Heavyweights, Giants, Bigwigs and Snugglers

Last week's announcement about the OpenID Foundation, and news of participation by a number of large industry players, has echoed far and wide.  In fact, Bill Gates announced Microsoft's decision to collaborate with the OpenID community almost a year ago at RSA (see the CardSpace / OpenID Collaboration Announcement and a lot of Blogosphere discussion, or postings like these from identityblog).

Since the announcement many of us have been involved in sorting out the intellectual property issues which plagued the community.  We've come through that, and arrived at a point when we can begin to look at how the technology might be integrated into various services and user experiences.  We've also made progress on looking at how the phishing vulnerabilities of OpenID can be addressed through Information Cards and other technologies.

My view is simple.  OpenID is not a panacea.  Its unique power stems from the way it leverages DNS – but this same framework sets limits on its potential uses.  Above all, it is an important addition to the spectrum of technologies we call the Identity Metasystem, since it facilitates integration of the “long tail” of web sites into an emerging identity framework.   The fact that there is so much interest from across the vendor community is really encouraging. 

Here's some of the coverage I have been made aware of.  It ranges from the fanciful to the accurate, but demonstrates the momentum we are beginning to acquire in the identity arena.

IDG News Service
Major Vendors Join OpenID Board
Chris Kanaracus

(Appeared in:  The Industry Standard, Computerworld, InfoWorld, The New York Times, PCWorld.com, CSO, Techworld, iT News, Reseller News New Zealand)
     
CNET News.com
OpenID Foundation scores top-shelf board members
Caroline McCarthy
    
PC Magazine
Microsoft, Google, IBM Join OpenID
Michael Muchmore
    
Read/Write Web
OpenID: Google, Yahoo, IBM and More Put Some Money Where Their Mouths Are
Marshall Kirkpatrick
    
ZDNet
Microsoft and Google join OpenID, but where’s Cisco?
David “Dave” Greenfield
    
Wired
The Web's Biggest Names Throw Their Weight Behind OpenID
Scott Gilberston

Slashdot
OpenID Foundation Embraced by Big Players
Zonk 
    
O'Reilly Radar
OpenID Foundation – Google, IBM, Microsoft, VeriSign and Yahoo
Artur Bergman
    
InformationWeek
Major Tech Companies Join OpenID Board
Antone Gonsalves
    
TechCrunch
OpenID Welcomes Microsoft, Google, Verisign and IBM
Michael Arrington
    
PC Pro Online
OpenID receives heavyweight backing
Stuart Turton
    
ZDNet
Google, IBM, Microsoft and VeriSign join Yahoo on OpenID
Larry Dignan
    
Forrester Research
OpenID family grows – How it can transform Identity Federation between enterprises
Andras Cser
    
ActiveWin
Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web
Jonathan Tigner
02-07-2008
    
Conde Naste Portfolio
Microsoft, Google, Yahoo Agree … on Open ID
Sam Gustin
    
SoftPedia News
Microsoft, Google and Yahoo Join Hands – Over OpenID
Marius Oiaga
    
CSO
OpenID Goes Corporate
Eric Norlin
    
InternetNews
OpenID Gets Star Power
Kenneth Corbin
02-07-2008
    
Windows IT Pro
Industry Behemoths Join OpenID Board
Mark Edwards
    
BetaNews
Microsoft, Google, Yahoo gain seats on OpenID Foundation board
Scott Fulton
    
The Register
Microsoft! snuggles! with! Yahoo! on! OpenID!
Gavin Clarke  
  
San Francisco Chronicle
Tech heavyweights join OpenID Foundation board
Deborah (Debbie) Gage
    
Cox News Service
One password for the Web? Internet giants back idea
Bob Keefe
(Also appeared in Atlanta Journal-Constitution)
    
vnunet.com
IT heavyweights join OpenID project
Clement James
    
IT Pro UK
Industry giants join OpenID foundation
Asavin Wattanajantra
    
Computer Business Review
Industry bigwigs back OpenID single sign-on
Janine Milne
    
BBC Online
Password pain looks set to ease
    
WebProNews.com
Microsoft, Google Sign On To OpenID
David Utter
    
GigaOM
OpenID Has Big New Friends
Carleen Hawn
    
Real Tech News
Microsoft, Google, Verisign, Yahoo! and IBM Join OpenID’s Board
Michael Santo
    
ComputerWorld Canada
OpenID gains support for online single sign-on
Shane Schick
(Also appeared in ITworldcanada)
  

Half-life of personal information

In November I coined the term “Identity Chernobyl” for Britain's HMRC fiasco (at least it seems that way when I look at Google).

Cory Doctorow elaborates on this in a nice Guardian piece:

When HM Revenue & Customs haemorrhaged the personal and financial information of 25 million British families in November, wags dubbed it the “Privacy Chernobyl”, a meltdown of global, epic proportions [Hey, Cory, are you calling me a wag? – Kim].

The metaphor is apt: the data collected by corporations and governmental agencies is positively radioactive in its tenacity and longevity. Nuclear accidents leave us wondering just how we're going to warn our descendants away from the resulting wasteland for the next 750,000 years while the radioisotopes decay away. Privacy meltdowns raise a similarly long-lived spectre: will the leaked HMRC data ever actually vanish?

The financial data in question came on two CDs. If you're into downloading movies, this is about the same size as the last couple of Bond movies. That's an incredibly small amount of data – my new phone holds 10 times as much. My camera (six months older than the phone) can only fit four copies of the nation's financial data.

Our capacity to store, copy and distribute information is ascending a curve that is screaming skyward, headed straight into infinity. This fact has not escaped the notice of the entertainment industry, where it has been greeted with savage apoplexy.

Wet Kleenex

But it seems to have entirely escaped the attention of those who regulate the gathering of personal information. The world's toughest privacy measures are as a wet Kleenex against the merciless onslaught of data acquisition. Data is acquired at all times, everywhere.

For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it.

Hidden in that toxic pile are a million seams waiting to burst: a woman secretly visits a fertility clinic, a man secretly visits an HIV support group, a boy passes through the turnstiles every day at the same time as a girl whom his parents have forbidden him to see; all that and more.

All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper.

How long does this information need to be kept private? A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side.

If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor.

Every gram – sorry, byte – of personal information these feckless data-packrats collect on us should be as carefully accounted for as our weapons-grade radioisotopes, because once the seals have cracked, there is no going back. Once the local sandwich shop's CCTV has been violated, once the HMRC has dumped another 25 million records, once London Underground has hiccoughed up a month's worth of travelcard data, there will be no containing it.

And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror.

The best answer is to make businesses and governments responsible for the total cost of their data collection. Today, the PC you buy comes with a surcharge meant to cover the disposal of the e-waste it will become. Tomorrow, perhaps the £200 CCTV you buy will have an added £75 surcharge to pay for the cost of regulating what you do with the footage you take of the public.

We have to do something. A country where every snoop has a plutonium refinery in his garden shed is a country in serious trouble.

The notion of information half-life is a great one.  Let's adopt it.

The tendency for “information to merge” is one of the defining transformations of our time.  When it comes to understanding what this means, few think forward, or even realize that there “is a forward”.

The “contextual separation” in our lives has been central to our personalities and social structures for many centuries.   

Call me conservative, but we need to retain this separation.

The mobility and clonability of digital information, in combination with commercial interest and naivety, lead us toward a vast sea of personal information intermixed with our most intimate and tentative thoughts.

The essence of free-thinking is to be able to think things you don't believe as part of the process of grasping the truth.  If the mind melts into the computer, and the computer melts into a rigid warehouse of indelible data, how easy is it for us to change, and what is left of the mind that is “transcendental” (or even just unfettered…)?

The ramifications of this boggle the mind.  The alienation it would cause, and the undermining of institutions it would bring about, concern me as much as any other threat to our civilization.

    

Yahoo! announcement on OpenID

Yahoo! has launched the public beta of its OpenID Provider service.  Congratulations to the Yahoo! identity team!  Here's part of the announcement

Today, we are launching the public beta of the much-anticipated Yahoo! OpenID Provider service. This means that users with a Yahoo! account – all 248 million of them – will be able to sign in to any website that supports OpenID 2.0, the latest version of the OpenID specification.

In case you are curious, here are the key features of this release:

Usability – Users will not have to understand the technical details of OpenID simply to use the technology. Thanks to features introduced in the OpenID 2.0 specification, users will not have to type their OpenID URL while signing in to websites. They can simply type yahoo.com in the OpenID textbox or, if the Relying Party website provides it, click a button that takes them to Yahoo!. By not requiring users to understand the meaning of an OpenID URL, we hope that more users will be able to overcome the initial hurdles of using this new technology. For those of you who want to set up a custom URL, we will provide a way to do so, including the ability to use your Flickr photos page as your OpenID URL.  [Interesting – Kim].

User education – We have spent a great deal of time thinking about educating users on the proper use of OpenID and you will see some of these thoughts implemented throughout our service – whether it's an explanation of the benefits of OpenID, our OpenID tour, or messaging on the safe use of OpenID at various locations.

Anti-phishing measures – We suggest that users of the Yahoo! OpenID service set up and look for their Sign-in Seal to confirm that they are entering their password on a genuine Yahoo! page. A Sign-in Seal is a user-created image or a message that will only appear on genuine Yahoo! pages. We hope to continue working with the OpenID community to combat phishing and provide more secure experiences to users.

We are also actively working on non-US English versions of the service. It is already available for 17 countries and we expect to roll out even more international support in the very near future.

If you'd like to use the Yahoo! OpenID service, feel free to start at Plaxo, Jyte, Pibb, or any other OpenID 2.0-compliant website (this list is growing everyday). Alternatively, visit http://openid.yahoo.com to set up your account for OpenID access. We would love to hear your feedback!

We'd like to take this opportunity to thank the OpenID community for educating us over the past year and helping us make this happen. In particular, we'd like to say “Thank you” to Bill Washburn, Brian Ellin, David Recordon, Dick Hardt, Johannes Ernst, Johnny Bufu, Joseph Smarr, Josh Hoyt, Kaliya Hamlin, Kevin Turner, Larry Drebes, Mike Graves, Scott Kveton, and Simon Willison.

(More here…) 

The Epic Battle: Sun goes after Ping Identians

I was awakened from my vacation from the blogosphere today by the braying of Sun’s new YouTube video “comedy”.   It features a droll engineer with a great sense of deadpan, but when all is said and done, it is bully comedy, with all the subtlety of a bully beating up his smart little brother.

The premise seems to be that big strong Sun has 35,000 technical support engineers ready to descend in buses on customers who deploy one of Sun’s IDM solutions (could their products require a whole lot of support???), whereas the customers of “little Ping Identity” are left on their own to cope with mere off-the-shelf products.

Ping has been a real innovator and thought leader in digital identity.  Why attack it?  I can only see one explanation:  the Ping folks must be making a significant dent in Sun’s marketplace.  Even so, it is hard to imagine such a low-road response.  The word “unseemly” comes to mind.

FYI, while I have no firsthand experience with Ping, various customers have told me good things about their products, attitude and responsiveness.  To me that’s the litmus test.

Cyberspace needs a whole range of players innovating around digital identity.  We’re lucky to have Ping in the equation.

One of the significant questions being posed is whether you need to hire a busload of engineers to deploy federation and identity management.  Sun’s video takes it as a given that this is the case, but if I were a customer I would head for the hills when I saw the big Sun bus coming for me.


Sun's attack ad

A meaningful identity metasystem, something capable of providing an identity layer for the internet, must be based on commercial off the shelf products that can be deployed by any system administrator.  Ping Identity is pushing the envelope in this area, as are a number of us.  Our goal is achieving ubiquity, not the renting out of consultants.

Beyond the technical issues, we need to work as an industry towards “federation boilerplates” and a legal framework that drives the cost of creating virtual organizations to zero.

Since identity requires all of us to interoperate, I think people should hold off on attack ads and concentrate on expanding the market. 

I don’t normally criticize any of the identity players for their strategy, but I sure would like to see Sun go after the 99.9% of organizations with no federation framework rather than turning on Ping and its successes.

This having been said, Ping doesn’t need me to come to its defense.  Its fearless leader, Andre Durand, responded with a hilarious video called The Epic Battle: 72 VS 35,000, that blows the original Sun video right out of the water.  Don’t miss it.

Paul Madsen's Identerati greeting cards

Paul Madsen has submitted the following card set for standardization with the ITU. 

Ashish Jain has already asked if the various options will light up according to the policy requirements of the person to whom they are sent.

Paul has assured all those concerned that the preference URLs will be standardized through the UN.

Scotland's eCare wins award

Scotland's eCare has been recognised at an international awards ceremony on good practice in data protection.  On Tuesday, 11 December, the Data Protection Agency of the Region of Madrid awarded the eCare framework one of two “special mention” awards.  The aim of the annual prize is to expand the awareness of best practices in data protection by government bodies across Europe.

I'm really pleased to see the authors of eCare recognized. They have created a system for sharing health information that concretely embodies the kind of thinking set out in the Laws of Identity.

A Scottish Executive publication describes eCare this way:

The system is designed with a central multi-agency eCare store in a ‘demilitarised’ zone (hanging off NHS net), which links to the multiple back office legacy systems operating locally in the partner agencies. This means that each locality will have its own locally defined and unique approach.

All data shared is subject to consent by the client. The system users are authenticated through their local systems, and are only entitled to view the data of their clients. Clients can change their consent status, and as soon as this is logged on the local system the records cannot be viewed by the partner practitioners.

Benefits that the programme will deliver

The direct benefit to the citizen will be through improved experience of care. Single Shared Assessment, through electronic information sharing, will reduce the volume of questions repeatedly asked by professionals, as data will only have to be collected from the client once, then shared through the technology.

The Children's Services stream will focus on the delivery of an electronic Personal Care Record, an Integrated Children’s Services Record, and a Single Assessment Framework for sharing, to benefit both Scotland’s children, and care practitioners. Across the streams’ care groups, practitioners will save time, because core data will be shared, rather than gathered by multiple agencies. This will reduce the possibility of duplicated or inappropriate care. A more holistic picture of the client will be created, which will help to ensure services that more accurately meet people's needs.

The principal deliverables of the Learning Disability stream are the development of integrated local service records, which will help planning across a range of services, and the piloting of a national anonymised database, which will enable the Scottish Executive to monitor implementation of ‘The same as you?’ initiative.

Ken Macdonald, Assistant Commissioner (Information Commissioner’s Office, which provided a note of support for the eCare application) has commented:

It is wonderful to see UK expertise in data protection being officially recognised in Europe for the second year running.  Recent events have highlighted the need to comply with the principles of the Data Protection Act and I am delighted to see the eCare Framework and the Scottish Government setting such a fine example to others not just in the UK but throughout Europe.

I hope the work is published more broadly.  From seeing presentations on the system, it partitions information for safety.  It employs encrypted data, not simply network encryption.  It favors local administration, and leaves information control close to those responsible for it.  It puts information sharing under the control of the data subjects.  It consistently enforces “need to know” as well as user consent prior to information release.  In fact it strikes me as being everything you would expect from a system built after wide consultation with citizens and thought leaders – as happened in this case.  And not surprisingly with such a quality project, it uses innovative new technologies and approaches to achieve its goals.

xmldap / openinfocard paymentCards

Axel Nennker from ignisvulpis has been enhancing the openinfocard identity selector – I'm hoping to catch up with him soon and learn more about where the project is headed.  Meanwhile this post is very interesting:

At DIDW 2007 I heard Sid Sidner talk about variable claims and how they could be used for online payment. Kim Cameron, who sat next to me during Sid's talk, suggested that I should include this into the openinfocard id selector. Today I uploaded two new applications to xmldap.org. You can use the STS to create a paymentCard and import it into the openinfocard id selector:

Next go to the paymentCard relying party. You can change the price to see that the claim can be changed by the merchant. Type a new price into the input field and press enter. Next click on the paymentCard icon to start the openinfocard id selector:


Select a paymentCard using the openinfocard id selector:

The result looks something like this:


Please note the “trandata?” claim. This is the one that is modifiable by the relying party. It can contain anything. Sid suggested base64-encoding the data needed for 3D-Secure. I just use the variable claim to transport price information from the merchant to the STS. The basic principle: if a claim contains a ‘?’ then the matching of the claim against the claims in an information card stops; that is, the claim “matches” and the whole claim is sent to the STS in the RST. Of course this does not work with the current version of CardSpace. Some newer version of the openinfocard id selector should do it. This functionality has been inside it since the end of October (I think). I did not find time to blog about this feature earlier. Have fun.
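To make the variable-claim rule concrete, here is a small model of it in Python. This is an added illustration, not code from openinfocard or xmldap: it assumes claim types are URIs, that an RP-requested claim of the form uri?value is a variable claim whose value is copied into the RST untouched, and, as this example's own conservative reading of "matching stops at the ?", that the part before the ? is still compared against the card's claim types. The trandata URI and the price value are constructed samples; the two standard Information Card claim types are real.

```python
# Added example: variable-claim matching as described for the openinfocard
# selector (not the project's own code). An RP claim containing '?' is a
# variable claim: only the part before '?' is matched against the card,
# and the whole claim, RP-supplied value included, is forwarded to the STS.
from typing import Dict, List, Tuple
from xml.sax.saxutils import quoteattr

# Real Information Card claim-type URIs (self-issued card namespace).
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
# Constructed URI standing in for the merchant-modifiable "trandata" claim.
TRANDATA = "http://example.org/paymentcard/claims/trandata"

# The value after '?' is chosen by the relying party, so from the selector's
# point of view it is untrusted input; cap its size rather than forward it
# unbounded to the STS. The limit itself is an assumption of this example.
MAX_VARIABLE_LEN = 512


def split_claim(claim: str) -> Tuple[str, str]:
    """Split 'uri?value' into (uri, value); value is '' for a fixed claim."""
    base, _sep, value = claim.partition("?")
    return base, value


def match_claims(required: List[str], card_claims: List[str]) -> Dict[str, List[str]]:
    """Match the RP's required claims against one card's supported claim types.

    Returns {'send': [...], 'missing': [...]}; 'send' holds the claims exactly
    as they will appear in the RST, so variable claims keep their '?value'.
    """
    supported = set(card_claims)
    result: Dict[str, List[str]] = {"send": [], "missing": []}
    for claim in required:
        base, value = split_claim(claim)
        if base not in supported:
            # The card does not offer this claim type at all.
            result["missing"].append(claim)
        elif value and len(value) > MAX_VARIABLE_LEN:
            # Oversized RP-supplied value: refuse rather than pass it on blindly.
            result["missing"].append(claim)
        else:
            result["send"].append(claim)
    return result


def rst_claim_elements(claims: List[str]) -> str:
    """Render matched claims as ClaimType elements for the RST body.

    Element shape follows the Information Card profile; namespace prefixes
    are assumed to be bound by the enclosing RST. quoteattr escapes '&'.
    """
    lines = ['<wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">']
    for claim in claims:
        lines.append(f"  <ic:ClaimType Uri={quoteattr(claim)}/>")
    lines.append("</wst:Claims>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a paymentCard and a merchant's policy with a price.
    card = [GIVENNAME, SURNAME, TRANDATA]
    policy = [GIVENNAME, TRANDATA + "?price=19.99&currency=EUR"]
    outcome = match_claims(policy, card)
    print("missing:", outcome["missing"])
    print(rst_claim_elements(outcome["send"]))
```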

I tried importing the card into CardSpace, but wasn't able to do so since the openinfocard STS currently issues the card using an expired certificate.  CardSpace checks for this, and other identity selectors should too.  Is this one of the tests in the emerging information card interoperability test suite? 

I'll pick this up again once the certificate problem is fixed.  Until then, it works very nicely with the openinfocard selector.

Passwords now 100 times weaker

At first blush it seems we're looking at a 100-fold increase in teenage cracking power, according to this piece from the BBC News.

Security researcher Nick Breese used a PS3 to crack supposedly strong eight-character passwords in hours.

Typically, previous attempts to crack such passwords took days to get the same result.

Eight-character passwords are used to protect PDF and Zip files as well as those produced by Microsoft Office.

The work to turn the PS3 into a password cracker was carried out by Nick Breese, who works for Auckland-based Security Assessment.

The Cell processor at the heart of the PS3 is the key to speeding up the time it takes to crack a password.

In a presentation given at the Kiwicon security conference in mid-November, Mr Breese said a powerful Intel chip could crank through 10-15 million cycles per second.

The architecture of the Cell processor meant it could speed through 1.4 billion cycles per second. This speed boost was possible because each Cell chip had several processing cores – each one of which could be effectively trying passwords at the same time.

This was important when attempting “brute force” attacks that go through all possible combinations for a password.

Speaking to the Sydney Morning Herald, Mr Breese said although the PS3 could be used to crack eight-character passwords featuring letters and numbers, stronger encryption systems – such as those used to safeguard web transactions – remained safe.

Mr Breese's research comes soon after work by Russian company Elcomsoft to use graphics cards to speed up password cracking.

Hmmm.  Security comes from the multiple circles of defense that protect our resources.  So this discovery has many implications.

Amongst other things, it reminds us that password encryption just isn't a solution to problems like the one faced recently by Britain's HMRC.  You need approaches that are more structural – partition data and use strong auth.

[Thanks to Richard Turner for pointing me to this story.  He loves passwords as much as I do.]


Identityblog mail configuration problem

After the recent attack on my WordPress software, I moved identityblog to a new more powerful and securable server (I'm sticking with TextDrive – they're good guys and it is helpful for me to get a feel for what it's like to be “hosted”).

Recently I got a flock of messages like this one:

I tried again to comment using my card. It says it is sending me a mail. I waited 24 hours and nothing arrived. Are you sure your code is working and your sender address is not blocked by hotmail?

Of course I was sure – NOT.  I tested it out and my messages were definitely disappearing into a worm hole at hotmail, though getting through to a number of other mailboxes.

Yikes.  My first reaction was to wallow in the irony of it all.  But eventually reason prevailed and I started to look at the headers:

Received: by z07191AA.textdrive.com (Postfix, from userid 80)
    id 1749D1280F; Sun,  2 Dec 2007 19:43:24 +0000 (GMT)

Instead of  z07191AA.textdrive.com, the header should have read identityblog.com.

Somehow I had not succeeded in configuring the hosted mailserver on my TextDrive accelerator to use the right hostname.  Hotmail was smart enough to figure this out and give me the finger.  I guess that's why I get relatively little spam at hotmail.

Now I think I've fixed it, but it will probably take a while for the hostname to propagate.

So, my apologies to people who were trying to comment or try out Information Cards and couldn't register. 

On a side note, when I was reinstalling my blogging software to get all the latest fixes, I was reminded what a fantastic job Pamela Dingle has done in making it easy to configure the PamelaWare plugin that adds both Information Card and now OpenID support to WordPress. 

It provides the best diagnostics I've ever seen when using certificates and something goes wrong.  I wonder if it would be possible for her plugin to send out an email message and analyse the headers to make sure they are set up in such a way that the registration messages will get through spam filters?  That would be very cool.

I guess a lot of us will be seeing her this week at the Internet Identity Workshop being held in Mountain View.  I'll see what she says.

draft.blogger.com betas OpenID for blogger

Blogger.com now supports OpenID on its beta site.  I have to congratulate the blogger.com team on the user experience they've created.  This is not necessarily their final kick-at-the-can, but I like what they've done so far.

Blog owners have a simple radio-button selection to determine who can comment: 
From then on, when someone visits the blog as a user and wants to make a comment, they are given the choice of how to identify themselves.  Choose “Any OpenID” and you are given the chance to enter one.  Click on that, and you are redirected to your OpenID provider.

Here's what it looked like for me.  I wanted to congratulate the team for their great work, so I filled out a comment form like this:
Then I pressed “Publish Your Comment” and got this:

That's because I use myopenid.com, which for me is phishproof because of its great Information Card support (in other words, no password is involved and no credential can be stolen).

That's it folks.  I pressed send and got:

Why is this implementation so good?  Because it doesn't torment you, doesn't make you set up an account, doesn't make you create a password you don't need, and doesn't nag you to join Blogger when that isn't in the cards.  And it puts full control over the kinds of credentials to accept into the hands of the bloggers themselves.

This is the kind of experience I have envisaged and have been waiting for.  I think it is a sign of things to come, since many other sites are looking at the same concepts.  There is going to be a “conflagration” when people start to “get it”.  Just look at the comments.  There could be a lot of people who do join Blogger just because they've been handed a carrot, not given the stick.

One last aside on the low-friction thing.  Once I've gone through the dance above, I can continue to post at Blogger.com and all other sites with which I've established relationships – without further authentication.   That is very powerful.