Time Machine

One of the current "joke" emails flooding the internet is an email showing pictures from a 1977 JC Penny catalog. Given that the email referred to "blog fodder" I decided to search around and I've found the original post. Definitely worthy of a read.

Strap In, Shut up and hold on -- we're going back.

If you remember this stuff... If you wore this stuff... I'd suggest that you not share those identity attributes -- unless you don't mind being the butt end of many jokes for the rest of your life.

Tags : identity / time machine

Anti-gulllibility training

I've always felt that one of the most important tasks for a parent is to teach their kids to not be gullible. I routinely work on such training with my kids. In fact the other day, I was way into the story about how Los Angeles schools, while not getting many snow days, do get closed for bad hair days. Unfortunately, while my daughter was well into the "realy?" stage, my wife piped up with "They do not!" cutting me off at the knees.

Nothing is a better example of the importance of such training than the comment in response to Paul's revealing post about Microsoft's Identity Assistants.

So parents, take this as a warning. Train your kids in anti-gullibility before they make a fool of themselves publicly.

Tags : identity / Microsoft / Microsoft

Madsen's Lemmas (or is it Lemmi)

Paul writes about attributes and how they won't be trusted for self assertion when the value of the attributes is used to distinguish levels of service.

In the context of any given application, a Relying Party will be unwilling to accept a self-asserted identity attribute without verification if there exists the possibility of differentiated advantage to the user in claiming one value for that attribute over another.

And follows with the corollary:

For any given identity attribute, there exists an application context in which there can be differentiated advantage to the user in claiming one value for that attribute over another.

Combining the two would make one think that Paul is arguing that self asserted identity attributes will never be accepted, but I'm pretty sure he didn't mean that.

In any case, I think there's another side to this puzzle in that the self asserted attributes can be accepted and used when the result makes it useless for the user to lie about them. If I order something with Paul's credit card, name, address and phone number, it generally will be accepted, the transaction will complete, and the vendor will ship the product -- it will just end up at Paul's house rather than mine, so I won't benefit from it (but I bet Paul was surprised when those enlargement pills showed up :-)).

So I would write the lemma more along the lines of:

There exist some set of cases where a Relying Party provides such differentiated levels of service that they will require third party attestation and/or confirmation of attributes in order to enable access to such differentiated levels of service.

PS. Paul, if you need to fake your IP address to make it look like you're coming from the US, let me know... I can give you access to my proxy server (without, of course, any guarantees as to snooping on the traffic :-)).

Tags : identity / attributes / self-asserted

Living without flash....

Back in March, I wrote about finally succumbing to the need for add blocking when flash adds on several sites were measurably impacting the performance of my system. When I reloaded my system I decided to forgo installing the flash player as my solution as the add blocking software was still kind of a pain.

Well, after a month or so of living without a flash plugin it seems I have to reverse my decision. Too many sites out there are totally unusable without flash. Many use it as an integral component in their site navigation (try researching Dish Network's offerings or look at SciFi's channel info (2/3rds of the home page is blank with "this section requires flash")... Others use it for processing particular functions (I can't us discover's secure credit card number generator because it only works with flash, I couldn't order my daughter's school yearbook from Jostens because the required personalization step requires flash with no alternative).

While all this glitz is nice for the marketing guys, I think that this is a bad thing. Especially when you consider that flash doesn't work all that well for accessibility (just imagine the blind person trying to make sense of the glitzy flash driven site navigation system). The Web Accessibility in Mind folks have a good article on accessibility programming with flash but they note that it's hard to do well.

My suggestions:

• Never use flash for site nagivation. Javascript works well enough.
• If you do use flash, provide reasonable alternative, keyboard based, means to obtain information from your site.
• Evaluate the accessibility of the information and make use of the suggestions provided by WebAIM.

Ideally what I would like to see is an option in Firefox to manually enable flash processing on a site by site basis -- those sites that abuse the privilege by writing CPU intensive flash apps would be blocked, while the more typical mundane implementations could be allowed.

BTW - Given that no browser includes flash out-of-the-box (it's always an add-in plugin as far as I'm aware) I now have some good ammunition to use when I run up against those that resist authentication models requiring software on the client.

Tags : flash / Macromedia / Adobe / WebAIM / Dish Network / Discover / Jostens / SciFi / Firefox