Saturday, September 30, 2006

Conor's Bi (directional argument)

I'm sure he would have preferred to actually get in and invoke 'editorial privileges' to modify my post but Conor has settled for a response.

While I'll admit there's a certain level of consistency to Paul's proposal, I still think that the right way is to put the identifier in the NameID value rather than the SPProvidedID. My reasons include:
* The NameID carries the value chosen by the "IdP" to represent the user at the "SP". In this case, the Former-SP-Now-Acting-As-An-IdP has chosen to use the identifier that it had received from the Former-IdP-Now-Acting-As-An-SP. Therefore that value belongs in the NameID elementnot in the SPProvidedID attribute.
The other interpretation is that, when playing their initial roles, the SP and IDP made the following commitment to each other:

SP: Dear IDP, when I communicate with you I will use the 'abc' identifier (in the NameID) that you created for me.
IDP: Dear SP, when I communicate with you I will use the 'def' identifier (in the SPProvidedID) that you created for me.

The question is, does this commitment still apply when the two providers switch roles?

Conor will argue that the initial commitment is more along the lines of:

SP: Dear IDP, when I (acting as an SP) communicate with you I will use the 'abc' identifier (in the NameID) that you created for me. When however I (acting as an IDP) might communicate with you, I will use the 'def' identifier (in the NameID) that I created for you.
IDP: Dear SP, when I (acting as an IDP) communicate with you I will use the 'def' identifier (in the SPProvidedID) that you created for me. When however I (acting as an SP) might communicate with you, I will use the 'abc' identifier that I created for you.

I don't know which it is (and don't really care). I just don't believe its straighforward to infer the right choice from the specs.

* The SAML 2.0 Core Specification does not allow for a null value in a persistent identifier (see section 8.3.7).

I wasn't arguing that the Former-SP-Now-Acting-As-An-IDP should insert the null string, but rather that consistency with the double identifier case as he laid it out forced it to. More precisely, consistency with the double identifier case required it to insert the identifier previously created by the Former-IdP-Now-Acting-As-An-SP in the SPProvidedID attribute, and that it had no other identifier to place in the NameID element - thus 'null'.

So, consistency between the single and double identifier cases breaks SAML (as SAML doesn't define a null.

Reductio ad absurdum.

* Lines 3326-3332 and 3350-3356 of the SAML 2.0 Core Specification actually discuss the case of an SP using the same identifier provided to it by an IdP when that SP-now-acting-an-IdP issues assertions pointing out that they would need to identify the original issuing party using the NameQualifier attribute.
As I read them, these two paragraphs from the SAML spec require that the Former-SP-Now-Acting-As-An-IDP, if they use an identifier initially created by the Former-IDP-Now-Acting-As-An-SP, to use the NameQualifier attribute. So, the example from my first response was incorrect, it should have been

<saml2:NameID Format="persistent" SPProvidedID="def" NameQualifer="">
Ironically, I believe that this sentence (Line 3352):
If a service provider that receives such an identifier takes on the role of an identity provider and issues its own assertion containing that identifier, the NameQualifier attribute value does not change (and would of course not be omitted).
supports my model as it implies that the SP, in a reverse assertion, would use (in the NameID element) the identifier previously created by the IDP, and not the identifier it has previously created.

Badges? we don't need no stinkin' badges

Central Scrutinizer proposes a new twist for those 'Web 2.0'y badges

Identity start-ups should not be ignored.

Friday, September 29, 2006

Never Say Never

I don't have quite the same amount of faith as Bavo De Ridder does in Liberty Alliance's new intro to our specification set.

I know I've heard 'recalculating' countless times from another system that makes the same claim.

Let your users do the walking

Wired has an article on how map data companies get their information. Assuming sufficiently accurate GPS data from a phone or PDA, they could get real-time data from users themselves.

Maybe everytime a user alerts the system to the status of a road changing, they get 50 cents off their morning coffee. Extra points for new road construction. You'd need a Karma-like reputation system or rely on duplicate reports.

When in Rome

I'm reading through the OpenID Authentication Service, which profiles how to use XRI and OpenID together.

The initial document metadata leaves no doubt that this doc is coming from XRI enthusiasts/advocates.

Fair enough, they are eating their own dogfood (no pejorative connotation intended).

Interestingly, although Drummond Reed is also an editor of the comparable document profiling how XRI and SAML can be composed (XDI SAML Authentication Service), in that document's metadata, he goes by just plain ol' 'Drummond Reed, Cordance'.

Drummond appears to be managing his identity just fine - choosing the right persona for the particular context. And he's not even using desktop software.

Thursday, September 28, 2006

Give me a 'P'!

A certain unnamed business class traveller alerted me to the fact that, if you closed one eye and leaned sideways, his upcoming travel itinerary spelled out a 'C' when mapped onto the globe.

I hereby vow to fly IAD-SFO-YVR-YYC-DEN-SFO before I die.

Bi-directional federation in SAML

Conor proposes a model by which the federated identifier(s) established in one "direction" can be made to serve double duty in the other direction.

For instance, if an IDP and SP agree to use 'abc' whenever they communicate in order to refer to a particular user (either in an IDP Response or some SP message), then that same identifier could be used were the two to switch roles. So, if the SP (acting as an IDP) were to issue an Assertion for the user in question, the SP would use 'abc' in its NameID rather than some other identifier that the two providers might feel the need to establish for this direction).

Seems to make sense.

But if, instead of there being a single federated identifier 'abc' for the user between the two providers, as will happen if the SP avails itself of its right to specify 'def' as the identifier (called the SPProvidedID) it desires the IDP use when referring to the user, then things don't seem as clear.

Conor recommends that, in this case, when the SP switches roles and creates an Assertion for the user to be delivered to the IDP, the SP also effectively switch identifiers, and use that identifier it previously specified as the SPProvidedID as the primary identifier. So, the NameID of the reverse direction Assertion would look like

<saml2:NameID Format="persistent" SPProvidedID="abc">
This model can be justified because the 'abc' identifier was initially generated by the IDP (but now consuming it playing the role of an SP). So, placing it in the SPProvidedID attribute makes sense. In this model, providers use the identifiers appropriate to whatever current role they are playing, rather than whatever role they might have been playing when the id was established.

Problem is, I think the alternative option, in which providers, once they've agreed upon an identifier(s) to use, use that identifier regardless of the roles they may find themselves playing in the future. In this case, because the two providers initially agreed that, when communicating from the SP to the IDP, the 'abc' identifier is the right one to use, the SP would do just that in its Assertion to the IDP. Consequently, the NameID would be the mirror image of the above

<saml2:NameID Format="persistent" SPProvidedID="def">
There is I think justification for this model in trying to stay consistent with the case where there is only the single 'abc' identifier. For this case, to be consistent with the model where the choice (and location) of an identifier is determined by the current role of the provider using it, then the NameID in the reverse direction would necessarily appear as:

<saml2:NameID Format="persistent" SPProvidedID="abc">
As it was the IDP that originally created the 'abc' identifier, then (when acting as an SP) that identifier needs to appear in the SPProvidedID attribute of the reverse Assertion (phew, say that 5 times fast). And, because the SP had never generated its own identifier to give to the IDP, it has to insert 'null' as the value of the NameID element. But, the above is different than what Conor proposes for this simple single identifier case.

Conor appears to acknowledge the choice, as he writes:

With that minor understanding, the remaining SAML 2.0 profiles, including Browser SSO, all work out-of the box bi-directionally.

Tokyo Liberty Alliance Day 2006

I'm looking forward to participating in the Liberty Alliance Day 2006 in Tokyo on October 30th. I'll be presenting the Liberty Alliance People Service.

I have to work in the 'Web 2.0' theme/meme into my existing material. Liberal sprinklings of 'mashup' and 'remix' should get me close. Must remember to get a 'long-tail' graphic.

I'm not looking forward to the air travel for this trip quite so much (I did have the option of a much shorter itinerary but couldn't resist the somewhat toroidal shape of this set of flights).

Taking pictures of the various economy traytables I will be sitting behind will consume, oh perhaps, 1 minute of the total 40 hours of flying time. No matter, I find the pain from my knees hitting the aformentioned seat backs makes the time just fly by.


FutureMe allows people to send email messages to themselves at some designated time in the future. Depending on how far forward into the future the send time is set, it's either a reminder service or a personalized time capsule service.

The FAQ attempts to address a fundamental issue with the time-capsule model:

but what if i don't have the same e-mail address in the future?

a possibility for sure. we recommend using an address with some potential for longevity (hotmail, yahoo, your own domain). in addition, we created a account management system so that you can change the addresses of your future letters. (though that's kind of cheating.)
I expect the XRI people would have something to say about this.

When I signed up for an account (Conor, do these sort of test accounts count towards my total?) I specified an email address (which was not verified). When I attempted to use the system to send a future message, I provided a different address to see if I would be allowed. I was. Consequently, I can send into the future helpful 'reminders' to my friends and colleagues.

Examples might include 'Hey, if you owe Paul any money it's time to pay up' or 'Are you still taking credit for the work of your Liberty Alliance colleagues?". Endless fun ahead for me.

Unrelated, I love the disengenuity of the following:

how can i make a cash payment to said fellas for providing such a nifty service?

we're glad you asked. we've set up an amazon honor system thing. it's fresh. you can use paypal too if you'd prefer. they take less money away. see, if you donate a tiny amount of money, we spend less of our money. FutureMe is a free service and will remain so, but it does cost us a bit of cash to maintain the site and ensure proper delivery of your so-very-precious future letters.
Fair enough except for this from the privacy policy:

it is important to recognize that "public letters" submitted on become solely the property of reserves the right to edit and reproduce any "public letters" as the sole copyright holder (i.e. we're putting together a book and it's very exciting).
So, while we are waiting for the book royalties to come in we'd appreciate some micro-love sent our way.

Wednesday, September 27, 2006

Identity systems as fried pastries

Pete (like Mark before him) jumps on the toroidal shape I used to depict the "spatial scope" of identity systems.

All I can say is that these shapes, misleading as they may be, are better than my first attempts at 3D drawing.

Speaking of Canadian pastries, Tim Hortons sells Timbits, tiny 'bite-sized' donuts. Timbits are sometimes presented (by me at least) as the remnants of the donut manufacturing process - the mythical 'bit' from the middle that would be otherwise discarded.

An offering of questionable value and necessity made viable by positioning in opposition to a well-established existing solution - purportedly filling holes in these existing alternatives? I'm just glad the identity standards industry is beyond such shenanigans.

Tuesday, September 26, 2006

There has to be an identity analogy

From Boing Boing, a mechanism for ensuring the security of checked luggage.

What could you put in a SAML Assertion to ensure that nobody would try to peek inside? Maybe Bush's inaugural speech? Village People lyrics?

I know a Base-64 encoded pic of Celine Dion would keep me and 25 million Canadians out.

Liberty Alliance top ground

Pam had previously pointed out the deficiencies with the Liberty Alliance Web site, implicitly asking 'Where's the Beef?'.

At the time, I hinted that a new version of the Liberty Alliance site was coming that would hopefully address the concerns she raised. Well it came.

Worth noting in the new site:

Monday, September 25, 2006

2d is just sooo last year

My friend Patrick Harding from Ping ID has blogged a nice graphic in which he plots various identity protocols onto a 2D grid.

I question the boundaries and positioning of many of Patrick's ellipses:
  • SAML's ability to cover the user-centric use cases is minimized.
  • Cardspace's relevance to the enterprise is marginalized.
  • Managed Cardspace is shown as enabling more valuable transactions than SAML.
  • Liberty WSF isn't shown.
  • The extreme of the 'user-centricity' axis is typified by 'self-asserted identity (suggesting to me that 3rd party asserted identity is somehow incompatible with "pure" user-centrism)
Regardless of the details (Patrick and I have disagreed before) I think such diagrams are valuable in providing a framework for discussion. So, I was prompted to update my own similar analysis and plot another "identity system" onto the 3 (yes Patrick, 3, count 'em) axes I proposed.

Consequently, below is a plot for the SAML 2.0 Enhanced Client Profile (ECP), distinguished by:
  1. how identity flows 'through' the user agent and thereby enables direct control by the user
  2. the possibility of an asymmetric relationship between the SP and the IDP (as the client can mediate)

By any definition I've seen, SAML ECP is user-centric and so, at minimum, the SAML ellipse in Patrick's diagram should be streched to the right (and a separate, much smaller, ellipse created for WS-Fed, maybe used a dotted line).

Blog names I'd like to see





Saturday, September 23, 2006

An apt description of our relationship

Conor giving me a hard time (in his own words).

I have to stop blogging about him. He's like a sore tooth that you can't help probing.

With my choice of words for that last sentence, and knowing how his minds works, I do realize I have guaranteed myself a follow up.

Friday, September 22, 2006


I've been really happy with my Vonage VoIP service. So, I was willing to fill out a survey to which they sent me a link (the promised $5 discount helped) even it was presented by a 3rd party named Intellicontact.

I was giving Vonage high points with my answers ... until I saw the last two requests for info.

On some machine at Intellicontact, a process lies dormant, patiently waiting for survey data to be submitted.

I won't give away the ending

There is a line in Lucky Number Slevin (an excellent movie by the way) in which the Rabbi says:
Names, even made up ones, can bring about quite a bit of trouble.
This reads like a line from a Liberty best practices document.

Thursday, September 21, 2006

Definition of Serendipity

Notwithstanding the excellent food & drink, getting together with Liberty friends, nice progress on our specification development, and interesting demonstrations and feedback from a number of Liberty implementations, this on its own would have made my trip to Paris all worthwhile.

New French Smoking Laws

Compared to my last visit to Paris 4 years ago, it seems that France has relaxed its smoking laws.

What had been a MUST (as in 'everybody MUST smoke') appears to have been loosened to a SHOULD.

Wednesday, September 20, 2006

That's not a knife

And neither is this much of an Eiffel Tower picture.

Now this is a picture of the Eiffel Tower.

Conor's picture is derivative and bland, mine is innovative and daring. Much like how we go about our Liberty specification work. I expect that Conor will somehow now make mods to my picture, claiming 'Editor Prerogative'.

Saturday, September 16, 2006

I am at liberty to comment

Or, more precisely, I will be at liberty to comment (and deride) in 3 days.

The Liberty Alliance Technology Expert Group is meeting at France Telecom facilities in Paris.

Sync-ups with Egalite and Fraternite are planned.

Friday, September 15, 2006

My Frequent Flyer Sensei

Conor complains about a United miles promotion.

It's a tough call but I'd venture that Conor might have even more expertise and insight on the subject of business travel than he does on identity (although he does get 'awards' in both domains).

Amazingly, he is also equally opinionated in both. Do normal people care whether they sit on the left or right-hand side of the plane? Conor appears to (and I bet he has statistics to justify his preference).

Thursday, September 14, 2006

They must want me to call them

I'm trying to reset a password on a site I don't use much and I see the following

The Q&A would have been previously supplied by myself sometime ago.

Unfortunately, for each Q, there are a couple of possible A's that I might have provided. For instance, I was born in Moscow but maybe I entered 'Russia' or 'USSR'. Who knows. The same for the questions about names, did I enter full names or shorter versions?

So, since each Q has at least two variant A's, and they give no hints as to which A is wrong, the odds are 1 in 8 that I, the valid account holder, will be able to reset without calling them for help (or spending the time trying the permutations).

The help desk staff must have a strong union protecting themselves from redundancy layoffs.

No visible signs of support

The virus scanning from my email provider has been flaky lately. When I asked for support, the message below was their response:

This is either the worst support response ever or a diabolically clever interactive phish.

The user has 2 pages of instructions thrown at them, the only one that they can easily perform is the 'provide user name and password' step. It's even first in the list to make sure Vern from Mattawa sees it. "Well jee wiz, why don't I do #1 and see how that helps".

Dear Paul Madsen,

Thank-you for your email. We strive to provide you with the highest level of customer support, and hope we can be of assistance in addressing your questions.

We understand your concern.

Please confirm the following so we can determine the source of the

1. Username and Password being used to download the software
2. Exact error message received and at what step in the process
3. Steps taken that led to this error and the step where the error is
4. Operating System and the version of the browser being used
5. Do you have any firewall software installed?
6. Any other anti-virus software installed prior to installing YOP and
has it been removed?
7. Please ensure that your proxies are disabled and that Active X is
8. Any changes were made on computer prior to the occurrence of the
issue (for example: Windows updates or software install/removal)
9. All information from WINIPCFG or IPCONFIG (PC IP,DNS Server IP's,
DHCP Server IP, Hostname, Nic mac address, Lease times)


For details on Active X, please refer to the URL shown below. Also, you
may refer to Microsoft at (905) 568-4494.;en-us;154544

To turn proxies off using I.E.:


2) Click on the CONNECTION tab near the top of the window.

3) Click the LAN SETTINGS button.

4) Click the ADVANCED button.

5) Make sure that all of the address fields are clear and click on OK

6) A dialog box will appear asking if you do not want to use a proxy
server. This is normal - click on YES.

7) Click OK.

Your connection to the proxy server should now be disabled.


To view your IP configuration settings, run the 'winipcfg' utility
provided by Windows 95/98/ME. To do this, follow the steps below:

1. Click on START then RUN...
2. In the RUN... dialogue box, enter the following command:

'winipcfg' (without the quotations)

3. This will display an IP Configuration window. At the top of this
window, there is a drop down box that allows you to specify a hardware
device. Make sure you select your Ethernet Adapter (and not your PPP
adapter for instance).

4. Once you have selected your network card (your ethernet adapter),
your IP information will be displayed in the boxes below. Click the MORE
INFO button to view all the configuration information.

5. Once you have released and renewed your IP configuration, click OK to
close the IP Configuration window.


If you are running Win2000 or Win XP, you must first goto the command
prompt by following the options below:

1. Click START - RUN , and then type 'CMD' and press Enter.

2. At the command prompt, type "IPCONFIG /ALL" (to view IP address).
3. At the command prompt, type "IPCONFIG /RELEASE" (to release IP).
4. At the command prompt, type "IPCONFIG /RENEW" (to renew IP).
5. At the command prompt type "EXIT" (to exit back to the desktop).


In addition, please ensure that you have the following minimum system

Windows 98SE, Windows 2000, or Windows XP
Internet Explorer 6.0 (or later) with ActiveX enabled or Rogers Yahoo!
Browser 3.0 (or later) with ActiveX enabled
350MB free hard disk space
RAM: 196MB for Windows 98SE and Windows 2000; 256MB for Windows XP
Network Access via Rogers Yahoo! for Broadband

To install further requires:

Administrator rights on intended computer
All other antivirus software must first be removed

If you have any further questions or comments regarding our service,
please fill out the online form on our Customer Support page listed
below or contact us by phone at ...

Electronic Support Group

Thursday, September 07, 2006

Would it even things up

if I blogged only with my left hand?

I'm trying to think of ways by which I can give Conor a fair chance at approaching my blog readership lead (thanks for the link Mom!). His latest response convinces me that something is necessary.

So far, I've come up with the following possibilities
  1. switch the blog focus to fly fishing
  2. start a charity for the 'interesting challenged'
  3. pay neighborhood kids to create blogs that link to him
  4. vow to not use vowels in my posts
But, come to think of it, I think I'll just continue to pad my lead. It'll be all over when Kim eventually reaches down and creates a 'pity-link' in his blog roll to the guy.

Wednesday, September 06, 2006

In the spirit of pointless bit flow

My travelling colleagues and I are proud to announce TrayTable.

Take a look, you might recognize some of them.

Whether or not you do, you'll definitely recognize the cramped feeling (notwithstanding Conor's ridiculously frequent upgrades).

Jamie Murray (1973 - 2006)

I lost my brother-in-law and friend last week. As they say in the Ottawa Valley, he 'took a heart attack'. At 33 years of age. The world seems a whole lot more perverse than before.

I like to argue, learn new things, drink beer, and build things. Jamie was a willing and able partner in all these. He was also the best damn Uncle to my kids that could be spec'd out.

The doctors tell us it could have happened while he was pumping gas or filling out a Web form - neither a fitting end to a life of activity and love. Jamie died in his treasured boat after wake boarding on the river he loved, surrounded by the nieces and nephews that adored him, and close to his wife and family.

I will continue to argue, learn, drink beer and build sheds at the cottage. It just won't be as fun.

My lead feels safe

In his first salvo of the 'Great Blog Readership War', Conor fires off

a) a stirring account of how he fixed his kitchen drawer.
b) a hard & driving story describing his purchase and plans for some computer equipment.

I expect we'll next hear about some problem with his farm tractor that he was able to repair with a USB cable and a patch made from chewed-up Cheerios paste.

Blatant attempt at targetted marketing for those searching on 'hardware'. He can have them - my readers pay their "people" to fix & install things. Much like the distinction between 'Jeopardy' and 'Who Wants to be a Millionaire' demographics.

I think I can safely take the week off from any further posts. Or the month. Maybe just start up again in January. I do need to ensure that I'm active before the Internet makes it to Ireland - Conor's numbers will jump when his relatives get online.

Note: I choose to believe that it was coincidence that Conor chose his blog address to begin with 'C O N' - the same three letters as does mine. Not intentional typo squatting I'm sure. I might have to revisit this opinion if Conor's metrics (number of linking blogs and Technorati rank) pass mine.