Monday, November 19, 2007

Time Machine

One of the current "joke" emails flooding the internet is an email showing pictures from a 1977 JC Penney catalog. Given that the email referred to "blog fodder" I decided to search around and found the original post. Definitely worthy of a read.

Strap In, Shut up and hold on -- we're going back.

If you remember this stuff... If you wore this stuff... I'd suggest that you not share those identity attributes -- unless you don't mind being the butt end of many jokes for the rest of your life.


Thursday, November 15, 2007

Anti-gullibility training

I've always felt that one of the most important tasks for a parent is to teach their kids to not be gullible. I routinely work on such training with my kids. In fact the other day, I was way into the story about how Los Angeles schools, while not getting many snow days, do get closed for bad hair days. Unfortunately, while my daughter was well into the "really?" stage, my wife piped up with "They do not!" cutting me off at the knees.

Nothing is a better example of the importance of such training than the comment in response to Paul's revealing post about Microsoft's Identity Assistants.

So parents, take this as a warning. Train your kids in anti-gullibility before they make a fool of themselves publicly.


Wednesday, November 07, 2007

Madsen's Lemmas (or is it Lemmi)

Paul writes about attributes and why they won't be trusted when self-asserted if the value of the attribute is used to distinguish levels of service:

In the context of any given application, a Relying Party will be unwilling to accept a self-asserted identity attribute without verification if there exists the possibility of differentiated advantage to the user in claiming one value for that attribute over another.

And follows with the corollary:

For any given identity attribute, there exists an application context in which there can be differentiated advantage to the user in claiming one value for that attribute over another.

Combining the two would make one think that Paul is arguing that self-asserted identity attributes will never be accepted, but I'm pretty sure he didn't mean that.

In any case, I think there's another side to this puzzle in that self-asserted attributes can be accepted and used when the result makes it useless for the user to lie about them. If I order something with Paul's credit card, name, address and phone number, it generally will be accepted, the transaction will complete, and the vendor will ship the product -- it will just end up at Paul's house rather than mine, so I won't benefit from it (but I bet Paul was surprised when those enlargement pills showed up :-)).

So I would write the lemma more along the lines of:

There exists some set of cases where a Relying Party provides such differentiated levels of service that it will require third party attestation and/or confirmation of attributes in order to enable access to those differentiated levels of service.

PS. Paul, if you need to fake your IP address to make it look like you're coming from the US, let me know... I can give you access to my proxy server (without, of course, any guarantees as to snooping on the traffic :-)).


Friday, November 02, 2007

Living without flash....

Back in March, I wrote about finally succumbing to the need for ad blocking when flash ads on several sites were measurably impacting the performance of my system. When I reloaded my system I decided to forgo installing the flash player as my solution, as the ad blocking software was still kind of a pain.

Well, after a month or so of living without a flash plugin it seems I have to reverse my decision. Too many sites out there are totally unusable without flash. Many use it as an integral component in their site navigation (try researching Dish Network's offerings, or look at SciFi's channel info, where 2/3rds of the home page is blank with "this section requires flash"). Others use it for processing particular functions (I can't use Discover's secure credit card number generator because it only works with flash, and I couldn't order my daughter's school yearbook from Jostens because the required personalization step requires flash with no alternative).

While all this glitz is nice for the marketing guys, I think that this is a bad thing. Especially when you consider that flash doesn't work all that well for accessibility (just imagine the blind person trying to make sense of the glitzy flash driven site navigation system). The Web Accessibility in Mind folks have a good article on accessibility programming with flash but they note that it's hard to do well.

My suggestions:

  • Never use flash for site navigation. Javascript works well enough.
  • If you do use flash, provide a reasonable alternative, keyboard-based means to obtain information from your site.
  • Evaluate the accessibility of the information and make use of the suggestions provided by WebAIM.

Ideally what I would like to see is an option in Firefox to manually enable flash processing on a site by site basis -- those sites that abuse the privilege by writing CPU intensive flash apps would be blocked, while the more typical mundane implementations could be allowed.

BTW - Given that no browser includes flash out-of-the-box (it's always an add-in plugin as far as I'm aware) I now have some good ammunition to use when I run up against those that resist authentication models requiring software on the client.


Monday, October 22, 2007

New Gadget #13

My latest gadget is an update on a previously reported gadget.

This week I bought the latest and greatest Western Digital Passport external hard drive. A drive with a honking 250GB of space on it in the same packaging that my older 120GB and later 160GB drive used. In fact side by side with my prior 160GB drive you can't tell which is which:

Interestingly, they came out with this quickly enough that they are still using the 160GB retail packaging with just a sticker over the 160GB on the front of the package. When I first looked at the back of the package (which listed only 120GB and 160GB) I was worried about a bait/switch from the retailer. However, that wasn't the case, it was a real deal.

The drive comes formatted with a FAT filesystem and has software for doing automated backups and synchronization with your primary hard drive. I immediately reformatted it for NTFS so I could use encryption and such on the drive. I don't need the backup or synchronization stuff as I use this drive as an extended primary drive rather than a backup drive. I use rsync to backup my system (including the WD drive) to my server regardless of my location (remote or at home).

Some who have used this device have complained about the fact that it sometimes won't work in their USB port. WD does document that it requires a full power USB port (though I can't find any documentation on exactly what is a full power USB port and how do you know you have one). I have had problems when I plug this device into some ports and found that on my laptop only one of the ports works reliably. Even the ports on my external powered hub are not sufficient to power the device alone. So when at home using the hub, I use a Y cable that grabs power from a second USB port to power the WD drive. I'm not sure where I got the cable, it was lying about in my USB cables collection, but WD does sell one.

The only other thing is that I suggest you buy the slipcase sold by WD to protect the drive when on the road. I had one lying about from my 160GB drive, so I just used that one.


Sunday, October 21, 2007

Subversion end-of-line style

In my work with the Liberty Alliance, I'm the editor for several documents in the upcoming Advanced Client specification set. We use subversion as our source code revision control system.

Recently, when I was working on a new draft of the specs and committing a set of files that included a number of Visio drawings and the equivalent Encapsulated Postscript file images, I ran into problems. All the files were uploaded during the commit, which then failed with the error message:

svn: File "xxx.vsd" has inconsistent newlines
svn: Inconsistent line ending style

A quick look at the file and I saw that the files had the typical windows line terminator CRLF rather than the UNIX typical LF. So I hand edited the file removing the CRs and tried the commit again. The same thing happened just with the next file in the list. So clearly this was going to go on for each file. So I did what any other UNIX weenie would do -- entered a one line shell script for loop on the command line using tr to delete the CRs in each file.

This got me past the problem and the commit succeeded. However, I was not totally satisfied as I wasn't sure whether the files could still be edited in Visio with these changes. So I dug a bit deeper into the problem, looking into Subversion.

It turned out that subversion has attributes on files, one of which is "svn:eol-style". In this case, the files I was working with had gotten this attribute set to "native" which on the UNIX system I was on would be "LF". Not good for a file from Visio. I thought about changing the svn:eol-style to CRLF which would get around my specific problem at this time (until Visio changed their file format), but the better solution ended up being to just delete this attribute on the file with the following command:

svn propdel svn:eol-style *.vsd *.eps

Then I copied in the files from my Windows partition (where they still had the CRLFs) and committed the files without a problem.
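As an added example (not from the post), this shell script classifies each file's line endings the way Subversion's svn:eol-style check sees them, so the files that would trip "inconsistent newlines" can be found before a commit fails. The sample files are constructed here and stand in for the post's Visio and EPS files; the outcome rules assume a UNIX client, where "native" means LF.

```shell
#!/bin/sh
# Added example: find files that will fail "svn commit" while svn:eol-style
# is set on them, and show why dropping the property is the right fix for
# binary formats such as Visio drawings.

# eol_style FILE -> prints one of: lf, crlf, mixed, none
# "mixed" means the file has both CRLF-terminated and bare-LF-terminated
# lines. A final unterminated line counts as LF.
eol_style() {
    awk '
        BEGIN { crlf = 0; lf = 0 }
        { if ($0 ~ /\r$/) crlf++; else lf++ }
        END {
            if (crlf > 0 && lf > 0)  print "mixed"
            else if (crlf > 0)       print "crlf"
            else if (lf > 0)         print "lf"
            else                     print "none"
        }' "$1"
}

# eol_commit_outcome STYLE PROP -> what the commit does with a file whose
# endings are STYLE when svn:eol-style is PROP ("" if the property is absent).
# Assumption: UNIX client, so "native" is LF.
eol_commit_outcome() {
    style=$1
    prop=$2
    if [ -z "$prop" ] || [ "$style" = "none" ]; then
        echo "stored-as-is"     # no property: bytes are committed untouched
    elif [ "$style" = "mixed" ]; then
        echo "commit-fails"     # the "inconsistent newlines" error from the post
    else
        echo "normalized"       # consistent endings are rewritten to PROP's style
    fi
}

# make_samples -> prints the path of a temp dir holding constructed samples
make_samples() {
    dir=$(mktemp -d)
    printf 'line one\nline two\n'     > "$dir/unix.txt"
    printf 'line one\r\nline two\r\n' > "$dir/windows.txt"
    printf 'header\r\nbody\nend\r\n'  > "$dir/mixed.vsd"   # binary-ish, mixed
    printf ''                         > "$dir/empty.eps"
    echo "$dir"
}

# flag_inconsistent DIR -> names (one per line) of files that would fail a
# commit while svn:eol-style is set on them.
flag_inconsistent() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(eol_style "$f")" = "mixed" ] && basename "$f"
    done
    return 0
}

dir=$(make_samples)
for f in "$dir"/*; do
    style=$(eol_style "$f")
    printf '%-12s %-6s svn:eol-style=native -> %s\n' \
        "$(basename "$f")" "$style" "$(eol_commit_outcome "$style" native)"
done
echo "would fail with svn:eol-style set: $(flag_inconsistent "$dir" | tr '\n' ' ')"
# The post's fix for files that must never be eol-normalized:
#   svn propdel svn:eol-style *.vsd *.eps
rm -rf "$dir"
```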


Tuesday, October 16, 2007

Checking in too early

Like most airlines, United has, and strongly encourages the use of, an online check-in tool so that passengers can check-in for their flight before leaving home. This is seen as a win-win situation for everyone. United gets the user to do the manual labor of checking in and paying for the paper stock for printing the boarding pass while the user gets to avoid check-in lines at the airport.

I am a big fan of using this and typically check in near the limit of 24 hours before departure. I check in this early in part so that I don't forget to check-in in the mad rush out of the house on the day of my flight and in part so I can check to see if there's a better seat available at check-in.

However, this has led to one problem. On several recent flights, I was upgraded sometime between my early check-in and my departure for the airport. Because I was already checked-in in coach, I was unable to select a seat in the first class section. Theoretically I should be able to un-check-in and then re-check-in, or I should be able to get the customer service people to do the same for me, but neither worked and I had to wait till I got to the airport and the gate agent opened the flight at the gate (even the Red Carpet Club agents were unable to help me).

Moral of the story: If you're on the upgrade list, don't check in till you're close to leaving for the airport.

Update (10/21/07): Not learning from my own mistakes, I checked in around 11:30 PM the night before a flight to Tokyo as it appeared that there was no chance that it would clear before leaving for the airport in the morning (it was a 12:41PM departure). Of course, I was wrong and the upgrade cleared at 5:03 AM. But, since I was already checked in, I couldn't select seats in business class. Checking the site (by the usual trick of trying to purchase a business class ticket) showed that there were still 4 seats open including a coveted aisle seat (8D). By the time I got to the airport and checked in, the only seat left was 13E (a middle seat). Hopefully you'll learn from my mistakes better than I do.


Sunday, October 14, 2007

A broken Washer

This is a long story, feel free to just cut to the end.

A little over a year ago, we bought one of Sears' top-of-the-line washing machines (the Kenmore Elite Oasis Canyon) for several reasons, including that it was EnergyStar compliant while also being very large (so we could do our laundry in fewer loads while saving energy).

We really like the washer. It does a great job on our clothes, does it quickly, and does lots and lots of clothes at the same time, while also being very efficient at doing small loads.

However, we didn't like the fact that the thing just up and died mid-load with no sign of life in it. None of the lights were lit, none of the buttons did anything. On top of that, the lid was locked and there was nothing I could do to unlock it, so our clothes were stuck in there. Power cycling it did nothing (though I was able to use a meter to verify that it was not only getting power, but also consuming some small amount of wattage). Just in case you're wondering, no, there was no surge on the line as the weather was clear (we're in the middle of a drought) and I have UPSs all over the house which beep like crazy for any power line problems -- none of that happened, so I'm pretty convinced it was not a surge.

Of course, the warranty was over (1 year) and, given that it was a top-of-the-line system I thought it wouldn't be necessary to buy the extended warranty (especially since they almost always are a waste of money). So the repair was going to be on us.

We called Sears Home Repair and they couldn't schedule someone to come out and fix the washer for 2 weeks. When he did get here, he determined that the electronics module behind the console was bad, ordered a replacement and scheduled someone to come out and install it (another 2 weeks later). This at a cost of $346.77.

The part came in within a few days and since I didn't want to wait another week to get a working washer (we had already been to the public laundromat once) I tried to install it (something not all that unexpected if you read my blog). However, the cover over the board was screwed down with 3 screws and had 2 locking tabs. I was unable to get the locking tabs to release no matter what I did. I gave up and decided to wait for the repair guy to show up.

This past Thursday he showed up, had the same problem with the tabs and ended up cutting them off. After installing the board, the washer was still dead. He then said that the problem was most likely the main electronics unit (motherboard to the rest of us) and ordered one with "Emergency" delivery and scheduled a return visit the following week. He also noted that the replacement board was a different part and therefore they probably had fixed something in there. This at an additional cost of just under $300, bringing the total to $625.25. Needless to say I was NOT happy.

I poked around on the web and on Sears' own site, and found several people who had complained about this same exact failure just after the warranty expired. It seems like this was more of a general problem than a unique failure.

Armed with all of this information, I called customer relations and after about 40 minutes on the phone I was asked if they could call me back. I was hesitant because I was afraid of not getting a call and having to start over, but I went along with them. About an hour later, she called back and said that she had found that the electronics were covered by a 2 year warranty and the repair would cost us nothing (and she arranged for a refund of the initial charge on the first visit).

The part came in on Friday and since I didn't want to wait another week for a working washer, I decided to install it myself. This was a bit more complicated than the first board as it had many wires running about, but I took a few pictures so I could verify where all the wires should be and off I went. After about 15 minutes, the module was in, the washer was all back together and magic, I had a working washing machine. Of course, I was again proud of myself for doing the repair (though it was much easier than when I replaced the LCD on my camera).

One thing I did note once I had the washer working again: when I do a bleach load of whites on hot, steam comes out around the lid of the washer. Some of this steam could leak into the area with the electronics if the seals aren't tight enough. It was a similar load/settings on the washer when it died.

Things to learn from this

  • The squeaky wheel definitely gets the oil. It was only after calling and talking to 3 people at customer relations did I get to someone who magically said "oh, that should be covered by warranty". I do have to admit that I can't find any such warranty statement with the documents for my washer, but I'm happy to get the part fixed.
  • I was amazed about how little trouble-shooting was done on the phone prior to rolling a truck. Dell is a pretty good example for how to do this right, they will work quite well over the phone to figure out the exact problem to save a truck roll if possible. A little diagnosis over the phone and they would have known that the problem was with the electronics and could have sent the parts so that the unit would have been fixed the first time (note that Dell will even let you install the parts if you feel comfortable doing so -- which I've done several times for keyboards and such stuff).
  • Sears definitely has a problem with the electronics module for this unit. When something like that happens to a car, they do a recall, or they do a proactive warranty extension to keep their customers happy. Sears doesn't appear to be doing this and that's problematic given that they risk losing a customer who is buying their top-of-the-line (probably widest margin) goods.
  • The lid-lock should release when power is removed from the machine. Having it stay locked like that meant that we were unable to remove our clothes from it until the repair guy came and took the machine apart (and the lid was still locked when he was done, but we did get our clothes out).

Update (10/21/07) - apparently things were not as well worked out as they appeared. The service guy still tried to come out to my house for the installation of the part even after I had twice called to tell them that I had installed the part and they had said something to the effect of "Cool, then no need for us to come out. I'll cancel the service call". The service guy said he still had to come out to collect payment. I told him that customer relations had said that this was a warranty repair as the electronics were warrantied for 2 years. He went off to check on this and called me back about a half hour later saying that that was a parts-only warranty and that since I had installed it myself that voided the warranty and that I would have to pay both for the service call and the parts. I told them to give it a shot, but that there was no way in hell I was going to pay for this work. We'll see how this works out.

What I can't understand is how Sears is showing that they have no interest whatsoever in smoothing things over with a customer who has routinely purchased their top-of-the-line appliances. Ruining a relationship like that over $65 or so just doesn't make sense to me, but that's what they appear to want to do.


Saturday, October 06, 2007

The Case for Federation and SSO

To date, the vast majority of real-world federation roll-outs have been internal or enterprise type deployments. Things like an enterprise authenticating its users out to an outsourced provider (such as a Fidelity 401K, or AOL's Radio Service). Yes there are many exceptions to this general statement (you can see many of them on Liberty's Adoption Page), but that is the general view of the industry and I certainly don't knowingly use federation in any cross-provider operations.

The time has come for federation and Single-Sign-On to be adopted in a more general fashion. I say this for many reasons and hope that the various vendors and providers out there will not be stubborn and/or resistant about it. I think this is valuable to parties that will wish to assert identity. I think this is valuable to the people who will accept identity federations and I think this is valuable to the users themselves.

When I say it is valuable to the user, I don't mean the often quoted "that way you can reduce the number of passwords you need to remember" -- though I still think that is a reasonable benefit. The real value for the user is that they will be able to share their data across multiple providers without the need to give their credentials to the other party.

Examples that already exist today include:

  • On LinkedIn, if I want them to pull my contact information from my contact book in several mail services (e.g. GoogleMail, Hotmail, etc.) I have to provide LinkedIn with my username and password on the mail service. LinkedIn logs in as me (either through their web interface and does screen scraping, or directly via an exposed web service) and extracts my contacts. Since I gave them my login information, I'm hoping that they don't do anything wrong with the data (like expose it), and that they don't mis-use the access to my account (e.g. sending spam in my name).
  • On Etrade, when I want to setup a new bank account for transferring funds from my Etrade account, one of the options provided is for ETrade to be provided with my username and password for online access to my bank account so that they can verify that I have control of the account and that it is in my name. Like LinkedIn, I'm hoping that they don't do anything wrong with the credentials while they have them (and in the case of ETrade, hoping that they do not store them like they claim they won't do).

I could go on with this list, but you get the idea. The user is already federating their data together across different providers. It's just in a very broken way that can lead to cascading security failures as any security failure at one site can lead to security failures at other sites.

With federation, I wouldn't need to give my credentials to LinkedIn. My mail provider could also differentiate the access provided (letting LinkedIn see the set of contacts that I chose to share with LinkedIn without being able to send mail in my name or being able to change contacts). LinkedIn could maintain that federation so that they could periodically check for updates. A break-in at LinkedIn would mean that someone could perform the same operations that I've already OK'd for LinkedIn -- get the data that LinkedIn already has -- so no additional exposure.

Why would GMail, HotMail, or even my bank, want to do this? First off, users are already doing it in an insecure way (I can always give my login credentials to the other party), and with the expanded access of a full login at their service. Federation would be a much better solution from a security and least privilege point of view.

Another issue that might be raised with regards to the service providers is why they would want to expose a web service with this data. In many cases that's a new thing for them to do. But I think it's worth it because today, when they don't expose such an interface, the other parties just walk through their standard user web interface and do screen scraping of the data -- I'm sure that serving data via a web page is more costly than exposing it through a programmatic web service.

Of course, LinkedIn would want to do this as they already do, but within the restricted capabilities of today that open them to some liability as well (should my data be misused at their site).

While I spoke heavily about LinkedIn in this post, this clearly applies to any and all cases where I want to do things across sites -- this is becoming more and more important in the Web 2.0 world as more interesting applications join together information from various parties. I can see how Dopplr would want to access my LinkedIn account to get my list of friends to pre-populate my traveling buddies rather than me having to establish new connections. I can also see how Dopplr would want to get access to my United Airlines itineraries so that they could auto-populate my trips.

The list goes on and on and it's a win-win-win for everyone, users and providers.

You might then have the decision as to what token format one should use for the federation and what web services structure one should use for the service access. I, of course, would recommend SAML and Liberty's Identity based Web Services Framework (ID-WSF), respectively, but that isn't as much the issue as is getting this up and running for the users.

You might notice that in this case, I haven't been advocating a large Circle of trust with centralized IdPs. Most of the examples I gave were point to point federations where, essentially, the relying parties and the IdPs were the same entity. The advantage with this model is that you have no need for extended business agreements so it's much easier to roll out. I do think that as more and more people start adopting and using this, it will be a natural evolution to environments where there are separated IdPs and Relying Parties, but we don't need to start there.


Wednesday, October 03, 2007

A painful Vista

My Dell Latitude D830 came with Microsoft Vista which, for the most part, has seemed like a prettied up XP without a lot of added useful functionality nor a substantial increase in stability. At the time I upgraded, I wrote that I was like so close to buying a Macbook Pro. I am sorry to say that I regret that decision even more today.

What got me to that stage? Well, it's a long painful path and to be honest, I'm not at the stage (yet) that I'm ready to just give in and replace my fairly new laptop.

The problems all started about 2 months after receiving the laptop. On July 14th, the day before I left for a trip to Shanghai, my email program (Thunderbird) locked up. When I restarted it, it still had problems and wouldn't pull mail from the server, so I shut down and restarted the computer.

During the reboot, the OS decided a chkdsk of the NTFS filesystem was necessary and it found and fixed many problems. When I got back to the running OS, all of the files that were actively open at the time I cleanly shutdown the system were gone. Totally gone. Not in the found.* directories (the NTFS equivalent of the UNIX lost+found directory).

Luckily I had the data backed up earlier that day as well as an offline backup on an external drive from a week before that. Since I was taking off for Shanghai, I copied both backups onto my system so I could pick the files (as I wasn't sure whether the backup from earlier that day was corrupt as well).

I was able to get up and running again on my way to Shanghai without a problem and things were working fine. I assumed it was just some freak accident.

About a month later (mid-August) the same thing happened. This time I dug into it further and found that there had been a series of events in my event log (both then and back in July). It seems the problem starts with an NTFS event (which is flagged as an "Error" rather than a "Critical" event) with the event code of 137. The message from the event was extremely helpful... NOT!:

The default transaction resource manager on volume D: encountered a non-retryable error and could not start. The data contains the error code.

Microsoft's online help for the event was no help:

Results for: Microsoft product: Windows Operating System; Version: 6.0.6000.16386; ID: 137; Event Source: Ntfs;

No results were found for your query. Please see Search Help for suggestions.

Googling on "Default transaction resource manager" found few results as well, but there was at least a possible link to another's problem. Apparently some had discovered that Acronis True Image had led to similar problems. I had installed Acronis Disk Director to reorganize my disk partitions, so I uninstalled it to see if that would alleviate the problem. And, of course, I did the same restoration process to get back all the lost files.

I did find one interesting discussion on resource managers in Vista, but that didn't provide any information that would help solve my problem.

Given that the error message just showed up in the event log (and in both cases, was close to 24 hours before the system crashed -- allowing me to open/use many files that disappeared), I added an event alert task which would send a message to the console should this error occur again. This is really important so that you can catch the problem as it starts, minimizing the potential damages.

Things went well for about another month and then it happened again in mid-September, so it clearly wasn't the Acronis product. I was busy getting some heavy work done, so I didn't have the time to explore the problem other than to restore the files again.

About a week later, it happened again. This time it started going into an almost daily problem, sometimes happening again just after I had fixed things and ran chkdsk to fix the problems.

The pain had passed the threshold and I decided to do a total reinstall of the system. Prior to doing that, I did a complete backup. I copied my data files to a portable drive. I ran the extensive system diagnostics including the full suite of hard disk diagnostics to see if there was some form of a hardware problem. All diagnostics passed.

So, this past weekend, I reinstalled Vista. I've been installing each of my former tools (there are many of them) and so far, so good. Given that this didn't turn up until I had had the computer for about 60 days the first time, I guess I won't know for sure if I've gotten around the problem till early Dec.

And, of course, I went and added the event task to generate a message should this occur again.

Wish me luck!


Monday, September 10, 2007

Mistaken Identity

In a case of mistaken identity (of a place rather than a person) my United flight to Portland last night was delayed and had to re-connect the jetway and switch passengers.

As we were getting ready to push back, one of the passengers got up and talked to the flight attendant in the front of the plane. They talked, she talked to the pilot, they talked some more. All I could hear was "I'm really sorry" coming from the passenger.

The jetway re-connected and the guy got off the plane (while another passenger, who had been denied boarding because the plane was oversold, got on -- lucky him).

Apparently, the departing passenger had booked the tickets, checked in, and boarded the plane without realizing that he had ticketed himself to go to Portland, OR, rather than Portland, ME. I would have thought that the 5 hour flight time would have given him a hint, but perhaps the 3 hour time difference made the apparent flight time (if you didn't pay attention to timezones) appear to be just 2 hours.

Anyway, luckily we hadn't gone far and he didn't have any checked baggage (nor, from what I could see, much carry-on luggage -- just a small laptop case). So after the quick switch we were on our way.


Wednesday, September 05, 2007

Advanced Client Take 2

The second draft of the Liberty Advanced Client Technologies set of specifications has been published on the Liberty Alliance web site.

For those who aren't aware, the Advanced Client Technologies work is the 3rd generation of client technologies coming out of Liberty. The first generation was work that enabled a Liberty-aware client and/or proxy to participate in the SSO transactions (similar to what Cardspace does today). The second generation enabled active clients to act as WSCs in identity transactions (such as a radio or mail client authenticating with an IdP, then discovering and accessing a service provider).

This third generation enables clients acting as an extension of network providers such as an IdP, and addresses the issues related to hosting full-fledged service providers (such as my own IdP, or my own Contact Book Service) on my personal client.

So, this is your chance to nail me to the wall and point out how many stupid things I've done in there (though I'm not the only contributor, I'm sure that if something stupid is in there it is my doing). Please take a look-see and let us know of any interesting things you find in there (even pointing out the many, I'm sure, English mistakes would be helpful).

Go for it!

Tuesday, September 04, 2007

Portals and IdP Discovery

I recently received a comment on my SAML Bashing blog entry. "Jeremy" (not sure which Jeremy as he was otherwise anonymous in his comment -- I wonder if it's really James in disguise -- this seems the kind of comment James would leave, but James is usually quite blatant about it, not hiding behind an identity pseudonym) asked:

Kim stated "The question of how the relying party knows which identity provider URL to use is open ended. In a portal scenario, the address might be hard wired, pointing to the portal’s identity provider. ". What are your thoughts on that?

In the early days of Liberty ID-FF, we paid a good amount of attention to what solutions would fit into the various portal solutions. Much of this has to do with the configuration and structure of the portal. We saw different portals using different solutions including:

  • Push SSO

    In "push SSO" the portal, when creating links to the various components that make up the portal, generates redirection links that send the user directly to the IdP with additional information that causes the IdP to initiate an SSO to the third party.

    This is a common solution used in enterprise portals when the user selects a link provided by an outsourced third party (such as Fidelity providing 401K or stock purchase account management for employees).

  • Well-known IdP

    This is the solution mentioned in your quote of Kim. The members of the portal know which entity provides IdP services for the portal and can send the user to the IdP to get them authenticated. This is how most portals work today (e.g. Yahoo's IdP is known as the IdP for all Yahoo services at the Yahoo portal, so when I go to Yahoo Games, I get authenticated by the Yahoo IdP).

  • Affiliations

    Affiliations are a technical structure used to represent provider membership in a group (such as a portal, but they can also be other business groups). When the user "federates" to an affiliation, the members of the affiliation are able to treat the user as a common user, providing synchronized services and precluding a multitude of consents and IdP interactions.

    The concept of Affiliations was introduced in the ID-FF specifications and was incorporated into SAML 2.0 during the convergence of SAML 1, ID-FF and Shibboleth.

Friday, August 24, 2007

Relationships and authorization

James McGovern writes about how relationships must include authorization:

Anyway, the notion of relationship is something that belongs to the identity provider and entities such as the Liberty Alliance are defining standards around it. Check out their notion of the people service. The key though is that relationships sometimes require authorization. For example, just because my son can order an insurance card from Amica doesn't mean he is also allowed to cancel the policy for the entire family. Relationship needs authorization especially in domains having to do with medical interactions.

While I like his good words about the Liberty Alliance, I take exception with some of his conclusions.

First off, I don't think that relationships should or must belong to the Identity Provider. This is especially important in a world where my relationships cross the boundaries to many different Identity Providers. Within Liberty's People Service, we took great pains to ensure that the protocols support both a) the People Service being provided by a party other than an IdP (just as LinkedIn provides this type of service to their customers) and b) the relationships contained within a user's People Service being able to cross identity domains while still protecting the privacy of the users. The latter requirement led to some rather complex protocol sequence requirements when establishing a connection.

Secondly, I look at authorization as being associated with the object being accessed (where the input parameters may include individuals and/or group memberships) and not with the relationship itself. So in the example provided by James, James would introduce his son to Amica (using the People Service) and then set the associated rights at Amica, not within the People Service. The primary driver for this is that only Amica understands the objects available to Jim and the associated access permissions that may be possible for those objects.

The one place where I see the People Service (and/or any other relationship tracking service) getting involved in authorization is where the user controls what another may do with his relationship (e.g. I can allow Paul to see my relationships (and the fact that I long ago had a coolness link to the ever-cool Joni)).

Friday, August 03, 2007

Sniffing Cookies

In Tools to sniff and clone cookies, Stefan Brands writes about a scene at a recent Black Hat security conference where a presenter was able to steal live sessions by sniffing cookies on open internet connections, and concludes:

The message for those working on digital identity solutions, in particular “lightweight” identity solutions and plain-vanilla browser identity federation a la ID-FF, should be clear: unless asymmetric cryptographic protection is made an integral part of a solution, users are highly vulnerable to theft of IdP login credentials as well as of identity claims that are issued to them.

First off, to be very clear, there was absolutely *NO* stealing of login credentials. What was actually stolen in that particular case was a session cookie that would enable the hacker to use an existing session for the length of the session. The stolen cookie could not be used to establish new login sessions (as login credentials would allow).

Secondly, in a Liberty ID-FF and/or SAML scenario the authentication protocols are required to take place within an SSL session and we strongly encourage that SSL be used to protect the authenticated session afterwards.

What was really shown is that services that do not use SSL to protect communications from the browser to the server are liable to be monitored, recorded, and even hijacked -- regardless of how well the user was authenticated.

Moral of the story: Use SSL to protect communications of sensitive information.
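As an added illustration (not code from the original post or from any of the parties mentioned), the check below audits Set-Cookie headers for the attribute that keeps a session cookie off plaintext connections, which is what makes "use SSL for the session afterwards" stick. The cookie names and header values are constructed.

```python
"""Audit session-cookie attributes against the plaintext-sniffing scenario.

Added example (not code from the original post). The defence the post
identifies is carrying the authenticated session over SSL/TLS; the cookie
attributes checked here are what make a browser refuse to send the session
cookie over an unencrypted connection in the first place.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the two flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Max-Age=...) are irrelevant here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


# Constructed heuristic: name fragments that usually mark a session/authentication cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie plus findings when a session cookie can be sniffed or scripted."""
    audit = parse_set_cookie(header)
    if looks_like_session_cookie(audit.name):
        if not audit.secure:
            audit.findings.append("missing Secure: browser will send it over plain http")
        if not audit.http_only:
            audit.findings.append("missing HttpOnly: readable by page scripts")
    return audit


def would_transmit(audit: CookieAudit, scheme: str) -> bool:
    """Would a conforming browser attach this cookie to a request with the given URL scheme?"""
    if scheme == "https":
        return True
    return not audit.secure  # a Secure cookie never travels over plaintext


# Constructed sample headers (not captured from any real site).
WEAK_HEADER = "JSESSIONID=abc123; Path=/"
FIXED_HEADER = "JSESSIONID=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK_HEADER, FIXED_HEADER):
        result = audit_set_cookie(header)
        print(header, "->", result.findings or "ok",
              "| sent over http:", would_transmit(result, "http"))
```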

Monday, July 23, 2007

United announces new Business Class Seats

Today, United Airlines announced their new lay-flat business class seating that will start rolling out into the fleet later this year with a completion of the roll out in 2009.

The new business class seat is a substantial upgrade over the current seats including:

  • Lay-flat 6'4" bed
  • 15.4 inch LCD display
  • 110 volt outlet -- no more need for an EmPower adapter!!!!
  • Apple iPod dock
  • USB power supply to power/recharge devices
  • etc., etc.

You can take a look at the following for more information:

All I can say is "bring it on!!!" I'm ready for it today.

UPDATE: 7/24 - The downside in all this is that there are substantially fewer business class seats in each of the aircraft: 747 - 53 (down from 72), 767 - 26 (down from 32), and 777 - 40 (down from 45/49). So while the seats are much better, there are fewer of them, making upgrades much more competitive. TANSTAAFL.

Sunday, July 22, 2007

Shanghai Maglev Train

When we arrived in Shanghai, being the techno-dweebs that we are, we just had to ride the MagLev train from Shanghai Pudong Airport to the Shanghai Metro's Longyang Road station.

The train ride is quite short (less than 8 minutes) but well worth the 50 yuan (about $6) just for the experience of riding at 431 km/h at ground level.

I took the video below (about 1 minute long) to show what you see as you're riding along at that speed. This video is not retouched or sped up; that's the normal speed.

Enjoy!

Saturday, July 21, 2007

8 hours in SFO.... and then some...

On my way to Shanghai this week, I had a layover in SFO that was originally supposed to be around 4 hours. Normally I would fly through Chicago on my way to Shanghai, but my boss and a co-worker were traveling as well and they wanted me to meet up with them in San Francisco. 4 hours is a bit longer than the typical layover for me and part of it was my fault -- I had booked an early morning flight from Dulles because it was internationally configured and so the upgrade to business class was so much better.

When I got to SFO I received a text message from United that the flight to Shanghai was delayed 1/2 hour (to 2:20 rather than 1:50) -- no big deal.

However, that wasn't the end. Around 2:00, they told us that the delay was now changed to 6:40PM (another 4 hours) and they provided us with a meal voucher.

Later (around 5:30PM), they delayed the flight to the next day at 9:00 AM. This wasn't a cancellation, but a delay -- and given how full flights are nowadays, I'm glad they did the delay or it might have taken us days to get to Shanghai. They gave us dinner and breakfast meal vouchers as well as putting us up at the local Hyatt.

So, almost 24 hours after arriving in SFO, we took off for Shanghai and the rest of the flight was uneventful. Luckily, I was upgraded into business class the entire way.

Of course, the Chicago to Shanghai flight that I normally would have flown went off without a hitch and I would have arrived in Shanghai almost 24 hours earlier. For some reason, I find it necessary to remind my boss of that every few minutes :-).

Wednesday, July 11, 2007

Maintaining Social Networks

A recent article on the Teknision blog complains about the pain it is to build and maintain social networks again and again on one site or another:

There is something very wrong with the web……

I wonder how many times I have had to find and add Gabor Vida, Steve Mackenzie, Ryan Stewart, Mike Chambers, Phillip Kerman, Mike Downey, Mike Potter, Stacey Mulcahy, Ryan Murphy, Mykel Ruvola (and on and on and on and on) in the last few months. I have spent a huge amount of my time across social networks re-finding the same people over and over and over again.

I too have felt that pain and I am feeling the pain yet again as several of my compatriots have joined dopplr to keep track of where we all are and find interesting crossings of paths as we gallivant around the world.

Interestingly, this is what the Liberty Alliance's People Service was designed to solve, including the connection to people in different identity circles (e.g. they didn't all have accounts within the same identity domain). You can follow along on a webcast on the subject: audio is here, presentation deck used is here.

Take a look, there's some interesting stuff there.

Harry Potter Mania

Today, my daughters (Lauren and Jessica) were quite grumpy when heading off to their eventing horse camp (even more grumpy than they usually are in the morning). Their problem stems from a lack of sleep as they were up till quite late last night so that they could see the midnight showing of the new Harry Potter movie "Harry Potter and the Order of the Phoenix".

The movie was great (perhaps even more so since I knew I was seeing it about 3 hours before Eve :-) -- she's on the west coast, though I wouldn't be surprised if she flew to the UK just to be able to watch it last week during its world premiere). Warner Brothers have done another good job transferring the magic of the book to the screen.

The movie was true to the book, fun and quite enjoyable. It felt a bit long in a few places, but the books are getting quite long as well. Of course, I haven't read the books recently so now I'm all confused about what happens in book 4 vs 5 vs 6. I guess I'll have to go back and read them again before I start in on book 7. We had to order two copies of the last few books in the series (including 7) in our house to ensure a reasonable wait time for each of the readers -- we will all read it.

What amazed me about this movie is that we got there around 10:15 or so (almost 2 hours before the start -- much earlier than we had gotten to Star Wars Episode III's midnight showing, and we got great seats for that movie) only to find that the theatre was already 2/3 full. The entire middle was pretty much full and we were relegated to one of the sides. Pity the people who only showed up about an hour before start time as they had trouble finding 2 seats together anywhere in the theatre.

Monday, July 09, 2007

VMWare Tips & Tricks

I've been using VMWare Workstation for several years now (after dumping VirtualPC when Microsoft bought them and promptly dropped support for Linux guest OS integration). As part of my recent upgrade to Windows Vista, I upgraded to VMWare Workstation 6.0 and had to re-enable all of my tricks to get everything working the way I like within the OS (and I had to find them all again as I hadn't written them down as I discovered them previously).

So, this time, I've decided to document them here so that others could benefit from them (and so I have them lying about for the next time I have to do the same). They are listed here in order of discovery (as opposed to any semblance of an order of importance). I will continue to come back to this and add new things from time to time as I run across them. If there's something of interest you think should be added, let me know.

My configuration is that I have a Windows Vista host OS and two guest VMs, one running Windows XP Pro (as that is necessary for correct operation of many of our corporate tools), and one running Fedora Linux (where I do some open source development).

  • ctrl-alt-del shuts down guest OS

    I am using a windows host and I always lock the screen when I leave my desk/computer. Sometimes I happen to be in my linux VM at the time and this causes the linux system to log me out and/or shutdown, neither of which I appreciate, especially if I have lots of work in progress. I could figure out how to stop this within Linux, but I really just want VMWare to ignore the ctrl-alt-del and let me send one explicitly there if I need to.

    I achieved this by adding the line:

    mks.ctlAltDel.ignore = "TRUE"

    to the "C:\Users\All Users\VMware\VMware Workstation\config.ini" file. This tells VMware to ignore the ctrl-alt-del, so the guests don't see it. If I want to send a ctrl-alt-del to a guest, I use the VMware-defined ctrl-alt-ins combo.

  • Shared Folders are slow in Windows XP Guest

    My Windows XP guest was extremely slow in accessing shared folders (to the point that I didn't want to use them). At first I just thought this was normal, but then after a quick google search, I found this:

    1) Create a text file called 'lmhosts' in the folder
       C:\WINDOWS\system32\drivers\etc - if it doesn't already
       exist. If it does, simply edit it.
    2) Add the following line:

            127.0.0.1   ".host"

    3) Save the file.

    This is done in the Guest OS and it worked like a charm, though I didn't consistently have the slowness problem before implementing this and didn't study it long enough to figure out the specific mixture of circumstances to cause the problem. Implementing this fix got rid of the problem in all situations (so far).

  • Text input cursor icon disappears in Win XP guest

    In my windows XP guest, the standard I-Beam text input mouse cursor icon (the one that is used when the mouse is over a text input field such as a field entry, or an edit box) would not show up. I would be left without an indication of where my cursor was. At first, with just editing some forms, this was just an annoyance, but later, when I went to edit a document or an email message, it was downright painful.

    I first tried fixing this by changing the cursor icon. This worked in some cases, but left the most important (editing docs/emails) still broken. Some more searching (and this took a bit of work) and I found the right article in VMWare's forum which included:

    In the guest, try dropping the display hardware acceleration down a notch.
    
    Start->Settings->Control Panel->Display
    Settings->Advanced->Troubleshoot->Hardware acceleration

    Note that there's also a "Troubleshoot" button on the Settings Tab. This isn't the one, you want to use the Advanced button and then go to the Troubleshoot tab.

    For me, dropping it down one notch (to turn off some of the acceleration of the cursor operations) was all that was needed.

  • Printing from a Windows XP Guest

    Printing from my Windows XP guest was a problem as I would sometimes be connected to the corporate VPN and sometimes not. While on the VPN, the printers on the system's local network were not available from the guest as the connection to the physical network was through a NATed VMNet and thus two levels away from the guest.

    I worked around this by sharing the printer from my host OS and then using the host-only VMNet to access that "network" printer -- which was a local connection and thus allowed under our VPN configuration. This works whether or not the VPN is up and running.

  • Conflict between Communicator and VMNet setup

    In my Windows XP guest, I was unable to connect to our company's Microsoft Office Communicator SIP server. Playing around with this for a while, I was able to determine that the problem was related to my host-only VMNet. Disabling the VMNet allowed Communicator to connect; enabling it again and Communicator would again fail to connect.

    The problem was that the DHCP server was setting a DNS server in the guest, and the failure of that DNS host was causing the problems (probably timing) for Communicator. So, I disabled DHCP on that connection, hard-coded IP addresses for the host and guest OSs manually, did *not* specify DNS servers for that connection (didn't need them) and voila, it all worked fine.

Sunday, July 08, 2007

Derived trust

Eric Norman, commenting on my chastisement of Chase, asks me:

Do you have any idea about what your mother would have an easy time of? That is, your mother would be able to say, "Yes, this is my bank", or "Wait a minute; something is wrong here" and get the right answer every time.

Would the green address bar be enough for your mother?

I started to answer in a comment myself, then thought that this topic was important enough to require its own discussion topic.

The answer to the "green address bar" being enough, of course, is: No. Color, pretty locks, etc. would not be enough for my mother nor, I suspect, many other mothers, fathers, brothers, sisters, etc.

What my mother needs is a means of deriving the trust of a site from other people that she knows and trusts and to have any site that isn't on that list to either be totally blocked or to set off all kinds of bells and whistles so that it's impossible for her to not realize she's walked out of the nice safe world into the dark inner city of the internet.

My mother would trust sites that I, or probably most of my siblings, had said were OK (which is essentially how she does things today, but with a phone call and without protection within the platform that she really is looking at the actual site one of us said was OK).

This would require some client enhancements in browsers and possibly in mailers, some reputation based host that she could point her client towards to say "include Conor's list in my set of sites," a means to get real-time approval, support for multiple such lists (so she could include my sister's list, or my brother's list) etc. etc. I think she would set it to block any non-OKed sites. Others would probably want to be able to add their own sites as well.

As I think about this, much of it feels like the kind of infrastructure AOL has in place for their parental controls (where the parent can control what their youngster has access to), though this would be the reverse direction and rather than a control, it would be advisory (because my mother could change the settings on her browser and do whatever she wants on her computer).

Saturday, July 07, 2007

The Vast Machine

On my last trip, I picked up a book at one of the airport bookstores. The Traveler by John Twelve Hawks. It's a good story about the struggle between good and evil and I recommend reading it.

The reason I bring it up here is because it paints a pretty strong fictional picture of what could be done by the wrong hands in our ever-more-connected world. They called it "The Vast Machine" and fictionalized how the bad guys were able to tie together information from every kind of source to create a super surveillance system capable of finding anybody who even touches the grid: using ATM video feeds to track a victim, using toll booth cameras to track cars, planting false criminal records to get law enforcement to do their work, etc., etc.

One of the memorable sequences discusses the US's choice to put RFIDs into passports (supported and driven by the bad guys, of course):

"Is the information encrypted?" Michael asked.

"Of course not. That would make it difficult to share the technology with other governments".

"But what if terrorists use the skimmers?"

"It would certainly make their job easier. Let's say a tourist was walking through the marketplace in Cairo. A skimmer could read his passport -- find out if he was an American and if he had visited Israel. By the time the American reached the end of the street, an assassin could be stepping out of a nearby doorway."

Michael sat for a moment and studied Nash's bland smile. "None of this makes sense. The government says it wants to protect us, but it's doing something that makes us more vulnerable."

General Nash looked as if his favorite nephew had just made an innocent mistake. "Yes, it's unfortunate. But you have to weigh the loss of a few lives against the power given to us by this new technology. This is the future, Michael. No one can stop it. In a few years, it won't just be passports. Everyone will carry a Protective Link device that tracks them all the time."

Scary. Very scary. Fictional yes, but not outside the realm of possibilities given current or near future technologies.

This certainly reinforces the need to study the long term privacy impacts of all this magical work we're doing in the Identity space and especially with the move to contactless transactions.

Anyway, good summer reading for everyone and especially for those in the identity space.

They Just Don't Get It....

Received this email the other day from Chase (the banking folks who are frequent targets of phishing attacks).

I'm still amazed that financial institutions continue to send emails to their customers with active hyperlinks and directions to use those links. This encourages the exact behavior that makes their customers susceptible to a phishing attempt. After checking the links closely (I do like to study phishing attacks) as well as the rest of the content of the message, the only thing that provided any evidence to me that this was actually from Chase was the 4 digit portion of the account number (something buried deep down in the message).

What's especially interesting in this case is that I have already used their online payment system to make the payment for the current statement, so they are sending me an email to tell me to use a link to do something that I've already done.

We need to move away from these kinds of emails until there is some way for the average user to authenticate that they came from the real party with which they have a relationship and not some phishing impostor. Yes, I can verify this because I'm the suspicious type, but my mother would have a hard time with it.
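An added example, not code from the original post or from Chase, of the kind of link checking described above: it pulls each hyperlink out of a constructed HTML message and flags links that go to a host outside the institution's own domain, or whose visible text names a different address than the one the link actually leads to. The domain names are placeholders.

```python
"""Check the hyperlinks in an HTML e-mail the way a suspicious recipient would.

Added example, not from the original post or the bank. Two checks per link:
the host the link really goes to must sit under a domain the recipient knows
belongs to the institution, and when the visible text looks like an address
it must name that same host. Domain names below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains the recipient knows belong to the institution (placeholder values).
TRUSTED_DOMAINS = ("examplebank.test",)

# Visible anchor text that reads like an address: optional scheme, dotted host, optional path.
_URLISH = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; '' when there is no absolute URL (itself suspicious)."""
    return (urlsplit(url.strip()).hostname or "").lower()


def in_trusted_domain(host: str, trusted: Tuple[str, ...] = TRUSTED_DOMAINS) -> bool:
    """True only for the domain itself or a real subdomain, never for a look-alike prefix."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def text_looks_like_url(text: str) -> bool:
    return bool(_URLISH.match(text.strip()))


def host_of_text(text: str) -> str:
    """Host named by address-like visible text, adding a scheme so urlsplit can parse it."""
    t = text.strip()
    if not t.lower().startswith(("http://", "https://")):
        t = "http://" + t
    return host_of(t)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def suspicious_links(html: str) -> List[str]:
    """One finding per problem; an empty list means every link passed both checks."""
    findings: List[str] = []
    for href, text in extract_links(html):
        host = host_of(href)
        if not in_trusted_domain(host):
            findings.append(f"link goes to untrusted host {host!r} (shown as {text!r})")
        if text_looks_like_url(text) and host_of_text(text) != host:
            findings.append(f"visible text {text!r} does not match link host {host!r}")
    return findings


# Constructed message bodies, not real mail.
LEGIT_BODY = ('<p>Your statement is ready. Pay at '
              '<a href="https://www.examplebank.test/pay">www.examplebank.test</a>.</p>')
PHISH_BODY = ('<p>Verify your account: '
              '<a href="http://examplebank.test.login-verify.example/x">'
              'https://www.examplebank.test/login</a></p>')

if __name__ == "__main__":
    for body in (LEGIT_BODY, PHISH_BODY):
        print(suspicious_links(body) or ["no findings"])
```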

Thursday, July 05, 2007

Equipment recycling

In all my collecting of gadgets and toys, I've built up a collection of unused electronics. Thank god for eBay as I'm usually able to get rid of working electronics without too much trouble (in fact I think eBay has created an entire new model for gadget upgrading and trickle down flow as us gadgeteers sell our gadgets as soon as the next gadget comes out).

Of course, I also have stuff that just isn't worth selling on eBay -- usually because it is broken or the shipping cost is just too high when compared to the value of the item. This is especially the case for old computer monitors.

Well, today, I looked around the house and found 5 monitors ranging in size from 13 inch to 21 inch (the 21 inch Viewsonic was dead, the others work, but were old and unused), a 27 inch Sony television, and a dead APC rack mount UPS (when I called APC about it like a year ago, they said that "it gave its life to protect all the equipment behind it"... I thought that was a lame way of saying "we don't want to pay to fix it, you're on your own").

A quick search for electronic recycling found E Tech Recycling which, interestingly, has two offices in the U.S. -- one in Hillsboro, OR (where my work office is) and one in Chantilly, VA (close to where I live). We loaded the stuff into my wife's car (it was raining and I didn't think it would be wise to put electronics into the back of my pickup truck) and drove off to the local E Tech.

They helped unload the car, and charged me $65 -- which, I think, was a very good deal for everyone.

Wednesday, July 04, 2007

Cygwin on Microsoft Vista

I've run into a few problems using Cygwin on Microsoft Vista on my new laptop:

  • The installation hung during the post-install step "/etc/postinstall/gnuplot.sh". Researching this problem on the google found an article on the cygwin mailing list which worked around the problem by setting the Windows XP compatibility mode on the installation executable. I wasn't comfortable with this solution as it might cause things to not work well later on Vista.

    So I poked around a bit, turned on the "Command Line" output for the "Processes" tab in the Windows Task Manager and found that the script was hanging on "/usr/bin/texhash", which rebuilds a directory listing used by TeX. I was able to run the command successfully on the cygwin command line, but it was still hung in the installation process. So I used Task Manager to kill the texhash process and the installation continued to a later step "postinstall-ec-fonts-mftraced.sh" where it was trying to run "mktexlsr" - which is the same program. I again used Task Manager to kill that process and the installation now went on to a successful completion.

    Following the install, I went back and ran the texhash program manually, which did require me to change the mode of the files "/var/cache/fonts/ls-R" and "/usr/share/texmf/ls-R", which had been left read-only when I killed the process.

    Everything seems to be working fine now.

  • Scripts moved over from my Windows XP installation of cygwin now fail to run because they are DOS formatted (\r\n line termination vs UNIX's \n). I don't recall setting anything special when I installed cygwin on my old system, but on the new install it clearly asked if I wanted to use the binary (UNIX) mode vs DOS mode and recommended Binary (which I picked). Not a big deal... Just ran "tr -d '\015' < file > file.new" for any such scripts to get rid of the \r's.

  • My rsync backup scripts failed with strange errors and paths. I poked around a bit and this seems to be caused by the extensive use of NTFS junction points within the c:\users\user_name profile directory, including a particularly problematic one where "c:\users\user_name\AppData\Local\Application Data" points back to "c:\users\user_name\AppData\Local", creating an infinite loop, even for Windows Explorer (you can open "Application Data" again and again, going as deep as you want, since at every stage you get the contents of "Local" again, which has the "Application Data" junction within it).

    Junction points look like a shortcut in Windows Explorer and behave like a Unix symbolic link to some extent. I couldn't find anything within the cygwin mailing lists, nor in the rsync man page to deal with this problem, so I just manually excluded the problematic entries from the backup set and things worked fine.
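An added example, not from the original post, that automates the manual exclusion step above: it walks a profile tree the way a link-following backup would, records any link whose target is already on the current walk path, and emits matching rsync --exclude arguments. The sample tree is constructed in a temporary directory, with a symlink standing in for the NTFS junction (assumption: both resolve through os.path.realpath).

```python
"""Find link loops (NTFS junctions, symlinks) in a profile tree before backing it up.

Added example, not from the original post. The post's fix was a hand-written
exclusion list; this walks the tree the way a link-following backup would,
notices when a link leads back to a directory already on the current path,
and emits the relative paths to exclude. The sample loop is built with a
symlink as the nearest portable stand-in for the "Application Data" junction
the post describes (assumption: junctions and symlinks both resolve via
os.path.realpath).
"""
import os
import tempfile
from typing import List


def find_link_loops(root: str) -> List[str]:
    """Return paths (relative to root) of links whose target is an ancestor on the walk path."""
    loops: List[str] = []

    def walk(path: str, ancestors: List[str]) -> None:
        real = os.path.realpath(path)
        if real in ancestors:
            # Descending here would revisit an ancestor forever: record it and stop.
            loops.append(os.path.relpath(path, root))
            return
        try:
            entries = sorted(os.listdir(path))
        except OSError:
            return
        for name in entries:
            child = os.path.join(path, name)
            if os.path.isdir(child):  # follows links, as a link-following copy would
                walk(child, ancestors + [real])

    walk(root, [])
    return loops


def rsync_exclude_args(root: str) -> List[str]:
    """Turn the detected loops into --exclude arguments anchored at the transfer root."""
    return ["--exclude=/" + p.replace(os.sep, "/") for p in find_link_loops(root)]


def build_sample_profile() -> str:
    """Construct a throwaway profile directory with the looping link described in the post."""
    root = tempfile.mkdtemp(prefix="profile-")
    local = os.path.join(root, "AppData", "Local")
    os.makedirs(os.path.join(local, "Temp"))
    os.makedirs(os.path.join(root, "Documents"))
    # "Application Data" inside Local points back at Local: the infinite descent.
    os.symlink(local, os.path.join(local, "Application Data"), target_is_directory=True)
    return root


if __name__ == "__main__":
    sample = build_sample_profile()
    print(rsync_exclude_args(sample))
```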

Saturday, June 30, 2007

Gadget of the Week #12

My latest gadget is my new Dell Latitude D830. This replaces my older Dell Precision M70 and includes all the available bells and whistles: 2.4GHz Intel Core 2 Duo processor, 160GB 7200RPM drive, 4GB memory, 802.11a, g, and *n*, thumbprint reader, TPM, theoretically long battery life, and, of course, Windows Vista Ultimate. It is also thinner and lighter than my former laptop (and the Dell Latitude D810s we have here).

The battery life is nowhere near the claimed "up to 9 hours" (which I didn't expect it to be, given how I use the system), but it does last about twice as long as my former laptop with the same relative workload -- about 5 hours now, easily going the entire cross-country flight either direction which I tested last week. With the old laptop I had to bring along a spare battery and used them both up pretty well on the same trips (or I brought a power adaptor).

This is a screamer of a system. About the only thing I can say negative about it is that it only came with the integrated graphics card (they did not offer an option for an enhanced graphics card at the time I ordered -- they do now, but there doesn't seem to be an option to add it to an existing system).

So far Microsoft Vista has been OK. There are some things I like (recent places). There are some things that I miss from Windows XP (hardware profiles being one of them). I'll make a separate report later on Vista as I get more used to it and figure out the tricks.

One other note of interest: while the system does have 4GB of memory installed, I am running a 32 bit operating system (Vista), which can only address a total of 4GB and has memory reserved for hardware I/O mapping (and some shared memory for the graphics card), so the net amount of memory I have is around 3.4GB. Much lower than I thought. I'm thinking about making the jump to a 64 bit OS next time.

I did come like this close (picture me with my thumb and index finger almost touching) to jumping on the MacBook Pro bandwagon this time. I just couldn't give up the 1900x1200 display and the availability of real docking stations. Perhaps next time.

As part of this upgrade, I have done my part for the tech economy, choosing to buy/install upgraded versions of most of my like 5 billion utilities that I use. I guess Microsoft does cut a wide economic swath within the tech industry.

This is the first system upgrade in more than 2 years for me and it was worth it. I've been looking for a while and waited for Intel's Santa Rosa platform to become available.

Monday, June 25, 2007

You know you're an addict when....

Back in February, I wrote about getting hooked up with Where's George after finding a dollar bill in my change with some strange markings on it.

I quickly went out and got my stamps and started marking some bills.

Well, 4 months later (today), I am totally hooked on it. So far I have:

  • entered 727 bills worth a total of $5,177 (many of them are $1s).
  • gotten 44 hits on my bills, most of them coming in the last month or so (seems you need to build a certain amount of inertia before the hits start rolling in)
  • achieved a "George Score" of 637.36, placing me above the 85th percentile of Where's George users!!!!!
  • joined Friends of George where I get to pay extra money for the joy of entering my bills and tracking them :-).
  • started paying cash for many transactions that I had been paying with credit cards (so I can mark more bills and cause money to flow).
  • learned that it is better to mark small bills ($10s, $5s, and $1s) as they circulate a lot more than $20s, $50s, and $100s, which frequently just go to the bank awaiting a future withdrawal.
  • learned that it is better to get a stamp that needs little to no alignment (rather than the nice circular stamp I bought that goes around the treasury seal and must be aligned somewhat carefully -- taking way too much time when trying to stamp a stack of 100 or 200 $1s).

The real signs of my addiction:

  • The anticipation that I have when checking emails looking for hits.
  • The groans that I hear from my "friends" when I pull out my wad of marked bills trying to exchange them for unmarked bills in their pockets.

In any case, I still find it lots of fun and my friends seem to be mostly amused with my addiction. If you're interested, go get a stamp and enjoy marking your bills!


Sunday, June 24, 2007

Perhaps not so much Bashing...

Kim responds to my note about SAML Bashing:

...which is, by the way, absolutely NOT my intent. I’m simply trying to understand how SAML relates to linkability, as I am doing for all the other major identity technologies. I can’t take up all the points he raises, but encourage the reader to look at his piece…

Perhaps I reacted too negatively, but the analogy of some unknown clerk reaching into my pocket really irked me as that clearly isn't what happens and it appears to be written to instill unreasonable fear in an implementation of a browser-based SSO protocol.

I’m not criticizing or discussing the profile for an Enabled Client/Proxy. I was talking about SAML as we know it - in the mode which has been widely deployed in portals all over the world.

I think such analysis should be based upon the capabilities of the protocol and not about what some deployments have chosen to do within their environment (where they clearly felt that browser-based SSO meets their needs, and in many cases is mandated by the deployment scenario).

I think Conor is misunderstanding my intentions. I agree that with a completely trustworthy Identity Provider following best practices for end user privacy, Conor’s b) and c) above would apply. But we are looking at linkability precisely to judge the threats in the case that parties to identity transactions are NOT completely trustworthy (or are attacked in ways that undermine their trustworthiness.) So arguing that the identity provider will behave properly has nothing to do with what I am exploring: risk. I’ll try to build Conor’s concerns into my ongoing discussion.

I'm sure there's some misunderstanding here. I normally find that I agree with most of what Kim has to say and really respect his opinions.

As far as the trustworthiness is concerned, there's nothing that is completely trustworthy, not even if I make the decisions myself and hand-code the response messages from the keyboard (I'm sure that I will make mistakes of judgment and/or typos).

I would add that the same "attacked in ways that undermine their trustworthiness" applies to client implementations that try to enhance privacy protection. They too are subject to being attacked. Nothing is totally foolproof and I'm not sure which has more likelihood of successful attack, a service maintained under contractual agreements or open software systems in the hands of end users.

I certainly have chosen to put my money in a bank rather than store it under my mattress. Yes, the bank is more likely a target for a robbery, but they are legally obligated to maintain my funds, even if they are robbed. Similar decisions will be made by many people in the identity space (and yes, some out there will always keep their funds in their mattress).


SAML Bashing

Kim writes about SAML's use of redirection protocols. To start with, he forgets to mention a few important facts as part of his discussion:

  • SAML defines a profile for an Enabled Client/Proxy (ECP) which is an evolution of the Liberty Alliance's LECP protocol. This protocol does *NOT* involve redirection, but instead supports an intelligent client directed by the user driving SSO transactions (a similar model to that adopted by Cardspace).
  • The Browser-Profile that Kim is referring to is one written based upon a use case requirement that the profile work out-of-the-box on unmodified browsers. There is NO other possible solution that will work in this scenario that will protect the user's credentials at the IdP.

That said, there are still several statements in Kim's analysis that I feel obligated to respond to. These include:

Note that all of this can occur without the user being aware that anything has happened or having to take any action. For example, the user might have a cookie that identifies her to her identity provider. Then if she is sent through steps 2) to 4), she will likely see nothing but a little flicker in her status bar as different addresses flash by. (This is why I often compare redirection to a world where, when you enter a store to buy something, the sales clerk reaches into your pocket, pulls out your wallet and debits your credit card without you knowing what is going on. “Trust us.”)

First off, the user only sees nothing if a) they are already authenticated by the IdP, b) they have previously established a federation with the relying party, and c) they have told the IdP that they don't want to be notified when an SSO with this party takes place. I, for one, want things to work this way for me with providers that I trust (and yes, I do trust some providers). The inability to do this type of automatic operation is one of the shortcomings in Cardspace's implementation that I think will eventually be fixed. There is no need to have repeated confirmations of operations that I say may occur without my unnecessary participation.

Secondly, the analogy is way off base, trying to make this seem like I'm being pick-pocketed by someone I don't know, which Kim knows is absolutely not the case. A more proper analogy would be something along the lines of "I give one of my providers permission to reach into my bank account and withdraw money to pay my bill". I do this all the time with providers I trust, such as my electric company, my telephone company (both wired and wireless) and many other companies.

So, returning to the axes for linkability that we set up in Evolving Technology for Better Privacy, we see that from an identity point of view, the identity provider “sees all” - without the requirement for any collusion. Knowing each other’s identity, the relying party and the identity provider can, in the absence of appropriate policy and suitable auditing, exchange any information they want, either through the redirection channel, or through a “back channel” that dispenses with the user and her browser altogether.

The IdP does not "see all". The IdP only sees that you have visited a particular relying party. It does not see what you do at the relying party. Knowing that I visited Amazon is not the same thing as knowing what I looked at and/or purchased at Amazon.

Secondly, my choice of an IdP (as with most others) would be made based upon the appropriate policies and auditing capabilities at that IdP (just like I don't choose to use Johnny down the block as my bank; I choose a reputable firm), and just as I would require the exact same policies and auditing in any client that I chose to use to act as my identity selector (yes, I have to *trust* Cardspace's or Credentica's implementation of policies just as I have to trust an IdP's).

In fact all versions of SAML include an “artifact” binding intended to facilitate this. The intention of this mechanism is that only a “handle” need be exchanged through the browser redirection channel, with the assumption that the IP and RP can then hook up and use the handle to “collaborate” about the user without her participation.

That isn't the intention at all. The intention, as Kim surely knows, is to pass a message by reference rather than by value. For the non-programmers in the audience, this means that I have a message that I need to send to the relying party (in this case that message contains an assertion, which can be big and complex and which has additional security requirements if passed through someone else's hands -- yes, the user can count as someone else). Instead of sending the token to the client to have the client then send it up to the relying party, I can send a small artifact that the relying party then presents to the IdP to get the token. The protocols explicitly define what the artifact is exchanged for -- it was never intended as, nor can it be used within the protocol definitions as, a general collaboration handle.

In many enterprise implementations, the artifact is used to allow the IdP to issue assertions to the Relying Party that don't need to be signed by the IdP. Clearly that isn't something I could do if the assertion was sent to the client (otherwise we'd be talking about how I took the token and edited it to say I was Bill Gates when I sent it to his bank).
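To make the pass-by-reference point concrete, here is an added toy model of the artifact exchange (my own illustration, not code from any SAML implementation): the browser carries only a short opaque artifact, and the IdP hands out the assertion over the back channel only to the relying party the artifact was issued for, only once, and only before it expires. The class and function names and the time values are constructed for the example.

```python
import secrets
import time


class IdentityProvider:
    """Constructed toy IdP: issues artifacts and resolves them over a back channel."""

    def __init__(self, artifact_ttl=60):
        self._pending = {}  # artifact -> (assertion, intended relying party, expiry)
        self.ttl = artifact_ttl

    def issue_artifact(self, subject, rp_id, now):
        # The assertion itself never passes through the browser; only this
        # short random handle does, so the user cannot edit the assertion.
        assertion = {"subject": subject, "audience": rp_id, "issued_at": now}
        artifact = secrets.token_urlsafe(20)
        self._pending[artifact] = (assertion, rp_id, now + self.ttl)
        return artifact

    def resolve(self, artifact, requesting_rp, now):
        # Back-channel resolution. The artifact is bound to one relying party,
        # consumed on first use, and useless after expiry: it buys exactly one
        # assertion for one party, not a general "collaboration handle".
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None, "unknown or already redeemed artifact"
        assertion, rp_id, expiry = entry
        if requesting_rp != rp_id:
            return None, "artifact was issued for a different relying party"
        if now > expiry:
            return None, "artifact expired"
        return assertion, "ok"


def browser_sso(idp, rp_id, subject, now=None):
    """Front channel: the browser is redirected from IdP to RP carrying only the artifact."""
    now = time.time() if now is None else now
    artifact = idp.issue_artifact(subject, rp_id, now)
    # The RP receives the artifact in the redirect and redeems it directly with the IdP.
    return idp.resolve(artifact, rp_id, now)
```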

In considering the use cases for which SAML was designed, it is important to remember that redirection was not originally designed to put the “user at the center”, but rather was “intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent… for example, if the communicating parties do not share a direct path of communication.” In other words, an IP/RP collaboration use case.

All SSO use cases (where one party authenticates a user and asserts an identity for that user at a relying party), redirection or not, would then be, by Kim's definition, an IdP/RP collaboration since the RP (Relying Party) is relying on the identity presented by the IdP. This has nothing to do with redirection or user involvement, or SAML in particular.

As Paul Madsen reminded us in a recent comment, SAML 2.0 introduced a new element called RelayState that provides another means for synchronizing or exchanging information between the identity provider and the relying party; again, this demonstrates the great amount of trust a user must place in a SAML identity provider.

No. RelayState is designed for the RP to send information to itself, not the IdP, so that it can remember what the user was trying to access when the user is returned to the RP following a successful SSO operation. This is primarily used in the case where the RP is unable to set a cookie in the user's browser to remember that information. SAML even points out that as little as possible data should be included in the RelayState.

Paul's point in his comment was that if an RP used this incorrectly, they could leak information. The SAML specs contain exactly this caution.
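As an added illustration of the RelayState caution (my own example, not code from any SAML product or from Paul's comment), the toy relying party below keeps the user's intended target on its own side and sends only an opaque handle as RelayState, so the IdP learns nothing about where the user was headed; a small checker flags RelayState values that would leak a URL or exceed the 80-byte limit the SAML 2.0 bindings place on RelayState. The class and function names are constructed for the example.

```python
import secrets

RELAYSTATE_MAX_BYTES = 80  # SAML 2.0 Bindings: RelayState must not exceed 80 bytes


class RelyingParty:
    """Constructed toy RP: RelayState is a handle to server-side state, not the data itself."""

    def __init__(self):
        self._targets = {}  # opaque handle -> target the user originally requested

    def build_authn_request(self, target_url):
        # The handle carries no information about the target; only the RP can map it back.
        handle = secrets.token_urlsafe(24)  # 32 URL-safe characters, well under 80 bytes
        self._targets[handle] = target_url
        return {"SAMLRequest": "<constructed AuthnRequest>", "RelayState": handle}

    def handle_response(self, relay_state):
        # Single-use lookup. An unknown or tampered handle falls back to a safe default
        # page rather than redirecting wherever the returned value says.
        return self._targets.pop(relay_state, "/")


def relaystate_findings(relay_state):
    """Flag RelayState values that carry user-visible data instead of an opaque handle.

    Returns a list of findings; an empty list means nothing was flagged.
    """
    findings = []
    if len(relay_state.encode("utf-8")) > RELAYSTATE_MAX_BYTES:
        findings.append("exceeds the 80-byte RelayState limit")
    if "://" in relay_state or "?" in relay_state or "=" in relay_state:
        findings.append("looks like a URL or query string, which the IdP gets to see")
    return findings
```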

I don't claim to say that SAML is the end-all for every use case. I do believe that we need to support multiple methods, some of which have different privacy implications. I also don't want some privacy weenies making life intolerable by the need for a confirmation of every thing that I already said it was OK to do. I do trust some of the parties that I interact with and want to be able to automate as much as I feel comfortable doing. I have no problem with the privacy weenie that wants to turn on the "let me approve everything" -- just don't force me to live that way as well.
