Wednesday, August 30, 2006

P2P Randomized Web Search

The recent exposure of internet search data by AOL has led to lots of interesting discussions about security and privacy and about the fact that search histories frequently have enough information to identify the searcher.

One of my compatriots, Paul Madsen, wrote about TrackMeNot -- a plug-in for Firefox which periodically issues random search queries in order to confuse and obfuscate the real search history of the user.

This type of solution (noise generation) can lead to performance problems and network overload (just imagine the load on popular search engines if everyone used such a tool all the time).

I think a better solution would be to use the great anti-royalty music-sharing P2P model to share the submission of search queries within a large P2P network. When I submitted a search query, a random partner in my P2P network (perhaps even indirected to a subsequent random partner) would be chosen and the search submitted to the search engine through that partner rather than directly from my system. Each query would be submitted through a different random partner.

This would eliminate the traceability while also keeping any one party in the network from building the same kind of data (which is an issue with the other potential solution -- using a proxy to combine multiple users' queries from a single source).
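To make the privacy argument concrete, here is a small simulation I added (it is not code from the post or from TrackMeNot). It compares what a single observer can attribute to one person under three models: direct submission, a shared proxy, and the random-relay P2P scheme described above. The users, queries and the "exposure" metric are constructed for the example; relay selection is simplified to a single hop.

```python
import random
from collections import defaultdict

# Constructed sample data (not from the post): four users, each with a short
# search history. Queries are distinct so attribution can be checked.
USERS = {
    "alice": ["flu symptoms", "divorce lawyer springfield", "change a flat tire"],
    "bob": ["cheap flights dublin", "mortgage rates", "python tutorial"],
    "carol": ["knee surgery recovery", "used cars", "best pizza near me"],
    "dave": ["resume template", "job openings", "interview tips"],
}


def direct_submission(users):
    """Everyone queries the engine directly: the engine can attribute each
    user's complete history to that user."""
    return {"engine": [(user, q) for user, qs in users.items() for q in qs]}


def single_proxy(users):
    """One shared proxy: the engine now only sees the proxy, but the proxy
    operator can attribute everyone's complete history."""
    return {"proxy": [(user, q) for user, qs in users.items() for q in qs]}


def p2p_random_relay(users, rng):
    """Each query leaves through a random peer (never the user's own node).
    Returns (engine_view, peer_view): the engine sees queries keyed by the
    relaying peer's address; each peer sees only the queries it relayed."""
    peers = list(users)
    engine_view = defaultdict(list)   # relay -> [query]
    peer_view = defaultdict(list)     # relay -> [(true_user, query)]
    for user, qs in users.items():
        for q in qs:
            relay = rng.choice([p for p in peers if p != user])
            engine_view[relay].append(q)
            peer_view[relay].append((user, q))
    return dict(engine_view), dict(peer_view)


def max_exposure(view, users):
    """Largest fraction of any one user's true history that a single
    observer can correctly attribute to that user (1.0 = full profile)."""
    worst = 0.0
    for entries in view.values():
        per_user = defaultdict(int)
        for user, _q in entries:
            per_user[user] += 1
        for user, n in per_user.items():
            worst = max(worst, n / len(users[user]))
    return worst


def engine_correct_attributions(engine_view, users):
    """Queries the engine would attribute to the right person if it assumes
    the submitting address is the searcher (always 0 with random relays)."""
    return sum(q in users[relay] for relay, qs in engine_view.items() for q in qs)


def run_simulation(users=USERS, seed=2006):
    """Run all three models once; the seed makes the relay choices repeatable."""
    engine_view, peer_view = p2p_random_relay(users, random.Random(seed))
    return {
        "direct": max_exposure(direct_submission(users), users),
        "proxy": max_exposure(single_proxy(users), users),
        "p2p_peers": max_exposure(peer_view, users),
        "engine_correct": engine_correct_attributions(engine_view, users),
        "engine_view": engine_view,
        "peer_view": peer_view,
    }


if __name__ == "__main__":
    for name, value in run_simulation().items():
        if name not in ("engine_view", "peer_view"):
            print(f"{name:15}: {value}")
```

Direct submission and the single proxy both score 1.0 (some one party can rebuild a full profile), while with random relays the engine attributes nothing correctly and each peer holds only the slice it happened to relay. The load argument from the post also shows up here: every query is still sent exactly once, so the search engine sees no extra traffic.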


Friday, August 25, 2006

335 Identities (and counting)

I ended this week with a total of 335 Internet identities. I count any site that requires a username and password credential as an "Internet identity".

The new identities created this week included:

  • An account at Shannon Airport's Free Wireless - you have to create an account in order to access the free wireless -- first place I've seen require that rather than just a click-through terms agreement. Interestingly, they also required email confirmation (and gave 15 minutes of temporary access in order to do the confirmation, or they would cut you off).

  • An account that I was required to create in order to obtain a discount coupon for Hershey Park, as my kids wanted to go there and the $8.00 discount off of the $45 entrance fee was worth it.

    The registration page had many fields of personal information that one could fill out, although the only required one was the zip code (other than name, email address and password).

Both of these were examples of what I would call identity overkill -- requiring identity when it just wasn't necessary. But they were in possession of a resource that I wanted to use, so I was willing to participate (although an enterprising young man like myself can easily see how to game the system and fake it, even with required email confirmation -- nothing stopping me from having many email addresses).

I think life would be better for everyone if sites only required the association of a user identity when they really needed it for the proper functioning of their site. If VisitPA really needed the zip code for tracking purposes, they could just ask for the zip code without requiring that the user create an "account". Similarly for Shannon Wireless (perhaps they wanted the account to enforce their bandwidth and time limits, but that could just as easily have been done with MAC addresses).


Wednesday, August 23, 2006

Home Sweet Home - Back in the US of A!

Today, I made it back from my trip to Ireland. To catch you up, the trip from LHR to SNN went off without a hitch and no observed differences in security.

However, the return was quite different. Checking in at SNN and the flight to LHR wasn't a big deal (other than checking a bag, which I usually don't do).

But when I got to LHR things went downhill quickly.

First off, I somehow missed the signs for flight connections and ended up coming out of security -- I think they've changed the path since the last time I was there. Once outside in Terminal 1, I had to walk through the seemingly miles of tunnels to Terminal 3 and then come in like I was originating in LHR.

Coming into Terminal 3, there are people stationed at *every* entrance and you have to walk outside to the entrance that is closest to the check-in area for your airline (I ended up walking outside all the way to area G for United -- wasn't that bad since the weather was nice).

After checking in, I went to the FastTrack security entrance for premium passengers and there was a relatively long line there (usually there is no line) and a much longer line at the regular security entrance. While waiting in line there were several people walking up/down asking about liquids/gels and they were aggressively enforcing the baggage size limit (my Targus computer backpack almost didn't make it -- I had to unload and re-arrange a bunch of stuff to get it to fit the required depth (and this with a standard computer backpack case -- the 6 inch depth restriction is very tight for many laptop bags)).

I was able to bring in all of the typical electronics without a problem: noise canceling headphones, MP3 player, portable hard drive, airplane power supply, laptop, mouse, etc., etc.

The rest was pretty much typical security stuff -- take off your shoes & belt, take laptop out of bag, feed all through the x-ray system. I was not selected for a hand pat-down; not sure what the criteria were, but it seemed to be selectively done and not necessarily associated with someone triggering the metal detector alarm.

Once we got to the gate, there was another security line and again people were selected for a hand-search of their hand baggage.

At both the outside security and the gate security, I declared that I had some prescription ointment (a little less than 2 ounces) and they let me through without a problem.

One final note, when the flight arrived in the US, we had to disembark out the back of the airplane onto Dulles's famous mobile lounges which were staffed with 2 immigration officials (in addition to the driver) to ensure we didn't sneak away. One of them mentioned that the plane is searched after we disembark and before the airline personnel are allowed onboard.

I wonder how long this extra security will continue -- they certainly are spending gobs of money on all this manpower, especially in LHR.


Friday, August 18, 2006

Made it to LHR..

While waiting in Dulles, I sat down next to a couple of fellow travelers (Ann & Millie) who just happened to be heading to Shannon as well. So we became traveling partners.. They were heading to Ireland for one of those walking tours, while I am going there to relax with my extended family (no walking tours for me!).

Getting on the plane at Dulles seemed no different other than the signs about not being able to bring liquids and the announcements about if you had bought any liquors at the duty free, you had to drink them before you got on board. There were 2 TSA people there, but they hadn't pulled anyone aside (perhaps they would have if they had

On board the flight, the flight attendant still announced that you weren't to drink any alcohol you brought on board with you (I guess they hadn't heard of the ban).

Otherwise trip was uneventful -- took my ambien and slept till we were preparing to land.

At LHR, being a Global Services member with United, I was met at the plane and they escorted (drove) myself and my traveling partners over to the flight connections center, saving *a lot* of walking.

Another walk through security that didn't seem any different than before (of course, I didn't have the typical 22" roller bag with me -- that probably would have caused a problem).

Now I wait for my flight on Aer Lingus to Shannon... almost there!


Thursday, August 17, 2006

I'm on my way!

I am heading out on my first trip since the terrorist scare last week and, of course, I have to fly through London Heathrow Airport where the current scare is centered and where the strictest security rules were in place, but have since been relaxed some.

For those who aren't aware, the US has issued New Security Procedures which ban any form of liquid or gel from flights. While I haven't found any official statement to this effect, I have seen reports that in some airports this also applied to their gel insoles, so I guess I won't be gellin' on my way to Europe.

The UK initially eliminated pretty much all carry-on baggage (including laptops) but has since relaxed their Security Procedures to allow one carry-on, but it is substantially smaller than what I have been able to carry through previously (my old Samsonite 22 inch bag doesn't cut it any longer).

The combination of the two restrictions has led me to check bags rather than carry them on the plane -- something I usually avoid if at all possible.

So far, so good. I have made it through the security lines here at Washington Dulles Airport (the lines weren't long at all at 3pm).

I did have a small problem... I have a prescription ointment that I needed to bring with me and it had the prescription label attached (which was good as they usually have the label on the outside of the box, which most people throw away and just keep the tube). In any case the tube was 45gm (weight measurement) and the TSA employee wanted to know how many ounces it was.

While the conversion factor is about 28 grams to the ounce, that's the weight ounce (as in 16 ounces to the pound) and not the fluid ounce (as in 16 ounces to the pint) and I'm pretty sure that they were looking for fluid ounces, so I couldn't give her a good answer. Besides, I thought the volume limits were for non-prescription medications.

In any case, they checked the name on the prescription and my ID and let me through with it.

Now I wait at the airport for my flight to London... then a connection to Ireland (that should be an interesting experience -- the connection in london).


Hey, there's plain text too...

In "Let's not forget about the powerpoint", Paul Madsen writes about an article describing a home-grown solution for SSO.

I do love Paul's sense of humor and the depth of his sarcasm and it's clearly at work in his comments on the article. I especially liked:

The following sentence particularly caught my attention.

The Liberty Alliance has churned out a number of PDFs but that seems to be the extent so far of their effort.

I don't know why people are constantly scoping the Liberty Alliance down to the publication of just PDF documents - we are far more than just that. It seems that just because the best known examples of our published material are in PDF, then somehow we get typed as only publishing in PDF.

Fundamentally, the Liberty Alliance defines a marketing framework, a platform on which can be built systems capable of publishing in a variety of formats appropriate to different marketing applications. Any particular publishing run is able to use the Liberty framework in a manner that suits the sort of marketing campaign being targeted. Examples of particular file formats supported by the Liberty framework include Powerpoint, HTML, JPEG, Flash etc and of course, yes, PDF.

There are lots of publishing frameworks that support one or two of the above formats, LAP is, AFAIK, unique in its "publishing format breadth".

He does forget to mention that we also have generated output in the all-important plain-text form as well.

On a more serious note (hard for Paul to be serious at times... just read his blog and you'll see what I mean) there are a number of issues with the yet-another-home-grown-solution-for-sso including:

  • Requiring users to give out their IdP's password at each relying party (even if that party just sends it back to some verification server) is very, very bad for the user as now that second party has their credentials and could act as them (and any employee at that second party can do so as well). Even accidental leaks via log file entries can be very troublesome in this manner.
  • Security analysis for attacks and weaknesses of protocols is not something for the weak at heart... take advantage of the reviews & analysis that have already taken place on the standard specs rather than creating new holes in your own solution.
  • Doing your own solution requires that everyone has to write one-off code and/or integrate your one-off code into their platform -- I know from real world experience while I was at AOL that it is not easy to get other parties to do this -- much better to use an off-the-shelf solution which they may already have in their application platform.
  • I could go on with more, but you should get my point by now... Try to use what's there before you re-invent the wheel yet again. It's a lot less painful that way -- for everyone.

And, while it really pains me to say it, Paul's response to the PDF comment kind of misread the point (probably purposely, like my teenage son does all the time). It wasn't about PDFs vs other formats, it was questioning whether there have been real deployments. I have to say that there have been real deployments, and there are real products shipping today which support the protocols. There is even a conformance program for certifying conformance with the protocols.

I would suggest that anyone trying to solve the SSO problem look at the SAML2 Specifications and if they have questions about how to ratchet it down (select the minimal feature set) for their particular environment, send a note to the saml-dev mailing list (link further down on the same page).
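The first bullet above is the one that bites most home-grown schemes, so here is an added illustration (my own example code, not from the article, Paul's post or any SAML library) of the two patterns side by side: a relying party that collects the user's IdP password and forwards it, versus one that only ever receives a signed assertion from the IdP. A shared HMAC key and a JSON body are assumed stand-ins for the XML signatures and assertion format SAML2 actually uses; the checks performed (signature, audience, validity window, one-time use) are the ones the standard profiles require.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Pattern 1: the home-grown flow described in the article ---------------
# The relying party (RP) takes the user's IdP password and forwards it to a
# verification server. Even an honest RP now holds the credential, and a
# routine log line is enough to leak it.

def homegrown_rp_login(username, password, verify_at_idp, rp_log):
    """Constructed stand-in for the forwarding flow; returns True on success."""
    rp_log.append(f"login user={username} pw={password}")  # credential in RP logs
    return verify_at_idp(username, password)


# --- Pattern 2: the IdP issues an assertion; the RP never sees the password --

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(key: bytes, subject: str, audience: str,
                        ttl: int = 300, now=None) -> str:
    """Called by the IdP after it has authenticated `subject` by its own means.
    The assertion names the RP it is for, expires quickly and carries a
    one-time ID so a captured copy cannot be replayed."""
    now = int(time.time()) if now is None else now
    body = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
            "id": secrets.token_hex(8)}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def rp_verify_assertion(key: bytes, token: str, audience: str,
                        seen_ids: set, now=None):
    """Returns the subject if the assertion is genuine, addressed to this RP,
    inside its validity window and not previously used; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # forged or tampered
        return None
    body = json.loads(_unb64(payload))
    if body["aud"] != audience:                   # issued for some other RP
        return None
    if not (body["iat"] <= now < body["exp"]):    # expired or not yet valid
        return None
    if body["id"] in seen_ids:                    # replay of a captured token
        return None
    seen_ids.add(body["id"])
    return body["sub"]


if __name__ == "__main__":
    log = []
    homegrown_rp_login("conor", "hunter2", lambda u, p: p == "hunter2", log)
    print("RP log now contains:", log[0])
    key = b"constructed-shared-key"           # in practice: a per-RP key
    token = idp_issue_assertion(key, "conor", "https://rp.example")
    print("RP accepts:", rp_verify_assertion(key, token, "https://rp.example", set()))
```

The point of the second half is not the particular token format but the division of labour: only the IdP handles the password, and what the RP stores and logs is a short-lived assertion that is worthless to anyone else once it has been consumed.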


Wednesday, August 16, 2006

The Verification Chain, part 3

Tom Maddox responds to my comments about the Verification Chain.

Cahill is right about the essential weakness of these systems: anyone who knows the answers to the questions they ask in effect becomes you--and could, in some scary science fictional way, take your place in given situations.

However, I'd argue that Cahill misses the point: which is that any workable system of establishing identity that we have now is ultimately unsound, relying on some point of proof as a benchmark from which all other verifications are based. Think: any document that can be presented can be stolen or falsified; any information requested, likewise.

Absent a universal biometric ID system (which would of course have its own problems), we're never certain about someone's identity; we merely have degrees of confidence. The highest official level of confidence that we can attain is "very high confidence in the accuracy of the asserted identity."

While I like a lot of what Tom says (I think we agree on more stuff than it might appear) I don't think I missed the point -- although, perhaps, I didn't make my point strongly enough.

I was trying to say that we need to move away from using published knowledge as a way of identity verification. I suggest that instead we move towards methods where I prove I am in control of something (my bank account, my published phone number, my email address) as a much stronger method (not perfect, but much better than what we do today).

The Paypal example was good for a bank account (I believe it also verifies that the name on the account matches, though I am not sure). Similarly one could verify the name/address/phone number with the published phone information and call that number asking the person to say or keypad enter some sequence proving that they were (at least temporarily) in control of said phone number.

I'd also add that time should be used as a strengthening factor. If I am able to repeatedly (say every year) meet the required proof, as time goes on, it's more likely that I am that person, vs the person who set up a new phone number and new bank account yesterday -- note that I said likely since even I do move from time to time and end up creating a new phone number/bank account.

I'm just trying to get people to think a bit outside-the-box on how to do these things and not rely on the old tried-and-broken model of knowing my mother's maiden name, the city I was born in, or the name of the high school I went to. I think we can all agree that those are pretty bad ways to prove identity given how easy it is to look up this kind of stuff.


Self Service Checkout

In the past few years, most grocery store chains in the US (and perhaps elsewhere) have installed self service checkout stands where the shopper does their own checkout (and sometimes their own bagging of the groceries). These have met with various responses... One of my sisters thinks that she has a second calling as a cashier and loves to whip through such a line. My father, on the other hand, being the union guy in the family, won't get within 10 feet of one as it might put a union worker out of a job. I have to admit that I do sometimes use them, especially when I have my son along with me as he can do the bagging :-), but my primary driver in checkout line selection is which has the shortest line -- I just want out.

Recently, one of our local weekly papers, "The Blue Ridge Leader" (no web presence) carried the following story in their Police Blotter section:

August 2: an ATM Visa bankcard was left at the Food Lion self service checkout and has been used numerous times in Washington and Maryland

This shows that this new "do-it-yourself" solution opens up a new hole for identity "left-it-behind-resulting-in-theft". With a typical cashier, they usually will remind you to take the card when they give you the receipt, or if they don't, they will usually save the card somewhere so that later when you sheepishly call looking for the card, they can tell you it's with the manager.

Moral of the story: Don't leave the store without it (your card). One time, long ago, a friend (yes, I do have one or two of them) mentioned to me how they keep from forgetting their card -- once they take their card out of their wallet, they keep their wallet out and open until the card is put back in the wallet -- and I've since adopted this solution with great success.


Authentication does matter

In "A clafication" Rohan Pinto writes of how his exploit on Kim Cameron's blog was actually an exploit of a bug in Wordpress and not a bug in Cardspace (note that this may be an outright bug in Wordpress, or a bug in how Kim configured Wordpress on his server -- I'm not sure which). Rohan goes on to ask:
However, this still makes me wonder if "authentication" really matters. "infocard" / a.k.a. microsoft cardspace… is all about user control and consent, and enables users to authenticate based on who they claim to be. The issue is that "authentication" helps establish a valid session. Therefore the web application that uses "user controlled" authentication, SHOULD have processes and RULES in place that validate the rights of the user and control what the user can or cannot do.

Authentication does matter and in the case of infocard, the user does have control and consent over where their authentication/identity data is sent. However, they do not have control yet (and this can't be enforced by any client-only solution) over what happens to their data once it gets to the relying party.

Most security folks will tell you that if you can get an account on the system being attacked you're more than 70% of the way to being able to successfully hack into the target system. Most web server applications are designed with this in mind and severely restrict what one can do from a user's logged in account.

In this case, Rohan found a hole, but that doesn't mean we should do away with logins, nor does it mean that we should do away with solutions for my current 333 distinct logins or the ease at which the common user is phished (both of which are things that Infocard are trying to solve).

Access Control is always going to be a responsibility of the entity managing the resource (in this case, Kim's blog is managed by a wordpress installation that he set up on his server, so his server must manage the access control). The selection of the tool to manage the resource will be based upon the reliability of the manager and the value of the resource. I'm sure Kim wouldn't have put his bank account up on wordpress without a lot more testing and perhaps requiring someone else to stand behind it should there be such a problem (and this does explain why banks in many cases were very slow to play on the internet).

What all this really means is that we need to continue to test our solutions and when holes are found, we need to work with the manufacturer of the products to get the holes fixed (preferably before we announce them to the world).


Monday, August 14, 2006

A High School for Western Loudoun

It's amazing how much time, energy, and money a local government can waste working against what many people would say is a good thing.

The Loudoun County School Board has chosen to build a new high school just outside the town limits of Purcellville in western Loudoun County, VA.

Purcellville's leadership and some of its more vocal residents are strongly opposed to the new high school near the town purportedly because of the "additional" traffic it will bring to the town -- even though the vast majority of the students already attend one of 2 schools in/near Purcellville (Harmony Intermediate School -- grades 8 and 9, and Loudoun Valley High School -- grades 10-12).

At first the town threatened to sue the county asserting that their planning commission had to approve the school since it was to be on land that fell within the urban growth area surrounding the town (even though the county had bought the property several years ago for the purpose of schools and public parks and has already built an elementary school on a portion of the property).

This week's Leesburg Today (one of our local papers) carried a story stating that the town has now chosen to assert that they plan to condemn and/or purchase the exact 40+ acres that are planned to be used for the school for a wellfield (a series of wells used to supply water to the town).

The thing that makes this so interesting is that they have the audacity to claim that this decision has nothing to do with the school even though they are passing up several other sites that were recommended with higher priority/preference in a study paid for by the town.

First off, I don't understand how a community can be against adding a school that will relieve some of the worst overcrowding in any of the schools in the county (the only high school in the county with 3 grades instead of the normal 4 grades).

I call on the leaders and residents of Purcellville to work, rather than fight, with the county to figure out what needs to be done to get this to be acceptable to all rather than wasting scarce resources at both the town and county level in fighting what seems to be a clearly losing battle.

The school is necessary, it is on the location appropriately chosen by the school board (the Fields Farm property) and the new school is desperately needed for the 2008-2009 school year. All of this fighting is a waste of everybody's resources and threatens the timely opening of the school.


Sunday, August 13, 2006

Federation and User Centricity

In User Centric Identity is here to stay I wrote:
Ultimately, I would say that federation can be used in both user centric and non-user centric solutions. Federation is a technology/protocol and user centric is an implementation philosophy.
which Kim Cameron picked up and responded with:
I like a lot of Conor's thinking. I agree that use of a managed card in Cardspace should be considered a form of "federation" between the relying party and the identity provider - federation approved by the user.

But I don't quite buy that "federation is a technology/protocol" whereas "user-centric is an implementation philosophy". It doesn't compute given a great deal of work I've been doing lately.

It's clear to me that good "user-centric" experience isn't just an automatic or natural by-product of some other "technology/protocol". In fact, it requires just as much study, just as much thought, just as much coding, and just as much experimentation as protocols do - probably more.

What I'm trying to say here is that it requires technology. In the past we've had a lot of technology that failed miserably at organizing, integrating and rationalizing the user's experience. I've been working on software that I think does a lot better job at this. Why wouldn't Conor call that a technology?

I too like a lot of what Kim says and in fact, I think we agree on many, if not most things related to identity technologies (we haven't spoken politics :-).

I do agree that to implement a good user centric solution you need a lot of technologies to enable a good user experience. I would just say that the fact that you get user centrism out of the product is because of how the technologies were put together rather than the basic technologies themselves, as I could probably use many of them in a very non-user-centric model if I chose to.

I also agree that it does take a whole lot of time, energy, blood, sweat and tears to get a good system (user centric or otherwise) out the door and I was not trying to imply that it wasn't.

I think the two terms are addressing different issues. User centric systems may use federation and they may not (although I would say that most viable user centric systems will use federation). Federated systems may be user centric and they may not be. It all depends upon the needs for the particular implementation.


Thursday, August 10, 2006

User Centric Identity is here to stay

In User Centric is here to stay, Kim Cameron writes:

I agree with Dick on this one, and don't really understand why Brett wants to fold user-centricity and federation into a single axis. They are orthogonal.

Federation technologies aim at helping internet portals, their suppliers, and their enterprise customers (businesses or government) to digitally identify the subjects of their business transactions. This might or might not involve "users" in the conventional sense.

User-centric technology aims at helping individual people organize their relationships with many different and unrelated portals and internet sites - contact relationship management for individuals, as Doc Searls once said.

I think the issue causing the disagreements here is the interpretation of the term "federation" when discussed in an identity context.

Certainly federation can mean groups of businesses working together and this is the traditional meaning of the term in the business community. This meaning would fit with Kim's statement above.

However, in an identity context (as in "identity federation" -- the stuff the Liberty Alliance has been working on since its founding) the term federation was used to describe the sharing of identity information from party A to party B. Party A is usually some party representing the user (acting on the user's behalf) such as an Identity Provider or an Attribute Provider. There is nothing that says whether Party A is an entity operated by the user or by some 3rd party.

In fact, in the Cardspace solution, the process of sending data through an Infocard instance to a relying party would be considered taking place under identity federation, whether the infocard instance was rooted in a local data source or a remote data source.

Ultimately, I would say that federation can be used in both user centric and non-user centric solutions. Federation is a technology/protocol and user centric is an implementation philosophy. When designing a user centric solution, you almost always have to include some form of identity federation, but give the user great control over its use. The converse is not required to be true (although I wouldn't object to it if it was true in any environments in which I played).


Wednesday, August 09, 2006

Identity Provider Availability

This week, I went to create my 330th (yes, three hundred thirtieth) account on the internet. I had gone to register to attend a meeting and was forced to create an ID on ProtectNetwork (but at least the site I was trying to go to was willing to accept an ID from an IdP rather than creating a local ID as most other sites force).

After completing the registration form (not that much information, but it did have one of those pesky secret questions that I dislike so much), I clicked on Submit and got a "Service Unavailable" message that claimed it was because of maintenance or because of too much load.

Several attempts over a non-trivial amount of time to do anything like login, or register resulted in the same message.

That really irked me. An entity that wants to represent themselves as an IdP really needs to achieve close to 100% availability. Without such levels of availability we will never move away from local authentication at every party (and my 330 accounts will continue to grow and grow).

Looking around their site I found their SLA which stated:

99.9999% Network Uptime

9Star Research, Inc. guarantees that its ProtectNetwork.ORG identity provider and authentication network will be available 99.9999% of the time in a given month, excluding scheduled maintenance. Network uptime includes functioning of all network infrastructure elements including routers, switches, firewalls, intrusion detection devices and cabling.

9Star Research, Inc. Guarantee: Upon experiencing downtime, 9Star Research, Inc. will provide ....... to the customer.

While 4 9s of uptime is a laudable goal, I really, really, don't like the "excluding scheduled maintenance" clause as that just opens a door through which one can drive a truck.

I'm not trying to pick on ProtectNetwork, but rather using them as an example of what entities that want to be IdPs can't do if they want this IdP business to succeed. We have to design our systems so that there is no scheduled downtime. Yes, interruptions can occur because of problems outside of one's control. However, the basic applications must be designed so that they can be incrementally upgraded without the need for scheduled maintenance periods.

And, in closing, I do have to admit that after I wrote this, I went back to the site and was able to create my account.


(In)Security Questions

I'm pretty sure you've all seen those pesky security questions (sometimes called a secret question) that we're forced to fill in when we create a new account on many internet sites.

They were invented several (many?) years ago, as a solution for the problem of having to reset a user's forgotten password.

I have also been in discussions where people asserted that, when you give the user a choice of questions, you are increasing the protection from phishing as the phishing site won't know the question.

I think this is all a bunch of hogwash and I recommend strongly against putting any real data inside of your secret questions. I royally hate sites that force me to create one (and many, if not most, are doing so now).

I strongly recommend that you place random data into this field and record the random data someplace safe should you need it later. That random data will prevent someone who just happens to know the name of your first dog, or your mother's maiden name from being able to reset your password and have full access to your account.
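As an added example (my own code, not from the post), here is the recommendation above in practice, from both sides: the user's side generates a random answer instead of a real fact, and the site's side treats that answer as the credential it really is, storing only a salted, slow hash and cutting off guessing after a few failures. The entropy comparison and the lockout threshold are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets

# ---- User side: what the post recommends -----------------------------------

def random_secret_answer(nbytes: int = 16) -> str:
    """A random answer to paste into the 'secret question' field and file away
    somewhere safe. 16 random bytes is ~128 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def guessing_bits(candidates: int) -> float:
    """Entropy in bits of an answer drawn uniformly from `candidates` possibilities,
    e.g. a pet name picked from a list of a few thousand common ones."""
    return math.log2(candidates)


# ---- Site side: the answer resets the password, so store it like a password ---

_SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1}   # constructed parameters for the example


def store_answer(answer: str, salt: bytes = None) -> dict:
    """Record the answer as a salted scrypt hash plus a failure counter.
    Only surrounding whitespace is stripped; no case-folding, so the random
    answer keeps its full entropy."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(answer.strip().encode(), salt=salt, **_SCRYPT)
    return {"salt": salt, "hash": digest, "failures": 0}


def check_answer(record: dict, attempt: str, max_failures: int = 5) -> bool:
    """Constant-time comparison against the stored hash; after `max_failures`
    wrong attempts the record is locked until an out-of-band reset."""
    if record["failures"] >= max_failures:
        return False
    digest = hashlib.scrypt(attempt.strip().encode(), salt=record["salt"], **_SCRYPT)
    ok = hmac.compare_digest(digest, record["hash"])
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


if __name__ == "__main__":
    answer = random_secret_answer()
    print("random answer to store in your password manager:", answer)
    print("bits of guessing work for 10,000 common pet names:", round(guessing_bits(10_000), 1))
    record = store_answer(answer)
    print("correct answer accepted:", check_answer(record, answer))
    print("'Rover' accepted:", check_answer(record, "Rover"))
```

Two things worth noting: a random answer only helps if the site cannot be talked into bypassing the question by a support call, and the lockout on the site side is what turns "someone who knows your dog's name" from a one-shot win into a brute-force problem the site can see in its logs.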


Saturday, August 05, 2006

Yeah, I'm a 27 year old single guy, but should I tell my wife?

In "How old are you, are you single?", my friend Kim Cameron quotes an article in the Business News talking about identity verification services. The article describes the process as:

The Verification Chain

How new identity-verification services work.

  • Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
  • Verification service prompts users to create profiles with details such as their age, address, and occupation.
  • Verification services -- or a separate company -- electronically check data in public-record databases to verify assertions.

At first glance, this verification service looks like a good step forward. However, if you look closely, the process appears to mimic the same procedures that provide the foundation for much of the identity theft that exists to date -- namely, that all I need to do to steal your identity is know a few key pieces of information (which will verify correctly).

I would hope that they start to add stronger verification that the person who "knows" this stuff is actually the person whose data is being verified, something like what PayPal does for bank account verification (deposit two small sums in your account and require you to input the actual deposit values to prove you have access to the account).

We really need to move away from knowledge of basic facts as a verification of identity, especially when many of those facts are published in one form or another.
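The micro-deposit check described above, as an added example that is not part of the original post: the two amounts, the attempt limit, and the expiry window are constructed values, and the comparison is kept constant-time so a verifier cannot leak which amount was wrong.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3               # constructed: unordered pairs of 1..99 cents give only 4950 combos
TTL_SECONDS = 7 * 24 * 3600    # constructed: deposits can take days to post


@dataclass
class DepositChallenge:
    """Two random deposit amounts (in cents) issued for one bank account."""
    amounts: tuple
    issued_at: float
    attempts: int = 0
    verified: bool = False


def issue_challenge(now=None):
    """Pick two independent random amounts between $0.01 and $0.99."""
    now = time.time() if now is None else now
    a = secrets.randbelow(99) + 1
    b = secrets.randbelow(99) + 1
    return DepositChallenge(amounts=(a, b), issued_at=now)


def verify_deposits(ch, claimed, now=None):
    """Return True only if the user supplies both amounts (either order),
    the challenge is unexpired, and the attempt budget is not exhausted."""
    now = time.time() if now is None else now
    if ch.verified or ch.attempts >= MAX_ATTEMPTS or now - ch.issued_at > TTL_SECONDS:
        return False
    ch.attempts += 1               # every guess counts, right or wrong
    if len(claimed) != 2:
        return False
    expected = sorted(ch.amounts)
    got = sorted(int(x) for x in claimed)
    # Fixed-width strings so compare_digest runs in constant time
    if hmac.compare_digest(f"{expected[0]:03d}{expected[1]:03d}",
                           f"{got[0]:03d}{got[1]:03d}"):
        ch.verified = True
        return True
    return False
```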


People Centric Identity

An article written by Dave Kearns discussing the need for cross-device user convenience in identity management solutions stirred a note from Richard Baker...
I read with interest David's article.

His assumption seems to be that we are working with a broadly tech savvy enterprise environment, the "knowledge worker".

What we are finding in our discussions with vendors around strong authentication is an almost complete failure to realise that strong authentication is going to have to be rolled out to the masses. In the UK this means 20M+ people. In the US 100M+ people.

These people come in all shapes, sizes and abilities. When I am presenting to our clients we are very aware that many are planning to roll out systems that will eventually need to be used by people like my mother. She will have to use them, not as a matter of convenience but because that is the way that the system has to work. She is in her 70's and hardly touches the computer in the house.

In the UK this year the banks have just rolled out "chip & pin" for bank card verification. It had to consider real usability issues for the elderly, the blind, those in wheelchairs who had to be able to reach or see the key pad. As an example I recently had to gently steer a solutions designer away from proposing an OTP Token solution for someone whose typical profile was 70 years old, diabetic and probably going blind!

We are moving to a world where we will have to manage risk in a more flexible manner that is able to support every person given their personal capabilities. This is because we are going to have to better manage risk in every transaction, face to face, over the phone and not just online transactions and not just to support the next form of electronic gizmo. We must be aware of this as we design our architectures and solutions.

This is a plea for PEOPLE CENTRIC Identity Management. If we fail to consider people in their diversity, we will fail as vendors and service providers.

Richard brings up a very good point in adding accessibility to the "convenience" argument in the article. Whatever solutions we come up with, we need to ensure that they are convenient to the user as the user sees it, while not giving up practical security measures.

Later in the discussion, someone asked for a description of "PEOPLE CENTRIC" Identity Management. Eric Norman of the University of Wisconsin responded:

Here are some things I would list. (These are for any system, not just identity management).

It means that people can operate the controls of the system without having to know the definitions of arcane words and concepts (the things that geeks love).

It means that taking the path of least resistance leads the operator to doing the "right thing".

It means that it's difficult to make a mistake.

It means that people can understand the controls of the system and are able to predict what they will do.

It means that feedback is always provided about the current state of the system.

It means that the system operates in a manner that matches the operator's internal mental model. Note: this mental model *is not* the same as the model that the developer uses.

It means that people can operate the controls of the system without having a help desk assistant on the line.

It means that the user documentation does not include screen shots!

It means that law 6 is to be obeyed.

Here's another reference.

"The Design of Everyday things", by Don Norman (No relation, by the way).

I like much of what Eric says here... I would add that the concept of what is "right" for one user may be a "mistake" for another (there's no one right answer). I would also say that documentation should be as helpful as possible for each supported environment -- meaning that

When I was at AOL and we were doing the initial architecture of these kinds of things, we always kept in mind the following guidelines:

  • Out of the box, it should work for my mother
  • The rest of us should have a "geek page" we can go to to tweak the behavior
  • The common configurations should be available as settings packages (e.g. UltraParanoid, ParanoidEnough, NotParanoidAtAll :-)).

I'm sure there were other more detailed requirements, but these (especially the first) guidelines helped keep us grounded in what we were "discussing".

I'd also want to point out that this topic, although similarly named, is different from the recent user-centric identity discussions. User Centric Identity is about control of operations; People Centric Identity management is about designing solutions that work for many types of people and are convenient for those people.


Thursday, August 03, 2006

Is NetIDMe the right way to go?

Rob Wilton writes about Net-ID-Me on his blog and raises a few issues about it.

While I agree with the issues he raised, there's another, perhaps more sinister issue in that this appears to be a single centralized provider which can track users and their associations -- the exact same stuff that the privacy folks complained about when Microsoft wanted to do it.

At a minimum, a more federated approach provided by multiple vendors would be better, and a direct user-to-user usage model without a third party (Dick Hardt will love this), perhaps using some form of signed credential like a driver's license, would be better still.

I realize protecting our kids is important to all of us, and I try to do so for my kids, but I have real concerns about this big-brother-in-the-sky solution.


Wednesday, August 02, 2006

What do you mean by "Identity" ?

After spending a non-trivial amount of time discussing terms like Digital Identity, Claims, Digital Subject, etc. and very lawyerly interpretations of the definitions on the Identity Gang Wiki, I thought I would take a step back and talk about how I think about identity and how it should work.

Identity Data

To start, I as a human being (yeah, I'm pretty sure I am one of those) who does interact to some extent in the digital world, have manifested myself in a number of locations (on the order of 300).

In this wide variety of locations I have created, stored or somehow caused to be created data about me or associated with me. For example, my email provider has my email (yes, emails sent to me are a part of my identity data), Amazon has my account details with orders back to the mid-90s, Ebay has my account history and my very important feedback rating (a solid 124 with no negative feedback in the 8 years I've been there, thank you very much!). In addition, all of those locations required me to create some security credential (e.g. username/password) to use to access my identity data (so that bad guys didn't get access to it).

Note that some of this data is not owned/created/asserted by me, but instead some third party's assertion (such as Ebay's Feedback rating -- it wouldn't be worth much if I could just change its value).

This entire conglomeration of data, credentials and all, is what I refer to as Identity Data. The Identity Gang term Digital Subject, I think, refers to the entity to which all this data applies or is related.


Identity is a grouping of Identity Data that is tied together in some way. In today's walled-garden world, the grouping tends to be the Identity Information related to a specific account at a specific provider. So, I see this as me having more than 300 independent identities at all those locations I mentioned earlier.

For many reasons (perhaps something to cover in another story) this situation of multiple independent identities will change over time to a smaller number of identities that share access to the same group of Identity Data. The portions of the Identity Data within an Identity that are visible to any particular party may differ (such that my name and email address might be visible to my blogging site, while my name, physical address, and phone number might be visible to an ecommerce site). Federation is the term used to describe this sharing of identity data with multiple parties. I'll discuss that in more detail below.

This model of sharing the same Identity across multiple parties makes it easier for the user to maintain their data and can also increase the security of the user's data by enabling the user to select some form of strong authentication (or even a good username and password that they don't share elsewhere).

A user may have all of their Identity Data under a single Identity and use that one identity everywhere. My mother is probably a good example of someone who would do this.

A different user may have different sets of Identity Data (which may be duplicated) under different Identities. For example, many of us will have personal Identities and work (or job related) identities. My Identity at Intel is separate and distinct from my identity at home (even though I use the same name in both places). Other reasons for doing this include things such as manifesting a pseudonym or keeping public and private lives separate.


Federation is when I use my Identity (remember: group of identity data) at one provider to establish/use a relationship at a second provider.

Sometimes this relationship is such that the 2nd provider gets a persistent handle for me so that when I return later they can associate my prior actions at their site (perhaps remembering previous orders, or preferences which I've recorded there). This type of federation is common in ecommerce and/or premium service environments and, in most privacy conscious settings, results in the generation of a unique identifier for the user between those two providers rather than using the same identifier at multiple providers.

Federation is also used to describe situations where a persistent handle is not generated for the user. A common example of this is when one party just provides some non-unique data to the second party (such as membership in a group). In such a case, the second party can't tell that the same user has come back (at least not because of these protocols), but is still willing to provide services to the user knowing that they are a member of the group.

I'm not so convinced about the non-persistent thing being called "federation", although I do agree that it's a very useful use case.
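Both federation shapes described above, persistent pairwise handle and handle-less group membership, as an added example that is not part of the original post: the identity provider's key, the user record and the provider names are constructed, and the HMAC-based pairwise derivation is one common way to get a per-provider identifier that two providers cannot join on.

```python
import hashlib
import hmac
import secrets

# Constructed: the IdP's secret for deriving pairwise handles
# (in practice held in a secrets store or HSM, never in source).
PAIRWISE_KEY = secrets.token_bytes(32)

# Constructed sample user store at the IdP: internal id -> identity data
USERS = {
    "user-0001": {"name": "Alice Example", "email": "alice@example.org",
                  "groups": {"customers", "staff"}},
}


def pairwise_handle(internal_id, provider, key=PAIRWISE_KEY):
    """Persistent handle unique to the (user, relying provider) pair.
    Same user and provider -> same handle on every visit; a different
    provider gets an unrelated value, so records cannot be correlated."""
    msg = f"{internal_id}\x00{provider}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def persistent_assertion(internal_id, provider, attributes):
    """Federation with a handle: the provider can recognise the returning
    user and attach orders or preferences to 'subject'. Only the requested
    attributes are released, not the whole record."""
    user = USERS[internal_id]
    return {
        "audience": provider,
        "subject": pairwise_handle(internal_id, provider),
        "attributes": {k: user[k] for k in attributes if k in user},
    }


def group_membership_assertion(internal_id, provider, group):
    """Federation without a handle: only a non-unique claim is released,
    so the provider cannot distinguish this visit from earlier ones."""
    user = USERS[internal_id]
    return {
        "audience": provider,
        "member_of": group if group in user["groups"] else None,
    }
```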
