<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Mark Wahl, CISA</title>
<link>http://www.ldap.com/1/commentary/wahl/</link>
<description>Discussions on organizing principles for identity systems</description>
<copyright>Copyright 2004-2008 Informed Control Inc.</copyright>
<ttl>30</ttl>
<language>en-US</language>
<lastBuildDate>Sun, 15 Jun 2008 20:14:18 +0000</lastBuildDate>
<pubDate>Sun, 15 Jun 2008 20:14:18 +0000</pubDate>
<generator>tcl</generator>
<managingEditor>mark.wahl@informed-control.com</managingEditor>
<webMaster>mark.wahl@informed-control.com</webMaster>
<category>identity</category>
<category>CardSpace</category>
<category>Catalyst</category>
<category>card</category>
<category>Burton</category>
<category>claim</category>
<category>certificate</category>
<category>directory</category>
<category>federation</category>
<category>interoperability</category>
<category>InfoCard</category>
<category>management</category>
<category>metadata</category>
<category>metasystem</category>
<category>OpenID</category>
<category>protocol</category>
<category>SAML</category>
<category>schema</category>
<category>security</category>
<category>standard</category>
<category>trust</category>
<category>Wahl</category>
<category>authentication</category>
<item><title>Microsoft Identity Lifecycle Manager &#x201c;2&#x201d; beta news links (20080614)</title><link>http://www.ldap.com/1/commentary/wahl/20080615_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080615_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Microsoft Identity Lifecycle Manager &amp;#x201c;2&amp;#x201d; beta news links (20080614)&lt;/h3&gt;  &lt;p&gt; The first public beta of &lt;a href="http://www.microsoft.com/ilm2"&gt;Microsoft Identity Lifecycle Manager &amp;#x201c;2&amp;#x201d;&lt;/a&gt; was shown last week at &lt;a href="http://www.microsoft.com/presspass/events/teched/itpros.mspx"&gt;TechEd&lt;/a&gt;. (A Release Candidate is planned for Q4CY2008; RTM in Q1CY2009.)&lt;/p&gt;   &lt;p&gt;This announcement was covered by blog posts from &lt;a href="http://blogs.msdn.com/nickmac/archive/2008/06/12/identity-lifecycle-manager-ilm-2-beta-3-now-available.aspx"&gt;Nick MacKechnie&lt;/a&gt;, &lt;a href="http://nathanlasnoski.spaces.live.com/blog/cns!F7A33F1F9EBD9237!215.entry"&gt;Nathan Lasnoski&lt;/a&gt;, &lt;a href="http://esthermofet.blogspot.com/2008/06/identity-lifecycle-manager-2-beta.html"&gt;John&lt;/a&gt;, &lt;a href="http://galego2.spaces.live.com/Blog/cns!4D725994D1492A33!593.entry"&gt;Sean Bryson&lt;/a&gt; and &lt;a href="http://geekvalley.blogspot.com/2008/06/microsoft-identity-lifecycle-management.html"&gt;Sudeep James&lt;/a&gt;, and in articles in &lt;a href="http://www.networkworld.com/news/2008/061008-microsoft-beta-ilm.html?hpg1=bn"&gt;Network World&lt;/a&gt;, &lt;a href="http://www.eweek.com/c/a/Infrastructure/Identity-and-Access-Management-in-Enterprise-20/"&gt;eWeek&lt;/a&gt;, &lt;a href="http://www.crn.com/software/208403182"&gt;CRN&lt;/a&gt;, &lt;a 
href="http://www.internetnews.com/security/article.php/3752111/Microsoft+Publicly+Betas+ID+Lifecycle+Management.htm"&gt;internetnews.com&lt;/a&gt; and &lt;a href="http://www.itjungle.com/two/two061108-story01.html"&gt;IT Jungle&lt;/a&gt;. &lt;/p&gt;    </description><author>mark.wahl@informed-control.com</author><pubDate>Sun, 15 Jun 2008 14:00:00 GMT</pubDate></item>
<item><title>Trust vs the Distancing Effect (20080418)</title><link>http://www.ldap.com/1/commentary/wahl/20080422_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080422_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Trust vs the Distancing Effect (20080418)&lt;/h3&gt;  &lt;p&gt;Some categories of attacks on identity systems are subversions of trust relationships, in which one party in the system is caused to act based on an incorrect assumption about its own trust relationships: for example, a relying party that accepts an assertion from an issuer it never intended to trust, or a user who presents credentials to a site that merely resembles the one they trust. &lt;/p&gt;  &lt;p&gt; &lt;a href="http://en.wikipedia.org/wiki/Walter_Benjamin"&gt;Walter Benjamin&lt;/a&gt; wrote in "What is &lt;a href="http://en.wikipedia.org/wiki/Epic_theater"&gt;Epic Theatre&lt;/a&gt;? (second version)"  &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;The art of epic theatre consists in arousing astonishment rather than empathy.  To put it as a formula, instead of identifying itself with the hero, the audience is called upon to learn to be astonished at the circumstances within which he has his being.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;     </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 22 Apr 2008 07:00:00 +0000</pubDate></item>
<item><title>RSA Conference 2008 US (20080414)</title><link>http://www.ldap.com/1/commentary/wahl/20080414_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080414_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;RSA Conference 2008 US (20080414)&lt;/h3&gt;  &lt;p&gt;&lt;a href="http://www.flickr.com/photos/90557979@N00/2408819646/" border="0"&gt;&lt;img src="http://farm4.static.flickr.com/3139/2408819646_99569f1f6b.jpg?v=0" height="329" width="500" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt; I was the subject of &lt;a href="http://jacksonshaw.blogspot.com/2008/04/mr-ldap-at-microsoft-now.html"&gt;a recent blog post&lt;/a&gt; by Jackson Shaw; he also took my picture standing next to Angelo at Microsoft Identity and Access stand in the RSA Conference 2008 (US) exhibition:&lt;br /&gt; &lt;/p&gt; &lt;p&gt; &lt;a href="http://bp3.blogger.com/_jpua419xcIc/R_31JlcuYiI/AAAAAAAAF4A/8Shf4hYnB5o/s1600-h/038.jpg" border="0"&gt;&lt;img src="http://bp3.blogger.com/_jpua419xcIc/R_31JlcuYiI/AAAAAAAAF4A/8Shf4hYnB5o/s320/038.jpg" /&gt;&lt;/a&gt;  &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 15 Apr 2008 04:40:00 GMT</pubDate></item>
<item><title>Peer-To-Patent public community patent application prior-art review and Ontology-based translation between directory schemas (20080324)</title><link>http://www.ldap.com/1/commentary/wahl/20080324_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080324_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Peer-To-Patent public community patent application prior-art review and Ontology-based translation between directory schemas (20080324)&lt;/h3&gt;  &lt;p&gt; The &lt;a href="http://www.uspto.gov/"&gt;US Patent and Trademark Office&lt;/a&gt; is currently participating in a &lt;a href="http://www.uspto.gov/web/patents/peerpriorartpilot/"&gt;Peer Reviewed Prior Art Pilot&lt;/a&gt; project, in which applicants for patents classified in the &lt;i&gt;Computer Architecture, Software and Information Security&lt;/i&gt; Technology Center can volunteer their application to be included as one of the 250 applications in the pilot for community (public) review.  The goal of the pilot is to test whether &lt;q&gt;...collaboration can effectively locate prior art that might not otherwise be located by the [Patent] Office during the typical examination process&lt;/q&gt;.&lt;/p&gt;  &lt;p&gt;More information on how to participate in finding and reviewing prior art is on the &lt;tt&gt;&lt;a href="http://www.peertopatent.org/"&gt;www.peertopatent.org&lt;/a&gt;&lt;/tt&gt; web site:&lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Peer-to-Patent involves 1) review and discussion of posted patent applications, 2) research to locate prior art references 3) uploading prior art references relevant to the claims, 4) annotating and evaluating submitted prior art, and 5) top ten references, along with commentary, forwarded to the USPTO. 
The goal of this pilot is to prove that organized public participation can improve the quality of issued patents.&lt;/q&gt;&lt;/p&gt;  &lt;p&gt;&lt;q&gt;Anyone in the public can participate as a reviewer, a patent application facilitator, and by sharing information about the pilot with others. Inventors can submit a qualified patent application for open review. Public participation is crucial to demonstrating the value of openness and making the case for greater USPTO accountability to the technical community. A successful pilot will also make a case for expanding to other subject matter.&lt;/q&gt;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;One of the patent applications open for community discussion on the peer-to-patent web site is my &lt;i&gt;&lt;a href="http://www.peertopatent.org/patent/20080027981/activity"&gt;System and method for ontology-based translation between directory schemas&lt;/a&gt;&lt;/i&gt;, which will be available for comments in this pilot for approximately two more months.  
The application describes&lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;An information processing system comprising a translation from a directory or individuals input source to a state database containing resource description triples, a mapping of the triples in the state database from one ontology class to another, and a translation from the triples in the state database to a directory or individuals output sink.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;The &lt;a href="http://www.peertopatent.org/patent/20080027981/overview"&gt;specification&lt;/a&gt;, &lt;a href="http://www.peertopatent.org/patent/20080027981/illustrations"&gt;illustrations&lt;/a&gt; and information disclosure statements  (&lt;a href="http://www.peertopatent.org/images/ids/20080027981/large/11881893.IDS.1.png"&gt;1&lt;/a&gt;, &lt;a href="http://www.peertopatent.org/images/ids/20080027981/large/11881893.IDS.2.png"&gt;2&lt;/a&gt;, &lt;a href="http://www.peertopatent.org/images/ids/20080027981/large/11881893.IDS.3.png"&gt;3&lt;/a&gt;) are included on the site as well.&lt;/p&gt;  &lt;br /&gt; &lt;object type="image/svg+xml" data="http://www.ldap.com/1/commentary/wahl/20080324_drawing.svg"&gt;&lt;img src="http://www.ldap.com/1/commentary/wahl/20080324_drawing.svg" type="image/svg+xml" alt="drawing sheet 1" /&gt;&lt;/object&gt; &lt;br /&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Mar 2008 03:40:00 GMT</pubDate></item>
<item><title>Documenting microformats processes (20080203)</title><link>http://www.ldap.com/1/commentary/wahl/20080203_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080203_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Documenting microformats processes (20080203)&lt;/h3&gt;  &lt;p&gt;The first book I've seen on microformats is &lt;i&gt;&lt;a href="http://www.microformatique.com/book/"&gt;Microformats: empowering your markup for Web 2.0&lt;/a&gt;&lt;/i&gt; by John Allsopp, published last year. &lt;/p&gt;  &lt;p&gt;The bulk of the book walks through examples of applying many of the existing microformat specification guidelines to annotate typical web page HTML (as shown in a &lt;a href="http://www.friendsofed.com/samples/1590598148.pdf"&gt;sample chapter provided by the publisher&lt;/a&gt; on the &lt;tt&gt;GEO&lt;/tt&gt; and &lt;tt&gt;ADR&lt;/tt&gt; microformats).  One strength of the book is in describing the use of microformats to drive the use of CSS for visual layout of elements. However, some limitations lurk below the surface.  &lt;/p&gt;  &lt;p&gt;Adding metadata structure to a web site should be driven by the value it provides to the intended consumers of that metadata, in making the site easier to locate, navigate or access.  &lt;/p&gt;  &lt;p&gt;In particular, as with the other web 2.0 technologies, microformats are still in their deployment infancy, and for many of the microformat specifications there are few tools which generate them, and fewer sites that make effective use of them.  
As microformats.org exhorts the guideline of &lt;q&gt;humans first and machines second&lt;/q&gt;, it can be difficult to show the value of adding microformat-defined markup to existing HTML content when there are hardly any machine readers which would make use of that content.&lt;/p&gt;  &lt;p&gt;Secondly, early in the book, the author points out the wide proliferation of identifier names, used across web sites in HTML elements which relate the elements to CSS style definitions, as a motivation for microformats.  However, this proliferation also could indicate that there is a broad potential for additional models beyond those described by the existing microformat specifications covered in this book.    Unfortunately, the book only provides a few pages of advice on the process of creating a new microformat specification.  To me, this part of the microformat process can be the most confusing for someone who is focused on industry-specific content.  &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Mon,  4 Feb 2008 02:40:00 GMT</pubDate></item>
<item><title>Metadata in Personal Content Experience (20080128)</title><link>http://www.ldap.com/1/commentary/wahl/20080127_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080127_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Metadata in Personal Content Experience (20080128)&lt;/h3&gt;  &lt;p&gt;Historically, the idea of managing "metadata" in computer systems has primarily been of interest to practitioners of data warehousing or &lt;a href="http://www.ldap.com/1/commentary/wahl/20070718_01.shtml"&gt;professional multimedia content producers&lt;/a&gt;.  Recently, the book &lt;i&gt;&lt;a href="http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470034645.html"&gt;Personal Content Experience: Managing Digital Life in the Mobile Age&lt;/a&gt;&lt;/i&gt; by Juha Lehikoinen, Antti Aaltonen, Pertti Huuskonen and Ilkka Salminen, published in 2007 as &lt;a href="http://en.wikipedia.org/w/index.php?title=Special%3ABooksources&amp;isbn=978-0-470-03464-4"&gt;paperback&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/w/index.php?title=Special%3ABooksources&amp;isbn=978-0-470-51101-5"&gt;Adobe&lt;/a&gt;, argued for the importance of a broader understanding of the value which metadata provides to emerging applications: 2 of the 8 chapters in a book on mobile multimedia applications have "metadata" in the title. &lt;/p&gt;  &lt;p&gt;In one motivating scenario they present, an artist has been taking hundreds of pictures with a digital camera, and frequently uploads her pictures to a photo sharing web site.  While uploading, she adds descriptive labels and notes to her photos as they're going onto that site.  Later, the company that provided the photo sharing web site ceases business.  
She still has all of her photos stored in her computer, but the labels and notes are gone and she has no way of searching her photos: it wasn't clear to her that the metadata she was entering wasn't going to be part of her copy of the image files.  It's unlikely that she'll go through the process of re-tagging all of the images, and now they're just wasted space: directories full of files with arbitrary names &lt;tt&gt;IMG_nnnn.jpg&lt;/tt&gt; without any context.  &lt;/p&gt;  &lt;p&gt;The authors suggest that the traditional models for categorizing and administering metadata have a 'library sciences' flavor that doesn't mesh with the demographics for use of today's media in need of metadata.  The &lt;q&gt;iPod-toting youngsters&lt;/q&gt; are looking for audio files indexed by metadata attributes such as &lt;i&gt;Genre&lt;/i&gt;, &lt;i&gt;Energy&lt;/i&gt;, &lt;i&gt;Hipness&lt;/i&gt;, not &lt;i&gt;Compression algorithm&lt;/i&gt; or &lt;i&gt;Rightsholder&lt;/i&gt;. &lt;/p&gt;  &lt;p&gt;Furthermore, a key problem in their environment, smart phones and other mobile devices, is that the likelihood of someone manually entering any significant amount of metadata while they're importing content (downloading a song, taking a picture) to the device is basically nil, since the user is likely to be (a) on the move, (b) using a device with a greatly reduced keyboard, and (c) not interested or motivated to do so.  However, many existing implementations for automated metadata extraction have been oriented to details not of interest to this category of user. The authors suggest that in particular &lt;i&gt;relational&lt;/i&gt; categories of metadata, which link two or more objects together, and the &lt;i&gt;context of interaction&lt;/i&gt; have not been fully appreciated. &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Sun, 27 Jan 2008 08:00:00 +0000</pubDate></item>
<item><title>Information Assurance for CS undergrads at UT Austin (20080104)</title><link>http://www.ldap.com/1/commentary/wahl/20080104_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080104_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Information Assurance for CS undergrads at UT Austin (20080104) &lt;/h3&gt;  &lt;p&gt;In 2004 the &lt;a href="http://www.cs.utexas.edu/oea/services/media_relations/utcs_spotlights/2004/cias/index.shtml"&gt;Center for Information Assurance and Security&lt;/a&gt; (CIAS) was founded at UT Austin. Their plans included having UT Austin become &lt;q&gt;a National Academic Center of Excellence in Information Assurance Education, participate in a multi-university cybersecurity exercise and competition, and increase collaborations with business, government and academia&lt;/q&gt;.  In the &lt;a href="http://www.nsa.gov/ia/academia/acade00001.cfm"&gt;NSA's National IA Education and Training Program&lt;/a&gt;, institutions wishing to be designated as a &lt;i&gt;National Center of Academic Excellence in Information Assurance Education&lt;/i&gt; are required to be certified for providing courses covering the material of &lt;a href="http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf"&gt;NSTISSI 4011&lt;/a&gt; (&lt;i&gt;National Training Standard for INFOSEC Professionals&lt;/i&gt;) and &lt;a href="http://www.cnss.gov/instructions.html"&gt;one other CNSS standard&lt;/a&gt;.&lt;/p&gt;   &lt;p&gt;In September 2005 the CIAS director &lt;a href="http://www.cs.utexas.edu/%7Echang"&gt;Dr. 
Fred Chang&lt;/a&gt; left UT Austin to be &lt;a href="http://www.itoc.usma.edu/Workshop/2006/Program/Speakers/Chang.htm"&gt;Director of Research at the NSA&lt;/a&gt;, and so I came in to write and teach a new course, CS 378: &lt;i&gt;Information Assurance and Security&lt;/i&gt;, to help the university meet the courseware requirements for NSTISSI 4011. I followed this in the spring of 2006 with another new CS 378 course &lt;i&gt;Computer Security Auditing and Certification&lt;/i&gt; for the requirements of the CNSS standard &lt;a href="http://www.cnss.gov/Assets/pdf/nstissi_4015.pdf"&gt;NSTISSI 4015&lt;/a&gt; (&lt;i&gt;National Training Standard for System Certifiers&lt;/i&gt;).&lt;/p&gt;  &lt;p&gt;Even though these standards had been established with the goal of training specialists charged with protecting the information processing systems of US federal government agencies and incorporated many terms and elements which aren't found outside of this domain, in my first lecture of each class I discussed why I felt that awareness of the concepts and approach of Information Assurance was basic knowledge for practicing computer security scientists and engineers, regardless of whether they were working with government or industry systems:&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;Information Assurance includes considerations for threats that are not deliberate attacks but could still impact information systems, such as acts of nature, and the process of recovery from incidents.&lt;/li&gt; &lt;li&gt;Information Assurance has an emphasis on management, process, and human involvement, and is not focused exclusively on technology.&lt;/li&gt; &lt;li&gt;Deployments of Information Assurance may incorporate multiple disciplines of security, not just computer security but also communications security, operations security, and in some cases emanations or transmission security.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Similarly, in my course for meeting the training requirement of the "certifier" role in the &lt;a 
href="http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf"&gt;certification and accreditation of federal computer systems&lt;/a&gt;, I presented a sceptical approach that &lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;...introduces students to a new approach to computer security: How to look beyond the scare tactics and hype surrounding security and determine how to assess security vulnerabilities and threats, diagnose, and effectively defend against them. The course covers the techniques organizations will use to recognize threats, vulnerabilities and attacks in computer networks. The projects in this course will provide the students with hands-on experience with expert open source tools that are widely used for analyzing networks and detecting intruders, insider attacks and performing computer forensics.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;   &lt;p&gt;A mapping of the material from my two courses and &lt;a href="http://www.cias.utexas.edu/iacoursescontent.html"&gt;related prerequisite CS courses&lt;/a&gt; was submitted to the NSA for review, and in April 2007 the NSA IAD &lt;a href="http://www.nsa.gov/ia/academia/iace.cfm?MenuID=10.1.1.1"&gt;Information Assurance Courseware Evaluation&lt;/a&gt; Review committee notified the &lt;a href="http://www.cias.utexas.edu/"&gt;UT CIAS&lt;/a&gt; that they had achieved courseware certification.&lt;/p&gt;  &lt;p&gt;This spring, &lt;a href="http://www.cs.utexas.edu/~byoung/"&gt;Dr. Bill Young&lt;/a&gt;, who is also teaching CS 361 &lt;i&gt;Introduction to Computer Security&lt;/i&gt;, will again be teaching &lt;a href="http://www.cs.utexas.edu/~byoung/cs378/syllabus378.html"&gt; an Information Assurance course&lt;/a&gt;. He writes in the syllabus that:&lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Our approach will be to cover selected topics from this very broad area of study with the goal of preparing the student to think critically about security from a wholistic perspective, rather than a purely technical perspective. 
Topics may include:&lt;/q&gt;&lt;/p&gt;  &amp;nbsp;&amp;nbsp;&amp;nbsp;1. Introduction to Information Assurance&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;2. Metrics for Information Assurance&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;3. Networking and Cryptography&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;4. Information Assurance Planning and Deployment&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;5. Vulnerabilities and Protection&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;6. Identity and Trust Technologies&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;7. Verification and Evaluation&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;8. Incident Response&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;9. Human Factors&lt;br /&gt; &amp;nbsp;&amp;nbsp;10. Legal, Ethical, and Social Implications &lt;br /&gt; &lt;/blockquote&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Sat,  5 Jan 2008 05:30:00 GMT</pubDate></item>
<item><title>digital identity book recommendation for 2007 (20080102)</title><link>http://www.ldap.com/1/commentary/wahl/20080102_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20080102_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;digital identity book recommendation for 2007 (20080102) &lt;/h3&gt;  &lt;p&gt;For 2007:&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;2007: &lt;a href="http://docs.law.gwu.edu/facweb/dsolove/Future-of-Reputation/"&gt;&lt;i&gt;The Future of reputation: gossip, rumor and privacy on the internet&lt;/i&gt; by Daniel J. Solove&lt;/a&gt;&lt;br /&gt; &lt;table&gt;&lt;tr&gt;&lt;td&gt; &lt;img src="http://docs.law.gwu.edu/facweb/dsolove/Future-of-Reputation/images/book.jpg" height="366" /&gt;&lt;/td&gt;&lt;td&gt; &lt;i&gt;&lt;q&gt;Daniel Solove, an authority on information privacy law, offers a fascinating account of how the Internet is transforming gossip, the way we shame others, and our ability to protect our own reputations. Focusing on blogs, Internet communities, cyber mobs, and other current trends, he shows that, ironically, the unconstrained flow of information on the Internet may impede opportunities for self-development and freedom. 
Longstanding notions of privacy need review, the author contends: unless we establish a balance among privacy, free speech, and anonymity, we may discover that the freedom of the Internet makes us less free.&lt;/q&gt;&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt; &lt;/li&gt; &lt;/ul&gt;   &lt;p&gt;For previous years:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;2006: &lt;a href="http://www.catostore.org/index.asp?fa=ProductDetails&amp;pid=1441306"&gt;&lt;i&gt;Identity Crisis&lt;/i&gt;&lt;/a&gt;&lt;br /&gt; &lt;table&gt;&lt;tr&gt;&lt;td&gt;&lt;img src="http://www.catostore.org/images/products/identity-crisis_130.jpg" height="197" /&gt;&lt;/td&gt;&lt;td&gt; &lt;i&gt;&lt;q&gt;...Jim Harper takes readers inside identification-a process everyone uses every day but few people have ever thought about. Using stories and examples from movies, television, and classic literature, Harper dissects identification processes and technologies, showing how identification works when it works and how it fails when it fails. Harper exposes the myth that identification can protect against future terrorist attacks.&lt;/q&gt;&lt;/i&gt; &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt; &lt;/li&gt;  &lt;li&gt;2005:  &lt;a href="http://www.oreilly.com/catalog/digidentity/index.html"&gt;&lt;i&gt;Digital Identity&lt;/i&gt;&lt;/a&gt;&lt;br /&gt; &lt;table border="0"&gt;&lt;tr&gt;&lt;td&gt;&lt;img src="http://www.oreilly.com/catalog/covers/0596008783_cat.gif" height="236" /&gt;&lt;/td&gt;&lt;td&gt; &lt;i&gt;&lt;q&gt;Network-based, automated services have changed the way businesses operate, but not always for the better. Many companies are more concerned with risk than opportunity. Digital Identity shows how an enterprise-wide identity management architecture can provide security while ensuring that interactions with customers, employees, partners and suppliers are richer and more flexible. 
&lt;/q&gt;&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt; &lt;/li&gt;  &lt;li&gt;2003: &lt;a href="http://www.ldap.com/1/commentary/wahl/20070721_02.shtml"&gt;&lt;i&gt;Hello World: A life in Ham Radio&lt;/i&gt;&lt;/a&gt;&lt;br /&gt; &lt;table&gt;&lt;tr&gt;&lt;td&gt; &lt;img src="http://www.ldap.com/1/commentary/wahl/20070721_t1.gif" height="375" /&gt; &lt;/td&gt;&lt;td&gt; &lt;i&gt;&lt;q&gt;Whenever hams connect on the air for the first time, they exchange specially designed postcards in the mail. These QSL cards are physical proof that the radio contact actually took place. Each ham's card is different, featuring the call sign for his station, details about the call and the gear used, and words and pictures that tell more about himself and his home. &lt;/q&gt;&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt; &lt;/li&gt;   &lt;li&gt;1997: &lt;a href="http://www.amazon.com/Life-Screen-Identity-Age-Internet/dp/0684833484/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1199338214&amp;sr=1-1"&gt;&lt;i&gt;Life on the Screen: Identity in the Age of the Internet&lt;/i&gt;&lt;/a&gt;&lt;br /&gt; &lt;table border="0"&gt;&lt;tr&gt;&lt;td&gt;&lt;img src="http://web.mit.edu/sturkle/www/LifeonScreen.jpeg" height="240" /&gt;&lt;/td&gt;&lt;td&gt; &lt;i&gt;&lt;q&gt;Life on the Screen traces a set of boundary negotiations, telling the story of the changing impact of the computer on our psychological lives and our evolving ideas about minds, bodies, and machines. What is emerging, Turkle says, is a new sense of identity--as de-centered and multiple. She describes trends in computer design, in artificial intelligence, and in people's experiences of virtual environments that confirm a dramatic shift in our notions of self, other, machine, and world. 
The computer emerges as an object that brings postmodernism down to earth.&lt;/q&gt;&lt;/i&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt; &lt;/li&gt;    </description><author>mark.wahl@informed-control.com</author><pubDate>Thu,  3 Jan 2008 05:50:00 GMT</pubDate></item>
<item><title>(fwd) i-card hero ROCKS!!!! (20071230)</title><link>http://www.ldap.com/1/commentary/wahl/20071230_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071230_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;(fwd) i-card hero ROCKS!!!! (20071230) &lt;/h3&gt;   &lt;p&gt; A thank you note email I received this week: &lt;/p&gt;  &lt;blockquote&gt; &lt;p&gt; &lt;i&gt;Dear Mark,&lt;/i&gt; &lt;/p&gt; &lt;p&gt; &lt;i&gt;Thank you very much for getting me the icard hero video game for Xmas!!    i know a lot of my friends have also got it, but i'm not sure how many are really playing it much   &lt;/i&gt; &lt;/p&gt; &lt;p&gt; &lt;i&gt;when i started playing i sucked pretty bad and i just kept practicing pressing the password-on-a-postit button on the controller over and over each time a login came up... but then the "disclosed personal identifying information" stuff started appearing and the Phish Meter went way UP!&lt;/i&gt; &lt;/p&gt;  &lt;p&gt; &lt;i&gt;anyway i'm getting much better now with all the other authenticators...I can even do chords where I have to use two of them at the same time&lt;/i&gt; &lt;/p&gt;  &lt;p&gt; &lt;img src="http://www.ldap.com/1/commentary/wahl/20071230_i3.jpg" height="514" width="686" /&gt; &lt;/p&gt;  &lt;p&gt; &lt;i&gt;My fav one is where you're logged into your work with a vpn but then you have to book personal air travel, and then blog about it at an OpenID-enabled site...  
but i'm still having trouble with that bridge in it where the airline sends ya over to the car rental site...&lt;/i&gt; &lt;/p&gt;  &lt;p&gt;&lt;i&gt;so thanks - i have to go practice some more - conor is coming over and he says he can play like 237 different identities in a row so we'll see!&lt;/i&gt; &lt;/p&gt;  &lt;p&gt; &lt;img src="http://www.ldap.com/1/commentary/wahl/20071230_i6.jpg" /&gt; &lt;/p&gt; &lt;/blockquote&gt;    </description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 31 Dec 2007 06:59:00 GMT</pubDate></item>
<item><title>Assimilation (20071128)</title><link>http://www.ldap.com/1/commentary/wahl/20071128_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071128_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Assimilation (20071128) &lt;/h3&gt;   &lt;p&gt;Organization change: I am now a &lt;i&gt;Senior PM Architect&lt;/i&gt; for identity lifecycle management (part of the &lt;a href="http://www.microsoft.com/windowsserver2003/technologies/idm/default.mspx"&gt;identity and access product suite&lt;/a&gt;) at &lt;a href="http://www.microsoft.com/"&gt;Microsoft Corporation&lt;/a&gt;.&lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Thu, 29 Nov 2007 05:00:00 GMT</pubDate></item>
<item><title>7,302,439 (20071127)</title><link>http://www.ldap.com/1/commentary/wahl/20071127_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071127_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;7,302,439 (20071127) &lt;/h3&gt;  &lt;p&gt;&lt;i&gt;Information model mapping with shared directory tree representations &lt;/i&gt;&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;A registry service is described which uses a partitioned publisher assertion recording and accessing scheme. A publisher assertion regarding a relationship between entities (e.g., business or other types of entities) is encoded within a directory information tree in a memory. The publisher assertion includes publisher assertion part nodes corresponding to entity nodes in the directory information tree. The publisher assertion is complete if all publisher assertion parts corresponding to entities in the relationship are present in the directory information tree. The service may include a network including directory servers and registry servers. The publisher assertions are manipulated by authorized publishers and accessed by users using a variety of techniques, the operations of which are performed by such parties and/or are encoded upon computer-readable media.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;table border="0"&gt; &lt;tr&gt;&lt;td&gt;Inventors:&lt;/td&gt;&lt;td&gt;Gadbois; David Gregory (Austin, TX), Wahl; Mark (Austin, TX)&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;Assignee:&lt;/td&gt;&lt;td&gt;Sun Microsystems, Inc. (Santa Clara, CA)&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;Filed:&lt;/td&gt;&lt;td&gt;June 28, 2002&lt;/td&gt;&lt;/tr&gt; &lt;/table&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 27 Nov 2007 08:00:00 +0000</pubDate></item>
<item><title>Bob Blakley on outsourcing to the identity oracle (20071122)</title><link>http://www.ldap.com/1/commentary/wahl/20071122_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071122_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Bob Blakley on outsourcing to the identity oracle (20071122) &lt;/h3&gt;  &lt;p&gt;&lt;a href="http://notabob.blogspot.com/"&gt;Bob Blakley&lt;/a&gt; of the &lt;a href="http://www.burtongroup.com/"&gt;Burton Group&lt;/a&gt; was recently interviewed by &lt;a href="http://www.forumone.com/"&gt;Forum One Communications&lt;/a&gt; on "&lt;a href="http://interviews.forumone.com/content/interview/detail/729/"&gt;User-centric identity: Platforms, trade-offs, and next steps&lt;/a&gt;".  &lt;/p&gt;  &lt;p&gt; He was asked how the Identity Oracle approach might succeed where previous attempts to operate outsourced identity providers (&lt;a href="http://findarticles.com/p/articles/mi_qa3649/is_200009/ai_n8923067"&gt;Tidepoint?&lt;/a&gt;) have not been successful: &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Compliance mandates create financial risk for organizations which collect identity data but don't protect it. This means that there is now - for the first time really - a business cost to the collection and use of identity information. 
The core notion behind the Identity Oracle is that the [Identity] Oracle can be a business which specializes in handling identity information, and because it specializes it can do a better job than its customers, and because it does a better job it can do the job at a lower cost, and because it can do the job at a lower cost, it can charge its customers less than they would pay to do the job in-house and still make a profit.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Fri, 23 Nov 2007 03:10:00 GMT</pubDate></item>
<item><title>Closing ICANN Comment Period on WHOIS (20071027)</title><link>http://www.ldap.com/1/commentary/wahl/20071027_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071027_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt;Closing ICANN Comment Period on WHOIS (20071027) &lt;/h3&gt;  &lt;p&gt; From the &lt;a href="http://www.icann.org/public_comment/#whois-comments-2007"&gt;ICANN public comment page&lt;/a&gt;: &lt;/p&gt;  &lt;blockquote&gt; &lt;p&gt; &lt;q&gt;Explanation: A Whois taskforce convened in June 2005 completed its work and sent a final report to the GNSO Council in March 2007. In that report, a majority of members endorsed a proposal called the "Operational Point of Contact" (OPOC). Under OPOC, every registrant would identify a new operational point of contact and the registrant's postal address, city, and postal code would no longer be displayed. The operational point of contact's name and contact information would be displayed instead, and it would replace the administrative and technical contacts.&lt;/q&gt;&lt;/p&gt;  &lt;p&gt;&lt;q&gt;Expanding on that work, the GNSO Council in March created a Whois working group to examine three issues and make recommendations on them ... The &lt;a href="http://gnso.icann.org/drafts/icann-whois-wg-report-final-1-9.pdf"&gt;working group's report&lt;/a&gt; [pdf] was published on 20 August 2007. On 6 September 2007, the GNSO Council approved a resolution for further public comment on the report with the intention to lead to a vote on the issue on 31 October 2007 during the Los Angeles ICANN meeting... Public comments are invited on both of the GNSO Council's Whois reports and recommendations referenced above and summarized in the Final Staff Overview of Recent GNSO WHOIS Activity of 11 October. 
Please comment on the Whois Task Force and Working Group Reports, the 11 October &lt;a href="http://gnso.icann.org/drafts/icann-staff-overview-of-whois11oct07.pdf"&gt;Final Staff overview of Recent GNSO Whois Activities &lt;/a&gt;[pdf] and the 11 October &lt;a href="http://gnso.icann.org/drafts/gnso-whoiswg-report-staff-implementation-notes-11oct07.pdf"&gt;Staff Implementation Notes on the Whois Working Group Report &lt;/a&gt;[pdf] .&lt;/q&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt; &lt;a href="http://forum.icann.org/lists/whois-comments-2007/"&gt;Comments&lt;/a&gt; will be taken until 00:00 UTC (17:00 PDT) on 30 October 2007.&lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Sat, 27 Oct 2007 07:00:00 +0000</pubDate></item>
<item><title>52 What-ifs of Identity Science Fiction (20071004)</title><link>http://www.ldap.com/1/commentary/wahl/20071004_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071004_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; 52 What-ifs of Identity Science Fiction (20071004) &lt;/h3&gt;  &lt;p&gt; The &lt;a href="http://wiki.idcommons.net/moin.cgi/IdFutures"&gt;Id Futures&lt;/a&gt; ad-hoc working group of the &lt;a href="http://wiki.identitycommons.net/"&gt;Identity Commons 2&lt;/a&gt; currently has a list of 52 possible events on its Wiki. This list was used to shape a discussion of &lt;i&gt;The Future of Convergence in Internet-Scale Identity Systems&lt;/i&gt; at the recent Digital ID World.  These events are &lt;b&gt;not&lt;/b&gt; intended to be predictions or even necessarily desirable outcomes, merely tools for scenario planning. &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Thu,  4 Oct 2007 16:10:00 GMT</pubDate></item>
<item><title>OT Frivolous Blog and Clothing Store (20071003)</title><link>http://www.ldap.com/1/commentary/wahl/20071003_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071003_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; OT Frivolous Blog and Clothing Store (20071003) &lt;/h3&gt;  &lt;p&gt;I'm moving topics which are not relevant to identity management to a  &lt;a href="http://www.zetona.org/markwahl/"&gt;Mark Wahl frivolous blog&lt;/a&gt; &amp;nbsp;&lt;a href="http://www.zetona.org/markwahl/rss.xml"&gt;&lt;img src="http://www.ldap.com/1/commentary/wahl/xml.gif" border="0" alt="RSS" /&gt;&lt;/a&gt;&amp;nbsp;&lt;a href="http://www.zetona.org/markwahl/sioc.xml"&gt;&lt;img src="http://sioc-project.org/files/sioc_button.gif" border="0" alt="SIOC" /&gt;&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt; Also in honor of the anniversary of the launch of &lt;a href="http://en.wikipedia.org/wiki/Sputnik_1"&gt;Спутник-1&lt;/a&gt;, the &lt;a href="http://www.zetona.com/"&gt;Zetona Clothing&lt;/a&gt; &lt;a href="http://www.zetona.com/bigscience/"&gt;Big Science and Little Kids&lt;/a&gt; clothing store offers for sale infant and toddler clothing with a space exploration theme.  &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.zetona.com/bigscience/"&gt;&lt;img src="http://www.zetona.com/bigscience/img/bsalk20071001f.jpg" alt="infant clothing" border="0" /&gt;&lt;/a&gt; &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Wed,  3 Oct 2007 16:00:00 GMT</pubDate></item>
<item><title>Gartner Magic Quadrants for User Provisioning (20071002)</title><link>http://www.ldap.com/1/commentary/wahl/20071002_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20071002_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Gartner Magic Quadrants for User Provisioning (20071002) &lt;/h3&gt;  &lt;p&gt; The "Gartner Magic Quadrant for User Provisioning, 2H07" published last August is online in both &lt;a href="http://mediaproducts.gartner.com/reprints/oracle/150475.html"&gt;HTML&lt;/a&gt; and &lt;a href="http://www.sun.com/software/products/identity/2h07.pdf"&gt;PDF&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;Two areas of "market immaturity" that Gartner highlighted which are technical limitations of many existing user provisioning products are role management, and user-provisioning audit and reporting.&lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue,  2 Oct 2007 15:30:00 GMT</pubDate></item>
<item><title>Digital ID World presentation on CardSpace in credit card txns (20070925)</title><link>http://www.ldap.com/1/commentary/wahl/20070925_06.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070925_06.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World presentation on CardSpace in credit card txns (20070925) &lt;/h3&gt;   &lt;p&gt;Sid Sidner of ACI Worldwide presented "Online Payments using Information Cards" at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;).  This presentation followed from a post &lt;a href="http://tootallsid.blogspot.com/2006/12/infocard-and-e-commerce.html"&gt;"InfoCard and e-Commerce"&lt;/a&gt; he made to &lt;a href="http://tootallsid.blogspot.com/"&gt;his blog&lt;/a&gt; in December 2006.&lt;/p&gt;  &lt;p&gt;He mentioned several enhancements he had requested of Microsoft individuals to be made in future versions of the InfoCard protocols, such as &lt;/p&gt;  &lt;ul&gt; &lt;li&gt;the use of the "question mark" symbol in URIs should terminate matching, and &lt;/li&gt; &lt;li&gt;multiple issuers should be allowed in a WS-SecurityPolicy element.&lt;/li&gt; &lt;/ul&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Sep 2007 23:00:00 GMT</pubDate></item>
<item><title>Digital ID World presentation on LDAP in media asset metadata management (20070925)</title><link>http://www.ldap.com/1/commentary/wahl/20070925_05.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070925_05.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World presentation on LDAP in media asset metadata management (20070925) &lt;/h3&gt;   &lt;p&gt;Chuck Hurst of Scripps Networks presented "Assigning Identities to Enterprise Assets" at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;).  As a media company (HGTV, Food Network, etc.), they observed that they were likely to experience an exponential growth of media "object" assets in the next few years, even though they were anticipating only linear growth in the number of TV episodes they manage. (A single episode might incorporate many snippets of different forms of media objects: video clips, music, stills, graphics, etc., and many of these objects are valuable as they can be reused). At the time, they had 2.5 million objects for 50,000 archived episodes.&lt;/p&gt;  &lt;p&gt;The approach to managing these objects uses the &lt;a href="http://dublincore.org/"&gt;Dublin Core&lt;/a&gt; as the basis of their media object metadata model, and they store the index in an LDAP directory service. They chose LDAP over a relational database approach due to the directory server's fast search, built-in replication, and other reasons. 
In their pilot scale testing of 9 physical server systems running eDirectory 8.8 storing 100 million objects, they saw they could achieve a sustained rate of 9000 reads/sec, or 33 modifies/sec.  Their custom directory-enabled management application, the Scripps Asset Registry (SAR), is deployed with the Spring framework in a servlet container, and they tested that their application could perform 3000 reads/sec. &lt;/p&gt;  &lt;p&gt;Their production deployment has 160,000 broadcast assets as of March 2007, and they are in the process of merging 20,000 non-linear assets in October 2007.  Their SAR deployment is integrated in their enterprise search infrastructure, and they are considering integrating with the nonlinear editing software tools in the future.&lt;/p&gt;  &lt;p&gt;An advantage of this system is that a particular media asset might have multiple identifiers assigned to it.  For example, external content providers might have assigned their own identifiers to media objects they license to Scripps Networks.  &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Sep 2007 21:20:00 GMT</pubDate></item>
<item><title>Digital ID World keynote by Jamie Lewis (20070925)</title><link>http://www.ldap.com/1/commentary/wahl/20070925_04.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070925_04.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World keynote by Jamie Lewis (20070925) &lt;/h3&gt;    &lt;p&gt;&lt;a href="http://www.burtongroup.com/AboutUs/ExecMgt.aspx"&gt;Jamie Lewis&lt;/a&gt; of the Burton Group provided the second day keynote at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;).   Some of the observations included that&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;&lt;p&gt;The starting point for an enterprise beginning an identity management deployment is still the same, as most products require a directory infrastructure, and &lt;q&gt;data linking and cleansing is relevant to any IdM project&lt;/q&gt;.&lt;/p&gt;&lt;/li&gt;  &lt;li&gt;&lt;p&gt;In the provisioning space, there's no product that provides data synchronization and workflow equally well, and provisioning deployed primarily for compliance won't necessarily provide an enterprise account management function.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;p&gt;Identity-as-a-service within the organization has a few deployments, but is inhibited by governance issues and lack of mandate. &lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;p&gt;The applicability of federation has been overstated in the market, as &lt;q&gt;ubiquity is preposterous with today's technologies&lt;/q&gt;, due to these technologies' requirements for tight cross-party coordination hindering scale, and their trust issues.  
&lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;p&gt;Claims (in theory) could help with deployment, as they could allow authoritative sources to emerge, but coordination and trust problems remain.&lt;/p&gt;&lt;/li&gt;  &lt;li&gt;&lt;p&gt;Emerging authentication technology is still being designed and positioned for tech-savvy users, and the user experience might not be appropriate for typical web users, as he illustrated with &lt;a href="http://www.ibiblio.org/Dave/Dr-Fun/df9807/df980703.jpg"&gt;the Doctor Fun cartoon&lt;/a&gt;.&lt;br /&gt; &lt;img src="http://www.ibiblio.org/Dave/Dr-Fun/df9807/df980703.jpg" width="640" height="480"&gt; &lt;/p&gt;&lt;/li&gt;  &lt;/ul&gt;      </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Sep 2007 17:12:00 GMT</pubDate></item>
<item><title>Digital ID World Liberty Alliance IDDY Awards (20070925)</title><link>http://www.ldap.com/1/commentary/wahl/20070925_03.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070925_03.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World Liberty Alliance IDDY Awards (20070925) &lt;/h3&gt;    &lt;p&gt;The &lt;a href="http://www.projectliberty.org/"&gt;Liberty Alliance&lt;/a&gt; &lt;a href="http://www.earthtimes.org/articles/show/news_press_release,185202.shtml"&gt;announced&lt;/a&gt; at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;) the four winners of the 2007 Identity Deployment of the Year (IDDY) award: eBIZ.mobility, the New Zealand Government, NTT Labs and Rearden Commerce. &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.blogger.com/profile/07365195237862694751"&gt;Chuck Mortimore&lt;/a&gt; accepted the award on behalf of &lt;a href="http://www.reardencommerce.com/"&gt;Rearden Commerce&lt;/a&gt;.  Congratulations, Chuck!&lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Sep 2007 16:40:00 GMT</pubDate></item>
<item><title>Digital ID World and OpenID URLs (20070925)</title><link>http://www.ldap.com/1/commentary/wahl/20070925_02.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070925_02.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World and OpenID URLs (20070925) &lt;/h3&gt;  &lt;p&gt; There were numerous blog announcements of France Telecom mentioning support for OpenID in their session "Advanced Identity Management in Telco environnement: Challenges of multi-play Identity Convergence" at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;).  Some of the caveats discussed did not seem to find their way into some of the existing blog posts, such as  &lt;/p&gt;  &lt;ul&gt; &lt;li&gt;&lt;p&gt;France Telecom/Orange have not yet announced their support for OpenID to their DSL or mobile customers.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;p&gt;The ability to get an OpenID is likely to be marketed just to the &lt;q&gt;techie&lt;/q&gt; subsegment (~15%) of their customers, and it is anticipated that some segments of their customer base will never be interested in OpenID, in particular as the idea of having to remember and enter a long, arbitrary URL in web forms is a significant barrier to gaining access to a service, as compared to the behind-the-scenes SSO the customers might be more familiar with. &lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;p&gt;That OpenID requires the user to enter a personally-identifying URL at arbitrary Relying Party web sites raised privacy concerns for France Telecom. 
France Telecom did not auto-assign OpenIDs to their customers, as it would have exposed their existing customers' user identifiers (currently private to the customer-FT relationship).  A customer might not wish to be required to have their userid become exposed in an OpenID URL.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;p&gt;The 'right hand side' user-specific identifiers in France Telecom OpenID URLs will be short text words, and these will be assigned on a first-come-first-served basis with no correlation required to the customer's identifier they use at FT/Orange web sites.  The first France Telecom customer who decides to get the OpenID URL "...&lt;tt&gt;/john&lt;/tt&gt;" will get to have "&lt;tt&gt;/john&lt;/tt&gt;".  It was predicted that there will be "trading of the France Telecom OpenIDs on eBay", so it's not particularly clear what value these OpenIDs will provide to relying party sites for authentication purposes over any other arbitrary OpenID identity provider. &lt;/p&gt;&lt;/li&gt; &lt;/ul&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Sep 2007 16:20:00 GMT</pubDate></item>
<item><title>Digital ID World and an EAP-SIM PoC (20070925)</title><link>http://www.ldap.com/1/commentary/wahl/20070925_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070925_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World and an EAP-SIM PoC (20070925) &lt;/h3&gt;  &lt;p&gt;At the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;) &lt;a href="http://conorcahill.blogspot.com/"&gt;Conor Cahill&lt;/a&gt; of Intel presented the &lt;a href="http://www.intel.com/technology/systems/stl/"&gt;Intel system technology lab&lt;/a&gt; project "Identity Capable Platform" (&lt;a href="http://download.intel.com/technology/systems/icp_project_brief.pdf"&gt;ICP&lt;/a&gt;), which could participate in one or more identity metasystem protocol models.  &lt;/p&gt;  &lt;p&gt;According to &lt;a href="http://www.projectliberty.org/liberty/content/download/2740/18393/file/IntelIdentityCapablePlatform.pdf"&gt;a 2005 presentation&lt;/a&gt;, the ICP is a trusted environment adjoining the desktop/device operating system, comprising an identity manager and one or more manageable identities (iMIDs).  Multiple iMIDs, for biometric, smartcard, username/password etc., could be 'stacked' to provide multi-factor authentication.   The identity manager could provide identity sources to an InfoCard identity selector, by enumerating the iMIDs on the platform which meet the requirements for WS-Trust.  &lt;/p&gt;  &lt;p&gt;He mentioned a BT/HP/Intel joint Proof-of-Concept exercise in which the trusted module was a soft-SIM.  
In this PoC, a laptop automatically authenticates to wireless access points using &lt;a href="http://en.wikipedia.org/wiki/EAP-SIM"&gt;EAP-SIM&lt;/a&gt;, without needing user interaction (although the user could be involved if required, e.g., by stacking an iMID which involves entering a PIN). &lt;/p&gt;     </description><author>mark.wahl@informed-control.com</author><pubDate>Tue, 25 Sep 2007 15:40:00 GMT</pubDate></item>
<item><title>Digital ID World panel on interoperability partners, and developer difficulties (20070924)</title><link>http://www.ldap.com/1/commentary/wahl/20070924_05.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070924_05.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World panel on interoperability partners, and developer difficulties (20070924) &lt;/h3&gt;  &lt;p&gt;A panel on (Microsoft-centric) &lt;a href="http://conference.digitalidworld.com/2007/30.php"&gt;"Identity Interoperability: A Discussion of Partners"&lt;/a&gt; at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;) highlighted one of the failings of the identity management technology industry as a whole: the developer interfaces.&lt;/p&gt;  &lt;p&gt;Historically, an ISV/third party application developer that wished to do something other than maintain its own embedded username/password database, something that would ease the process of deploying their application in large enterprises, would be told to "just get the data from LDAP".  The LDAP API was comparatively simple, SDKs were available on multiple platforms, and an application could get by with just an &lt;tt&gt;ldap_open()&lt;/tt&gt; and a &lt;tt&gt;ldap_search()&lt;/tt&gt; or &lt;tt&gt;ldap_bind()&lt;/tt&gt; call (although there were numerous subtleties and gotchas).  
With a little bit of work, the ISV could build their product that would be functionally independent of whether the enterprise had a Sun directory server, a Microsoft directory server, or something else.&lt;/p&gt;  &lt;p&gt;Today, there is a proliferation of models (Liberty, Shibboleth, OpenID, InfoCard) with distinct protocols, that provide advanced functionality for authentication and attribute/claims transfer, and these models are intended to support applications that might be deployed as an Internet service.  &lt;/p&gt;  &lt;p&gt;Until recently, an application developer that wished to develop an application that was aware of these services would need to first come up to speed on the language of federation technologies, even if federation in its traditional sense would not be of interest to the developer.&lt;/p&gt;  &lt;p&gt;Some open questions:&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;&lt;p&gt;How much does an application developer need to know about the low-level aspects, such as key exchange, digital signatures, certificate paths, underlying the emerging identity protocols OpenID/SAML/WS-*?  Are there interfaces sufficient that an application developer can be unaware of these aspects of a protocol and still build a successful, interoperable and auditable identity-aware application?&lt;/p&gt; &lt;/li&gt; &lt;li&gt;&lt;p&gt;What interfaces will be available in the popular development languages that are identity-protocol-agnostic?  Hardcoding OpenID, or SAML, or WS-* interchanges in an application seems to be as problematic as hardcoding LDAP calls. &lt;/p&gt; &lt;/li&gt; &lt;li&gt;&lt;p&gt;The panel discussed the use of security token service (STS) components for claims transformation.  
It is not yet known what the difficulty will be of implementing and deploying a STS to support a particular application.&lt;/p&gt; &lt;/li&gt;  &lt;li&gt; &lt;p&gt;As &lt;a href="http://bobmorgan.org/"&gt;RL "Bob" Morgan&lt;/a&gt; has reminded us, claims transformers are gateways, and &lt;/p&gt; &lt;p&gt;&lt;blockquote&gt;&lt;q&gt;No message was ever improved by a gateway.&lt;/q&gt; -- Einar Stefferud&lt;/blockquote&gt;&lt;/p&gt; &lt;/li&gt;  &lt;/ul&gt;    </description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 24 Sep 2007 23:20:00 GMT</pubDate></item>
<item><title>Digital ID World: Convergence of Internet-scale Identity Systems (20070924)</title><link>http://www.ldap.com/1/commentary/wahl/20070924_04.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070924_04.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World: Convergence of Internet-scale Identity Systems (20070924) &lt;/h3&gt;  &lt;p&gt;I'll be on a panel entitled &lt;a href="http://conference.digitalidworld.com/2007/30.php#24R3-1405"&gt;"The Convergence of Internet-scale Identity Systems"&lt;/a&gt; at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;). &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;A lot of folks refer to it as "the big bang" - that anticipated moment when interoperability and convergence happen around internet-scale identity systems. Some claim the big bang is right around the corner, others aren't so sure.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;The panel will be discussing several exemplary scenarios that significantly affect the future of digital identity and identity systems.  These scenarios were derived from a planning activity reviewing possible future events documented and characterized at a meeting of the &lt;a href="http://wiki.idcommons.net/moin.cgi/IdFutures"&gt;ID Futures&lt;/a&gt; proto-working-group of the Identity Commons.  
These events are not predictions, but merely tools for enabling further discussion:&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;&lt;i&gt;networks of trusted individuals compete with corporations as players in identity-dependent transactions&lt;/i&gt;&lt;/li&gt; &lt;li&gt;&lt;i&gt;personal data on US citizens anchored to trustees when used in European Union transactions&lt;/i&gt;&lt;/li&gt; &lt;li&gt;&lt;i&gt;virtual world contact addresses are accepted as commercial billing addresses&lt;/i&gt;&lt;/li&gt; &lt;li&gt;&lt;i&gt;the wide deployment of facial recognition limits public anonymity&lt;/i&gt;&lt;/li&gt; &lt;li&gt;&lt;i&gt;Internet access legislated by many countries to be authenticated and so cannot be anonymous &lt;/i&gt;&lt;/li&gt; &lt;li&gt;&lt;i&gt;forgeries of government-defined digital identities lead to lack of confidence&lt;/i&gt;&lt;/li&gt; &lt;/ul&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 24 Sep 2007 19:20:00 GMT</pubDate></item>
<item><title>Digital ID World keynote: Kim Cameron on claims (20070924)</title><link>http://www.ldap.com/1/commentary/wahl/20070924_03.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070924_03.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World keynote: Kim Cameron on claims (20070924) &lt;/h3&gt;  &lt;p&gt;Kim Cameron of Microsoft presents "Why Claims will Change Everything" at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;). &lt;/p&gt;  &lt;p&gt;Traditionally, the enterprise identity management system has been a "single source of truth".  This capability is limited, however, by the numerous silos: silos by operating system, by application, by enterprise, by services, by networks, and by access control subsystems. Other problems he mentions inherent in this silo/mesh model include:&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;that entities such as users &lt;q&gt;want to obtain a service, not be defined by a service&lt;/q&gt;,&lt;/li&gt; &lt;li&gt;end-to-end policy-based controls are incompatible with silos, and&lt;/li&gt; &lt;li&gt;needlessly difficult to combine services from multiple systems.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt; Mr. Cameron proposes applying the "WS-* combinational pattern" to identity.  As Dave Kearns wrote earlier on a &lt;a href="http://www.identityblog.com/?p=767"&gt;"toy model"&lt;/a&gt;, &lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;So by creating a Legonic Identity System (LIS?) we have one which can put together identity data in various ways to fit the conditions of the moment. 
Relying Parties, Identity Providers and User Agents can work together to construct sets of Identity Claims from all of the available pieces of identity data.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;with his goals being&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;enabling claims-based application data to cross enterprise boundaries, in which assertions might be detached from the trust infrastructure, &lt;/li&gt; &lt;li&gt;supporting cross-vendor architectures, and &lt;/li&gt; &lt;li&gt;meeting requirements for user-centered systems to simplify mashups and transfer of control.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;He describes "convertible claims" as &lt;q&gt;an assertion which is in doubt&lt;/q&gt;, as there may be multiple sources of claims being presented at a component, and that through the intervention of claims transformers, some of these claims are converted into "actionable claims", those claims that a component is willing to act upon after an evaluation step.  &lt;/p&gt;  &lt;p&gt; His taxonomy of claims includes &lt;/p&gt;  &lt;table border="1"&gt; &lt;tr&gt;&lt;td&gt;static claims&lt;/td&gt;&lt;td&gt;for traditional attribute types&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;relationship claims&lt;/td&gt;&lt;td&gt;indicating connections between entities&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;derived claims&lt;/td&gt;&lt;td&gt;less "leaky" than static claims&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;capability claims&lt;/td&gt;&lt;td&gt;claims for authorization&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;td&gt;meta-claims&lt;/td&gt;&lt;td&gt;claims about the subject&lt;/td&gt;&lt;/tr&gt; &lt;/table&gt;  &lt;p&gt;The claims vision suggests that claims transformers could perform transformations on the format of claims (e.g., changing a claim of one form to another, such as "24 years old" to "over 18"), on their contents, as well as on their trust points (e.g., changing a claim to be sourced by one authority to be sourced by another authority recognized by a relying 
party).  &lt;/p&gt;  &lt;p&gt;However, even though these tie into the InfoCard transaction model (in particular that the RP, IdP and Identity Selector components are jointly responsible for a transaction, as there are mutual vetoes for claims), this convertible claim model is somewhat beyond what is achievable with deployed InfoCard technology.  While InfoCard protocols and guideline documents mention the use of Relying Party Security Token Services (RP-STS) agent services on the Internet, these services operate under the control of the Relying Party, and only transform claims on behalf of the Relying Party web server or web service.  There is not yet a model in InfoCard for claims transformation on behalf of the identity selector or identity provider services, independent of the relying party. &lt;/p&gt;  &lt;p&gt;Furthermore, the claims representation in InfoCard is still very limited as compared to a SAML assertion, in particular that there are not yet standards for the metadata about claim types, or the ability to describe the relationships between claims (e.g., that a claim "am over 18" is derived from a claim "is 24 years old" without needing to reveal the content of the source claim).  I also observed that there wasn't a taxonomic category in their slides for dynamic and time-limited claims, so representing dynamic data in the claims format might still be problematic for some time to come.  &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 24 Sep 2007 17:20:00 GMT</pubDate></item>
<item><title>Digital ID World keynote: Managing the Decentralization of Identity (20070924)</title><link>http://www.ldap.com/1/commentary/wahl/20070924_02.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070924_02.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World keynote: Managing the Decentralization of Identity (20070924) &lt;/h3&gt;   &lt;p&gt;&lt;a href="http://www.searls.com/dochome.html#Bio"&gt;Doc Searls&lt;/a&gt;, in his presentation on "Managing the Decentralization of Identity" at the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;), presented several vendor relationship issues affecting digital identity, including &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;private social networks do not make a marketplace&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;First, that existing social networks are &lt;q&gt;walled gardens&lt;/q&gt;.  Second, the "users" in most major social networking services are not the customers: the collection of users is merely the enabler for the relationship between the social networking service and the advertisers.  Thus, activities enabling better user-driven integration between services might undercut this actual customer relationship. &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;own the customer&lt;/q&gt; is analogous to slavery&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt; In a marketplace, the independence of the customers is their ability to make choices between vendors, which runs counter to the idea of customer lock-in.  In the VRM model, Mr. 
Searls suggests that building relationships between customers and vendors will be a better foundation for defining tools that enable markets, than tools driven by transactions or traditional CRM. &lt;/p&gt;    </description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 24 Sep 2007 17:00:00 GMT</pubDate></item>
<item><title>Digital ID World opening keynote (20070924)</title><link>http://www.ldap.com/1/commentary/wahl/20070924_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070924_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Digital ID World opening keynote (20070924) &lt;/h3&gt;  &lt;p&gt;At the &lt;a href="http://www.digitalidworld.com" rel="tag"&gt;DIDW&lt;/a&gt; conference (&lt;a href="http://conference.digitalidworld.com/2007/" rel="tag"&gt;DIDW2007&lt;/a&gt;, co-hosted by &lt;a href="http://www.csoonline.com/"&gt;CSO&lt;/a&gt;), Phil Becker in his opening keynote discusses his "three waves of digital identity in the enterprise": &lt;/p&gt;  &lt;ul&gt; &lt;li&gt;&lt;i&gt;the first wave&lt;/i&gt; (past): location, as determined by physical presence-based security and private networks, is an implicit "proxy" for security, and identity is submerged in email address books and networks, &lt;/li&gt; &lt;li&gt;&lt;i&gt;the second wave&lt;/i&gt; (present): the growth of public networking decreases the capability of location to be used to provide security, but identity transforms security from a "siege mentality" to "allow access by authorized users", and with digital identity adding stronger authentication and providing increased visibility for meeting compliance requirements, and starts to enable end-user self-service, and&lt;/li&gt; &lt;li&gt;&lt;i&gt;the third wave&lt;/i&gt; (future): drivers of promiscuous interconnection of networks and self-service lead to interconnections of identity systems and drives the use of &lt;i&gt;managed but decentralized digital identities&lt;/i&gt; to support new experience-driven applications.&lt;/li&gt; &lt;/ul&gt;   
</description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 24 Sep 2007 16:30:00 GMT</pubDate></item>
<item><title>Anti-utopian social networking #3 - the real world and its online representation (20070917)</title><link>http://www.ldap.com/1/commentary/wahl/20070917_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070917_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Anti-utopian social networking #3 - the real world and its online representation (20070917) &lt;/h3&gt;  &lt;p&gt;&lt;a href="http://danbri.org/foaf.rdf#danbri"&gt;Dan Brickley&lt;/a&gt; who blogs at  &lt;tt&gt;&lt;a href="http://danbri.org/words/"&gt;danbri's foaf stories&lt;/a&gt;&lt;/tt&gt; wrote last week in his post &lt;a href="http://danbri.org/words/2007/09/13/194"&gt;"The World is now closed"&lt;/a&gt; that one problem with popular social networking service sites such as Facebook is that their software is making the &lt;a href="http://en.wikipedia.org/wiki/Closed_world_assumption"&gt;closed world assumption&lt;/a&gt;: anything the service didn't already have in their database, was false, rather than "unknown".  This assumption causes a service to have a view of the world that an individual didn't exist until that individual became a member of that service.   This is of course incorrect:  &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;A description of me and my friends hosted by a big Web site isn't "my social network". Those sites are just a database containing claims made by different people, some verified, some not. And with, inevitably, lots missing.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Suppose Alice and Bob got married in the 1970s.  A social networking service Foo starts operation in 2006. 
Alice joins the Foo service June 2007; Bob joins that same service Foo in July 2007, and in August 2007 Alice and Bob decide to add the 'spouse' links between their accounts in Foo's database.  Unfortunately, it is likely that Foo will immediately afterward send out an announcement to all of Alice and Bob's friends who have accounts in Foo that "&lt;tt&gt;Alice and Bob are now married. Congratulations!&lt;/tt&gt;".  Mr. Brickley writes &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Syndicating descriptions of the changeable properties of the world, on the other hand, is more slippery since you need to have all other relevant facts to be able to say how the world is right now (or implicitly, how it used to be, before).&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Through &lt;a href="http://technorati.com/tag/DataSharingSummit"&gt;data sharing protocols and mechanisms&lt;/a&gt;, it may become possible for services to assemble better pictures of their subscribers' interactions, by exchanging data with the other services through which their subscribers interact.  But this approach is still limited in what it can provide, and social networking services that assume that everything is going to be available on the web will present a fantasy role-playing game view of the real world, since there's no &lt;a href="http://en.wikipedia.org/wiki/Joint_Test_Action_Group"&gt;JTAG&lt;/a&gt; interface to the minds of individuals, where the social networking 'raw data' resides. 
&lt;/p&gt;  &lt;p&gt;I agree with his recommendation that &lt;q&gt;We need better UI that reflects what's really going on....what we're most missing is a style of end-user UI here that educates users about this world that spans websites, couching things in terms of claims hosted in sites, rather than in absolutist terms&lt;/q&gt;.&lt;/p&gt;  &lt;p&gt;However, while joining a new service and having it pronounce "&lt;tt&gt;you do not have any friends!&lt;/tt&gt;" is disconcerting, might it also be disconcerting for a &lt;i&gt;too accurate&lt;/i&gt; view of real world social networks to be presented?  Most individuals are not used to there being a &lt;a href="http://en.wikipedia.org/wiki/Gossip_columnist"&gt;gossip column&lt;/a&gt; maintained about their life.  Furthermore, might there be an "&lt;a href="http://en.wikipedia.org/wiki/Uncanny_Valley"&gt;uncanny valley&lt;/a&gt;" for social networking services, in which humans reject software that appears to "know too much" about the activity of humans?  The closer the software reaches to actual social skills in its attempts to provide a human-like social ability, the further it might appear to be.   Jean Baudrillard in the paper "&lt;a href="http://www.egs.edu/faculty/baudrillard/baudrillard-simulacra-and-simulation-11-holograms.html"&gt;Holograms&lt;/a&gt;" in  &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/Simulacra_and_Simulation"&gt;Simulacra and Simulation&lt;/a&gt;&lt;/i&gt; writes  &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;The social, the social phantasmagoria, is now nothing but a special effect, obtained by the design of participating networks converging in emptiness under the spectral image of collective happiness.   Three-dimensionality of the simulacrum - why would the simulacrum with three dimensions be closer to the real than the one with two dimensions? 
It claims to be, but paradoxically, it has the opposite effect: to render us sensitive to the fourth dimension as a hidden truth, a secret dimension of everything, which suddenly takes on all the force of evidence. The closer one gets to the perfection of the simulacrum..., the more evident it becomes ... how everything escapes representation, escapes its own double and its resemblance.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;      </description><author>mark.wahl@informed-control.com</author><pubDate>Mon, 17 Sep 2007 18:00:00 GMT</pubDate></item>
<item><title>Data Sharing and fault tolerance (20070909)</title><link>http://www.ldap.com/1/commentary/wahl/20070909_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070909_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Data Sharing and fault tolerance (20070909) &lt;/h3&gt;  &lt;p&gt;One topic which has not seen as wide discussion in the context of the &lt;a href="http://technorati.com/tag/DataSharingSummit" rel="tag"&gt;DataSharingSummit&lt;/a&gt; (&lt;a href="http://www.datasharingsummit.com"&gt;wiki&lt;/a&gt;) has been the ability for data sharing to help provide the users with fault tolerance for social networking services they rely upon.  This is a problem worth addressing as currently a single &lt;a href="http://www.ldap.com/1/commentary/wahl/20070724_01.shtml"&gt;hosting center outage&lt;/a&gt; can shut down multiple independently-operated social network services. Furthermore, that outage shut down an OpenID identity provider (OP), and thus the users of that OP were no longer able to use their OpenIDs to log into services elsewhere which were still online. &lt;/p&gt;  &lt;p&gt; In a fault tolerant distributed system, the system as a whole continues to operate, perhaps in a degraded mode, even when one or more of the components of the system have failed.  Some of the failure modes might include: &lt;/p&gt;  &lt;ul&gt; &lt;li&gt;A temporary outage of one or more services as a backhoe takes out the power or network connectivity to the hosting center.&lt;/li&gt; &lt;li&gt;A component service disappears, never to return, and any data maintained in there is lost.  
For example, the Walmart Hub social networking site went away only a few months after it was launched.&lt;/li&gt; &lt;li&gt;A component service experiences a &lt;a href="http://en.wikipedia.org/wiki/Byzantine_fault_tolerance"&gt;Byzantine failure&lt;/a&gt; and issues erroneous data.  &lt;a href="http://eternaloptimist.wordpress.com/about/"&gt;Pamela Dingle&lt;/a&gt; discussed this in her post &lt;a href="http://eternaloptimist.wordpress.com/2007/07/09/mystery-solved-questions-abound/"&gt;"Mystery Solved; Questions Abound"&lt;/a&gt; that for a few hours in July 2007 &lt;q&gt;the wordpress.com staff installed software that mixed RSS feeds up for some unknown number of blog accounts, resulting in content from one persons' blog being published under the name of someone else&lt;/q&gt;.  &lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;Some of the techniques worth considering would include:&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;Ensure that relying parties (RPs) allow their users to associate multiple independent identities with their 'accounts' at the relying party.  Just as a person in the real world might carry a fallback credit card or ATM card from a different issuing bank than their primary card's issuing bank in case their primary bank blocks their account, a backup identity would permit a user to continue to access their RP even when their primary identity provider (IdP) is unavailable. &lt;/li&gt;  &lt;li&gt;For portal sites which primarily aggregate a user's web data held by sites not affiliated with the portal, permit a page description to be exported to and held by the user on their local devices, so that the user can easily import their page description into a different portal should that become necessary. &lt;/li&gt;  &lt;li&gt;Many of the deployment models today assume that the user must trust their IdPs OP and RPs, and will 'just switch' to a better party should the IdP or RP misbehave.  Unfortunately, these assumptions are not viable in the real world.  
An evil site will not advertise that it is evil.  A well-intentioned site might occasionally experience errors or attacks that cause it to behave badly.  A site might decide to change its policies but the user still has a large volume of data maintained there.  In particular, when a site impersonates one of its users, today this is indistinguishable from the user's own behavior, and these activities can wreck a social network.  Is there a way of recovering trust in a user after a service has impersonated that user?  &lt;/li&gt; &lt;/ul&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Sun,  9 Sep 2007 18:30:00 GMT</pubDate></item>
<item><title>Identity Schema Value Syntax Restrictions at Data Sharing Summit Day 2 (20070908)</title><link>http://www.ldap.com/1/commentary/wahl/20070908_02.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070908_02.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Identity Schema Value Syntax Restrictions at Data Sharing Summit Day 2 (20070908) &lt;/h3&gt;  &lt;p&gt;During the second day of the &lt;a href="http://technorati.com/tag/DataSharingSummit" rel="tag"&gt;DataSharingSummit&lt;/a&gt; the  &lt;a href="http://www.ldap.com/1/commentary/wahl/20070908_01.shtml"&gt;discussion of the initial set of identity schema metadata properties &lt;/a&gt; was continued with a focus on the metadata for an attribute to express restrictions on the value syntax.    &lt;/p&gt;  &lt;p&gt;Use cases for value syntax restrictions include&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;validating attribute values being entered by an end user in a form,&lt;/li&gt; &lt;li&gt;validation of identity attribute values exchanged between services,&lt;/li&gt; &lt;li&gt;transformation of identity attribute values exchanged between services, and &lt;/li&gt; &lt;li&gt;display control: improving the formatting of the display of values based on known constraints of the values.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;For an initial specification of the minimal set of identity schema metadata properties, the low-hanging fruit is providing human and machine readable descriptions of the contents of simple, string-valued attributes in order to support validation of input based on patterns, and information for developers to learn more about how to format values of the attribute.  There is no one format for encoding this description.  
Instead, there are several options which might be viable: regular expressions, XBNF and XML schema formats (of which there are several). &lt;/p&gt;  &lt;p&gt;XBNF is a proposal by Marty Schleiff for encouraging reuse between formal language specifications of formal languages derived from &lt;a href="http://en.wikipedia.org/wiki/Backus%E2%80%93Naur_form"&gt;BNF&lt;/a&gt;, which uses XRI "dollar notation" to provide unique names to symbols.  A specification for this is still under development.&lt;/p&gt;  &lt;p&gt; The discussion also highlighted the value in adding to the set of metadata &lt;i&gt;test case values&lt;/i&gt; as specialized forms of example values which contain edge cases. &lt;/p&gt;  </description><author>mark.wahl@informed-control.com</author><pubDate>Sat,  8 Sep 2007 20:30:00 GMT</pubDate></item>
<item><title>Identity Schema Metadata at Data Sharing Summit Day 1 (20070908)</title><link>http://www.ldap.com/1/commentary/wahl/20070908_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070908_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Identity Schema Metadata at Data Sharing Summit Day 1 (20070908) &lt;/h3&gt;  &lt;p&gt;During a discussion at the &lt;a href="http://technorati.com/tag/DataSharingSummit" rel="tag"&gt;DataSharingSummit&lt;/a&gt; with &lt;a href="http://www.equalsdrummond.name/"&gt;Drummond Reed&lt;/a&gt;, Paul Trevithick and others, I proposed an initial set of identity schema metadata properties chosen from the set listed at the &lt;a href="http://idschemas.idcommons.net/moin.cgi/MetaData"&gt;identity schema metadata wiki page&lt;/a&gt;.  
&lt;/p&gt;   &lt;p&gt;&lt;b&gt;Those properties which have a native pre-existing RDF representation:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;tt&gt;label&lt;/tt&gt;: one line descriptions of the schema element (localizable).&lt;br /&gt;&lt;p&gt;Suitable for display to an end user.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;tt&gt;comment&lt;/tt&gt;: multi-line descriptions of the schema element (localizable).&lt;br /&gt;&lt;p&gt;Primarily for use by application developers.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;equivalence: identifiers of other schema elements of the same kind as this one which are equivalent, differing only in their identifier.&lt;br /&gt;&lt;p&gt;This is to support mapping between organizations which have redefined schemas.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;&lt;tt&gt;seeAlso&lt;/tt&gt;: identifiers of related attributes of interest.&lt;br /&gt;&lt;p&gt;Primarily for use by application developers.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;obsolete/deprecation: an indication of when a schema element was made obsolete by its originator.&lt;br /&gt;&lt;p&gt;Primarily of use for application developers.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;subtype and supertype relations: for indicating specialization of attribute or claim types in a D.A.G.&lt;br /&gt;&lt;p&gt;For example, applications can use this property to determine if a more-specific attribute or claim can be provided to a relying party that is requesting a less-specific attribute.  
E.g., a 'mobile telephone number' might be suitable for a relying party requesting merely a 'telephone number'.&lt;/p&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;b&gt;Those properties which are common across many identity systems (e.g., LDAP, OpenID AX, InfoCard):&lt;/b&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;cardinality: how many values of this attribute or claim can be present in a record holding this attribute/claim.&lt;br /&gt;&lt;p&gt;For example, a minimum and maximum number of values.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;value syntax: an identifier of the syntax of this value.&lt;br /&gt;&lt;p&gt;This would indicate whether a value is a 'string', what form of date, a binary blob, or a complex type which requires specialized encoders/decoders.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;value syntax restriction: for string-valued attributes, a constraint on the pattern of acceptable values.&lt;br /&gt;&lt;p&gt;Constraints on the choice of characters or strings forming the values.  For example, this might be a regular expression or other machine-verifiable pattern.&lt;/p&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;b&gt;The schema metadata properties originally proposed for use in OpenID AX:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;sample value: an example value of this attribute.&lt;br /&gt;&lt;p&gt;Primarily for use by application developers to have data suitable for testing.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;acquisition source: an identifier of an Internet service where a value of this attribute can be obtained.&lt;br /&gt;&lt;p&gt;Primarily for use in applications which are presenting an RP's requirements to the end user.  For example, a site requiring a Yahoo ID might indicate that such an ID can be obtained from Yahoo.&lt;/p&gt;&lt;/li&gt; &lt;li&gt;authority: if there is only a small number of parties on the Internet that can legitimately issue values of this attribute. 
&lt;br /&gt;&lt;p&gt;For example, a 'bigco-employee-number' attribute only is suitable for consideration if issued by a 'bigco' organization service.&lt;/p&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;b&gt;Metadata properties for use in change control:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;originator of the schema: what party proposed the schema definition.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;/li&gt; &lt;li&gt;change history: for example, who made a change, the timestamp of the change, etc.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Drummond Reed, Andy Dale and others also were interested in defining support for properties to support attributes with non-URI identifiers, and indicators for the community consensus on particular sets of schemas.  &lt;/p&gt;  &lt;p&gt;Also, Marty Schleiff requested properties for matching rule id: the identifiers of the matching rules for values of this attribute.&lt;/p&gt;  </description><author>mark.wahl@informed-control.com</author><pubDate>Sat,  8 Sep 2007 17:30:00 GMT</pubDate></item>
<item><title>Identity schema element metadata in RDFa (20070906)</title><link>http://www.ldap.com/1/commentary/wahl/20070906_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070906_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Identity schema element metadata in RDFa (20070906) &lt;/h3&gt;  &lt;p&gt; I've uploaded two specifications for review by the &lt;a href="http://idschemas.idcommons.net"&gt;Identity Schemas working group&lt;/a&gt; of Identity Commons and the &lt;a href="http://openid.net/mailman/listinfo/specs"&gt;OpenID specifications discussions mailing list&lt;/a&gt;.  &lt;/p&gt;  &lt;p&gt;The document "&lt;a href="http://www.ldap.com/1/spec/schema/schema-metadata-basic-retrieval-1_0-01.html"&gt;Identity Schema Element Metadata: Basic Retrieval&lt;/a&gt;" defines a procedure by which a retriever can obtain a description of an identity attribute type, an identity claim type, or an identity schema, from a web site.  This procedure is applicable for some InfoCard claim types, OpenID AX attribute types, and SAML attribute types.  
The returned metadata of the identity schema or schema element is described using RDF and is encoded in RDF/XML or RDFa.&lt;/p&gt;  &lt;p&gt;The document "&lt;a href="http://www.ldap.com/1/spec/schema/schema-metadata-existing-specs-1_0-00.html"&gt;Identity Schema Element Metadata: Existing Specifications&lt;/a&gt;" specifies how existing RDF predicate definitions can be used for describing identity schemas and schema elements.&lt;/p&gt;  &lt;p&gt;Still to be published is "Identity Schema Element Metadata: New Specification", which defines the predicates for the &lt;a href="http://idschemas.idcommons.net/moin.cgi/MetaData"&gt;identity schema metadata&lt;/a&gt; for which there is no suitable existing specification. &lt;/p&gt;  &lt;p&gt;An example RDFa-encoded identity schema is this XHTML, with the RDFa markup in bold&lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;tt&gt; &amp;lt;?xml version="1.0"?&amp;gt;&lt;br /&gt; &amp;lt;html xmlns="http://www.w3.org/1999/xhtml"&lt;br /&gt; &lt;b&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;xmlns:dc="http://purl.org/dc/elements/1.1/"&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;xmlns:owl="http://www.w3.org/2002/07/owl#"&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;xmlns:higgins="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl#"&lt;/b&gt;&amp;gt;&lt;br /&gt; &amp;lt;head &lt;b&gt;about=""&lt;/b&gt;&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;lt;title &lt;b&gt;property="rdfs:label"&lt;/b&gt;&amp;gt;Example schema containing two attribute types.&amp;lt;/title&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;lt;meta &lt;b&gt;property="rdfs:comment"&lt;/b&gt; xml:lang="en" content="This schema has two attribute type definitions: 
patronymic and age." /&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;lt;meta &lt;b&gt;property="owl:versionInfo"&lt;/b&gt; xml:lang="en" content="$1.1$" /&amp;gt;&lt;br /&gt; &lt;b&gt;&amp;nbsp;&amp;lt;link rel="rdf:type" href="http://www.w3.org/2002/07/owl#Ontology" /&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;lt;link rel="owl:imports" href="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl" /&amp;gt;&lt;/b&gt;&lt;br /&gt; &amp;lt;/head&amp;gt;&lt;br /&gt; &amp;lt;body&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;lt;ul &lt;b&gt;about="#patronymic"&lt;/b&gt;&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;&amp;lt;span &lt;b&gt;property="rdfs:label"&lt;/b&gt;&amp;gt;Patryonymic&amp;lt;/span&amp;gt;&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;This is an &amp;lt;a &lt;b&gt;rel="rdf:type"&lt;/b&gt; href="http://www.w3.org/2002/07/owl#ObjectProperty"&amp;gt;OWL ObjectProperty&amp;lt;/a&amp;gt;.&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;This is a sub-property of a&lt;br /&gt; &amp;nbsp;&amp;nbsp; &amp;lt;a &lt;b&gt;rel="rdfs:subPropertyOf"&lt;/b&gt; href="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl#attribute"&amp;gt;Higgins attribute&amp;lt;/a&amp;gt;.&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;/ul&amp;gt;&lt;br /&gt; &lt;br /&gt; &amp;nbsp;&amp;lt;ul &lt;b&gt;about="#age"&lt;/b&gt;&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;&amp;lt;span &lt;b&gt;property="rdfs:label"&lt;/b&gt;&amp;gt;Age&amp;lt;/span&amp;gt;&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;&amp;lt;span &lt;b&gt;property="rdfs:label"&lt;/b&gt; lang="de"&amp;gt;Alter&amp;lt;/span&amp;gt; (German)&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;&amp;lt;span &lt;b&gt;property="rdfs:label"&lt;/b&gt; lang="fr"&amp;gt;&amp;amp;#xC2;ge&amp;lt;/span&amp;gt; (French)&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;Comment: &amp;lt;span 
&lt;b&gt;property="rdfs:comment"&lt;/b&gt;&amp;gt;How old a person is (in years)&amp;lt;/span&amp;gt;&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;This is an &amp;lt;a &lt;b&gt;rel="rdf:type"&lt;/b&gt; href="http://www.w3.org/2002/07/owl#ObjectProperty"&amp;gt;OWL ObjectProperty&amp;lt;/a&amp;gt;.&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;li&amp;gt;This is a sub-property of a&lt;br /&gt; &amp;nbsp;&amp;nbsp; &amp;lt;a &lt;b&gt;rel="rdfs:subPropertyOf"&lt;/b&gt; href="http://www.eclipse.org/higgins/ontologies/2006/higgins.owl#attribute"&amp;gt;Higgins attribute&amp;lt;/a&amp;gt;.&amp;lt;/li&amp;gt;&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;lt;/ul&amp;gt;&lt;br /&gt; &amp;lt;/body&amp;gt;&lt;br /&gt; &amp;lt;/html&amp;gt;&lt;br /&gt;  &lt;/tt&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt; Also, I uploaded a revised draft of the specification "&lt;a href="http://www.ldap.com/1/spec/schema/openid-value-lang-1_0-01.html"&gt;Language Tags for OpenID Values&lt;/a&gt;". That document defines a mechanism by which a party in an identity system using the OpenID protocols can associate a language tag with a string. The input to the mechanism is a language tag and a string value. The output from the mechanism is a UTF-8 encoding of a combination of the language tag and the value. &lt;/p&gt;  </description><author>mark.wahl@informed-control.com</author><pubDate>Fri,  7 Sep 2007 01:30:00 GMT</pubDate></item>
<item><title>Timeline of WHOIS, the original Internet social network service (20070824)</title><link>http://www.ldap.com/1/commentary/wahl/20070824_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070824_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Timeline of WHOIS, the original Internet social network service (20070824) &lt;/h3&gt;  &lt;p&gt;&lt;a href="http://en.wikipedia.org/wiki/WHOIS"&gt;WHOIS&lt;/a&gt; is a very simple protocol, currently defined by Draft Standard &lt;a href="http://tools.ietf.org/html/rfc3912"&gt;RFC 3912 "WHOIS Protocol Specification"&lt;/a&gt; from September 2004.  The client opens a TCP connection to a WHOIS server, sends a single line of text of a request (e.g., a name such as "Smith"), and receives back a human-readable text response.  The original purpose of WHOIS, as it originated in 1982, was to allow anyone on the ARPANET network to search the list of the ARPANET's users, stored in the Network Information Center (NIC) database.  This database was maintained by SRI International on behalf of the US Dept. of Defense: &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;[The Defense Communications Agency] requests that each individual ... who is capable of passing traffic across the ARPANET, be registered in the NIC Identification Data Base.  To register, send full name, middle initial, U.S. 
mailing address (including mail stop and full explanation of abbreviations and acronyms), ZIP code, telephone (including Autovon and FTS, if available), and one network mailbox, via electronic mail to NIC@SRI-NIC.&lt;/q&gt; (RFC 812) &lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Privacy was not a significant concern at the time as the network was under single administrative control with fewer than 50 non-military computers attached to it.&lt;/p&gt;  &lt;p&gt;Today, the WHOIS-accessible database is distributed and encompasses the registration details for second-level Internet domain names.  Each domain has one or more points of contacts: people or organizations who have authority over the domain. Currently, these points of contacts are public: anyone can lookup a domain name and view the names, addresses and phone numbers of the contact people and/or organizations.  As such, the database has been the subject of significant debate over its accuracy (updating obsolete or obviously bogus registration data) and privacy concerns (who should be permitted to view a registration, and under what circumstances?).  Follow-on protocols have been developed to provide richer semantics than WHOIS, e.g. the &lt;a href="http://www.ietf.org/rfc/rfc3982.txt"&gt;RFC 3982 "Domain Registry Type for the Internet Registry Information Service"&lt;/a&gt; protocol defines queries such as &lt;tt&gt;findDomainsByContact&lt;/tt&gt;. &lt;/p&gt;  &lt;p&gt;  The &lt;a href="http://www.ncdnhc.org/"&gt;web site of the noncommercial users constituency&lt;/a&gt; (NCUC) of ICANN Generic Name Supporting Organization participating organizations has a mirror of a &lt;a href="http://www.ncdnhc.org/Whois-timeline.htm"&gt;WHOIS timeline&lt;/a&gt; prepared by  &lt;a href="http://www.internetgovernance.org/people-mueller.html"&gt;Dr. Milton Mueller&lt;/a&gt; and &lt;a href="http://icannwiki.org/Mawaki_Chango"&gt;Mawaki Chango&lt;/a&gt; of the Syracuse University School of Information Studies.  
The timeline covers from the first publication of the WHOIS protocol in &lt;a href="http://www.ietf.org/rfc/rfc0812.txt"&gt;RFC 812&lt;/a&gt; (March 1, 1982), to the &lt;a href="http://blog.internetgovernance.org/blog/_archives/2007/8/22/3174023.html"&gt;contentious&lt;/a&gt; &lt;a href="http://gnso.icann.org/drafts/icann-whois-wg-report-final-1-9.pdf"&gt;final outcomes report&lt;/a&gt; of the ICANN WHOIS Working Group 2007 (August 20, 2007), with links to relevant documents in the evolution of WHOIS-fronted data services. &lt;/p&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Sat, 25 Aug 2007 03:30:00 GMT</pubDate></item>
<item><title>Identity research presentations at Hotsec: Horton, user-based attestation and opportunistic personas (20070823)</title><link>http://www.ldap.com/1/commentary/wahl/20070823_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070823_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Identity research presentations at Hotsec: Horton, user-based attestation and opportunistic personas (20070823) &lt;/h3&gt;  &lt;p&gt; One of the presentations at the recent &lt;a href="http://www.usenix.org/events/hotsec07/"&gt;2nd USENIX workshop on Hot topics in security (Hotsec 2007)&lt;/a&gt; was on &lt;a href="http://www.erights.org/elib/capability/horton/"&gt;Horton&lt;/a&gt;. Horton is a part of an &lt;a href="http://en.wikipedia.org/wiki/Object-capability_model"&gt;object capability&lt;/a&gt; system and provides &lt;q&gt;identity-based tracking and control for delegating responsibility with authority&lt;/q&gt; (from the &lt;a href="http://www.erights.org/elib/capability/horton/paper/index.html"&gt;paper&lt;/a&gt;). In the &lt;a href="http://www.erights.org/elib/capability/horton/horton-talk.pdf"&gt;presentation "Delegating Responsibility in Digital Systems: Horton's "Who Done It?""&lt;/a&gt;, Mark S. Miller (Google Research), Jed Donnelley (LBNL/NERSC) and Alan H. Karp (HP Labs) discuss scenarios in which pairs of &lt;q&gt;identity tunnels&lt;/q&gt; (e.g., Alice - Bob and Alice - Carol), can be used to build a new tunnel (Alice introduces Carol to Bob, so that Bob - Carol).  
Carol might however believe that Bob is merely a pseudonym for Alice, and additional parties are used to disaggregate Bob and Alice (Dave has tunnels to Carol and to Bob, and from this Carol joins the "Bob" identity she heard from Alice with the "Bob" identity she heard from Dave). &lt;/p&gt;  &lt;p&gt; The paper "Turtles all the way down: research challenges in user-based attestation" by Jonathan M. McCune, Adrian Perrig, and Arvind Seshadri (CMU/CyLaB) and Leendert van Doorn (AMD) highlights a problem with the TCG remote attestation model.  A client system connects to a server system somewhere on the Internet.  The server can determine that the client is out of conformance (e.g., wrong software, malware present), but does not have a way of informing the client's user of this situation, since any such malware on the client could ignore the warning message from the server and display a "all OK, type in your password" message to fool the user.  The authors propose a hypothetical "iTurtle" device, such as USB fob, which the user plugs in to each of their client systems.  The iTurtle verifies the client system's configuration, displays the status of that system's verification to the user (e.g., a red LED lights for "bad"), and possibly could act as a boot disk to restore an infected client system to a known good state.) &lt;/p&gt;  &lt;p&gt; In &lt;a href="http://www.icir.org/mallman/papers/opp-personas-hotsec07.pdf"&gt;"The Strengths of Weaker Identities: Opportunistic Personas"&lt;/a&gt;, Mark Allman, Christian Kreibich, Vern Paxson, Robin Sommer, and Nicholas Weaver (ICSI) state that it is sometimes unnecessary (or inconvenient) to perform the ceremonies necessary for a 'full' establishment of a party's identity and trusted keys prior to communication with that party.  
They use the term &lt;q&gt;opportunistic persona&lt;/q&gt; for situations in which the cryptographic keys are generated opportunistically and do not provide what is traditionally considered a "strong" form of identity.  They write &lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;In addition to the opportunistic generation of personas, we also argue for the idea that user actions can often be interpreted as an implicit proxy for management of personas. Users tend to respond differently to legitimate versus unwanted activity. By observing user reactions, we can then in some cases infer the user's trust in particular personas. For example, user reactions could drive the construction of white- and black-lists... Certainly, in terms of achieving secure and sound systems, learning personas in an informal fashion is in principle not as desirable as manually exchanging and validating keys. However, in a number of contexts such validation has proven impractical: it is either beyond the ability of most users, or at least beyond their 'pain threshold' for the perceived benefits . Thus, we believe application and protocol developers will benefit if they broaden their thinking to consider weaker forms of identity may actually provide stronger practical security.&lt;/q&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt;If a user's interpersonal software (e.g., email, conferencing) dynamically generates a key for signing outgoing messages to other users, over time, a user might promote these opportunistic personas of other users with whom they frequently communicate into the 'actual' identity of that user. &lt;/p&gt;  </description><author>mark.wahl@informed-control.com</author><pubDate>Thu, 23 Aug 2007 17:30:00 GMT</pubDate></item>
<item><title>Anti-utopian social networking #2 (20070811)</title><link>http://www.ldap.com/1/commentary/wahl/20070811_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070811_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Anti-utopian social networking #2 (20070811) &lt;/h3&gt;  &lt;p&gt; In an &lt;a href="http://www.ldap.com/1/commentary/wahl/20070730_01.shtml"&gt;earlier post on anti-utopian social networking&lt;/a&gt;, I outlined a scenario in which &lt;q&gt;An anti-utopian social networking site is a social networking site that has developed a flaw that "spoils" it, and one flaw could be the misapplication of undercover/viral marketing strategies&lt;/q&gt;. &lt;/p&gt;  &lt;p&gt; Another problem which could be a flaw in social networking is &lt;a href="http://en.wikipedia.org/wiki/Hyperreality"&gt; &lt;i&gt;hyperreality&lt;/i&gt;&lt;/a&gt;, a term used by the theorists &lt;a href="http://en.wikipedia.org/wiki/Jean_Baudrillard"&gt;Jean Baudrillard&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Umberto_Eco"&gt;Umberto Eco&lt;/a&gt;.  One possible definition of hyperreal could be made in contrast to what is "real": &lt;/p&gt;  &lt;blockquote&gt; &lt;q&gt;The very definition of the real has become: that of which it is possible to give an equivalent reproduction... The real is not only what can be reproduced, but that which is always already reproduced: that is the hyperreal...which is entirely in simulation.&lt;/q&gt; (Jean Baudrillard) &lt;/blockquote&gt;  &lt;h4&gt;1. 
Just because you're not a celebrity doesn't mean millions of people couldn't be watching your every move.&lt;/h4&gt;  &lt;p&gt;One impact is the sense an individual would have from &lt;a href="http://en.wikipedia.org/wiki/Panopticon"&gt;"always being viewed"&lt;/a&gt;.  In part, social networking services give anyone with Internet connectivity the ability to share minutae of their life with others, regardless of boundaries of time or distance.  Everyone is encouraged to self-publish: blog their life, update their status on Twitter, write about their feelings in specialized feeling-recording Facebook or MySpace apps, upload their family photos to Flickr and videos to YouTube. Not only do people enjoy uploading, people enjoy watching.  Without LiveJournal/Twitter/Facebook/Flickr/MySpace/YouTube, would those same authors write in their diaries, show their snapshots to friends at parties, etc?  To some, the magnification available from publishing to these services must offer an appeal, but with it often comes a cost to the participants: both the authors, and the viewers searching for the "real" in self-generated content.  Jean Baudrillard wrote in the section "The End of the Panopticon" of &lt;i&gt;&lt;a href="http://www.ee.sun.ac.za/~hgibson/docs/html/Simulacra-and-Simulation.html"&gt;Simulations&lt;/a&gt;&lt;/i&gt;, concerning a TV documentary capturing an "actual typical American family": &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt; "It is again to this ideology of the lived experience, of exhumation, of the real in its fundamental banality, in its radical authenticity, that the American TV-verite experiment on the Loud family in 1971 refers: 7 months of uninterrupted shooting. 300 hours of direct non-stop broadcasting, without script or scenario, the odyssey of a family, its dramas, its joys, ups and downs - in brief, a "raw" historical document, and the "best thing ever on television, comparable, at the level of our daily existence, to the film of the lunar landing." 
Things are complicated by the fact that this family came apart during the shooting: a crisis flared up, the Louds went their separate ways, etc. Whence that insoluble controversy: was TV responsible? What would have happened &lt;i&gt;if TV hadn't been there&lt;/i&gt;. &lt;/p&gt;&lt;p&gt; More interesting is the phantasm of filming the Louds &lt;i&gt;as if TV wasn't there&lt;/i&gt;. The producer's trump card was to say: "They lived as if we weren't there". An absurd, paradoxical formula - neither true, nor false: but utopian. The "as if we weren't there" is equivalent to "as if you were there". It is this utopia, this paradox that fascinated 20 million viewers, much more than the "perverse" pleasure of prying. In this "truth" experiment, it is neither a question of secrecy nor of perversion, but of a kind of thrill of the real, or of an aesthetics of the hyperreal, a thrill of vertiginous and phony exactitude, a thrill of alienation and of magnification, of distortion in scale, of excessive transparency all at the same time..." &lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;The popularity of these social networking services gives millions of people around the world the ability to simultaneously 'drop in' on any randomly-chosen individual in a way that never would be physically possible before. The &lt;a href="http://news.bbc.co.uk/1/hi/entertainment/6187554.stm"&gt;BBC reports&lt;/a&gt; that footage of a &lt;a href="http://en.wikipedia.org/wiki/Star_Wars_kid"&gt;teenage kid swinging a golf ball retriever&lt;/a&gt;, not intended to be shown to anyone, has been viewed 900 million times, making the victim a "worldwide object of ridicule": &lt;q&gt;It was simply unbearable, totally. It was impossible to attend class&lt;/q&gt;.&lt;/p&gt;  &lt;p&gt;As people are &lt;i&gt;objects&lt;/i&gt; in social networking services, these services are designed to make it easy for the users to find other people they know, and learn more about them.  
&lt;a href="http://ceppi.blogs.com/"&gt;Chris Ceppi&lt;/a&gt; writes about the people search engine &lt;a href="http://ceppi.blogs.com/arbitrage/2007/07/spock-and-the-n.html"&gt;Spock and the New New Transparency&lt;/a&gt; that &lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Spock automates the retrieval of those bits - if your age is published on LinkedIn, MySpace, a random online bio, or any other number of sources that Spock sorts and surfaces - then it will be front and center on Spock.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt; Also, many social networking sites encourage users to add comments about each other.  Gossiping is a natural human activity, that now is magnified through technology to allow the gossip to be available on a vast scale.  As a result, individuals find that they are not in control of their story as commentary aggregates and swirls around and about them.  Pamela Dingle wrote in her blog post &lt;a href="http://eternaloptimist.wordpress.com/2007/08/09/the-dating-mashup-or-my-facebook-adventure/"&gt;"The Dating Mashup (or my Facebook Adventure)"&lt;/a&gt;:  &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Why wouldn't someone from some other part of my life or history cruise through and add his own dating history into that photo thread? Heck, maybe my husband will chime in, he's on Facebook too. If there was enough interest, I do believe that an entire timeline could be constructed, and what could I do? I could scream and freak out and have the photo removed I'm sure. But such anti-social behaviour would become the object of discussion in turn. When you protest, people assume you are afraid of something :). 
Taken separately, nobody's dating history is secret - but peer-to-peer publishing of cumulative results makes me feel vulnerable to the same phenomena occurring around some other, less innocent set of facts.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt; Bob Blakley has discussed this in his blog post &lt;a href="http://notabob.blogspot.com/2006/01/on-absurdity-of-owning-ones-identity.html"&gt;"On the Absurity of Owning One's Identity"&lt;/a&gt;, and the fear of computer systems and organizations conspiring behind one's back is based on real concerns, as shown in an article earlier this year by &lt;a href="http://articles.moneycentral.msn.com/Commentary/Experts/Weston/Liz_Pulliam_Weston.aspx"&gt;Liz Pulliam Weston&lt;/a&gt; in &lt;a href="http://moneycentral.msn.com/"&gt;MSN Money&lt;/a&gt; entitled &lt;a href="http://articles.moneycentral.msn.com/Insurance/InsureYourHome/InsurersKeepASecretHistoryOfYourHome.aspx"&gt;"Insurers keep a secret history of your home"&lt;/a&gt; discusses the ChoicePoint Comprehensive Loss Underwriting Exchange (CLUE) database:&lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Jan and Kevin Garder of Bremerton, Wash., discovered this the hard way. The Garders thought they were doing the right thing when they told their insurance company, State Farm, about some minor water damage caused by a rainstorm last year.  The couple, who say they had been with their insurer for 30 years without filing a claim, ultimately decided not to file one this time, either.  That didn't stop State Farm from dropping them as customers, they say. Not only that, but they say State Farm also shared the damage information with the CLUE database. 
When the Garders applied for coverage elsewhere, the other insurers cited State Farm's damage report as the reason they wouldn't write a policy, Jan Garder said.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Here, as the information flow paths in social networking services are based on one's "friends", "coworkers" and other more nebulous relationships, &lt;i&gt;&lt;q&gt;this time, it's personal&lt;/q&gt;&lt;/i&gt;.&lt;/p&gt;  &lt;p&gt;Thus one flaw of social networking might be that it provides anyone with  the ability to drill into the details (facts, opinions, speculations, connections real or implied) of another's life, and to the target, the sense that this could occur at any time and come from anywhere.  &lt;/p&gt;  &lt;p&gt;The former, taken to extremes, can be anti-social behavior.  It is not necessary to know everything about a person to be their friend/coworker/neighbor, and conversely knowing everything of a person's biography does not make them one's friend, as I &lt;a href="http://www.ldap.com/1/commentary/wahl/20070731_01.shtml"&gt;mentioned in the example of &lt;i&gt;the King of Comedy&lt;/i&gt;&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt; &lt;img src="http://www.ldap.com/1/commentary/wahl/20070731_kc.jpg" width="498" height="196" /&gt; &lt;/p&gt;  &lt;h4&gt;2. The Replica replacing the real&lt;/h4&gt;  &lt;p&gt;The second flaw might be that the unreal world of online interaction might come to affect real-world interaction.  &lt;/p&gt;  &lt;p&gt;Internet users are conditions to not accept certain people as real.  There are not hundreds of rich widows in Nigeria seeking help in moving their fortunes; it is a variant of the &lt;a href="http://en.wikipedia.org/wiki/Spanish_Prisoner"&gt;Spanish prisoner&lt;/a&gt; scam:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Fellow says him and his sister, wealthy refugees, left a fortune in the home country. He got out, girl and the money stuck in Spain. Here is her most beautiful portrait. 
And he needs money to get her and the fortune out. Man who supplies the money gets the fortune and the girl. Oldest con in the world. &lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;On the face of it, as Pamela Dingle noted in &lt;a href="http://eternaloptimist.wordpress.com/2007/08/01/breaking-the-tos-before-you-even-start/"&gt;"Breaking the TOS before you even start"&lt;/a&gt;, the terms of service of various social networking sites require the user to provide 'true' information.  Some sites would delete "fake" profiles for non-real persons, as a &lt;a href="http://www.sfweekly.com/2003-08-13/news/attack-of-the-smartasses/"&gt;2003 article in SF Weekly&lt;/a&gt; states  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;Jonathan Abrams, the 33-year-old software engineer who founded Friendster to improve his own social life ... abhors the phony profiles. He believes they diminish his site's worth as a networking tool and claims that fakesters' pictures -- often images ripped off the Web -- violate trademark law. Abrams' 10-person Sunnyvale company has begun ruthlessly deleting fakesters and plans to eventually eradicate them completely from the site.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Yet if there is commercial value in having certain "non-person" characters present, then those are allowed, as a &lt;a href="http://www.wired.com/culture/lifestyle/news/2004/07/64156"&gt;2004 article in Wired&lt;/a&gt; states &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;"What Friendster is doing with these movie-character profiles is actually a brand-new paradigm in media promotion," Friendster spokeswoman Lisa Kopp said. "We are working directly with a number of production houses and movie studio partners to create film-character profiles, or 'fan' profiles, that allow our users to share their enthusiasm about the film with their friends." 
&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;Social networking services can further be subverted with characters that have no existence outside of the services themselves. An Internet celebrity may not necessarily be a "real" person or even a "real" (pre-existing) character, as in the example of &lt;a href="http://en.wikipedia.org/wiki/Lonelygirl15"&gt;lonelygirl15&lt;/a&gt;:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;To further the initial illusion that Bree was a real girl, a MySpace page was set up for her and she began meaningfully corresponding with many of her fans. Several fans of lonelygirl15's video posts began to wonder if Bree was, in fact, a real person or if the posts were part of a teaser campaign for a television show or an upcoming movie (similar to the viral marketing used to hype &lt;i&gt;The Blair Witch Project&lt;/i&gt;). Others felt that the blog might be part of an alternate reality game.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt;If all one sees are replicas, does it become harder to recognize the real? For an extreme example, in the movie &lt;i&gt;&lt;a href="http://www.us.imdb.com/title/tt0177789/"&gt;Galaxy Quest&lt;/a&gt;&lt;/i&gt;, an alien civilization, the Thermians, has intercepted Earth's TV transmissions from the 1960-1970s. Yet their mental models are different and they do not 'get' that the television shows are sometimes fictional.  They believe &lt;a href="http://en.wikipedia.org/wiki/Gilligan_%28fictional_character%29"&gt;Gilligan&lt;/a&gt;, the Skipper, "and the rest" really were stranded on an island. They also believe that the episodes they receive of the sci-fi show "Galaxy Quest" were "historical documents" describing the adventures in space of the crew of the NSEA Protector, a thinly-veiled &lt;a href="http://en.wikipedia.org/wiki/Starship_Enterprise"&gt;Starship Enterprise&lt;/a&gt;.  
Using their advanced technology, the Thermians transport the actor Jason Nesmith, who portrayed the captain of the Protector, to an actual interstellar spaceship they have constructed with the appearance of the Protector from these "historical documents". Jason Nesmith, having of course never seen an actual spaceship, doesn't recognize it as being 'real', believing it to be only a fan's reconstruction:  &lt;/p&gt;  &lt;center&gt;&lt;img src="http://www.ldap.com/1/commentary/wahl/20070811_i1.jpg" width="380" height="246" alt="bridge of the spaceship" /&gt;&lt;br /&gt; &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;This is great. Usually it's just cardboard walls in a garage.&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;/center&gt;   &lt;p&gt;The second impact of social networking is that 'unreal' statements made on the Internet about interpersonal relationships might replace the 'real' statements: the vocabulary of the software becomes a "Newspeak" that reframes the participants' expressions.  Suppose the term &lt;tt&gt;friend&lt;/tt&gt; is used to mean any connection: people who are interested in me, people who have a pretty picture on their home page, people who I was at the same school at, people whose friends I know, etc.  Can changes such as these affect people's behavior?&lt;/p&gt;  &lt;p&gt;  In an article in last month's &lt;a href="http://www.newscientist.com/"&gt;New Scientist&lt;/a&gt; on &lt;a href="http://www.newscientisttech.com/channel/tech/mg19526136.300-the-rise-of-cyberbullying.html"&gt;"The rise of cyberbullying"&lt;/a&gt; several contributing factors are cited, including the typical scapegoat of anonymity, the magnification of attacks from the wide distribution possible online, the 24x7 connected lifecycle of the participants, and &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;The lack of face-to-face contact might tempt bullies to new levels of cruelty. 
"On the playground, seeing the stress and pain of the victim face-to-face can act as an inhibitor to some degree," explains Carr. "In cyberspace, where there is no visual contact, you get more extreme behaviour." Kowalski says the effect is unique to computer-mediated communication. "There is a distancing of the self and immediacy in response that we don't have in any other form of communication," she says. "On the computer, it's like it's not really you."&lt;/q&gt;&lt;/p&gt;&lt;/blockquote&gt;  &lt;p&gt; Furthermore, unlike traditional online games (e.g., &lt;a href="http://en.wikipedia.org/wiki/Nethack"&gt;Nethack&lt;/a&gt;) where people play behind personas defined by the game, game-like interactions embedded in social networking services have such no layer of isolation: the players are playing "as themselves".   &lt;/p&gt; &lt;p&gt;The article also notes that 2000 abuse reports are filed each day in Second Life, and that  &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt;&lt;q&gt;"It's adults hassling other adults," says Thomas Chesney of the University of Nottingham, UK, who has encountered pushing, swearing and shooting there.  Chesney and colleagues recently set up an office in Second Life where they interviewed more than 100 inhabitants about bullying. Chesney says that because many people come to Second Life with a background in gaming, they bring preconceived notions of violence and aggression with them. "They're playing games like World of Warcraft - where the aim is to kill everybody - and they take that attitude into Second Life," he says. "It's a bit depressing that we haven't progressed beyond hassling one other, but not surprising given all we know about workplace bullying."&lt;/q&gt;&lt;/p&gt; &lt;/blockquote&gt;   </description><author>mark.wahl@informed-control.com</author><pubDate>Sat, 11 Aug 2007 23:20:00 GMT</pubDate></item>
<item><title>Report on the state of the art in software security assurance (20070810)</title><link>http://www.ldap.com/1/commentary/wahl/20070810_02.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070810_02.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  Report on the state of the art in software security assurance (20070810) &lt;/h3&gt;  &lt;p&gt; The US Dept. of Defense Information Assurance Technology Analysis Center and the Data and Analysis Center for Software have jointly released  &lt;i&gt;&lt;a href="http://iac.dtic.mil/iatac/download/security.pdf"&gt;Software Security Assurance Start-of-the-Art Report&lt;/a&gt;&lt;/i&gt;.  This report is a 400-page PDF document which includes &lt;/p&gt;  &lt;ul&gt; &lt;li&gt;an introduction to software threats and vulnerabilities,&lt;/li&gt; &lt;li&gt;secure systems engineering,&lt;/li&gt; &lt;li&gt;security concerns at each stage of the software development lifecycle and a comparison of the security enhanced methodologies,&lt;/li&gt; &lt;li&gt;a survey of software assurance initiatives, organizations and other resources, and&lt;/li&gt; &lt;li&gt;a list of observations on the general problem of security assurance and current research efforts.&lt;/li&gt; &lt;/ul&gt;    </description><author>mark.wahl@informed-control.com</author><pubDate>Fri, 10 Aug 2007 21:00:00 GMT</pubDate></item>
<item><title>"My" Story: biography in social networking services (20070810)</title><link>http://www.ldap.com/1/commentary/wahl/20070810_01.shtml</link><guid isPermaLink="true">http://www.ldap.com/1/commentary/wahl/20070810_01.shtml</guid><description>&lt;h2&gt;&lt;a href="http://www.ldap.com/1/commentary/wahl/" rel="identity"&gt;Commentary by &lt;b&gt;Mark Wahl&lt;/b&gt;, CISA&lt;/a&gt;&lt;/h2&gt; &lt;h3&gt; Organizing principles for &lt;a href="http://technorati.com/tag/identity" rel="tag"&gt;identity&lt;/a&gt; systems:&lt;br /&gt;  "My" Story: biography in social networking services (20070810) &lt;/h3&gt;  &lt;p&gt; &lt;span about="http://eternaloptimist.wordpress.com/about/" xmlns:foaf="http://xmlns.com/foaf/0.1/"&gt;Pamela Dingle (who blogs at &lt;a href="http://eternaloptimist.wordpress.com/" rel="foaf:weblog" &gt;Adventures of an Eternal Optimist&lt;/a&gt;)&lt;/span&gt; writes in &lt;a href="http://eternaloptimist.wordpress.com/2007/08/09/the-dating-mashup-or-my-facebook-adventure/"&gt;"The Dating Mashup (or my Facebook Adventure)"&lt;/a&gt;  &lt;/p&gt;  &lt;blockquote&gt;&lt;p&gt; &lt;q&gt;...I see that a photo has been 'tagged' as being of me....When my friend posted that picture, only those in his network saw it - generally speaking, those that were interested were all a member of &lt;b&gt;one&lt;/b&gt; of my circles of acquaintance. No problem - until I join Facebook, and link all of my various circles TOGETHER. Suddenly, a photo &amp;amp; conversation intended for one circle is accessible to another. Yes, I can 'limit' what people see - but would I have the foresight, tools, and memory to figure out all the ways in which I really don’t want past circles to intersect in the future? What about current circles? What about friends who span the circles? I am suddenly the hub, and all my different spheres are the spokes, and those spokes are suddenly connected th