Monday, June 30, 2008

Monkey See

I like how illustrates a 'privacy disclosure continuum'

A nit.

The tagline implies to me that, were the user able to 'own' their identity, they'd be able to 'evolve' beyond the current chimp-like reality of Web identity.

Humans are not evolved chimpanzees. We are evolved from a common ancestor with the chimpanzees.

I do grant that '' is not optimal as a base URI for entering into the OpenID box.

Separately, if I get a identity, I'm definitely going to be a Bonobo. - the other type is just so Common. And Bonobos have all the fun.

Sunday, June 29, 2008

Superbad (use case)

Mike is excited (but in a mature age-appropriate way) about IDology's verified age cards.

IDology brags of the endorsement of Wine America.
“IDology’s age verification solution gives wineries an important, effective and efficient way to instantly confirm someone’s age when making remote wine sales”

Bill Nelson, President, WineAmerica
Let me get this straight.

I'm an underage drinker trying to work out how to get some booze for the weekend party (because I told this cute girl who might like me that I could get some). All my usual sources are dried up - my older brother is out of town, my parents' liquor cabinet is locked, and the crazy bearded guy who hangs out at the beer store is in detox. My chances with the cute girl are looking slim.

Then it comes to me: I will buy wine for the party online. Wine has alcohol in it, right? (I've seen my father do the Bird Dance countless times at weddings after drinking wine, there must be some.) And it comes in different flavours and colours. And there is no way that the online wine store will know I'm underage. Sweet!

So the plan is as follows:

1) I go to my chosen online wine retailer (a member of Wine America)
2) I learn that, in order to buy my Cabernet I must be able to prove my age. They provide a convenient link to IDology for the service
3) I create an account at IDology, claiming whatever age is necessary for me to be able to buy the wine
4) IDology asks me lots of tricky questions in order to verify my claimed age. Questions that only somebody of the right age would know - like 'Who was the ugly sister on The Brady Bunch?' (a trick, only Marsha wasn't ugly) and 'Janet Jackson's "wardrobe malfunction" displayed what part of her insecurities?'
5) With the aid of online search engines, I ace the test.
6) IDology gives me a card for the verified age.
7) I present the card to the wine retailer.
8) I place my order (30 bottles of a nice red from South Australia)
9) I wait for my order to arrive
10) 10-14 days later, I get my wine
11) the (disappointingly sober) party long ended, the cute girl ends up with the crazy bearded guy.


1) I believe there are lots of real online use cases where verified age is important - but stopping underage drinking isn't one (until such time that bandwidth expands to allow immediate product delivery and thereby creates a channel of interest to teenagers).

2) I have no idea how IDology actually verifies age. I presume they do not use 'general cultural knowledge quizzes' (it was always lack of baseball trivia that caught out the prisoner-of-war camp stooges in World War II movies).

3) I expect that somewhere in the IDology card is a claim URI that includes the string 'age:verified'. As I see it, this approach conflates the claim with the 'metaclaim' (the thing that AuthnContext expresses for SAML, and PAPE for OpenID) - the justification for why an IDP is making a claim should not be part of the claim itself.

Saturday, June 28, 2008

So you think you can assert?

I'm pitching an idea for a new reality show to the networks. Working title is 'So you think you can Assert?'.

The idea is that we have a big name RP (TBD, I'm in conversations with some strong candidates but negotiations are still underway) looking for suitable OPs. We do an initial interview where the RP complains about how hard it is to find good OPs, how it's not their specialty to assess security processes, and how they really just want the whole decision made for them, etc (we'll do the interview in a boardroom). We'll have lots of shots of our charming and attractive host making sympathetic faces in close-up, head-nodding etc.

If the RP doesn't feel up to the job of choosing OPs, let's let 'The People' (TM) decide!

For each episode we'll bring in 3 new candidate OPs, who will all pitch why they should be that week's winner. Maybe one uses 2-factor, another a snazzy picture grid, the other has a large user base, etc.

Lots of candid interviews with each OP tearing apart the other 2, e.g. 'Yeah, I know that's how many users they say they have, but ask me how many women I've slept with and I might exaggerate too' and 'Well, he supports 3-factor if you count his fat ass as two of them'. Juicy stuff.

I see the charming & attractive host asking probing and insightful questions like 'So how about mobile?' and 'Users really want this?' etc. The drama will be great.

Here's the magic. At the end of each episode, we let the viewers decide which OP the RP will add to their whitelist.
If you want RP to accept identity assertions from OP1, text 'OP1'

Lots of shots of the screaming, happy winner OP, the bitter losers shaking their heads, the RP smiling idiotically, etc

Series ends with the RP being sued for multiple privacy breaches. Shot of RP CEO running after cameraman, etc.

Sure winner. You in or out?

Cat, call me, let's do lunch. The hosting role is perfect for you. So what if you know nothing about security & privacy - it's the viewers that need to understand that stuff.

Passive phish prevention policy

Clients have an important role to play in preventing the FPA (federated phish attack), as I discovered.

Separate from any role the client might play for authentication to the OP (and thereby actively prevent a phish), it has a role in passively spotting mismatches between the 'where I think I am going' and the 'where I am actually going'.

But this sort of functionality is invisible to the OP (and has nothing to do with the authentication of the user) so it can't be factored into PAPE (nor easily into SAML AuthnContext).

Were clients to advertise this functionality through some header (a la SAML PAOS advertisement), then the OP could include it in PAPE (with a new URI to distinguish this from the active sort of phish prevention).

Thursday, June 26, 2008


In the press surrounding the formation of the Infocard Foundation, and on the ICF site itself, the new & improved authentication experience is described as
When you go to a website that accepts Information Cards or "I-Cards" you can "click-in" without the need to type in a user name and password.

Two comments:

1) Click-in? Is this going to be trademarked for Infocards only? I already 'click in' using Sxipper.

And you know, I never actually presented a 'log' or 'signed' anything before to authenticate. Do we need a new descriptor?

2) All the talk of 'without the need to type in a user name and password' ignores the possibility of the user needing to a) present a PIN to the selector to open the card or b) authenticate to the IDP.

Isn't the real difference 'without the need to give to the RP a user name and password'?

In which I clarify

Oftentimes, in trying to be clever and sarcastic, I dive too deep into the 'satire pool'. The urge to be witty and contrarian surpasses the urge to be clear. Consequently, the 'point' I am trying to make can, on occasion, be buried underneath surface frivolity and snideness.

As happened with my recent post on HealthVault's chosen model for OP acceptance.

With that post, I have confused Kim, and for that I here apologize.

I was responding to a post of Simon Willison, in which he defended HealthVault's right to choose OPs selectively - and not be compelled to accept any ol' OP coming in off the street presenting an identity claim.

My post might have given some the impression that I disagreed with Simon. For instance, I wrote
I disagree

Admittedly, this set a tone.

But the rest of the post was meant to point out that, while I do think the user has the right to pressure RPs like HealthVault to accept assertions from particular OPs - the appropriate mechanism for this pressure, as for many other interactions between customers and service providers (e.g. buying an OS), is through market forces. If enough users choose an OP because it is secure and privacy-respecting, or because it offers 2-factor authentication, or because it has a snazzy flash UI, the RPs will find it (if they are interested in serving their customer base).

When the RPs do find these candidate OPs (or IDPs, the issue is of course not unique to OpenID) they will themselves do their own checking and assessment before they start accepting assertions. And of course, each RP has to ask the question 'Is this OP appropriate for the resources I protect/manage?'. If the resources are neither privacy sensitive nor valuable, the list of OPs that are appropriate will be longer than for medical or financial information.

HealthVault (actually probably some other audit & risk management group in Microsoft) performed this assessment and, at least initially, came up with 2 OPs that they felt were right for them. More power to 'em. Partner selection is tough and fraught with risk - they are right to be careful.

I smile (more a smirk really) when I hear some in the user-centric world place the sole right and responsibility of choosing an OP on the user's shoulders. Users can't even remember their passwords, and you want them to assess the security infrastructure of an OP?

Surgeon: So, are we ready for your operation tomorrow?
Patient: Hi Doc, yes. But I was just reading about this new surgical instrument for the procedure. I really want you to try it out on me.
Surgeon: Hmmm, I don't know much about it ...
Patient: Oh, you'll work it out as you go

So yes Kim, I agree. Resources, and gall bladders, do have rights.

Wednesday, June 25, 2008

Cart                   Horse

On visiting a geographically eponymous retailer, I was welcomed by

They don't even know why I'm there, why presume to need my postal code?


Hearing a song I liked on Sirius Satellite yesterday, I went onto iTunes to buy it. Couldn't find it. Searched on the Web. Nope. Searched music sites. No trace of either artist name or track anywhere.

After about an hour I realized that I had been searching on the text of the message that Sirius used to notify users that the channels had been updated and they could proceed with listening:

Sub updated
Press any Key

Once more. Idiot.

The name 'Press Any Key' would be great for a band, except for the fact that, as the string occurs in just about every software/hardware manual out there, the band site would never be found on the Web, flooded into obscurity by false hits.

Tuesday, June 24, 2008

Outsourcing Assurance

HealthVault whitelists two (and only two) OPs.

Liberty Alliance announces Identity Assurance Framework.

What's the connection?

Microsoft whitelisted the Verisign and TrustBearer OPs after (presumably) their own review of the processes and authentication mechanisms of those OPs.

Will this scale if they want to assess other OPs (who will presumably clamor for the chance to assert to a big Microsoft RP)? Not well.

Just as OpenID allows HealthVault to outsource the authentication of users to OPs, Liberty IAF allows HealthVault to outsource the assessment of those same OPs to accredited 3rd parties (or at least provides a common assessment framework should Microsoft want to continue to perform the job).


SAML recommends against this, but doesn't rule it out.

Who are we to judge different regulatory domains, right?


Simon Willison defends HealthVault's choice of OPs.

I disagree. It is I, as a user, that should be able to dictate to HealthVault the OPs from which they are to accept identity assertions through OpenID.

Just as I, as a user of Vista, should be able to dictate to Microsoft which software partners they work with to bundle into the OS (I particularly like the Slow Down to Crawl install).

Just as I, as a Zune user ... oh wait, there are no Zune users....

The mechanism by which I (the user) am able to indicate to HealthVault, or Vista, my preferences for their partners is called 'the market'.

Monday, June 23, 2008

Physician, heal thyself

Microsoft's HealthVault will accept 2-factor-based OpenID authentication from an outside OP, but doesn't expect the same level of assurance from its own in-house authentication system.

What are the other factors that somehow balance out the 'assurance equation'?

The SSO protocol used, i.e. OpenID vs LiveID? Identity proofing? Insurance?

Holiday in Amsterdam

Just got my invite for FireEagle.

FireEagle touts its privacy controls, one of which is to allow the user to temporarily hide their location from any and all otherwise authorized applications.

Similar to the 'Break Glass' use case for medical emergencies, this scenario is known as the 'Red Light District Vacation' use case.

Another mechanism allows the user to purge the Yahoo! database of their location info.

With respect to the final caveat, why not? This permission page for authorizing Dopplr to access FireEagle makes it clear that applications can both read and write.

So presumably FireEagle itself doesn't expect the applications to themselves offer up endpoints to which FireEagle could send a 'purge' message.

SAML puts users closer to their identity

Pictures don't lie.

Friday, June 20, 2008

Choices Choices

iOptOut is a Canadian service that allows me to manage a personal 'do not call' list.

The Canadian government passed legislation in 2005 mandating the creation of a do-not-call registry. The registry is scheduled to take effect in mid-2008, yet many Canadians may be disappointed to learn about the exemption of a wide range of organizations (registered charities, business with prior relationships, political parties, survey companies, and newspapers). Under the law, exempted organizations are permitted to make unsolicited telephone calls despite the inclusion of the number in the do-not-call registry. However, organizations must remove numbers from their lists if specifically requested to do so.

iOptOut takes advantage of this approach by allowing Canadians to create and manage a personal do-not-call list that begins where do-not-call legislation ends.

Once you create your account, you can pick and choose from categorized lists of services you do not wish to receive calls from.

iOptOut then sends an email notification to each organization requesting that your name, email address and phone number(s) be removed from their active marketing lists.

My only objection is that the opposite of 'do not call' is not 'do call', but simply 'I won't hang up if you do call'.

And you thought XRIs created complex identifiers?

Check out the rules for coats of arms:

To provide for contrast and visibility, metals (generally lighter tinctures) must never be placed on metals, and colors (generally darker tinctures) must never be placed on colors. Where a charge overlays a partition of the field, the rule does not apply.

The field of a shield in heraldry can be divided into more than one tincture, as can the various heraldic charges. Many coats of arms consist simply of a division of the field into two contrasting tinctures. Since these are considered divisions of a shield the rule of tincture can be ignored. For example, a shield divided azure and gules would be perfectly acceptable. A line of partition may be straight or it may be varied. The variations of partition lines can be wavy, indented, embattled, engrailed, nebuly, or made into myriad other forms.

Two or more coats of arms are often combined in one shield to express inheritance, claims to property, or the occupation of an office. Marshalling can be done in a number of ways, but the principal mode is impalement, which replaced the earlier dimidiation which simply halves the shields of both and sticks them together.

Thursday, June 19, 2008

Cut 'n' paste identity


It would be a travesty were this ACM meeting, solely because of geographic distance, to not garner sufficient attendees.

I, for one, will do all that I can to ensure that this travesty does not happen.


Tuesday, June 17, 2008

(Not) the Biggest Drawing in the World

This is brilliant.

Here is my projected summer well-trodden path. You won't need GPS to track me.

For myself

more useful than 'appearing to be in the office while working from home' is appearing to be working from home while working from the cottage.

Liberty Alliance contemplates name change

Focus group studies (an example of which Robin stumbled upon in Sapporo and snapped the below) have determined that 82% of people (if forced to give an answer) prefer the name 'Betsy' to the existing choice.

The 'Veronica Alliance' was also considered but the connotations of promiscuous relationships were deemed incompatible with the organization's exclusive enterprise & eGov focus. Consequently the name is available should another identity organization desire it.

Monday, June 16, 2008

Phishus Interuptus

Where are the points at which you can throw a spanner into the works of a federated phish (fphish?), the attack for which OpenID gets criticized but to which other browser-redirect SSO protocols are also vulnerable?

0) in the email app
- this is status quo
1) at the initiating RP?
- the phish presumes the RP is bad.
2) at the client?
- by having sufficient client smarts to either passively recognize (and warn) or actively circumvent (by not allowing the client to be sent to the phish site) a phish
3) at the IDP?
- by the IDP using an authentication mechanism that is phishing proof/resistant, i.e. not reliant on a shared secret (Infocard)
- by the IDP using an authentication mechanism that constrains the damage of a phish (OTP)
- by recognizing the presentation of phished credentials (pattern analysis?)
4) at a secondary (authentic) RP?
- by recognizing a federated claim arising from the presentation of phished credentials? Good luck.

My money is on the client.
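The client-side intervention point above (and the 'passive' mismatch-spotting described in the earlier 'Passive phish prevention policy' post) comes down to one comparison: where discovery on the user's claimed identifier said the browser would be sent, versus where the RP's redirect is actually sending it. The following is an added example, not code from this blog or from any OpenID library, showing that passive check as a pure function. The discovered OP endpoint and the three redirect URLs are constructed sample values; the only real protocol detail relied on is that an OpenID 2.0 authentication request carries an `openid.mode` of `checkid_setup` or `checkid_immediate`.

```python
from urllib.parse import urlsplit, parse_qs


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, with any trailing dot removed."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def assess_redirect(expected_op_endpoint: str, actual_redirect: str) -> tuple:
    """Passive check a client could run before following an RP's redirect.

    expected_op_endpoint: the OP endpoint that discovery on the user's own
                          identifier returned ('where I think I am going').
    actual_redirect:      the URL the RP is sending the browser to
                          ('where I am actually going').
    Returns (verdict, reason) where verdict is 'ok' or 'warn'. The client
    does nothing active here; it only surfaces the mismatch to the user.
    """
    expected = urlsplit(expected_op_endpoint)
    actual = urlsplit(actual_redirect)
    exp_host, act_host = host_of(expected_op_endpoint), host_of(actual_redirect)

    if not act_host:
        return ("warn", "redirect target has no host")
    # Exact host comparison: a host that merely *contains* the expected
    # name (e.g. as a leading label) is still a different host.
    if act_host != exp_host:
        return ("warn", f"host mismatch: expected {exp_host}, got {act_host}")
    # Discovery said https; being sent over plain http is a downgrade.
    if expected.scheme == "https" and actual.scheme != "https":
        return ("warn", "scheme downgrade: discovered endpoint was https")
    # The redirect should look like an OpenID authentication request.
    mode = parse_qs(actual.query).get("openid.mode", [""])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        return ("warn", f"unexpected openid.mode {mode!r}")
    return ("ok", "redirect matches discovered OP endpoint")


# Constructed sample: what discovery on the user's identifier returned.
EXPECTED_OP = "https://op.example.net/server"

# Constructed redirect targets, as an RP might issue them.
SAMPLE_REDIRECTS = {
    "legit": "https://op.example.net/server?openid.mode=checkid_setup"
             "&openid.claimed_id=https%3A%2F%2Fop.example.net%2Fuser",
    "lookalike": "https://op.example.net.login-check.example/server"
                 "?openid.mode=checkid_setup",
    "downgrade": "http://op.example.net/server?openid.mode=checkid_setup",
}


def run_samples() -> dict:
    """Verdict for each constructed redirect, keyed by sample name."""
    return {name: assess_redirect(EXPECTED_OP, url)[0]
            for name, url in SAMPLE_REDIRECTS.items()}


if __name__ == "__main__":
    for name, url in SAMPLE_REDIRECTS.items():
        verdict, reason = assess_redirect(EXPECTED_OP, url)
        print(f"{name:10s} {verdict:5s} {reason}")
```

The check is deliberately dumb: it needs no cooperation from the RP or the OP, which is exactly why, as the earlier post notes, an OP cannot report it through PAPE or SAML AuthnContext; only a client-side header advertising the capability could make it visible to the OP.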

Friday, June 13, 2008

A Firmo handshake

NTT's Firmo transmits data across the surface of a user's skin to let them communicate with electronic devices simply by touching them (or sitting on them, I guess).

Firmo consists of a card-sized transmitter that the user would carry. The card would convert stored data (e.g. credentials, personal profile, favourite TV shows, etc) into a weak AC electric field that extends across the body. When the user touches a device or object embedded with a compatible receiver, the electric field is converted back into a data signal that can be read by the receiver. Firmo is based on NTT's RedTacton HAN technology.


1) I was not involved in the naming of Firmo.
2) The bar scene will never be the same again.
3) NTT Canada (Ottawa Division) not being granted a demo device, I tried to rig up my own version with a car battery and a coathanger wire. Thanks for all your cards, the burns are healing quite nicely.


This video from Mozilla on UI concepts for a mobile Firefox made me think of the possibilities of using a touch screen for authentication.

Given iPhone and derivatives, I was expecting this might be a hot area of research, but a search of 'touch screen authentication' found only an MIT 2004 project called 'distinctive touch'.
The project surrounded building a system called distinctive touch for enabling lightweight authentication using gestures on touchscreen displays. Using this system, users were identified by their passdoodle, a gestural equivalent of a username and password, which consisted of one or more strokes that they drew on the screen with their finger within a short duration of time.

I'd venture that an 'easily memorable' touch screen gesture would manifest as 'obscene'. Or a puppy's face.

In addition to authenticating through gestures, you could use them to perform other identity operations.

Wednesday, June 11, 2008

LOA Song

To the tune of the Rolling Stones 'You Can't Always Get What You Want'
You can't always get what you want
You can't always get what you want
You can't always get what you want
But if you try sometimes you might find
You get what you need

Tuesday, June 10, 2008


By some arbitrary (and clearly non-Pangeaic) ruling, Canada has been deemed to be 'not part of Europe', and so excluded from participating in Euro 2008. An obvious strategy to eliminate a sure tournament favourite.

Alas, Denmark has no such excuse.

Game On

My ex-Entrust colleague Ranjeet Vidwans is blogging. Ranjeet terrified me when we went to conferences together because his idea of a night out has it starting when my idea of the same has it ending.

Looking at his early posts (I assume he is still experimenting somewhat because of their haphazard & confused nature), it appears Ranjeet is trying to merge wry musings about family life, the world of security & identity, sardonic stories of business travel, and pointless graphics.

An interesting mix I guess, if you like that sort of thing.

I may not live in New York, I don't drink martinis, and I may have performed poorly on tests he excelled at, but no one, I repeat no one, is going to out-sarcasm me.

Bring it my sharp-dressed friend.

p.s. Jeez, could you not leave me physics? Is that too much to ask?

Phishing Hole

You can get an 'anonymous' OpenID at (is it a coincidence that the URL almost spells out 'joking'?)

When you use such an OpenID at an RP, after providing the URI, you'll see only a flicker of web redirection before arriving back at the RP. No explicit authentication step, no consent step, no hassle.

Were this OP to fill in the PAPE blanks, which of the pre-canned policy identifiers should it use?

The PAPE definition for 'phishing resistant' is
An authentication mechanism where the End User does not provide a shared secret to a party potentially under the control of the Relying Party.

I assert/claim that as there is no shared secret, the End User surely can't provide it to a phisher, and so the above OP can claim 'phishing resistant'.

Monday, June 09, 2008

Authentication tain't authorization

The DIDW conference uses LinkedIn for a 'who else is attending' mechanism.

When taken to LinkedIn, I get this

Instead of asking me to authenticate, and then grant DIDW the desired permissions for my network, LinkedIn saves me precious time by conflating the two operations.

I saved even more time by choosing to not participate.

Gloved or non-gloved?

I confess that we did not anticipate the need to describe an authentication event in which the user made no claim to a particular identity.
the right to travel without showing ID--providing that passengers are willing to be subject to a pat down and a bit of probing:

The SAML TC would be remiss if we did not define a new 'probing' class post-haste.

I expect that it will be in dealing with the many and subtle variations of probing that we will face our challenges.

For instance, should 'orifice' be an element or an attribute?

What of lubing?

And should we constrain the location of the probing to a pre-defined list of 'probeable' cavities?

Or should we give the authorities the ability to determine just what cavities are probeable and what aren't - this by leaving the schema open?

I think I speak for the members of the TC when I say that we would make no claims to authority on this topic, and we definitely wouldn't want to artificially constrain the inventiveness of customs & security officers around the world.

Get a room why don't you

Andre engages in some self-love (of a sort).

Hey Mr CEO, some free advice. When a customer says
we’re interested in a more strategic, long-term alignment with you, not just a customer and vendor relationship.

the translation is "we want a cut on price".

Wednesday, June 04, 2008

Historical Precedent

for the '10 OPs to every RP' phenomenon
Our Celestial Empire possesses all things in prolific abundance and lacks no product within its own borders. There was therefore no need to import the manufactures of outside barbarians in exchange for our own produce. But as the tea, silk and porcelain which the Celestial Empire produces, are absolute necessities to European nations and to yourselves, we have permitted, as a signal mark of favour, that foreign hongs should be established at Canton, so that your wants might be supplied and your country thus participate in our beneficence.
- Emperor Qian Long's letter to King George III, 1793

Superficial difference

1) humans are 99.9% genetically the same
2) the small differences in the genome that do exist determine the interface between the individual and the environment, e.g. skin colour, body shape, eye folds, disease resistance, etc.
3) while the body's APIs may have adjusted to different environmental forces, the underlying processes and systems are the same

Good taste prevents me from drawing an analogy between the ability of different human communities to interbreed and attempts to reconcile the interface incompatibilities of identity systems.

Tuesday, June 03, 2008

Monday, June 02, 2008

Purpose & Forwarding Policy

From BoingBoing

Notwithstanding that this is a bad privacy policy, it is indeed a privacy policy, and is exactly the sort of information that the Liberty Alliance's Privacy Constraints are designed to express.

A NEW paradigm

Prompted by Axel, I installed the Operator Firefox extension, and I have to say I am blown away by the power of micro-formats and the Semantic Web.

The idea is (and it may take a while for you to grasp this because it is a NEW PARADIGM) that the contents of a page are 'marked up' with 'tags' that describe the data they contain.

I'll give you a bit to digest this.
Then, and this is the incredible NEW PARADIGM part, the browser, based on those tags, renders the information for you to read! Yes, you heard me, you can actually VIEW the contents of the tagged up data in your browser!

What's more, you can export the tagged up data from the browser, or even have the browser remember it!

I may be stretching what is possible, but I can even imagine people putting online whole books, classifieds, perhaps even advertisements. The mind boggles at the possibilities.

Reduce, reuse and recycle

Axel's bias peeks out

Axel would have us believe that we need steel toes for serious phish-kicking action at all times.

Secure yes, but hot in the summer.

XRI? Alas we hardly knew you.

Is there a comparable program to this for recycling standards? Our landfills are filling up fast.

Connectid recommends against XKMS

If the W3C's stated criteria for judging the relevance of XRIs were converted into a general principle of
We are not satisfied that X provide functionality not readily available from Y

I wonder how some W3C specifications would fare?

Sunday, June 01, 2008


If I need to tell you, well then shame on you.

First Contact

Do not even think of it, I have already sent out the invites to these social network virgins.

The black and red dyes covering their bodies are made from crushed seeds and are believed to signal aggression, native-rights experts say.

Ah yes, they furiously painted themselves up when they heard the drone of the engines.

I look forward to acting as their guide to the subtleties of Web 2.0.

I do anticipate some trouble justifying Twitter.

So, you mean, people actually care ...

Some things are universal.


I have 4 laptops and 2 desktops in the house.

(Linux EEE PC not shown)

A not insignificant amount of my time is spent moving stuff (e.g. movies, pics, songs, address books, docs, erotica, etc) from one machine to the other.

Forget the Web, I need a metasystem at home.

I'll Have To Say I Love You In A Song

or it seems Jeff does at least.