Friday, September 28, 2007

Congrats to Prateek

Although I haven't seen an official announcement, I'll go out on a limb and offer my congratulations to Oracle's Prateek Mishra on the big news - undeniably well-deserved.

Oh, and there is also that DIDW thing for IGF. That's nice too.

Tags: ,

Encrypted Protocol Messages

Zlango defines a 'universal icon language', emoticons having been deemed to provide insufficient cuteness for real business messaging.

At the top is a SAML protocol message translated into Zlango-ese. Undeniably way more fun than plain ol' XML.

Any guess as to the message?

Hint: Below is the same message with captions turned on.

Answer: it's an <AuthnRequest> in which the SP is stipulating that the IDP should not actively interact with the user for authentication, and username/password is unacceptable.

Tags: ,

Thursday, September 27, 2007

It takes a village

Andy Dale ponders the 'juju' that OpenID has, in comparison to SAML. He uses the analogy of a village to tease out differences.

My thoughts
  1. OpenID is designed for 'fun' use cases. It's just more fun to talk about Twitter than an enterprise employee accessing their health records.
  2. Inversely correlated to their 'fun' level is the value of the applications being accessed through OpenID SSO. With low value apps, OPs & RPs need not overly concern themselves with the mundane issues of business relationships, contracts, and lawyers (which would be the opposite of fun).
  3. Because of #2, there are more visible places for users to play with OpenID. Being able to play with a technology is key. It's highly likely that you have benefited from SAML-based operations, but you were unaware of it.
  4. OpenID has a video.
  5. OpenID has a logo.

Personally, I enjoy the infrastructure services (e.g. water, sewage, electricity, cable, etc) that modern city living provides me. Actually I live in the suburbs, perhaps that's the ideal compromise?

p.s. Andy throws in an evolutionary twist to his analogy
If two teams of engineers looked out over an early version earths eco-system and one designed ‘the perfect organism’ and the other designed an ameba capable of rapid reproduction and innovation which would you bet on for long time survival?

This sounds too much like Intelligent Design.

A Tangled Web (not so much)

Johannes compiles a nice list of identity initiatives.

There is some 'appling & oranging' going on, I think more useful would be to categorize the various groups & initiatives. Here is my stab at a taxonomy:


OpenID, SAML, WS-*, ID-WSF, ID-FF, Shibboleth, YADIS, XRI/XDI, OAuth, XACML

Spec Definition Bodies

OASIS, OpenID community, Liberty Alliance, IETF, W3C, ID Commons, ITU, Internet 2, Google groups

OpenSource Software

Bandit, Higgins, OpenLiberty, OpenID for PHP, OpenSAML, ZXID, SimpleSAMLphp

Discussion Forums

ID Gang

Metasystem initiatives

Concordia, Cardspace & OpenID 'partnership'


Catalyst, RSA, DIDW, IOS

Use cases

User-centric, VRM, enterprise, mobile

With this we can write sentences like

[Specification], defined by the [Spec definition Body] has been optimized to support [Use Case] identity. Work is underway to create software libraries at [Open Source Software]. There will be an interop demonstration of [Specification] and [Specification] working together, as profiled at [Metasystem initiative] at [Conference/Meeting]. Meanwhile, bickering continues on the [Discussion Group].

Maybe we could even standardize the above boiler plate to ensure consistency of PR?


CoScripter is a Firefox extension from IBM (a real Web 2.0 company):

for recording, automating, and sharing processes performed in a web browser such as printing photos online, requesting a vacation hold for postal mail, or checking bank account information. Instructions for processes are recorded and stored in easy-to-read text here on the CoScripter web site, so anyone can make use of them. If you are having trouble with a web-based process, check to see if someone has written a CoScript for it!

As I have to assume that the recent alarming drop in readership of this blog is due to my erstwhile readers now having trouble with the surfing process (e.g. scrolling and clicking), I have created a Coscripter script to automate the steps.

I must remember to upgrade my account in anticipation of the surge in traffic.

Wednesday, September 26, 2007

Biblical Proportions

I wonder if a year of living by the Laws of Identity would have the same effect on facial hair as did a year following the Old Testament's MUSTs & MUST NOTs (very few SHOULDs & MAYs if I recall).

Not at all equine-centric

Slate reports on the practices of the thoroughbred horse naming authority.

But who speaks for the horses?

Tuesday, September 25, 2007


NTT was awarded one of the 'proof of concept' IDDY awards for our development of a smart identity client for mobile phones - SASSO.

Monday, September 24, 2007


A genealogy of theoretical physicists.

It looks like Enrico Fermi wins the 'Kevin Bacon' award.

And yes thanks I am aware that FOAF doesn't define a <thesisAdvisorOf>.

Thursday, September 20, 2007

What I did, and how I did it

For an SP accepting an IdP's assertion that some user has authenticated, the 'what & how' will often matter. All else being equal, an assertion issued after the user authenticated with an OTP is 'better' that one resulting from presentation of a password, better in the degree of confidence that the SP can ascribe to it.

Frameworks that enable the SP & the IDP to have the discussion of the 'what & how' (whether that discussion happens in a board room with the suits or 'on the wire') can be categorized as:
  1. those that simply provide a syntax for describing technologies & processes that impact assurance, (e.g. SAML 2.0 Authentication Context)
  2. those that define buckets into which combinations of technologies & processes can be placed, (e.g. SAML 2.0 AC classes)
  3. those that define buckets into which combinations of technologies & processes can be placed, distinguished by the security characteristics they can provide (e.g OpenID PAPE)
  4. those that define buckets into which combinations of technologies & processes can be placed, distinguished by the level of assurance they can provide (e.g NIST 800-63 combined with OMB 04-04
I'd argue that 1) is the most powerful/flexible, 4) is the simplest.

Identity Pop-up Video

If you wanted to play around with a new video annotation service, and you wanted to pick a video that everybody in 'identityland' would know and recognize, what video would you pick?

Anything come immediately to mind? Anything?

Or here.

My experiments end at 2.42 in.

Even Bob has covered it.

Tuesday, September 18, 2007

How ironic

Identity assertions would benefit from markup to express undertones of meaning. Imagine how much richer would an IdP's claims to an SP be if they could express the following:

"She is a Senior VP"

"His credit rating is average"

"She has a wonderful personality" ¡

Topcoder & SAML

Topcoder runs software competitions in order to bring companies together with programmers and to create a library of software components.

Presumably a previous competition resulted in their SAML Framework.

If only there were a competitive category for 'snideness'. Is it even possible to code snidely?

Monday, September 17, 2007

You know you're old

when your social network provides games designed to maintain your brain.

Maybe there needs to be a Twitter designed specifically for Seniors, a place where they can bitch about their sore backs and tell their friends when they last moved their bowels.

Wednesday, September 12, 2007

Liberty Certification --> GSA Certification

GSA E-Authentication news

GSA will accept applications from SAML 2.0 providers for interoperability testing based on the SAML 2.0 technical architecture and interface specifications. As a pre-requisite for such testing, GSA requires that providers complete the Liberty Alliance SAML 2.0 interoperability testing requirements for the Liberty Interoperable certification program.

HRM (Hooker Relationship Management)

Phone rings

John: Hello
Babs: Hi Sugar, this is Babs calling. I saw your RFI on your blog.
John: (puzzled) RFI?
Babs: 'Request for Intercourse'. Did'ya forget about putting that up?
John: Oh jeez, I was drunk, I didn't think I actually hit the submit button.
Babs: Gotta luv those microformats - they do sneak out. But never mind that, I still think I can make you an offer that will meet your intercourse criteria.
John: OK, well I guess it wouldn't hurt to talk ....
Babs: Not a bit honey. Now, are you thinking about a long-term relationship? I can give a volume discount
John: Err, I think I'll wait and see ...
Babs: Fair enough, now the RFI didn't mention toys, you like them?
John: Toys? Like in Webkinz?
Babs: Oh my, you are the kinky one, sure we can work something out for Webkinz....But, that'll be extra.
John: Hey, you know, I uh, this doesn't feel right, I'm not interested..
Babs: Oh, that's too bad Sugar, But maybe you have some friends that might be?
John: Just grab the FOAF from my blog, but don't tell them I sent you OK.

Tuesday, September 11, 2007


I grudgingly believe that chiropractic can offer real value & benefit to sufferers of back-pain. While it never did anything for me when I had back troubles, others swear by it. So, I concede there is probably something real going on, whether it's the relaxation of 'subluxations' or something else.

What I find to be complete quackery are those assertions by some that chiro has benefits far beyond the spine & vertebrae. There are claims for fixing sleep apnea, the common cold, allergies, Erectile Dysfunction (which by the way is a serious issue for many men - normal every-day young healthy men who should not be mocked) etc.

When I hear these claims for chiro, I think to myself 'They're over-reaching', i.e. attempting to apply a therapy beyond a valid & justifiable scope. Ultimately, these claims do more harm than good, tainting the reputation of the profession for more legitimate applications as they do.

I think the same thing when I hear OpenID described as possibly appropriate for high-value applications like banking - it's over-reaching, claiming scope that is unsupported by the security characteristics that the protocol affords (irrespective of how the user was initially registered or subsequently authenticated). And ultimately, like for chiro and cancer, the reputation of the valid application is damaged.

Kim seems to agree (on the over-reaching thing, I'm not sure where he stands on ED). Stefan clearly thinks that even claims that OpenID can help mitigate back pain are quackery.

Monday, September 10, 2007

Persona Roulette

urlsplit allows you to map multiple URLs into a single.

I created for 3 of my OpenIDs. Each time you try the URL you'll get one of the 3 OpenIDs (or a mystery link).

I think this service could be really useful for someone suffering from multiple personalities. Provide the split URL to an OpenID RP and sit back and wait to see which persona you get.

Identity Session KIller

David, on Dilbert, on the term 'Web 2.0', and its ability to derail meetings.

'User-centric' will just as effectively kill the productivity of a session at an identity together. 'Trust' is a close second in lethality.

I must remember that the next time my slides aren't done in time. Just put up a single slide with 'User-centrism & Trust - diametrically opposed?' in a big font and sit back.

'The bar is open' has also been known to work

Sunday, September 09, 2007

Full Points

to someone named 'Anonymous' (is this a Greek name?) for decoding my QR riddle.

Hey, faith is a very personal thing.

Friday, September 07, 2007

A Social Network you dont want to join

From Boing Boing, a social network that, uniquely, likely won't duplicate your buddy list.

I can see the invites now

Hi, you've received an invite from a friend to swap body organs.

They are asking for a
- a kidney    (X)
- a lung ( )
- a liver ( )
- bone marrow ( )

and in return are offering you a
- a kidney    ( )
- a lung ( )
- a liver ( )
- bone marrow (X)
Click here to accept the swap. You'll be asked to arrange a date for surgery (or we can just send one of our trained 'removal technicians' right over).

The Team at Organz

There is even a game (soon to be a Facebook app I expect).

Thursday, September 06, 2007

My Boys

Canadians - Just More Trustworthy

See this for proof.

"No particular reason we chose Canada," cast member Chris Taylor was quoted as saying.

Yeah right, that from an Aussie. You just can't trust them.

Early morning kvetch

In response to an enquiry regarding my wireless account, I received the following from my provider

Dear Paul Madsen,

Thank you for taking the time to write to us, we appreciate your use of online customer service.

In your recent email, you have informed us that you would like to know when your current commitment expires.

We do apologize but we are unable to locate your account with the
information provided. To answer your question more precisely please reply to this e-mail with your account/wireless number, date of birth and full billing address including the postal code. Please note if there is a password on your account you will need to provide it or we will not be able to access your account. Once we are able to locate and access your account and provide you with the information requested. We will reply within 24 hours.

Some phisher either lucked out on timing, or Rogers is incredibly blind & obtuse on the issue of identity theft.

My response

Dear Rogers,

Thank you for taking the time to canvass me to send personal information & account details over an insecure network to a possibly malicious email address.

I will NOT be sending my personal information and account password over email.

I am surprised and disappointed that, in today's reality of ID theft, Rogers would encourage me to do so. Had I not actually sent the enquiry about my existing account, I would have automatically categorized this mail as a phishing attempt.

I read with interest Perhaps Rogers should alert its customers that they themselves will occasionally send emails with some of the patterns associated with a phish.

I have cc'd Rogers Privacy Officer in order to hilite for that office this unacceptable privacy & security practice.

Wednesday, September 05, 2007

Have they never been?

From a booking for an upcoming trip to Tokyo

'Having a set of wheels' in Tokyo would most certainly NOT make my trip more fun. It WOULD make it more expensive, stressful & (most likely) litigious.

They should do a little research into local driving conditions before they suggest that a traveller should make the attempt neh?

Just asking

Why don't we use the term 'rhetorical messaging' instead of 'asynchronous', e.g.
'as the messaging pattern is rhetorical, the sender need not wait for a response'
Far more intuitive I think.

Just asking.

Tuesday, September 04, 2007

Nuremburg to Helsinki

The Nuremuburg Code is a set of ethical best-practices for dealing with human subjects in experiments such as clinical trials for drugs. The Code arose in response to the horrors of the so-called experiments of Nazi doctors performed on prisoners.

Not surprisingly given its genesis, consent of the individual involved is the uppermost principle
The voluntary consent of the human subject is absolutely essential. This means that the person involved should have legal capacity to give consent; should be so situated as to be able to exercise free power of choice, without the intervention of any element of force, fraud, deceit, duress, over-reaching, or other ulterior form of constraint or coercion; and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding and enlightened decision.

The Declaration of Helsinki, its first edition appearing in 1964, is in some sense an evolution of the Nuremburg Code. The Declaration more specifically deals with clinical research like drug trials. A key change is that the rule for consent has been wattered down, instead of consent being clearly expressed as 'absolutely essential', we have

In any research on human beings, each potential subject must be adequately informed of the aims, methods, sources of funding, any possible conflicts of interest, institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail. The subject should be informed of the right to abstain from participation in the study or to withdraw consent to participate at any time without reprisal. After ensuring that the subject has understood the information, the physician should then obtain the subject's freely-given informed consent, preferably in writing.

In a sense, this is useful clarification of the basic principle, i.e. calling out the different steps that warrant gathering consent. But, there are a number of SHOULDs in the above that might give those setting up clinical trials inappropriate leeway. At least, this is the argument made by Sonia Shah in her book 'The Body Hunters'. Shah lays out the current outsourcing model in which 'Big Pharma' conducts drug trials in third world countries, but brings any resulting benefits back to those first world customers who can pay.

Those running the trials argue that obtaining informed consent from some impoverished and illiterate non-English speaking subject is, at best, challenging and at worst, pretty much impossible. So, they argue, they shouldn't be held responsible if it turns out that trial participants turn out to not understand what they signed up for. Shah suggests that a simple solution to would be to quiz trial candidates for their understanding before they sign up. If they pass, they can participate. Otherwise, not.

This model might work in other consent contexts.