Tuesday, March 31, 2009

Good thing there is no federation agreement

between Ontario and New South Wales.

A Sydney parking ticket from 1988.

My defense? The sign was in Australian!

Bottom feeders

This feels like fishing for carp - not much fun and you're going to throw back anything you catch.

I do like that Twitter's response is to encourage suspicious users to change their password - after first presenting the old one of course...

Down to the wire

By my count, IIW has approximately 50 of the required 75 attendees - with the deadline tomorrow.

C'mon people, I will be needing a NorCal sunshine break from Ottawa spring showers right about mid-May. Let's make this happen.

Monday, March 30, 2009

Calorie burner

Garbage in, garbage out

Thought of a perfect use case for the Twitter model.

Litter.com, i.e. tracking the where, when and how much of people picking up litter in their neighborhoods.

Form teams, compete etc.

A niche demographic admittedly.

Punctuation is Key

MyID.is Certified prepends some identity verification on OpenID-based authentication.

MyID.is is also an OpenID provider, but a certified OpenID provider as we have previously certified the Microformats embedded in your OpenID

The string 'Certified OpenID Provider' in the above can be interpreted in two different ways - distinguished by what gets certified.

MyID.is is a 'Provider of Certified OpenIDs' - this is not the same as a 'Certified Provider of OpenIDs'. It's the OpenIDs that MyID.is issues that are certified, not MyID.is itself.

Consequently, any RP for which 'certified OpenIDs' is important will need to trust MyID.is's own claims as to the rigor of the verification process. But how will the RP know?

I'm sensing some more assurance math, something along the lines of 'the amount of assurance in the process that certified the OP must be greater than or equal to the amount of assurance in the process that certified the OpenID....'

Ultimately, MyID.is needs to be a 'Certified Provider of Certified OpenIDs'......

Separately, I do like the idea of a 'random fee as shared secret'

You will also need a credit card with the same name that you are certifying. We will charge you only once a random certification fee between €2 and €5. Then you will have to check your bank statement and fill in on the MyID.is site the exact amount in Euro you’ve been charged.

Although actually checking the statement would make for a slow process.
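The 'random fee as shared secret' step, modelled as an added example (my own illustration, not MyID.is's code). It assumes the charge itself happens out of band through a card processor, represented here by a callable, and it stores only a keyed hash of the amount rather than the amount. The point a practitioner would want spelled out: a fee between €2.00 and €5.00 is one of only 301 values, roughly 8 bits of secret, so the check is only meaningful with an attempt limit, which is an assumption added here and not something the quoted text mentions.

```python
"""Toy 'random fee as shared secret' verification.

Added example, not MyID.is's implementation. Assumptions: charges are made
out of band by a callable we are handed; MAX_ATTEMPTS is our own addition.
"""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

MIN_CENTS, MAX_CENTS = 200, 500   # EUR 2.00 .. 5.00, as in the quoted text
MAX_ATTEMPTS = 3                  # assumed: tiny secret space needs a lockout


@dataclass
class PendingVerification:
    salt: bytes
    digest: bytes
    attempts: int = 0
    verified: bool = False


def _mac(salt: bytes, cents: int) -> bytes:
    # Keyed hash so the stored record does not reveal the charged amount.
    return hmac.new(salt, str(cents).encode(), hashlib.sha256).digest()


def start_verification(charge: Callable[[int], None]) -> PendingVerification:
    """Pick a random fee, charge it via the supplied (assumed) processor
    callable, and keep only salt + keyed hash of the amount."""
    cents = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
    charge(cents)
    salt = secrets.token_bytes(16)
    return PendingVerification(salt=salt, digest=_mac(salt, cents))


def parse_euro(text: str) -> Optional[int]:
    """Turn input like '3.47', '3,47' or '€3.47' into cents; None if invalid."""
    cleaned = text.strip().lstrip("€").replace(",", ".")
    whole, _, frac = cleaned.partition(".")
    frac = (frac + "00")[:2]          # '3.5' -> 350, '3' -> 300
    if not whole.isdigit() or not frac.isdigit():
        return None
    return int(whole) * 100 + int(frac)


def check_amount(pv: PendingVerification, text: str) -> str:
    """Compare the user's reported amount; returns 'ok', 'wrong', 'locked'
    or 'invalid'. Malformed input does not consume an attempt."""
    if pv.verified:
        return "ok"
    if pv.attempts >= MAX_ATTEMPTS:
        return "locked"
    cents = parse_euro(text)
    if cents is None:
        return "invalid"
    pv.attempts += 1
    if hmac.compare_digest(_mac(pv.salt, cents), pv.digest):
        pv.verified = True
        return "ok"
    return "locked" if pv.attempts >= MAX_ATTEMPTS else "wrong"


def secret_space_bits() -> float:
    """Entropy of the shared secret: log2 of the number of possible fees."""
    return math.log2(MAX_CENTS - MIN_CENTS + 1)
```

With three attempts against 301 possible amounts a guesser succeeds about 1% of the time, which is why the lockout (and the cost of a real card charge per attempt) matters more than the hashing.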


Friday, March 27, 2009


I was ordering internet service the other day. As I was selecting the plan options, a new browser frame appeared, with a hello from 'Sara' asking if I needed help.

For the initial part of our conversation, I honestly couldn't tell if Sara was human or scripted.

Maybe Sara's conversations are all this stilted.

She definitely had her eyes firmly set on the 'Proceed to Checkout' goal.

Separately, what do I care if she didn't want to friend me on Facebook? Her loss right?

Thursday, March 26, 2009

How Concordia like

From SEED magazine, an article on the need for shared terminology amongst the nuclear powers.

At the height of the Cold War, American and Soviet scientists wrote handbooks for each other that attempted to bridge their language gap. Helping to explain some of the era’s more arcane nuclear terminology, these handbooks were a crucial diplomatic tool that helped prevent potentially disastrous misunderstandings.

Having a forum for talking through sensitive issues, like the meaning of “limited deterrence,” he says, is worthwhile for building trust.
While the glossary is an important first step for improved relations, Li says more bilingual security experts are ultimately necessary.

Translation oddity

Sun's Kimimasa Sato posts on identity management challenges and progress.

Sato-san courteously provides links to 3 translation services for non-Nihongo speakers - Yahoo!, Google, and Microsoft.

I was comparing the three translations to see if any was appreciably better (my conclusion, no) when I noticed an oddity in Yahoo!'s text.

See if you can notice the difference in the three as to how they translate the final bits of the post. Look carefully, it is admittedly quite subtle.




I wonder if Yahoo!'s translation engine was written in Australia?

May look into this.

I've actually always thought of myself as ducal.

With a Title in front of your name you will experience a difference in people's attitudes. The moment they know you are a "Sir, Lady, Lord, etc", you will be treated like some sort of Royalty or famous Film star.

About bloody time I say.

I wonder if they'll throw in a corresponding Openid so I could enjoy the same privileged treatment online......

Wednesday, March 25, 2009

Get an OpenID, live forever

This article makes me think that OpenID should be playing UP the usability issues.
"transhumanism," is premised on the idea that people degenerate and die in part because they live in spaces that are too comfortable. The artists' solution: construct abodes that leave people disoriented, challenged and feeling anything but comfortable.

C'mon Asa, I need this

Update: Asa came through!

Currently narrowing down laser implant locales. The eyes are just so 90s Terminator.

Tuesday, March 24, 2009

God Bless Amerka

Dear Last.Fm

I applaud your decision to charge non-Americans for your service. For too long the people of the non-American parts of the world have been riding our coat tails and enjoying our cultural exports (e.g. Britney, that whimpy guy from American Idol, the non-racist Mel Gibson, etc) for free.

That has to change.

Keep America Free! (by charging the non-Americans)


                                 A Proud (North) American

                                 Paul Madsen
You can have my gun when you tear it from my cold dead hands.

Identifier confusion

Hey I drink beer!

and have an Internet connection too.

Will I get a badge?

And what is the policy on mistreating prisoners? No, not the official policy, the real one.

From Jeff.


Eve introduces what she and some Sun colleagues (dare I describe it as a 'Sun-led initiative'?) are calling ProtectServe - what appears to be a set of extensions to (and around) OAuth to allow users to define permissions centrally, and yet maintain their identity in a distributed manner.

In 'classic' OAuth, a user:

1) facilitates a Consumer and Service Provider establishing keying material in the context of him/herself so that the Consumer can subsequently use those keys when requesting the user's attributes from the SP
2) can define permissions at the SP specific to the Consumer (i.e. read but not write, etc.) - these access rules stored at the SP against the keys of 1)

From the 'access control management' PoV, the above model has the user making lots of access control management decisions - one each time a given Consumer wants identity from a given SP. What's more, subsequent management of all those decisions will be tough because the rules are spread out all over the place (at all the various SPs).

ProtectServe keeps the data distributed, but centralizes the access control management. Rather than directly collecting, storing, and managing a user's access control decisions for the attributes it stores, an SP will abdicate these duties to what Eve calls a 'Relationship Manager'. The Relationship Manager itself holds no identity attributes, only permission sets for identity attributes stored elsewhere (at the user's SPs).

Users create, manage (and hopefully can reuse) access rules at the Relationship Manager, rather than at the various and disparate SPs.

The implication is that, if and when an SP gets a request for a user's identity attributes from some Consumer, the SP, rather than looking at some locally stored access rule, instead queries the user's Relationship Manager for the decision (this query seemingly protected by OAuth as for any other identity query). Upon receipt of such a query, the Relationship Manager would

a) check to see if the SP (acting as an OAuth Consumer) was 'OK', i.e. that the User had introduced the two
b) check to see if the original request from the original Consumer to the SP should be approved based on the rules the User had defined
c) return the results of b) to the SP

Some thoughts

1) Because the Relationship Manager gets lots of queries of the sort

'Consumer1 is trying to access Alice's calendar at SP3'

the RM would be able to get quite the glimpse into Alice's online activities. Some creative crypto might help

2) Eve didn't describe the mechanism by which Alice, when visiting 3rd National Visa (an OAuth Consumer) would get over to CopMonkey (her RM) to specify permissions for Visa accessing her calendar at Schedewl. Perhaps something like

i) Alice helps OAuth between Visa and Schedewl
ii) Schedewl responds back with a 'Talk to CopMonkey'
iii) Alice helps with OAuth between Visa and CopMonkey
iv) CopMonkey records the access rule for Visa accessing Schedewl
v) later, when Visa asks Schedewl for Alice's calendar, Schedewl knows to ask CopMonkey before granting
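The decision flow (steps a-c above) and the introduction sequence (steps i-v) as one toy model. This is an added example of my own, not ProtectServe or any Sun code; Visa, Schedewl and CopMonkey are the illustrative names from this post, and the object API (introduce_sp, record_rule, decide, handle_request) is assumed. It also makes thought 1 concrete: the RM's audit list is exactly the 'glimpse into Alice's online activities', because every SP decision lands there while the RM holds no attribute data itself.

```python
"""Toy Relationship Manager (RM) in the ProtectServe spirit.

Added example, not ProtectServe's design or code. The SP keeps the data and
asks the user's RM for the access decision; the RM keeps only rules and a
record of who was introduced (the OAuth exchanges themselves are assumed to
have happened out of band and are not modelled).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    consumer: str            # e.g. "Visa"
    sp: str                  # e.g. "Schedewl"
    resource: str            # e.g. "calendar"
    actions: FrozenSet[str]  # e.g. {"read"}


@dataclass
class RelationshipManager:
    user: str
    introduced_sps: Set[str] = field(default_factory=set)          # step a)
    rules: Dict[Tuple[str, str, str], Rule] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def introduce_sp(self, sp: str) -> None:
        """Steps ii/iii: the user has introduced this SP to the RM."""
        self.introduced_sps.add(sp)

    def record_rule(self, rule: Rule) -> None:
        """Step iv: store the user's rule; the RM stores no attributes."""
        self.rules[(rule.consumer, rule.sp, rule.resource)] = rule

    def decide(self, asking_sp: str, consumer: str, resource: str, action: str) -> str:
        """Steps a-c: returns 'permit' or a 'deny:<reason>' string."""
        # Thought 1: every query is visible to the RM, hence the privacy concern.
        self.audit.append((self.user, asking_sp, consumer, resource, action))
        if asking_sp not in self.introduced_sps:          # a) SP not introduced
            return "deny:unknown-sp"
        rule = self.rules.get((consumer, asking_sp, resource))
        if rule is None or action not in rule.actions:     # b) no matching rule
            return "deny:no-rule"
        return "permit"                                    # c) result to the SP


@dataclass
class ServiceProvider:
    name: str
    data: Dict[str, Dict[str, str]]                 # user -> resource -> value
    rm_of: Dict[str, RelationshipManager] = field(default_factory=dict)

    def handle_request(self, consumer: str, user: str, resource: str,
                       action: str = "read") -> Tuple[bool, Optional[str]]:
        """Step v: ask the user's RM before serving the Consumer."""
        rm = self.rm_of.get(user)
        if rm is None:
            return False, "deny:no-relationship-manager"
        verdict = rm.decide(self.name, consumer, resource, action)
        if verdict != "permit":
            return False, verdict
        return True, self.data.get(user, {}).get(resource)


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Walk the post's scenario; constructed sample data, returned for checking."""
    cop_monkey = RelationshipManager(user="alice")
    schedewl = ServiceProvider("Schedewl", {"alice": {"calendar": "Tue 10:00 dentist"}})
    results = {}
    # Before any introduction: the SP does not even know where Alice's RM is.
    results["before_intro"] = schedewl.handle_request("Visa", "alice", "calendar")
    schedewl.rm_of["alice"] = cop_monkey            # step ii: 'Talk to CopMonkey'
    results["no_rule"] = schedewl.handle_request("Visa", "alice", "calendar")
    cop_monkey.introduce_sp("Schedewl")             # step iii
    cop_monkey.record_rule(Rule("Visa", "Schedewl", "calendar", frozenset({"read"})))
    results["read"] = schedewl.handle_request("Visa", "alice", "calendar")        # step v
    results["write"] = schedewl.handle_request("Visa", "alice", "calendar", "write")
    results["other_consumer"] = schedewl.handle_request("Mallory", "alice", "calendar")
    results["audit_entries"] = (True, str(len(cop_monkey.audit)))
    return results
```

Note what the RM learns even from denied requests: the audit list records the attempt by 'Mallory' too, so the RM is a natural place for the user's dashboard view (thought 4) and, equally, a natural place for over-collection.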

3) Most powerful would be for the Relationship Manager to also track (or be able to access) the user's social relationships - thereby allowing Alice to define rules like

Visa can access my work calendar at Schedewl if doing so on behalf of my Boss, but can also access my personal calendar if doing so on behalf of my sisters.

4) The Liberty Alliance has recently been collecting use cases around the idea of a  'Citizen Dashboard', the hypothetical place where a citizen could go and see (amongst other things) a record of all the queries for their identity made from one government department to another - and the results of those queries. Such an application would be a key piece of a Relationship Manager.

Liberty has also toyed for some time with the idea of defining protocols in support of such a centralized policy point - but never did anything with it. So, no duplication here! Huzzah.

A close race

According to WeFollow, President Obama has more followers than Britney Spears.


An RSS feed of the delta would provide an indicator of society's ebb and flow between the trivial and the meaningful.

When she passes him, the end is surely nigh.

Brand awareness

Jeff questions Nico's assertion that it is a given that OpenID needs a visible brand.

Jeff would have the particular OP brand front and center on any UI, with OpenID itself de-emphasized. Nico would do the opposite, i.e. de-emphasize the individual OP in favour of the protocol.

Some random thoughts

1) If you believe that there needs to be a brand above that of the particular OPs, is 'OpenID' the best choice for that brand? 'Interac' is a valuable brand, but it's not named after the protocols that enable it.

2) If the protocol brand is highlighted when the protocol is OpenID, what of federated operations when the protocol is not OpenID, i.e. SAML? How confusing will it be for users to sometimes see a protocol brand, and sometimes not?

3) Why spend time arguing when some usability tests would verify whether users find federated operations more or less intuitive with the various (OP first, OpenID first, hybrid, neither) branding options?

Monday, March 23, 2009

I love you, man!

Say it without the copious amounts of precursor booze with these macho "man cards".

I'd like one of these as a card graphic for my 'Ballcap wearing, spitting, and swearing' persona. Definitely not some namby-pamby flower arrangement or beach scene.

For the record, my frequent references to Dale on this blog (which he never ever responds to!) merely reflect my great professional respect for him and should in no way be interpreted as some sort of 'bromance'.

Unless he wants them to.

Information is power

Through Facebook, I just learned that my talented pianist nephew was accepted into an excellent music program at a nearby college.

Without Facebook, I would have learned of this tidbit of family gossip only at the whim of my wife. Some months down the road we'd have a conversation along the lines of

Me: I wonder if nephew got accepted...
Wife: What! Of course he was accepted, you knew that!
Me: No I didn't.
Wife: Oh you definitely did. My sister told me back in March and I told you right away. Don't be stupid!
Me: Yes dear, I'm sure you are right.

As it is, I know the news and my wife, not having talked to her sister in the past 2 hours (a record), doesn't.

Going to be a good day.

Tuesday, March 17, 2009

Unprecedented defense

From Wired, the developer of a (way cool) Android app for initiating torrent downloads through a phone barcode scanner defends himself against possible (i.e. certain) illegal use

"I could feel bad about creating a tool that could be used for piracy," says the 23-year-old Holmes, a Bournemouth University software systems student. "However if I didn't create the tool, someone else would have."

If I didn't point out that this defense against immorality has been seen before, someone else would have.

Separately, the use case would benefit from an identity/security layer as provided by Multi-Device SSO.

Monday, March 16, 2009

Etiquette 2.0

I was happy to receive a LinkedIn invite to connect from Trent Adams.

Even happier because Trent spent the extra time to perform the following laborious process

1) use mouse to select default invite text
2) backspace
3) type new slightly more personal invite text

If you care enough to ask me to connect, you should care enough to personalize the invitation.

We need a Miss Manners 2.0.

My brothers and I

are not what you might call 'huggy'.


Even this outpouring of emotion will have him wondering if I've gone soft.

Saturday, March 14, 2009

By analogy


A language is a dialect with an army and navy

        often attributed to linguist Max Weinreich

I propose

An open standard is a community spec with a Google implementation and its own web domain

Friday, March 13, 2009

Kitchen sink optional

If ever there is an ID Award for most inclusive scenario, I nominate Asa, Iain, Markus and co for their PoC of a VPI scenario involving XRI, OpenID, Cards, and ID-WSF.

Asa, I do not mean to quibble but, cmon, where's the Passel?

Assurance Math

A thread on the OpenID list is exploring the capability of OpenID to meet the requirements of different NIST LOAs, and thereby be relevant for SSO to US government services.

I submit the following 


Areq = the level of assurance required by a given RP for a given resource
Aid = the level of assurance engendered by the OP/IDP's identification & registration processes
Aauthn = the level of assurance engendered by the OP/IDP's authentication mechanism
Aprotocol = the level of assurance engendered by the protocol by which the IDP delivers 'assertions' to the RP

So, the smallest of the factors that determine assurance (i.e. Aid, Aauthn, and Aprotocol) must be greater than the level of assurance required by the RP (i.e. Areq). Nothing more than the 'weakest link' principle as a formula.


1) For the sake of simplicity, Aid is a catch-all factor for any process the OP follows that is not authentication
2) Any of Aid, Aauthn, and Aprotocol serve to constrain the maximum assurance possible. Consequently, there is no benefit in any one factor being significantly greater than the others - it's just wasted cost. The corollary to this is that no one assurance factor is more critical than another.
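The weakest-link rule and its corollary, written out as an added example (my own code, not anything from the OpenID list thread). It takes 'greater than' to mean 'at least', as the earlier MyID.is post's '>=' does, since LOAs are discrete levels; it assumes the four NIST levels 1 to 4 as the value range, and it reports which factor is the limit and which factors are over-provisioned relative to it, i.e. the 'wasted cost' of note 2.

```python
"""Assurance math: effective assurance is the minimum of the three factors.

Added example, not code from the post or the OpenID list. Assumes NIST-style
discrete levels 1..4 and treats 'greater than' as 'at least'.
"""
from typing import Dict, List

LEVELS = range(1, 5)  # NIST SP 800-63 LOA 1..4 (assumed value range)
FACTOR_NAMES = ("Aid", "Aauthn", "Aprotocol")


def _check_level(name: str, value: int) -> None:
    if not isinstance(value, int) or value not in LEVELS:
        raise ValueError(f"{name} must be an integer LOA in {list(LEVELS)}, got {value!r}")


def effective_assurance(a_id: int, a_authn: int, a_protocol: int) -> int:
    """min(Aid, Aauthn, Aprotocol): the weakest link sets the level."""
    for name, value in zip(FACTOR_NAMES, (a_id, a_authn, a_protocol)):
        _check_level(name, value)
    return min(a_id, a_authn, a_protocol)


def meets_requirement(a_req: int, a_id: int, a_authn: int, a_protocol: int) -> bool:
    """min(Aid, Aauthn, Aprotocol) >= Areq."""
    _check_level("Areq", a_req)
    return effective_assurance(a_id, a_authn, a_protocol) >= a_req


def analyse(a_req: int, factors: Dict[str, int]) -> Dict[str, object]:
    """Report the effective level, whether Areq is met, which factor(s) are
    the limit, and which are over-provisioned (note 2: wasted cost)."""
    a_id, a_authn, a_protocol = (factors[n] for n in FACTOR_NAMES)
    eff = effective_assurance(a_id, a_authn, a_protocol)
    limiting: List[str] = [n for n in FACTOR_NAMES if factors[n] == eff]
    over: List[str] = [n for n in FACTOR_NAMES if factors[n] > eff]
    return {
        "effective": eff,
        "meets": meets_requirement(a_req, a_id, a_authn, a_protocol),
        "shortfall": max(0, a_req - eff),      # levels the weakest link must gain
        "limiting": limiting,
        "over_provisioned": over,
    }
```

Running analyse with Aid=3, Aauthn=2, Aprotocol=4 against an RP needing LOA 2 says the deployment passes, that Aauthn is the limit, and that the level-4 protocol work is buying nothing until authentication catches up.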

Thursday, March 12, 2009


I fear that Eve's blatant ShamWow bait-and-switch will have organizers (i.e. Britta) dealing with many disappointed guests expecting a miracle of absorbency.

Nevertheless, come to my presentation at RSA Conference's Harnessing the Power of Digital Identity: 2009 and the Promising Road Ahead on 'Bridging Assurance between OpenID & SAML' and you'll be saying WOW every time!

Disclaimer: SAML does not easily remove cola, wine and pet stains, nor is OpenID machine washable and bleachable.

Tsk Tsk

Searching for an 'identity podcast', I came across Mike's post regarding an interview he and Kim did for MySuccessGateway.

In trying to access the podcast, Firefox warned me with

Gentlemen, you didn't need to resort to this. If you had just asked I would have been happy to install the new Cardspace.

When worlds collide

The fact that my Facebook friends list is an aggregation of both work and non-work hit home yesterday.

On what started as an innocuous thread on the relative merits of curling and football, comments were made by a non-work friend that, while completely appropriate to the relationship between myself and the commenter (we having a long history of questioning each other's masculinity and mental health), were not appropriate for a work context (or 98% of any other contexts it must be said).

Facebook allows me to create lists but not, AFAICT, use those lists to compartmentalize through differentiated permissions, e.g. allow members of one list to participate in a thread and not another.

If I had that ability, there wouldn't have been a problem. Nothing fancy, just something like

- those friends who find playground potty humour hilarious
- those who pay income tax

Fortunately, Facebook provides a delete function.

Cloud 'Eh Weather

Jackson questions the viability of cloud jingoism - specifically of the Canadian type
Frankly, I'm not quite sure how you prove the nationality of the cloud. If I look at a server can I see what cloud is sitting on or in it? When I look at a cloud can I see what nationality that cloud is? How do you prove the cloud is a certain nationality?

I propose a simple test - ask the cloud the following questions

- what is a timbit?
- Paul Henderson, good or bad?
- standup or butterfly?
- would you like to apologize for something?

A Canadian cloud's answers will be unequivocal.

Wednesday, March 11, 2009

Twitter & SAML in a single sentence


Socialcast also integrates with the actual Twitter, Del.icio.us, and other social networks like YouTube, Digg, Facebook, and Google (NSDQ: GOOG) Reader.

According to Young, Socialcast will integrate with 45 public services in all as well as certain wikis that companies might be running on their own. For single sign-on, Socialcast integrates with directory services like Microsoft (NSDQ: MSFT)'s Active Directory via the Security Assertion Markup Language, aka SAML.

OK, well two sentences.

New SOAP Fault

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">

It's the redirects

that make travel so tiring

The times, changing they are

One of my best friends from high school and university informed me last week that he and his wife of 17 years were 'deprovisioning' (he didn't call it that) their marriage.

He used Facebook to inform his wedding party of the news.

I grant you that it's more personal than the alternative.

Tuesday, March 10, 2009

That'll teach me

Trying to register for RSA 2009 in order to attend the Concordia, DataPortability, ICF, and OpenID pre-conference workshop.

Used the password reminder mechanism. Saw this screen.

1 hour? They expect me to sit patiently for an hour before registering? Is somebody hand typing the emails?

Ended up creating a new account, with username 'paulmadsenyetagain'. Saw this screen

Then, when registering and providing more info, saw this

Ah yes, of course they need to know whether I'm a 'Ms', 'Mrs' or 'Miss'.

Must remember, it's a security conference, not a usability conference.

Just out of spite, I made up spurious answers for their mandatory survey questions.

Time to short 3M

How much money do you think 3M makes from its Post-it Notes division?

And how much of that comes from the notes used for writing down passwords and stuck to the monitor?

And how much of that business will disappear as users buy into federated authentication?

Clear sell.

If 3M were as visionary as me, they'd adapt their digital notes product to be a visual front-end to an identity selector. Users already think of the notes as a paradigm for differentiating their online identities.

p.s. I also expect monitor frames to get smaller as the need for note mounting surface area decreases. Start to offload your plastic holdings.

Monday, March 09, 2009

Placeholder quotation

A placeholder, in anticipation of hopefully using it at some point in the future to mock some markup protocol/syntax.

Basque is really a strange language . . .
It is said that they understand one another,
but I don't believe any of it.
Joseph Justus Scaliger (1540-1609)

Too good to risk forgetting.

And yes of course I considered the semantic web. It just seemed too easy.


EdgeKeep introduces a new term (AFAIK) for what feels very VRMish.

Our tagline, Securing the Edge™, reflects our corporate mission: to maximize user sovereignty and minimize business risk at the edge of network space where users and businesses meet.

Maximizing user sovereignty drives our focus on privacy. Minimizing business risk drives our comprehensive, innovative approaches to policy and procedure development and to security inspections and audits.

The distinction between de jure and de facto sovereignty is noteworthy, i.e. between the user having theoretical or real control.

Friday, March 06, 2009

My hitch-hiking days are over thank

PickupPal is a ride-sharing service, i.e. matching drivers and passengers.

The economic model sounds wonderfully flexible
Passenger pays the Driver the agreed amount in cash (or otherwise, if agreed upon) at the end of the ride.
'Otherwise' would seem to encompass a whole range of payment options.

Separately, the 'Help' pages add a new dimension to trust mechanisms

Send them a message via our messaging system and get a sense of who they are – a simple message will give you a good idea if they are someone you can start to trust.
Sit in the front passenger seat, if you can. Rear doors often have child locks on them, meaning they cannot be opened from the inside. If you must sit in the back, check the child lock is off before you close the door.
Note the vehicle licence plate, and its make, model, and color before you take a ride. If you have a cellphone, text this information to a friend and have them confirm they got your text. For example (AYDL 098, VW GOLF, Black) - do not be shy to tell the driver you are texting this information -
Have these people heard of a little thing called 'public transportation'? In which passengers need not worry about child-locks?

All the reputation systems in the world aren't getting me in a car if I need to text a license plate to feel safe.

Tuesday, March 03, 2009

IP (irritating poetry)

There once was a standards body from Tobermory
Whose IP policy was nothing if not discriminatory
Reasonable? licensees would ask "A definition please"
The licensor's response? "Don't worry, we'll talk later about the fees"
And as to fairness, well that's an entirely different story.