Wednesday, April 30, 2008

Fact (or fiction)

In Steven Pinker's new book 'The Stuff Of Thought', Pinker analyses US President Bush's veracity through his use of the verb learn in this (now famous) line

The British government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa.

Learn is what linguists call a factive verb - it concedes no ambiguity. To learn something is to be absolutely certain of it.
Verbs and other predicates that are factive presuppose that the proposition they introduce is true. It could of course be the case that the speaker/writer is mistaken and the proposition is false -- but if the rules of English pragmatics are being followed, the speaker/writer uses a factive only when he or she is honestly convinced that the proposition is true.

By using learn, Bush was effectively saying 'The Brits have discovered that Saddam bought uranium, and Gosh Darnit I believe them!'.

Note: There is an alternative (and only slightly less worrying) explanation.

Non-factive verbs give the entity using them some leeway or wiggle-room.

A partial list: think, suppose, expect, allege, assume, believe, guess, maintain, hazard.

Is it not strange that the two verbs most commonly used to describe the act of an IDP representing some set of a user's attributes to a relying party are claim and assert - both non-factive?

I see the lawyers at work
Your Honour, my client made it perfectly clear that they were only 'claiming' that the user had logged in. If the defendant chose to grant access to their resources based on my client's beliefs then surely my client cannot be held responsible.

Too needy?

I applied for the beta at Evernote.

And was very quickly granted an invite.

Too quickly. I'm not sure I want that which I can have.

Visual Identity

Just came across Vittorio's notation for visually representing web services security keys, signatures, and encryption.

Very nice.

As Vittorio points out, the diagrams can give a sense of key management scaling issues
Here you can clearly see that a client needs to own the public keys of every service it wants to deal with; furthermore, it is clear that the service can use the client's public key found in the message and it doesn't need to keep in the local store the public keys of all possible clients.

The private/secret crypto division of labour that enables scalable key management and efficient processing is captured in the wonderfully concise

Scalability issues arise if you encrypt or sign directly with a static
which motivates
Madsen's Law of Security & Fashion: Blue before green should never be seen.

I can imagine adding an extra visual layer for the identifiers & attributes that the messages would carry. The notation for identifiers would indicate the entity for which they are targeted/directed. That for attributes could indicate the source.

Survival of the fittest (err largest)

I confess that my tongue was firmly positioned in cheek when I made this suggestion about rewarding large OPs with preferred visual placement in a selection UI.

But now I see the gist of the idea implemented.

Next providers are added to the list based on the estimated number of users they have, for example Yahoo and AOL have many users and will likely always be in the list.

And isn't this a sort of 'preemptive whitelist'?

Relying Parties may then manually add your provider to their ID Selector from the configure page.

Rather than filter out OPs at authorization time, filter them at selection time.

Darwin would love it.

Monday, April 28, 2008

US Centric Assurance

NRI's Nat Sakimura considers how OpenID's PAPE deals with NIST 800-63 assurance levels.

Especially for the financial applications, there may be country specific guidelines and it would probably be better to be able to state the compliance level with that standard or legislation.

e.g., instead of just having openid.pape.nist_auth_level, having something like this may do…


As it is, NIST is hard-coded into PAPE. Another assurance framework could be retrofitted in, but it would be (relative to the NIST integration) tacked-on.

The fact that a new group is being spun-up to standardize PAPE would appear to present an opportunity to remedy the situation, except for the stipulated requirement of 'maintaining compatibility for existing Draft 2 implementations'.

Thursday, April 24, 2008


Spring in Canada is not just about dog feces peeping through the melting snow - another sure sign is when you see your first motorcycle.

Motorcycles and cars differ in the security model they offer their riders - bikes offer increased 'primary security', i.e. the ability to avoid accidents through greater braking, greater manoeuvrability, etc; cars offer increased 'secondary security', i.e. the ability of the driver to survive an accident should one occur (through airbags, passenger cage, crumple zones, etc).

Is there an analogy for identity systems, i.e. some identity systems offer increased protection against 'accidents' (through strong crypto, privacy features, etc), whilst others offer increased survivability for such accidents by minimizing the damage that occurs (through support for audit & forensic mechanisms)?

Any club that wouldn't have me ....

I just took the test as an experiment anyways. I wouldn't join your dumb YASN if you paid me.

And I didn't try my hardest either - I barely used my left brain at all.

And also, my Mom says I'm very smart, just not in 'testable ways'.

(Highly) Asynchronous Security Token Exchange

Out with the old, in with the shiny.

At least

this guy wasn't using Twitter.

Nearing enemy base. 2 mins ago from mobile
Sneaking across border. 1 hr ago from mobile
Leaving base for secret operation. 2 hrs ago from mobile


Wednesday, April 23, 2008

In which I become irritable

I so desperately want to understand Higgins' r-cards - I get a sense they could be important.

But, this, this, this, this, and this are not giving me the assistance I need.

Is there a diagram?

As is my wont, when I don't understand something I think I should, I get peevish. Just ask my wife.

OAuth & ID-WSF Authz Models

(rev'd to clarify Andy's comment/question about the ID-WSF sequence)

(ignoring message authentication mechanisms)

OAuth Sequence

1) Alice is at - the site wants her X identity attribute
2) Alice indicates that X is maintained at
3) redirects Alice to
4) asks Alice 'OK for to get X?'
5) Alice says yes
6) asks for X
7) returns X to

ID-WSF Sequence

1) Alice is at - the site wants her X identity attribute
2) discovers that X is maintained at
3) asks for X
4) Not yet having Alice's permission, asks for Alice to be redirected to it
5) asks Alice 'OK for to get X?'
6) Alice says yes
7) re-asks for X
8) returns X to

Cardspace & U-Prove Integration Scenario

rev'd to reflect Christian's correction of U-Prove branding.

A conjectured integration

Tuesday, April 22, 2008

Shared Credentials

Axel likes the idea of using network authentication as a second factor.

So if you are using your home DSL connection then this access is used as a second factor for your T-Home account. And If you have a T-Mobile internet connection using your mobile phone then that access is used as a second factor for your T-Home authentication. I like that.

Of course, network authentication isn't only relevant as providing support for some other primary credential - in some cases it can provide sufficient assurance in its own right.

For example, in Axel's DSL scenario above, the network authentication itself could enable access to some class of resources without requiring an additional password or other factor.

Here is the rub though. If mere access to the DSL line is going to be considered as providing sufficient assurance for access to some set of resources - then those resources have to be appropriate for all users that can access the DSL line.

A shared credential implies shared resources.

For instance, the 'DSL Access Authentication' (by its very nature shared amongst the members of the household) could enable access to a shared family calendar and a family photo album. Access to a non-shared resource (e.g. daughter's Inbox) would require presentation of a non-shared credential.

In a federated scenario (i.e. the entity to which the shared credential was presented asserts that fact to an RP), the last implies the need for an RP to be able to phrase the request

'I know that you've previously asserted to me that the user was authenticated, but at the time you only told me he/she was a member of the group that had access to some shared credential. Now I need you to actually tell me which member of that group he/she is.'

The sequence might be

1) User presents shared credential (i.e. network authentication) to IDP
2) IDP asserts shared identity to RP
3) User given access to shared resource
4) User attempts to access non-shared resource
5) RP indicates it needs non-shared authentication
6) IDP authenticates user as individual (password etc)
7) IDP asserts individual identity to RP
8) User given access to individual resource

NTT & France Telecom (interested as we are in leveraging the value of network authentication) have proposed an extension to SAML 2.0's Authentication Request to support this distinction.

A mobile phone network authentication, as the phone is not typically shared amongst a set of users, doesn't present the same twist.
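As an added example (not the post's own code, nor the NTT/France Telecom SAML extension it mentions), here is a small Python model of the eight-step sequence above: the IDP asserts either a shared household identity obtained from network authentication or an individual identity, and the RP decides per resource which of the two it needs. All line ids, usernames, passwords and resource names are constructed.

```python
# Added example: shared (network) credential vs. individual credential at an RP.
# Constructed data throughout; issuer "idp.example" and all subjects are made up.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Assertion:
    issuer: str
    subject: str          # "household:42" for a shared credential, "daughter" for an individual one
    shared: bool          # True when the authenticated credential is shared (e.g. the DSL line)
    household: str        # household the subject belongs to; carried in both kinds of assertion
    authn_method: str


class IdentityProvider:
    def __init__(self, lines: Dict[str, str], users: Dict[str, Tuple[str, str]]):
        self.lines = lines    # DSL line id -> household identifier
        self.users = users    # username -> (password, household)

    def authenticate_network(self, line_id: str) -> Optional[Assertion]:
        """Steps 1-2: network authentication only proves which household's line is in use."""
        household = self.lines.get(line_id)
        if household is None:
            return None
        return Assertion("idp.example", household, True, household, "network:dsl")

    def authenticate_individual(self, username: str, password: str) -> Optional[Assertion]:
        """Steps 6-7: a non-shared credential identifies one member of the household."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        return Assertion("idp.example", username, False, record[1], "password")


class RelyingParty:
    def __init__(self, owners: Dict[str, str]):
        self.owners = owners  # resource -> owning subject (a household or an individual)

    def access(self, a: Assertion, resource: str) -> str:
        owner = self.owners[resource]
        if owner.startswith("household:"):
            # Step 3: a shared resource only needs the shared (household) identity.
            return "granted" if a.household == owner else "denied"
        if a.shared:
            # Step 5: a shared credential cannot say which member is present; ask for step-up.
            return "step_up_required"
        # Step 8: the individual identity must be the resource's owner.
        return "granted" if a.subject == owner else "denied"


def run_sequence(line_id="dsl-line-7", username="daughter", password="correct horse"):
    """Walk the full sequence and return the RP decision at each access attempt."""
    idp = IdentityProvider({"dsl-line-7": "household:42"},
                           {"daughter": ("correct horse", "household:42")})
    rp = RelyingParty({"family_calendar": "household:42", "inbox/daughter": "daughter"})
    shared = idp.authenticate_network(line_id)
    if shared is None:
        return {"error": "unknown line"}
    outcome = {"calendar_with_shared": rp.access(shared, "family_calendar"),   # step 3
               "inbox_with_shared": rp.access(shared, "inbox/daughter")}       # steps 4-5
    if outcome["inbox_with_shared"] == "step_up_required":
        individual = idp.authenticate_individual(username, password)         # steps 6-7
        outcome["inbox_after_step_up"] = (
            "denied" if individual is None else rp.access(individual, "inbox/daughter"))
    return outcome


if __name__ == "__main__":
    print(run_sequence())
```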

Proceed at your own risk

Shouldn't there be a warning on the click-through for every install of Relying Party software?
I acknowledge that federated identity is based on the premise 
of my accepting claims as to users' identity attributes from
separate business/policy entities. These claims can be
completely wacky (and in no way veridic).

I accept full responsibility for continuing.

Yes | No

Even before the Net, Voltaire knew the game

Those who can make you believe absurdities can make you commit atrocities.

- Voltaire (Francois-Marie Arouet)

There is a dragon in my garage

Well not really. What with the bikes and roller blades, there is no room in mine, I had to put the thing in the shed.

This quote jumped out at me
Claims that cannot be tested, assertions immune to disproof are veridically worthless

Note to self: look up 'veridically'. Use it pervasively in subsequent posts.

URI Sweatshops

The picture below was taken at a so-called 'URI factory' in an undisclosed Third World location.

Workers toil there in shocking conditions, stitching together personal URIs for the users of the wealthier nations.

Said one worker on condition of anonymity, "They work us hard. When one of the big providers puts in an order we'll work steady for days. Right now we have this big order from Yahoo! for a bunch of URIs with crazy random strings. How are we supposed to keep track of what we've already made? Tell your readers what's happening here."

Added another worker, "The only good thing about the job is the personal gratification we get when we hear back that some new RP has come on board and is accepting the URIs we make. Well, you know, I expect to get some personal gratification when that happens."

Most Web users in Europe, North America and Japan are completely unaware of this unattractive underside of the user-centric identity movement - others, having become dependent on the SSO that the URIs enable, simply choose to ignore the awkward reality.

Monday, April 21, 2008

Keyboard Diorama

Original cut-out art by Sophie. Matching forest background by Google.


I had hoped it wouldn't come to this, but I will soon be enforcing bandwidth throttling on my children's internet connections.

In defending the move to my kids, I've pointed out that there is a precedent for this sort of trickle-down enforcement policy.


A sentence in Vikram's rollercoaster ride of enthusiasm/concern caught my eye
The critical question of course is whether or not Snapper is based on MiFare Classic chips. There is no publicly available information that I could find which confirms or denies this.

Makes me think of accepted best-practice in crypto of making public the details of any new algorithm, i.e. rely for security on the inherent difficulty of some one-way function and not secrecy about the nature of that function.

And this sort of openness & transparency (in some sense providing a headstart to the very attackers that aim to crack your crypto) makes me think of the practice of stotting in the animal kingdom.

Stotting is a bouncy straight-legged gait that some species of gazelle engage in when confronted by a predator. Rather than run immediately away (as common sense would seemingly dictate), the gazelles jump up and down in the same area, effectively giving to the lion a headstart in the race should it choose to run one.

Why hang around clear and present danger?

The game-theory explanation for the behaviour is that the gazelle is sending a message to the lion, along the lines of

Hey lion, look at me, I'm so confident that I can outrun you should you try to chase me that I'm still here, bouncing up and down in this extremely silly manner. Your time would be much better spent chasing that other gazelle over there trying to sneak away.

If the gazelle can indeed beat the lion (which a healthy adult likely can), then it is in the interests of both to not even run the race. Why bother when the result is predetermined? Better for the lion to save energy for a future race that it might actually win. Better for the gazelle to keep grazing.

Critically, to convince the lion that there is indeed no point in the race, the gazelle has to back the "Don't Bother, I'm fast" message up with a behaviour with associated risk, e.g. jumping up and down in place. If there were no risk involved, then even gazelles with a gimpy leg or smoker's lungs would perform it, and the lion would learn to distrust it.

For gazelles and crypto, if you can walk the walk, it's best to talk the talk.

I am being suppressed

'Big Identity', threatened by my SCIENTIFIC research into user-centric identity because it exposes the fabric of amoral lies on which it is built, is suppressing me.

The evidence for this suppression is clear - embarrassingly low blog readership, minimal speaking invitations, and an overall lack of interest all point to an organized and efficient program designed to prevent my ground-breaking ideas from reaching a wider audience.

While user-centric identity proponents argue that HTTP URIs are a desirable and appropriate identifier format for the Web, my extensive research (a bit of book-reading down at the library and lots of Googling) has determined that HTTP is an acronym for 'Hell - Time To Party' and, as such, should play no part in a family-oriented Internet & Web.

Big ID wants your kids typing this over and over every time they want to log-in to some site. Think about the long term consequences of that.

What's more, Big ID is actively suppressing further research into many other Devil-based acronyms on which Big ID builds.

For instance, initial evidence points to the first 3 letters of 'SAML' as representing 'Satan - A Major'. While I am hoping to be able to finish off the research and determine the meaning of the final letter 'L', I fear that Big ID's program of harassment will succeed before such time. I am tantalizingly close to a break-through - I have determined that the 'L' word has 5 letters and starts with 'L O V E _' but the final piece has so far eluded my team's investigations.

Let's not let Big ID suppress true SCIENTIFIC research.

Sunday, April 20, 2008

Assurance Architecture

If an SP is to grant access to some valuable resource based on a federated identity, it will want some convincing that the relevant IDP is kosher (in the vernacular, not dietary, sense). The SP will want to be courted (in the wooed, not legal, sense) by the IDP. The IDP's courtship will consist of 'opening the kimono' with respect to its identity management infrastructure and processes in order to convince the SP. The more valuable the resource, the more 'leg' the SP will want to see. (can you count how many metaphors the above used?)

The bower bird gets its name from the thatched structure (bower) that the male builds in order to court the ladies. The bower is constructed in the undergrowth from twigs and coarse grass, and may be as much as 3 feet across. Each species builds its own shape of bower (e.g. a mat, a tower, or an archway) and prefers a different decorating scheme. A few surround their bowers with carefully planted lawns of moss. Others strew blue objects all around the structure in order to cultivate the right romantic mood.

Compare the following bower facts to identity assurance for federated identity partners:

- Bower birds are naturally territorial. Neighbouring birds may pilfer decorations from each other and even attempt to trash nearby bowers.

- One theory is that bowers, by providing a sort of a fence separating them from the male, allow the females to feel sufficiently comfortable to approach - the bower allows females to get close enough to get a good look without feeling threatened.

- The birds are polygynous and a male may mate with many females.

- Bower birds are an elusive species and difficult to photograph. The actual mating act is rarely witnessed.

- Researchers have noticed a link between the showiness of a bower bird's plumage and the intricacy of its bower: drab species often build large monstrosities, while the bright plumed species may only use leaves to decorate.

Creole Cooking

A pidgin is a low-end language that arises in order to bridge the interoperability gap between two communities - each with its own full featured language.

Pidgins consist largely of nouns, verbs and adjectives with few or no articles, conjunctions or prepositions and no consistent grammar. Pidgins aren't elegant, but they serve a purpose - typically facilitating commerce and trade between the two groups that find themselves thrown together.

Hmm, I'm seeing some links
  • Hawaiian Pidgin is a creole that developed on Hawaii, based on English but influenced by Japanese, Portuguese, and Cantonese (and others).
  • Eve grew up in Hawaii.
  • Eve informally chairs Project Concordia.
  • Concordia's mandate is to explore the issues that arise at the boundaries between identity languages like Infocards, SAML, WS-Federation, ID-WSF, etc. While Concordia is not developing any new languages (convention not invention), the motivation is the same, ie. let's do just what we need to in order to get the money flowing.
  • Like Australian, Hawaiian Pidgin doesn't pronounce the 'r' when it follows a vowel, e.g. "I'm gonna drive my blooody cah down to the blooody grog shop to buy some blooody beya. Emma chisit?'
  • New England American English is similar.
  • Patrick Haading is an Australian living in Boston - and pronounces the name of his company as Peeng.
  • In the Russo-Norsk pidgin that developed between Russian traders & Norwegian fishermen in the last century, 'Peeng' was the name of the ceremony by which representatives of the two communities would establish their bona fides before trading their goods.
If kids grow up listening to and speaking a given pidgin, then they will often push it to new heights of functionality - the result is a creole. A creole is more advanced than a pidgin, having a more extensive vocabulary, a consistent grammar and the ability to express anything a regular language can. It's as if the kids, impatient with the limitations of the pidgin, decide to create a real language on their own.

It's reassuring to think that there will be plenty of work for the next generation of identity system designers.

Wholely Crap

This is surely one step closer to this.

The end state of this inexorable slide towards biological openness is in sight.

I predict automatic porcelain update clients.


According to Andreas, simpleSAMLphp is up for an award at next week's European Identity Conference. (it seems the organizers opted to go with only one of my two suggested award recipients - perhaps they felt the 'Incredible Insight from an Ottawa-based identity blogger' award was too broad?)

simpleSAMLphp also has a new logo.

On the topic of the conference itself, I would have been presenting at the Liberty Alliance pre-conference workshop if not for the bureaucratic mix-up that resulted in my not being asked.

Confirmed Site Identity?

Update: based on a recent thread on the OpenID list, George's supposition below about the meaning of the warning is correct. Yahoo attempts to verify the RP through Yadis discovery. If the RP doesn't support the feature, the warning is the result.

Wishlistr is one of the sites that Yahoo! highlights as one that you can use your Yahoo! OpenID to log-in to.

But, when I tried to do so, Yahoo! showed me the following warning

What would Wishlistr need to do to 'confirm its identity' to Yahoo such that users wouldn't see this (likely enthusiasm killing) warning?

If the warning just reflects OpenID's default trust model, why is Yahoo! giving the impression that something better (in the sense of not causing scary warnings) might be possible through Wishlistr undergoing 'site identity confirmation'?


Friday, April 18, 2008

Who's asking?

Consider a user Alice who stores her attributes at some provider. If Alice were to define rules for the release of her attributes, what are the permutations that she might need to account for?

At its most basic, a request for identity takes the logical form of
'A is asking to perform action B on C's resource D on behalf of User E (for purpose F)'
A is who is asking, i.e. what network actor is sending the request.
B is some operation, i.e. read, write, delete etc
C is Alice, the owner of the resource in question, i.e. the one whose privacy will be potentially damaged should it be released inappropriately.
D is the resource in question, e.g. Alice's email address
E is the user on whose behalf the question is being posed, i.e. for which user's benefit are the attributes being sought.
F is the intended usage & processing for which the attribute is sought (distinct from for whom it is sought, E)

The resource owner C could conceivably define access rules in terms of each of the other request parameters. For instance, Alice could

1) specify that Amazon (A) can have access to her current shipping address
2) specify that all interested parties can read (B) her presence info, but none modify (B) it
3) specify that her list of upcoming business trips (D) is public
4) specify that her spouse (E) can always see her free/busy schedule
5) specify that her political allegiance be released only for polling purposes (F)

  • You can think of an SSO request for authentication as having the resource in question (D) as the 'authentication status', and the owning user (C) left empty (because it's unknown when the request is sent)
  • Many use cases are satisfied by a request in which C and E are the same. However, this is the degenerate case of the more general situation.
  • As clients become more capable, requests for identity may not always be sent by some business (and legal) entity on behalf of a user, but will be sent instead by a client directly associated with that user.
  • OAuth is designed to support #1 (motivation being to ensure that Alice doesn't have to give Amazon her password at the Profile provider)
  • OpenID Attribute Exchange distinguishes between read & write, so can support #2 (in the sense that Alice could define differentiated policies)
  • The default FOAF model is #3.
  • Liberty's ID-WSF Identity Model & People Service supports #4, and I believe that the same could be said of XDI.
  • Liberty's emerging Identity Governance Framework supports #5, XDI as well?
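As an added example (not the post's own code, nor any of the protocols named above), here is a small default-deny release policy in Python that expresses Alice's five rules over the six request parameters A to F. The requester name amazon.example, the spouse name "bob" and the resource names are constructed.

```python
# Added example: attribute-release rules over the six request parameters
# 'A is asking to perform action B on C's resource D on behalf of E (for purpose F)'.
# All identifiers below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Request:
    requester: str                 # A: the network actor sending the request
    action: str                    # B: read, write, delete, ...
    owner: Optional[str]           # C: whose resource; None for an SSO request sent before the user is known
    resource: str                  # D: e.g. "shipping_address"
    on_behalf_of: str              # E: the user for whose benefit the attribute is sought
    purpose: Optional[str] = None  # F: intended usage, distinct from E


@dataclass(frozen=True)
class Rule:
    """One release rule. A None constraint matches any value of that parameter."""
    resource: str                                   # D is always constrained
    actions: FrozenSet[str] = frozenset({"read"})   # B: read-only unless stated otherwise
    requester: Optional[str] = None                 # A
    on_behalf_of: Optional[str] = None              # E
    purpose: Optional[str] = None                   # F

    def matches(self, req: Request) -> bool:
        return (
            req.resource == self.resource
            and req.action in self.actions
            and (self.requester is None or req.requester == self.requester)
            and (self.on_behalf_of is None or req.on_behalf_of == self.on_behalf_of)
            and (self.purpose is None or req.purpose == self.purpose)
        )


class ReleasePolicy:
    """Default-deny: a request is honoured only if one of the owner's rules matches it."""

    def __init__(self, owner: str, rules: List[Rule]):
        self.owner = owner
        self.rules = list(rules)

    def decide(self, req: Request) -> bool:
        # These are Alice's rules; a request about another (or an unknown)
        # owner cannot be decided by them and is refused outright.
        if req.owner != self.owner:
            return False
        return any(rule.matches(req) for rule in self.rules)


ALICE_POLICY = ReleasePolicy("alice", [
    # 1) Amazon (A) can have her current shipping address
    Rule(resource="shipping_address", requester="amazon.example"),
    # 2) anyone may read (B) her presence; no rule grants write, so writes are denied
    Rule(resource="presence", actions=frozenset({"read"})),
    # 3) her list of upcoming business trips (D) is public
    Rule(resource="business_trips"),
    # 4) her spouse (E) can always see her free/busy schedule
    Rule(resource="free_busy", on_behalf_of="bob"),
    # 5) political allegiance is released only for polling purposes (F)
    Rule(resource="political_allegiance", purpose="polling"),
])


def may_release(requester, action, resource, on_behalf_of, purpose=None, owner="alice"):
    """Evaluate one constructed request against Alice's policy."""
    return ALICE_POLICY.decide(Request(requester, action, owner, resource, on_behalf_of, purpose))


if __name__ == "__main__":
    for args in [("amazon.example", "read", "shipping_address", "alice"),
                 ("shop.example", "read", "shipping_address", "alice"),
                 ("anyone.example", "write", "presence", "alice"),
                 ("pollster.example", "read", "political_allegiance", "alice", "marketing")]:
        print(args, "->", may_release(*args))
```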

Social Invite Rejection Songs

There is a certain satisfaction to rejecting social invites. Certain but insufficient I think.

For myself, the enjoyment would be increased if the rejection communication channel allowed more expressiveness than a simple 'no thanks'.

Below is my first cut at a list of 'rejection songs'.

On the chance I accept an invite, I'll use

Some Link Love?

Given the heritage (as evidenced from the duplicated phrasing of the introductory texts of the two specs), shouldn't Avery and I, co-authors along with Dave of the (deprecated) OpenID Authentication Quality Extension (AQE) specification, be getting some 'contribution love' for the OpenID Provider Authentication Policy Extension (PAPE)?

For instance,

AQE - "Other aspects (e.g. security characteristics, credential provisioning, etc) could be dealt with in the future"
PAPE - "Other aspects (e.g. security characteristics, credential provisioning, etc) could be dealt with in the future"

AQE - "while none of the information expressed via this extension can be verified by the Relying Party in a technological fashion"
PAPE - "While none of the information transmitted using this extension can be verified by the Relying Party using technology alone"

Maybe something as simple as 'the authors would like to acknowledge the incredible insight & expertise of ...'? Whatever, you guys decide.


Thursday, April 17, 2008

Like flies to .... honey

As soon as you put a stake in the ground and say you are not courting social invitations, they start to flood in

Have some pride man. It's embarrassing.


SFBWBLNY (Safe for Brazilian Work But Likely Not Yours)

It has long been a dream of mine to write an entry for which the tags would include 'SAML' & 'scantily clad'.

That's why I have had mixed emotions about SAML's successes in enterprise, higher education, and e-government scenarios. Nice, but not really bringing me any closer to realizing my dream.

Today, I am happy to announce that I can place a checkmark besides this goal. Done.

Globo is a Brazilian media site, and they've implemented SAML.

Brazil. Photos. Videos.

'Nuff said.

I encourage readers to fully explore the Globo site in order to better understand their identity management requirements. It might be an idea to restrict such exploration to your home internet connection.

It seems telling

that an OpenID provider named mymobile-id is, other than an initial SMS-based registration mechanism, in no way optimized for mobility.

Perhaps the marketing department pushed back on 'myPrettyMuchNailedInPlace-id'?

You know, I actually think this mobility thing might have legs .....

Trip microformat?

Were there a microformat for marking up travel schedules such as Pat's, then I could set my reader with some sort of rule like

If dest = 'Brazil', do not display, elseif dest = 'Iowa', send mocking email with body text 'Have fun in %dest% :-) '

Pat, on the matter of thongs, the 'when in Rome' model should be applied cautiously.

Asocial Business Travel

I'm trying out TripIt for travel management.

The possible switch from the incumbent Dopplr is motivated by some actual functionality accidentally sneaking through TripIt's 'Web 2.0 Criteria Review' process, i.e. the value I derive from the application is more than mere curiosity as to which of my colleagues is visiting Topeka or other exotic locales.

TripIt does of course allow me to invite connections to create accounts so that I can see how our schedules mesh. They will of course want to leverage the same 'social trap' that Dopplr rides, i.e. get 1, have them invite 5, repeat. But TripIt's distinguishing feature is its ability to auto-add trips from booked itineraries - rather than doing it by hand you forward your booking confirmation emails to TripIt and they parse out the bits you need.

The fact that TripIt's real value (to me) is in no way dependent on my 'social graph' (maintained there or elsewhere) is why I have decided to keep TripIt 'asocial' - I will neither send invites nor, should I receive any, will I accept them.

As I know this may be difficult for people to comprehend, I will repeat.

I will neither send TripIt invites nor, should I receive any, will I accept them.

I'm sorry it had to come to this.

I may not even say hello if I see you in the airport lounge.

Wednesday, April 16, 2008

Ice & Snow?

In a piece on Hitachi's acquisition of M-Tech, Dave characterizes Canada as 'the land of ice & snow'.

Oh yeah?

Sorry, I have nothing.


I'd ask for Kim's help but he bowed to the southward pull. Quitter!



In a comment to a post of mine, a Dutchman living in Finland clarifies Swedish visa requirements for Canadians, these obtained from the Danish government, said clarification expressed in terms of (overly complicated) RP policies.
1) Sweden does trust the Canadian authorities if you're only visiting as a tourist, i.e. only access certain resources: the bars, restaurants, etc. And not come to impose your thought provoking ideas on those super efficient Swedes-at-work; think about the danger if they might lose their concentration for a while.

2) Sweden does not trust all assertions issued by Canada: those ugly brown Canadian Certificates of Identity are not good for anything as far as Sweden is concerned. Whereas Sweden is willing (as it has some agreement with partners in the Schengen zone that it has accepted as IDP Proxies) to treat the blue Canadian Travel Document as a token with which you can apply for a Swedish visa. And a real Canadian passport is good for tourist activities.

Even XACML would be challenged.

Tuesday, April 15, 2008

They must be joking

Visa requirements for travel to Sweden (perversely, obtained from the Danish embassy in Ottawa) follow.

I have a valid Canadian passport, do I need a visa? Not at all clear from the novel below.

How do I apply?

Based on a global agreement on division of labour between the Nordic countries, the processing of visa applications in Canada for travellers going to Sweden is handled by the Embassy of Denmark in Ottawa.

You can apply for a visa at one of the Swedish Consulates around Canada or at the Embassy of Denmark in Ottawa.

Visiting as a Tourist

You may be granted a visa if the Embassy judges that you intend leaving the Schengen zone after your visit.

Please notice that if you are a Canadian citizen holding a valid Canadian passport, you do not need a visa for a tourist visit not exceeding 90 days.

When applying for a visa for Sweden, you must submit all of the following documents:

- Application for Schengen Visa (form #119031).

- Application for supplementary Visa Application (J1-Form)

- Appendix D: Family appendix for applicants (form #201031).

- Valid passport (must be valid at least 3 months after trip to Sweden). Please note the following: The Canadian Certificate of Identity (brown cover) is NOT valid for travel to the Schengen countries. The Canadian Travel Document (blue cover) IS valid for travel to the Schengen countries with a visa. The validity of travel documents should exceed that of the visa by at least 6 months.

- Permanent Resident Card or other permit for Canada (employment authorization, visitor's record etc).

- One passport photograph size 3,5 x 4,5 cm - full face, colour, light background, not more than 6 months old, bareheaded unless special religious reasons exist.

- Information on how you support yourself in Canada (e.g. letter from employer, bank statements etc) approximate CAD 56 per day.

- Hotel reservation. If you intend to stay with a friend/relative, provide invitation document (appendix E with "personbevis" - original).

- Copy of plane reservation/flight itinerary.

- Once the Embassy is able to confirm that a visa can be issued, proof of medical travel insurance with a minimum coverage of the equivalent of EUR 30,000 must be presented. The insurance has to be valid for the entire Schengen area and for the entire stay in Schengen PLUS an additional 14 days.

- Visa application fee of CAD 90 per person, children over the age of 6 included, payable when applying.


This makes me think of Microsoft's U-Prove crypto and selective disclosure
you’ll be able to quickly break off just as much as you want to use, no more

Remains to be seen what the impact on spoilage will be.

Tradesman's Entrance

Niall Kennedy describes schemes like OAuth for attribute sharing authorization as 'Using the Front Door'.

Actually, I think of the current default model of a site requesting login credentials in order to access a user's attributes as already entering through 'the front door' - and that's the problem. By impersonating the user with their account & password, the requesting site enters as if it were the customer themselves, with the consequence that no granularity is possible as to what it is allowed to do once in the candy store.

The proprietary Google (AuthSub), Yahoo! BBAuth, and standardized OAuth & ID-WSF effectively have the requesting site enter through the tradesman's entrance - their own affiliation displayed clearly on their company shirt, and watched closely by store personnel and security cameras.
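To make the 'company shirt' concrete, here is an added example (mine, not code from Google, Yahoo!, or any OAuth library) of the provider-side check an OAuth 1.0 service performs on a signed request: the consumer key names the requesting site, the access token is bound to that consumer and to a user-granted scope, and the HMAC-SHA1 signature proves possession of the secrets without the user's password ever leaving the provider. The consumer/token registry, the scope paths and all secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

# Constructed registry for the example: the provider (the 'store') has issued a
# consumer key to one requesting site and one access token for user 'alice'
# that may only read her contacts. Nothing here is a real key or secret.
CONSUMERS = {"requesting-site": "consumer-secret-1"}
TOKENS = {
    "tok-alice-1": {
        "secret": "token-secret-1",
        "consumer": "requesting-site",
        "user": "alice",
        "scope": ("/contacts",),  # path prefixes this token may touch
    }
}
MAX_CLOCK_SKEW = 300  # seconds a request timestamp may differ from provider time


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars kept)."""
    return quote(str(value), safe="")


def make_params(consumer_key, token_key, nonce, timestamp):
    """The oauth_* protocol parameters a client sends, before signing."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }


def signature_base_string(method, url, params):
    """METHOD & encoded(base URL) & encoded(sorted, encoded parameters)."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs += parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """Client side: HMAC-SHA1 over the base string, keyed by both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_request(method, url, params, now, seen_nonces):
    """Provider side. Returns (allowed, user-or-reason).

    The consumer key is the 'company shirt': the caller is identified as
    itself, and the token limits it to what the user delegated."""
    consumer_key = params.get("oauth_consumer_key")
    consumer_secret = CONSUMERS.get(consumer_key)
    token = TOKENS.get(params.get("oauth_token"))
    if consumer_secret is None:
        return False, "unknown consumer"
    if token is None or token["consumer"] != consumer_key:
        return False, "token not issued to this consumer"
    # Replay defence: fresh timestamp and an unused nonce for this consumer.
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    nonce = (consumer_key, params.get("oauth_nonce"))
    if nonce in seen_nonces:
        return False, "nonce replayed"
    # Integrity of method, URL and parameters, plus proof of both secrets.
    expected = sign(method, url, params, consumer_secret, token["secret"])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    # The granularity the password model cannot offer: the token says what
    # this consumer may touch, not everything the user herself could.
    path = urlparse(url).path
    if not any(path == p or path.startswith(p + "/") for p in token["scope"]):
        return False, "outside token scope"
    return True, token["user"]
```

A request signed over `/contacts?page=2` fails if the query is altered in transit, if the nonce is replayed, or if the same token is pointed at `/mail`; with a shared password the provider could distinguish none of these from the user's own activity.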

Saturday, April 12, 2008

Conventions not Inventions

A perfect phrase to describe Project Concordia's mandate.

All identity initiatives could be slotted into this taxonomy, e.g. Data Portability is convention, SSTC is invention etc.

But how to deal with 'reinvention'?

Friday, April 11, 2008

I am a successful and respected identity professional

At least that's what I tell myself as I descend into the role of glorified Windows tray email notification tool.

Salutation from an email from my sister-in-law to my wife, myself cc'd
Hey Julie, Sending to paul too cuz I don't know if you check your email very much ....

Yelling "You've got mail!" up the stairs is soooo demeaning.

Thursday, April 10, 2008

Why you need us ... please?

HowRealtorsHelp purports to 'give you the information you need to make an educated decision' on whether to 'go it alone (in buying or selling a house) or use a REALTOR'.

I admit to previously being undecided, but the use of uppercase resolved the lingering doubts I had about paying exorbitant fees for questionable value.

Some representative warnings
Will you really “save” the real estate commission?

When buyers see a home for sale ‘by the owner’, they see a bargain. They imagine the REALTORS® fee going into their pocket, not yours.

Are you familiar with real estate law?

Complicated and ever changing, real estate law governs nearly every phase of selling your home. One mis-step, and an entire deal can fall through, or worse, a lawsuit can come your way.

I sense some panic from the realtor industry.

I can imagine similar 'educational sites' from the major IDPs, e.g. 'Things you Need to Know Before Self-Asserting'.

Tenuous Domain Creepage

This is a perfect example of domain creep, trying to get us to use those nice smelling anti-static sheets 'beyond the dryer'.

There are comparable examples of creep in the identity world.

For the record, I tried the sheets in my hockey bag. I think 4 boxes might have made a dent on the smell.

Social Sails and Peacock Tales

Dimetrodon is one of those 'dinosaurs' (technically, not actually one) that people recognize from school days - it's the one with the big sail sticking up out of its spine. (I had a tiny green plastic one that constantly battled the army men).

There seem to be two leading theories as to the purpose of the sail (it must have had some value, since it assuredly had drawbacks, e.g. in windstorms, that would otherwise have put its owner at a net disadvantage).

The first theory is that the sail was used for thermal regulation, either to warm up a cool animal basking in the sun or cool down an over-heated one through increased evaporation.

The other theory is that the sail, like a male peacock's tail, was used for sexual advertisement to other dimetrodons - the message (from a male) being
'How you doin', I must have a pretty fine set of genes if I can survive even while walking around with this huge &#(*$@!* sail on my back. You and I would make healthy babies'.

If it were used for thermal regulation, the sail would have created (or not) intrinsic value for the owner, i.e. it would have been just as useful to an isolated beast as to another in a herd. On the other hand, the sexual advertisement theory would mean that the value of the sail to its owner was dependent on some other dimetrodon's 'perception' of the sail - there is no point in advertising healthy genes if no potential partner is around to 'click on the banner' (FYI, a euphemism for the sex act).

Some things we do for our own benefit. Other things we do with others in mind (with hopefully advantageous downstream effects for ourselves).

So it is for an Identity Provider's security processes & mechanisms - an IDP would perform certain processes (e.g. backups, file encryption, etc) even if not connecting to partners for federated identity. These processes are the equivalent of the thermal regulation theory for the Dimetrodon's sail functionality - they provide direct and intrinsic security value to the IDP.

Other security processes are the equivalent of the sexual advertisement theory for the Dimetrodon sail - the IDP's motivation in supporting such processes is to create for candidate SPs a feeling of 'That IDP would be a Good Partner'. The list might include maintaining logs for 3rd party audit, supporting vulnerability scanning, publishing metadata, etc.

This insight of mine (like the parent blog itself) has no practical worth - its potential value lies only in it possibly impressing others. So I guess I lean to the social sail theory.

Wednesday, April 09, 2008

Sorry Eve

I used Flickr's Friend Finder to import Eve from my Gmail contacts list as a Flickr friend.

After giving to Google the necessary authorization for Flickr, my contacts were sent over, after which Flickr was able to match against existing Flickr users. I was able to individually control which of those users I wanted to add as a Flickr 'friend'.

the process was smooth and painless. Eve showed up as a friend afterwards.

The sequence was definitely not slowed down by any mechanism by which Eve might have been able to express her willingness to be added to my Flickr friends list. I guess by her sending me that mail last year she granted implicit consent to such operations.

Who's the Boss

One of the side-effects of working from home is that, if I answer the family line, I can get pulled into the subtle politics of 'play-dates'.

Follows is a call from this morning
Me: Hello
Mom of kid: Hi, is Julie there?
Me: No, sorry, I think she's at the gym with her personal trainer Sven.
Mom of kid: Oh that's too bad, I was hoping to set up a play date with Sophie and my son.
Me: Oh, is your son in my daughter's social network? We only accept invitations from those kids.
Mom of kid: (pause) Pardon me?
Me: Ha ha, just joking, a play date sounds great, Sophie would love that. What time?
Mom of kid: Err, perhaps I'll just phone back when Julie gets home ..
Me: No need, I can bring Sophie over.
Mom of kid: Weell, maybe we should just wait for Julie to decide ...

She was clearly not convinced that I had the authority to make the decision (nor was she swayed by the clear evidence in support).

If only my wife had explicitly delegated to me
<Right uri="playdate"/>

Justified Party? err no

An OpenID provider built on top of Google's App Engine, while cool, is not the same as Google itself acting as an OP, as this screen from Google makes clear

Google seems to be maintaining a certain aloofness don't they?

The phrase 'OpenID Provider may use your email address to personalize your experience on their website' is interesting. Is this an actual restriction that Google has placed on the app creators (or one they committed to) as to how the app can use my email address, i.e. for personalization only?

If so, it would preclude them from releasing the address in response to an OpenID sreg request.

Tuesday, April 08, 2008

How appropriate

that Nova will broadcast 'Cracking the Mayan Code' during the week of the RSA Conference.

Is that a credential in your container , or .....

My NTT colleague Yukio Tsuruoka gave a presentation on NTT's Virtual Credential Container (VCC) at yesterday's Liberty Alliance workshop at the RSA Conference.

NTT & Intel demoed a PoC of our VCC, used alongside Intel's Intelligent Client Platform (ICP) (as separately presented by Conor), for secure provisioning & storage of identity credentials into a client using Liberty's Advanced Client specs.

The provisioning sequence, along with the different roles played by VCC & ICP (ICP gets the credentials using ID-WSF, VCC stores them), are shown below (screenshot extracted from the VCC presentation).

X-ray Vision?

Faster than a speedy audit
More powerful than legislation
Able to see through SP firewalls
It's SuperIDP!

In discussing the relevance of the New Zealand government playing a role in citizen interaction with non-government applications (responding to Vikram's assertion that governments can do so when allowed to by the constituent citizens) Kim pulls a familiar arrow from his quiver
If I lived in New Zealand I would be working to see that the Commission’s system is based on a minimal disclosure technology like U-Prove or Idemix. I would also be working to make sure the system avoids “redirection protocols” that give the identity provider complete visibility into how identity is used. (Redirection protocols unsuitable for this usage include SAML and WS-Federation, as well as OpenID).
(emphasis mine)

That must be some magic redirect sequence if it somehow gives to the IDP 'complete visibility' into, beyond the where, the what, why, who and when of an SP's use of any identity it received from that IDP.

Personally, if I was an IDP that had such corporate X-ray vision (and no scruples about misusing it), I think I'd be applying it to see what Google was up to rather than on my federation partner SPs. And of course, on the girl's change room at school.

Separately, should not Kim's list of mechanisms that give the IDP partial visibility into a user's SP activities be extended?

Wasted Days and Wasted Nights

From the point of view of his genes, there is no worse fate for a male animal than to invest time & energy in the raising of offspring that aren't his, i.e. when they were sired by another (and not closely related) male.

Quite literally, it is a fate worse than death (again, from the genes PoV, which of course genes do not have, but it can be useful to imagine they do). It's wasted effort - his time is better spent siring his own progeny and investing his energies in their survival.

Note: clearly, human Dads are able to transcend the selfishness that the genes would impose on them.

On the other hand, there is no sweeter result for a male's genes than getting a free ride, i.e. the host male impregnating some female such that the resultant offspring will be reared by some other (almost certainly unsuspecting) male. The lothario enjoys the milk (genetic legacy) without the cost (time & effort spent rearing the small genetic packages in which that legacy is manifested) of purchasing the bovine, and is free to repeat the strategy with other females and other 'duped' husbands - potentially vastly expanding his genetic output.

(Lest I be accused of casting the female as only a passive player; the ladies play
the game of maximizing genetic output for minimal effort just as well - just differently).

'Fathers' can follow a number of strategies to ensure that any offspring of their mate are indeed their own - including restricting access to their mates in order to prevent impregnation, combating any sperm able to get past such access controls, and killing offspring resulting from any sperm able to defeat the other controls.

Forced exclusivity in partner selection taken to the extreme.

Hmmm. Might an IDP want to impose an exclusive whitelist on its partner SPs? Either explicitly, or implicitly, through incentives or UI?

From the other side, under what conditions might an SP be willing to accept such a constraint (i.e. how good a deal would it have to be?)

Note: answering 'enterprise' doesn't count, as both IDP and SP are in the same policy domain.

Monday, April 07, 2008

Despite myself

Against my better judgement, I find myself intrigued by Sun's teasing marketing campaign.

What is a fedlet?

Might it be related to the wonderfully successful campaign that preceded it?

How could they hope to better it?


If my wife and I had no kids, I bet we would maintain orderly & organized cupboards like this.

Everything would be clean & simple - there would be one type of large plate, one small plate, one bowl, etc. Just think how easy and fast unloading the dishwasher would be!

Alas, the price for diversity is the messiness of heterogeneity

Not so bad in the long run.

I stand corrected (again)

In comments on a post of mine on Xero, Xero representatives correct my (mis)characterization of how Xero pulls bank data
Xero absolutely does NOT ask for customers' bank login. Xero customers must submit signed authorization to their banks.

We are working on secure host-to-host connections with the banks, similar to the model you describe. That means with Xero you get a great web 2.0 experience that's backed by uncompromising host-to-host security.
As you said, asking customers for their internet banking credentials is a bad model and this is not how Xero works.

Xero's bank feeds are setup by the customer giving authority directly to their bank, requesting their data to be provided to Xero.

Still curious as to the form the authorization takes. Does the bank account owner pick from a list of 'Authorized Requestors'? Is the actual data flow push or pull? If pull, does the bank log who initiated the request? Does 'host-to-host security' mean SSL?

Xero offers a free 30-day trial. I'd be tempted if it didn't seem so Kiwi/UK centric. On that note, I wonder if Xero is aware of the New Zealand government's commitment to identity standards that would serve their use cases very well.

Sunday, April 06, 2008

My submission

for the '2008 Confusing IDP Selection UI Award' is Plaxo.

If this were a 'work day' I'd count the 'sign-in permutations' that a user is expected to filter. Too much effort for the Sabbath though.

Depressingly, I have no expectation that my entry will win the award. There are other strong contenders.

Tags: ,

Friday, April 04, 2008

Registration Hurdles

I sent my sister-in-law an invite to view some family videos using Orb.

When I asked her if she had been successful, her response
I did try and I got to the Orb page where I had to "create an account " and that's when my ADD kicked in so I put it on the backburner.

Identity management MUST NOT interfere with sharing hokey family memories.

Delegation - social and provider

I came across Xero - an online accounting package for small businesses.

Two aspects of the online accounting use case seem a particularly good fit for Liberty Alliance ID-WSF - and they both deal with delegation.

First, as Xero is online, you can collaborate with your advisors (i.e. get them to review your entries, correct the mistakes, assess your financial health, etc) simply by granting them access to your account, rather than sending them files or print-outs of your books.

Xero's model is for the business owner to send an invite to their advisor, who would then create an account at Xero themselves. The same model for such social delegation as used for every other Web 2.0 social application.

This model presumes that each advisor is explicitly called out for permissions, and so doesn't easily support the possibility of those advisors changing. For instance, what happens when your accountant goes on vacation and somebody else in her firm takes over your account for the interim. (yes, of course your original accountant wrote down their Xero credentials on their desktop blotter, but the financial regulators might have an opinion on this).

If this were the only online interaction between the business owner and their financial advisors, this might be OK. But, often times, a business owner will need to make similar delegations to their advisors elsewhere, e.g. at some online government application in order to, for instance, allow the advisor to file taxes on behalf of the business owner.

In this case, Liberty's People Service makes social delegation more scalable by providing a shared social layer across the various applications, and allowing the delegation permissions to be expressed in terms of this layer, e.g. allow the business owner to specify 'allow anybody from Peabody Financial Advisors to view my books' at Xero, but specify 'allow only Warren B. Uffet to submit my taxes' at the small business tax application.

The second interesting delegation aspect of Xero is what it describes as 'automatic bank feeds', allowing your bank transactions to be automatically brought into your Xero account.

I'd venture that Xero makes this work by asking the business owner for their bank credentials, and so armed, accessing the account stream through whatever API they've convinced the banks to offer up.

As has been pointed out, this is a bad model for sharing identity attributes.

A better model for provider delegation is for the user (the bank account owner) to delegate to the requesting application (Xero) specific rights for accessing its identity resources at some service provider (the bank) - and for subsequent requests for identity from Xero to the bank to be authorized (or not) based on such delegation rights.

Liberty ID-WSF's identity model allows for differentiated rights to be assigned based on both who is asking (Xero in this case), as well as who initiated the request (the business owner or somebody else). For instance, perhaps it's the advisor, looking through her client's books on Xero, that requests that their latest bank data be pulled in. The bank has to be able to differentiate this request from the default 'just getting the daily transactions' request that Xero sends each night.
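An added illustration (mine, not Liberty's, Xero's or any bank's code) of the two-dimensional decision just described, and of the group-based delegation from the People Service paragraph above: the provider keys each grant on both the requesting application and the initiating subject, and the initiator can be named individually or through a group drawn from a shared social layer, so the accountant going on vacation is handled by changing group membership rather than rewriting grants. The grant store, the group, the application names and the person identifiers are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed 'social layer' (the analogue of a People Service group): the
# owner's advisory firm and whoever currently handles the account there.
GROUPS = {"peabody-financial-advisors": {"ann", "bob"}}
UNATTENDED = "unattended"  # initiator value for a scheduled pull with no user behind it


@dataclass(frozen=True)
class Grant:
    requester: str      # the application asking (who is asking)
    initiator: str      # who set it in motion: a person id, "group:<name>", or UNATTENDED
    actions: frozenset  # what that (requester, initiator) pairing may do


def initiator_matches(pattern, initiator, groups=GROUPS):
    """A grant may name one person or a whole group from the social layer."""
    if pattern.startswith("group:"):
        return initiator in groups.get(pattern[len("group:"):], set())
    return pattern == initiator


def authorize(grants, requester, initiator, action, groups=GROUPS):
    """Provider-side decision. Returns (allowed, audit line).

    Both dimensions must match the same grant: a delegation to Xero for the
    owner's nightly pull does not let Xero act for an arbitrary advisor, and a
    delegation to an advisor at Xero does not let some other app act for her.
    The audit line records who initiated, which is what the bank needs to log."""
    for i, g in enumerate(grants):
        if (g.requester == requester and action in g.actions
                and initiator_matches(g.initiator, initiator, groups)):
            return True, f"grant#{i} requester={requester} initiator={initiator} action={action}"
    return False, f"denied requester={requester} initiator={initiator} action={action}"


# Grants the business owner registered at the bank (the identity provider
# for the 'transactions' resource in the post's terms).
BANK_GRANTS = [
    Grant("xero", UNATTENDED, frozenset({"read_transactions"})),
    Grant("xero", "group:peabody-financial-advisors", frozenset({"read_transactions"})),
]

# Grants the same owner registered at the tax application: one named person.
TAX_GRANTS = [Grant("tax-app", "warren-b-uffet", frozenset({"submit_return"}))]


if __name__ == "__main__":
    for req, who, act in [("xero", UNATTENDED, "read_transactions"),
                          ("xero", "ann", "read_transactions"),
                          ("xero", "carol", "read_transactions"),
                          ("xero", "ann", "transfer_funds")]:
        print(authorize(BANK_GRANTS, req, who, act))
```

Swapping the advisor on vacation for a colleague is a change to the group's membership in the shared layer; every application that expressed its grants in terms of the group picks it up without the owner touching a single delegation.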

Thursday, April 03, 2008

A nice summary

Kuppinger-Cole's Felix Gaehtgens looks at the Credentica acquisition - the benefits, the industry fears, and the standardization context.


Ahish is blunt in describing the likely end result of next week's Ping Party at RSA.
Most end up getting wasted and missing out on their next day appointments.

As I won't be attending RSA, I will be participating in the Ping event in spirit by, at that time (3 EST!), drinking too much, eating hors d'oeuvres of uncertain provenance, and engaging in witty 'identity banter' with my 5 yr old daughter

Q: Sophie, how many OpenID RPs does it take to screw in a light bulb?
A: I don't know Daddy, but I bet it's more than exist.

I'm sure it will be just like I was there (but alas, without the conference swag).

Wednesday, April 02, 2008

When Is Good is Good for 'When?'

When is Good is a great tool for coordinating schedules for a specific event, i.e. getting multiple people to indicate 'when is a good time for X?'

The sequence is simple

1) the organizer specifies a span of time/dates within which other 'attendees' will choose
2) the organizer supplies their email address
3) the organizer is sent a URL for distribution to attendees
4) attendees specify their own preferred times within the prescribed span
5) the organizer sees an aggregate view of all chosen times

What is so incredibly refreshing is that it

a) does not require everybody create accounts
b) only the meeting organizer need share their own email address
c) nary a mention of 'friends' or 'buddies'.

3D Credentials

Editor's note: of course this post should have been entitled '3D Secure'. I am deeply ashamed.

Think of the possibilities if you combined a mechanism for provisioning credentials down to the client, with one of these.

Cut out the middle-man and print your own tokens.


From Boing Boing, a library for clothes
a perfect example of a Product Service System (PSS) where you get the service of an item without having to own it and all the cost and upkeep time that requires.

Library as analogy for federated identity?

We are casting for the part of the severe-looking librarian who, given the chance, shows their 'wild side' amongst the stacks.

Tuesday, April 01, 2008

A modest proposal

for adjudicating the IDP real-estate battle for sign-on buttons (a la Yahoo! & Clickpass).

Base button dimensions on IDP size as for news stories.

Let's not pretend that all IDPs are equal by granting them equal space on an SP sign in page.

I thought they only hired PhDs?

Jeff put me on to a Google/Virgin application form to become a space pioneer (Virgle, how cute).

Question 4 on the application.
I ________ 1/3rd gravity (as the inverse-square electro-magnetic force binding me to the surface of my planet).

Unless there has been some significant progress on a Grand Unified Theory I am unaware of, gravity is not an electro-magnetic force.

Good work on the 'inverse square' bit though. Sharp folks there.

Does the Higgins Boson really exist?

An interesting explanation of the Higgins particle, the finding of which is a primary goal of the Large Hadron Collider.

Ummmm, before spending billions, how 'bout just googling for it?

I bet the experimentalists are just spending the grant money on fast cars and conference boondoggles, and will proudly announce success in a few years.

Be All That You Can Be (but no pressure)

Wired "reports" that the US Military considered hiring bloggers in order to help shape public opinion about the (entirely justified & moral) Iraq War.
Information strategists can consider clandestinely recruiting or hiring prominent bloggers or other persons of prominence... to pass the U.S. message. In this way, the U.S. can overleap the entrenched inequalities and make use of preexisting intellectual and social capital.

Preposterous. What blogger with any integrity at all would even consider selling out like this for a few bucks (that would probably only buy the blogger and their family a nice, but not super nice (e.g. not the Alps or anything), ski vacation)?