Wednesday, May 27, 2009

A Mathematical Model for Risk Scaling

We posit that the risk (R) for identity leakage from some authority is proportional to both the volume (V) of identity data held and the surface area (A) by which identity can leak.
Therefore, we can deduce

Figure 1: Risk as function of size

where r is a measure of size as determined by number of users.


We can therefore see that risk scales with the fifth power of size. As an example, an OP with twice as many users as another is 32 times more vulnerable to identity leakage.


This research was made possible by generous financial assistance from TAPPOP (The Association of Pure Play OpenID Providers).

Monday, May 25, 2009

Burnt Sienna?

That is Orange with a red tint isnt it?

I don't know whether the vulnerability is real or not, but if so, the ramifications don't stop there.

I expect there might be some French RPs temporarily taking down those cute square Orange buttons from their sign-in pages.

Tracking Chip Provenance

No, not from Intel, the other kind of chips. It seems that consumers feel less guilt in gobbling down a bag of crisps once they determine that the potatoes were 'local grown'.

'Locally grown' reminds me another trendy term for which there is no agreed upon definition.

Deployment stats

Some surprises here

Thursday, May 21, 2009

Playing with Flock browser

Liking the Facebook & Twitter integration.

Under the guise of a 'Normal' & 'Advanced' setup choice, the installer tries to sneak in

  • making Flock default browser
  • sending anonymous usage stats

Are these choices really only relevant to 'advanced' users? I can see proxy configuration ....
Blogged with the Flock Browser

Tuesday, May 19, 2009

Monday, May 18, 2009

Violent agreement

I'm sure the sounds of confirmation from this panel must have been deafening.

Photo from Trent.

Sunday, May 17, 2009

IIW Submission

While I may not be attending in person, I do feel that there are still significant contributions I can make towards identity progress - specifically the following idea for a skit for the IIW Untalent show.

The following idea for a skit for the IIW UnTalent show is licensed under Creative Commons as 'Ignore & Forget'.

Here follows my idea for a skit for the IIW Untalent Show.

My idea for a skit for the IIW UnTalent Show is a take-off on the Dating Game. On stage will be an RP/SP (I see somebody from eGov or Health in the role, ideally in a dress for comic effect) asking all sort of hilarious and probing questions of the 3 candidate issuing parties (an IdP, OP, & STS) also on stage.

Questions such as

1) #1, there is nothing I find more romantic than a moonlight stroll down an audit trail. What parts of assurance do you find romantic?
2) #3, have you ever been proprietary? Are you still taking medication for it?
3) #2, My girlfriends say I'm a risk taker when it comes to choosing partners. How would you describe your own attitude towards risk, using, oh lets say, a scale from 1 to 4?
3) #3, Pop-up or redirect - I go both ways, what about you?
4) All, if you want to 'do business' with me, its WS-Federation or nothing. Ha ha just joking, just wanted to see if you were listening.

And of course the answers to the questions will be filled with all sorts of identity innuendo and protocol double-meanings. I'm laughing already. A guaranteed riot.

Thursday, May 14, 2009

A pain in the neck

Johannes has a pain in the neck.

As someone who has had a headache (the same one, to varying intensity) for approximately 12 years now, I am totally with Johannes on the importance of posture, neck, back & abs strength to fighting back.

My headache began one week after I started a job which had me at a desk the whole day. I will not bore you with the countless fixes I tried over the years (suffice to say Neti pot). It's only the fact that I now work from home, with the flexibility for work location, integrated stretching/exercise, G&Ts etc that has given me control.

I do all the same neck stretches that Johannes describes. Ultimately though, for myself, the only thing that can effectively kill a headache in its tracks are pressure point massagers that I found in the Tokyu Hands department store in Tokyo (the Japanese take stress reduction very seriously). If you have neck pain and find yourself anywhere west of San Francisco, make a trip to Tokyu Hands.

Early friend request

A letter from Prince Henry (future Henry VIII) to King Philip of Castile

I commend myself unto you in most hearty and affectuous
manner. And because the Chamberlain of my dear and best-
beloved consort, the princess my wife, goeth presently to you,
for certain matters which, as he says, concern him there, he has
besought and required me that I should write to you in his
behalf. Right excellent, right high and mighty Prince, very
cordially I pray you that you will hold him recommended in
these his affairs; and that from time to time you will ascertain
me and let me know of your good health and prosperity, the

which most singularly and with all my heart I do desire to be
of long continuance as in manner mine own. And tor my part,
whensoever I may find fit bearer, I am entirely resolved to do the

like for you.
Furthermore, on your signifying if there he anything here,
in the which I may do you honour and pleasure, I will take the
pains to satisfy you therein with all my heart, with the help of
our Lord, whom I pray, right high, right excellent and mighty
Prince, give you good life and long.

Written at the manor of Greenwich, the yih day of April,
Your humble cousin,


Tuesday, May 12, 2009

Choices choices

On Twitter today I saw a thread between Nishant and others bemoaning the negative impact of Twitter on their blog statistics (posting not readers).

I see the effect on my blogging as well. Why go to the effort of a 1 minute blog post when a 30 sec tweet can scratch the itch?

For myself, I think I need to define some criteria to help me assess when a given topic warrants the 'weight & complexity' of a full blog post, or is such that the 'lightweight & open' Twitter will suffice.

Hmmm. Might be able to apply those sort of criteria elsewhere....

Monday, May 11, 2009

AA not AAA

Hey Phil, how about a variation of this for a KNX use case?

Problem drinker (intentionally) gets a card from AA, KNX scripts filter his web content to remove any ads for booze.

All the other 12 step programs would issue their own cards to their members.

Addictive personalities could get hybrid cards as an efficiency.

Thursday, May 07, 2009

Buy page area, they aren't making any more of it (well not enough)

Phil responded to my post with his own balanced analysis comparing GreaseMonkey and the KNX model for page augmentation/customization. I don't doubt that the KNX model is more powerful, secure and flexible than GreaseMonkey - my original point was only that it was evolutionary more than .... well you know.

Whatever mechanism you use to augment/annotate the page at the browser, there is only so much page real-estate to go around.

I upgraded my version of Xmarks, a Firefox extension that syncs bookmarks across multiple browsers and afterwards saw the following on Google's search page.

The blue icon is the extension's 'Smart Search', appending its own links to Google's search results page based on some criteria I know not what. It snuck onto my page.

Makes me wonder how many different extensions, GreaseMonkey scripts, and information cards/selectors are going to be fighting for those precious few square centimetres (even fewer square inches) of real-estate besides the search results.

How will the user manage these? Cards, if grouped into personas (e.g. I'm in shopping mode), could be useful.

Also makes me think there is a market for SAO - search augmentation optimization.


Wednesday, May 06, 2009

OAuth & OpenID CX

Nat Sakimura lays out the similarities and differences between OAuth and the proposed OpenID Contract Exchange extension, and argues that CX, even though using a similar protocol flow, is not vulnerable to OAuth's Session Fixation attack - this because CX makes identities explicit where OAuth doesn't.

Of course, making identities explicit is pretty straight forward when you're using a global identifier - gets alot messier if you want to inhibit correlation through pairwise pseudonyms.

Question 3

Concordia's survey on federation technologies & deployments is here.

I find the results for the third question most interesting
3. How many identity-based federated relationships do you have?
A. As a Service Provider / Relying Party?
                 a. One     7
                 b. Two to Ten   42 
                 c. More than Ten    21
B. As an Identity Provider?
                 a. One      11
                 b. Two to Ten   34
                 c. More than Ten  27
21 and 27 respondents have more than 10 federation partners, when acting as an SP and IDP respectively. So much for small deployments with limited numbers of partners.

It would be interesting to see how many OPs participated in the survey as that could skew the 'as an Identity Provider' number. Regardless, it's the comparably high 'as a Service Provider' value that indicates federation is passing the ultimate test.

One aspect of Question 4 confuses me. What does it mean to have a 'federation operator' when the federation topology is 'bilateral/explicit'? What value does the federation operator provide when agreements are bilateral? Legal templates? Dispute resolution?

What would the deductible be?

On the Concordia call yesterday, we discussed the relevance of a survey around assurance (e.g. what do people understand it to be, what are the preferred frameworks, etc) - motivated in part to determine whether the poster child of LOA, NIST 800 63, is actually the assurance model that RPs would choose (if other pressures didn't impose it).

NIST 800 63 is meant to provide (indirectly) to SP/RPs information about the processes and technologies used by the IdP making some claim/statement about a subject - this info presumably useful to the RP deciding whether or not to accept the claim.

What other sort of information would help to convince an RP to accept the assertions of an IdP, if not an (abstracted) glimpse into the IdP's identity infrastructure?

If an RP felt it was adequately protected against any damages that would arise from a 'bad' claim, would it care about the IdP's processes? Claim insurance (filing a claim could get confusing)?

A number of analogies with sexual partner selection, undesirable consequences, and protection mechanisms spring to mind.

Tuesday, May 05, 2009

Breakfast in bed? Pah!

Well I know two mothers who are going to be pretty darn happy come this Sunday morning.

Friday, May 01, 2009

Snakes and Ladders

The level of assurance  (LoA) an SP/RP can ascribe to the assertions of an IDP/OP is determined by a number of factors- some of which, with respect to an SPs ability to ask for them to be changed, are fixed, and some mutable.

The fixed factors are those that the IdP, even if asked by an SP to modify in order to increase assurance, can't realistically change. Things like how the identity was proofed, how the credentials were issued, how the certification audit was performed etc.  While on any given SAML Authn Request, an SP can ask that the IdP follow greater rigor in the identity proofing process for a given identity, it shouldn't hold its breath waiting for the response (as it will take some time to get the user to come to the office and show their passport).

The mutable factors that impact assurance are those for which it is meaningful for the SP to ask for the OP to do something differently in order to increase the resultant assurance. How the user authenticates to the OP is the best (perhaps only?) example. Maybe asking to switch to a different federation protocol is another.

LoA depend on both fixed and mutable factors.


Because in run-time (ie at the time of the authentication request) an SP can only ask for (by definition) changes to the mutable factors, any run-time movement in the above 'assurance space' can only be along the horizontal axis. There are snakes to take you sideways, but no ladders to move you higher.

The fact that you can only move sideways in assurance space at run-time has consequences for LoA. If you want to be able to transition from one level to a higher level at run-time, the point in assurance space from where you start must already meet the criteria of the higher level (because there is no 'ladder' you can climb at run-time to move up).

You can see this in the following diagram. Starting point 1 exceeds the threshold of LoA 1 for both the fixed and mutable factors. But, after we move sideways in assurance space (by the SP requesting and getting a stronger authentication etc) so that the threshold for the mutable factors exceeds LoA2, the assurance from the fixed factors has not changed. Consequently, the ending position in assurance space does not meet the fixed threshold for LoA2, nor consequently the combined threshold.

Even though the assurance from the mutable factors increased, that of the fixed factors prevents the combination from jumping to the next LoA.

Starting point #2 however, because it already exceeds the fixed threshold for LoA2, does not prevent a transition from LoA1 to LoA2 if a move sideways along the mutable axes allows it.

The moral of the story? Ayn Rand said it for me

"The ladder of success is best climbed by stepping on the rungs of opportunity."