Friday, November 28, 2008

When dislike isn't sufficient

A demo of a preferences-based authentication system, i.e. your registered likes and dislikes used to authenticate you for password resets etc.

You register your preferences


and then try to remember them to log-in


For myself to remember, there would need to be a continuum of disliking, from mild aversion to virulent loathing. Lumping in gardening with show tunes is just too coarse a granularity.

Thursday, November 27, 2008

One profile too far

Just flicked past the National Dog Show on my way to the Lions-Titans blow-out.

Dogs with legs 2 inches long are a perfect example of the profiling of a core specification gone horribly wrong.

Other examples do come to mind.

Wednesday, November 26, 2008

Amen to that

One of Google FriendConnect example sites is BibleApps, at which you can test your knowledge of Old Testament scripture.


I did not fare well on the quiz. It seems that no matter how much I study, I always confuse Ezekiel and Numbers. And don't ask me to conjugate 'begat'.

BibleApps also allows you to 'Post A Prayer', my two favourites of which are


The second makes me think that perhaps all those working on open identity standards are doing God's work.  I must remember to look into the possibility of a tax break.

Friday, November 21, 2008

Attribute-based authz

A sign on my 6 yr old daughter's bedroom door

Please note the exception for parties playing the role of 'Daddy'. I asked her to instead define the policy in terms of me specifically but she declined, citing the 'administrative burden of updating'.....

Does she know something I don't?

Would that the other policy persist (or at least until she meets a nice SAML boy in her 30s).

Identity in the cloud

God sues Microsoft for copyright infringement

In a move described by copyright lawyers as 'ground breaking', the Supreme Deity has filed a lawsuit against Microsoft (MSFT) for copyright infringement of her 'The 10 Commandments' work. The suit alleges that Microsoft's 'Laws of Identity', as popularized by Kim Cameron, has violated its copyright.

"The so-called 'Laws' are a deliberate and complete knock-off. It's quite unconscionable, even bordering on egregious. It's perfectly clear that they are based on my client's earlier work," said God's attorney Smitty James. "Pretty much the only thing that's different is that there are only 7 laws, compared to our 10 commandments. Did they run out of time or something?"

James added "We believe that the Laws were created with deliberate intent to interfere in God's economic affairs and interest and to deceive the marketplace regarding the origin, nature and identity of the Supreme Being. We'll be seeking commensurate, i.e. 'huge', damages".

The suit provides examples of infringement, alleging that Law #3, that of Justifiable Parties, derives from the Commandment stipulating that God's worshipers MUST 'have no other Gods before me'.

Kim Cameron has not responded directly to the allegations, writing on his blog only "We are committed to copyright protection and believe this suit will be resolved in Our favour."

Microsoft representatives were quick to issue a statement clarifying "that the unfortunate capitalization of 'Our' was nothing more than a typographical error".

Thursday, November 20, 2008

Just the facts ma'am

I was wondering about the parental rating of the new Hellboy movie, so I went to the IMDB.

Their parents' guide eschews any moralizing, instead simply asking reviewers for a description of the potentially age-inappropriate content. Arm the parental relying party with information, and let them make the access control decision.

Of course the downside is that some parents want to off-load the responsibility; it's very easy to say no to a pleading child with a "Sorry, but the rating says it isn't appropriate". Much more thought would be required to actually analyze the content.

This is the model SAML's Authentication Context took for handling assurance - i.e. the IDP doesn't make any 'moral' judgements about the factors that impact assurance, but rather just describes them.

Pretty much the exact opposite of that taken by those uptight old ladies at NIST.

Default behaviour

From the Free Dictionary
claim n. A statement of something as a fact; an assertion of truth

If you buy this definition, then any identity attribute an STS delivers as a 'claim' to an RP should, by default, be interpreted by that RP as that STS asserting it as a true fact.

Consequently, more appropriate than an STS indicating that a particular claim had been 'verified', would be for the STS to instead indicate which attributes had not (and thereby guide the RP's default interpretation).

OpenID/OAuth hybrid extension

There is a proposal for an OpenID extension to effectively create a hybrid protocol between OpenID and OAuth - this to optimize the combination and thereby minimize consent pages and redirects.

Interestingly, Ping's Patrick Harding was proposing a similar optimization  between SAML & OAuth at DIDW.

Starting at Slide 23 in the below deck

Hopefully, the pattern that OpenID defines to carry the OAuth parameters/messages can be applied to SAML.

Hammer & Nail

When all you have is a 'X', everything looks like a 'Y'

Not sure where to go with this.

'URI' & 'resource'?

'browser' & 'redirect'?

'SOAP message' & 'Header'?

Public and private keys

One of the factors that contributed to the Crimean War was a struggle over control of Christianity's Holy Places, this between Roman Catholic and Eastern Orthodox monks (and France and Russia's respective backing of the two factions).

Control over the various divine churches, shrines, and sepulchres had shifted back and forth over the years between the Catholic and the Orthodox churches. By the 1840s, it was the Orthodox Church that was dominant.

In 1850, Louis Napoleon (Napoleon III) of France decided to try and change the balance of power and champion the Roman Catholics to control the Holy Places. Russia favoured the Orthodox Church. Caught in the middle (but not MITM) between the two superpowers was the Ottoman Empire that ruled over the Holy Land at the time.

Hoping to resolve the issue without upsetting either, the Ottoman Turks engaged in a wonderful bit of crypto bamboozlement. In February 1850 they sent a diplomatic note to the French, giving them two keys to the door of the Church of the Nativity. At the same time, they assured the Orthodox Church that the French keys would not fit the lock.

Sounds like a poorly implemented KDC.

Tuesday, November 18, 2008

Is it meaningful

that my LinkedIn network (loosely representative of the 'federated identity' community, I would claim) has a minimal intersection with the LinkedIn group focused on 'User Experience'?

Is the real intersection larger than Luke and Ariel (who I hope both do not object to my publicizing our possibly compromising connection)?

Monday, November 17, 2008

Sound and fury

In one of the IIW intro sessions, Google's Kevin Marks made the point that relying on what attributes users provide themselves is risky as what they too often provide is 'noise'.

When asked for zip code, more than statistically appropriate numbers answer '12345' or '90210' (Schenectady NY and Beverly Hills respectively).

Myself, I assert that self-asserted attributes are 'full of sound and fury, signifying nothing'.

'A tale told by an idiot' is maybe a bit strong.


Playing with the new CardSpace.

It seems I have no personal cards


but neither do I seem to be able to create any ...

Should I not see a 'Create Card' option?

I appeared to be successful adding a managed card from the Verisign PIP, but no card appears when I then tried to use it to log in to PIP.

CIA to become OpenID Provider

Reiterating a campaign promise for his administration to be more 'user-centric', President Elect Barack Obama has indicated that one of his first moves once in office will be to direct the Central Intelligence Agency to add support for the OpenID authentication protocol to the web site.

Obama is reported to have said "We've got all this data on our citizens, why not use it to help them get around the Web. In this day and age, why should a US citizen have to manually enter a detailed record of their sexual history at some dating site when their government has that very same data and will serve it up when asked?"

The CIA and other departments already share large amounts of identity data on Americans (and other nationalities). The promised support for OpenID's Attribute Exchange is seen as different because OpenID, through its inherent user-centrism, will give citizens the ability to monitor and control such sharing. A senior CIA officer said 'Yes, consent is critical for us. We would never dream of sharing a citizen's identity attributes without first asking a judge'.

Rumours are that the CIA OP will distinguish itself from other large OpenID providers with a major print & web marketing campaign built around the slogan 'Let us tell you about yourself'.


RL "Bob" Morgan held a session at IIW on verified claims, what they are, how to ask for them, how to express them etc.

The Information Card Foundation is using a 'by reference' model for the last.

For an STS to indicate that a particular claim value has been verified, it includes that claim identifier in the (separate) 'Verified' claim. If there are other attributes that are also verified, they get added in the same way (space separated).

To indicate that claim as to age of majority was verified (and not self-asserted), the STS would assert
age-18-or-over = true
Verified = age-18-or-over

This model does not allow for 'shades of verification', all the verified claims are treated equally - you are either verified or not, with no middle ground. Discussed in Bob's IIW session was the possibility of 'verification context', the additional information about how verification was achieved, akin to OpenID PAPE or SAML Authentication Context for authentication. As always, some RPs might want this extra context, others not.


1) Isn't the verified claim a meta-claim, i.e. a claim aboot a claim(s)?

And as such, would not standardization fall under the purview of the group tasked with all things meta?

2) How does an RP indicate it desires a verified claim? The same mechanism?

3) Does the following combination make sense?
age-18-or-over = unknown
Verified = age-18-or-over
Can the STS hedge its bets, i.e. "I've verified the age, but I'm not telling"? Where else would the STS indicate this policy?
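
As an added example (not code from the post, from the Information Card Foundation, or from any STS), the following evaluates a claim set in the 'by reference' model described above, where a space-separated 'Verified' meta-claim names the claims the STS vouches for, and also the inverted model from the 'Default behaviour' post, where every delivered claim counts as asserted true unless the STS lists it as not verified. The 'name = value' line format, the 'Unverified' claim name, and the sample claim names other than 'age-18-or-over' and 'Verified' are assumptions made here for illustration. It handles the two awkward cases the post raises: a 'Verified' reference with no matching claim, and a claim that is listed as verified but carries the value 'unknown'.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

VERIFIED_CLAIM = "Verified"      # meta-claim name used in the post
UNVERIFIED_CLAIM = "Unverified"  # assumed name for the inverted 'Default behaviour' model


def parse_claims(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines (the constructed wire format used here) into a dict.
    Blank lines and '#' comments are ignored; a line without '=' is rejected."""
    claims: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed claim line: {line!r}")
        claims[name.strip()] = value.strip()
    return claims


def verified_names(claims: Dict[str, str]) -> Set[str]:
    """Names referenced by the space-separated 'Verified' meta-claim."""
    return set(claims.get(VERIFIED_CLAIM, "").split())


@dataclass
class ClaimView:
    name: str
    value: Optional[str]   # None: referenced as verified but never asserted
    verified: bool
    dangling: bool         # 'Verified' points at a claim that is absent


def rp_view(claims: Dict[str, str]) -> Dict[str, ClaimView]:
    """The RP's reading of the token: each claim is verified or self-asserted,
    and a 'Verified' reference with no matching claim is flagged, not trusted."""
    refs = verified_names(claims)
    views: Dict[str, ClaimView] = {}
    for name, value in claims.items():
        if name in (VERIFIED_CLAIM, UNVERIFIED_CLAIM):
            continue
        views[name] = ClaimView(name, value, name in refs, False)
    for name in refs - set(views):
        views[name] = ClaimView(name, None, True, True)
    return views


def requires_verified(claims: Dict[str, str], name: str) -> bool:
    """RP policy for a sensitive claim: present, verified, and carrying a usable value.
    The hedge from question 3 ('unknown' but listed as verified) fails this check."""
    view = rp_view(claims).get(name)
    return view is not None and view.verified and view.value not in (None, "unknown")


def default_verified(claims: Dict[str, str]) -> Dict[str, bool]:
    """The 'Default behaviour' model: every delivered claim is taken as asserted true
    unless the STS lists it in the (assumed) 'Unverified' meta-claim."""
    excluded = set(claims.get(UNVERIFIED_CLAIM, "").split())
    return {n: n not in excluded for n in claims if n not in (VERIFIED_CLAIM, UNVERIFIED_CLAIM)}


# Constructed sample tokens, not real STS output.
SAMPLE = """
# by-reference model from the post
given-name = Paul
age-18-or-over = true
postal-code = 12345
Verified = age-18-or-over postal-code
"""
HEDGED = "age-18-or-over = unknown\nVerified = age-18-or-over\n"
DANGLING = "given-name = Paul\nVerified = age-18-or-over\n"
INVERTED = "email = paul@example.test\npostal-code = 90210\nUnverified = postal-code\n"

if __name__ == "__main__":
    for label, tok in ("sample", SAMPLE), ("hedged", HEDGED), ("dangling", DANGLING):
        views = rp_view(parse_claims(tok))
        print(label, {n: (v.verified, v.dangling) for n, v in views.items()},
              "age ok:", requires_verified(parse_claims(tok), "age-18-or-over"))
    print("inverted", default_verified(parse_claims(INVERTED)))
```

The RP-side rule worth noting is that 'Verified' only upgrades trust in a value that is actually present and usable; a reference to an absent claim, or to a value of 'unknown', should not let the RP conclude anything about the subject, which is the answer the code gives to question 3.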

Naval gazing

Chris Messina posts the results of a more comprehensive survey of OpenID 'awareness'.

One key distinction between OpenID and SAML is that the SAML community doesn't spend its time on this particular type of naval gazing (concentrating on others) - there has never been any expectation that the end users would be at all aware of whether SAML was being used or not. It's freeing to not have to care. (I expect we'd have picked a better name if we thought the users might be aware, and a cool icon.)

OpenID definitely started out with a conscious design for a brand with users, and so measuring awareness of that brand made sense. But it seems to me that the current trend for UI (at least with big OPs) is to downplay OpenID itself, and concentrate on helping the user with the more basic task of distinguishing between the choices of a local or non-local identity.

Look at the recent guidelines from Google and Yahoo! for federated login - neither mention OpenID in their initial UI. Google segues into federated login through a generic 'Help me login', and Yahoo! replaces the OpenID brand with its own.

Are surveys of OpenID awareness asking the right question?

Is federated identity made easier, or more difficult, when the user is expected to be aware of not only where a non-local identifier is, but also what sort it is?

That would be interesting research.

Friday, November 14, 2008

Purpose & Usage Policy

An email from my daughter's teacher

Yeah right, like I want my kids establishing social relationships of uncertain career advantage to me. Tell me what the parents do and then we can talk.

Damned with (implicit) faint praise

I'm choosing to interpret the 'different standards' and 'different communities' mentions from this theSocialWeb.TV interview done at IIW as a 'shout-out' to SAML.

It's very cool for a niche identity technology to get such recognition. Even to be (implicitly) mentioned alongside the identity juggernaut of XRIs shows how far SAML has come.

Why must social invites be so blah

Could we not spice up the existing 'X wants to be your friend/colleague'? For example

For an invite

An invite through a colleague

An acceptance (with conditions)

A rejection

A rejection with explanation

A response back to a rejection

Wednesday, November 12, 2008

Useful to remember

When attending an event like IIW - where worlds and terminologies collide - it's easy to fall into the following trap
An Englishman, a German, and a Frenchman are debating the merits of their languages. The German claims 'German is off course ze best language. It is ze language off logic and philosophy, and can be used to communicate viz great clarity and precision!'. 'Zut Alors' shrugs the Frenchman, 'French is ze language of lurve. In la Francaise, we can convey all ze subtleties of romance with elegance and flair'. The Englishman thinks about both claims, and then says 'Yes, chaps, that's all very well. But think about this. Take the word 'spoon', for instance. You French call it 'cuillere', and you Germans call it a 'Loffel'. But in English, it's simply called a 'spoon'. And when you stop to think about it for a bit, isn't that exactly what it is?'

From 'The Unfolding of Language' by Guy Deutscher


Pat has some pics up of the "2nd Annual Liberty Alliance Tokyo Football-based Sporting Event" - this time futsal.

I was torn - there was a primarily Liberty team and a primarily NTT team. Which to honour with my skills?

In the end I resolved the conflict by playing for the Liberty team but scoring for the NTT team.

We seem to be going at it backwards

Biblical version

1) start with single unified language
2) build big tower in self-congratulation
3) upset Deity
4) deal with multiple incompatible languages

Not that I expect we'll end up with a single identity 'language', but a tower would be nice. And a happy Deity.

Karaoke 2.0

Identity Puzzle: Place these pictures in order


Identity Model for Requests

Consider the LinkedIn '10 of your trusted connections can introduce you to X. Please choose one:',

Let's say Bob asks Alice to introduce him to Mary. In this case a request will be sent that

- has Mary as the target identity
- has LinkedIn as the sender
- has Alice as the identity against which permissions will be evaluated (in order to determine whether she is allowed to proxy invites to Mary)
- on the behalf of Bob

If Bob maintained his social network somewhere other than LinkedIn, there would be another identity in the mix - that of his SNS.
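
An added example (not from the post or from LinkedIn) of the request model just described: the four identities are carried as separate fields, and the authorization check runs against the proxying identity (Alice), not the originator (Bob). The network data, the policy rules, and the optional origin-SNS field for the case where Bob's social network lives elsewhere are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class IntroductionRequest:
    target: str                       # Mary: the identity the request is about
    sender: str                       # the service that sends it (LinkedIn)
    actor: str                        # Alice: permissions are evaluated against her
    on_behalf_of: str                 # Bob: the originator of the request
    origin_sns: Optional[str] = None  # set when Bob's network lives outside the sender


@dataclass
class Network:
    connections: Dict[str, Set[str]]  # user -> direct connections (constructed data)
    trusted_sns: Set[str]             # assumed: foreign SNSs whose users may be introduced

    def connected(self, a: str, b: str) -> bool:
        return b in self.connections.get(a, set())


def authorize(net: Network, req: IntroductionRequest) -> Tuple[bool, str]:
    """Decide whether req.actor may introduce req.on_behalf_of to req.target.
    Constructed policy: the actor must be a direct connection of the target,
    the actor and originator must differ, and a foreign origin SNS must be trusted.
    The originator's own connections are deliberately never consulted."""
    if req.actor == req.on_behalf_of:
        return False, "not a proxied request: actor and originator are the same identity"
    if not net.connected(req.actor, req.target):
        return False, f"{req.actor} is not a trusted connection of {req.target}"
    if req.origin_sns and req.origin_sns not in net.trusted_sns:
        return False, f"origin SNS {req.origin_sns!r} is not trusted by {req.sender}"
    return True, f"{req.actor} may introduce {req.on_behalf_of} to {req.target}"


# Constructed network: Alice is connected to both Mary and Bob; Bob is not connected to Mary.
NET = Network(
    connections={"Alice": {"Mary", "Bob"}, "Mary": {"Alice"}, "Bob": {"Alice"}},
    trusted_sns={"PartnerSNS"},
)


def via_alice(origin_sns: Optional[str] = None) -> Tuple[bool, str]:
    """Bob asks Alice to introduce him to Mary, optionally from a foreign SNS."""
    return authorize(NET, IntroductionRequest("Mary", "LinkedIn", "Alice", "Bob", origin_sns))


def bob_direct() -> Tuple[bool, str]:
    """Bob tries to have himself introduced, with no proxy in the loop."""
    return authorize(NET, IntroductionRequest("Mary", "LinkedIn", "Bob", "Bob"))


def via_stranger() -> Tuple[bool, str]:
    """Carol, who is not connected to Mary, tries to proxy Bob's introduction."""
    return authorize(NET, IntroductionRequest("Mary", "LinkedIn", "Carol", "Bob"))


if __name__ == "__main__":
    for label, result in (("via Alice", via_alice()), ("Bob direct", bob_direct()),
                          ("via Carol", via_stranger()),
                          ("via Alice, foreign SNS", via_alice("UnknownSNS")),
                          ("via Alice, partner SNS", via_alice("PartnerSNS"))):
        print(f"{label}: {result}")
```

The point the model makes, and the code enforces, is that the permission question is "may Alice proxy invites to Mary?", so Bob's own standing with Mary is irrelevant to the decision; when Bob comes from another SNS, that SNS becomes a fifth party whose trustworthiness the sender has to evaluate separately.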

Monday, November 10, 2008

An admittedly ingenuous question

Why, using SAML, is Google willing to act as an RP but, using OpenID, not?

Anyone? Class? Anyone?


Anyone? Assur-ance. That's right.

Saturday, November 08, 2008

Living dead (or proxying claims)

Some African cultures distinguish between the recently deceased (for whom there still lives someone who actually knew the deceased) and those for whom no such survivors remain. The sasha are those whose memory remains alive in the minds of their friends and family, but once they themselves die, the sasha move to the zamani. (the concept resonates for me. While I lost my brother-in-law 2 years ago, every family get together is a boisterous celebration of his existence in the sasha).

According to the book 'Lies My Teacher Told Me' by James Loewen, US high school history textbooks too often fall into the trap of discussing only history's zamanis, because by definition there is nobody to interject with a 'hey, that's not how it happened'. Easier to avoid such controversy (and subsequent thinking by the students) by avoiding the sasha.

It behooves those of us considering proxying of identity claims to acknowledge the distinction between first and second hand knowledge


Picture this.

A bunch of tired & sweaty (due to futsal) identity people (Ingo, Hiroki, Sampo, Nat, Joni, Pat, Dervla, Tatsuo, Fulup, Colin, Yuki) in a crowded Tokyo dining room, me laying down a mean karaoke groove to a Hasidic Jewish reggae song.

Now stop picturing it.

You can't can you.

Wednesday, November 05, 2008


I think we can now safely step back from our recent frequent messaging. But do please feel free to give me a call should you need an IdM Advisor.

p.s. Did you not get my Facebook invite? I'll resend.

Tuesday, November 04, 2008

Palin inadvertently votes for Obama

Apparently she thought the ballot was to determine which hockey tournament her kid's team should compete in, and she figured a southern state would be a nice warm change.

For good times, Suntory times

Anticipating some sleepless nights in Tokyo this week, I brought 'Lost in Translation' on my laptop. The movie perfectly captures the sense of jet-lagged spaciness that I typically experience here.

I watched it at 2am this morning.

And noticed that the hotel I'm staying in appears in the pan of the skyline as Bob drives away from Charlotte to Narita.

My room is on the 36th floor at the left. If you can't sleep, drop by and we can go to the cocktail lounge.

Monday, November 03, 2008

I did what?

A quote from Friedrich Nietzsche

"I have done that," says my memory. "I cannot have done that," says my pride, and remains adamant. At last -- memory yields.

Facebook is changing this dynamic