Monday, April 30, 2007

OpenID bootstrap to ID-WSF

In last week's Brussels IOS session called 'Metasystem - Slice & Dice', the group identified that a meaningful piece of work towards a 'Concordic' (love the word, I'm even using it to scold when my kids fight) metasystem would be to define the 'OpenID bootstrap to Liberty Alliance ID-WSF' (the scenario diagrammed here).

So what would this entail?

OpenID is (primarily) a front-channel SSO system, ID-WSF is (primarily) a back-channel attribute sharing system. The work being proposed would define how you segue from the former to the latter, e.g. how an OpenID RP, once an authenticated OpenID user has arrived, can transition into the ID-WSF world in order to discover and obtain other identity attributes of the user (this seen as an alternative mechanism to having the attributes delivered inline through the OpenID protocols).

To play in the ID-WSF world, the RP needs two things:

- the SOAP endpoint at which the relevant user's Discovery Service is located. The Discovery Service is like a personalized search engine for identity attributes. It's the Discovery Service that will be able to tell the RP where the user's various identity attributes (e.g. profile, calendar, presence, geolocation, wallet, social, VRM, etc) are located.
- a security token that, if presented to the Discovery Service, will serve to identify both the user in question and the RP asking the question (so that permissions can be applied).

In Liberty's architecture, the container for the above pieces of information (there are other bits as well) is an <EndPointReference>, an XML data structure defined by the W3C's WS-Addressing spec.

If an OpenID RP can obtain the EPR for the user's Discovery Service, then it has the necessary information and credentials to start participating in the ID-WSF world because, with the DS EPR, it can search for and retrieve the EPRs of other identity services (like calendar, etc) that it is ultimately interested in.

So, the challenge for connecting OpenID and ID-WSF is 'simple': define how the OpenID RP can obtain the DS EPR and, so armed, start discovering and invoking the identity services of interest. Liberty has always referred to this step as the bootstrap, hence the title of this post.

In our Brussels IOS session, we discussed two broad options for making this work.
  1. Having the OpenID protocol response carry (in an extension) a URI at which the DS EPR could be retrieved.
  2. Having the DS EPR available as part of the user's Yadis document.
The first is aligned with how the existing bootstrap from SAML SSO works, the second perhaps more consistent with the existing OpenID model. More later on the pros/cons of each.
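To make the second option concrete, here is an added example (not code from the original post, from the Liberty Alliance, or from any OpenID library) that takes a Yadis XRDS document, finds the <Service> entry typed as a Liberty Discovery Service, pulls the DS EPR out of it, and runs the checks an RP should make before it sends the enclosed token anywhere. The XRDS document, host names, ProviderID and token are constructed placeholders; the namespace URIs and the EPR layout (Address plus Metadata/SecurityContext/Token) follow WS-Addressing 1.0, XRDS and ID-WSF 2.0 as I understand them and are assumptions to verify against the spec text.

```python
"""Locate and sanity-check a Liberty Discovery Service (DS) EPR inside a Yadis
XRDS document (option 2 from the post).

Added example, not code from the original page, the Liberty Alliance or any
OpenID library. The XRDS below, the hosts, the ProviderID and the token are
constructed placeholders. Namespace URIs and the EPR shape are assumptions
taken from WS-Addressing 1.0, XRDS and ID-WSF 2.0.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "xrds": "xri://$xrds",
    "xrd": "xri://$xrd*($v*2.0)",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "disco": "urn:liberty:disco:2006-08",
    "sec": "urn:liberty:security:2006-08",
}
DISCO_SERVICE_TYPE = "urn:liberty:disco:2006-08"

# Constructed Yadis document: the user's OpenID XRD plus a second <Service>
# carrying the DS EPR. Everything under example.org is made up.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.example.org/server</URI>
    </Service>
    <Service priority="1">
      <Type>urn:liberty:disco:2006-08</Type>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"
          xmlns:disco="urn:liberty:disco:2006-08"
          xmlns:sec="urn:liberty:security:2006-08">
        <wsa:Address>https://disco.example.org/ds</wsa:Address>
        <wsa:Metadata>
          <disco:ProviderID>https://idp.example.org</disco:ProviderID>
          <disco:ServiceType>urn:liberty:disco:2006-08</disco:ServiceType>
          <disco:SecurityContext>
            <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:bearer</disco:SecurityMechID>
            <sec:Token>
              <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="PLACEHOLDER-assertion-id" Version="2.0"
                  IssueInstant="2007-04-30T00:00:00Z"/>
            </sec:Token>
          </disco:SecurityContext>
        </wsa:Metadata>
      </wsa:EndpointReference>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _text(parent, path):
    """Stripped text of a child element, or "" if parent/child is missing."""
    if parent is None:
        return ""
    return (parent.findtext(path, default="", namespaces=NS) or "").strip()


def find_ds_epr(xrds_text):
    """Return the <wsa:EndpointReference> of the first <Service> typed as a
    Liberty Discovery Service, or None if the Yadis document has none."""
    root = ET.fromstring(xrds_text)
    for service in root.iterfind(".//xrd:Service", NS):
        types = [t.text.strip() for t in service.iterfind("xrd:Type", NS) if t.text]
        if DISCO_SERVICE_TYPE in types:
            epr = service.find("wsa:EndpointReference", NS)
            if epr is not None:
                return epr
    return None


def parse_epr(epr):
    """Pull out what the RP needs: where the DS is, who runs it, which security
    mechanism to use, and whether a token (inline or by reference) is present."""
    meta = epr.find("wsa:Metadata", NS)
    sec_ctx = None if meta is None else meta.find("disco:SecurityContext", NS)
    token = None if sec_ctx is None else sec_ctx.find("sec:Token", NS)
    return {
        "address": _text(epr, "wsa:Address"),
        "provider_id": _text(meta, "disco:ProviderID"),
        "service_type": _text(meta, "disco:ServiceType"),
        "sec_mech": _text(sec_ctx, "disco:SecurityMechID"),
        "token_present": token is not None and (len(token) > 0 or token.get("ref") is not None),
    }


def validate_ds_epr(info):
    """Checks to make before trusting the EPR enough to present the token to
    the named endpoint. Returns a list of problems; empty means OK."""
    problems = []
    url = urlparse(info["address"])
    if url.scheme != "https" or not url.netloc:
        problems.append("DS address is not an https URL: %r" % info["address"])
    if info["service_type"] != DISCO_SERVICE_TYPE:
        problems.append("EPR does not describe a Discovery Service: %r" % info["service_type"])
    if not info["provider_id"]:
        problems.append("no ProviderID; the RP cannot tell who operates the DS")
    if not info["sec_mech"].startswith("urn:liberty:security:") or ":null:" in info["sec_mech"]:
        problems.append("security mechanism missing or uses a null transport: %r" % info["sec_mech"])
    if not info["token_present"]:
        problems.append("no security token; the DS could not apply per-user permissions")
    return problems


def bootstrap_from_yadis(xrds_text):
    """Option 2 end to end: returns (epr_info, problems); epr_info is None when
    the document carries no DS EPR at all."""
    epr = find_ds_epr(xrds_text)
    if epr is None:
        return None, ["Yadis document has no Discovery Service EPR"]
    info = parse_epr(epr)
    return info, validate_ds_epr(info)


if __name__ == "__main__":
    info, problems = bootstrap_from_yadis(SAMPLE_XRDS)
    print(info)
    print("problems:", problems or "none")
```

The point of the validation step is that the Yadis document is fetched from a URL the user supplied, so the RP has to treat the EPR as untrusted input: an http address or a null security mechanism would mean handing the user's bearer token to an endpoint over an unprotected channel. Option 1 (the EPR URI carried in an OpenID extension) needs the same checks once the EPR has been retrieved.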

Marcus Brittanicus

BT's Mark Nijdam is blogging.

Refreshing to see a European with the same internal thermostat as my own.

Finnish participants notwithstanding, I'm very grateful that not all aspects of the typical sauna process were observed.

Sunday, April 29, 2007


From a March 2007 German IDM conference, a paper from Microsoft entitled 'Microsoft's Identity and Access Management Strategy' that does not mention, even in passing, Cardspace.

Contents may have shifted in flight

On a flight from Brussels to Heathrow I noticed the following diagram in the back of BMI's in flight magazine.

It describes the permutations in the process for passengers connecting at LHR - the options distinguished by where from & to the passengers are connecting.

I can see something similar for guiding deployers of interconnected identity systems.
  • For users arriving through SAML SSO and not arriving with 'carry-on' attributes, for connection to ID-WSF, please proceed to the bootstrap. Otherwise, please join the queue for Attribute Processing.
  • For users arriving through OpenID SSO and not arriving with 'carry-on' attributes, for connection to ID-WSF (either SOAP or AJAX bindings), please proceed to the bootstrap (SAML-based or Yadis-based respectively). Otherwise, please join the queue for Attribute Processing.
  • Should any user arrive through WS-Federation SSO, please contact an agent on arrival for specific instructions. Expeditious processing will be enabled by removing all jewelry, belts, shoes, and inhibitions about cavity searches.

Consent Context Markup Language

How tricky/tough/political would it be for proponents of various identity systems to agree on how to phrase a consent query, if not necessarily how/where/when to present such a query to users? As trivial as picking the text for

"X is asking for Y, wadda ya think?"

Beyond the simple yes/no, accept/deny, proceed/stop options (I've seen them all), there could be agreement on phrasing of the 'remember this decision' prompt and its options.

Alternatively (and far more work), how about a CCML 'Consent Context Markup Language' - a syntax describing how consent was obtained, comparable to SAML's Authentication Context and OpenID's Authentication Quality Extension for describing how authentication occurred.

Quick list of contexts.
  • Who obtained consent? For what?
  • How was the question phrased (as per above)?
  • How was the question presented, e.g. by directly asking the user when they were 'at' the provider, or indirectly a la Liberty's Interaction Service, or by direct user-mediation of the flow a la Cardspace or SAML ECP? (Hopefully avoiding the complexity of describing authentication, because there would be no temptation to try and say that one consent mechanism was 'better' than another for ranking.)
  • When was consent obtained, e.g. a priori, real-time?
Basic W5 stuff.

Of course, the question is who would care? It would be the provider making the access control decision for a particular bit of identity that would need to know about consent, so in what scenarios is it relevant for the details of said consent to be recorded? Audit would be one. Supporting a 'User Dashboard' where a user can see past identity transactions (and the specifics of the corresponding consent) would be another.

No identity system does this, so nobody should (you'd think) have resistance to collaborating.

Thursday, April 26, 2007

For solid meeting results

Notwithstanding the name of the meeting room, we had a very useful IOS session this afternoon on the topic of 'Metasystem - slicing & dicing'.

From my viewpoint I saw only the normal amount of evasiveness.

Details of discussion to follow on the IOS wiki.

When convergence goes bad

The restaurant at which we had dinner last night in Brussels had an interesting 'washroom convergence model'. The Gals' & Guys' rooms shared a single wash basin - this located in a hole in the wall between the two.

Art by Alex.

Was this a result of customer complaints about duplication & redundancy in sink infrastructure?

And the clear privacy compromise was deemed an acceptable trade-off?

Wednesday, April 25, 2007


Premise: a single identity 'session' theoretically (a real instance would be unlikely to have them all) consists of the following stages:
  1. Authentication
  2. Single SignOn
  3. User-agent mediated attribute exchange
  4. Server-to-server attribute exchange
  5. Single Log Out
Our various identity systems can be categorized as to whether they address the 5 stages. My best guess:

Authentication
  • Cardspace
  • ID-WSF
Single Sign On
  • OpenID
  • SAML
  • Cardspace (smart client)
  • ID-WSF (smart client)
  • WS-Federation
User-agent mediated attribute exchange
  • SAML
  • Cardspace
  • OpenID (Attribute Exchange)
Server-to-server attribute exchange
  • ID-WSF
Single Log Out
  • SAML
  • WS-Federation

Only 60 combinations to work out. Easy peasy.

Tuesday, April 24, 2007

Not being boastful

In yesterday's Liberty Alliance eGovernment workshop, a representative of an EU government made a distinction between 'claim' and 'assertion' - the impression he gave was that the semantics of the latter are stronger, e.g. anybody can make a claim, but you'll want to be sure about your facts before you make an assertion.

The 'Castle Team' mulled on this over iced tea at the day's end.

While the group agreed that there actually was no such distinction (claim and assertion are used interchangeably), our discussion did highlight what seems to be a gap in today's taxonomy - this being the distinction between 3rd-party and self-asserted identity.

The feeling was that something so fundamental as the relationship of the actor making the assertion to the subject of the assertion warranted more than merely an adjective. Additionally, we felt that the nature of the assertion (i.e. positive or negative) should be explicit.

We came up with the following taxonomy:
  • brag: an assertion made by X in which some attribute(s) of X is enhanced or exaggerated
  • boast: an assertion made by Y in which some attribute(s) of X is enhanced or exaggerated
  • pity: an assertion made by X in which some attribute(s) of X is accurately described
  • slag: an assertion made by Y in which some attribute(s) of X is accurately described
Feedback is welcome. We will have a call to review any such comments. Who knows, we might even attempt to account for it.

Monday, April 23, 2007

Standardized naming

In listening to various governments describe their online initiatives at today's Liberty Alliance organized eGovernment workshop, I've extracted the following shared requirements and/or patterns.
  1. Security.
  2. Privacy.
  3. Categorizing risk/confidence levels into 4 types.
  4. No centralized database.
  5. A citizen portal name starting with the language appropriate equivalent of 'my' (e.g. MonServicePublic in France and MyPage in Norway.)
  6. A claim that their country's culture, geography, politics, & history present unique requirements for e-services.

Saturday, April 21, 2007

Military Intelligence

My father has always said that 'military intelligence' is a contradiction in terms (and he should know because that was his business).

Nevertheless, I'm enjoying reading John Keegan's Intelligence in War which describes the history of how different sides have tried to learn what, when, and where the other guys are doing.

Keegan describes the 5 fundamental stages of the intelligence game:
  1. Acquisition - collecting or finding it, whether from public or secret sources.
  2. Delivery - once collected, the intelligence data has to be sent to its potential user.
  3. Acceptance - intelligence has to be believed - this likely only after the bona fides of the source are verified.
  4. Interpretation - scraps of intelligence have to be pieced together into a consistent whole.
  5. Implementation - ultimately, you have to act on the data for it to prove valuable.
Two thoughts:
  1. This must be easier with everybody, from grunt to general, blogging. Do a Technorati search on posts tagged with 'enemy strategy' and you're halfway home.
  2. Identity and intelligence data share a very similar lifecycle.

Thursday, April 19, 2007


Twittervision is a cool application built on an exceedingly silly premise.

Individual twits display on a Google map. Not only can you learn the most trivial details of what people are doing, but also where they are doing it!

As posts appear and disappear, the map repositions. Most fun is seeing the focus shift back and forth from one side of the globe to the other - from somebody in Singapore describing what they ate for breakfast to somebody in Hoboken describing what they ate for dinner.

I plan on getting up early tomorrow so I can see the 'breakfast horizon' pass over the globe - from miso soup in Japan, through the UK's black pudding, ending up with a West Coast fruit cup and Espresso. Now that's a global community.

Just to be perverse

I created a TinyURL for my ProtectNetwork OpenID

I was fortunate enough to be given an abbreviated url from the very prestigious '323' series, namely

18 characters compared to the original's 29 characters - that will add up.

Wednesday, April 18, 2007

Temple 2.0 bubble

It's clear from this that they were just waiting to be acquired.

You have to have an exit strategy.

SAML 2.0 Enabling a Wiki

Andreas posts a PDF on how they used SAML 2.0 for SSO to the PHP-based DokuWiki.

Whoa, using something as 'heavy' as SAML for a wiki? Is this legal?

At least one

Kim Cameron writes (actually wrote, it's quite an old post)
I think the SAML protocol suffers from having a single-token design.

A snippet from SAML 2.0's protocol schema seems apropos:

<element name="Response" type="samlp:ResponseType"/>
<complexType name="ResponseType">
  <complexContent>
    <extension base="samlp:StatusResponseType">
      <choice minOccurs="0" maxOccurs="unbounded">
        <element ref="saml:Assertion"/>
        <element ref="saml:EncryptedAssertion"/>
      </choice>
    </extension>
  </complexContent>
</complexType>

In the same vein, from the SAML 2.0 profiles.

the <Response> element MUST conform to the following:

- It MUST contain at least one <Assertion>.

Kim's post discusses delegation, specifically (for him) better support for delegation in WS-Trust/WS-Fed than in SAML because of the ability to carry multiple tokens.

The above makes it clear that there is no such distinction in the browser SSO case - a SAML IdP can return as many assertions as necessary, each potentially with a different subject identity.

What's more, in a SOAP service invocation scenario, WSS/STP don't constrain how many SAML Assertions would be included in the security header either.

So, go to town. You want an assertion for your Aunt Ida? Sure, toss it in.
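As an added example of what a multi-assertion Response means for the receiving side (not code from the original post or from any SAML toolkit), the script below parses a constructed SAML 2.0 Response carrying two assertions with different subjects and different audiences. It enforces the profile rule quoted above (a successful Response must contain at least one Assertion or EncryptedAssertion) and then examines each assertion's Subject and AudienceRestriction on its own, since nothing in the schema says the assertions share a subject or are all addressed to this SP. Entity IDs, names and timestamps are made up; XML Signature verification, which a real SP performs before any of this, is deliberately left out.

```python
"""Process a SAML 2.0 <Response> that carries more than one <Assertion>.

Added example, not code from the original page or from any SAML toolkit.
The Responses below are constructed; entity IDs and names are made up.
Signature verification is omitted; a real SP does it before anything else.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/metadata"  # constructed: our own entityID

# Constructed response: two assertions from the same IdP with different
# subjects and different audiences. The second one is for "Aunt Ida".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1" Version="2.0" IssueInstant="2007-04-18T10:00:00Z"
    Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2007-04-18T10:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
  <saml:Assertion ID="_a-2" Version="2.0" IssueInstant="2007-04-18T10:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>aunt.ida@example.org</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://other-sp.example.net/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed response that violates the profile: Success status, no assertion.
EMPTY_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp-2" Version="2.0" IssueInstant="2007-04-18T10:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>
"""


def describe_assertion(assertion, sp_entity_id):
    """Subject and audience facts for one <Assertion>. audience_ok is True
    only when the assertion is unrestricted or explicitly names this SP."""
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    audiences = [
        (a.text or "").strip()
        for a in assertion.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    return {
        "id": assertion.get("ID"),
        "subject": subject,
        "audiences": audiences,
        "audience_ok": not audiences or sp_entity_id in audiences,
    }


def parse_response(xml_text, sp_entity_id):
    """Return the status, one record per plain assertion, the number of
    encrypted assertions, and a list of problems found."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value") if status is not None else ""
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    problems = []
    if status_value != STATUS_SUCCESS:
        problems.append("status is not Success: %r" % status_value)
    elif not plain and not encrypted:
        problems.append("profile violation: a successful Response MUST contain at least one Assertion")
    records = [describe_assertion(a, sp_entity_id) for a in plain]
    for rec in records:
        if not rec["subject"]:
            problems.append("assertion %s has no Subject NameID" % rec["id"])
        if not rec["audience_ok"]:
            problems.append("assertion %s is not addressed to this SP (audiences: %s)"
                            % (rec["id"], ", ".join(rec["audiences"])))
    return {"status": status_value, "assertions": records,
            "encrypted_count": len(encrypted), "problems": problems}


def usable_subjects(result):
    """Subjects the SP may act on: only those in assertions addressed to it."""
    return [a["subject"] for a in result["assertions"] if a["audience_ok"] and a["subject"]]


if __name__ == "__main__":
    result = parse_response(SAMPLE_RESPONSE, SP_ENTITY_ID)
    for rec in result["assertions"]:
        print(rec)
    print("usable:", usable_subjects(result))
    print("problems:", result["problems"] or "none")
```

The practical consequence of "as many assertions as necessary" is that the SP has to decide per assertion whether it is the intended audience, rather than taking the first one it sees as the logged-in principal; Aunt Ida's assertion above is syntactically fine but is addressed to a different SP, so it is reported and excluded.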

Identity cataclysm

Well, not quite. But weird nonetheless.

I was registering for Burton Catalyst. Had to ask for a password reset, received the following.

Great, perfectly normal. I had to leave before my registration was complete, so I 'saved' it. Received this email.

Ok, not sure of the point but fair enough.

The above was immediately followed by:

They gave me a (another) new password solely because of my saved registration. Do they bill clients by the message?

Tuesday, April 17, 2007

Early Social Networks

Two identity standards die in bizarre circumstances

Des Moines - In a freakish coincidence, two top-ranked identity protocols have died as they travelled separately to the 'Me 2.0' identity conference.

SAML, widely regarded as the top contender for federated identity management in the masters age group, perished when the single-engine Piper Cherokee it was travelling in crashed into a densely-wooded hillside soon after take-off from Topeka Municipal Airport. Forensic data experts are currently attempting to process the 'artifact' sent out by the pilot just before losing contact in order to determine the cause of the crash.

In a bizarre twist, one of SAML's colleagues, scheduled to fly on the same flight, cancelled at the last moment - narrowly avoiding even greater tragedy. Liberty Alliance, citing concerns over the insurance, declined to travel. Unconfirmed reports say that Shibboleth was also scheduled to be on the flight but was denied boarding after attending a frat party the night before.

The youthful OpenID, well-known on the celebrity party circuit, was seen by many as SAML's main competition. At almost exactly the same time as SAML's accident, OpenID died when the Kombi Van in which it was a passenger veered off the highway and crashed into a sign for a home security vendor. Toxicology results are pending. Also in the van was Attribute Exchange, who suffered severe injuries and is in critical condition at Topeka General Hospital awaiting a token transplant. Police attempts to contact OpenID's partner XRI are being hampered by uncertainty as to just exactly what it is.

Remaining identity specification WS-Federation, when contacted at her Redmond estate for comment, read from the following prepared announcement:

"This is sad, sad, news. Very sad. I personally am sad, saddened even. Even though they had both the market & mind share that I desperately wanted, and were crushing me in deployment numbers, I thought of both SAML and OpenID as true friends. I am completely confident that my friends, now dead and no longer a threat to my success, want me to continue on as before. Consequently, my 'response' to this tragedy is to say there will be 'No change'. Thank You."

When asked about the rumour that WS-Federation was seen in the vicinity of the aircraft maintenance shed in the hours before the flight, Detective Cameron Shaft of the Topeka Police Department replied 'We are investigating a number of promising leads at the moment. WS-Federation and her 10 lawyers are cooperating completely. No further comment.'

Monday, April 16, 2007

Playoff Hockey

A handshake and a smile?

From Boing-Boing, an article on an FBI proposal for unnerving would-be bank robbers with kindness.

What's the best way to make a bank robber turn around and walk out the door empty-handed? Try a handshake and a smile.

I can see this model working against identity hackers and thieves. Make your protocol so inviting that they turn away either out of courtesy or because they suspect a trap.

There are even existence proofs.

Thursday, April 12, 2007

Identity Management for Indoor Rowing

I've had a Concept 2 indoor rower for over 15 years. It's been an on and off again part of my fitness program - an excellent full body workout but a hard sell compared to a nice run through the woods. Lately however, as my knees degrade, the low-impact nature of rowing has become more and more attractive.

As partial motivation to get back into it, I upgraded the rather basic speedometer that came with my rower to a new model with more bells and whistles for tracking workouts and progress.

One nice feature of the new monitor is the ability to connect to a PC through a USB cable so that rowing data (e.g. time, distance, pace, frequency of vomiting, etc) can be analyzed. Once on your PC, analysis can provide clear confirmation that your rowing technique and fitness level has plateaued as expected.

A software program called Row Pro takes advantage of this connectivity by providing real-time visuals of your workouts - as you row you see all your numbers as well as a nice animation of a boat on a scenic course. You can even race against a pre-programmed pace boat, a previous workout of your own, or somebody else through the Net.

Row Pro also allows you to upload your rowing workouts to a Concept 2 online logbook so that you can compare your results and distance to others. When I saw this option within Row Pro I expected that I'd be presented with the normal Web 2.0 style prompt of 'Please enter your email & password, we promise not to share with anybody'.

Instead all I had to enter was a 6-digit 'Ranking ID' that I had previously been given by Concept 2. No password necessary for the desktop software to enter rowing workouts to my online log.

I could really screw up a good rower if I were able to guess their Ranking ID as I'd be able to push my workouts into their log. Imagine the shock of some competitive 20-yr old female sculler to discover that she's actually a 43-yr old identity standards architect with poor technique and no stamina.

Clear need for standardized secure & privacy respecting identity web services and a 'rowing workout service interface'.

Wednesday, April 11, 2007

Race Registration

I was registering my wife for a 10K run (lately, with my knees, I register 'em, she runs 'em).

After entering the requested profile data, I was presented with the following (numbers manipulated to create the illusion of a much younger wife):

The Birthday that you input of 1978/08/17 (y/m/d) would
indicate an age on race day May 26, 2007 of 29.

This does not match the age on race day May 26, 2007 that
you input of '28'.

Please go back and change the one that is not correct.

Use Your browser's back button to return to the form page

If you already know the answer, why ask the question?
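For the record, with the dates as shown, someone born 1978/08/17 is 28 on May 26, 2007 (the birthday has not yet come round that year), so the value the form rejected was the correct one; a plain subtraction of years, which is what the form appears to have done, gives 29. The added example below (not the registration site's code) shows the naive calculation beside the correct one and the reconciliation the form could have done instead of asking twice.

```python
"""Age on race day, computed correctly.

Added example for this post; not code from the race registration site.
Dates are the ones quoted in the post, in its y/m/d form.
"""
from datetime import date


def parse_ymd(text):
    """Parse the form's 'YYYY/MM/DD' format into a date."""
    year, month, day = (int(part) for part in text.split("/"))
    return date(year, month, day)


def naive_age(birth, on):
    """Year-only subtraction: wrong for anyone whose birthday falls later
    in the year than the reference date. Shown only to reproduce the bug."""
    return on.year - birth.year


def age_on(birth, on):
    """Completed years between birth and the reference date."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1  # birthday not yet reached in the reference year
    return years


def reconcile(birth, race_day, claimed_age):
    """Derive the age from the date of birth and report whether the user's
    separately entered age agrees. Returns (computed_age, claim_matches)."""
    computed = age_on(birth, race_day)
    return computed, computed == claimed_age


if __name__ == "__main__":
    birth, race_day = parse_ymd("1978/08/17"), parse_ymd("2007/05/26")
    print("naive:", naive_age(birth, race_day), "correct:", age_on(birth, race_day))
    print("claim of 28 matches:", reconcile(birth, race_day, 28))
```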

Dear 216K

Canada provides the Canada Education Saving Grant (CESG) program to encourage parents to save for their children's education. For every contribution you make to a Registered Education Savings Plan (RESP), the government will match 20% (with a whole bunch of constraints and limitations).

In practice, the CESG mechanism is that the investment company at which you've created an RESP makes a purchase on your behalf for the appropriate amount (i.e. 20% of whatever you've contributed yourself). You can see this in the pic of a transaction confirmation I received below.

I plan on inviting 'Representative 216K' to my child's university convocation. If they can't attend I'm sure they can send a proxy.

Wednesday, April 04, 2007

History T'ID'bits

Overheard on the shores of Lake Tanganyika
"Dr Livingston I presume you are aware that it's been over 6 years since I invited you to join my LinkedIn network? Don't mean to sound stuffy old chap but you could have saved me this rather tiring trip if you had just given me the courtesy of a reply what?"

User-centric tax filing

Yesterday evening, I used an online service to do the family's Canadian personal income taxes.

The mechanism for electronic filing of the returns to the Canada Revenue Agency captures both the benefits and issues of the 'user-mediated' channel for identity flow through the user-agent.

The process is illustrated here:

You download the special .tax file to your desktop, and then in a separate browser session, upload it to the CRA site. Repeat for spouse.

How very empowering! I am in complete control of transfer of our tax/identity information from the tax provider to the CRA. In fact, without my explicit consent and actions, the info just will not flow.

For me personally, I would have much preferred for the tax service provider to interact directly with the CRA to submit the files 'on my behalf' - saving me
  • the effort
  • the security risk of having such sensitive information sitting on my laptop.

Tuesday, April 03, 2007

One of these things is not like the others,

One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?

Did you guess which thing was not like the others?
Did you guess which thing just doesn't belong?
If you guessed this one is not like the others,
Then you're absolutely...right!

Would that I was this happy

about anything, much less my keyboard or mouse settings.

Plausible deniability

Webkinz is all the rage for my kids and their friends. It's inane and senseless but I try not to judge it as simply juvenile because, well, Twitter.

From the Webkinz site
Webkinz pets are lovable plush pets that each come with a unique Secret Code. With it, you enter Webkinz World where you care for your virtual pet, answer trivia, earn KinzCash, and play the best kids games on the net!
The 'lovable plush pets' are $2 stuffed animals that sell, when you can find them, for over $10.

The animals are quickly forgotten - it's the 'Secret Codes' that the kids want. Without the code that comes with the pet you can't enter the fun exciting virtual world. Consequently, kids place great value in the codes. Search on the Web and you'll see a whole marketplace for them.

That explains why, when my 7-yr old son was playing at a friend's house the other day, and they were logging into the Webkinz site, my boy left the room when his friend entered the code (as reported to me by the Dad). I asked my son about it before he went to school today. I asked him if he left the room because he wanted to, or because his friend had asked him to. His reply:

I wanted to, I never want to know somebody else's code in case something goes wrong and they might think I did it.

Smart boy. I'm all verklempt from pride.