TANGLED UP IN BLUE

I promise I didn't mean to chide Paul Madsen, as he puts it in YACCP – Yet Another Conor Cahill Post:

Kim Cameron chides me for what he believes to be inappropriately cast aspersions on Conor Cahill.

I think if Paul had been present at the session he would actually have appreciated what Conor had to say. Objectivity and realism in sizing up deployment blockers, and transparency in setting expectations, is what will lead to success.

A couple of points in my defense:

  1. Conor and I have a long established tradition of casting aspersions on each other. When I think of my involvement with Liberty, I divide it into 2 periods – that initial period during which I was too intimidated by Conor's expertise and strongly voiced opinions to challenge him, and then the last couple of weeks.
  2. As quoted by Phil, Conor's statement about non-enterprise deployments could be misinterpreted. Conor doesn't blog so I thought I would give him an opportunity to clarify/expand by commenting on a post of mine. I chose sarcasm and satire in order to goad him over the pain barrier of making such a comment.
  3. This was part of a new marketing campaign by Liberty to put a more human face on the organization. New logo soon.
  4. The end result of an individual so strongly linked with Microsoft's identity strategy defending a Liberty-proponent (rather than laughing with delight over what might appear to be LAP-internal squabbling) and what this might imply for the future (or even just for the sake of irony) must surely justify some small artistic excess in my original post?

I'll be seeing Conor at a Liberty meeting in Washington tomorrow. Can't wait.

Actually, I'm the last person who would want to stop good natured banter between friends – or others.

Along that line, I guess Paul's point 3) above means I fell for yet more marketing gloop?

Well, I can console myself with the realization that I've fallen for worse things in my life.  Anyway, getting the identity conversation as close as possible to reality is a good thing.

In terms of laughing with delight at the squabbling of others, I see you Liberty folks as allies in getting an identity metasystem done.  That's just where the dynamics of virtual reality will lead us.

 

TERMINOLOGY AND TALKING ACROSS EACH OTHER

Here is a piece Jon Callas (CTO and CSO of the PGP Corporation) sent to the “idworkshop” list recently.  I am often asked to speak about “identity management”, but the truth is, I don't actually know what people want me to discuss when they make such a request.  My working hypothesis has become that there are different aspects of identity management, rather than different definitions of it, and that people tend to concentrate on some aspect central to their current concerns.  Having a formal definition of these aspects, along the lines suggested by Jon, would help a lot.  This would be especially true if they had names we could agree on, numeric identifiers probably not being adequate in the long run…

When I first started hearing the term “identity management” show up at security conferences, I made a habit of going up to anyone offering products or services that they called “identity management”  and asking them what identity management is.  I found that there were two different things called identity management. I also started ending up at various fora where “identity management” was discussed.  I pointed out that identity management was not one thing, but two.  Then I found a third. Then a fourth.

At Financial Cryptography 2006, I was on a panel on identity management. I opened up the discussion with level-setting. Part of that level-setting was to describe these different types of identity management that are often related, but are still distinct.

At the last IIW, I found that the vagueness was all over there. At Monday's first session, E.E. Kim told us first that identity management is what I call IM(4), but then Paul Trevithick talked explicitly about what I call IM(2), and IM(1). My notes say that he was most emphatic that IM *is* IM(1). At various times in the workshop I heard people unknowingly talking about IM(i) and IM(j) at each other. Others would start with one and slide into another in a paragraph.

This week, I was at another security conference and one of the keynotes was by Ken Watson of Cisco and he spoke at length about the need for good identity management, but he was talking mostly about IM(3), with IM(2) being secondary and IM(1) being implied. We're not using the same language, even though we're all talking about more or less the same thing.

I think it's important to know that there are at least four things that are identity management, and maybe more. Here's my four, taken from my March slides at FC2006, with some added commentary:

    * Identity Management (1)
    – Traditional security notions of identification, authentication,
    authorization, reputation, etc. Oftentimes a “PKI.” Often times
    “AAA” systems.

The very first IM systems I played my little Socratic game with were PKIs and AAA systems re-labeled as “IM.” There was, in fact, no change in what the product was from the previous year. It was merely marketing spin.

    * Identity Management (2)
    – Mechanisms to reduce the annoyance factor of the above.
    Oftentimes a “Single Sign-On” system or password
    reduction/elimination system.

I consider these distinct, because at the same time I started seeing PKIs relabeled as IM, there were SSO systems relabeling themselves as IM. While the *concepts* are related, as I note, the *systems* were distinct. Also, when I interviewed people, some people would say, “Oh, IM is really PKI” and others would say, “Oh, IM is really SSO.” Furthermore, the systems they were building were distinct.

    * Identity Management (3)
    – Database management systems to facilitate accurate, speedy
    updates. Oftentimes, a human-resources system that keeps track of
    phone numbers, titles, building access, parking places,
    conference room reservation, “metadirectories” etc.

This is the most recent addition to my taxonomy, but I number it 3 here, because it is taxonomically related. I know of a couple of places in which a security company that did not call its PKI or AAA system IM acquired or built the entity management systems and started calling that addition “identity management.”

    * Identity Management (4)
    – Marketing systems that keep track of preferences, buying
    habits, loyalty programs, and so on so as to effectively send
    people ads that won’t annoy them. Much.

    – Note that this is the most different of the types, but still
    abuts them.
       – Also note that in this form, Alice does not own her
       identity

    – Important because it is closest to the colloquial definition of
    identity
       – It is the outside world's perception of who you are.

This is the type of IM that first got me to make a taxonomy. I had noted that IM1 and IM2 are not the same thing, but because the companies that do each are across the aisle at the RSA or CSI trade show, I just rolled my eyes at the sloppy language use.

When I was at an early spam-fighting conference in 2002, I detected groups of us not communicating. That turned out to be because there were the security people all talking about IM1, and the direct marketing people talking about IM4. We had to have a reset when I finally realized that when they talked about solving spam through IM, they did not mean what we meant. They wanted to make sure you never got an unwanted advertisement, and thus there would be no spam. Argue if you want, but not with me, please.

The very definitions of “identity” were different. If I take the definitions Paul Trevithick gave us on Monday, my group, the security group, were talking about what he talked about as “identity” (claims about oneself) and the marketing people were talking about “reputation” (claims others make about you). This doesn't exactly follow, because they wanted you to make claims about yourself that they will then tune. Nonetheless, it's important to understand both the imprecise language and that the terms have somewhat separated out, but are not exact.

However, I believe that it's important for us to be able to make these distinctions. We're not going to get anywhere without recognizing that IM1 != IM2 != IM3 != IM4, despite them forming a smear. I numbered them the way I did because fortunately, IM3 is related to IM2 and IM4, but not much to IM1. IM4 is somewhat close to IM3 but not much at all to IM1 and IM2. They do, thank heavens, form a spectrum.

HAS CONOR CAHILL GONE BALLISTIC?

Arriving back in North America after the WWW2006 conference in Edinburgh, I stumbled onto Paul Madsen's recent tiff with Conor Cahill about one of the panels I participated in.  Conor is a key Liberty activist who represented AOL since the inception of Liberty and has now moved on to Intel.  Paul's rant goes like this:

I like and greatly respect Intel's Conor Cahill.

That's why it is so &#*^%$@*& sweet to be able to point out whenever he makes a mistake.

Phil Windley describes an identity panel on which Conor (and other identifiable luminaries) sat.

Conor is quoted (loosely) as saying:

“there’s no large eCommerce implementation of Liberty. SSO hasn’t been adopted outside the enterprise”

Au contraire, my Irish friend.

There are ‘millions and millions‘ of Liberty-enabled commerce identities.

I could give Conor the benefit of the doubt and choose to believe that his comments were misinterpreted. But that's not how friendship works is it?

Conor responds as follows:

That wasn't an exact quote, but pretty close. The point I was trying to make was in response to a question along the lines of “why don't we see liberty everywhere since it's been around like forever (4 years)”. My answer was along the lines of “while you don't see Liberty implemented all over the place in an ecommerce type environment you do see it in a large number of enterprise environments, especially enterprise reaching out to relying parties” (again, not a direct quote as I can't remember exactly what I said minutes ago, much less hours ago).

I also went on to explain that in my opinion the reason that you don't see it (or any other SSO solution including MS's Passport or AOL's SNS) everywhere is that SPs didn't see a significant benefit from it and were afraid to let someone else (the IdP) potentially get in the middle of their relationship with the customer.

This is changing now because of the need for strong authentication and anti-phishing/identity theft. SPs are much more interested in this stuff nowadays than they were 3 or 4 years ago.

It was the first time I had met a number of the people on the panel, including Conor, and though Phil Windley describes the event as being  “tutorial in nature”, I thought it was more than that.  Arnaud Sahuguet, formerly of Bell Research Labs and now at Google, laid the groundwork by posing a number of wickedly insightful questions to intensify the discussion. One of them asked why Liberty hasn't caught on more since it has been around for almost five years.

Not knowing Conor I might have imagined he would sidestep the issue with marketing gloop.  I've seen more than one presentation equating deployment of a federation service somewhere on a network with delivery of the whole network, all of its resources and all of its users into the brave new world of federation…  If only this were true!  And my suspicion is that such claims engender false expectations which lead inevitably to the question Arnaud poses.

But Conor didn't go there.  He spoke very thoughtfully about what the real issues are. He talked about the problem of intermediation – the reluctance of many relying parties to lose their “sticky” relationship to customers – an example of the Third Law of Identity rearing its club.  He spoke also about concerns of liability on the part of identity providers.  He called on us, without saying so explicitly, to look beyond our aspirations as technologists, to understanding that technological progress is driven by business decision points.

Conor and Arnaud also talked about the role in which Liberty has been prototyped or adopted – connecting a portal to its wholesalers and partners.  Indeed, this is the “circle of trust” scenario – referring essentially to a circle in which the portal is at the center.

Meanwhile, I spoke about (surprise!) InfoCard – largely in a tutorial way since it was new to the audience.  But I think it was fairly clear to all that the central problem addressed by InfoCard, of allowing users to manage their identities and connections with portals, and the problems addressed by federation, as discussed by Conor, are basically orthogonal.  This is the nub of my thinking when I say InfoCard is not positioned against federation, but solves related but complementary problems.

I think if Paul had been present at the session he would actually have appreciated what Conor had to say.  Objectivity and realism in sizing up deployment blockers, and transparency in setting expectations, is what will lead to success.

GLASSFISH INFOCARD DEMO MARKS A MILESTONE

Arun Gupta, who works on Web Services at Sun, recently wrote about a remarkable demo at Java One showing interoperability between GlassFish and InfoCard.

We, at Sun Microsystems, have been working with Microsoft for the past several months on achieving interoperability between Java EE and .NET technologies. Web Services Interoperability Technology (WSIT, a.k.a. Project Tango) is Sun's Web services interoperability portal and provides all information on that effort. Earlier yesterday, we gave a demonstration of our work so far in the JavaOne 2006 keynote. The main point from the talk is that the Project GlassFish community and Windows Communication Foundation make interoperability a reality TODAY.

A video clip of the keynote demo is available HERE. This clip starts with our keynote presentation where Nick Kassem explains the business scenario, which shows how Web services technologies enable integration within and across business boundaries. Watch me explaining the development environment to Jeff Jackson from 3:46 to 4:48. All the tools and technologies used in the demo are available today. And then Kirill Gavrylyuk shows an interoperability demo between InfoCard and Sun's Secure Token Service. A picture is worth a thousand words; here is a graphical representation of the scenario.

On the right, a Retail Quote Service (RQS), running in a Sun-managed environment, uses a Wholesale Quote Service (WQS) to serve car quotes to the Java and WCF consumers shown on the bottom left. RQS also gets competitive bids from a WQS running in a Microsoft-managed environment. The clients talk to the RQS using secure MTOM; RQS talks to WQS using a secure and reliable connection. Each managed environment has its own identity provider, also known as a Secure Token Service, or STS for short. A trust relationship between the two environments is enabled by an a priori trust relationship between the two STSs.

We also plan to share the demo code in the near future and I'll post another blog when it's available.

Check out some of the pictures I took at JavaOne on Tuesday. This picture shows me, Nick and Kirill.

More information on the GlassFish interoperability project is available here.  Arun gives a number of other download links in the full posting.

I'm sure I'm not alone in applauding Sun's work towards identity interoperability and their readiness to collaborate with others of us in the industry to get to an identity metasystem.  As an industry we've come a long way in the last year or two.  All will benefit.  This really represents progress in getting to the Identity Big Bang and the intelligent environment.  Kudos to all those at Sun and Microsoft who made this happen.

 

INEBRIATION AND THE LAWS OF IDENTITY

Paul Toal, Principal Architect for a UK based IT security company, has posted one that makes the mind churn: 

Not long ago I was on a night out with some work friends. As is customary on these nights out, we ended up at a casino. Don't get me wrong, I'm not a hardened gambler. I only go to eat the free sandwiches and spend my £20 spending money :-)

However, back to the story. This particular casino was not one that I had been to before and as a result I wasn't a member. “No problem” I was told by the lady behind the counter. Your friend who is a member can sign you in as a guest. I was asked if I wanted to join and politely (and drunkenly) declined. “We need some identification. Can I have your driving licence?” said the lady. Dutifully I handed it over expecting her to have a quick glance and pass it back.

However, instead of the courteous check, off she trotted to the back room with my licence. A few minutes later, back she came and gave me my licence back with absolutely no explanation of where she had been. Upon asking her, I was told that she had taken a scan of my licence and would retain it on record.

In my slightly inebriated state I thought nothing of it. However, the next day, after the hangover had subsided, this started to bother me.

1) How do I know what they are going to do with that?

2) How long are they going to retain my information?

3) Who within their organisation has access to that information?

Since my licence is a trusted proof of identity, it worries me that it is kept on file at some casino. In the UK we have the Data Protection Act 1998, which protects against misuse of personal data, but how do I know that this is adhered to within this casino?

At one time or another I think we have all been guilty of handing over our personal information without too much regard as to what the person requesting it is going to do with it. In that one transaction alone, I broke at least the first 3 laws of Kim Cameron's 7 laws of Identity!!

I don't want to give anything away by appearing to be too much of an expert on European casinos, but the experience Paul describes is not wholly unknown to me – except it was my Passport that was whisked away.  From conversations I have had during some quintessentially bizarre and momentary winning streaks, I think Paul would be surprised at the kind of international databases that are maintained. And it would be really fascinating to see how, for example, the European privacy legislation has impacted the Casino Royale – or the local hotel.  Can anyone tell us?

Meanwhile, I wonder if there is some blood alcohol level after which informed consent no longer applies?

WHAT ARE 20 MILLION SSN'S BETWEEN FRIENDS?

From Gunnar Peterson at 1 raindrop…

This is ridiculous. Yahoo:

“Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

“Nicholson said there was no evidence the thieves had used the data for identity theft, and an investigation was continuing.”

Sure, they are probably just using it as a test bed for arbitrarily large data sets for a charitable open source project.

Ramona Joyce, spokeswoman for the American Legion, agreed that the theft was a concern. “In the information age, we're constantly told to protect our information. We would ask no less of the VA,” she said.

Nicholson declined to comment on the specifics of the incident, which involved a midlevel data analyst who had taken the information home to suburban Maryland on a laptop to work on a department project.

“I want to emphasize there was no medical records of any veteran and no financial information of any veteran that's been compromised,” Nicholson said, although he added later that some information on the veterans’ disabilities may have been taken.

Sen. John Kerry, D-Mass., who is a Vietnam veteran, said he would introduce legislation to require the VA to provide credit reports to the veterans affected by the theft.

“This is no way to treat those who have worn the uniform of our country,” Kerry said. “Someone needs to be fired.”

Sorry, but firing people is not going to fix this problem. Instead, maybe GWB could increase his popularity by adopting Pete Lindstrom's modest plan to Eliminate the SSN Facade. And while we are at it, why not write the Laws of Identity into the Constitution? Ok, maybe not on that last one, but how about we use the Laws in the systems we build?

Regular readers know I am a great fan of the “there was no evidence the thieves had used the data for identity theft” line.  Oh.  And just one more thing.  Please refrain from taking the munitions home with you for the weekend. 

IF YOU PRICK THEM, DO THEY NOT BREED?

Paul Madsen's ConnectID takes me to task in a piece called “If you prick us, do we not breed?” 

It seems Microsoft does not believe we Canadians have children.

Perhaps this is part of ‘the plan’, discourage non-Americans from population growth by turning off for us all software features that facilitate family-based identity management? Brilliant!

For myself, simply knowing that I'd be on my own in the raising of additional offspring makes me feel less inclined to do my “bit” for Canada.

Or maybe this is directly at Kim‘s instigation? Some long festering grudge against his homeland? Was he forced to go to the States for some two-tier medical procedure and carries his resentment to this day?

Some might have dismissed this complaint as being merely specious, but out of completeness I did a search and found this shocking statistic:

Canada's birth rate fell two years ago to its lowest level since 1921, when the agency began keeping records, according to Statistics Canada.  The federal agency said on Monday that Canada's “crude birth rate,” which measures the number of live births per thousand Canadians, fell to 10.5 in 2002.

The rate declined by slightly more than a quarter in the decade between 1992 and 2002, according to the report.

In 2002 Canadian women gave birth to 328,802 babies, down 1.5 per cent from the year before. It was also the eleventh decline in 12 years.

Canadians, I am confident that it was not the conscious intent of my colleagues in Windows Live to further erode the Canadian birthrate.  And remember that the statistics cited date from before the NHL strike, which left the nation – rather, nations – with nothing to do on Saturday nights, meaning the situation may well be on the mend – even without my intervention.  Nonetheless, I'll check into this and get back to you.  Personally I take it as a good sign that there is some differentiation between what is served up in the various markets.

Speaking of Windows Live ID, a lot of thinking and refinement has been going on there recently with respect to identity.  My colleagues have written a white paper which I'll share with you over the next few days.

IBM RESEARCHER REJECTS UK IDENTITY CARD SCHEME

From techworld.com, here is a piece on a leading IBM researcher who has reached the same conclusions I have in evaluating the design of the current proposal for UK identity cards.  Putting privacy issues aside for a moment – as important as they no doubt are – he is repulsed by the design from a security point of view.

He couldn't be more right.  My central “aha” in studying the British government's proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems.  A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved.  The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

The starting point for a security thinker is that there will be perforations.  In low value systems, the breach will come from neglect.  In a high value system, there will be conscious attacks mounted both from without and within, and one must assume that one of these will succeed.

Our art consists in reducing the frequency of such perforations, and – once a breach occurs – minimizing the damage that is done.  The current British proposal masterfully maximizes such damage, like a fire extinguisher full of gasoline.

IBM researcher Michael Osborne, whose job is research into secure ID cards, slated the UK government's ID cards scheme on the grounds of cost, over-centralisation, and being the wrong tool for the job.

Based in Big Blue's Zurich research labs, where the scanning tunnelling microscope was invented and won its inventors a Nobel Prize, Osborne said that the problem is neither the cards nor the fact that the scheme is intended to use biometric technology.

The big issue is that the UK government plans to set up a central database containing volumes of data about its citizens. Unlike other European governments, most of whom already use some form of ID card, the central database will allow connections between different identity contexts – such as driver, taxpayer, or healthcare recipient – which compromises security. Centrally-stored biometric data would be attractive to hackers, he said, adding that such data could be made anonymous but that the UK Government's plans do not include such an implementation.

Osborne added that biometric technology is still immature. “It's not an exact science”, he said. In real world trials, some 10 per cent of people identified using iris recognition failed to enrol – which means the system didn't recognise them. Even fingerprinting is no panacea, as four per cent failed to enrol. Scale that up to a whole population – the UK contains nearly 60 million people – and the problem of biometric identification becomes huge, he said.

Osborne also criticised the government for the potential cost of the system. He said that it will cost a lot more than anyone thinks, pointing out that a project of this size hasn't been tried before, so the government's projected costs are not necessarily accurate.

Finally, Osborne also used a dozen criteria, including whether or not such a system is mandatory or time-limited, to show that on all but two, the UK Government's scheme fails – even before controversial civil liberties issues are considered.

And as for whether ID cards are the right tool to defeat terrorists in the first place, security expert Osborne said: “ID cards won't solve the problem because terrorists don't care about identification – and they'll have valid IDs anyway. The issue is the central database.

“But no-one knows if it'll work, or if it'll be accurate enough – it's more about perceived security than actual security.”

Osborne suggested an alternative, which involved keeping the data on the card. With such a system, only the template is downloaded and identity processing happens on the card using Java and local data rather than using centralised storage and processing.

He added that since terrorists wanted to be identified, having an ID card was unlikely to be a deterrent. “However, in some previous studies, some criminals were found to be deterred by the need to possess an ID card.”

Osborne's remarks were made in a personal capacity during a visit to the Zurich labs, and did not reflect IBM's corporate viewpoint.

Just by the way, I always have trouble with the “in a personal capacity” disclaimer.  Michael Osborne presumably says the same things about the matters in which he is expert whether at work or not.  IBM should just let him speak freely as the researcher that he is – and learn, as should we all, from what he says.
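To make the compartmentalization point concrete, here is an added example in Python. It is my illustration, not the UK scheme's design and not Osborne's proposal. It contrasts a central store keyed on a single citizen identifier, where a thief holding two leaked tables can join driver and healthcare records directly, with a store in which each context holds its records under a pseudonym derived with HMAC-SHA256 from the issuer's master secret, the citizen identifier and the context name. The citizen records, the context names and the master secret are all constructed for the example; the issuer can still recompute any pseudonym, but the leaked tables alone no longer join.

```python
import hashlib
import hmac
import secrets

# Constructed contexts and records for the illustration; not real data.
CONTEXTS = ("driver", "taxpayer", "healthcare")

SAMPLE_CITIZENS = {
    "citizen-0001": {"driver": "licence A1", "taxpayer": "tax ref T1", "healthcare": "GP surgery H1"},
    "citizen-0002": {"driver": "licence A2", "taxpayer": "tax ref T2", "healthcare": "GP surgery H2"},
}


def context_identifier(master_secret: bytes, citizen_id: str, context: str) -> str:
    """Per-context pseudonym: HMAC-SHA256 over (citizen_id, context) keyed with
    the issuer's secret. Without the secret, the pseudonyms for two contexts
    are unrelated strings, so leaked tables cannot be joined on them."""
    message = f"{citizen_id}\x00{context}".encode()
    return hmac.new(master_secret, message, hashlib.sha256).hexdigest()


def build_central_database(citizens: dict) -> dict:
    """The steel ship with no compartments: every context is keyed on the
    same citizen identifier, so one leak links them all."""
    db = {ctx: {} for ctx in CONTEXTS}
    for citizen_id, record in citizens.items():
        for ctx in CONTEXTS:
            db[ctx][citizen_id] = record[ctx]
    return db


def build_compartmented_database(master_secret: bytes, citizens: dict) -> dict:
    """Each context stores its records under that context's pseudonym only."""
    db = {ctx: {} for ctx in CONTEXTS}
    for citizen_id, record in citizens.items():
        for ctx in CONTEXTS:
            db[ctx][context_identifier(master_secret, citizen_id, ctx)] = record[ctx]
    return db


def join_contexts(db: dict, ctx_a: str, ctx_b: str) -> dict:
    """What an attacker holding two leaked tables learns: the pairs of records
    that share a key across the two contexts."""
    shared = db[ctx_a].keys() & db[ctx_b].keys()
    return {key: (db[ctx_a][key], db[ctx_b][key]) for key in shared}


def issuer_lookup(master_secret: bytes, db: dict, citizen_id: str, context: str):
    """The legitimate path: only the holder of the secret can find a citizen's
    record in a given context, and only for that context."""
    return db[context].get(context_identifier(master_secret, citizen_id, context))


def demo() -> tuple:
    """Returns (records linkable from the central leak, records linkable from
    the compartmented leak) for the two sample citizens."""
    master_secret = secrets.token_bytes(32)  # constructed issuer secret
    central = build_central_database(SAMPLE_CITIZENS)
    compartmented = build_compartmented_database(master_secret, SAMPLE_CITIZENS)
    linked_central = len(join_contexts(central, "driver", "healthcare"))
    linked_compartmented = len(join_contexts(compartmented, "driver", "healthcare"))
    # The issuer, holding the secret, still reaches the right record.
    assert issuer_lookup(master_secret, compartmented, "citizen-0001", "healthcare") == "GP surgery H1"
    return linked_central, linked_compartmented


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. First, the pseudonym hides only the join key: if the records themselves carry quasi-identifiers such as date of birth and postcode, the tables can still be linked on those, so compartmentalization has to be applied to the payload as well as the key. Second, the master secret becomes the one thing whose compromise re-links everything, which is why it belongs in an HSM under split custody; and the issuer itself can still correlate contexts at will, so this limits the blast radius of a leak rather than the operator's power, which is the point Osborne's "anonymised biometrics" remark was driving at.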

 

VERISIGN INTRODUCES NEW PERSONAL IDENTITY PROVIDER

Via Paul Mooney at dotnetjunkies here's news about a free personal identity provider from Verisign.  It's great to see a bunch of talented people at Verisign throwing their weight behind Identity 2.0.  The identity metasystem can only result from the confluence of all of our efforts – and here I'm speaking not only of vendors, but of writers, architects, top management and technical leaders all across IT.

I had a nice chat with Mike Graves of VeriSign at the Syndicate Conference yesterday. I've met many people who work for VeriSign, but this is the first time I talked to one with a blog.

Mike was part of the Authentication and Feeds breakout and I asked him if VeriSign would ever come out with a five dollar certificate – how about free – was his reply.

So I checked-out Mike's blog and found out about it:

Introducing the VeriSign Personal Identity Provider (PIP)

You're invited to visit and try out a beta version of an identity service we've provided. It's called the VeriSign Personal Identity Provider.

What Can I Do With The VeriSign PIP?

When you register at the VeriSign PIP, your user name is used to generate a unique URL for your profile. My username is “mgraves”, so my OpenID is “http://mgraves.pip.verisignlabs.com/”. Now when you go to a site that supports OpenID, you can provide your OpenID, and use it instead of having to register separately for each site.

InfoCard will arrive with Windows Vista, so PIP is an opportunity for us to get to learn about what's required for identity, trust and authentication.

HOMELAND SECURITY PRIVACY OFFICE SLAMS RFID TECHNOLOGY

Here is a story in CGN.com on a new report from Homeland Security on the privacy implications of RFID.

The Homeland Security Department’s Privacy Office has issued a draft report from a technology analysis group that strongly criticizes the personal privacy and security risks of using radio frequency identification device units for human identification and says the technology offers little performance benefit over competing methods.

The Privacy Office is seeking comments on the report, which are due by May 22.

The department’s Emerging Applications and Technology Subcommittee of the Data Privacy and Integrity Advisory Committee prepared the report, which is titled “The Use of RFID for Human Identification.”

The critical report comes against the background of a continuing debate within the department over the security and privacy issues surrounding the use of RFID technology to identify people at border crossings.

State and DHS are considering the benefits of establishing a single RFID standard for an array of border-crossing credentials. They include:

  • The SENTRI and Nexus trusted traveler cards
  • The “laser visa” Mexican Border Crossing Card
  • The Free and Secure Trade card for truck drivers

The People Access Security Service card now being developed will comprise a “passport-lite.”

In addition, the U.S. Visit program is promoting the use of nonsecure RFID technology to identify foreigners carrying I-94 immigration forms as they leave the country.

But the draft report roundly condemns RFID technology, stating that it can be used to monitor human behavior. The report endorses the use of RFID for miners and firefighters in dangerous situations.

“Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example) but can in fact be used for monitoring human behavior,” the report states.

“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings,” the report continues. “When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.”

The report goes on to specify various ways in which information stored on RFID tags can be compromised or improperly used for human surveillance. It notes that RFID units can slightly reduce the delay when people pass through checkpoints, but says “Against these small incremental benefits of RFID are arrayed a large number of privacy concerns.”

The report proposes methods to be used when deciding whether or not to use RFID technology and best practices to maintain privacy in RFID systems used to track humans.

Industry representatives have been at pains to distinguish between insecure RFID technology and the secure technology that they refer to as contactless smart cards. Both technologies use radio frequency transmission to transfer data.

Neville Pattinson, director of Technology & Government at Axalto Inc. of Austin, Texas, offered a representative comment from the smart-card industry. He welcomed the public comment period on the report.

“It’s inappropriate to use RFID technology for tracking and authenticating identities of people,” Pattinson said.

“You can think of RFID as an insecure barcode with an antenna. In contrast, not everything that uses radio frequencies is RFID,” Pattinson wrote in an e-mail comment on the report.

“Wireless computers and mobile phones use radio frequencies too, but they’re secure devices because they contain computers and are securely associated with individual identities over networks,” he wrote.

According to Pattinson, contactless smart-card technology is not the same as RFID. He compared contactless smart cards to secure wireless computers.

“Contactless smart cards are suitable for identifying individuals because the technology has all of the security features to protect the privacy of the individual and secure the identity of the individual in identification applications,” Pattinson wrote. “Contactless smart cards are the appropriate technology to uphold privacy and security.”

I have looked into the contactless cards and it appears they can be programmed to be compatible with the Laws, especially Law 4.  But as the industry moves towards contactless cards, their very flexibility will make it hard to discern which specific implementations obey the Laws, and which ones don't.  It's my view that we will need a set of objective criteria which contactless cards will have to meet in order to be deemed acceptable, and these criteria will have to be broadly vetted by the privacy community before moving forward.

This said, it is most encouraging to see Homeland Security paying so much attention to these issues, which deeply affect not only our privacy, but our individual security.
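The distinction Pattinson draws, between a tag that is "an insecure barcode with an antenna" and a card that "contains a computer", comes down to whether the device can answer a fresh challenge or can only repeat a fixed identifier. Here is an added example in Python that models both over a simulated radio link. It is my illustration and not a model of any particular RFID product or contactless smart card standard; the UID, the key, the reader's enrolment table and the HMAC-SHA256 challenge-response protocol are all constructed for the example. A reader that trusts whatever UID it hears accepts a clone that replays one sniffed read; a reader that demands a MAC over its own nonce rejects the replayed transcript and the keyless tag alike.

```python
import hashlib
import hmac
import secrets

UID_LEN = 8  # constructed identifier length for the simulation


class StaticTag:
    """Pattinson's 'barcode with an antenna': answers every read with the same
    fixed bytes. Anyone who has read it once can replay it."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid  # the reader's challenge is ignored entirely


class ChallengeResponseCard:
    """A card with a processor and a key that never leaves it: it proves
    possession of the key by MACing the reader's fresh challenge."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key  # stays on the card; only the MAC goes over the air

    def respond(self, challenge: bytes) -> bytes:
        proof = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid + proof


class ReplayClone:
    """An attacker's device loaded with one transcript sniffed from a genuine
    tag or card. It can only repeat what it recorded."""

    def __init__(self, recorded_response: bytes):
        self.recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


class Reader:
    """require_proof=False is a reader that trusts any enrolled UID it hears;
    require_proof=True is one that demands a valid MAC over its nonce."""

    def __init__(self, enrolled: dict, require_proof: bool):
        self.enrolled = enrolled  # uid -> key, or None for a keyless tag
        self.require_proof = require_proof

    def authenticate(self, device) -> bool:
        challenge = secrets.token_bytes(16)  # fresh nonce for every read
        response = device.respond(challenge)
        uid, proof = response[:UID_LEN], response[UID_LEN:]
        if uid not in self.enrolled:
            return False
        if not self.require_proof:
            return True  # 'barcode' policy: the UID alone is enough
        key = self.enrolled[uid]
        if key is None:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def sniff(device) -> bytes:
    """Eavesdropper captures one complete response to some reader's challenge."""
    return device.respond(secrets.token_bytes(16))


def demo() -> dict:
    """Runs the four cases; every value is expected to be True."""
    uid = b"\x01" * UID_LEN          # constructed UID
    key = secrets.token_bytes(32)    # constructed card key
    tag = StaticTag(uid)
    card = ChallengeResponseCard(uid, key)
    naive = Reader({uid: None}, require_proof=False)
    strict = Reader({uid: key}, require_proof=True)
    return {
        "naive_accepts_tag": naive.authenticate(tag),
        "naive_accepts_tag_clone": naive.authenticate(ReplayClone(sniff(tag))),
        "strict_accepts_card": strict.authenticate(card),
        "strict_rejects_card_replay": not strict.authenticate(ReplayClone(sniff(card))),
        "strict_rejects_static_tag": not strict.authenticate(tag),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat that matters for the Laws: even the challenge-response card above announces a fixed UID in the clear to any reader that asks, so it defeats cloning but not tracking. Authentication strength and Law 4 are separate properties, and a card that only ever reveals a stable identifier to readers it has first authenticated would be the kind of objective criterion called for above.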