Paul Madsen's Identerati greeting cards

Paul Madsen has submitted the following card set for standardization with the ITU. 

Ashish Jain has already asked if the various options will light up according to the policy requirements of the person to whom they are sent.

Paul has assured all those concerned that the preference URLs will be standardized through the UN.

Scotland's eCare wins award

Scotland's eCare has been recognised at an international awards ceremony on good practice in data protection.  On Tuesday, 11 December, the Data Protection Agency of the Region of Madrid awarded the eCare framework one of two “special mention” awards.  The aim of the annual prize is to expand the awareness of best practices in data protection by government bodies across Europe.

I'm really pleased to see the authors of eCare recognized. They have created a system for sharing health information that concretely embodies the kind of thinking set out in the Laws of Identity.

A Scottish Executive publication describes eCare this way:

The system is designed with a central multi-agency eCare store in a ‘demilitarised’ zone (hanging off NHS net), which links to the multiple back office legacy systems operating locally in the partner agencies. This means that each locality will have its own locally defined and unique approach.

All data shared is subject to consent by the client. The system users are authenticated through their local systems, and are only entitled to view the data of their clients. Clients can change their consent status, and as soon as this is logged on the local system the records cannot be viewed by the partner practitioners.

Benefits that the programme will deliver

The direct benefit to the citizen will be through improved experience of care. Single Shared Assessment, through electronic information sharing, will reduce the volume of questions repeatedly asked by professionals, as data will only have to be collected from the client once, then shared through the technology.

The Children's Services stream will focus on the delivery of an electronic Personal Care Record, an Integrated Children’s Services Record, and a Single Assessment Framework for sharing, to benefit both Scotland’s children, and care practitioners. Across the streams’ care groups, practitioners will save time, because core data will be shared, rather than gathered by multiple agencies. This will reduce the possibility of duplicated or inappropriate care. A more holistic picture of the client will be created, which will help to ensure services that more accurately meet peoples needs.

The principal deliverables of the Learning Disability stream are the development of integrated local service records, which will help planning across a range of services, and the piloting of a national anonymised database, which will enable the Scottish Executive to monitor implementation of ‘The same as you?’ initiative.

Ken Macdonald, Assistant Commissioner (Information Commissioner’s Office, which provided a note of support for the eCare application) has commented:

It is wonderful to see UK expertise in data protection being officially recognised in Europe for the second year running.  Recent events have highlighted the need to comply with the principles of the Data Protection Act and I am delighted to see the eCare Framework and the Scottish Government setting such a fine example to others not just in the UK but throughout Europe.

I hope the work is published more broadly.  From seeing presentations on the system, it partitions information for safety.  It employs encrypted data, not simply network encryption.  It favors local administration, and leaves information control close to those responsible for it.  It puts information sharing under the control of the data subjects.  It consistently enforces “need to know” as well as user consent prior to information release.  In fact it strikes me as being everything you would expect from a system built after wide consultation with citizens and thought leaders – as happened in this case.  And not surprisingly with such a quality project, it uses innovative new technologies and approaches to achieve its goals.

xmldap / openinfocard paymentCards

Axel Nennker from ignisvulpis has been enhancing the openinfocard identity selector – I'm hoping to catch up with him soon and learn more about where the project is headed.  Meanwhile this post is very interesting:

At DIDW 2007 I heard Sid Sidner talk about variable claims and how they could be used for online payment. Kim Cameron, who sat next to me during Sid's talk, suggested that I should include this into the openinfocard id selector. Today I uploaded two new applications to You can use the STS to create a paymentCard and import it into the openinfocard id selector:

Next go to the paymentCard relying party. You can change the price to see that the claim can be changed by the merchant. Type a new price into the input field and press enter. Next click on the paymentCard icon to start the openinfocard id selector:


 Select a paymentCard using the openinfocard id selector:


 The result looks something like this:


Please note the “trandata?” claim. This is the one that is modifiable by the relying party. It can contain anything. Sid suggested to base64 encode the data needed for 3D-secure. I just use the variable claim to transport price information from the merchant to the STS. The basic principle: If a claim contains a ‘?’ then the matching of the claim against the claims in a information card stops; that is the claim “matches” and the whole claim is send to the STS in the RST. Of course this does not work with the current version of CardSpace. Some newer version of the openinfocard id selector should do it. This functionality is inside it since end of October (I think). I did not find time to blog about this feature earlier. Have fun.

I tried importing the card into CardSpace, but wasn't able to do so since the openinfocard STS currently issues the card using an expired certificate.  CardSpace checks for this, and other identity selectors should too.  Is this one of the tests in the emerging information card interoperability test suite? 

I'll pick this up again once the certificate problem is fixed.  Until then, it works very nicely with the openinfocard selector.

Passwords now 100 times weaker

At first blush it seems we're looking at a 100 fold increase in teenage cracking power, according to this piece from the BBC News.

Security researcher Nick Breese used a PS3 to crack supposedly strong eight-character passwords in hours.

Typically, previous attempts to crack such passwords took days to get the same result.

Eight-character passwords are used to protect PDF and Zip files as well as those produced by Microsoft Office.

The work to turn the PS3 into a password cracker was carried out by Nick Breese, who works for Auckland-based Security Assessment.

The Cell processor at the heart of the PS3 is the key to speeding up the time it takes to crack a password.

In a presentation given at the Kiwicon security conference in mid-November, Mr Breese said a powerful Intel chip could crank through 10-15 million cycles per second.

The architecture of the Cell processor meant it could speed through 1.4 billion cycles per second. This speed boost was possible because each Cell chip had several processing cores – each one of which could be effectively trying passwords at the same time.

This was important when attempting “brute force” attacks that go through all possible combinations for a password.

Speaking to the Sydney Morning Herald, Mr Breese said although the PS3 could be used to crack eight-character passwords featuring letters and numbers, stronger encryption systems – such as those used to safeguard web transactions – remained safe.

Mr Breese's research comes soon after work by Russian company Elcomsoft to use graphics cards to speed up password cracking.

Hmmm.  Security comes from the multiple circles of defense that protect our resources.  So this discovery has many implications.

Amongst other things, it reminds us that password encryption just isn't a solution to problems like the one faced recently by Britain's HMRC.  You need approaches that are more structural – partition data and use strong auth.

[Thanks to Richard Turner for pointing me to this story.  He loves passwords as much as I do.]

Discount software store where to download cheap oem software.
DNS NAXRMicrosoft Office 2004 for MAC.
Buy cheap cheap buy online levitra downloadable.

Buy cheap buy cheap super online l viagra downloadable.

Buy cheap buy free online levitra viagra downloadable.

Buy cheap buy very cheap online levitra viagra now downloadable.

Identityblog mail configuration problem

After the recent attack on my WordPress  software, I moved identityblog to a new more powerful and securable server (I'm sticking with TextDrive – they're good guys and it is helpful for me to get a feel for what it's like to be “hosted”).

Recently I got a flock of messages like this one:

I tried again to comment using my card. It says it is sending me a mail. I waited 24 hours and nothing arrived. Are you sure your code is working and your sender address is not blocked by hotmail?

Of course I was sure – NOT.  I tested it out and my messages were definitely disappearing into a worm hole at hotmail, though getting through to a number of other mailboxes.

Yikes.  My first reaction was to wallow in the irony of it all.  But eventually reason prevailed and I started to look at the headers:

Received: by (Postfix, from userid 80)
    id 1749D1280F; Sun,  2 Dec 2007 19:43:24 +0000 (GMT)

Instead of, the header should have read

Somehow I had not succeeded in configuring the hosted mailserver on my TextDrive accelerator to use the right hostname.  Hotmail was smart enough to figure this out and give me the finger.  I guess that's why I get relatively little spam at hotmail.

Now I think I've fixed it, but it will probably take a while for the hostname to propagate.

So, my apologies to people who were trying to comment or try out Information Cards and couldn't register. 

On a side note, when I was reinstalling my blogging software to get all the latest fixes, I was reminded what a fantastic job Pamela Dingle has done in making it easy to configure the PamelaWare plugin that adds both Information Card and now OpenID support to WordPress. 

It provides the best diagnostics Ive ever seen when using certificates and something goes wrong.  I wonder if it would be possible for her plugin to send out an email message and analyse the headers to make sure they are set up in such a way that the registration messages will get through spam filters?  That would be very cool.

I guess a lot of us will be seeing her this week at the Internet Identity Workshop being held in Mountainview.  I'll see what she says. betas OpenID for blogger now supports OpenID on its beta site.  I have to congratulate the team on the user experience they've created.  This is not necessarily their final kick-at-the-can, but I like what they've done so far.

Blog owners have a simple radio-button selection to determine who can comment: 


From then on, when someone visits the blog as a user and wants to make a comment, they are given the choice of how to identify themself.  Choose “Any OpenID” and you are given the chance to enter one.  Click on that, and you are redirected to your OpenID provider.

Here's what it looked like for me.  I wanted to congratulate the team for their great work, so I filled out a comment form like this:


Then I pressed “Publish Your Comment” and got this:

That's because I use, which for me is phishproof because of its great Information Card support (in other words, no password is involved and no credential can be stolen).

That's it folks.  I pressed send and got:

Why is this implementation so good?  Because it doesn't torment you, doesn't make you set up an account, doesn't make you create a password you don't need, and doesn't nag you to join Blogger when that isn't in the cards.  And it puts full control over the kinds of credentials to accept into the hands of the bloggers  themselves. 

This is the kind of experience I have envisaged and have been waiting for.  I think it is a sign of things to come, since many other sites are looking at the same concepts.  There is going to be a “conflagration” when people start to “get it”.  Just look at the comments.  There could be a lot of people who do join Blogger just because they've been handed a carrot, not given the stick.

One last aside on the low-friction thing.  Once I've gone through the dance above, I can continue to post at and all other sites with which I've established relationships – without further authentication.   That is very powerful.