hopefully) realized in the future. Kinda like front-loading in mutual funds (but without bailouts). Users have to decide too early, and based on insufficient data, whether a relationship will be net positive at some point.

Federated (in the inclusive sense) models can enable a cost curve that more closely matches the expected/hoped for value curve.


The up-front costs are minimized relative to today's model.

The relationship may still go sour (or prove of little value), but the user won't have invested as much sweat equity in it.

Your financial advisor will of course make their commission either way.

Award for Best Phish URL

And the winner is

http://commercial.wachovia.online.financial.service.renewmirror.1x8qkzwirljheg1.ptcontrol.onlineupdate.mbeioes.com

Congratulations to our friends at mbeioes.com

Fence straddling

Microsoft HealthVault accepts OpenID login from two specific OPs, Verisign and TrustBearer. All good, it's the RP's prerogative.

But they seem strangely ambivalent about their choice


Important: Microsoft doesn't provide OpenIDs and doesn't endorse OpenID or any particular OpenID provider.

if Microsoft's saying 'we will work with these OPs' is not an endorsement, what is it? I have to believe that Verisign and TrustBearer think of it that way.

3D persona management

Axel's drag-and-drop for cards makes me think something like this will eventually be relevant.

Bump one card into another to create a hybrid persona. Cut one in half to split. Drag an opaque screen over a card to change its privacy characteristics. Make a default card the largest.

Marketer's Dilemma

The Assurance Game

Thursday, September 25, 2008

Complaints Department

Update: crossed some items off

As I go about my day, I often see things that make me think 'I should complain about that to someone'. Subsequently, with a decreased ire level, I almost always forget about the issue and never actually send the complaint.

But how can people improve if they don't know how they are disappointing me?

In hindsight, perhaps I should not have been surprised that maintaining a list on the fridge for the 'household' category of complaints was not strategic. So why can I not track my complaints online? Existing services are too geared towards consumers, but the things that irritate me cover all aspects of life.

Until such time as there is an online service, here is the first cut at a list by which I will track my undelivered complaints.
  1. the kid who is delivering the weekly community newspaper is leaving the plastic bundle ties on the street
  2. lackadaisical 'clicking' from readers of this blog has ensured that my Adsense revenue has yet to make a trip south possible.
  3. I have to walk through clouds of employee smoke to get into the local grocery store.
  4. nobody passes to me when I play hockey. How can I reach my goal-scoring potential without the puck?
  5. the drive through at the Tim Horton's is covered in litter
As the above complaints are delivered, I will cross them off the list (I guess I can already delete #2 ...).

Wednesday, September 24, 2008

Bad User! Bad!

It was gratifying to see George echo (in the sense of saying the same thing, but later) on the OpenID list the same concern I expressed for Google's proposed RP UI model for federated login.

I didn't find the Google response on the OpenID list particularly convincing - essentially that if the user does mistakenly give their IDP password to the RP, then the RP can just alert the user to this, and so teach them proper behaviour.

Warning: it seems that you have mistakenly provided us with your AOL password. When logging in to Buy.com through your AOL.com account, you should only present this password to AOL. To reinforce this lesson, please provide the following additional identity attributes in order to allow us to chastise you more completely.
- SSN
- Blood type
- Sexual Orientation

Could someone hand me that hammer please?

I have a dead horse here that needs some beating.

Does  'identity metasystem' not imply "a pluralism of operators and technologies"? Isn't this even almost a law?

If so, should a TC focused on a single (albeit important) identity technology claim within its name the 'meta' scope?
The OASIS Identity Metasystem Interoperability (IMI) Technical Committee will work to increase the quality and number of interoperable implementations of Information Cards
The IMI TC's mandate respects the 'pluralism of operators' required by the metasystem definition, but not the other piece.

Nb: Any comment that includes any combination of  'forgot SAML token' will be summarily rejected.

A Modest Proposal

I'm down to actively managing my social network in only 3 places - LinkedIn, Facebook, and Plaxo. It's fun and exciting to watch them battle it out.

I've mentally categorized the 3 different networks as, respectively
  1. where I connect to people that I might at some point in the future ask for a job
  2. where I connect to people who take photos, mistakenly think I care about their taste in music, and constantly update their statuses (stati?), and 
  3. the annoying 3rd one that I wish would go away
I expect that everybody has an  'SNS I'd lose if I could', (SILIIC) i.e. a network they are forced to maintain, not by choice based on their own criteria for functionality and value, but rather through the social pressure exerted on them through invites from that network. I'd love to lose Plaxo, but fear doing so because, in deleting the account, I might lose a connection maintained there and only there.

So, the problem isn't that there are too many social networks, but rather that there is no standardized mechanism by which 2 users can determine whether they share a SILIIC and could therefore safely drop it from their list.

If everybody were to list their social networks in a ranked metadata format, bots could crawl the links and suggest a path towards simplification, e.g. "You and Bob have both listed LinkedIn as your preferred SNS, you can safely ditch Plaxo."

This model allows users to continue to actively manage their social network in duplicate places (which they clearly enjoy) but keeps this number manageable, i.e. approximately 4-5.

Copy-editing

From Rajeev, Salesforce adds support for SAML 1.1 SSO.

From the post

Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms.

The first phrase suggests that SAML is an actual actor in SSO, rather than just a protocol. And even I wouldn't make the claim in the second. So, I humbly suggest the following re-write
Also, SAML is not used to send your user's passwords to Salesforce, so it can offer security, privacy, and management advantages compared to direct authentication mechanisms.

Tuesday, September 23, 2008

I just knew the models were overly simplistic!

Damn, damn, damn!

Despite my early successes in getting mice to authenticate, this casts doubt on my whole research program!

Now who will fund my attribute sharing trials?

A prescription for trouble

I went to my optometrist/optician to pick-up my prescription, with the intent of using it to buy contact lens online.

I was fully prepared to do battle over who owned the prescription, expecting some resistance from them to enabling my shopping around. A little bit of Googling Canadian Privacy Law, a couple of all-nighters writing up my argument, and I was ready.

In the end however, clearly sensing my determination and preparedness, they caved immediately - handing it over without even a token protest.

I don't envy somebody else in that situation lacking my grasp of the legal & identity issues.

Too much to hope for?

Subject: WARNING!!! VERIFY YOUR YAHOOMAIL ACCOUNT NOW

Dear Sarah Palin,

You are advise to verify your account details below to enable us upgrade your account. E.G Your YahooMail ID, Password, Date Of Birth etc.

In failure of doing this, you will Automatically lose your YahooMail Account.

Thanks for using YahooMail


VERIFY YOUR YAHOOMAIL ACCOUNT NOW TO AVOID IT BEING CLOSE!!!
Dear Sarah Palin,

This message is from YahooMail message center to all YahooMail account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused YahooMail account to create more space for new accounts.

To prevent your account from closing, you will have to verify it below before One (1) week from now!

VERIFY YOUR YAHOOMAIL ACCOUNT NOW TO AVOID CLOSE!!!

Click here to verify your YahooMail account!
Warning!!! Account owner that refuses to update his or her account before One (1) week of receiving this warning will lose his or her account permanently.

Sincerely,
YahooMail Team

Say hi to Dewey

As predicted, Andy's head bobs up above the surface.

Andy, this is somewhat embarrassing but I'm wondering if, in your new role, you might put in a good word for me with my local librarian in regards to some fines? I really thought I had returned the books. Thanks in advance.

And I really did have a librarian named Dewey in Grade 5.

Monday, September 22, 2008

Actually yes it does matter

From Simon Willison, Google research on login UI

Google is proposing a UI model for federated sign-in, and arguing that, user confusion notwithstanding, the model fails gracefully.

Fortunately, even though they are confused, nearly all users did enter their E-mail address and clicked the login button. As long as they do that, it does not matter whether they chose Yes or No in the UI, nor does it matter whether they typed a password.

If a user enters an @aol.com email address, they may feel it appropriate to enter their AOL password into the Buy.com UI.

And that will definitely matter.

Vittorio and me

Vittorio warns that a post listing the contents of a personal bookshelf contains no 'useful identity information'.

Au contraire my Redmond friend. Almost the first 3 books I saw on my own shelves were matches.


(Eternal Golden Braid's cover lost as a result of frequent 'frustration tosses' over the years).

These and other overlaps (e.g. Code Book, Linked, Black Swan, etc) in our reading identify Vittorio as a man of rare insight, intellect, and wit.

Vittorio, seeing your enthusiasm for narcissistic DNA, I feel safe recommending a story of retrograde motion.

Zune Privacy Policy

Playing around with Microsoft's Zune desktop software (I think I was #3 to download) I saw the following 'Privacy' tab.



The privacy policy linked to does not, of course, provide any Zune specific information, e.g. whether it is anonymized, aggregated, etc.

I do appreciate the implication that a user who opts out bears the responsibility for Microsoft software being less than it could be. Jeez, I just knew Vista's crashes were my fault.

Introductions

Shouldn't these folks be talking to these?

I saw no concept of authentication in the bill payment use case.

And without persona control, I can imagine some embarrassing photo-sharing scenarios. Not for myself of course, but others.

Thursday, September 18, 2008

I'm insulted

Received this this AM

Pardon me for not having the pleasure of knowing your
mindset before making you this offer and it is utterly
confidential and genuine by virtue of its nature.I write to solicit your
assistance in a funds transfer deal involving US$3.5M.This
fund has been stashed out of the excess profit made last year by my
branch office the International Commercial Bank which I am
the 

3.5M? C'mon, I don't get out bed for 3.5!

Wednesday, September 17, 2008

Why I have no friends

For any given possible contact, I can either send them an invite to connect, or not.

Should I send such an invite, they have the choice to accept, or decline.

The permutations are shown below, displaying whether or not we end up connected at the end.

 

Given that there are 3 possible ways for us to NOT get connected, against only 1 way for the connection to be established, I actually think its amazing I have any friends at all.

Monday, September 15, 2008

Not yet

Google's demo page for their SAML-based SSO does not yet reflect whatever fix they've implemented to address this vulnerability.

You can tell because the generated <Response> still doesn't include an InResponseTo attribute.


Of course, it is not Google that actually creates the <Response> message, they consume it. It is the partner IDPs that create the response (which, if they use Google's reference implementation of SAML won't avail themselves of the mechanisms SAML provides to scope an assertion to the intended audience.)

I wonder how the Google SP would deal with a <Response&g; from a conformant implementation?

The necessary conditions for the attack are not quite as simple as I first imagined
Now, any other SP off ering the very same SAML SSO solution as Google and attractive enough to convince the AI-Lab to include one of its remote services (e.g. free access to online scientific books) is able to mount the above attack and thus to impersonate any user of the AI-Lab IdP that accesses its resources at any Google Application.
So, the attacker has to set themselves up as a SAML SP (using Google's library) and then convince a good IdP to send some assertions its way with (as Conor points out and Jeff castigates him for) a name identifier within that Google wll recognize (and not expect only to see coming from the good IDP).

Related, Andreas lists SAML messages from a variety of implementations.

Census Sensitivity

I just listened to a story on CBC Radio about some Canadians who refused to fill out the 2006 Census, and are now facing the consequences of going against the Statistics Act.

Every person who, without lawful excuse,
 
(a) refuses or neglects to answer, or wilfully answers falsely, any question requisite for obtaining any information sought in respect of the objects of this Act or pertinent thereto that has been asked of him by any person employed or deemed to be employed under this Act, or

(b) refuses or neglects to furnish any information or to fill in to the best of his knowledge and belief any schedule or form that the person has been required to fill in, and to return the same when and as required of him pursuant to this Act, or knowingly gives false or misleading information or practises any other deception thereunder

is, for every refusal or neglect, or false answer or deception, guilty of an offence and liable on summary conviction to a fine not exceeding five hundred dollars or to imprisonment for a term not exceeding three months or to both. 1970-71-72, c. 15, s. 29.

For one of the accused interviewed by the CBC, the concerns were privacy (i.e. why are you asking me, what will you do with it, etc). The Liberty Alliance's Identity Governance Framework would allow StatsCan to answer these sorts of questions in a machine readable manner (perhaps relevant if more people object).

But we'd probably need to define a 'purpose' URI for
"whatever we feel like, we're the government dummy!"

For the other refusnik, the objection was moral. StatsCan had hired Lockheed Martin to create the program for processing the 2006 data and the accused felt he could not in good conscience support sending Canadian tax dollars to a (US-based) weapons manufacturer.

All the technology in the world won't help with this one.

Do not try this at home

Dick feels he has to leave the planet to satisfy his appetite for risk.

Myself, whenever I feel the urge to 'push the envelope' and break out of my 'comfort prison', I just click on a link in a manifestly phishy email to see where it takes me. Or even reuse a password. Once I ignored a browser warning about an untrusted cert.

Clearly not for everybody, but that's just how I roll.

Teaser

Naymz just notified me that somebody viewed my reputation profile there. Below is the associated free report.


Took me a while to sort my way through the depth of information. I honestly don't know how their business model can support them just giving away all this data.

To be fair to Google

it could be argued that the SAML Web Brwoser SSO profile isn't sufficiently clear on the processing of the InResponseTo attribute
Regardless of the SAML binding used, the service provider MUST do the following:

Verify that the InResponseTo attribute in the bearer equals the ID
of its original message,

Oh, well actually I guess that couldn't be argued.....

To Kim's credit, he places blame where it belongs.

My favourite line from the paper outlining the flaw in Google's implementation:
The protocol discussed above results from a considerable
e ffort we put into a careful scrutiny and interpretation of
the modular and open, but informal and bulky SAML 2.0
specifications.

I have some ideas for 'simplifying' the rail gauge standard. Off I go with my crowbar for some experiments on a local track.

The rumors of my injury have been greatly exaggerated

While touching, the expressions of best-wishes and fast healing I received after yesterday's post are based on an erroneous assumption, i.e. that I was actually injured.

I apologize for any confusion and what were surely some sleepless nights of worrying for my many friends and colleagues.

With respect to the level of assurance readers can confidently ascribe to my posts, I work on a 'best effort' model of truthfulness. Just call me 'Opey'.

Sunday, September 14, 2008

Had me in stitches

I cut the lawn yesterday wearing flip flops.

My wife gave me a hard time over it, citing the danger.

I explained that sometimes the actual security measures (e.g. steel-toed boots etc) applied were less important than understanding the risk profile created by whatever measures are in place, and then acting accordingly (e.g. keeping my feet well back, always pushing and never pulling, putting my drink down when starting the engine etc).

She was unconvinced but - let's be honest, she's not the security expert in the family right?

The emergency room doctor on the other hand seemed far more impressed with the principle.

Saturday, September 13, 2008

A bit extreme I'll grant you

but tasers could be appropriate for 'ensuring compliance' to the higher NIST 800 63 assurance levels.

Excuse me Mr. CEO of a Strong Authentication IdP, your identity proofing process has been determined to not meet the stipulated LoA criteria. Please prepare for punishment.

It would be immoral at Level 1 though. Shame on you for even thinking of it.

Friday, September 12, 2008

The Attribute

I bet if you did this for some user's identity attributes, you'd see everything draining down to Google headquarters like water in a tub. With occasional splashing.

Of course, it would spin the other way in the Southern Hemisphere.

Liberty Alliance releases the ID-WSF Relationship Service specification

Hey, we can spot a trend too


More seriously, Liberty People Service allows a user to manage (e.g. CRUD operations) their social relationships with their peers.

2nd Annual Liberty Alliance Tokyo Cup

I am happy to announce that, due to the unparalled lack of interest in the previous match, organizers have decided to put on the '2nd Annual Liberty Alliance Tokyo Cup', to be held following the November Liberty Alliance meetings in Tokyo Japan.

The match will take place Thursday November 6th. The location will not be announced till match day, to keep down the riff raff and papparazi.

Acknowledging that any football pitch sized piece of land in downtown Tokyo already has 6-7 office buildings and a temple, organizers have decided that the game will be a futsal match. Futsal is a fast-paced 5-a-side indoor variation of football, known for its exciting foot-work, quick passing and attractive referees.

Futsal has quickly become very popular amongst SAML & Liberty proponents. Fans of other football variations point to the fact that the rules run to 72 pages as a representative of the complexity and bloat of futsal, and advocate simpler alternatives. Indeed, games such as 'balancing on one foot' and 'standing around staring at each other' are very popular in some locales - typically those without the resources to buy balls, goal nets and other equipment.

Work is under way to reconcile these differences. Proponents of the various Somewhat Silly Football Variations (SSFV) recognize that, unless the community can present to the market a cohesive & integrated approach to SSFV , the viewing public will look elsewhere for entertainment, leaving the door open for competing sports - such as Somewhat Silly Cricket Variations (SSCV) like baseball. And nobody wants that to happen.

Organizers of the Liberty Tokyo match have announced a strict drug & alcohol policy, namely that all participants MUST  partake in one or the other - either during or directly following the match. Random urine testing of all participants is expected (beginning as of today).

Conor "One-Sock" Cahill, when asked whether he would be participating, responded 'Only if I can get an upgrade to First. Currently, I'm booked in business on a Triple 7 in from SFO, but I'm trying to switch that because I'm in seat 4A and I hate that seat because the power plug is about 2 inches too high and I have to unbuckle my seatbelt to reach it. I generally like 3F but the window shade was broken last time and the sun woke me up, even though I had taken my Ambien.'

Thursday, September 11, 2008

The only metric that matters

Notwithstanding my general level of scorn for Twitter, I do see its value when used to indirectly compliment me, as with Nishant's coverage of the DIDW panel I participated in with Mary Ruddy and Patrick Harding.
Conversation at the end of the session was the liveliest of any keynote/session I attended so far

The 'liveliness' that Nishant refers to pleased the presenters as well.

No thanks, I'm in a relationship

Should I ever be propositioned by an attractive lady (not the one with whom I cohabitate), I plan on using the above phrase to decline.

I would then follow up with an overview of Bob's relationship paradigm for identity. I expect that a 10-15 minute powerpoint presentation discussing the subtleties of relationship types, actors, and life cycle would both dampen any remnant ardor (I know it does for myself) and mitigate any embarassment the lady would be feeling at the rejection.

I do feel it's best to prepare for all eventualities - even those with no historical precedent.

Lipstick on a Pig

In his DIDW presentation, Conor showed how Cardspace's security characteristics could be enhanced if underpinned by the Intel Identity Capable Platform.

In the demo, a strong authentication token (one stored in a secure region of the client) was issued by the IdP & provisioned into the client - this happening in a session based on a username/password authentication.

So, a strong credential hinged off a weak credential.

Conor acknowledged the perverseness of this - if you issue a credential that purports to give greater assurance than a password, you shouldn't do based solely on a password authenticated session - in practice you would need to supplement the password authentication with extra security, e.g. challenge questions, or something out of band etc.

To use an analogy (certain to spike my readership, even if only till the US political process spits out some other triviality to focus on) you can put lipstick on a pig, but all you'll end up with is a cosmetically enhanced porker.

Similarly, you can plaster on the lipstick of strong authentication like Tammy Faye but, if you are smearing it onto a pig of an identity proofing procesess, you'll still be eating the bacon of low assurance ...

I'm tired of the analogy. And hungry.

Wednesday, September 10, 2008

Lonely People

I could make any number of identity analogies on the topic of how Andre, despite a long history between the two of us, failed to recognize me last night at the Ping party.

I could write about the tenous nature of trust, the challenges of biometrics, or the  ups and downs of relationships.

But for now, the pain is too fresh, the wound too raw.

I'll just sit here in the darkened hotel room, listening to my music.

Monday, September 08, 2008

Virtual Quill to Join IDTBD

Reading between the lines, it is clear Dave is on board. As (surely) the only journalist member of IDTBD, think of the scoops Dave will get.

He even (quickly) spins up 2 new groups for inclusion - YAUG and SOLA.

I'm putting the final touches on the charter of the nascent 'Yet Another Acronym Joke'.

Interop - Horizontal and Vertical Boxes

It's insight like this that keeps me employed

How rude!

English (and I venture all other languages) provides a range of mechanisms for its speakers by which they can pose a request of another in such a manner that both participant's face is protected. (By 'face' I mean that nebulous attribute that people have when they are not being embarrassed or their status is being diminished.)

For instance, 'Can I ask you you to pass the milk?'.

Because the speaker hasn't actually asked the listener for the milk, merely for permission to do so, their face need not automatically be impacted if the milk is not passed (by a presumably 'lactose intolerant' dining mate)- they can just pretend that that they didn't even really want the milk. 'Milk, who wants milk, not me!'.

And from the listener's PoV, their face is protected if they DO pass the milk - as the request was phrased so indirectly and not as a command, they won't appear to be a subservient flunky if they send the pitcher down the table.

We call these 'conversational best practices' being polite - 'rude' people (or communities) don't apply them, polite people (or communities) do.

I'd argue that, by this definition, the SAML protocol is rude, and WS-Federation is polite. A SAML RP comes right and and demands of the IdP that the user be authenticated with the <saml:AuthnRequest> message; a WS-Trust requestor, (who wants the same thing, poses their query in a more roundabout and indirect manner by asking for a token with the <wst:RequestSecurityToken>.

This is of course mere coincidence - I know some very polite SAML contributors, and some (well one) quite rude WS-Federation contributor.

Tact

n

  1. Acute sensitivity to what is proper and appropriate in dealing with others, including the ability to speak or act without offending.

Seems to me that a key part of tact is knowing what NOT to say.

IDPs should be tactful.

Sunday, September 07, 2008

What goes around ....

In a curiously abbreviated fashion, Nat wonders about PAPE vs AQE.

I have to say I'm surprised - I thought AQE was as dead as Passel or DIX.

There would, dare I say it, be a certain irony in functionality duplication in the assurance space within the OpenID world.

Dumb and dumber

There are lots of situations where its better to lack information
  • a sports fan who taped a game for later viewing, and actively resists learning the score
  • a couple choosing not to learn the sex of their unborn baby
  • a reader who makes her friends promise to not 'ruin the ending' of the book
  • manuscript reviewers not knowing the identities of the authors
  • juries not knowing the past criminal record of the accused 
So there is plenty of precedent for a service provider deciding not to bear the responsibility (and risk) of holding PII.

Saturday, September 06, 2008

Friday, September 05, 2008

First things first

In a comment, Axel asks how I will deal with claim conversion - his claim in metric, my policy expressed in Imperial.

I have an assertion from my government IdP that says that I am over 1,8 meters tall. Does the Concordia RP accept claims in meters per se or do you have an RP-STS that converts meter-claims to inch-claims. I fear that my assertion gets rejected.

-Axel

Axel, before we deal with prosaic matters such as 'units', we must confront the unfortunate reality of the  'assurance hurdle'. Gerry's recent posts gives me little reason to ascribe much assurance to a German IdP's assertions these days.

Might you be able to obtain a height claim from a Canadian IdP? They are generally accepted everywhere in the world (although admittedly they have been weakening lately against US height claims)

Or, if all else fails, simply self-assert?

Grade 1 IdM angst

My 6yr old daughter, on hearing that she would have 'Computer Lab' in Grade 1, in a voice filled with trepidation that cut straight to her Father's heart
'Will we haf' to log-on?'

I fully understand that you can't protect them from everything. But no 6yr old child should be exposed to credential management!  She can barely write her name! How is she supposed to use Post-Its? And how hard would it be run a dictionary attack on words that rhyme with 'cat'?

I'm sorry Sweetie, yes you will. But hang in there, things are changing.

I'm going to Disneyland!

well, actually as close to Disneyland as I ever want to get.

Coincidentally, for safety reasons you must be over 48 inches tall to attend the Project Concordia presentation Tuesday at 4.15. This will be strictly enforced.

Thursday, September 04, 2008

Eve needs an InterVENNtion

I see Corbin Benson as Lawyer1

Lawyer1: Good morning ladies, please have a seat.
Lawyer2: Thank you. Can we get to the point, I have a tee time in 50 minutes..
Lawyer1: Of course, I'm playing later as well. My client is interested in exploring the possibility of adding your client to his Plaxo Contacts. At this point we are just considering our options of course.....
Lawyer2: (sighs) Oh, so that's it...
Lawyer1: Pardon me? My client is a 'Big Name' in identity. I would have thought it would be quite a coup for your client to be added ...
Lawyer2: Well, my client gets quite alot of these sorts of invites. And many are, well let's just say, a little bit self-serving.
Client1: Self-serving! What's that supposed to mean? I don't host my own blog, I use .....
Lawyer1: (whispering to his client) Please! I'll do the talking .... (too other lawyer) Self-serving?
Lawyer2: Look, I'm sure your client is reasonably popular but let's be honest - mine is in a different league. I can show you her blog's numbers if you want. And so the value of any social connection would be highly skewed towards your client. Bottom line, what's in it for us?
Lawyer1: Skewed! You have got to be kidding. My client is very hooked-in, I mean, he even has an iName..
Lawyer2: And that impresses me how? That and 4 bucks will get me a Starbucks.
Client1: (indignantly) I'll have you know that iNames are built on XRI and are the future ...
Lawyer1: (under his breath to client) PLEASE!
Lawyer1: Forget the iName thing. But my client does twit - that has to be worth something.
Lawyer2: Do you mean tweets? Big deal, my garbageman tweets.
Lawyer1: OK, OK, lets take the tweeting thing off the table and talk numbers. I am authorized to offer the following - if your client accepts the invitation to connect, my client will link to 10 of your client's blog posts over the next 6 months.
Lawyer2: 20 posts.
Lawyer1: I can only go up to 15.
Lawyer2: (to client) OK, we're out of here, I think I can still make my tee time.
Lawyer1: OK, OK, 20 posts.
Lawyer2: And the link test has to be positive & approving. We'd want to see things like 'rare insight' or 'a wonderful wrap-up' etc.
Lawyer1: Sure sure, we'll have the associates work out a list of approved phrases later. But of course my client will want to maintain his 'blogging integrity'.
(all laugh)
Lawyer1: (still chuckling) So, are we getting close to a deal here?
Lawyer2: Yeah, send the draft invite over and we'll look it over and send back our changes.
Lawyer1: Perfect. You know, coincidentally I think you represent a Facebook friend of another client of mine that is trying to end their relationship.
Lawyer2: Could be. Those are always messy drawn out affairs - (under her breath to other lawyer) Lots of billables.
(both smile)

Wednesday, September 03, 2008

Ironic

Passpack is an online password manager.

They now allow users to access their store of passwords through OpenID - the supposed antithesis of online password managers.

Separately, if you stored your OP password on Passpack, could you use Passpack to login to your OP, in order to login to Passpack? Or would this create a hole in the space-time continuum?

More songs from my iPod

that seem appropro of the web identity world
  • It's a Question of Trust - Depeche Mode
  • Come Into My World - Fischerspooner
  • Connected - Stereo MC
  • Dashboard - Modest Mouse
  • Everyone Knows Everyone - Helio Sequence
  • Here you Come Again - Dolly Parton