Monday, December 24, 2007


5 yr old to me: So, is Keon (best friend) home from her trip?

Me to 5 yr old: No, she is still in Toronto. She won't be back till after Christmas.

5 yr old to me: So, she won't be at home for Christmas? How will Santa know where to bring her presents?

Me to 5 yr old: Geolocation.

5 yr old to me: Oh, so Keon added Santa to her People Service - so that he could be granted access to her various identity services like geolocation in a controlled & privacy-respecting manner?
Me to 5 yr old: Don't tell your brothers but you are my favourite.

Fah who foraze! Dah who doraze!

When providers are young, federated identity is all about the assertions they get. They wake up each morning excited about just what identity they'll receive that day, hoping for that shiny new red attribute they saw in the catalogue.

As providers mature however, they realize that it's actually giving identity that matters - the pleasure an IDP enjoys in seeing the face of an SP light up as they unwrap a claim, the satisfaction of choosing attributes wisely.

Myself I'm still an SP at heart.

Saturday, December 22, 2007

I stand (somewhat) corrected

In a comment to my 'It's not just mashups' post, Wesabe's Marc Hedlund corrects me

Unlike all of the other companies you mentioned, we do *not* require you to give us your bank or credit card usernames, passwords, or account numbers in order to use our service. We allow you to upload a file downloaded from your bank -- in which case no software but the bank has your password -- or use one of our downloadable agents, the Wesabe Uploaders, which store your passwords on your own computer.

The export/import model may be appropriate for Wesabe's model of exploring the broad patterns in your finances, but I (as a consumer) want real-time aggregated numbers.

Update: it seems that Wesabe does support dynamic update - through a desktop tool. I should do some research ....
In a separate comment, Yodlee's Jordan appears to blame the banks

The challenge is having the large financial institutions of the world understand that there is a compelling driver for them to support these new technologies.

but cites a willingness to change
Yodlee is an innovative technology company and we are always pushing towards the best and most secure way to do things and we are able to implement quickly.

Friday, December 21, 2007


By allowing me to create meaningful content like this, my new tablet has more than justified its cost.

It's not just mashups

Web 2.0ish mash-ups seem to get all the attention for the (dubious) authentication model in which users must provide their account credentials at some 3rd party site in order to allow the mashing site to access their data there.

If the data being pulled is inane or worthless, you might even be able to defend the model (until you realize how people reuse passwords across sites of different sensitivity).

Yodlee, Geezio, Mint, and Wesabe all use this 3rd party authentication model, but for financial data.

All profess to be 'obsessed with security'. Not surprising.

They all need to look at ID-WSF or OAuth.

Thursday, December 20, 2007

LiMo Foundation

A colleague gave me the Coles/Cliffs Notes summary of the LiMo Foundation

Android is to LiMo as Passport was to Liberty Alliance

If so, I predict that, in 3-4 years, LiMo'ites will be saying
"It's a gross over-simplification to say that we were formed to counter Android"


George climbs down off his SOAP box to count a number of recent proposals for various types of discovery.

Given the numbers, it seems clear that we need a meta-discovery mechanism, i.e. how to discover the latest discovery proposal.

Do other identity bloggers

have Olympic medalists leaving comments?

No, I thought not.

Wednesday, December 19, 2007

In other words

The 'Identity Law of Minimal Disclosure' can be summed up as

Least said, soonest mended

China Syndrome

Robin's analogy for PII half-life makes me think of the China Syndrome - the hypothetical consequence of the escape of fissionable material from a nuclear reactor core.

If PII 'burns through' the containment vessel, will it end up in China?

Given the ever increasing amount of Russian spam I get, I'd guess an address somewhat to the West.

More Identity Management for Indoor Rowing

My son and I are participating in an indoor rowing Concept 2 Holiday Challenge, each of us attempting to row a certain distance before midnight on Dec 24.

My goal is 200km, but as 100km is a milestone for some, when I crossed that threshold my challenge page added a link from which I could download a Certificate acknowledging the accomplishment.

The URL for the 100k certificate looks like *******/challenge/holchal/HRC07_100cert.pdf

On a whim, I replaced '100' with '200' in the above and tried the resulting address. The URL worked and rewarded me with a nice 200k certificate.

Given that nothing prevents someone from completely fabricating their rowing distances, this is not an egregious security hole.
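The certificate URL above is a resource identifier where the only variable part is the milestone, so the path alone decides what gets served. As an added example (not code from the Concept 2 site or from the original post), here is one way a server can mint milestone links only for distances actually logged, and refuse a path whose milestone has been edited. The athlete id, the `LOGGED_KM` record and the signing key are constructed for the example; the path pattern is the one shown in the post.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state for the example: athlete id -> kilometres logged.
LOGGED_KM = {"athlete-42": 112.5}

# Hypothetical signing key; a real deployment would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

CERT_PREFIX = "/challenge/holchal/HRC07_"
CERT_SUFFIX = "cert.pdf"


def predictable_cert_path(km: int) -> str:
    """The pattern from the post: the milestone is the only variable part,
    so anyone can write down the 200k path without having rowed 200k."""
    return f"{CERT_PREFIX}{km}{CERT_SUFFIX}"


def _tag(athlete_id: str, km: int) -> str:
    """HMAC over athlete AND milestone, so a tag for 100k cannot be reused for 200k."""
    return hmac.new(SIGNING_KEY, f"{athlete_id}:{km}".encode(), hashlib.sha256).hexdigest()


def issue_cert_url(athlete_id: str, km: int) -> Optional[str]:
    """Server side: only mint a link for a milestone the athlete has reached."""
    if LOGGED_KM.get(athlete_id, 0) < km:
        return None
    return f"{predictable_cert_path(km)}?athlete={athlete_id}&sig={_tag(athlete_id, km)}"


def serve_cert(url: str) -> Tuple[int, str]:
    """Server side: verify the signature AND re-check the distance before serving.
    Returns an (HTTP status, body) pair."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    athlete = query.get("athlete", [""])[0]
    sig = query.get("sig", [""])[0]

    if not (parts.path.startswith(CERT_PREFIX) and parts.path.endswith(CERT_SUFFIX)):
        return 404, "unknown certificate"
    try:
        km = int(parts.path[len(CERT_PREFIX):-len(CERT_SUFFIX)])
    except ValueError:
        return 404, "unknown certificate"

    # Constant-time comparison; an edited milestone or athlete id fails here.
    if not hmac.compare_digest(sig, _tag(athlete, km)):
        return 403, "bad or missing signature"
    # Belt and braces: a correctly signed link for a milestone later revised
    # downwards (or minted by a buggy issuer) still should not be served.
    if LOGGED_KM.get(athlete, 0) < km:
        return 403, "milestone not reached"
    return 200, f"{km}k certificate for {athlete}"
```

The page's own caveat still applies: since the distances are self-reported, this only stops the URL edit, not a fabricated log. What it does enforce is that the artefact is handed out by the same logic that decides whether the milestone was earned, rather than by whatever number appears in the path.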

People Service & Last Minute Shopping

I'm scrambling to get a last-minute Xmas gift for my 10 yr old: a Lego Mindstorms NXT book.

The book store can guarantee it will arrive in time, but only if I ship it to an address in Toronto.

I do not live in Toronto. My brother does live in Toronto. My family will be seeing his family at my parents.

An idea begins to form.

As it is, I can make this happen by providing my brother's address (I've already sent the email asking him; this is easier than searching through my wife's daytimer) by hand to the book store as an alternate 'Use this address'.

Much preferable would be for the book store to get my brother's address on its own. A sequence that would accomplish this is

1) discover and query my People Service
2) show me a list of possible 'shipping recipients'
3) once I choose my Toronto-based brother, discover and query his personal profile service for his address
4) ship book
5) create me a nice card to give to my son on the 25th, saying 'Be patient, your uncle has the NXT book'.

Xmas Card(s)


An email exchange with a colleague after a shared conference call

Friend to me: Why aren’t you on IM? Or have you blocked me from seeing you?

Me to friend: I don't have the IM client that speaks AIM as an auto start.

do you not use Skype?

Friend to me: Not very often. AIM, Yahoo messenger and google AIM are the 3 that I have up/running most often.

But for my colleague's apparent neediness and the resultant suggestion of stalking, this reads like two partners contemplating federated identity operations exchanging metadata to determine how best to communicate.

Tuesday, December 18, 2007

A Certain Irony

There is a certain irony to using Sxipper to manage authentication to the site.

It took me a while to get it to work. Some time ago I had turned off Firefox's Password Manager (but not cleaned out already saved data). After that, I installed Sxipper and it worked quite happily with the existing store of account names and passwords. It was the first site I've created a new account at since turning off the Firefox feature, so Sxipper was understandably lost.

Monday, December 17, 2007

SSOCircle & Google

Daniel describes how SSOCircle and Google use SAML for SSO.

A video version

p.s. in the past week, I've received 3 comments for the above video, all bitching about the sound quality.

As I see it, I have two choices for dealing with the complaints. The first is to take the criticism as constructive advice and invest in a better microphone and learn a bit about recording levels etc.

Alternatively, I can just block the commenters. Hmmm ...

The microphone I have seems fine.

Promiscuity Linked to Small Brains

In species where females are sexually promiscuous there is an evolutionary advantage for the males to have large testes capable of generating large amounts of sperm. If a male is uncertain about the constancy or duration of a female's affections, there will be strong motivation for him to ensure against some subsequent competitor sneaking in at the wire and impregnating the female, by choosing 'quantity over quality'.

Nothing portrays this more clearly than the following diagram of the relative sizes of body, penis and testicle size (also showing relative body, breast, and ovary size for females)

Chimpanzees are promiscuous, and their testicles are many times larger than those of gorillas, in which a single dominant male has exclusive access to a "harem" of females. Because the male gorilla does not worry about (day to day) competition, he need not invest excessive energy creating sperm through growing large testicles. Human testicles are intermediate in size (on average of course).

A study of testicle size in bats produced similar results. In the study, a team looked at testicle and brain size in 334 different species of bat. They determined that the size of testicles increased markedly in species with promiscuous females, and that the males' brains were correspondingly smaller.

All else being equal, an animal has to choose between making sperm and making brain cells - there is no free lunch. For those species that choose the former in order to protect their genetic interests in the face of loose females, the males' brain size 'shrinks' accordingly.

The reader can draw their own conclusions as to the relevance of these studies to identity system trust models.

Project Concordia Screencast

An experiment with my new tablet device

The screencast (with no audio) shows the flow of a Concordia use case showing a SAML domain connected to an Infocard domain - a user authenticating with a managed card followed by SAML-based SSO. The hybrid Infocard RP/SAML IDP in the middle is the glue.

The interesting piece of the scenario (to be demoed at RSA in April) is determining how 'authentication policy' can persist across the domain boundaries - mapping from SAML's authentication context mechanisms to comparable support in WS-Trust & the card selectors.

Please note the festive colours.

Sunday, December 16, 2007


Ben is thinking about discovery.
when I first arrive at a site, how does it know who I’ve chosen to be my IdP? When I turn up at Unicorns-R-Us, how do they know that they should go to Amazon to verify that I’m logged in and that I’m the same guy as shopped there last time?

This question is, of course, the question of IdP discovery, and although we’re not worrying about it much right now (at least in the user-centric world - I know Liberty has worried about it forever), I predict that we’ll be worrying about it a lot, Real Soon Now.
It's true that the Liberty Alliance did spend time on this sort of discovery, that is, an RP determining where the user can be authenticated. The 'common domain cookie' discovery mechanism that SAML 2.0 now standardizes was first defined in ID-FF (and came into SAML 2.0 when ID-FF was submitted as input).

These days however, Liberty doesn't spend much time thinking about this sort of IDP discovery.

For Liberty, discovery now primarily refers to Unicorns-R-Us, once given an authenticated user through (likely) SAML SSO, determining where the various identity attributes (e.g. profile, calendar, geolocation, social, etc) of that authenticated user can be found. It is through the user's Discovery Service (a sort of personalized identity search engine) that Unicorns-R-Us is able to find these various services, as well as obtain security tokens that can be used to authenticate to those services.

For the most part, Liberty ID-WSF defers to the SSO protocol that precedes it (with the link between the two worlds known as the bootstrap) to deal with the type of IDP discovery Ben is interested in.
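Since the common domain cookie gets a mention, here is what that SAML 2.0 mechanism looks like in code. This is an added example, not code from Liberty, OASIS or the original post: the SAML 2.0 Identity Provider Discovery Profile defines a `_saml_idp` cookie, set in a domain shared by the IdPs, whose value is a space-separated list of base64-encoded IdP entityIDs with the most recently used IdP last. The entityIDs and the SP's trusted-IdP set below are constructed. The part a practitioner should take away is `choose_idp`: the cookie is a hint written by whoever can set cookies in the common domain, so the SP must only ever redirect to an IdP it already trusts.

```python
import base64
from typing import Iterable, List, Optional

# Cookie name fixed by the SAML 2.0 Identity Provider Discovery Profile.
COOKIE_NAME = "_saml_idp"


def read_common_domain_cookie(value: str) -> List[str]:
    """Decode the cookie value into entityIDs, oldest first, skipping malformed entries.
    (Percent-decoding of the raw Cookie header is assumed to have happened already.)"""
    entity_ids = []
    for chunk in value.split(" "):
        if not chunk:
            continue
        try:
            entity_ids.append(base64.b64decode(chunk, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            # A garbage entry should not break discovery for the whole cookie.
            continue
    return entity_ids


def write_common_domain_cookie(existing: Optional[str], entity_id: str) -> str:
    """IdP side: append the IdP just used; an earlier copy of the same IdP is
    dropped so the most recent use is always the last entry."""
    entity_ids = read_common_domain_cookie(existing) if existing else []
    entity_ids = [e for e in entity_ids if e != entity_id] + [entity_id]
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def choose_idp(cookie_value: Optional[str], trusted_idps: Iterable[str]) -> Optional[str]:
    """SP side: prefer the most recently used IdP, but never act on an entityID the SP
    does not already have metadata for. An attacker who can set cookies in the common
    domain can otherwise steer users to an IdP of their choosing."""
    if not cookie_value:
        return None
    trusted = set(trusted_idps)
    for entity_id in reversed(read_common_domain_cookie(cookie_value)):
        if entity_id in trusted:
            return entity_id
    return None
```

If none of the listed IdPs is trusted, the SP falls back to whatever it would have done without the cookie (typically showing its own IdP chooser), which is exactly the behaviour the profile intends: the cookie optimises the common case, it does not extend the SP's trust.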

Flynn Effect

The Flynn Effect is the observed fact that, around the world, average scores on intelligence tests rise from year to year.

Lest you think we are getting collectively smarter, please consider the counter evidence.

If people aren't getting smarter, then the tests must be getting easier. One explanation for the rising scores comes from Ulric Neisser, who argues that the scores are climbing because of the tests' reliance on visual questions, and the familiarity of test subjects with such material from an ever more visual world.
Schoolchildren of all ages devote far more time to visual "projects" today than they did a generation ago.

So people aren't smarter across the board, just in those aspects of intelligence that IQ tests find easiest to test.

When talking about the usability of identity systems, you'll often hear somebody say something along the lines of
It has to work for my Mother

the idea being that older web users may have different capabilities with respect to getting around on the Web (or programming the VCR, turning on the flat screen, etc) and that usability of identity systems has to account for these restricted skills (or willingness to learn new ones).

But if Neisser's explanation of the Flynn Effect is correct, then Mom may be a lost cause. Her ability to understand web identity systems through visual cues, without years of early training through video game playing, YouTube browsing, or Viagra spam filtering, is just not there and unlikely to be trainable. Sorry Mom.

With respect to the value of the tests themselves, I think Neisser sums it up nicely
no serious scholar claims either that IQ tests measure nothing important or that they measure everything important.

Friday, December 14, 2007

Claims Transformation

I have a small number of OnePass miles (collected I know not when).

Thinking I might be able to transfer them to Aeroplan (my preferred disloyalty program), I came across Mileage Converter.

My conversion calculation is shown here

Even with the egregious, bank-like conversion rate, I'd be tempted to transfer the miles were it not for the implication of having to create accounts at the intermediate Amtrak, Midwest, and HHonors (actually I think I have one there) to enable the flow.

If only there were an easier mechanism for the controlled transfer of identity to and from entities that I may or may not have a 'credentialled' account with ....

Does FutureShop sell metasystems?

FutureShop being my preferred electronics dealer, I wonder if I might be able to pick up a meta-system there, as my wife has been dropping hints for her Xmas present - hints like leaving little notes around the house about how much she hates passwords, or asking over breakfast 'Sigh, is there anything that can be done about phishing?', etc. Subtle, real subtle.

Pam seems to suggest that an identity metasystem would have a SKU.

would like to see Enterprises adopt technologies such as the Identity Metasystem

I assert that the metasystem (of which we see more and more tantalizing glimpses) is not a technology in and of itself, but rather a set of separate identity technologies (each of which you can go out and buy to put under the tree) that are, at the very minimum, not incompatible, and ideally, optimized to be compatible & composable.

I will be on the lookout for Boxing Day sales though ....

As for the original question of the relevance of user-centric in the enterprise, I'm staying out of it - I claim no expertise on the pressures today's enterprises experience that might drive them to abdicate some level of control over how the identities of their employees are used. I will say this. I have been an enterprise employee in the past and cannot recall an instance where I said to myself
Wow, this authentication/identity system empowers me. The Company is really putting my interests first.

Thursday, December 13, 2007

At the other end of the assurance spectrum

from EV Certs is this proposal for more extensive use of self-signed TLS server certs.

While it wouldn't help with phishing, it's interventionist ISPs that the more ubiquitous TLS is meant to thwart.


Who needs browser tabs

when your ISP is willing to enable 'enhanced browsing' for you.

As a Rogers customer, I am actually happy they are thinking of new ways to alienate me, I long ago grew tired of the old ways.

From Boing Boing

Claimed Identity

Perkin Warbeck's card selector

It wasn't just Perkin self-asserting. For their own (dynastic and/or political) reasons, lots of 3rd parties chose to profess themselves convinced of his authenticity - and even affirmed it themselves.

Just goes to show that sometimes you have to take even the claims of authorities with a certain amount of skepticism and qualify your confidence.

Wednesday, December 12, 2007

Mixed Emotions

I am no longer Co-Chair of the Technology Expert Group (TEG) within the Liberty Alliance.

I have mixed emotions about the change; part of me is ecstatic, the other part giddy.

I'll miss being pushed around by Carolina & Joni, but I expect my wife will be willing to pick up the slack so that my level of cowed-ness will remain constant.

To help prepare Prateek for Carolina's return from maternity, I have taught him to say "I apologize", "You are right. It was silly of me to think otherwise", and "Sorry, I will stop interrupting" in Spanish. These at least will get him through the first call.

I plan on filling my time with

- Identity Governance Framework
- Project Concordia
- profiling SAML & ID-WSF for new SSO Use Cases
- Identity Assurance Framework
- VRM explorations
- the next phase of Liberty's client capabilities evolution
- continuing to add to my comprehensive Nihongo vocabulary (next lesson is saying 'Good Night'!)

Costus Interuptus

As I see it, the key aspect of the VRMish "Magazine Subscription Use Case" is the value of service providers being able to deliver uninterrupted service to users - even when confronted with changeable endpoints (e.g. a mailing address, etc).

But it's not just a changed endpoint that can interrupt service. Modified payment information can be an even quicker show-stopper.

I received the below from Sirius Canada.

Were Sirius to have obtained my credit card info from a 'wallet provider' the first time, and subscribed to be notified should the card information subsequently change, I would have been spared the hassle of changing the info myself if I renew.

Note: I thought about obfuscating the ESN above but couldn't see the danger. Was I wrong? Have I just made it possible for CSIS to track my listening habits? (For the record, I listen to the PlayBoy Radio Channel for the interviews).


Usage Abuse

Received the following from my new wireless provider.

Now I clearly gave them the date of my birthday, but my sharing would have been in the context of 'security verification info' and not 'undesirable marketing spam'.

Somebody with more motivation than I might go take a look at the privacy policy and see what clause they've violated by collecting identity in one context and using it in another.

Secondly, what is the value of free calling on my birthday if constrained to only 'from us to you'? Big deal! I don't want them calling me anyways.

Tuesday, December 11, 2007

Phone Tag

Me to I'd like to cancel my wireless account when the contract expires in 5 days to me: Name and Password please.
Me to Paul Madsen & XXXX to me: Thank you, now for cancellations I have to send you to Customer Service.
Me to OK

phone redirect

Me to I'd like to cancel my wireless account when the contract expires in 5 days. to me: Name and Password please.
Me to Paul Madsen & XXXX to me: Thank you, now for cancellation of bundled accounts, I have to send you to Customer Service for Consolidated Accounts.
Me to Sigh. OK

phone redirect

Me to I'd like to cancel my wireless account when the contract expires in 5 days. to me: Name and Password please.
Me to Paul Madsen & XXXX to me: Thank you, now I'm sorry to hear you are canceling your account. Do you mind telling me why?
Me to (stunned silence)

Terminology Dispute

Jeff loathes terminology debates.

Actually, I think a better term than 'debate' would be 'dispute'. To my mind, debate implies a more structured format than supported by blog post threading.

Fountain of Youth

It's stuff like this that keeps me feeling young and sarcastic.

ProQuo describes itself as a service that allows users to
Stop Junk Mail and Protect Against Identity Theft for Free

I signed up and played around a bit some time ago. And then forgot about it as the service wasn't available to Canadians.

I was reminded of ProQuo yesterday. I received 2 (yes 2, deux, zwei, etc) 'newsletters' from them, thanking me for signing up.

Looking at ProQuo's registration page, it is indeed opt-in for getting the newsletter so my bad - I must have been feeling tired. I definitely didn't opt-in twice though.

Monday, December 10, 2007

Look at that escargot!

Reading through SAML 2.0 Bindings, I noticed the diagram for the Enhanced Client or Proxy (ECP) Profile flow.

The call-out on the left for Step 3 states
ECP determines Identity Provider to use (methods vary, details not shown)

Well how timely. One such mechanism for choosing the Identity Provider will be an S-card within the Higgins identity selector - as selected by the user (once candidate IDPs are determined by mapping the criteria of the request against the capabilities of the different providers.)

Specifically, an S-card will represent the relationship the user has with a SAML-based IDP, just as an M-card represents the relationship with a WS-Trust based IDP.

A new twist on passwords (a bad one)

Booking some travel at Priceline, I saw the following

This is twisted.

Not only is password authentication equated with the type of question typically used as part of a password reset (where security is supplemented by a known, verified email address), but Priceline explicitly encourages the user to provide their 'preferred' password, i.e. the same one they use everywhere else.

ID-WSF and the VRMish "Magazine subscription use-case"

Update 2: in a comment, Robert clarifies and expands. First, that ID-WSF allows for 'first level permissions' to be defined at the Discovery Service, i.e. the user can control which requestors are even allowed to find their identity services, much less actually obtain identity. Secondly, interaction can happen either through browser redirects, or through the back-channel. Robert points out that, if the user is online and available, the redirect option is simpler. Agreed, but there can be security advantages to using a communication channel separate from the browser.

Update: fixed below where I mistakenly attributed the 'push out new address' operation to - this is actually performed by


Alice is a customer of British Airways, and has BA's monthly in-flight magazine delivered to her work mailing address (as the bulk of her travel is work related). Alice maintains her mailing address at an online Identity Provider. If and when Alice changes jobs, changing her address there will serve to automatically change all copies of the address held by the various mailers she has signed up for.


  1. Alice, a frequent flyer with British Airways.
  2., Alice's cellular provider.
  3., the Identity Provider at which Alice stores her delivery/shipping address.
  4. BritishAirways, the airline wants to know if and when Alice's shipping address changes so that her subscription to the BA in-flight magazine Impressions can be delivered without interruption


The following sequences describe how Liberty Alliance ID-WSF could be applied to support the use case. There are two phases: the first in which Alice facilitates BA getting her mailing address the first time, followed some time later by BA automatically receiving her new address when it changes.


  1. On a business trip, prompted in the departure lounge by an offer for additional miles if she subscribes to BA Impressions, Alice uses her phone to navigate to the BA mobile site
  2. After asking her for consent, BA redirects Alice to, using SAML to ask for Alice's authentication
  3. After authenticating Alice, sends her browser back to BA with a SAML assertion carrying a pseudonym for Alice (specific to the connection). Also in the SAML assertion is information about Alice's Discovery Service (DS) – the place where BA can go to find out where Alice's Personal Profile Service is – this is the place to get her mailing address.
  4. BA asks Alice for her consent for it to discover her Personal Profile. She gladly gives it, as this will mean she doesn't have to enter it on the phone herself.
  5. BA queries Alice's DS for the location of her Personal Profile Service, specifying as a search parameter (as guided by Alice) that it is her work address it is interested in. At the same time as making this request, BA asks to be notified if and when Alice's address changes in the future.
  6. Alice's DS returns the location of her Personal Profile Service, together with a security token BA can use to call it; BA then queries that service and gets Alice's work address. Likely accompanying the data itself are the associated obligations BA assumes, e.g. allowed uses, deletion rules, etc.
  7. BA displays the address to Alice and asks 'Use this one?'
  8. Alice notices that the address has an old office building listed (she having changed departments); she changes that bit through BA's interfaces (the phone is OK for entering numbers)
  9. BA sends the changed address back to
  10., uncertain about whether it should accept the changed data, reaches out through the ID-WSF Interaction Service (IS) to send Alice an SMS asking for guidance
  11. Alice indicates should accept the changed data and store the new building. Her consent is routed back through the IS.
  12. BA now has Alice's mailing address and Alice enjoys reading on a monthly basis about up-scale hotels in exotic locations her company's travel policy will never allow her to stay in.
Later On
  1. Alice switches companies, her new role has similar travel load so she still wishes to receive BA's magazine.
  2. Alice visits her account management page at
  3. She enters her new work mailing address.
  4. Based on the subscription created when BA first obtained Alice's mailing address, pushes Alice's new mailing address to BA (and other chosen mailers).
  5. Alice receives Impressions magazine without interruption.
  1. ID-WSF can work much the same way for all the other slices of Alice's identity, e.g. calendar, wallet, geo-location, reputation, etc. It's all about discovery & invocation of identity services, with appropriate security & privacy.
  2. there need be no existing trust and/or business relationship between and BA. can effectively broker trust between the two of them.
  3. ID-WSF supports variations where Alice's phone can play a more active role, e.g. either or both of the Discovery Service & Personal Profile Service could be hosted on her phone
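As an added example (not code from Liberty or from the original post), here is a stripped-down model of the roles in the two sequences above: Alice's Discovery Service with the 'first level permissions' from Update 2, her Personal Profile Service with a change subscription, the Interaction Service reduced to a callback that asks Alice a question, and BA as the requester. The same discover-then-query pattern is what the People Service post earlier on this page asks the book store to do. Service names, the token format and the addresses are constructed; real ID-WSF carries these exchanges as SOAP messages with SAML security tokens.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class NotPermitted(Exception):
    """The requester may not discover or use this identity service."""


@dataclass
class DiscoveryService:
    """Alice's DS: knows where her identity services live and who may find them."""
    endpoints: Dict[str, object] = field(default_factory=dict)       # service type -> service
    permissions: Dict[str, Set[str]] = field(default_factory=dict)   # requester -> service types
    issued: Set[str] = field(default_factory=set)                    # tokens handed out

    def lookup(self, requester: str, service_type: str):
        # First-level permission: a requester Alice never approved does not even
        # learn that the service exists, let alone receive a token for it.
        if service_type not in self.permissions.get(requester, set()):
            raise NotPermitted(f"{requester} may not discover {service_type}")
        token = f"tok:{requester}:{service_type}"  # constructed stand-in for a security token
        self.issued.add(token)
        return self.endpoints[service_type], token


@dataclass
class PersonalProfileService:
    """Holds Alice's addresses and pushes changes to subscribed requesters."""
    ds: DiscoveryService
    addresses: Dict[str, str]
    ask_owner: Callable[[str], bool] = lambda question: True  # Interaction Service stand-in
    subscribers: Dict[str, List[Callable[[str], None]]] = field(default_factory=dict)

    def _check(self, token: str) -> None:
        if token not in self.ds.issued:
            raise NotPermitted("token was not issued by Alice's Discovery Service")

    def query(self, token: str, label: str) -> str:
        self._check(token)
        return self.addresses[label]

    def subscribe(self, token: str, label: str, callback: Callable[[str], None]) -> None:
        self._check(token)
        self.subscribers.setdefault(label, []).append(callback)

    def modify(self, token: str, label: str, proposed: str) -> bool:
        # A requester (BA) proposes a change; the service asks Alice before accepting it.
        self._check(token)
        if not self.ask_owner(f"Accept '{proposed}' as your {label} address?"):
            return False
        self._update(label, proposed)
        return True

    def owner_update(self, label: str, value: str) -> None:
        # Alice edits her own profile; no interaction needed, subscribers get the push.
        self._update(label, value)

    def _update(self, label: str, value: str) -> None:
        self.addresses[label] = value
        for callback in self.subscribers.get(label, []):
            callback(value)


def run_scenario(alice_accepts_change: bool = True) -> dict:
    """Both phases of the use case; returns what BA ends up holding."""
    ds = DiscoveryService(permissions={"BA": {"profile"}})
    profile = PersonalProfileService(ds, {"work": "Old Building, 1 Example St"},
                                     ask_owner=lambda question: alice_accepts_change)
    ds.endpoints["profile"] = profile
    ba = {"address": None}

    # Phase 1: discover, read the work address, subscribe to changes, propose a correction.
    service, token = ds.lookup("BA", "profile")
    ba["address"] = service.query(token, "work")
    service.subscribe(token, "work", lambda new: ba.update(address=new))
    accepted = service.modify(token, "work", "New Building, 1 Example St")
    after_modify = ba["address"]

    # Phase 2: Alice changes jobs and edits the address herself; BA is pushed the update.
    profile.owner_update("work", "2 Other Ave")

    # A mailer Alice never approved cannot even locate the service.
    try:
        ds.lookup("SpamCo", "profile")
        spamco_blocked = False
    except NotPermitted:
        spamco_blocked = True

    return {"change_accepted": accepted, "after_modify": after_modify,
            "final_address": ba["address"], "spamco_blocked": spamco_blocked}
```

Two things the model makes visible that the prose only implies: BA never holds Alice's credentials at the profile service (it holds a token the DS issued for exactly that service), and a change BA proposes is not the same as a change Alice makes, since only the latter goes through without the Interaction Service asking her.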

Friday, December 07, 2007

A Framework for Identity System Confusion (Reduction)

I gave the below presentation on Monday's IIW 2007b Introductory Session.

I hope it's a fair treatment of the design goals and capabilities of each identity system.

I do need to update the matrix of functionality to reflect, at minimum, OAuth.

Do I still get a t-shirt?

Update 4: I am shirted (along with everybody else who attended IIW).


Update 3: in a comment, Dale reassures me that my wardrobe will be appropriately extended. Related to Dale's comments about user experience, I'll be troubleshooting this with Pam at IIW.

Huzza to the Bandit team for their great help-desk support. Both Dale and Pam literally offered me the shirt off their backs (albeit the first stained and the second a so-called girly version)


Update 2: Andy clarified for me that my problem with the Firefox extension was indeed 'my' problem, as I was expecting the plug-in to enable card selection for Firefox on XP. But, the extension actually just calls out to a Digital Me exe, a Windows version of which doesn't yet exist.


Update: in comments, Andy & Carolyn encouraged me to try the latest Digital Me Firefox extension.

Alas, I still see errors

Saw the same messages at different RPs.

Perhaps relevant, the instructions indicate

Launch DigitalMe. Under the "File" menu, select "Import". This will bring up a file chooser dialog.

How do I 'launch' Digital Me?

The shirts look tight in the collar anyway.

I've been trying to log-in to Bandit T-Shirts using a managed card from the Bandit Cards.

I'm stuck in a strange loop. Steps are

1) create account at Bandit Cards
2) after authenticating with account/password from Step 1, create a personal card as an alternative authentication mechanism (I predict that users are going to have trouble keeping such cards separate in their minds, I sure did)
3) download and install a managed card to the Cardspace selector (couldn't get the Digital Me selector to work in Firefox)
4) go to Bandit T-Shirts RP and ask to log-in.
5) (seemingly) successfully present the managed card to the RP
6) get shown a screen indicating that the email address from the card needs to be validated. Told to click on link in the mail just sent to me (it's not clear to me whether it's the IdP or the RP validating the email address. If the former, why not do the validation earlier when I created the account? If the latter, why not trust the IdP?)
7) Click on link, get taken to what appears to be the same page as Step 4 above. Noticeably missing is any 'Hi Paul, you have successfully presented a card, your t-shirt is on its way" message.
8) Rinse and repeat.

I do like those shirts.

Wednesday, December 05, 2007


As yet, I don't know exactly what Wingaa is, but I do love the name regardless.

Sounds like an Aussie Rules position.


Your reputation precedes you

Dave agrees with Phil that reputation will be 'the next big thing for IIW', and seemingly by implication, perhaps for the identity world.

Reputation did indeed seem to be a 'topic of interest' at IIW.

Abbie Barbir presented on a proposed OASIS TC for 'Open Reputation Management Systems'. (I wonder if we could all agree to simply take the 'open' on faith and stop prefacing everything we do with the descriptor?).

Additionally, Phil's BYU grad students were always around to talk about their reputation work, which I assume was presented at some time but I missed it.

And of course, IIW itself is a forum where people's reputations get reconciled with reality.

But I question whether reputation is yet ready for 'Big Thing' status. I contend that a necessary underpinning of meaningful reputation is a consistent social layer, so that my reputation can be informed by those that best know me, in addition to or instead of those with whom I've simply interacted online (a la eBay's or Slashdot's model etc.)

Sometimes reputation needs to be based on real and not merely transactional experience. Employers base a hiring decision on both references and past employment history, not one or the other.

And while it may make less sense to talk about a provider's 'Buddy List' when thinking about its reputation, I would likely want to give greater weight to the opinions of my own friends when calculating that reputation than somebody named 'NotMyRealName2007'.

So, I believe that an individual's social network (I've decided to alternate between using 'network' and 'graph' on a weekly basis) can feed into both their own reputation, as well as how they calculate the reputations of other parties.

For reputation to be the next big thing would imply that the necessary social footings are in place - that we've 'solved' social identity. Notwithstanding the recent gush of enthusiasm over the potential for freshly final OpenID and OAuth, in combination with XFN and FOAF, to do this, or alternative systems like Liberty People Service, we have not solved social identity.

New social app


Dale Olds
Ashish Jain
Mike Jones
Mike Beach
Andy Dale
Kim Cameron
Dave Kearns

As I get ready to go to the airport for travel to IIW 2007b, an idea for a new social site came to me.
People I know only through blogging but look forward to actually meeting

Probably need to spiff up the name, perhaps Or ...

I hope I'll be able to cross some entries off my list by the end of the week.

The sister project
People I actually have met but wish I knew only through blogging.

is searching for angel investors.

Tuesday, December 04, 2007


Kaliya opened IIW this morning by presenting the 4 principles of Open Space.

1) Whoever comes is the right people.
2) Whatever happens is the only thing that could have.
3) Whenever it starts is the right time.
4) When it’s over it’s over.

Isn't this OpenID's trust model?

Selective Pressure

In its purest form, the OpenID philosophy forbids Relying Parties from showing any preferences for particular OpenID Providers from whom they might accept authentication claims. Thus the current tension between the 'promiscuity purists' and those who want to use whitelists & blacklists in order to allow RPs to select their OP partners with more discernment.

I'll argue that RP promiscuity (in which the RP cares little about which specific OPs it partners with) works just fine in situations where both of the below are true
  1. the resources the RP protects are such that the RP assumes no different levels of risk in accepting authentication claims from different OPs
  2. there is no other factor that differentiates OPs

At least currently, OpenID is being used in low value (money & sensitivity) applications. When there is little risk to start with, an RP will feel little different about how various OPs change that risk. So, for now, #1 is true.

And #2 has been true. Except for varying levels of support for particular authentication methods (e.g. Infocards) or different extensions (e.g. Simple Reg or PAPE), the different OPs are a level playing field from the RPs point of view.

And then Vidoop has to tip the apple cart and skew the above balance by announcing that they, as an OP, are going to start paying RPs by sharing their advertising revenue. No longer is #2 true - even if #1 is still equal (i.e. no risk differential), an RP will now be motivated to favour Vidoop as an OP, above other OPs that don't pay.

I predict two consequences
  1. RPs will attempt to guide users to Vidoop in order to maximize revenue (e.g. "I'm sorry, the OpenID you presented doesn't seem to work. Would you like to use/create a Vidoop OpenID?")
  2. Other OPs will be forced to match the Vidoop revenue sharing model in order to restore the balance and ensure they are not excluded by RPs at selection time. There will be a bidding war as OPs fight to secure market share. A single OP with big pockets will emerge.

I think I'll go reserve ''. Maybe they can reuse the old code.

Sunday, December 02, 2007

Federated unauthorization

We have designated no-screen days on which the kids are forbidden from any activity involving looking at a screen, e.g. TV, computer, PSP, etc (homework & music-players exempted).

My neighbours, whose kids play with mine, use a different system - their kids can earn screen time through compensatory good deeds (e.g. homework, chores, etc).

Different authorization schemes between interacting policy domains.

And there is the rub, both sets of kids are constantly back and forth between the households, knowing full well that the two sets of parents have been unable to agree on authorization policy and are consequently ripe for the screen-time picking.

Me to neighbour kid: Hey, are you allowed screen time?
Neighbour kid (with straight face): Oh yes.
Me to neighbour kid: Well I guess so ....

I suppose audit could help prevent the abuse. But, busy life etc.

I'm thinking of adopting a system in which, every time my kids went over to the neighbours, and vice versa, there was pinned to their shirt a note (signed & sealed) listing what they were NOT allowed to do.

<Forbidden action="TV"/>
<Forbidden action="pre-dinner snacks"/>
<Forbidden action="criticizing their Father's rules"/>

Federated unauthorization.

And yes, XACML.

Saturday, December 01, 2007

Is she really going out with him?

Joe Jackson obviously wrote this a long time ago.

All he'd need to do these days is check out his ex's Facebook page.

Friday, November 30, 2007

Now it's personal

It just occurred to me that, as Blogger now supports OpenID authentication for comments, this blog (and consequently myself) now becomes an OpenID Relying Party.

Up till now the ongoing thread on the need (or even 'morality') of whitelists or blacklists for OpenID has been abstract for me. I've had an opinion but the issue didn't hit home in any personal way. That's all changed.

I'd like to not have to actively moderate comments for this blog (it takes up a solid 30 secs of my day). Theoretically, by requiring someone to authenticate with an OpenID in order to post a comment, I might be willing to allow such authenticated comments to be automatically published without my intervention.

Currently, Blogger gives me blunt control over accepting OpenIDs: it's on/off.

But, as a potential consumer of authentication assertions from various OPs, a consumer willing to base a 'business decision' (publish or not publish comment) on the authenticity of those assertions, should I not have the right to be selective about which OPs I choose to 'partner' with? After all, if a bad comment makes it through the filter, it's my own reputation that suffers (please, no snickers).

Maybe I wake up one day on the wrong side of the bed and decide 'Damnation, today, I'm blacklisting!'. Or instead decide "Any OP that does 'pape.phishing-resistant' is good enough for me".

Isn't it my right as a relying party to decide who I rely on?
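As an added example (not code from the post, Blogger or any OpenID library), here is how the RP's choice described in this post and in 'Selective Pressure' above could drive the comment decision: the blunt on/off switch, a blacklist, a whitelist, and "any OP that asserts PAPE phishing-resistant is good enough". The class names, OP hosts and outcomes are constructed for illustration; the PAPE policy URI is the real identifier from PAPE 1.0, and the 'pape' namespace alias is assumed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Real PAPE 1.0 policy identifier; an OP lists it in openid.pape.auth_policies
# when it applied phishing-resistant authentication to the user.
PAPE_PHISHING_RESISTANT = (
    "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
)


@dataclass(frozen=True)
class OpenIDAssertion:
    """Fields of a positive OpenID 2.0 response this RP policy looks at.
    Assumes signature verification (association or check_authentication)
    has already passed; this code only decides whether to trust the OP."""
    claimed_id: str                          # openid.claimed_id
    op_endpoint: str                         # openid.op_endpoint
    pape_policies: frozenset = frozenset()   # parsed openid.pape.auth_policies


def assertion_from_response(params: dict) -> OpenIDAssertion:
    """Build an assertion from the openid.* parameters of the OP's response.
    Assumes the 'pape' alias; PAPE uses the literal 'none' for no policy."""
    raw = params.get("openid.pape.auth_policies", "none")
    policies = frozenset(p for p in raw.split() if p != "none")
    return OpenIDAssertion(params["openid.claimed_id"],
                           params["openid.op_endpoint"], policies)


@dataclass
class RPPolicy:
    """The blog owner's OP acceptance policy (hypothetical structure)."""
    accept_openid: bool = True            # Blogger's blunt on/off switch
    blacklist: frozenset = frozenset()    # OP hosts whose assertions are refused
    whitelist: frozenset = frozenset()    # OP hosts trusted outright
    good_enough: frozenset = frozenset()  # PAPE policies that make any other OP acceptable


def _op_host(endpoint: str) -> str:
    return (urlparse(endpoint).hostname or "").lower()


def decide(assertion: OpenIDAssertion, policy: RPPolicy) -> str:
    """Return 'publish' (auto-publish), 'moderate' (hold for a human) or 'reject'."""
    if not policy.accept_openid:
        return "reject"
    host = _op_host(assertion.op_endpoint)
    if not host or host in policy.blacklist:
        return "reject"
    if host in policy.whitelist:
        return "publish"
    # Unknown OP: its PAPE claim is self-asserted, so honouring it is still a
    # trust decision about that OP. Only policies the RP opted into count.
    if policy.good_enough and policy.good_enough <= assertion.pape_policies:
        return "publish"
    return "moderate"


if __name__ == "__main__":
    # Constructed sample: one trusted partner, one blacklisted OP, and a
    # stranger that claims phishing-resistant authentication.
    policy = RPPolicy(blacklist=frozenset({"spam-op.example"}),
                      whitelist=frozenset({"trusted-op.example"}),
                      good_enough=frozenset({PAPE_PHISHING_RESISTANT}))
    stranger = assertion_from_response({
        "openid.claimed_id": "https://carol.example/",
        "openid.op_endpoint": "https://other-op.example/server",
        "openid.pape.auth_policies": PAPE_PHISHING_RESISTANT,
    })
    print(decide(stranger, policy))
```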

New wallpaper

OpenID for blog commenting!

As per Blogger in draft, Blogger now supports OpenID authentication for post commenting.

I enabled it for this blog.

This is an exciting new application of OpenID. It's when a technology is applied in ways unforeseen by its original designers that you know it's reached some sort of tipping point.


Wednesday, November 28, 2007

My cup runneth over

In a post entitled A Cup of Tea / Dynamic Federation Ashish performs what can be the trickiest part of any identity operation - introductions.

SAML. Meet OpenID; OpenID. Meet SAML.
Once all interested parties know about each other and their intentions and capabilities, things get much easier.

But it's not like OpenID and SAML have never met before....

Ashish, I confess the Zen thing totally lost me. Is it OpenID's cup that needs emptying, or SAML's? Or is it that Andre is meant to be Nan-in?

Vanity, thy name is .... Reverend?

From the Toronto Star, a story about a retired minister who had her vanity license plates yanked by the Ontario Ministry of Transportation.

The plates read 'REV JO'.

An application to renew them was rejected because the 'REV' was deemed to imply that the ministry endorsed either or both of excessive driving speed or Christianity (or fast Christians perhaps?).

Apparently, the 'JO' was not considered offensive.

I can only hope that someone with the same diligence and highly attuned political correctness is monitoring the creation of vanity URIs.

YouTube as IdP?

Passfaces and Vidoop both rely on a user's ability to recognize graphical images in order to authenticate.

How long before it's videos?

It could take Vidoop's revenue model to the next level.

I'm sure it will be attempted, but I'd bet it would be horribly unusable - just imagine the cacophony if the sound was turned up.

Tuesday, November 27, 2007

Annoying Social Meme

Post a picture of your workspace (or not). I guess if I really cared I would 'tag' people. Perhaps you can tag yourself?

Yes indeed, those walls are unfinished. In the depths of winter I either wear half-gloves or dip my hands in the hot tub at regular intervals.

I do believe I am a better person for the discomfort.

Nebulous Pontification

I suspect Ping's Patrick Harding is referring to me (or my ilk) when he says in the inaugural post of his new blog (with a wonderfully creative play on words in the title 'The Patrick Harding Blog')
My goal is to make sure there is a practical aspect to this blog rather than a bunch of nebulous theorizing. In the event that I am forced down the path of pontification I will promise to at least warn people up front.

I actually considered calling this blog 'Nebulous Pontification' but preliminary search tests returned too many French bridge links.

Patrick is Australian, but quite smart nonetheless (I feel comfortable saying this as I myself am part Australian - having lived there as a teenager, drank beer there as a recent university grad, and been jet-lagged there as a business traveller).

Consequently, I will be reading Patrick's posts going forward.

He is off to a fine start I think

Post # 2 - he discusses the relevance of user-centric identity within the enterprise and comes to the conclusion - 'not much', citing the seeming incompatibility between a user desiring control over their identity and an enterprise with the same desires. Umm, junior file clerk or the CIO, who wins?

Post #3 - he presents a proposal from Ping for so-called 'Dynamic Federation', essentially tweaking SAML 2.0 for faster & easier federation between partners (taking a page from OpenID's book by having the user facilitate IdP discovery).

Bonza stuff.

I will however predict that, before long, Patrick will discover that it is not easy to maintain such a high level of insight & expertise (as evidenced here) and will then descend to the sort of nebulizing theory he is so scornful of as a rookie blogger. At that time, expect embedded YouTube videos of historic Australian beer commercials or equally inane content.

I'll take this opportunity to submit an alternative blog title (admittedly without the pizazz of the current choice)

  • Between a Rock and a Harding Place

A Dark Day

Leaving Sydney Airport 19 years ago at the end of a 5 month trip, I purchased an over-priced souvenir 6-pack of Australian beer.

Yesterday, confronted by a wife with no sense of nostalgia and focused solely on 'getting rid of clutter', I poured them out.

The empty cans now stare at me reproachfully as I type, tears falling gently onto the keyboard.

I do indeed 'feel like a Tooheys or two'.


Ransom 2.0

Monday, November 26, 2007

Perhaps we have it backwards?

There is irony in always thinking about identity systems that can enable meaningful control by users over their identity attributes, and then coming across this.

I suggest there should be a set of companion sites, including

Hey, can I get that $1m you owe me?

James McGovern asks me
I wonder if Paul has any thoughts on how to hold identity providers liable if you are a relying party?

With the caveat that I am not a lawyer and nor do I play one on the Web ....

Indemnification MAY be an important issue, but ultimately what the RP wants is to transfer risk such that whatever amount remains is acceptable. If the existence of an indemnity from the IDP to the RP helps to this end, then it could be relevant.

Note: I think James conflates indemnification & 'IDP liability'. If the IDP screws up, it may indeed be held liable, but this is likely irrespective of whether the RP & IdP have an indemnity clause in their agreement. Additionally, there is no requirement that any indemnity the RP receives for harm it suffers need come from the IdP - there already exists quite a large business for 3rd-party indemnification.

But indemnification is not the only mechanism by which the RP can mitigate risk. Nor is it always appropriate.

With respect to James' assertion that the conversation on liability hasn't yet occurred, I draw his and the reader's attention to the work of the Liberty Alliance's Identity Assurance Expert Group.

From the recently released 'Identity Assurance Framework':

A CSP may be liable solely under the terms of an existing agreement with a relying party for losses suffered by the relying party where the cause is attributable to conduct by the CSP that was carried out in material non-compliance with these business rules or with certification requirements. Conflict resolution will be directed to the appropriate Federation Operator. A CSP may offer credentials at a band of monetary recourse set independently from levels of assurance. A CSP shall disclose the monetary recourse it will or will not make available with respect to IAEG credentials and any applicable terms or limitations governing the recourse according to Table 5.1

Band          Amount
No recourse   Zero monetary recourse
By agreement  By agreement of the parties

By coincidence, there is a webinar on the Identity Assurance Framework this Thursday. Register here.


Bi-lin-gu-an-them-o-phob-is-m, n.,

1) The fear English-speaking Canadians have of being seen on camera as only mouthing the French parts of the national anthem at sporting events.


I wasn't planning on making any online purchases today but, given that it appears to be a certified holiday, perhaps I need to reconsider?

Will there be a 'Check Order Status Wednesday' two weeks hence? Or 'Cancel Order in Outraged Huff When Customer Service Tells You it Hasn't Actually Shipped Friday' in three weeks?

A Tudor Social Network (Graph)


A sobriquet is a nickname or a fancy name, usually a familiar name given by others as distinct from a pseudonym assumed as a disguise, but a nickname which is familiar enough such that it can be used in place of a real name without the need of explanation.

The definition would suggest that it might be applicable to some social applications, e.g. "Please provide your friend's sobriquet."

Admittedly, there is potential for confusion amongst some demographics
Hell yes, I'm sober, and I don't see what business it is of yours whether I am or ain't!

Sunday, November 25, 2007

These must be worth something?

Early millennium conference swag.

The shirt saw some initial wear for a few years, but has since been relegated to the bottom drawer.

The .net My Services tee is pristine - unblemished by wear of any kind.

I looked and looked but couldn't track down my Passel or DIX hoodies.

Name your Poison

or axe I suppose.

Legend has it that Charles II learned of the execution in 1649 of his father Charles I by the English Parliament when his private chaplain walked into the new King's room in Holland and addressed him as 'Your Majesty'.

For Charles, the name was enough, no additional explanation was required. The name made it clear that his father was dead and that he had assumed the crowns of England, Scotland, and Ireland (this disputed of course by Cromwell and co.)

Another (more likely apocryphal) legend claims that Charles, in a last desperate attempt to save his father's life, sent to the parliamentary captors a signed blank sheet of paper, in order to allow them to write in their own terms for the release of Charles I. Seems a shame that modern crypto won't support this use case.

Friday, November 23, 2007


My brother's family is moving to sunny Austin, TX.

Not actually sure what made me think of that.

Wednesday, November 21, 2007

More Identity Management for Indoor Rowing

My son was creating an account in order to record his rows for the Concept2 Holiday Challenge.

After successful account creation, he was shown the following

I was curious to know how they might ascertain my presence so I followed the link in the message.

In order for your child to enjoy all of the features of this website, including training logs, online ranking, and challenge honor boards, your child may wish to create an online "ranking and logbook profile."

The registration process begins when your child visits the new profile section of the online ranking. If based on your child's reported birthdate, we determine that the child is under the age of thirteen (13), then we will not store personally identifiable information associated with your child. This means that only the first letter of their last name will be stored, that no email address will be associated with your child's profile and that no city information will be recorded.

If you, as a parent or guardian, wish to have your child's full last name, and home city displayed on publicly accessible ranking web pages, honor boards and other Concept2 associated web pages, you must indicate your consent by entering your credit card number in the space provided and checking the appropriate consent box. Your credit card number is neither stored nor processed in any way - however it will be analyzed to determine that it is a valid credit card number. The use of a credit card number is necessary in order to comply with the terms of COPPA.

I confess I had never heard of COPPA before. It was written in 1998, probably time to update to reflect new reality. COPPA 2.0?


I wonder if Joni cites her friendship with me in order to up her 'geeky' score, as I do for her for my own 'cool' score?

From Pat

I definitely would not have missed this except for this super important thing I had to do on my last night in Tokyo, i.e. sleep.

I do wish though that I had stuck with my recorder lessons.


Play the cards you were dealt

Update: Drummond corrects me, diagrams revised accordingly below.

Higgins has created a taxonomy of i-cards.

I believe the following captures the relationships as expressed.

In his recent announcement about upcoming SAML support in Higgins, Paul suggests the possibility of an 'S-card', shown here

An S-card would be some XML instance pointing at a SAML IdP, including the necessary endpoints for the client to send/forward SAML protocol messages, with metadata about what identity attributes that IdP can provide, possibly with particular policy characteristics (e.g. security and/or authentication mechanism etc). Sounds like a profile of SAML metadata.

NTT's SASSO 'SAML IDP on your phone' model balances things out nicely.

Tuesday, November 20, 2007

Identity is Elemental

Dow Chemical's 'Human Element' ad campaign (you know, I have to admit I was a little unsure of what to think about Dow because of the whole Bhopal thing but that was before I knew they valued humans!) prompted

My 'atomic weight' estimate, i.e. that a typical user will have more than 100 identities is, admittedly, less than scientific. Tell it to Mendeleev.

Jung & Trendy

Update: in a comment, Mike clarifies the address and the nature of the CardSpace integration. It's a downloadable shopping application. I'm even more interested to see how CardSpace works in a non-browser scenario but highly doubt I'd get it installed & working without translation assistance ("Ich möchte ein Bier, bitte.")

Mike Jones lists Cardspace sites, including - a German retailer (actually it's that is the retail site).

Wanting to try out a production deployment of Cardspace, and feeling the need to update my wardrobe before IIW 2007b, I navigated through purchasing a stylish black & white pullover (only 29.99 euros, scarf not included).

Acknowledging that my Deutsch stretches just far enough to order beer at Oktoberfest and so I may well be missing some menu option, I can find no mention of a Cardspace option on the log-in or registration pages.

Not to say there is no reference at all to Cardspace.

So I got that going for me

As of today, Japan has begun fingerprinting and photographing arriving foreign travelers.

I'd be worried about the implied increased processing time except for the fact that I'm told that the list of exemptions includes:
  • persons engaged in diplomatic activities.
  • persons under 16.
  • special permanent residents.
  • persons invited by the Japanese government
  • tired Canadian persons engaged in identity standards activities.

Buy or Build

Don Schmidt defines federated identity as
an approach to identity management that allows one organization to grant or deny access to its protected resources based on digital identities managed by another [trusted] organization. The key point is that the resource provider relies on an externally managed identity, rather than creating another locally managed identity for the subject requesting access
My thoughts:
  1. an exclusive focus on 'grant or deny access' seems too narrow as there are lots of other ways that the identity requestor might use the externally managed identity it receives beyond access control, e.g. simple customization like a 'Hi Bob' welcome screen.
  2. stipulating 'organization' would seem to preclude those cases where the user hosts their own identity attributes (e.g. CardSpace personal cards, Liberty ID-WSF clients). But perhaps that is the intent?
  3. is specifying 'trusted' meant to rule out the oft-described OpenID dynamic model? Even in this case, I'd argue that the RP trusts the OP (it is willing to accept the OP's claims after all), albeit probably not very much.
Nevertheless, I completely agree with Don's key point, that federated identity involves/requires identity outsourcing - essentially, an RP decides to 'buy' identity rather than 'build' it, and thereby enjoys some reduced set of responsibilities (and possibly associated risk) for identity operations.

By this criterion, of course all key identity initiatives, as they all make possible the 'buy' option, can be described as 'federated'.

One Shibboleth down, only a few more to go.

Monday, November 19, 2007

20 Questions (is 19 too many)

In "The One Percent Doctrine", there is a story of a US Intelligence Officer meeting with a Soviet counterpart during the Cold War.

Each was allowed to pose exactly one question to the other, who would be 'honour' bound to either answer truthfully, or not at all. Nice model, if not prone to abuse.

Business partners considering federated identity operations between themselves get to ask far more than a single question when attempting to assess the 'assurance capability' of the other. They can ask about identity proofing, authentication mechanisms, audit etc - the list is long.

The value of an assurance framework like that of the Liberty Alliance is that partners need only pose a single question when considering doing federated business with another, that being
"What IAF assurance levels do you support, and how can you prove it?"

OK, two questions, but still an improvement. And without even needing Stoli.