Serious cardmaking

Kevin Hammond ups the ante on how to put a graphic on your infocard.  His reference to my card makes me blush – I just “borrowed” a graphic that had been assembled by one of the computer journals, not having any idea of how one would make it.  One day I'll find the time to play with the cool technology he is talking about.

There's a lesson here though.  When people start hand-tailoring their cards, it becomes impossible for “phishing software” to successfully perform social engineering attacks that trick people into thinking a fake CardSpace interface is real.  The phisher has no idea of what kind of graphic or what kind of photo the user has created – so it just can't do a believable impersonation.  The result is that the user immediately recognizes something is very wrong.

I've been getting my feet wet with Windows CardSpace and my self-issued card. In watching Kim Cameron's demonstration of how he integrated CardSpace with WordPress, I saw his nifty looking card with his portrait on it. Right then and there I decided I too must have one. What do you think of the results? Here's how I did it.

I made a self portrait with my Canon EOS 20D and an EF 50mm f/1.8 II lens.  I extracted the headshot with Photoshop CS2’s Extract filter, did some complexion touch up and resized it to what you see here, about 60×64 at the shoulder. I created a new 120×80 image according to the guidance provided by Vittorio Bertocci in his great article about how images are mapped onto cards. From here, it's all a composite. There's a layer for the black rectangle across the bottom, a layer for the gradient background, a layer for my portrait, and a layer each for the text. It took some experimenting with fonts and text transformation to arrive at the setting you see here – by far the largest part of this entire exercise. My Layers palette is reproduced here for your reference. Frankly, I'm surprised by the result because I'm by no means a Photoshop guru. But I think I now have something cool to liven up casadehambone.com with!

Vista does one annoying little thing in the reflection it places on the top third of the card when it renders it within the Windows CardSpace UI. I can see how they're trying to be cool, but I think it detracts rather than adds to the overall experience.

ARCAST adds transcripts

I got a note recently from Ron Jacobs, host of Channel 9’s ARCast, telling me that they have added transcripts to their “more popular” ARCasts.  Somehow that included a very early one on the Laws of Identity. Ron is great fun, and has a cave of a studio that really makes you feel like you're “on the air” – though being digital, he is of course post-air…

Let me be the one to say it:  Reading the transcripts I wish a) I were more articulate, and the transcriber a bit more tuned into my perhaps overly informal style; and b) everything published on the internet wasn't going to be around forever.  But I'm not, and it will, and so we all soldier on.

Ron

Hi this is Ron Jacobs and welcome to our talk today. I’m joined by Kim Cameron who is an architect in Windows Identity and access management area. I guess I’d say how’s it going Kim?

00:47.11

Kim Cameron

It’s just great.

01:7.31

Ron

And and so, that’s really interesting. I didn’t realize that we had a whole group that is focused around identity and access management in Windows.

01:8.43

Kim

Oh sure, because we have things like Active Directory, you know meta directory integration services and all that sort of stuff. So different ways of being able to find out who you are dealing with inside a Windows environment. So when you for example login to Windows, you know, somebody's got to write that stuff

01:17.11

Ron

Yeah oh yeah, I’m glad you are because you know

01:36.98

Kim

It’s not me though

01:40.08

Ron

OK well (laughs)

01:40.73

Kim

It’s our, it’s our group

01:42.51

Ron

Your group… yes, but you are the architect. You’re the guy that like in Matrix who wheels around and says I’m the Architect

01:43.96

Kim

Yeah, Yeah, I’m responsible for what's wrong and what's bad about it,

01:51.00

Ron

Okay… Now you’ve come up with this real interesting thing that we are going to talk about today called the Laws of Identity. And I love; I love these kinds of things. There are seven laws of Identity that you’ve written down on your, on your wonderful blog which I have to plug: it’s www.identityblog.com

01:55.93

Kim

I love you…

02:16.72

Ron

Well you can return the favor and plug this show later

02:17.50

Kim

I’ll I’ll

02:22.18

Ron

I love concise lists like this because they kind of formalize a lot of random thinking that goes on. How did you come up with this list?

02:22.90

Kim

Well you know I was … Have you been ever to one conference too many?

02:33.30

Ron

I have … yeah

02:38.10

Kim

So you know I was there and I just was listening to the way the discussion was going and it occurred to me that we don’t really have a framework that allows us to restart the discussion about identity anywhere except from the beginning each time we have it. Sort of like back to the beginning, rewind, and we start again. And all the words mean different things to different people and basically there is… so as a result everybody ends up discussing little technical nits instead of the real concepts that are behind these things. So I figured … is there some way that I can actually reset the conversation or or… well the same time I was just starting to blog and I didn’t really know anything about it … which was a good thing… and I didn’t have anything to write about so I was going … you know… I wondered what would happen if I started this discussion in about. How we get a real … you know… a set of concepts that we can reuse so we don’t always have to go back to square one. And do that with the web… so… it was kind of … it was just a … sort of… experimental, trying to figure it out kind of thing.

02:38.96

Ron

Yeah and I guess a few people have noticed this now and so started showing up in various conferences and slide decks and that sort of a thing right?

03:57.92

Kim

Yeah it’s really bizarre because first of all I was thinking that I’ll start a blog and then maybe a year from now or something people will start to read it.

Lots more where this came from…

What I really like about this is that podcasts become searchable within text engines.  So thanks, Ron.

Ontario Privacy Commissioner extends the Laws of Identity

Here is a post from the Toronto Globe and Mail's Jack Kapica on a development I'll be writing about over the next couple of days – the Ontario Privacy Commissioner's active support for those of us in the industry building an identity metasystem with “embedded” privacy.  This is a remarkable turn of events.

Dr. Cavoukian is one of the preeminent voices for privacy world-wide, and her early and active involvement will help ensure we technologists continue to go in the right direction.  I'll be podcasting her press conference and address to the International Association of Privacy Professionals (IAPP) Conference being held this week in Toronto, Canada.  She has also agreed to share the remarkable documents she and her colleagues have produced to tease out the privacy implications of the Laws of Identity.

Anne Cavoukian's work extends the conversation into a whole new milieu.  And what could be a more auspicious beginning than the vote of support from Jack Kapica, widely known and respected for his careful vetting of all things technological.

Ann Cavoukian, Ontario’s clear-eyed Information and Privacy Commissioner, is onto something very big after endorsing the Seven Laws of Identity, developed under an initiative headed by Microsoft, which she did at a press conference this morning. Using a form of Microsoft’s own strategy, she has embraced and extended those laws in a way that might change the Internet forever, and maybe even help stop spam.

The seven laws of identity were formulated through a global dialogue among security and privacy experts, headed by Kim Cameron, Microsoft’s Chief Identity Architect. With Cavoukian’s spin, they describe a system in which a set of digital identity cards would keep personal information distinct from information needed for verification.

And no, the seven laws are not Microsoft’s property — anyone can use them. But a form of them will ship with Microsoft’s Vista, its next version of Windows, due for release in January.

Cavoukian and Cameron hint that the system ought to provide the best defence against spam I’ve yet seen. The idea is that while on-line, users can control their personal information, minimize the amount of identifying data they reveal, minimize the links between different identities and actions and detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.

While Cavoukian’s proposal, called Seven Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, is primarily intended to protect privacy and make on-line commerce safer, it could also kill e-mail from those villains who sell snake oil and pump penny stocks by sending you e-mail from fraudulent return addresses.

Cavoukian was one of the first non-technologists to grasp the link between on-line identity management and privacy, and has a better understanding of technology than most people do. Kim Cameron, a former Torontonian who has been a personal friend for almost 30 years (he wrote the software that ran the original Globe and Mail books bestseller list), is another great visionary. The combination of the two should make an enormous impact on technology and commerce if the world takes notice.

With uncharacteristic overstatement, Cavoukian says that once a universal method to connect identity systems and ensure user privacy is developed, there will be an “Identity Big Bang.”

I wish them both the best of luck.

Reading Jack's piece I remember the old days we spent together – and how hard we worked to make sure the Bestseller List was scrupulously scientific and objective.  That's the kind of guy Jack is.  There's real honor there.


Seems we agree

I have to answer Kveton's response to my last posting just because he answered my answer as fast as I answered his! 

Kim: you’re officially the fastest person in the world at responding to blog posts … 🙂

Yes, could this be a problem you create when it gets too easy to log in?

But wait, Kveton continues:

I’ve always said I’m for interoperability … heck, I’ve made a living at it. Choice for the user is always a good thing.

My answer? You build interfaces and test them. You look at the numbers. You test phishing approaches on a wide assortment of people. You find out what works and doesn’t, and keep evolving the interface. If we take this as a starting point, we’ll all end up agreeing.   

The problem with redirection within the conventional browser is there is no way to know for sure where you’ve ended up – especially if you aren’t a network engineer.

I actually think we’re in agreement here; we both want to find the best experience for end-users and it’s going to require their involvement to make that happen. Just as InfoCard may not be the end-all-be-all, so too could be the same for OpenID. Either way, both move the ball forward and conversations are happening to make sure interoperability occurs.

There is wisdom in this. But if Kveton is against giving the InfoCard visual metaphor a try, then I don’t get it. It does nothing to undermine OpenID.

I’m all for trying the InfoCard visual metaphor. I’m just trying to figure out how you drive adoption of such a different paradigm, hence my comments on iterative development and the OpenID process.

Those are all legitimate concerns.  I'm trying to do a lot in one go.  I realize it is “somewhat ambitious”.  But what have personal computers been about since the get-go?  Haven't they always seemed ambitious?

Meanwhile Pamela Dingle posted another comment to which I subscribe as well:

Heaven forbid we ever end up with only one solution anyways — how dead boring would that be?

I’m glad there is choice & competition in this area – it means that nothing is being shoved down anyone’s throat, and that the field is still open for further improvement. It also means that nobody is taking the direction for granted, which I think is a healthy thing. Not to mention, it makes identity conferences ever so much more exciting :)

Agreed.  And there's lots of room to keep innovating for a long time.

BBAuth and OpenID move identity forward

I read this piece by Scott Kveton and wanted to make it clear that my concerns about user experience when using protocols that redirect you from site to site to site were not meant to put down the positives that both those technologies represent. 

I think BBAuth and OpenID both move identity forward.  Count me in as supporting that.

I'm just saying that I think we should co-operate to fix the redirection user experience, and replace it with something that is way less phishable. 

Scott says:

Lots and lots and lots and lots of discussion going on regarding BBauth and OpenID 

Kim Cameron had an interesting post today concerning the interface issues with BBauth as well as OpenID:

My concerns really originate with the user interface issues. And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).

I appreciate Kim’s passion about InfoCards and the concept of a consistent user interface. I think it’s a fantastic idea. So let’s be pragmatic about it. We’re here today: no consistent user interface, lots of usernames and passwords and phishing is a huge problem. We want to get here: consistent user interface, one username and password and phishing becomes a thing of the past. Great. Where do we start? I don’t think InfoCard is the answer. Let me explain.

How do we know InfoCard provides a great interface for users? When I first saw and used an InfoCard it freaked me out. “What the heck is popping onto my screen?!” Talk about a paradigm shift. Answering the this-is-a-great-user-interface question is an iterative process. It takes time and lots and lots of user input.

My answer?  You build interfaces and test them.  You look at the numbers.  You test phishing approaches on a wide assortment of people.  You find out what works and doesn't, and keep evolving the interface.  If we take this as a starting point, we'll all end up agreeing.

The problem with redirection within the conventional browser is there is no way to know for sure where you've ended up – especially if you aren't a network engineer. 

The fact is we have no idea how users are going to use user-centric identity so how can we make assumptions about the user interface today that aren’t iterative?

But if this type of SSO were to become a massive success, that success would bring about its downfall. For it would then be worth attacking and very vulnerable at the same time.

If something like OpenID or BBAuth takes off, there won’t be a downfall. The platform will continue to evolve and get better. Is InfoCard the final and complete answer? We have no idea. The real question is which platform is best suited to constant evolution? Like Kim is a broken record about InfoCards (his words, not mine), I’m the same way about OpenID … 🙂 I believe OpenID is best suited to this kind of evolution.

Sorry – the redirection aspect of the incremental UI is still, in my view, vulnerable.  None the less it's a step forward from where we are today.  I'm not arguing that InfoCard is the final word on anything.  I'm arguing that it helps you deal with multiple identity providers, eliminates “redirection attacks”, prevents the evil site from being in control of the user experience.  Surely these can't be seen as bad things?  OpenID could take advantage of them by including support for that interface.

Kveton concludes: 

OpenID is incremental by its nature. It’s not a quantum leap. It’s a URL. Users today are starting to think more and more in terms of URLs … just ask a MySpace or blog user (I have cold hard data on this one; my babysitter is a MySpace user). It’s iterative. We’re not trying to boil the ocean in the first go at this. We don’t know how users are going to use this thing. So let’s make the fewest number of assumptions for the users before we deliver something. Watch how they use it, find out what makes sense. Repeat.

A lot of users will be fine with URLs for their public personas.  But I fear they can still be phished during redirection.

Is BBauth, CardSpace or OpenID the end-all-be-all solution for single sign-on? Definitely not today. One thing is clear though; companies and users alike are seeing the value of user-centric identity and it’s slowly but surely happening; CardSpace, OpenID and BBauth are clear indications of this. This stuff doesn’t happen overnight but the ship is slowly turning in the right direction.

There is wisdom in this.  But if Kveton is against giving the InfoCard visual metaphor a try, then I don't get it.  It does nothing to undermine OpenID.


Hans gets more specific about Yahoo BBAuth

Several readers have asked me to comment on the recent post by Verisign's Hans Granqvist about “security problems in BBAuth”.  He writes:

I have had concerns about Yahoo!’s choice of security of BBAuth. Jeremy Zawodny responds to my posting to ydn-auth list:

“While I can’t comment on the choice of algorithm, I can say that some of the technology used in BBAuth was not developed solely for use with BBAuth.”

Okay, fair enough.

But then he continues:

“In other words, we’re reusing some existing stuff that’s been tested in the field and proven to work well for our needs.”

Now, this doesn’t sound right. Not at all.

MD5 has been broken for a few years now. According to Ferguson’s and Schneier’s Practical Cryptography it’s possible to find MD5 collisions in 2**64 evaluations (using the birthday paradox). This was too easy in 2003, and it sure is not more difficult now.

Be that as it may. Perhaps these collisions are purely academic.

What’s worse is the lack of a proper HMAC. In Yahoo!’s BBAuth, the MAC is created by hash(text + key) where ‘+’ denotes string concatenation.

This simplistic way of building a pseudo HMAC scheme is not secure. Readers of Practical Cryptography may want to turn to section 7.5 for more information. In short, tacking the key on to the end leads to key recovery attacks that are much easier to execute than they should be.

What scares me is that this broken scheme apparently is used in plenty of other Yahoo! products. I would not be surprised if there are attackers trying to exploit this weakness at this very moment.

My advice to Yahoo! is to change this to a proper HMAC right now. Other identity protocols, like OpenID, manage to require HMAC-SHA1 or HMAC-SHA256. There are OpenID libraries for all major programming languages available, so it’s definitely not too hard to implement.

My thinking?

I believe that when it comes to security, it's better to use an algorithm that has been widely vetted (like HMAC-SHA256), and to avoid creating new ones unless you really need to – or have a long runway to test them on.  I also think protocols should use algorithm identifiers.  With security, it may become necessary to migrate to new algorithms when we least want to, without blowing all the downlevel clients out of the water. 

But despite my “high-minded principles”, if you look at the actual content of what Hans calls “text” in the BBAuth protocol, it looks to me like it is full of entropy (a good thing): although it contains some fixed information, it also contains a token, which is variable and not calculable by an eavesdropper; a timestamp, which makes long-running attacks impossible; and a shared secret, which makes multi-site catalog attacks impossible.  So this is not toy cryptography given Yahoo's purposes.  That isn't to say Hans doesn't make some good points.
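To make the two constructions concrete, here is an added example (not Yahoo's, Hans's or this blog's code) that places the hash(text + key) shape beside a signature built the way recommended above: a vetted HMAC-SHA256 with an algorithm identifier and a timestamp carried in the signed text, so a verifier can retire or add algorithms without changing the wire format. The path, parameter names and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret for illustration; a real one comes from the provider.
SHARED_SECRET = b"example-shared-secret-not-real"

# Algorithm registry: identifier -> digest constructor.  Only vetted keyed
# constructions belong here; retiring one means removing it from the table,
# and adding a new one does not change the wire format.
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}
CURRENT_ALG = "hmac-sha256"


def weak_mac(text: str, key: bytes) -> str:
    """The shape criticised in the post: MD5(text + key), key tacked on the end.
    Shown only for comparison with the HMAC below; not for use."""
    return hashlib.md5(text.encode() + key).hexdigest()


def sign_request(path, params, key, ts, alg=CURRENT_ALG):
    """Sign a request URL with a keyed HMAC.  The timestamp and the algorithm
    identifier are part of the signed text, so the verifier knows which
    algorithm to run and can reject stale requests."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm id {alg!r}")
    text = f"{path}?{urlencode({**params, 'ts': ts, 'alg': alg})}"
    sig = hmac.new(key, text.encode(), ALGORITHMS[alg]).hexdigest()
    return f"{text}&sig={sig}"


def verify_request(signed, key, now, max_skew=300):
    """Verifier side: split off the signature, look the algorithm up by id,
    check the timestamp window, recompute the HMAC and compare in constant time."""
    text, sep, sig = signed.rpartition("&sig=")
    if not sep:
        return False
    fields = parse_qs(urlsplit(text).query)
    try:
        alg = fields["alg"][0]
        ts = int(fields["ts"][0])
    except (KeyError, ValueError):
        return False
    if alg not in ALGORITHMS or abs(now - ts) > max_skew:
        return False
    expected = hmac.new(key, text.encode(), ALGORITHMS[alg]).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    now = int(time.time())
    # Constructed parameters standing in for an application id and a per-session token.
    params = {"appid": "example-app", "token": "constructed-token-value"}
    print("weak MD5(text+key):", weak_mac("/auth?appid=example-app", SHARED_SECRET))
    signed = sign_request("/auth", params, SHARED_SECRET, now)
    print("signed:", signed)
    print("verifies:", verify_request(signed, SHARED_SECRET, now))
    print("tampered:", verify_request(signed.replace("example-app", "other-app"), SHARED_SECRET, now))
    print("stale:", verify_request(signed, SHARED_SECRET, now + 3600))
```

The verifier accepts only identifiers present in the registry, which is what lets an algorithm be phased out without blowing the downlevel clients out of the water all at once.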

My concerns really originate with the user interface issues.  And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).

I'm talking about the fact that users are redirected from one context to another quite different one.  We have found that systems that work this way introduce a lot of “noise” – let's call it ambiguity – into the channel between the system and the user. 

The user can be confused – by accident or, worse, on purpose. 

It's the “I'm-buying-a-movie-from-someone-but-now-I'm-at-Yahoo-and-now-I'm-not” problem.  In the midst of the redirections, the user can potentially be redirected to a wolf-in-sheep's-clothing, who can relieve her of her secrets and employ them for other purposes. 

Suppose that Google and MSN and AOL and eBay all do the same thing as Yahoo.  Then things would get really confusing for the user, wouldn't they?  As she visits different sites she would find herself redirected to a bunch of different home pages…  MSN here, AOL there, and who knows what else.  This kind of redirection is just not good from the point of view of users being certain about what's happening.  It's similar to getting a URL in an email.  This is one of the main reasons I think that a strong, consistent visual experience like InfoCards is key to building something safe, and why I want to see all of this converge.  But of course, everyone knows I'm like a broken record on this.

Some of my concerns may not matter much when it comes to controlling access to your photos.  But if this type of SSO were to become a massive success, that success would bring about its downfall.  For it would then be worth attacking and very vulnerable at the same time.  That's why I think it is best to combine it with the type of experiential system I've been talking about before any of these problems arise.



BBAuth and OpenID

From commented.org, here's a thoughtful piece by Verisign's Hans Granqvist on Yahoo's BBAuth:

Yahoo! released its Browser-based authentication (BBAuth) mechanism yesterday. It can be used to authenticate 3rd party webapp users to Yahoo!’s services, for example, photo sharing, email sharing.

Big deal, huh?

The kicker is this though. You can use BBAuth for simple single sign-on (SSO). Most 3rd party web app developers would love to have someone deal with the username and password issues. Not storing users’ passwords mean much less liability, much less programming, much less problem.

Now Yahoo! gives you a REST-based API to do just that.

It will be interesting to see how this plays out against OpenID. They are both very similar. Granted there is some skew: OpenID is completely open, both for consumers and providers of identity.

However, from my own experience, OpenID consumers (a.k.a. relying parties) seem to want only one thing, perhaps two or three:

  • have someone deal with your users’ passwords,
  • retrieve name and email address for a user

And now Yahoo! does the first, and the second is available. At the same time they’re making your app reachable to 257 million+ users. Here’s an example.

Seems a pretty big reason to implement it for the web app developer, especially since it is such an easy API you can integrate it in an hour or two.

And yet someone has added a sobering comment to Hans’ blog:

It will be interesting to see how long it takes for adoption to reach the point that no one thinks twice when a yahoo login pops up on another site. They'll be nice and ripe for password harvesting via fake yahoo login forms then. 🙂

Sadly, if I had written this comment I would not have included the happy face. Until the security concerns are addressed, despite Yahoo's very laudable openness, this is not a happy face moment.

But through Yahoo-issued InfoCards BBauth would avoid the loss of context that will otherwise lead to password harvesting.  It's a good concrete example of how the various things we're all working on are synergistic if we combine them.


Move over, Jeopardy! Watch out, Vegas!

Anyone who has heard Citigroup's Hilary Ward speaking at identity conferences knows Citi has the understanding and experience needed to launch a major league identity team.  And it looks like it's happening.  They have some very interesting new technology, and will be issuing high assurance certificates.

Beyond that, these folks have a sense of humor.

My friend Francis just sent me Citi's new Vegas Quiz game based around Identity and Digital Certificates.  

It will be played by visitors to the Citigroup booth at the upcoming Association of Financial Professionals (AFP) conference in Las Vegas.

Citi-id-challenge 

You must present a high-assurance digital certificate to win, so get ready!

The quiz is a real achievement in integration.  It's built with Windows Presentation Foundation – and uses digital certificate information read from Smart Cards or USB tokens.

The player's score is then written out to a Word document which in turn is signed using the digital certificate from the store. 

All joking aside, one can see that the real-world version of this will be a dynamite application in this world of SOX and increasing quality of process.

I'm also willing to bet this is the first application that combines high-assurance digital certificates with the Windows Presentation Foundation (formerly Avalon).

I can just imagine all this stuff integrated with InfoCards.


Rob Richards and a new WS-Security / InfoCard code base

Over the last while I've been lucky enough to have some conversations with a PHP web services guru from the northeast called Rob Richards.  He asked some very good questions about self-issued identities, which I wrote up and will be posting, and also answered a number of my questions about PHP. 

Besides being prolific and modest he kind of won my heart through a posting called I asked for a beer.  The photo at right shows what he got instead – city people, that is a bear, not a dog – and the story reminds me of all kinds of personal episodes too crazy for me to even think about at this stage.

But that's not the point.  He's been quietly doing amazing work that again shows how close we are to getting ubiquity with progressively more robust identity technology. 

Here is a posting that refers to slides from some talks he did at PHP|2006 in Montreal. 

The first was called Advanced XML and Web Services (with accompanying code), while the second was a good overview of XML Security that is so up to date it even covers Information Cards in excellent detail.

But wait, folks.  That's not all.  There's also the code base.  And the fact that he has InfoCard-enabled his Serendipity blog.

For the XML Security session, what people are probably most interested is the code used to implement WS-Security and possibly Infocards using PHP.

Security Library – Base XML Security library implementing XMLENC and XMLDSig functionality.
WS-Security library – WS-Security library for use with SOAP. Currently only implements client functionality and is missing the ability to encrypt SOAP data.
Example Usage of WS-Security – An example of interacting with the Amazon Elastic Compute Cloud (Amazon EC2) SOAP Service. Easily re-factored for use with other services requiring WS-Security.
Infocard Library – Base library for processing infocards.
Infocard demonstration – Demonstration of processing a submitted Infocard. The result is a SAML token along with a function to view submitted assertions. The form has NOT been updated to work with the recent namespace change, so modify the requiredClaims for use with IE7 RC1, Vista RC1 or .NET 3.0 RC1.

These libraries and examples contain unmaintained, yet usable code. They were developed only for testing while designing an API for C based code and most likely any extensions developed to perform the functionality will differ from the code provided here. There are many optimizations that can be made to provide better performance, so feel free to make any modifications you like. I may provide updates in the way of bug fixes if needed and might extend them a bit more if so inspired (such as adding encryption to the soap client or possibly handling of ws-security on the server side), but if anyone wants to take the code and run with it, please let me know as I would gladly provide help (time permitting).

It's really interesting to hear Rob is working on ‘C’ code as well.

Whobar identity 2.0 technology now available as open source

Not only does Whobar support InfoCards and related identity technology, but check this out:

Sxip is pleased to release the Whobar code to the community.

Whobar makes it easy for users to register and login to a website using their choice of emerging identity protocols such as InfoCard, i-names, and OpenID. It enables developers to easily add support of all these emerging Identity 2.0 technologies to their site. The benefit of this for users is a common website login experience. For web developers, it streamlines their user registration and login process so that they don’t need to store user passwords, nor do users need to remember yet another password, thereby improving site conversion ratios. Future releases will also allow users, if they so choose, to release data about themselves with a single click.

Given the interest shown at the recent DIDW and Future of Web Apps conferences from Phil Windley, Rafe Needleman, and others in the community, we’ve made the Whobar technology available as open source. Whobar is written in PHP, but works like a proxy, so that the web application can be in any language. However, we’ve also been contacted by several developers interested in contributing a port to C#/.NET so stay tuned for additional modules. If you’re interested in getting involved, please check out our contributing page.

Congratulations to the SXIP team.  When I saw this at the DIDW conference I thought it was amazing.  I'll do a video capture over the next few days so those who haven't downloaded Cardspace or a Chuck Mortimer / Ian Brown identity selector can see what it's all about.