Identity – Page 15 – Kim Cameron's Identity Weblog

UK Chip and PIN vulnerable to simple attack

LightBlueTouchpaper, a blog by security researchers at Cambridge University, has posted details of a study documenting easy attacks on the new generation of British bank cards. Saar Drimer explains, “This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography”. Let's all heed the warning:

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufactures of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.

[Thanks to Richard Turner for the heads up.]

New plans for German identity card

IdealGovernment's William Heath describes a planned identification card for German citizens that incorporates a pseudonym capability for electronic commerce:

The German Home Office has confirmed that a new electronic identity card for German citizens will incorporate the use of pseudonyms for secure web access.

According to the plans of the German Home Office, a credit card sized electronic identity card will be introduced in 2009. It will replace the larger, non-electronic identity cards currently in use. “Apart from the usual personal information, the electronic identity card will contain biometric information, in particular digital fingerprints of both index fingers, and additional information for facial recognition”, says secretary of state August Hanning.

Hanning confirmed that the new identity card will contain a pseudonym function. In a leaked letter to Gisela Piltz, a Member of German Parliament for the Liberal Democrats (FDP), Hanning stated that the card could be used as a “passport for the internet” in the future. “The new identity card offers the possibility of an electronic identity proof for E-Government- and E-Business-applications”, writes Hanning.

The central idea is that the individual card number is used to generate a pseudonym that cannot be reconverted mathematically into the original card number. This pseudonym could then be used to register at, for example, eBay, or any other web service that requires personal identification.

I don't yet know the details of how this works. I would be concerned if the card generates a single pseudonym that remains constant everywhere it is used. This would still be an “identifier beacon” that could be used to link all your digital activities into a super-profile. Such a profile would be as irresistable to marketers as it would be to organized crime, so we can be pretty sure it would emerge . If any aspect of this profile is linked to a molecular identity, all of it is.

In a sense, using a pseudonym that ends up creating a super-dossier would be worse than just using an official government identity, since it would create false expectations in the user, breaking the First Law of identity that ensures the transparency of the identity system so the user can control it.

Regardless of the details of the proposal, it is great to see the German government thinking about these issues. Once you start to look at them, they lead to the requirement to also support “directed identities”. There are leading academics and policy makers in Germany who are capable of guiding this proposal to safety. The key here is to take advantage of the new generation of intelligent smart cards, identity selectors and web service protocols.

[Read more on the e-health Europe site.]

Not the browser!

Google's Ben Laurie bookends our dialog (work back from here) with a really clear statement:

Kim correctly observes that the browser is not the place to be typing your password. Indeed. I should have mentioned that.

Clearly any mechanism that can be imitated by a web page is dead in the water. Kim also wants to rule out plugins, I take it, given his earlier reference to toolbar problems. I’m OK with that. We want something that only a highly trusted program can do. That’s been so central to my thinking on this I forgot to mention it. Sorry.

This sounds really positive. Now, just so I don't end up with a different security product from every big web site, I hope Ben's work will include integration with the CardSpace framework. I'm certainly open to discussions about ways we might evolve CardSpace to facilitate this.

Ben Laurie's “Single Passwords”

Given his latest post, I guess I got the gist of Ben Laurie's proposal for using what I'll call “Single Passwords” rather than “Single Signon”:

“Kim Cameron, bless him, manages to interpret one of my most diabolical hungover bits of prose ever. I am totally with him on the problem of pharming, but the reality is that the average Cardspace user authenticated with nothing better than a password (when they logged into Windows).

Wow. I appreciate the blessing from Father Laurie, but this is kind of a “We're going to die one day, so who cares if we die tomorrow?” type of argument – surprising for a priest.

While it's true that pharming is a challenge for the operating system as well as the browser, let's not seriously equate the dangers of entering passwords into browsers (a malleable experience, the goal of which is to be infinitely and easily modified by anyone) with those involved in booting up your PC (a highly controlled environment designed to allow no modification and use a secure desktop). It's true that both involve passwords. But the equation is simplistic, best summed up as: “Tables have legs, people have legs, therefore tables are people.”

Anyway, I'm sympathetic to Ben's concerns about portability:

“Furthermore, if you are going to achieve portability of credentials, then you can either do it in dreamland, where all users carry around their oh-so-totally-secure bluetooth credential device, or you can do it in the real world, where credentials will be retrieved from an online store secured by a password.

I don't dismiss dreamland – isn't that what iPhones want to be? But we do need lightweight roaming. Using an online vault secured by a passphrase is a reasonable way to bootstrap a secret onto a machine.

But not the browser!

The rub is: once a user gets into the habit of typing this secret into the browser, she's ready to be tricked. I'll go further. If the vault one day accrues enough value, a browser-based system WILL fail the user – sooner or later.

Ben concludes:

“If you believe the Cardspace UI can protect people’s credentials, then surely it can protect a password?

“If it really can’t (that is, we cannot come up with UI that people will reliably identify and eschew all imitations), then how will we ever have a workable, scalable system that includes recovery of credentials after loss or destruction of their physical goods?”

There's food for thought here. Start to take advantage of the engineering in CardSpace, and you inherit significant protection in terms of both phishing and pharming. So if Ben implements his “Single Password” this way, he could start to be reasonably confident that the “function of the password” is what is released, while the password is guarded.

Booze and Identity

Let's turn to New Zealand's Identity and Privacy Blog for the latest in… news about Canada:

It’s interesting to see how booze seems to bring up great questions of identity and privacy. Or maybe it’s just the Canadians?

Canadian Dick Hardt uses buying booze as an example in his famous Identity 2.0 presentation and makes very interesting points about using ID, such as a drivers licence, to buy booze.

Now comes another angle from Canada involving booze: if your ID is scanned when entering a bar, would that make you behave? That was one of the issues at the heart of a case decided by the Information and Privacy Commissioner of Alberta.

The Tantra Nightclub in Calgary had a practice of scanning driver licences before allowing people in. Clearly it is collecting and storing personal information as it includes an individual’s photograph, license number, birth date, address, and bar codes with embedded information unique to the individual driver’s license.

The club says that “We’ve got hard data that it works, we that says crime and violence is down in our venues by over 77%.” On the other hand, the Information and Privacy Commissioner described ID scanning as a deterrent to violent behaviour “conjecture” not backed up by hard data and ordered the club to stop the practice.

In terms of consent, the only thing that the complainant agreed to was the club confirming his date of birth off the licence.

This is precisely the kind of situation that the Laws of Identity frowns upon in digital identity systems, in particular User Control and Consent; Minimal Disclosure for a Constrained Use; and Directed Identity. And another example of unjustified expectations from ID cards that knowing a person’s identity somehow magically solves most societal problems.

Wow. You have to love this nightclub chain.

The owner is apparently bitter. But he could get around these problems if he would just change the club's name to something more fitting. How about the Mein Kampf Eagle Lounge? Then having a functionary scanning “your papers” would just be part of the show – justifiable by any measure.

The whole report is worth a read, but this argument by Tantra management really stands out:

“The SC System [SecureClub ID System – Kim], as part of the overall comprehensive security system, is intended to act as a deterrent to potential wrongdoers in that all patrons know that their identification is scanned and that therefore they could easily be identified if they were involved in any violent or illegal activity. It is submitted that potential wrongdoers would be less likely to engage in violent or other illegal behaviour if their ability to remain anonymous was removed. It is further submitted that the SC system removes the anonymity of potential wrongdoers, and is therefore one effective component of an effective overall comprehensive security system.”

Hey, come to think of it, we should all have our papers scanned wherever we go, day and night!

Gee, maybe it's that Canadian thing, but it all makes me want to go for a beer.

Eric Norlin takes OpenID to CSOs

Digital ID World's Eric Norlin explains why security executives should pay attention to OpenID in this article from CSO – the Resource for Security Executives:

Kim Cameron has posted another thoughtful piece about why he (and by extension Microsoft) is supportive of OpenID. For those of you that don't eat, sleep, dream and breathe identity, Kim is the guy at Microsoft that was responsible for writing the “Seven Laws of Identity,” which led to the idea of an identity metasystem, which effectively gave birth to all kinds of meetings (the “identity gang”), which led to things like OpenID and Higgins really taking off. Bottom line: Kim's a VIP in the identity world (he's also one helluva nice guy).

Kim's main point is this:

“My takeaway is that OpenID leads to CardSpace. I don’t mean by this that Information Cards replace OpenID. I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.

Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces. It’s a serious technology and involves secure high-strength products emerging across the industry.”

Its important to note that Kim is thinking about identity ecosystems, not “one protocol to rule them all.” Really, it comes down to making the use of an identity a “ritual.” That sounds a bit off, I know, but hear me out. Believe it or not, the great majority of humanity had its first contact with email in a workplace setting. Now, if the interface (and interaction) for email was substantially different for work-usage and home-usage (or should I say, WorkUsage and HomeUsage?), do you think the adoption curve would've been the same? I don't.

One of the essential points that Kim's been hammering on for a couple of years is that we have to make the underlying “ritual” of using identity similar in a foundational sense.

Yet one more reason why you (as a CSO) should be paying attention to OpenID. After all, people don't always first see and experience things in the workplace.

This matter of influences from the internet converging with the enterprise is incredibly important, and I'm going to expand on it soon. By the way, it was Eric's encouragement that got me hooked on writing the Laws of Identity.

From “Screen-Names in Bondage” to OpenID

Google's Ben Laurie proposes using “functions of passwords” rather than plain passwords as a way to avoid phishing:

Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?

Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.

In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so no problem with moving between machines, but can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be way easier than taking the whole of Cardspace on board, but would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but its not like we don’t already have protocols for that and nor does there seem to be much demand for it yet.

I take it Ben is talking about having a toolbar that asks for your password, and transforms it based on the site's identity so you can use the same password everywhere. Perhaps he is even thinking about a digest protocol where this transformed password would be used to calculate a “proof” rather than transported over the wire.

Phished or Pharmed

Problem is, such a toolbar is as easily “pharmable” as OpenID is phishable.

How does a user know she is typing her password into the legitimate toolbar – rather than an “evil replica”? Our experience with toolbars teaches us that is easy to trick a LOT of people into using fakes. In fact, sometimes the fakes have propagated faster than the real thing! Once people get used to typing passwords into a toolbar you have truly opened Pandora's Box.

Let's look at what happens when the kind of “common password” Ben proposes is stolen. In fact, let's compare it to having money stolen.

If you go into a store and are short-changed, you just lose money in one store. If you are pick pocketed, you just lose what's in your wallet – you can cancel your cards. But if your “common password” is intercepted, it is as though you have lost money in ALL the stores you have been in. And sadly, you will have lost a lot more than money.

The ultimate advantage of moving beyond passwords is that there is then NO WAY a user can inadvertantly give them away.

Is CardSpace too heavy-weight?

CardSpace should be a lighter-weight experience than it is today. We're working on that, making it less “in-your-face” while actually increasing its safety. I also agree with Ben that it needs to be easier to roam credentials. We're working on that too.

The point is, let's evolve CardSpace – and the interoperable software being developed by others – to whatever is needed to really solve the relevant privacy and security problems, rather than introducing more half-measures that won't be effective.

So why OpenID?

If that's all true, Ben wonders why we bother with OpenID at all…

The most important reason is that OpenID gives us common identifiers for public personas that we can use across multiple web sites – and a way to prove that we really own them.

That is huge. Gigantic. Compare it to the cacophony of “screen-names” we have today – screen-names in bondage, prisoners of each site.

Technology people are sometimes insulted when you imply they haven't solved the world's problems. But to be really important, OpenID doesn't have to solve the world's problems. It just has to do this one common-identifier thing really well. And it does. That's what I love about it.

CardSpace doesn't address the same problem. CardSpace plus OpenID solve it together.

Heavyweights, Giants, Bigwigs and Snugglers

Last week's announcement about the OpenID Foundation, and news of participation by a number of large industry players has echoed far and wide. In fact, Bill Gates announced Microsoft's decision to collaborate with the OpenID community almost a year ago at RSA (See the CardSpace / OpenID Collaboration Announcement and a lot of Blogosphere discussion or postings like these from identityblog.

Since the announcement many of us have been involved in sorting out the intellectual property issues which plagued the community. We've come through that, and arrived at a point when we can begin to look at how the technology might be integrated into various services and user experiences. We've also made progress on looking at how the phishing vulnerabilities of OpenID can be addressed through Information Cards and other technologies.

My view is simple. OpenID is not a panacea. Its unique power stems from the way it leverages DNS – but this same framework sets limits on its potential uses. Above all, it is an important addition to the spectrum of technologies we call the Identity Metasystem, since it facilitates integration of the “long tail” of web sites into an emerging identity framework. The fact that there is so much interest from across the vendor community is really encouraging.

Here's some of coverage I have been made aware of. It ranges from the fanciful to the accurate, but demonstrates the momentum we are beginning to acquire in the identity arena.

IDG News Service
Major Vendors Join OpenID Board
Chris Kanaracus

(Appeared in: The Industry Standard, Computerworld, InfoWorld, The New York Times, PCWorld.com, CSO, Techworld, iT News, Reseller News New Zealand)

CNET News.com
OpenID Foundation scores top-shelf board members
Caroline McCarthy

PC Magazine
Microsoft, Google, IBM Join OpenID
Michael Muchmore

Read/Write Web
OpenID: Google, Yahoo, IBM and More Put Some Money Where Their Mouths Are
Marshall Kirkpatrick

ZDNet
Microsoft and Google join OpenID, but where’s Cisco?
David “Dave” Greenfield

Wired
The Web's Biggest Names Throw Their Weight Behind OpenID
Scott Gilberston

Slashdot
OpenID Foundation Embraced by Big Players
Zonk

O'Reilly Radar
OpenID Foundation – Google, IBM, Microsoft, VeriSign and Yahoo
Artur Bergman

InformationWeek
Major Tech Companies Join OpenID Board
Antone Gonsalves

TechCrunch
OpenID Welcomes Microsoft, Google, Verisign and IBM
Michael Arrington

PC Pro Online
OpenID receives heavyweight backing
Stuart Turton

ZDNet
Google, IBM, Microsoft and VeriSign join Yahoo on OpenID
Larry Dignan

Forrester Research
OpenID family grows – How it can transform Identity Federation between enterprises
Andras Cser

ActiveWin
Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web
Jonathan Tigner
02-07-2008

Conde Naste Portfolio
Microsoft, Google, Yahoo Agree … on Open ID
Sam Gustin

SoftPedia News
Microsoft, Google and Yahoo Join Hands – Over OpenID
Marius Oiaga

CSO
OpenID Goes Corporate
Eric Norlin

InternetNews
OpenID Gets Star Power
Kenneth Corbin
02-07-2008

Windows IT Pro
Industry Behemoths Join OpenID Board
Mark Edwards

BetaNews
Microsoft, Google, Yahoo gain seats on OpenID Foundation board
Scott Fulton

The Register
Microsoft! snuggles! with! Yahoo! on! OpenID!
Gavin Clarke

San Francisco Chronicle
Tech heavyweights join OpenID Foundation board
Deborah (Debbie) Gage

Cox News Service
One password for the Web? Internet giants back idea
Bob Keefe
(Also appeared in Atlanta Journal-Constitution)

vnunet.com
IT heavyweights join OpenID project
Clement James

IT Pro UK
Industry giants join OpenID foundation
Asavin Wattanajantra

Computer Business Review
Industry bigwigs back OpenID single sign-on
Janine Milne

BBC Online
Password pain looks set to ease

WebProNews.com
Microsoft, Google Sign On To OpenID
David Utter

GigaOM
OpenID Has Big New Friends
Carleen Hawn

Real Tech News
Microsoft, Google, Verisign, Yahoo! and IBM Join OpenID’s Board
Michael Santo

ComputerWorld Canada
OpenID gains support for online single sign-on
Shane Schick
(Also appeared in ITworldcanada)

Half-life of personal information

In November I coined the term “Identity Chernobyl” for Britain's HMRC fiasco (at least it seems that way when I look at Google).

Cory Doctorow elaborates on this in a nice Guardian piece:

When HM Revenue & Customs haemorrhaged the personal and financial information of 25 million British families in November, wags dubbed it the “Privacy Chernobyl”, a meltdown of global, epic proportions [Hey, Cory, are you calling me a wag? – Kim].

The metaphor is apt: the data collected by corporations and governmental agencies is positively radioactive in its tenacity and longevity. Nuclear accidents leave us wondering just how we're going to warn our descendants away from the resulting wasteland for the next 750,000 years while the radioisotopes decay away. Privacy meltdowns raise a similarly long-lived spectre: will the leaked HMRC data ever actually vanish?

The financial data in question came on two CDs. If you're into downloading movies, this is about the same size as the last couple of Bond movies. That's an incredibly small amount of data – my new phone holds 10 times as much. My camera (six months older than the phone) can only fit four copies of the nation's financial data.

Our capacity to store, copy and distribute information is ascending a curve that is screaming skyward, headed straight into infinity. This fact has not escaped the notice of the entertainment industry, where it has been greeted with savage apoplexy.

Wet Kleenex

But it seems to have entirely escaped the attention of those who regulate the gathering of personal information. The world's toughest privacy measures are as a wet Kleenex against the merciless onslaught of data acquisition. Data is acquired at all times, everywhere.

For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it.

Hidden in that toxic pile are a million seams waiting to burst: a woman secretly visits a fertility clinic, a man secretly visits an HIV support group, a boy passes through the turnstiles every day at the same time as a girl whom his parents have forbidden him to see; all that and more.

All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper.

How long does this information need to be kept private? A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side.

If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor.

Every gram – sorry, byte – of personal information these feckless data-packrats collect on us should be as carefully accounted for as our weapons-grade radioisotopes, because once the seals have cracked, there is no going back. Once the local sandwich shop's CCTV has been violated, once the HMRC has dumped another 25 million records, once London Underground has hiccoughup up a month's worth of travelcard data, there will be no containing it.

And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror.

The best answer is to make businesses and governments responsible for the total cost of their data collection. Today, the PC you buy comes with a surcharge meant to cover the disposal of the e-waste it will become. Tomorrow, perhaps the £200 CCTV you buy will have an added £75 surcharge to pay for the cost of regulating what you do with the footage you take of the public.

We have to do something. A country where every snoop has a plutonium refinery in his garden shed is a country in serious trouble.

The notion of information half-life is a great one. Let's adopt it.

The tendency for “information to merge” is one of the defining transformations of our time. When it comes to understanding what this means, few think forward, or even realize that there “is a forward”.

The “contextual separation” in our lives has been central to our personalities and social structures for many centuries.

Call me conservative, but we need to retain this separation.

The mobility and clonability of digital information, in combination with commercial interest and naivite, lead us toward a vast sea of personal information intermixed with our most intimate and tentative thoughts.

The essence of free-thinking is to be able to think things you don't believe as part of the process of grasping the truth. If the mind melts into the computer, and the computer melts into a rigid warehouse of indelible data, how easy is it for us to change, and what is left of the mind that is “transcendental” (or even just unfettered…)?

The ramifications of this boggle the mind. The alienation it would cause, and the undermining of institutions it would bring about, concern me as much as any other threat to our civilization.

The Epic Battle: Sun goes after Ping Identians

I was awakened from my vacation from the blogosphere today by the braying of Sun’s new YouTube video “comedy”. It features a droll engineer with a great sense of deadpan, but when all is said and done, it is bully comedy, with all the subtlety of a bully beating up his smart little brother.

The premise seems to be that big strong Sun has 35,000 technical support engineers ready to descend in buses on customers who deploy one of Sun’s IDM solutions (could their products require a whole lot of support???), whereas the customers of “little Ping Identity” are left on their own to cope with mere off-the-shelf products.

Ping has been a real innovator and thought leader in digital identity. Why attack it? I can only see one explanation: the Ping folks must be making a significant dent in Sun’s marketplace. Even so, it is hard to imagine such a low-road response. The word “unseemly” comes to mind.

FYI, while I have no firsthand experience with Ping, various customers have told me good things about their products, attitude and responsiveness. To me that’s the litmus test.

Cyberspace needs a whole range of players innovating around digital identity. We’re lucky to have Ping in the equation.

One of the significant questions being posed is whether you need to hire a busload of engineers to deploy federation and identity management. Sun’s video takes it as a given that this is the case, but if I were a customer I would head for the hills when I saw the big Sun bus coming for me.

A meaningful identity metasystem, something capable of providing an identity layer for the internet, must be based on commercial off the shelf products that can be deployed by any system administrator. Ping Identity is pushing the envelope in this area, as are a number of us. Our goal is achieving ubiquity, not the renting out of consultants.

Beyond the technical issues, we need to work as an industry towards “federation boilerplates” and a legal framework that drives the cost of creating virtual organizations to zero.

Since identity requires all of us to interoperate, I think people should hold off on attack ads and concentrate on expanding the market.

I don’t normally criticize any of the identity players for their strategy, but I sure would like to see Sun go after the 99.9% of organizations with no federation framework rather than turning on Ping and its successes.

This having been said, Ping doesn’t need me to come to its defense. Its fearless leader, Andre Durand, responded with a hilarious video called The Epic Battle: 72 VS 35,000, that blows the original Sun video right out of the water. Don’t miss it.