Saturday, December 27, 2008


Panspermia is to the origin of life as Web SSO is to authentication - it doesn't address the issue but rather just outsources it.

Super Hero

Visiting in-laws for Xmas, I asked my brother-in-law what his wireless network password was. His best guess turned out to be inaccurate. But clearly it was a guess that resonated for him.

So I snuck in through the router's admin page and reset the password to what he had guessed. And then went around to all his laptops and desktops to change them accordingly.

Password Man to the rescue.

Sunday, December 21, 2008

Thursday, December 18, 2008

I have seen the future of home media entertainment

and it looks like an Archos 5.

Wifi, web, email, video, music, flash, web TV, DVR, HD, pics ....

More to follow (with an almost certainly tenuous connection to identity).

Better left unsaid

Eve put me on to this cool UML app.

Started me thinking about how identity protocol swim-lane diagrams often have the various endpoints mulling over policy and authz decisions to themselves, completely separate from what goes out on the wire.

Something like this.

Wednesday, December 17, 2008

Better get a bucket

I'm gonna throw up (before you follow the link, play the embedded video - it will put you in the right frame of mind)

Low-tech but effective

Chris Messina's email signature uses a simple mechanism for expressing rights:

Chris Messina
Citizen-Participant & Open Technology Advocate-at-Large
This email is:   [ ] bloggable    [X] ask first   [ ] private

Of course, when the thing you want to blog about is the signature itself and not the content of the email, it's unclear how to proceed...

As I understand the mechanism, Chris uses a Thunderbird AI extension that analyzes the content of outgoing emails for key words and phrases before automatically setting the appropriate privacy switches.

Or maybe something simpler:
Yep, I set those manually. Nothing like ASCII for utter UI simplicity and data portability!

Wouldn't it be nice if there were other (enforceable) switches...

This email is: [ ] non-forwardable
               [ ] non-repliable
               [ ] non-startsomeinterminablethreadabout"whatisidentity"able

Monday, December 15, 2008

5 is enough

Usability guru Jakob Nielsen argues that you don't need large numbers of testers to gather useful data about an interface. 5 users is sufficient - providing the right trade-off between spotting issues and economy & efficiency.

As you add more and more users, you learn less and less because you will keep seeing the same things again and again. There is no real need to keep observing the same thing multiple times,

Jeez, a whole 5 users?

I guess we'll have to wait a bit before conducting Infocard usability tests.

Thursday, December 11, 2008

Like I need to be told

Some Identity bloggers are abuzz about Typealyzer.

Until such time as different sectors of the brain are associated with scorn, sarcasm, and derision I will not partake in such personality analysis - it would only demonstrate science's current limitations.

Temporal phishing

If the phisher has an idea of the timing of legitimate mailings that the user expects to receive, it will be that much easier to fool them.

Case in point, I recently achieved Elite status for my frequent flyer program (said status resulting in my pretzel packages being pre-opened as well as being allowed to use public washrooms in the airport).

Air Canada sent me the below asking me to log in in order to customize which perks I want.

As far as I know, Air Canada does this for all Elite users at this same time each year.

Even if I hadn't reached Elite status and got this mail, I'd be inclined to log in to see if I could take advantage of their mistake.

Franchise Opportunity

The OpenID Board vote.

Tuesday, December 09, 2008

Facebook Connect is the new panopticon

Some interesting reading in the Facebook Connect Terms of Use.

In order to make Connect possible, you agree to allow Facebook to check your Facebook cookies when you are visiting participating third party websites, and allow Facebook to receive information concerning the actions you take on those third party websites. In addition, once you allow a participating third party website to connect with Facebook, you agree to allow Facebook and such third party website to generate and publish news feed and other stories about actions you take on the website without any additional permission. In the event you no longer want the third party website to publish stories about you, you can always disable this feature by changing your application settings.

I used to think that SAML & Liberty could enable a pretty-good panopticon model (or at least that's what I was told) but we have nothing on this.


Facebook Connect has single log-out.

Comparing functionality would suggest that it's SAML that should feel threatened.


Monday, December 08, 2008

Perhaps a bailout criteria?

Chris Saad has a proposal to make OpenID competitive with Facebook Connect.

As a bonus, Chris suggests

If you provide OpenID but do not consume it you need to be named and shamed. There should be a 2 month grace period, then The OpenID Foundation, the DataPortability Project and everyone else who is interested should participate.

Absolutely. And the Big Three car manufacturers should be forced to buy cars as well as sell them.

And why can't I sell my own homemade burgers to fast-food chains?

Oh right, business models.

The more things stay the same

the more they change ... or something.

It seems Facebook Connect is the new Passport.

So would that make the 'O' (i.e. OpenID, OAuth, Open Social, etc) stack the new Liberty Alliance, i.e. advocating decentralized standards-based identity in opposition to a centralized & proprietary model?

This 'convergence' is for me an early Xmas gift of hilarious incongruity wrapped up in sweet sweet irony.

Friday, December 05, 2008

Well I do declare

Phil Hunt will be giving a webinar on the ArisID API.

ArisID de-couples developers from having to make protocol, schema, and architecture decisions that would limit the usability and deployability of their application in an evolving and ever complex enterprise network, where a large number of identity sources and protocols are used. By relying on intelligent ArisID libraries, developers can now ensure maximum flexibility and use of their applications while significantly reducing development time.

Fundamentally, rather than an application developer coding 'Use protocol X to obtain identity attribute Y', ArisID would have them express 'My application needs identity attribute Y' using an XML syntax.

The CARML specification is an XML document that developers use to describe the identity data and transactions used by a service or application. The data types may include identity attributes, predicates (e.g. “Is an Adult”), and roles (e.g. “Manager,” “Business Class Flier”) that an application requires.  

The burden of determining the how (i.e. LDAP, SAML, OAuth, etc.) and the from where (i.e. dealing with discovery) to obtain the attribute is taken off the application, and assumed by the identity infrastructure.

I have been experimenting with profiling CARML in a slightly different manner - each morning, I create a CARML file with my food and drink expectations for that day (i.e. cold beer @ 5pm) and then upload it to my blog so that the home infrastructure can retrieve and process.

As in any intra-enterprise project there are political battles to be fought - the food and drink administrators have as yet refused to acknowledge the value of the new paradigm and cling stubbornly to clearly obsolete modalities.
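As an added illustration of that decoupling (my own sketch, not ArisID or CARML code; the declaration format, the source names and the sample user are all assumptions), the application lists what it needs and an infrastructure layer decides how to answer, returning predicates as yes/no without ever handing the raw attribute to the application:

```python
from datetime import date

# Hypothetical declaration in the spirit of a CARML file (the real CARML schema is XML
# and is not reproduced here): what the app needs, not how or from where to get it.
APP_NEEDS = {
    "attributes": ["email"],
    "predicates": ["isAdult"],
    "roles": ["BusinessClassFlier"],
}

# Constructed sample sources standing in for an LDAP directory and a loyalty system.
HR_DIRECTORY = {"alice": {"email": "alice@example.test", "birthdate": date(1985, 5, 2)}}
LOYALTY = {"alice": {"tier": "Elite"}}


class IdentityInfrastructure:
    """Resolves declared needs; the application never learns which source answered."""

    def __init__(self, today):
        self.today = today
        # Swapping a backend (say, LDAP for SAML) changes only these tables, not the app.
        self.attributes = {"email": lambda uid: HR_DIRECTORY[uid]["email"]}
        self.predicates = {"isAdult": self._is_adult}
        self.roles = {"BusinessClassFlier": lambda uid: LOYALTY.get(uid, {}).get("tier") == "Elite"}

    def _is_adult(self, uid):
        # Predicate evaluated inside the infrastructure: the app gets yes/no, not the birthdate.
        bd = HR_DIRECTORY[uid]["birthdate"]
        age = self.today.year - bd.year - ((self.today.month, self.today.day) < (bd.month, bd.day))
        return age >= 18

    def resolve(self, uid, needs):
        tables = {"attributes": self.attributes, "predicates": self.predicates, "roles": self.roles}
        result = {}
        for kind, table in tables.items():
            result[kind] = {}
            for name in needs.get(kind, []):
                if name not in table:
                    # Unknown need: fail closed rather than guess at a source.
                    raise KeyError(f"no source configured for {kind} {name!r}")
                result[kind][name] = table[name](uid)
        return result


def example():
    return IdentityInfrastructure(today=date(2008, 12, 5)).resolve("alice", APP_NEEDS)


def unknown_need_rejected():
    try:
        IdentityInfrastructure(today=date(2008, 12, 5)).resolve("alice", {"attributes": ["ssn"]})
    except KeyError:
        return True
    return False
```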

Thursday, December 04, 2008


I'm reading a biography of Charles II, who seemed to prorogue parliament with a frequency exceeded only by that of the turnover amongst his mistresses.

There is a clear historical precedent for this move.

Now it's personal

Finding $25 tucked down amongst the couch cushions, I just joined the OpenID Foundation.

The criterion for my vote for the upcoming board election is simple - I will NOT vote for any candidate that uses either 'philosophy' or 'spirit' in their platform. Separately, an open bar at IIW would be nice.

Whatever the result, let's just hope that everybody has confidence in those elected.


is fair play. As I often speak condescendingly to my children, hockey referees, and shop keepers, I can't rightfully complain when Ben directs it at me, in his rebuttal of my (and a plethora of others') criticism of his 'phishability' post.

Ben's argument hinges on a definition (my interpretation, he never comes right out with it) of 'unphishable' as:

unphishable: a security characteristic enabled by an authentication protocol in which the password is never sent to the authentication server but presented by the user only to a secure device - the device then authenticating to the server on their behalf.

With this definition, I don't disagree (and you won't hear me diminishing the critical importance of small mobile communication devices to security). If passwords aren't delivered over the wire (and all the other necessary 'utopian' conditions that Ben after the fact stipulates are met) then users could use the same password everywhere.

But of course, this is Ben's definition for unphishable and so perhaps we shouldn't be surprised that it works out nicely for him.

Another definition (one that it appears all of those who had an issue with the original post prefer) looks something like this:

unphishable : impossible to phish, see phish.
phish: a fraudulent attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication

A phish depends on the fact that the user bears the burden of spotting the fraudulent site (notwithstanding visual cues designed to assist them). Any (mutual) authentication protocol that removes that burden from the user could warrant the unphishable descriptor (with similar utopian caveats as Ben stipulates).

This more inclusive definition does not guarantee (for some mechanisms, this would be the case) that there will be nothing on the authentication server that could be used by an insider to impersonate the user elsewhere. And so, this type of unphishable does not inevitably mean that it is appropriate to use the same credential everywhere.

Wednesday, December 03, 2008

For an OpenID from here I'd wait

Total Prestige is a social network for the super-rich.

It seems they white-list.

Well that's just friggin' great! So when Paris wants to show me her holiday pics she'll have to email them to me.

Personal Best

is a personal web application that will give you some insight into your sex life.

For me personally,  November was a good month.

Oh wait, I just noticed the 'partners' tab - that puts a different spin on my numbers

Tuesday, December 02, 2008

I don't follow

On the scaling of passwords, Ben Laurie writes:
If your password is unphishable, then it is obviously the case that it can be the same everywhere. Or it wouldn’t be unphishable.

I don't follow.

Because I can't be fooled into divulging some credential where I shouldn't means that it is appropriate that I use it everywhere? Are there not other attack vectors that would drool at the thought?

Conversely, is the fact that I can use the same credential everywhere somehow a necessary aspect of 'unphishability'?

Client-based authz?

Flying to Toronto this morning for an ISWG meeting, I used 'mobile check-in', in which a link to a QR code was emailed to my phone.

Of course, at Ottawa airport there is no infrastructure to read the code (and I so desperately wanted to swipe it somewhere) - I ended up instead showing the email to security and at the gate.

When I later tried to access the link from my laptop, I saw the following

Who made Air Canada the authority in charge of defining what is mobile and what is not?

My laptop is pretty mobile, but if I had tried to use it to show the QR code I would have been stuck.

Monday, December 01, 2008

Help for busy couples trying to start a family?

The title of this Download Squad post had me thinking of a different application, one potentially leveraging both the iPhone's accelerometer and connectivity.

Wife subscribes to be notified if and only if her pre-defined Male Critical Angle (MCA) is reached, husband's location determined from GPS, calendar application coordinates marital rendezvous, etc etc.

I expect it will be in the fastening mechanism by which different iPhone case manufacturers differentiate themselves.


According to Olivia Judson in a half-baked article postulating a link between obesity and voting record:
the way an individual responds to threat is part of its personality

Why then should we expect there to be a single anti-phish solution?

Perhaps there is a Lakoffian explanation, i.e. that those held often by their parents as babies develop to be more trusting and confident adult web users?