{"id":1018,"date":"2008-10-30T10:13:49","date_gmt":"2008-10-30T18:13:49","guid":{"rendered":"\/?p=1018"},"modified":"2008-11-01T08:22:31","modified_gmt":"2008-11-01T16:22:31","slug":"kim-camerons-excellent-adventure","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1018","title":{"rendered":"Kim Cameron&#39;s excellent adventure"},"content":{"rendered":"<p>I need to correct a few of the factual errors in recent posts by <a href=\"http:\/\/monkchips\/\" class=\"broken_link\">James Governor<\/a>\u00a0and <a href=\"http:\/\/blog.jonudell.net\/\">Jon Udell.<\/a>\u00a0 James <a href=\"http:\/\/www.redmonk.com\/jgovernor\/2008\/10\/28\/kim-cameron-and-the-doorman-dont-you-know-who-i-am\/\" class=\"broken_link\">begins<\/a> by\u00a0describing\u00a0our recent get-together:<\/p>\n<p style=\"padding-left: 30px;\">We talked about Project Geneva, a new claims based access platform which <a href=\"http:\/\/identity-des.com\/2008\/10\/28\/microsoft-geneva-server-supports-saml-20\/\">supersedes <\/a>Active Directory Federation Services, adding support for SAML 2.0 and even the open source web authentication protocol OpenID.<\/p>\n<p style=\"padding-left: 30px;\">Geneva is big news for OpenID. As David Recordon, one of the prime movers behind the standard <a href=\"http:\/\/twitter.com\/daveman692\/status\/977886168\" class=\"broken_link\">said on Twitter yesterday<\/a>:<\/p>\n<p style=\"padding-left: 60px;\">Microsoft\u2019s Live ID is adding support for OpenID. Goodbye proprietary identity technologies for the web! 
Good work MSFT<\/p>\n<p style=\"padding-left: 30px;\">TechCrunch <a href=\"http:\/\/www.techcrunch.com\/2008\/10\/27\/windows-live-adds-support-for-openid-calls-it-de-facto-login-standard\/\">took the story forward<\/a>, calling out de facto standardization:<\/p>\n<p style=\"padding-left: 60px;\">Login standard OpenID has gotten a huge boost today from Microsoft, as the company has announced that users will soon be able to login to any OpenID site using their Windows Live IDs. With over 400 million Windows Live accounts (many of which see frequent use on the Live\u2019s Mail and Messenger services), the announcement is a massive win for OpenID. And Microsoft isn\u2019t just supporting OpenID &#8211; the announcement goes as far as to call it the de facto login standard [the <a href=\"http:\/\/winliveid.spaces.live.com\/blog\/cns!AEE1BB0D86E23AAC!1745.entry\" class=\"broken_link\">announcement <\/a>actually calls it &#8220;<span style=\"font-size: small; font-family: Calibri;\">an emerging, <em><span style=\"font-style: italic;\">de facto <\/span><\/em>standard&#8221; &#8211; Kim]\u00a0<\/span><\/p>\n<p style=\"padding-left: 30px;\">But that\u2019s not what this post is supposed to be about. No I am talking about the fact [that] later yesterday evening Kim hacked his way into a party at the standard using someone else\u2019s token!\u00a0 [Now this is where I think some &#8220;small tweaks&#8221; start to be called for&#8230; &#8211; Kim]<\/p>\n<p style=\"padding-left: 30px;\">It happened like this. I was talking to <a href=\"http:\/\/www.sandm.co.uk\/mary\/\">Mary Branscombe<\/a>, <a href=\"http:\/\/www.sandm.co.uk\/simon\/\">Simon Bisson<\/a> and <a href=\"http:\/\/blog.jonudell.net\/\">John Udell<\/a> when suddenly Mary jumped up with a big smile on her face. Kim, who has a kind of friendly bear look about him, had arrived. 
She ran over and then I noticed that a bouncer had his arm across Kim\u2019s chest (\u201dif your name\u2019s not down you\u2019re not coming in\u201d). Kim had apparently wandered upstairs without getting his wristband first. Kim disappeared off downstairs, and I figured he might not even come back. A few minutes later though and there he was. I assumed he had found an organizer downstairs to give him a wristband\u2026 When he said that he actually had taken the wristband from someone leaving the party, and hooked it onto his wrist me and John practically pissed our pants laughing. As Jon explains (in <a href=\"http:\/\/blog.jonudell.net\/2008\/10\/28\/kim-camerons-excellent-adventure\/\">Kim Cameron&#39;s Excellent Adventure<\/a>):<\/p>\n<p style=\"padding-left: 60px;\">If you don\u2019t know who Kim is, what\u2019s cosmically funny here is that he\u2019s the architect for Microsoft\u2019s identity system and one of the planet\u2019s leading authorities on identity tokens and access control.<\/p>\n<p style=\"padding-left: 60px;\">We stood around for a while, laughing and wondering if Kim would reappear or just call it a night. Then he emerged from the elevator, wearing a wristband which \u2014 wait for it \u2014 belonged to <a href=\"http:\/\/www.networkworld.com\/Home\/jfontana.html\" class=\"broken_link\">John Fontana<\/a>.\u00a0 Kim hacked his way into the party with a forged credential! 
You can\u2019t make this stuff up!<\/p>\n<p>While there is certainly some cosmic truth to this description, and while I did in fact back away slightly from the raucous party at the precise moment James says he and Jon &#8220;pissed their pants&#8221;, John Fontana did NOT actually give me his wristband.\u00a0 You see, he didn&#39;t have a wristband either.\u00a0<\/p>\n<p>So let&#39;s go through this step by step.\u00a0\u00a0It all began with\u00a0the invite that brought me to the party in the first place:<\/p>\n<p style=\"padding-left: 30px;\">As a spokesperson for PDC2008, we\u2019re looking forward to having you join us at the Rooftop Bar of the Standard Hotel for the Media\/Analyst party on October 27th at 7:00pm<\/p>\n<p>This invite came directly from\u00a0the corporate Department of Parties.<\/p>\n<p>I point this out just to ward off any unfair accusations that I just wanted to raid the party&#39;s immense Martini bar.\u00a0Those who know me also know nothing could be further from the truth. 
You have to force a Martini into my hands.\u00a0 My attendance\u00a0represented nothing but Duty.\u00a0 But I digress.<\/p>\n<p><strong>Protocol Violation<\/strong><\/p>\n<p>The truth of the matter is that I ran into John Fontana in the cafe of the Standard and we arrived at the party together.\u00a0 He\u00a0had been invited\u00a0because this was, ummm, a Press party and he was, ummm, Press.\u00a0<\/p>\n<p>However, it didn\u2019t take more than a few seconds for us to see that the protocol for party\u00a0access control\u00a0had not been implemented correctly.\u00a0\u00a0 We\u00a0just assumed this was a bug due to the fact that\u00a0the party was celebrating a Beta, and that we would have to work our way past it as all beta participants do.\u00a0<\/p>\n<p>Let\u2019s just say the token-issuing part of the party infrastructure had crashed, whereas the access control point was operating in an out-of-control fashion.<\/p>\n<p>Looking at it from an architectural point of view, the admission system was based on what\u00a0is technically called \u201cbearer\u201d tokens (wristbands). Such tokens are NOT actually personalized in any way, or tied to the identity of the person they\u00a0are given to through some kind of proof. 
If you \u201chave\u201d the token, you\u00a0ARE the bearer of the token.<\/p>\n<p>So\u00a0one of those <strong>big\u00a0ideas<\/strong> slowly began to take root in our minds.\u00a0 Why not become bearers of the requisite tokens, thereby compensating for the inoperative token-issuing system?<\/p>\n<p>Well,\u00a0at that point, since not a few of the people leaving the party knew us, \u00a0John and I explained our &#8220;aha&#8221;,\u00a0and pointed out\u00a0the\u00a0moribund token-issuing component.\u00a0 As is typical of people seeing those in need of help, we were showered with offers of assistance.<\/p>\n<p>I happened to\u00a0be rescued by an\u00a0unknown bystander\u00a0with incredibly nimble and strong fingers and deep expertise with wristband technology.\u00a0\u00a0She was able to easily dislodge\u00a0her wristband and put it on me in such a way that its integrity was totally intact.\u00a0<\/p>\n<p>There was <strong>no\u00a0forged token<\/strong>.\u00a0 There was no stolen token.\u00a0 It was a real token.\u00a0 I just became the bearer.<\/p>\n<p>When we got back upstairs, the access control point\u00a0evaluated my token \u2013\u00a0and presto\u00a0\u2013 let me in to\u00a0join a certain set of regaling\u00a0hedonists basking in the moonlight.\u00a0\u00a0<\/p>\n<p>But sadly &#8211; and unfairly &#8211;\u00a0 John\u2019s token was rejected since its donor, lacking the great skill of mine, had damaged it during the token transplant.<\/p>\n<p>Despite the Martini now in my hand, I was overcome by that special sadness you feel when escaping ill fate\u00a0wrongly allotted to\u00a0one more deserving\u00a0of good fortune than you.\u00a0 John slipped silently out of the queue and\u00a0slinked off to a completely different party.<\/p>\n<p>So that&#39;s it, folks.\u00a0 Yet the next morning, I had to wake up, and confront again my humdrum life.\u00a0\u00a0But I do so inspired by the kindness of both strangers and friends (have I gone too 
far?)<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The admission system was based on what is technically called \u201cbearer\u201d tokens (wristbands).  The question is just, &#8220;do you have the token?&#8221;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[63,21,12,13],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1018"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1018"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1018\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}