In my recent post on Hardy Infocard Pioneers, I referred to the fact that the first “attack” had been made on the site. Apparently I wasn't clear enough that I saw this as a good thing – something I appreciated. That led to this comment from Rohan.
An Attacker. That's a nice title, when the intention was not to “attack” but to try to look at infocards from the other side. From another perspective altogether. Everybody seems to just nod heads when workflows and use case examples are explained. I have not seen many who have tried to disagree in the “open”.
Well, I am trying to do just that. Not disagree, but to look at it from another angle, and talk to you about my discoveries.
I'm sure that you'd acknowledge that I “did” inform you as soon as I logged into your site with FAKE info. Well, that's not called an “attack”.
As far as the “browsehappy.com” link goes, that's just a joke…
Like you said: All of us will be attacked and all of us have to work hard – and together – to create a safe internet. I AGREE with you. 100%. But let's be open to ideas that may be contradictory to our own… My efforts are to create a SAFE internet. To point out issues and errors, so that one may work on fixing them.
So let me set the record straight. I think Rohan is making a positive contribution to thinking about InfoCards. I appreciate what he is doing for the very reasons he expresses. And if you go to his site, you'll see how creative he is.
I didn't mean “attacker” in the “normal” sense of the word – I was talking about the ATTACKER ROLE that we identity and security people refer to when we attempt, as he did, to think things through from the viewpoint of an attacker.
I am delighted to have others in the community thinking through the possible attacks with me. More about that in a minute.
In terms of the browsehappy.com thing, it was obvious that Rohan was poking fun – and that's fine. I just appreciated the opportunity to rail, en passant, against a couple of the site's more dubious claims.
This said, I'd like to be very clear about the status of the work I'm doing here to InfoCard-enable my site.
There are two parts to this project.
The first is pretty much complete, and involved developing a way to consume and verify InfoCard SAML tokens using a typical LAMP server without installing binaries.
The second is the part I'm working on now. It involves experimenting with how to use InfoCards concretely from a web site – in this case my blog. I'm learning as I go. After all, InfoCards are a relatively recent arrival on the scene…
I'll publish various elements of the code as it evolves – but I'm writing this stuff personally as an exploration. It isn't a product, it doesn't yet have a formal threat analysis, it hasn't gone through security reviews, and it hasn't even been seen by anyone other than me before appearing here. What you see is what you get.
My thinking is that the security threat model and reviews will be done here as part of the blogosphere process. And no doubt we'll find things to fix, working as a team.