Dave Kearns takes on anonymity

Dave Kearns of The Virtual Quill (and many other venues) has joined the anonymity scrum (even though he was already in it):

“Anonymity as default,” which I mentioned in the previous post, is taking on a life of its own. Now Tom Maddox has posted in his Opinity weblog, commenting on Ben Laurie's commentary about Kim Cameron's mention of Eric Norlin's post concerning David Weinberger's original thought that “Anonymity should be the default.”

(I'll just sit here and whistle for a moment while you follow that set of links)

The point I wanted to mention was Maddox’ statement:

We need to begin with anonymity/pseudonymity as the default, Laurie's ‘substrate choice’. Otherwise, whatever identity system we employ, we'll always be trying to get the cat back in the bag (or the scrambled egg back in the shell)

The fallacy here is that he seems to believe that there can be an “identity system” in which anonymity is a choice! And not only a choice, but the default choice. But without a unique identifier for each object in the system, there is no identity system. And with a unique identifier there is no anonymity within the system. Rather, the default should be PRIVACY for all objects, with any dispersal or publishing of identity attributes only done with the consent of the entity if it's sentient, and the entity's controller if it isn't.

Maddox is correct that once the data is published you can't unpublish it completely. That argument shouldn't be overlooked. But it's equally important to realize that the “anonymity bandwagon” is out of control and headed for the cliff. Privacy is the key, and privacy should be the issue.

I have trouble with Dave's use of the phrase, “within the system”.  What is “the system” in a multi-centered world with an interpenetrating mesh of domains?  Put another way, just because an object has a unique identifier, do entities dealing with the object have to know that?

Things may have unique identifiers that are known to some identity authority / domain (even infinitesimally small ones), but these authorities don't have to release them when identifying things to other parties. 

Would an example help? 

Suppose some company – let's call it Contoso.com – runs Active Directory as its local identity infrastructure.  Active Directory identifies all of the machines and people in Contoso's “domain” with a Security IDentifier (SID) – basically the domain's own identifier plus a relative identifier (RID) that is unique within that domain.  But when I am dealing with someone from Contoso.com, I probably don't give a darn about their SID, no matter how useful it may be to their local AD system.  Dave, do you care about my SID? Knowing you and loving you, I think you've got better things to worry about!

In the world of web services, which will be a vast mesh where identity reaches beyond domain boundaries, the definition of what is “within the system” becomes very ambiguous. 

The SID makes sense “within the system” when the system is thought of as a single domain run by one manager.  It normally doesn't make sense “within the system” when the system is thought of as a connecting mesh of entities that happen to interact with many domains. 

In this bigger world, I may be interested in the fact that someone is an employee of Contoso, but totally uninterested in anything that uniquely identifies them as an employee – even if such unique identification is necessary for some other purpose.

For example, if I call 411, I speak with a representative of the phone company.  I don't know her or his name, or number, or location, or anything else.  I just know the person I'm talking with works on behalf of Verizon – and that is all I really want to know.

Yet knowing they are an official employee is still a matter of identity! 

Is this anonymous?  I would say so.  It “has an unknown or unacknowledged name”, as my pathetic online dictionary puts it (I'm travelling).  So it is anonymous, but it is identity.

This is all part of the notion that an authority can make claims about a subject – and that this is done through a set of assertions.  Given this, we need a name for the “empty set” of assertions. 

So far, we call it anonymity.  We believe this will ring a bell in more peoples’ heads than “empty set of assertions”.

If we now combine this thinking with the second law (minimal disclosure) – we come to the notion that if more is not needed, the identity set should be the empty set.  This is what I think people are talking about when they say the default should be anonymous.
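To make the SID point and the “empty set of assertions” concrete, here is an added example (mine, not code from the original post, from CardSpace or from Active Directory). An authority that knows every principal's SID issues only the claims a relying party asked for and the subject consented to; with no request at all, the released set is empty, which is the default the post argues for. The 411 case is the call that asks for nothing but “employer”. The SID layout follows Windows (S-1-5-21-<domain sub-authorities>-<RID>); the principal, the signing key and the claim names are constructed for the demonstration, and an HMAC stands in for the signature a real token would carry.

```python
"""Added example: minimal-disclosure claim issuance by an authority that
holds a unique identifier (a SID) it never releases unless asked and allowed.
Principal, key and claim names are constructed; HMAC stands in for a real
token signature."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# A principal SID is the domain SID (S-1-5-21-A-B-C) followed by the RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid):
    """Split a principal SID into (domain SID, RID); reject anything else."""
    m = DOMAIN_SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain principal SID: %r" % sid)
    return m.group(1), int(m.group(2))


@dataclass(frozen=True)
class Principal:
    sid: str            # unique inside the authority; stays there by default
    display_name: str
    employer: str


# The claims this authority is able to assert, and how each one is derived.
CLAIM_SOURCES = {
    "employer": lambda p: p.employer,           # "works for Contoso", nothing more
    "display_name": lambda p: p.display_name,
    "sid": lambda p: p.sid,                     # the unique identifier itself
}


class Authority:
    """Holds the directory and a signing key; issues minimal claim sets."""

    def __init__(self, name, key, directory):
        self.name, self._key, self._directory = name, key, directory

    def issue(self, sid, requested=(), consented=()):
        principal = self._directory[sid]        # the authority needs the SID...
        requested, consented = set(requested), set(consented)
        unknown = requested - set(CLAIM_SOURCES)
        if unknown:
            raise ValueError("cannot assert %s" % sorted(unknown))
        # ...but releases only what is needed AND consented to. With no
        # request, that intersection is the empty set: anonymity as default.
        released = {n: CLAIM_SOURCES[n](principal)
                    for n in sorted(requested & consented)}
        body = json.dumps({"issuer": self.name, "claims": released}, sort_keys=True)
        sig = hmac.new(self._key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


def verify(token, issuer_key):
    """Relying-party side: check who vouches, then take the claims at face
    value. Returns None when the signature does not check out."""
    expected = hmac.new(issuer_key, token["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return json.loads(token["body"])["claims"]


def carries_identifier(claims):
    """True if the released set would let the relying party single someone out."""
    return "sid" in claims


# Constructed directory: one principal in a made-up Contoso domain.
ALICE = "S-1-5-21-1004336348-1177238915-682003330-1104"
CONTOSO_KEY = b"constructed-demo-signing-key"
CONTOSO = Authority("contoso.com", CONTOSO_KEY,
                    {ALICE: Principal(ALICE, "Alice Example", "Contoso")})

if __name__ == "__main__":
    # Default: no claims at all.
    print(verify(CONTOSO.issue(ALICE), CONTOSO_KEY))
    # The 411 case: the caller only needs to know who the person works for.
    token = CONTOSO.issue(ALICE, requested={"employer"},
                          consented={"employer", "display_name"})
    print(verify(token, CONTOSO_KEY))
```

Note that the relying party never learns the RID even though the authority used it to look the person up; identity (an authority vouching) and anonymity (no name released) coexist in the second token.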

Demo gets good reviews

Paul Toal over at Identity, Security and Me posted this to encourage you to check out the demo I put up recently.  (Just in case any of you are busy, it's only 3 minutes long!)

Kim Cameron has posted a really good video here explaining how user-centric identity and federation can work together. His blog and associated demonstration is shown using Microsoft CardSpace and Ping Federate from Ping Identity.

I have worked with Ping Identity for some time and was happy with the product and how it, and federation works generally. However, like Paul Squires here, I was struggling to see how it fitted within a user-centric architecture. Whilst I saw the two as complementary, I didn’t see the link.

This video has clarified this for me and shown that there is a clear interaction between the two.

As usual Kim, thanks for a great demo! If you haven’t seen the demo yet, you HAVE to view it.

Then, following Paul Toal's link to Paul Squires at Here, Now, I came across his additional comment:

This [demo…] is well worth seeing for anyone with an interest in where digital identity is going. The demo itself shows cardspace (if there’s anyone who hasn’t seen it yet!) along with interoperability between a number of applications. The guys at Ping have done a great job with this and I’d hope this brings together these various strands of identity management (it’s certainly helped me, not least from an architectural point of view). Things are starting to look very exciting!

Update: Never one to miss out on a bit of vanity, the second open tab in the browser during the demo looks very familiar!

Gee, I'm on a roll.  Just like my horoscope said, I seem to be communicating well with people named Paul.

As for Paul two's “update”, looking closely I also can see that I had been reading one of his posts the day I captured the demo.  Just think.  Some people are worried there will be no fingerprints in the digital world.  It ain't true.

Anonymity is the substrate

Ben Laurie at Links, contemplating the “identity as a default” debate, argues “Anonymity is the substrate”:

Kim Cameron’s blog draws my attention to a couple of articles on anonymity. The first argues for anonymity to be the default. The second misses the point and claims that wanting anonymity to be the default makes it a binary thing, whereas identity is a spectrum.

But the point is this: unless you have anonymity as your default state, you don’t get to choose where on that spectrum you lie.

Eric Norlin says

Further, every “user-centric” system I know of doesn’t seek to make “identity” a default, so much as it seeks to make “choice” (including the choice of anonymity) a default.

as if identity management systems were the only way you are identified and tracked on the ‘net. But that’s the problem: the choices we make for identity management don’t control what information is gathered about us unless we are completely anonymous apart from what we choose to reveal.

Unless anonymity is the substrate, choice in identity management gets us nowhere. This is why I am not happy with any existing identity management proposal – none of them even attempt to give you anonymity as the substrate.

Ben has a valid point in terms of the network substrate.  There are a number of hard issues intertwined here.  But from a practical point of view, here is how I approach it:

  1. You can't solve every problem everywhere simultaneously.  Solving one problem may leave others to be dealt with.  But with one problem gone, the others are easier to tackle.
  2. There are interesting technologies like onion routing and Tor that could be combined with the evolving identity framework to offer a more secure overall solution (Ben is better versed in these matters than I am).
  3. If society mandates storage of network addresses under certain circumstances, as it seems to be doing, a much more secure approach to this storage could and should be adopted.  Any legislation that calls for auditing should also require that the audit trail be encrypted under keys available only to vetted authorities and then only through well-defined legal procedures with public notification and in an off-line setting.  This would have a huge impact in preventing the ravages of Norlin's Maxim.

Network issues aside, in keeping with the second law of identity (minimal disclosure), users should by default release NO identifying information at all. 

You can call this anonymity, or you can call this “not needlessly blabbing everything about yourself”. 

Sites should only ask for identifying information when there is some valid and defensible reason to do so.  They should always ask for the minimum possible.  They should keep it for the shortest possible time.  They should encrypt it so it is only available to systems that must access it.  They should ensure as few parties as possible have access to such systems.  And if possible, they should only allow it to be decrypted on systems not connected to the internet.  Finally, they should audit their conformance with these best practices.

Once you accept that release of identifying information should be proportionate to well-defined needs – and that such needs vary according to context – it follows that identity must “be a spectrum”.

 

Ping's Identity Metasystem demo

Earlier this summer, just before the Burton Group Catalyst conference, Andre Durand and Ashish Jain of Ping Identity really surprised me with a lovely Identity Metasystem demo that combined use of Information Cards and federation technology.

I don't think anything I've seen demonstrates more concretely why “federation” and “user centricity” are different and yet complementary.

The demo is built around Ping Federate, which speaks four protocols for transporting SAML tokens around:  SAML 1.0, SAML 1.1, SAML 2.0, and WS-Federation.  Since it speaks all these federation dialects, it can talk to any federating system regardless of its dialect – for example WebSphere, Presentation Server, Windows 2003 and .NET, Tomcat, SAP, Web Logic, Salesforce.com, SiteMinder, CoreID, etc.

But even better, the user has a rational experience as well – the whole circle of trust is simply something accessed through an Information Card.

To play the demo:

Use Windows Media Player.  (You will need the Techsmith Screen Capture Codec (TSCC).  If your system complains it doesn't have the right codec, pick it up here.)  If you want to watch this and don't have any way to see it with Windows Media Player, let me know and I'll make a version for Quicktime.

The demo lasts 3 minutes and takes up 4 megs.  Download here.

As always I sound a little earnest as I rush you towards the finale.  But I think you'll like what these guys have done anyway.

Federation and user-centricity

Conor Cahill picked up on a discussion I recently relayed to identityblog readers – part of an ongoing dialog between Brett McDowell and Dick Hardt.  Conor says:

I think the issue causing the disagreements here is the interpretation of the term “federation” when discussed in an identity context.

Certainly federation can mean groups of businesses working together and this is the traditional meaning of the term in the business community. This meaning would fit with Kim's statement above.

However, in an identity context (as in “identity federation” — the stuff the Liberty Alliance has been working on since its founding) the term federation was used to describe the sharing of identity information from party A to party B. Party A is usually some party representing the user (acting on the user's behalf) such as an Identity Provider or an Attribute Provider. There is nothing that says whether Party A is an entity operated by the user or by some 3rd party.

In fact, in the Cardspace solution, the process of sending data through an Infocard instance to a relying party would be considered taking place under identity federation, whether the infocard instance was rooted in a local data source or a remote data source.

Ultimately, I would say that federation can be used in both user centric and non-user centric solutions. Federation is a technology/protocol and user centric is an implementation philosophy. When designing a user centric solution, you almost always have to include some form of identity federation, but give the user great control over its use. The converse is not required to be true (although I wouldn't object to it if it was true in any environments in which I played).

I like a lot of Conor's thinking.  I agree that use of a managed card in Cardspace should be considered a form of “federation” between the relying party and the identity provider – federation approved by the user.

But I don't quite buy that “federation is a technology/protocol” whereas “user-centric is an implementation philosophy”.  It doesn't compute given a great deal of work I've been doing lately.

It's clear to me that good “user-centric” experience isn't just an automatic or natural by-product of some other “technology/protocol”.  In fact, it requires just as much study, just as much thought, just as much coding, and just as much experimentation as protocols do – probably more. 

What I'm trying to say here is that it requires technology.   In the past we've had a lot of technology that failed miserably at organizing, integrating and rationalizing the user's experience.  I've been working on software that I think does a much better job at this.  Why wouldn't Conor call that a technology?

To my way of thinking, you have two more or less orthogonal technology efforts – that oriented around federation issues, and that oriented around the user's experience.

As a user, when I go from portal to portal to portal, it's likely they will have relationships with different identity providers.  Should my experience therefore be totally discontinuous as I move from one portal to another, being organized by the portal rather than by my own system?

In Cardspace (and with Information Cards running on other devices and platforms) we postulate that the user can benefit from computerization of his or her own identity experience – just as enterprises benefit from computerization of theirs.

Through Information Cards users can benefit, to the extent the technology is adopted, from the same well-understood experience as they move between unrelated portals which do not share identity relationships.   

I see Cardspace as providing a palette of identity relationships (Information Cards) that work for me as a user and make sense from my point of view as an individual with a complicated life. 

I think Dick Hardt, and others like Paul Trevithick at Higgins, share a number of the same notions as I do, though each of us is concentrating on different aspects of the problem.

So that's why I'm saying that there are two legitimate technology areas, orthogonal in the sense that you can have either one without the other, but synergistic in that together you get a number of critical new scenarios.

To make this more concrete, my next post will be a demo of Andre Durand and Ashish Jain's work in showing how this can look in practice.

Norlin's Maxim

I'm a big fan of Eric Norlin – it was one of his posts that got me started on the Laws of Identity.  But I think this ZDNet piece is especially good – and love Norlin's Maxim:

In the very near wake of a foiled terrorist plot, I find myself waking up, planning to write about the topic of anonymity and identity. The original impetus for my post is a recent article by David Weinberger. In that article, David argues for anonymity as a “default” in the online world by saying: “personal anonymity is the default in the real world — if you live in a large town, not only don't you know everyone you see, but you're not allowed randomly to demand ID from them — and it ought to be the default on line.”

It's not so much that I disagree with David, as I think he's framing the problem incorrectly. Framing the “online anonymity” issue in the context of being a default makes it a binary issue — a simple on/off switch; either anonymity is the default, or something else (from pseudonymity up to strongly authenticated identity) is the default. But online identity is *not* a binary issue. Identity (be it authentication, access, authorization, federation or any other component) operates on a spectrum. Further, every “user-centric” system I know of doesn't seek to make “identity” a default, so much as it seeks to make “choice” (including the choice of anonymity) a default. Whether the system is SXIP, CardSpace, or OpenID, they all begin by having the user choose how they will present themselves.

In the context of choice being the identity default, we're finding that the bulk of online users are choosing to place huge chunks of their identity online. My evidence: MySpace, YouTube, Facebook, etc. The heaviest generational component of the online community (the kids) rushes to identify themselves online. They flock to it so fast and so easily that it's making federal lawmakers (and many parents) uneasy. Do these kids think that anonymity is or should be the online default? Apparently not.

My semi-joking explanation of this lies in “Norlin's Maxim.” I first posited “norlin's maxim” as a joke, but I've since found it to actually be at least partially true — thus its semi-joking nature. Norlin's maxim is simple: The internet inexorably pulls information from the private domain into the public domain. The proof: Google your name today and google it again in 90 days (more will be known about you over time).

So, rather than arguing about whether or not anonymity is the default in the “real-world” (it's not), I would simply assert that while location may have been a proxy for identity in the original architecture of the internet, the nature of the network itself *forces* identity information from the private to the public domains. That forcing function leaves users open to losing control over their own personal information, and *that* problem demands a digital identity network infrastructure.

It's so true.  One of the main keys to understanding my work is to understand Norlin's Maxim.  And the maxim also explains why so many comparisons between the brick and mortar and the digital worlds fail to grasp the central issues.

Adventures in Cardspace

Industry guru Craig Burton's Cardspace is working now (thank goodness).

The bad news is that he's had a pretty miserable time getting it going.  Mainly, it seems in retrospect, because his computer was set up with a FAT32 file system.  If you have this configuration, no error message is displayed to you as a user – you have to read through a cryptic note in the system-wide error log.  This has to be fixed.

The good news is that once he got Cardspace working, Craig really liked it.  That's really important to me:

I have been trying to get CardSpace to work on my machine for several weeks. (Seems much longer.)

I have downloaded tons of upgrades, deleted apps and services, and so on.

Pamela Dingle and Kim Cameron have been very helpful in trying to help me make things work.

Pamela studied the error log (created by the CardSpace control panel) I posted and suggested that the problem was that my c: drive was using the FAT32 file system. She explained that her resources tell her that CardSpace only supports NTFS.

Turns out this is true. Kim subsequently fessed up that FAT32 isn't secure enough so they decided to set the bar at NTFS. They just didn't bother to tell anybody. (Good thinking.)

I decided–against my better judgement–to convert my FAT32 file system to NTFS. I haven't done that until now because I haven't been successful in creating an NTFS compatible boot CD. If something happens to my system, I'm in trouble. I am working on resolving this. (There is a DOS-based utility that will access NTFS for recovering critical data. I don't like that prospect.)

Anyway, to convert from FAT32 to NTFS you do the following. Open a command line window:

start>run>cmd

Run the convert utility:

convert c: /fs:ntfs

Reboot, and the convert utility–assuming you have enough empty storage–will convert FAT32 to NTFS with no loss of data.

I tried it. It worked. Whew! Getting this far has been no simple task.

I was then able to create an Infocard with the CardSpace control panel and login to the Identity web log and to the NetFX Sandbox.

I also tried the Ping site. It was slow–not sure why–but it worked. A page came up with four other sites that support Ping Federation that I can sign into with my Infocard. The sites aren't all that useful to me, Java, Verisign, Computer Associates, and another one I can't remember. That was cool.

The Ping site–unlike the other two sites–gave me three options for signin:
Traditional (yuch) name and password, self issued Infocard or Managed Infocard. Not sure why Ping distinguishes between self-issued and managed Infocards as the Infocard selector lets you do that, but I will find out.

Caveats.

If you convert to NTFS, you cannot go back to FAT32 without repartitioning and formatting your disk.

I love being able to register and login to a website with an Infocard…SWEET!

I hate how complicated it is and that it only works with BETA code. Infocard simplicity comes at a complicated uphill price. At least it isn't Msft-silo-centric. Apple, Mozilla, RedHat and others have committed to support Infocards.

Things will have to get significantly easier–and supported by other browsers and OSs–before we see any kind of adoption.

Despite all of that. Not having to use name-password mechanisms for secure interaction is very significant to the industry and people. This has been a long time coming and I can't emphasize its importance enough. Thanks to all that have made it happen. 

Many thanks to Pamela, who has become a Cardspace savant, for figuring this out – I've been in Australia and couldn't keep up with the troubleshooting.

Cardspace + FAT32 = Unhappiness

Pamela Dingle has posted some information we need to get out more broadly: 

Important installation note for people wanting to play with CardSpace: CardSpace only works when installed on an NTFS filesystem. If you are planning on setting up the July CTP and playing with CardSpace, make sure your C: drive is not FAT32. (more…)

We can't get the same kind of access control protection with FAT as we can with NTFS – for example the ability to set permissions at the directory and file level – so we set the bar at NTFS.

 

William Tay on converting public key pair formats

William Tay has a very interesting technical blog and has solved the riddle of how to take a key pair (private key plus certificate) that he produced in a Microsoft environment, and export it to PEM so it can be used by PHP.  I didn't have this particular problem, because I created my site's key using OpenSSL in the first place.  However, I've spent many hours with the OpenSSL utility trying – so far unsuccessfully – to go the other way (PEM to pfx).  It shouldn't matter which platform you create your key on – if you have a mix of platforms you want to be able to take the key in both directions.  Anyway, for those who have William's problem, here's how he dealt with it:

I believe some hardcore Windows CardSpace fanatics out there may have tried out Kim Cameron's IdentityBlog Cardspace demo on php. The tutorials and code samples can be found via his blog here. As of this time, I don't think he has updated it to work with the WinFX July CTP drop.

If you had played with those php samples, you will realize that nothing much has changed for the WinFX July CTP drop; we are still using the same version of the WS-Trust and WS-Security specifications. While WS-Security has been pretty much baked, as the advanced WS-* specifications reach a better level of maturity and acceptance, it won't change as frequently anymore.

The only change to take note is the OBJECT element in the html page. The way claims are presented on a html page is now space-delimited and not comma-delimited as it was before.

I have been showing the php demos in my presentations around the Asia-Pacific circuits for some time now. One of the questions I frequently get asked is how do we get the RSA private key of the https site (Relying party) we are using to authenticate our users. While Kim has shown some brief snippets of his php code here (it is fairly obvious why the entire Private Key cannot be disclosed here),

// Cardspace_demoprocessing.php
// Put your own PEM private key here and
// use the right password (for the demo
// we don't use MySql to store this stuff)

function get_settings($key)
{
    if ($key == "infocard_key") {

        $retVal = "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9266952B733BFBE0

Z4WmpirV4dXvYjNmfSN99Iu4iYzUWa4/CPZG0NParYSVHMOhb4lsS6iISjgniGG9
zhA862KDwsYUjgoyAIXfJAd5Z3hXiyJYdkygF/DUgeQFcwQjsWmkguq27EDHW6nS
.
.
.
3GkQxPLzTMFZYm7haU3WH+QYnNxz2bG0esUmB/YECXDCqFTbrUm/DUPd4YiI2HiL
+j40vRpPzY6ngd1QNOfd5jkin7sjW1YlsEsRPV8OzEJvNmBZF274Cw==
-----END RSA PRIVATE KEY-----";

    }
    else if ($key == "infocard_opener") {
        // passphrase that unlocks the encrypted key above
        $retVal = "xY8O< |aBB";
    }
    else {
        $retVal = NULL;
    }
    return($retVal);
}

he did not show how he got that RSA key. There are, of course, a few ways to get that key. But since we are on the subject of Open-source and php being the flavour of the day, I thought why not show the readers how to get it using another popular utility out there called “OpenSSL”. I am using version 0.9.8b of the OpenSSL binaries/executables.

Once that is all downloaded, installed and set up – I used this command to retrieve the RSA Private Key into a PEM file:

Openssl pkcs12 -in Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx -out cert.pem -nodes

You will, of course, replace the “Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx” with your own site's SSL digital certificate. The -nodes flag just tells the output not to have a passphrase lock on the resulting PEM file. Of course, you can keep one if you are afraid of others being able to view your site's Private Key from the php code file. The output cert.pem will contain the output:

Bag Attributes
    1.3.6.1.4.1.311.17.2:
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: 1a9c651d1153bf0e58ac3ff34c9fce1f_615cbd1c-54d4-4ea0-b0d4-5c14115c3abb
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDElLoxJcOzWT0jHT6uvdDHpDBnZLa4AE/gznjcKuSIT880MAmL
ADVIoDP/0MPDucexjWCtJ33msRCmi2TOQ86dPhyc/kfrmpTnjG+Kwi7tR5x07rAM

XLj+knD7VxrZvE/CBJP5PgjuvqfcbiSGf4R8dVB/nVm6tw==
-----END RSA PRIVATE KEY-----

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: Default Web Site
subject=/C=SG/ST=Singapore/L=Singapore/O=Softwaremaker.NET Pte Ltd/OU=Software Development and Architecture Research Unit/CN=swmvm2k3
issuer=/CN=Softwaremaker.NET Pte Ltd
-----BEGIN CERTIFICATE-----
MIIE1DCCA7ygAwIBAgIKYVFrDgABAAAACDANBgkqhkiG9w0BAQUFADAkMSIwIAYD
VQQDExlTb2Z0d2FyZW1ha2VyLk5FVCBQdGUgTHRkMB4XDTA2MDYzMDAyMjkyNFoX

Gl+c093/wY1RT9FhAyK0vpP/H9rFzyrCZbuyL69tWkTI1DGTuZHW5g==
-----END CERTIFICATE-----

Once you have the above output, you just have to replace everything from the “-----BEGIN RSA PRIVATE KEY-----” line to the “-----END RSA PRIVATE KEY-----” line with your own in the php code file (Cardspace_demoprocessing.php).

Hope this helps someone out there.

Yeah.  It's true that I was unclear, when writing my demo PHP code, how to best store and retrieve secret keys in a LAMP environment.  In Windows, I would use the system-provided routines for protecting and accessing secret keys, but I don't know the equivalents one would use in LAMP.

I ended up just storing my keys in MySQL (the code William shows above is a simplification to make the issues as easy to understand as possible) – but I'd appreciate hearing from someone who knows the proper way to do this.
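Since the post leaves the PEM-to-pfx direction open, here is an added example (mine, not William's or Kim's code) that drives the openssl command line from Python in both directions: it generates a throwaway self-signed key and certificate, bundles them into a pfx with `openssl pkcs12 -export`, extracts them again with the command William shows, and checks that the RSA modulus of the key that came out matches the key and the certificate that went in. The certificate subject and the password are constructed for the demo. Two caveats for anyone running this today: OpenSSL 3 writes the extracted key with a `-----BEGIN PRIVATE KEY-----` (PKCS#8) label rather than the `BEGIN RSA PRIVATE KEY` label in William's 0.9.8 output, which PHP's openssl functions accept just as well, and a pfx produced by older Windows tooling may need `-legacy` on the `pkcs12 -in` command because of its RC2 encryption. On the storage question Kim raises: whatever you do, keep the key out of the web root and readable only by the web server's user, and if it has to sit in a file with `-nodes`, treat that file's permissions as the whole of its protection.

```python
"""Added example: PEM <-> PKCS#12 round trip through the openssl CLI, with a
modulus check. Subject and password are constructed for the demonstration."""
import os
import shutil
import subprocess
import tempfile

HAVE_OPENSSL = shutil.which("openssl") is not None
PASSWORD = "pass:demo-only"      # constructed; never hard-code a real one


def run(*args):
    """Run one openssl subcommand and return its stdout; raise on failure."""
    result = subprocess.run(["openssl", *args], check=True,
                            capture_output=True, text=True)
    return result.stdout


def make_self_signed(key_pem, cert_pem):
    """Constructed test material: a throwaway RSA key and a one-day cert."""
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=demo.example", "-keyout", key_pem, "-out", cert_pem)


def pem_to_pfx(key_pem, cert_pem, pfx):
    """The direction the post could not work out: key + cert -> PKCS#12."""
    run("pkcs12", "-export", "-inkey", key_pem, "-in", cert_pem,
        "-out", pfx, "-passout", PASSWORD)


def pfx_to_pem(pfx, out_pem):
    """William's command. -nodes leaves the private key unencrypted on disk."""
    run("pkcs12", "-in", pfx, "-out", out_pem, "-nodes", "-passin", PASSWORD)


def key_modulus(pem):
    """RSA modulus of the private key in a PEM file. The PEM reader skips the
    'Bag Attributes' lines and any certificate block that precede the key."""
    return run("rsa", "-in", pem, "-noout", "-modulus").strip()


def cert_modulus(pem):
    """RSA modulus of the public key inside the certificate."""
    return run("x509", "-in", pem, "-noout", "-modulus").strip()


def pkcs12_roundtrip():
    """PEM -> pfx -> PEM; True when the extracted key is the one that went in
    and it really belongs to the certificate."""
    with tempfile.TemporaryDirectory() as d:
        key, cert, pfx, back = (os.path.join(d, n) for n in
                                ("key.pem", "cert.pem", "site.pfx", "back.pem"))
        make_self_signed(key, cert)
        pem_to_pfx(key, cert, pfx)
        pfx_to_pem(pfx, back)
        return key_modulus(back) == key_modulus(key) == cert_modulus(cert)


if __name__ == "__main__":
    if not HAVE_OPENSSL:
        print("openssl binary not found")
    else:
        print("round trip ok" if pkcs12_roundtrip() else "key mismatch")
```

The modulus comparison is the check worth keeping around: a pfx that imports without error but carries a certificate for a different key is a mistake that only shows up when TLS handshakes start failing.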

 

Demo libraries fix

Keith Grennan has a fix to the PHP sample code I published a while back.  He notes he “hasn't heard back”…  My mail system is extremely aggressive about putting things in the Junk Mail folder, so if you ever “don't hear back” don't be afraid to ping me again. 

I was hacking on Kim Cameron’s demo PHP InfoCard libraries recently, and sometimes found I got the error “SignedInfo digest doesn’t match calculated digest”.

It turns out the XML canonicalization in infocard-post-get-claims.php was breaking when character data in the token contained entity references (e.g. &), because the characterData handler gets only the decoded data.

Here’s a patch that fixes it. The patch re-encodes ‘<’, ‘>’, and ‘&’ characters back to ‘&lt;’, ‘&gt;’ and ‘&amp;’ respectively before adding them to $canonicalTokenBuffer. There are some edge cases that may not be solved by this patch, but it’s a quick fix that should make the token processing code more robust for many possible cases. I sent it to Kim but have not heard back.

Happy infocarding.

Check out the fix here.  I'll incorporate it into my code, which is intended to help people master infocard and can be used in whatever way is deemed helpful.  I'll post an updated ZIP this coming week.

Thanks, Keith.
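The failure Keith describes is easy to reproduce outside PHP, so here is an added example (mine, not Keith's patch or Kim's library) that rebuilds a document from expat parser events the way the demo code does. The character-data handler is handed decoded text, so a token whose values contain `&amp;` or `&lt;` re-serialises to different bytes than the ones that were signed and the digest no longer matches; re-escaping on the way back into the buffer is the fix. The SAML-like fragment is constructed. Real canonicalisation also sorts attributes, handles namespace declarations and whitespace, none of which this does, which is what Keith's remaining edge cases are about; Python 3.8 and later ship `xml.etree.ElementTree.canonicalize` for the real thing.

```python
"""Added example: why a decoded-text character handler breaks digest checks,
and the re-escaping fix. The XML fragment is constructed."""
import hashlib
import xml.parsers.expat

# Constructed token fragment whose character data holds entity references.
SAMPLE = ('<saml:Attribute Name="displayName">'
          '<saml:AttributeValue>Smith &amp; Sons &lt;Ltd&gt;</saml:AttributeValue>'
          '</saml:Attribute>')


def escape_text(data):
    """Put back the entity references the parser resolved. '&' goes first so
    the ampersands introduced for '<' and '>' are not escaped twice."""
    return data.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_attr(value):
    """Attribute values additionally need their delimiting quote escaped."""
    return escape_text(value).replace('"', "&quot;")


def reserialize(xml_text, fix):
    """Rebuild the document from parser events. fix=False mirrors the
    original bug: decoded text is appended to the buffer as-is."""
    buf = []
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True           # one callback per run of text
    parser.ordered_attributes = True    # [name, value, ...] in document order

    def start(name, attrs):
        pairs = zip(attrs[0::2], attrs[1::2])
        rendered = "".join(' %s="%s"' % (k, escape_attr(v) if fix else v)
                           for k, v in pairs)
        buf.append("<%s%s>" % (name, rendered))

    def end(name):
        buf.append("</%s>" % name)

    def chars(data):
        # The handler sees '&', not '&amp;'. Without re-escaping, the bytes
        # that get hashed are not the bytes the issuer signed.
        buf.append(escape_text(data) if fix else data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return "".join(buf)


def digest(text):
    """SHA-1 as used by the XML Signature digests of the period."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def digests_match(xml_text, fix):
    """Does the rebuilt document hash to the same value as the original?"""
    return digest(reserialize(xml_text, fix)) == digest(xml_text)


if __name__ == "__main__":
    print("buggy handler:", digests_match(SAMPLE, fix=False))   # False
    print("re-escaping  :", digests_match(SAMPLE, fix=True))    # True
```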