Friday, March 30, 2007

Ad Blocking

I've known about the Firefox adblock plug-in for a long time, but have resisted installing it. For the most part, I think that sites I visit have a reasonable case for showing advertisements (to pay for the thing that I'm going to view or use). I don't mind that they make money. And, I don't mind getting ads that are related to what I'm doing, so it was sort of a win-win for everyone.

However that changed today... Over the past few weeks I've been poking around on my system when it would go slow. Of course, Outlook was frequently to blame. But there were times when I could not attribute the problem to Outlook and looking in my task manager, I found that it was Firefox that was using up the CPU -- 15 to 20% of it, even when I was doing nothing.

Some experimentation found that there were several ads running on different sites that were Flash-based and were eating away at my CPU.

So, I installed the plug-in, restarted Firefox, went to the pages that had the ads in question and easily blocked them. I'll continue to allow ads that aren't hungry consumers of my CPU (for the reasons I gave earlier), but nobody has the right to put an ad on my system that has a measurable impact on its performance. Ad writers, take note... Stop with the flashy, high-load ads lest we block them all.

Anyway, thanks a bunch to the Adblock Crew and Michael McDonald for making this great plug-in available.

Wednesday, March 28, 2007

Planet Earth

The Discovery Channel has started running an 11 part miniseries titled "Planet Earth", narrated by Sigourney Weaver.

We enjoyed watching the first 3 episodes (thanks to Tivo!!!!) which aired on March 25th. The show will continue to air on Sundays through April 22nd.

It's a great show and I recommend it as breathtakingly entertaining (and even educational) for the entire family.

Free Software Update

Back in Dec, I wrote about the Almost Free Software offers that I kept receiving in the mail and how it clearly wasn't a smart or good deal. Since then, the parties pushing their "Downloadable Software" have gotten even more aggressive (I'm getting probably twice the number of offers today) and they have varied their approach considerably.

I still get the emails that have the list of software offers for like $79. I also get emails with images such as the one below:

Office 2007 is available for enterprise users from November 30, 2006. The end user version is available from the beginning of 2007. The 2007 Microsoft Office System, also known as Microsoft Office 2007, is the most recent version of Microsoft's productivity suite. Formerly known as Office 12 in the initial stages of its beta cycle, it was scheduled to be made available to volume license customers on November 30, 2006, with general availability following in early 2007. Office 2007 contains a number of new features, the most notable of which is the entirely new graphical user interface called the Ribbon, replacing the menus and toolbars that have been the cornerstone of Office since its inception. Office 2007 also includes new applications and server-side tools. Chief amongst these is Groove, a collaboration and communication suite for smaller businesses which was originally developed by Groove Networks before being acquired by Microsoft in 2005. Also included is Office Sharepoint Server 2007, a major revision to the server platform for Office applications, which supports "Excel Services", a client-server architecture for supporting Excel workbooks that are shared in real time between multiple machines, and are also viewable and editable through a web page. While Office 2007 includes many new features, one has been removed entirely: Microsoft FrontPage is no longer being developed; its successor is the Microsoft Expression line of products. Microsoft Office 2007 Enterprise
Retail Price $899.00
Our Price $79.95
You save $819.05

Downloadable Software (DS) is a rapidly growing company with a high quality software. You've come to the right place if you need professionally implemented programming solutions for your usage. Thousands of contented customers have already benefited from our software and solutions. Hundreds are joining this community every day.
We deliver superior software products and services that empower our partners and customers to dramatically improve their development, deployment, integration and management of quality applications all over the world.

Most popular OEM products:

Microsoft Windows Vista Business
Retail Price $299.00
Our $79.95

Microsoft Office 2007 Enterprise
Retail Price $899.00
Our $79.95

These offers come from all kinds of people (most likely falsified) with subjects telling me that Carysoft, michelsoft, Jefferysoft, Jinnysoft, sanitysoft, etc., etc. have great "80% offers off MICROSOFT/ADOBE SOftware". I've even gotten some "sóftwáre dównIóád cóúpón" (again, the special characters are an attempt to squeeze by spam filters).

The domains/hosts where you are asked to go include:

  • (currently the most popular)

What should you do?

Stay away from those sites. As Robert Heinlein often said: TANSTAAFL -- There Ain't No Such Thing As A Free Lunch. If it sounds too good of a deal, it is too good of a deal.

I haven't dug deep enough into the site to figure out if they are just trying to steal your identity or to sell you bogus software, but I'm convinced that it's one or the other.

Tuesday, March 27, 2007

Liberty's Advanced Client Trusted Module

Last week, the Liberty Alliance announced the release of the initial draft of the Advanced Client Technologies (ACT) specification set. I mentioned it as well last week.

One component of the Advanced Client Technologies that may be less than obvious is the Trusted Module (TM). The TM should not be confused with the Trusted Platform Module (TPM) whose specifications have been released by the Trusted Computing Group -- the two modules do very different things, although I expect that some TM implementations will make use of a TPM to enable their trustedness.

The TM doesn't stand out so well since there is no "Trusted Module" specification in the specification set, although there is discussion about the TM in the Advanced Client Technologies Overview. That is, in part, because the TM isn't a service itself (although it does make use of other services such as the IdP service).

However, the TM is one of the more useful components included in the Advanced Client Technologies specs and was driven by a number of valuable (from a personal and a business sense) use cases which called for the following capabilities:

  • The TM can act in the name of the Identity Provider (IdP) for SSO and Web Services transaction identity assertions.
  • The TM can locally validate user credentials (username/password, smartcard, biometric, etc.) and assert the identity of the user based on the local validation (to the IdP and/or to relying parties (RPs)).
  • The TM can perform these tasks when "offline" or otherwise disconnected from the IdP (sometimes out of a choice for privacy reasons).
  • The solution must allow for, document, and support a model that does not inadvertently require the creation of a correlation handle for the user's identity across multiple providers. This requires interesting solutions when you take into account that an entity that is likely to be per-user will be participating in signed transactions.

Essentially in this model, the TM is a local beachhead for IdP delegated functionality. The reasons why an IdP might want to support this model include (in no special order, nor intended to be totally inclusive):

  • Security - allowing verification of credentials locally, without network transmission or network storage of the credential verification data, decreases the likelihood that such data will be stolen (especially an issue when considering biometric data, given that the user typically can't change their biometric data).
  • Load distribution - the identity related transactions are distributed out to end-user systems rather than having to rely on a central server for every transaction.
  • Privacy - allowing the TM to perform SSO operations reduces the visibility of the IdP into exactly what the user did, and when, since the TM can do so without involving the IdP (assuming, of course, that the IdP has allowed the TM to do so).
  • Availability - the user is able to actively assert their identity, even when the IdP is not available (e.g. because of maintenance downtime, connectivity issues, or even remote site access).

All-in-all, this TM provides a substantial package of powerful technology that will improve the overall identity meta-system. I look forward to seeing some of this stuff hit the street.
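The chain of trust described above, as an added example written for this page rather than code from the Liberty Alliance specifications: the IdP signs a delegation that binds a key generated by the device-resident TM to one user, the TM later signs identity assertions with no connection to the IdP, and the RP verifies both signatures while holding nothing but the IdP's public key. Go's standard-library Ed25519 stands in for whatever signature scheme an implementation would use; the message layouts, the names IssueDelegation, Assert and Verify, and the audience and nonce checks are this example's assumptions, not the spec's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Delegation: the IdP's statement that whoever holds TMKey may assert User's
// identity until Expiry. (Constructed layout, not the Liberty ACT wire format.)
type Delegation struct {
	User   string `json:"user"`
	TMKey  []byte `json:"tm_key"` // ed25519 public key generated on the device
	Expiry int64  `json:"expiry"`
}

// Assertion: what the TM emits after validating the user's credential locally.
type Assertion struct {
	User     string `json:"user"`
	Audience string `json:"audience"` // the RP this assertion is for
	Nonce    string `json:"nonce"`    // RP-chosen, so a captured assertion cannot be replayed
}

// Signed is a JSON body plus a signature over it; a SignedAssertion also carries the delegation.
type Signed struct {
	Body []byte
	Sig  []byte
}

type SignedAssertion struct {
	Signed
	Delegation Signed
}

// IssueDelegation runs at the IdP, once, when the TM is provisioned.
func IssueDelegation(idpPriv ed25519.PrivateKey, user string, tmPub ed25519.PublicKey, expiry time.Time) (Signed, error) {
	body, err := json.Marshal(Delegation{User: user, TMKey: tmPub, Expiry: expiry.Unix()})
	if err != nil {
		return Signed{}, err
	}
	return Signed{Body: body, Sig: ed25519.Sign(idpPriv, body)}, nil
}

// Assert runs on the device with no connection to the IdP.
func Assert(tmPriv ed25519.PrivateKey, del Signed, user, audience, nonce string) (SignedAssertion, error) {
	body, err := json.Marshal(Assertion{User: user, Audience: audience, Nonce: nonce})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Signed: Signed{Body: body, Sig: ed25519.Sign(tmPriv, body)}, Delegation: del}, nil
}

// Verify runs at the RP, which trusts only the IdP's public key. It returns the
// asserted user, or an error naming the first check that failed.
func Verify(idpPub ed25519.PublicKey, sa SignedAssertion, audience, nonce string, now time.Time) (string, error) {
	// 1. The delegation must really come from the IdP and still be valid.
	if !ed25519.Verify(idpPub, sa.Delegation.Body, sa.Delegation.Sig) {
		return "", errors.New("delegation not signed by IdP")
	}
	var del Delegation
	if err := json.Unmarshal(sa.Delegation.Body, &del); err != nil {
		return "", err
	}
	if now.Unix() > del.Expiry {
		return "", errors.New("delegation expired")
	}
	if len(del.TMKey) != ed25519.PublicKeySize {
		return "", errors.New("malformed TM key in delegation")
	}
	// 2. The assertion must be signed by exactly the key the IdP delegated to.
	if !ed25519.Verify(ed25519.PublicKey(del.TMKey), sa.Body, sa.Sig) {
		return "", errors.New("assertion not signed by the delegated TM")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Body, &a); err != nil {
		return "", err
	}
	// 3. The TM may speak only for its bound user, only to us, and only once.
	if a.User != del.User {
		return "", errors.New("asserted user differs from delegated user")
	}
	if a.Audience != audience {
		return "", errors.New("assertion meant for a different RP")
	}
	if a.Nonce != nonce {
		return "", errors.New("nonce mismatch (replayed assertion?)")
	}
	return a.User, nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	tmPub, tmPriv, _ := ed25519.GenerateKey(rand.Reader)
	del, _ := IssueDelegation(idpPriv, "user-42", tmPub, time.Now().Add(30*24*time.Hour))
	sa, _ := Assert(tmPriv, del, "user-42", "rp.example", "nonce-1") // the device may be offline here
	fmt.Println(Verify(idpPub, sa, "rp.example", "nonce-1", time.Now()))
}
```

Note what the RP learns along the way: del.TMKey is a stable, per-user value that every RP this user visits will see, which is exactly the correlation handle the last bullet in the first list says the model must not inadvertently create. The example makes that concern visible rather than solving it.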

Monday, March 26, 2007

Keylogging & Security

In Identity X-File 0x01, Pam writes about a story in the UK where a 6 year old was able to bring in and install a hardware key logger on an MP's computer in the House of Commons (it was part of a BBC experiment).

I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…

Essentially, a key logger is a Man-In-The-Middle attack on input: it sits between the keyboard and the programs and applications (including login screens) on a computer and captures everything typed. The captured data is then analyzed to pull out useful information such as login credentials, credit card numbers, and other such valuable information.

If the primary concern is login credentials, the "easy" answer is to move to some form of strong authentication that requires hardware assistance (such as a smart card or biometric reader). These usually have communications protections in them to protect against MITM attacks. This isn't so easy to implement across a number of vendors (especially if you try to do it without identity federation networks such as those discussed by the Liberty Alliance's ID-FF and OASIS's SAML 2.0) and, even if you were to do so, the non-credential data entered by the user would still be subject to loss (such as the content of all typed emails, documents, etc.).

I did stumble across one amusing way around loggers (which, IMHO, opens all kinds of other problems) that uses a screen-based keyboard to enter your data by clicking on buttons -- theoretically this is less likely to be picked up by loggers. The problems with this model include:

  • While you click on the keys, your credentials are displayed plain-text on the screen so anyone looking over your shoulder would get them.
  • You are trusting that the party that manages that page is not going to add anything to that page to log your entries (and without looking at the code, there's no easy way to tell).
  • The site is unencrypted, so anyone looking at your network traffic can get the data.
  • The way that you then copy the data to the appropriate application is via the Operating System's copy/paste routines, something that is frequently available to any application and so subject to attack.

I wouldn't recommend using such a solution. Just too many weaknesses for me.

The ultimate answer for key loggers is a Trusted Path (sometimes called "Secure Path"). The trusted path ensures that the user is talking to the application that they think they are talking to (i.e. that there's no MITM listening in). Microsoft talked about doing this in their Next Generation Secure Computing Base (NGSCB) (code-named Palladium), which, at one point was to be part of Vista. However, only a limited set of the NGSCB functionality made it into Vista - the BitLocker drive encryption component.

This problem isn't small and isn't easy to solve, especially when you consider the need for being able to replace keyboards (because they broke, because you want to try a more ergonomic version, etc.). If you make replacement easy, you make MITM easy. If you protect against MITM, you end up making it hard for your users to easily work with their systems (increasing IT maintenance cost).

Thursday, March 22, 2007

Vonage One Year Later

Last year, after one outrageous long distance bill from AT&T for a call to a hotel in Rome, I bit the bullet and jumped into the VOIP world. I signed up for 2 lines from Vonage with unlimited long distance within the US and very reduced charges for international calls. Seemed like a great deal.

I wasn't worried that much about the bandwidth, as I have a T1 line with 1.5Mb/s in each direction that spends most of its time very idle, so bits weren't a problem. I also figured that in this case, contrary to my norm, I wasn't going to be on the bleeding edge, as VOIP had been around for a while and should have had many of the kinks worked out.

However, that wasn't to be the case, and today I took the first steps to move back to the POTS world, which isn't all that hard as I hadn't gotten rid of our primary line. My reasons for the switch back include:

  • Voice quality - we continuously had voice quality problems. First with an annoying echo when calling certain numbers -- worst being my wife's cell phone which made the line pretty useless. Then with people not being able to hear us and having to regularly fall back to our POTS line so that they could. If it was just one call or one party, I could have worked around it, but it was consistent with many people.

    And yes, I worked with tech support at Vonage (including their first level support in India and in several cases with their second level support that seemed to be in the US). There were 4 separate times where I worked with them for like 45 minutes to an hour as they tried one thing and another and required me to go down and reset the switch manually.

    I should have recognized that there would be this kind of issue when their documentation was very clear about "many problems are solved by just power cycling the switch" -- I don't think I've ever power cycled my POTS phone and yet it seems to just work.

    In any case, we never got the audio problems fixed... they would get better for a little while or to a particular number, but shortly, I'd end up with what?... What did you say?... Can you speak louder? (yes, they asked *me* if I could speak louder).
  • Even when we didn't have audio quality problems, we had bandwidth issues (yes, even on a T1). As soon as I started downloading a big file -- and in today's world of multi-megabyte attachments being sent around, this wasn't exactly under my control -- the call started cutting out. This happened even after we downgraded the audio bandwidth to their lowest setting of 30Kbps, which, of course, made the audio quality problems worse.

So I guess I will have to wait a bit further before joining the VOIP revolution.

For now, I've signed up with Verizon's Freedom plan giving me unlimited long distance in the US for a good bit more than what I would pay Vonage ($44 vs $25) and with a few less services, but I have a phone that just works and I don't have to spend lots of time explaining audio to them or go down to my basement to reset the device. I've kept one of my Vonage lines, but downgraded to their $15 plan to deal with transferring back our registered numbers at school and such. Once the switchback is complete, we'll just get rid of that too.

I have friends who have no problems with Vonage. Perhaps they have a better switch... Perhaps they talk to people with better hearing... Or, perhaps they're just more willing to deal with the problems. I don't know.

Wednesday, March 21, 2007

Ignorance exposed

In Oh, the humanity (not sure exactly who it is, the blog post is attributed to "") it is clear that the author has never experienced the pleasures that come from being an elite member in an airline frequent flyer program.

I've never seen anything quite so blatantly designed to appeal to the self-absorption of the emerging upper-middle class. Are those of us who—please, have a hanky ready before you read this next—have absolutely no elite frequent flyer status at all really expected to wail in sympathy at this? That seems a bit rich, particularly if we happen to be (as we so often are) holding the paper in front of us as we shift helplessly from foot to foot on the four-hour airport security line.

As my 13 year old daughter, Lauren, would say "you're just jealous!"

I'm not responding at all to your complaints about the NY Times (even though, as a youngster, my first real money-making job was selling subscriptions to the paper door-to-door, where I typically earned $100/week back in the mid '70s -- pretty darn good salary for a teenager back then), just to your clear lack of experience with privilege and its loss.

It's been less than a month since I lost my United Global Services status and I already miss the fact that a human would answer the phone when I called them, or that I would be met upon arrival at LHR to be escorted to my connection, etc., etc.

Perhaps I too am unreasonably crying, but once you experience these things, it is hard to go back.

Liberty's Advanced Client Technologies

Today, the Liberty Alliance announced the availability of the public draft release of the Advanced Client Technologies specification set.

This is personally pretty important for me because:

  • it is closely related to the Identity Capable Platform research work that I'm doing at Intel (which we demonstrated at the RSA Security Conference in a joint proof-of-concept with British Telecom & Hewlett-Packard)
  • I was the editor of each of the specifications (with lots of great contributions from several other Liberty members -- even Paul, if you can believe that)
  • I was quoted in the press release :-)

The advanced client work is some pretty cool stuff where we are taking the next step in the evolution of powerful client capabilities including:

  • Trusted Module - the IdP can extend itself onto the user's device in a trusted way so that the user's device can act as an extension of the IdP and assert the user's identity independently of an active session with the IdP (for privacy and/or connectivity reasons).
  • Provisioning - functionality can be provisioned over-the-air (or over-the-wire) in a trusted fashion with full life cycle support. So Trusted Modules can be provisioned to devices already in the field.
  • Service Hosting/Proxying - enabling connectivity-challenged devices to be the primary host of services (such as my PDA being my "official" contact book service) while providing a more stable, network-visible proxy that gives access to that service's data either by hosting it locally or by proxying requests to the client service.

This draft release is being done much earlier in the spec evolution process than Liberty has typically done in past specification releases as part of our attempt to be much more open in our specifications development process. I hope that you take some time to look at the specs and provide feedback and/or input. I would recommend starting with the Advanced Client Technologies Overview before digging into the other specifications.

The only negative in all of this is, as Paul surmised, I was unable to figure out a way to insert my blog url ( for those few that don't know) into either the specs or the press release. I'll have to see if I can get that error fixed in the next release.

Tuesday, March 20, 2007

Flight Connection Pain...

After my Liberty TEG meetings last week, I spent the weekend visiting some of the relatives in Ireland. Since that obviously wasn't a part of my business trip, I purchased the tickets to go from London Heathrow (LHR) to Dublin (DUB) independently of my business travel tickets.

In this case, I decided to use British Midland (BMI) since they are a member of the Star Alliance (hoping my status in United would help) and they were a few (like 10 or 20) dollars cheaper.

Well, that was a mistake that I soon found out when I got to LHR to head over to DUB. We had finished the meetings a bit early (around noon) and with a quick drive back to London, I was in the airport at 1 and asked if there was an earlier flight that I could get on. There was. At 5:40 PM. But to get on that flight I would have to pay an additional £200 (about $400), just to get in a few hours earlier. I decided to pass.

Next came my return flight. I was flying BMI to LHR and then United to Dulles. United is a member of the Star Alliance, of course. But BMI refused to check the bags through to Dulles. They would even refuse to check the bag through if the connection was a BMI flight. So, I had to pick my bags up in London, totally exit security and then walk over to Terminal 3 and come back in through check-in and security as if I was originating in London (I could not use the flight connection center, which makes this much easier). This was NOT a fun experience -- but, if it does happen to you, be sure to take one of the baggage carts and put your bags on there for the walk over. Even with wheeled bags I found the cart much easier for the long trip through the tunnels connecting the terminals (and, unlike most airports in the US, the carts are free).

Next time, I will use Aer Lingus. I've used them before and done the earlier flight (yeah, they did charge me £25, but that's much more reasonable) and they do check the bags through for me on the return. I won't get United miles (I'll get American instead) and I won't get my Star Alliance Gold treatment (that only allowed me to use the priority check-in and boarding), but I will get a much, much more reasonable airline.

Thursday, March 15, 2007

Mail Fraud

This week I've been off in the UK (in sunny, friendly Ipswich which is northeast of London) attending a Liberty Alliance Technology Expert Group (TEG) face-to-face meeting. Paul and I have been giving one of the other attendees (who works for Sun, but shall remain nameless) a hard time the entire week about an interesting work item that we want him to take on.

We discussed talking to his boss offline and having our management board reps approach his boss as well and clearly had him worried about the possibility.

So I used my mail server to forge a note from his boss stating:

Robin has advised me that he can no longer participate as the co-chair of the PPEG group within Liberty. Given that Sun needs to maintain its visibility in Liberty for our customer base, Eve and I have spoken and it seems that you would be an ideal candidate to step up as the next Chair of the TEG.

We need to talk further when you're back in town.

We thought about talking directly to Bill afterwards and getting him in on it so he could send a note to the nameless one with a "Why haven't you responded to my mail?" -- perhaps he will read this and do so :-).

Moral of the story: Don't believe email, especially if the sending server isn't within your own domain. George says there should be a Thunderbird plug-in that will red-flag any email coming from one of my domains, but I pointed out that I host like 15 or so domains for friends, so I could easily work around such a restriction.
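The rule in the moral, checked mechanically, as an added example written for this page (it is neither George's proposed plug-in nor anything from the post): parse the message, take the domain the From header claims, and compare it with the host named in the topmost Received line, which the receiving server itself wrote. Mail that claims to come from inside our own domain but was handed over by a host outside it gets flagged. The two messages, the domain example.com, the host names, addresses and subjects are all constructed for the example, not the forged note from the post.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Two constructed messages. In the first, the From header claims a sender in
// example.com, but the topmost Received line (written by our own MX) shows the
// message arrived from a host outside that domain.
const spoofedMail = `Received: from mail.friendshost.example (mail.friendshost.example [192.0.2.10])
    by mx.example.com with ESMTP id 4F2A1C
    for <colleague@example.com>; Thu, 15 Mar 2007 10:00:00 +0000
Return-Path: <boss@example.com>
From: "The Boss" <boss@example.com>
To: colleague@example.com
Subject: Next Chair of the TEG

We need to talk further when you're back in town.
`

// The second makes the same claim but was delivered by one of our own hosts.
const internalMail = `Received: from smtp1.example.com (smtp1.example.com [198.51.100.7])
    by mx.example.com with ESMTP id 4F2A1D
    for <colleague@example.com>; Thu, 15 Mar 2007 10:05:00 +0000
From: boss@example.com
To: colleague@example.com
Subject: Agenda

See you Monday.
`

// receivedFrom picks the host name out of "from host (helo [ip]) by ...".
var receivedFrom = regexp.MustCompile(`(?i)^from\s+([A-Za-z0-9.-]+)`)

// Finding is what a mail client would show or act on for one message.
type Finding struct {
	FromDomain  string // domain the From header claims
	SendingHost string // host that handed the message to our MX
	Internal    bool   // From claims our own domain
	Suspicious  bool   // claims our domain but came from outside it
}

// inDomain reports whether host is domain itself or a host beneath it.
func inDomain(host, domain string) bool {
	host, domain = strings.ToLower(host), strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

func domainOf(addr string) (string, error) {
	a, err := mail.ParseAddress(addr)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return "", errors.New("address has no domain")
	}
	return strings.ToLower(a.Address[at+1:]), nil
}

// Analyze applies the post's rule: a message claiming to be from inside
// ourDomain is suspect when the server that delivered it is not in ourDomain.
// Only the topmost Received line is trusted; lower ones travel with the message.
func Analyze(raw, ourDomain string) (Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Finding{}, err
	}
	from, err := domainOf(msg.Header.Get("From"))
	if err != nil {
		return Finding{}, err
	}
	received := msg.Header["Received"]
	if len(received) == 0 {
		return Finding{}, errors.New("no Received header")
	}
	m := receivedFrom.FindStringSubmatch(strings.TrimSpace(received[0]))
	if m == nil {
		return Finding{}, errors.New("cannot parse topmost Received header")
	}
	f := Finding{FromDomain: from, SendingHost: strings.ToLower(m[1])}
	f.Internal = from == strings.ToLower(ourDomain)
	f.Suspicious = f.Internal && !inDomain(f.SendingHost, ourDomain)
	return f, nil
}

func main() {
	for _, raw := range []string{spoofedMail, internalMail} {
		f, err := Analyze(raw, "example.com")
		fmt.Printf("%+v %v\n", f, err)
	}
}
```

Checking the host that actually delivered the message, instead of blocklisting known outside domains, sidesteps the objection in the post: someone hosting fifteen domains can send from any of them, but none of them is inside the recipient's domain. Only the topmost Received header is examined because the ones below it arrive with the message and can be forged as easily as the From line. SPF standardizes a comparison of this kind, made by the receiving server against the claimed domain's published policy.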

Monday, March 12, 2007

GPS, timezones, and patents

I've had a lot of experience using my cool gadget-of-the-week Nuvi 670 on trips over the past 3 weeks (east coast US, west coast US, Bristol UK, and Ipswich UK -- yes, all of that in the past 3 weeks!) and techie though I am, I am still quite impressed by how well it works, especially with all the roundabouts in England.

However, one thing that bothers me with this unit is that the time is continuously reported in my originally configured EST/EDT. So, upon arriving in the UK yesterday, the anticipated arrival time in Ipswich showed as 5AM rather than 10AM.

Why doesn't the unit automatically adjust the clock for the local timezone (or at least have an option to do so)? It's not like the unit doesn't know where I am at any given moment. It's not like the timezone maps are all that complicated -- hey it has *road* maps and speed camera POIs which I'm sure are much more variable and complex.

Looking at Garmin's web site I found the following timezone FAQ:

Q. How do I get local time displayed? What about daylight-saving time?

A. GPS units operate on UTC time. UTC is the Universal Coordinated Time or Greenwich Mean Time (GMT). You can input a local offset (or difference) from UTC so that the unit will display your local time. This option is located under the unit's operational setup. A chart is provided in products' owner's manuals to help you select the appropriate offset for your area. If needed, the chart will also show the UTC offset during daylight-saving periods. New Garmin GPS units allow you to select the time zone you are currently in or select a time zone for a projected location by selecting from one of eight U.S. time zones or 24 international time zones. You may also turn an adjustment for daylight saving to auto, on, or off.

So, no mention of automatic adjustment.

Given that this is such an obviously useful feature, I wondered if the reason for the lack of the feature was because of our oft-maligned patent system. A quick search in the US published patents turned up a patent #5,089,814 assigned to Motorola:

A portable receiver has a time of day clock and receives a signal indicative of the location of the portable receiver. The portable receiver has a memory which has a plurality of locations with corresponding time zones. Upon reception of the location signal, the receiver determines the time zone of the location and the time zone of the time of day clock. The time of day clock is then adjusted to correspond to the time zone of the location. The location signal may also be used to adjust the operating frequency of the receiver.

This feels like another one of those patents that don't rise above what one would consider the non-obviousness bar, but which made it through the patenting system anyway. No offense meant for Motorola or for the inventors, as this is how the patent system works and if you don't play the game according to the rules set by the US PTO, you lose.

Note that I have no clue if this particular patent is the reason or even if that patent would really read on GPS systems (the patent was developed for paging systems, not GPS systems), but given the obvious match of GPS and automatic timezone adjustment, I have to assume that there's something holding back that feature and the most likely culprit is our patent system.

Thursday, March 08, 2007

No Child Left Behind

The No Child Left Behind (NCLB) program holds schools responsible for the progress of each student's education. At first glance, this seems like a good idea and, of course, nobody wants to have children grow up without getting an adequate education.

However, education, especially for younger students, is not something that is completely in the hands of a school. The formula for success of a student's education includes the student themselves as well as the student's family. The NCLB program makes no allowances for the fact that while the school is doing all that they can to help educate the child, the child may not care or, in some cases, their family may not care and may even stand in the way of their child getting adequate assistance.

In Virginia, each year schools use the Standards of Learning tests to measure the progress made by students. The problem here is that the student has no skin in the game until they get to high school. In Middle School, if the student passes or fails, it doesn't matter. They are still promoted to the next grade -- the test is just used as a measure of the school's performance. This lack of skin in the game means that some students, once they recognize this, don't study or otherwise help prepare themselves for the test and when taking the test, don't even try to do well.

Family life, which has the biggest impact on student success, is not considered at all in NCLB. In fact because of the segregation of student groups, traditional minority groups which have a strong cultural drive for education (Chinese, Indian, Japanese, etc.) are purposefully prevented from raising the bar for all minorities. Parents have a responsibility to their children to help them learn the value of a good education and to help them get a good education. With NCLB, Parents who don't do this, who sometimes even make it hard for a student to succeed have no repercussions.

This is coming to a head now because of this formerly little known provision requiring "Adequate Yearly Progress" (AYP) for all groups -- not just the school as a whole. This means that if any of the subgroups don't make adequate year over year progress, the school can be subject to corrective actions. Even the best of schools can be subject to this. Recently the Washington Post ran a story about some good local schools that were taking seemingly drastic moves to meet the requirements for AYP. From the article:

The principal of Earle B. Wood Middle School in Rockville gathered teachers and handed out a list of all the black, Hispanic, special-education and limited-English-speaking students who would take the Maryland School Assessment, the measure of success or failure under the federal No Child Left Behind mandate.

Principal Renee Foose told teachers to cross off the names of students who had virtually no chance of passing and those certain to pass. Those who remained, children on the cusp between success and failure, would receive 45 minutes of intensive test preparation four days a week, until further notice.

Apparently some are concerned about doing this, but, given the position that these schools are in with limited funds, limited time and so much on the line, I think it's appropriate for them to target their resources where those resources will have the biggest impact. However, I don't think that the school should be put into this position. There needs to be a better way than putting everything on the school.

So where does all this leave us? First off, I think that there should be some way to make the students and the parents responsible as well. I'm not sure exactly what to do, but this can't be done just by the schools. The solution has to include families and students.

Tuesday, March 06, 2007

Seat Selection

While I was arranging a future trip to Portland (where my office is), I selected the exit row aisle seat (11C) on the Airbus A320 that would be used for that flight. You can do that (select exit row seating) when making reservations on a United Airlines flight if you are at a Premier Executive or higher level in their Mileage Plus program. I think this is one of the more valuable benefits of being a Premier Executive.

Anyway, later, when the trip was ticketed by our travel department, I went to look at my seats on United's web site and found:

Note that some crazy person had apparently selected the exit row middle seat right next to me, even though there were exit row window and aisle seats still available all over the place. What kind of nut was that? So, I changed my seat to 11D (the aisle seat on the other side of the plane) and went on to the next leg of my trip.

When I later returned to check on the seat, I found:

The idiot had followed me. I had a plane seat stalker...

After switching back and forth a few times and finding that the seat next to me kept being occupied by my stalker friend, I figured out that this is United's way of ensuring that somebody else doesn't sit in the seat next to me until and unless the flight is filled above some level of capacity.

I had heard that they do this, but this is the first time I had some reasonable amount of proof that it actually occurs (surprising that it took me more than a million miles to figure this out, isn't it). My understanding (rumor level only) is that this happens (on purpose) for 1Ks and above.

Of course, this is all probably moot since I'll probably be upgraded before I actually get on the plane :-) -- as evidenced by my Traytable pictures.


Delegation, Impersonation, and downright access

This discussion is going on and on and people are talking about it from all points of view (including Kim, Pete, Dave, Paul, and Eve, who apparently started it all in a conversation with Jim). The conversation seems to be arguing about technical issues, but in reality it is mostly a semantic argument rather than a technical one.

From what I can gather, I think all of the parties agree that:

  • The user can give permission to an entity to do "something" for the user at some later point in time.
  • When this "something" occurs, the entity initiating the "something" needs to be identified as well as the user for whom the "something" is taking place.
  • When this "something" occurs the user does not need to be physically present, online, or otherwise directly involved.

The points of disagreement seem to be in the area of how to refer to this taking place and whether or not this is supported by one protocol or another. I'm not married to the term "user-not-present" (which is physically true, by the way) nor the term "on behalf of", although I do think that both apply to this case. I'm also OK with the term "delegation".

One thing that hasn't been clearly discussed here is the case of real impersonation. There are real world cases where impersonation takes place, such as when an administrative assistant performs some tasks in the name of his boss (like sending flowers to my wife :-) ). I certainly don't want those flowers to indicate that they came from my admin. However, I still think that case is rooted in my admin authenticating as himself to a provider where I have granted permission for him to act in my name (perhaps for a particular set of tasks), so this seems like the same ultimate use case (me defining permissions on some resource I control).

So the last part of the discussion is the protocols. I can state unequivocally that Liberty ID-WSF does in fact fully support this use case and has an explicit definition of all the parties involved in a transaction. Liberty also provides the means for collecting the permissions necessary for the transaction, as well as a means for an entity to indicate to the service provider that it intends to invoke a particular request later in a context where the user will no longer be present (so that the service provider can prompt for any necessary permissions from the user). At Liberty, we painstakingly walked through the entire use case and all of its related messages to ensure that the system would work in that case.

I do not understand how this same (or similar) sequence would be done using the WS-* family of specifications. I am sure it could be done, but I believe anyone doing so would be building a one-off solution that would not interoperate with anyone else's one-off solution, as the protocols don't dictate a standard way to do this (yet). I would like to be wrong here and call on the WS-* guys to stand up and point out how this could be accomplished in a standard way that is expected to be interoperable.


Monday, March 05, 2007

SAML, Liberty and user presence

Clearly Kim Cameron doesn't understand the Liberty Alliance's Identity-based Web Services Framework (ID-WSF) when he states:

One of the main advantages of WS-Trust is that it allows multiple security tokens to be stapled together and exchanged for other tokens.

This multi-token design perfectly supports strong identification of a service combined with presentation of a separate delegation token from the user. It is a lot cleaner for this scenario than the single-token designs such as SAML, proposed by Liberty, or the consequent “disappearing” of the user.

First off, I don't think haphazard combining of tokens is a way of ensuring that the user's desires are followed. So I presume there's something else going on that supports the correct combining of tokens within WS-Trust, not just the fact that I have the two tokens.

Secondly, in SAML (and specifically in ID-WSF's profile of SAML), the method used to connect the user token to the presenter is dictated by the Subject Confirmation within the token. Essentially this says "to use this token, the presenter MUST meet the following condition", and that condition, in many circumstances, is the presentation of proof of possession of a key. This is a clear, specific requirement that securely binds the presentation of the user token to the possession of a particular token by the provider.

Thirdly, we don't generally see the model of the user issuing tokens to a provider (most users I know don't have a clue about how to create a token). The model we used is one of permission-based identity sharing where there are appropriate controls provided by the various parties.

For example, the IdP would have a permission switch available to the user giving them control as to whether or not the service provider is allowed to obtain a token for the user when the user is not actively present (so, I would record at my IdP whether or not the service provider is allowed to get a token for me to talk to my payment service, perhaps because I set up automatic payments for that provider).

There are advantages to this model. First off, the tokens used in any transaction would be short-term tokens rather than long-lived delegation tokens (and as a security weenie, I always like shorter-lived tokens better). Secondly, when and if the user wants to change this decision, they just need to talk to the IdP and not go deal with tokens that they have lying about all over the place.

A second step in this permission-based model is that the payment service itself would store permissions about what the other service provider is allowed to do in that context. I may have stored a permission that says the provider can do anything they want. I may have instead stored a more specific permission that says get an OK from me for any transaction above $x. These permissions would be specific to the service that I'm giving access to.
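To make the Subject Confirmation point concrete (and the short-lived-token point just above), here is an added example that is not part of the original post: a relying party checking a constructed SAML 2.0 assertion whose SubjectConfirmation uses the standard holder-of-key method. The key name, the issuer and the timestamps are made-up sample values, and proof that the presenter actually holds the key (via TLS client auth or a message signature) plus verification of the IdP's signature on the assertion are assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Standard SAML 2.0 confirmation method: the presenter must prove possession
# of the key named in SubjectConfirmationData (bearer tokens carry no such binding).
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample assertion (not from any real deployment). The IdP asserts
# the user and says: only a presenter holding "sp-payments-key" may use this,
# and only for five minutes (a short-lived token rather than a standing delegation).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2007-03-05T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-03-05T10:05:00Z">
        <ds:KeyInfo><ds:KeyName>sp-payments-key</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2007-03-05T10:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def confirm_presenter(assertion_xml, presenter_key_name, now_iso):
    """True only if the presenter (already proven to hold presenter_key_name)
    satisfies at least one SubjectConfirmation in the assertion at time now_iso."""
    root = ET.fromstring(assertion_xml)
    now = _ts(now_iso)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOLDER_OF_KEY:
            continue  # no key binding to the presenter: do not accept
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue  # holder-of-key without KeyInfo names no key to check
        expiry = data.get("NotOnOrAfter")
        if expiry is not None and now >= _ts(expiry):
            continue  # token has expired; the presenter must go back to the IdP
        key_names = [k.text for k in data.findall("ds:KeyInfo/ds:KeyName", NS)]
        if presenter_key_name in key_names:
            return True
    return False
```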

In order to support the collection of these permissions, Liberty has identified specific methods used when the user is present to invoke a service indicating to the provider that the caller intends to invoke this service later when the user is not actively present. This allows the service provider to collect the necessary permissions from the user while the user is around.

One final note: Kim separately claims that the user is actually present when these transactions take place since they consented to their operation at some point in the past. I disagree. Saying that the user is present just because a provider can identify me is a bit of a misleading statement. When my electric company charges my account for my electric bill each month, I am typically asleep and not in any way involved in the transaction. Any identity system that doesn't make that situation clear to all relying parties is, IMHO, wrong. The parties need to know if I'm sitting there instigating this particular transaction or if this is taking place while I'm asleep. Yes, it still should be able to take place while I'm asleep. Yes, it should securely identify who I am in the transaction. But no, it should not look the same as a transaction taking place in the context of a live authenticated session with me directly involved.


Thursday, March 01, 2007

Hotels, Laptops, Passports

If you work for any sizable company, you surely have been subjected to one or more of those information security training sessions that tell you to either keep your laptop with you at all times or to lock it in the hotel safe. Smart advice that is rarely listened to by most of us.

Well, I'm off on a trip to the UK staying at a Holiday Inn hotel in what appears to be a nice relatively rural area outside of Bristol. One of my fellow travelers came back from a joint dinner to find the window in his room smashed in, his computer gone as well as his computer bag.

Unfortunately, he had his passport, car keys and much other stuff within the computer bag and so here he was, stranded in the UK without a passport. Luckily, he still had his wallet with his driver's license and credit cards. He spent much of the next day in the US Embassy in London going through the steps necessary to get a new temporary passport issued (good for one year) just so he could return home (at a cost of approx. $97).

How did this happen? Well, he was in a ground floor room, left the computer on the desk in plain sight with the curtains open. The hotel, which mentioned later that things like this had happened several times recently, had not taken the extra step to warn people staying on the ground floor.

Morals of the story:

  • Close the curtains when you come into your hotel room.
  • Don't leave your laptop in clear view (yeah, you should put it in the safe, but I've only felt it necessary to do that in Rome; perhaps I will be more cautious moving forward).
  • Keep your passport with you! Don't leave it in your room.
  • When given the choice, stay in an upper floor room.
  • One of our fellow travelers also pointed out that when he leaves his room, he puts the "Do Not Disturb" sign on the door handle to make it seem like someone is in the room. Good advice if you ask me.

Luckily we were but an hour and a half from London. If we had been much further away from a US Embassy, it's likely he would not have been able to get things sorted out so that he could go home on time.
