{"id":701,"date":"2007-03-04T14:14:57","date_gmt":"2007-03-04T22:14:57","guid":{"rendered":"\/?p=701"},"modified":"2007-03-04T14:20:27","modified_gmt":"2007-03-04T22:20:27","slug":"wrong-headed-impersonation","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=701","title":{"rendered":"Wrong-headed impersonation"},"content":{"rendered":"<p>James Kobielus&#39;s blog also includes a <a href=\"http:\/\/jkobielus.blogspot.com\/2007\/03\/rfi-user-centric-identity-and-what-eve.html\">report<\/a> on his&nbsp;interview with <a href=\"http:\/\/www.xmlgrrl.com\/blog\/\" class=\"broken_link\">Eve Mahler<\/a>.&nbsp; I think there are two issues raised that deserve discussion.&nbsp; The first concerns what Eve calls the &#8220;human absent&#8221; scenario:<\/p>\n<blockquote><p>&#8220;She focused on the centricity of the user in the data flow during a login attempt, distinguishing between the &#8220;human present&#8221; interaction mode (i.e., the actual human user\/subject is online during the transaction, responding to prompts, selecting i-cards, deciding whether or not to disclose this or that personal attribute to this or that relying party), vs. the &#8220;human absent&#8221; interaction (i.e., the human user\/subject is not actually online during the transaction on which they are a principal, but, instead, an identity software agent\/intermediary or delegated other human user is selecting i-cards, disclosing attributes etc. on their behalf).<\/p>\n<p>&#8220;She pointed out that most of the current crop of user-centric identity schemes (i.e, MSFT CardSpace, OpenID, etc.) focus primarily on the &#8220;human present&#8221; mode, which, as Eve stated memorably, means that the &#8220;user&#39;s policy is in their brain.&#8221; By contrast, she pointed out, Liberty&#39;s ID-WSF was developed to support both the &#8220;human present&#8221; and &#8220;human absent&#8221; modes.<\/p><\/blockquote>\n<p>The essence here is&nbsp;her notion that &#8220;an identity software agent\/intermediary or delegated other human user is selecting i-cards, disclosing attributes etc. on [the user&#39;s] behalf&#8221;.<\/p>\n<p><strong>On behalf of&#8230;<\/strong><\/p>\n<p>I&#39;m going to make a categorical statement.&nbsp; <em>No one&nbsp;and no service&nbsp;should ever&nbsp;act in&nbsp;a peron&#39;s identity&nbsp;or employ their&nbsp;credentials when they&#39;re not present.<\/em>&nbsp; Ever.<\/p>\n<p>It&#39;s not that there aren&#39;t use cases for which this might seem to be desireable.&nbsp;&nbsp;For example, let&#39;s look at the problem of linkback spam, in which fake sites fill bloggers&#8217; comment queues with garbage.&nbsp; Suppose, one day, we come up with <em>authenticated linkbacks<\/em>.&nbsp; Wouldn&#39;t you want&nbsp;the linkback service to be able to log in with your identity?<\/p>\n<p>Another example &#8211; given to me by someone who thought it was&nbsp;really definitive &#8211;&nbsp;was that of the OnStar notification system.&nbsp; Suppose&nbsp;you&#39;re driving, are involved in an accident, and lose consciousness.&nbsp; You want your OnStar system to call on your behalf so help will be dispatched.&nbsp; Clearly you can&#39;t participate.&nbsp;&nbsp;Similarly, hospital scenarios provide all kind of grist for the&nbsp;&#8220;human absent&#8221; mill.&nbsp; But should OnStar or a hospital system actually be acting &#8220;as you&#8221;?<\/p>\n<p>Last-century systems supported exactly this kind of behavior.&nbsp; We called it &#8220;impersonation&#8221;.&nbsp; And anyone who has done practical security work will tell you how many problems this caused, and how wrong-headed it is.&nbsp; If you&nbsp;give some service&nbsp;the ability to&nbsp;simply appear to be you, you are open to all kinds of attacks &#8211; and we&#39;ve seen them all around us.<\/p>\n<p>Put another way, I don&#39;t want OnStar to be be able to act on my behalf&nbsp;with respect to&nbsp;very many things.&nbsp; I don&#39;t want it to be able to remove money from my bank account.&nbsp; I don&#39;t want it&nbsp;buying gifts, or&nbsp;controlling my insurance, or doing anything else other than calling for help.<\/p>\n<p>So what I really want is for OnStar to identify itself as Onstar, and for Kim to identify himself as Kim.&nbsp; Then Kim can give OnStar a <strong>Delegation Coupon<\/strong> allowing it to call for help on my behalf.&nbsp; The coupon&nbsp;should be very restrictive.&nbsp; And if the service does something improper,&nbsp;that impropriety&nbsp;will clearly be associated with the service&#39;s own identity, not with Kim.<\/p>\n<p><strong>There is no user-absent scenario<\/strong>&nbsp;<\/p>\n<p>In otherwords, there is no user-absent scenario.&nbsp; There is a <strong>user is present and delegates authority<\/strong> scenario.&nbsp; After all, how can a user delegate authority if she isn&#39;t present???<\/p>\n<p>CardSpace is built on this principle.&nbsp; A delegated authority coupon is just a set of claims.&nbsp; CardSpace&nbsp;facilitates the&nbsp;exchange of any claims you want &#8211; including delegation claims.&nbsp; So using CardSpace,&nbsp;someone can build a system&nbsp;allowing users to&nbsp;delegate authority to a service which can then operate &#8211; as itself &#8211; presenting delegation tokens whenever appropriate.<\/p>\n<p>This is the right way to do things from a&nbsp;security point of view.&nbsp; We need to move beyond the idea of omnipotent services running behind the curtain, which is what we have come up with in the past, to a truly secure model where the user consciously delegates and systems demonstrate this in an auditable fashion.<\/p>\n<p>Surely it is obvious this is the best way to <em>reduce everyone&#39;s exposure and liability<\/em>.&nbsp; The user has less exposure because she controls what she delegates.&nbsp; The service has less exposure because it operates under specific and explicit permissioning, and insider attacks are significantly mitigated.<\/p>\n<p>As much as I think Liberty represented a step forward when it first stepped up to the plate, it needs to embrace the user-centric model and replace&nbsp;the more monolithic &#8220;on behalf of&#8221; mechanisms with a proper approach to delegation under the control of the affected parties.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Moving toward secure delegation scenarios<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,8,3,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/701"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=701"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/701\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}