Tag Archives: Information Cards

A good question indeed

Mark Dixon responds to this Dave Kearns article comparing passwords to buggy whips by posing a very good question:

The big question is, “Replace username/password with what?”

I personally like the use of secure certificates, as illustrated in Henry Story’s use of certificates in his demonstration iPhone app I blogged about recently. However, the mechanism for distributing, installing and managing such credentials for ordinary computer users seems like a daunting task. I also personally like the Information Card concept, at least for the conceptual metaphor it uses. But that isn’t a raging success and this technique is certainly burdened by its own challenges.

This is a question that is not asked enough, much less sufficiently answered. All of the competing approaches suffer from drawbacks that make them less acceptable in many cases.

Like Mark, I also think highly of certificates as the solution. But there are significant lifecycle deployment issues that are too daunting for most users. There is also another issue that does not get enough attention: physical security. When using a certificate you are really dependent on the physical security of the container holding the private key. If it’s a smart phone in your possession, great. If it’s a laptop in your possession, also great. If it’s a beige box sitting unsecured in your cubicle while you are at lunch, not so great.

Information Cards are a good solution, but they suffer from the same physical security issues. Of course the card can be PIN protected, but a PIN is really just another password (albeit a local one), and now you get into some of the same issues as with passwords, for example the PIN for less frequently used cards written on a yellow sticky note attached to the monitor.

Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords.

If cost is no issue OTP devices are a great way to go. But cost is always an issue.

Password authentication is like an impressionistic painting. The farther you move away from it, the better it starts to look.


Age verification information cards

Mike Jones has this interesting post about an age verification service based on information cards from Idology. Although not yet available for use, this service does look intriguing.

OpenID and Phishing

I am probably going to make a lot people mad here, but all this talk of OpenID and Phishing made me think of this demotivator: 

But seriously. The recent Fun OpenID Phishing Demo shows just how troutish the typical OpenID user would be if the technology were ever adopted for serious use. With OpenID (as with all SSO technologies), once they have your master login credentials they have access to all your SP accounts. Too many OPs are far too easy to Phish.

Touting the added security of an additional browser plug-in (especially one that is only available on Firefox) is simply not going to cut it. SPs have to believe that OpenID provides sufficient protection for all their customers assuming a vanilla browser, or it won’t be adopted for serious use.

Some sites like Vidoop are more Phishing resistant than others (Vidoop also has a browser plug-in that is available on both Firefox and IE). Relying on Information Cards to authenticate to the OP also provides a high degree of Phishing resistance. But relying on sites to be Phishing resistant would force SPs to a White List approach.

Perhaps OpenID + White Lists + Phishing Resistant OPs would keep Mr. Trout safe and happy.

PAPE is supposed to address this. But trust is all about knowing who you are dealing with. If I don’t know you, how can I trust you will really honor your promise? Likewise, how does an SP trust that a previously unheard of OP will honor the promises it makes via PAPE with regard to authentication?

You don’t mess around with Kim

I was listening to an old Jim Croce song while working on a rainy Sunday afternoon in Tampa, and I swear it sounded like this:

Horst Görtz has got its hustlers

And Bochum got its bums

The Redmond Gang got Big Kim Cameron

He a Card shootin’ son of a gun

Yeah he sly and smart as a man can come

But he’s quicker than a country hoss

And when the smart folks all get together at night

You know they all call Big Kim boss, just because

And they say you don’t tug on Superman’s cape

You don’t spit into the wind

You don’t pull the mask off an ‘ole Lone Ranger

And you don’t mess around with Kim

Well, let’s not take this too far because in the original song things don’t work out so well for Big Jim. Kim Cameron, on the other hand, just laid waste to claims by a trio of university researchers to have breached CardSpace. You can read Kim’s rebuttal here and here.

Compare this silliness to the recent Open ID Phishing demo. The Phishing demo is a very useful demonstration that not only shows a real and practical attack, but also provides a way for OpenID providers to test their own implementations out.

Guess which one got more press from the mainstream media?

Why everything you know about the Metric System is wrong and what it means for Identity Systems

Recently as part of my work with Cub Scouts I had to prepare a lesson on the Metric System. That started me thinking about the myths and misconceptions of the Metric System, why it isn’t used in the United States, and what that all means for Identity Systems.

First let me say I am a big fan of the metric system (I have an MS in Aerospace Engineering). And living in the United States, I almost never use it. Those are not contradictory statements. The reason that I never use it is that for my day to day life outside of work it simply offers no advantages to me. When studying engineering in college I used the Metric System almost exclusively. However, after going into the software industry I haven’t used it professionally since.

Here are some myths and misconceptions:

Myth #1 – The Metric System is a base10 system which is far superior to base12 systems. The metric system has been adopted world-wide (except for those crazy stubborn Americans) because of the inherent superiority of base10 mathematics in every day use.

BTW, what time is it where you are? What coordinates does your GPS show? How steep is that incline? Have you ever tried to saw a 1 meter board into 6 even pieces?

The point is that while base10 is much better for doing calculations with a calculator, base12 is better for some calculations you need to do in your head. That is because 10 is divisible by only 5 and 2, whereas 12 is divisible by 2, 3, 4, and 6.

Myth #2 – You shouldn’t use the English (Customary) System for technical purposes because the conversion between feet and inches and pounds and ounces is much harder than converting between meters and kilometers and liters and milliliters.

When doing technical work you don’t ever need to convert between feet and inches. You don’t really ever need to convert between meters and kilometers either. Once you are using scientific notation it doesn’t matter. 10,000 feet is 1x10E6 feet and 10,000 meters is 1x10E6 meters. Neither unit system is easier than the other in scientific notation.

Myth #3 – The Metric System is superior because all units are derived from and reproducible from the properties of nature. For instance, Celsius 0 and 100 are the freezing and boiling points of water. The meter is derived from a Meridian of the Earth.

While the Metric System was once naturally derivable, it was long ago discovered that the physical properties originally used vary too much to give an accurate definition. For a while the units were defined against physical models (for instance a certain platinum bar was used to define the meter). That was eventually viewed as too risky. Now all units are defined in purely arbitrary, but reproducible, terms.

Myth #4 – The stubborn Americans will eventually convert when enough are “educated sufficiently”. It’s only ignorance that keeps the Americans from converting willingly like the rest of the world.

The Metric System originally became accepted only at gun point. The point of Napoleon’s guns to be exact. The real telling point comes from the Wiki entry:

As of 2007 only three countries, the United States, Liberia, and Myanmar (Burma) had not mandated the metric system upon their populace.

Ah, breathe in the Orwellian goodness of that statement. The Metric System is so superior to other forms of measurement it has been mandated on the people by the force of law. All for their own good of course.

The point is that while there is a huge advantage to everyone being on the same system of measurement, the choice of Metric versus Customary is purely arbitrary. Since people make these choices based on personally perceived value combined with a natural resistance to change, most will not willingly convert to a new system without being forced to under threat of punishment. Or put simply:

Change is hard. Inches are easy.

What does all of this have to do with Identity Systems? Change is painful. Like measurement systems, people will make do with their current Identity System (mostly user IDs and passwords), because they understand it and it works sufficiently well for their day-to-day lives.

Yes, it’s a mess. Yes, it’s not very secure. But it works for most people. They understand it. They are comfortable with it. Most will not switch to an alternative like OpenID or CardSpace unless they see real value. Or put simply:

Change is hard. Passwords are easy.

Jeff the Bard on Self-Issued Cards

Never read your child Dr. Seuss and then stay up late writing about Information Cards. You might have a nightmare that goes something like this (with apologies to Theodor Seuss Geisel).

Bard is Jeff
Bard is Jeff
Jeff is Bard

That Jeff-the-Bard!
That Jeff-the-Bard!
I do not like
that Jeff-the-Bard!

Do you like
self-issued cards?

I do not like them,
Jeff-the-Bard.
I do not like
self-issued cards.

Would you like them
here or there?

I would not like them
here or there.
I would not like them
anywhere.
I do not like
self-issued cards.
I do not like them,
Jeff-the-Bard.

Would you use them
in your house?
Would you use them
with your mouse?

I do not like them
in my house.
I do not like them
with my mouse.
I do not like them
here or there.
I do not like them
anywhere.
I do not like self-issued cards.
I do not like them, Jeff-the-Bard.

Would you use them
‘cause of SOX?
Would you use them
with Firefox?

Not ‘cause of SOX.
Not with Firefox.
Not in my house.
Not with my mouse.
I would not use them here or there.
I would not use them anywhere.
I would not use self-issued cards.
I do not like them, Jeff-the-Bard.

Would you? Could you?
At a bank?
Use them! Use them!
I’ll be frank!

I would not,
could not,
at a bank.

You may like them.
I’ve been shown.
You may like them
on a phone!

I would not, could not on a phone.
Not at a bank! You leave me alone.

I do not like them ‘cause of SOX.
I do not like them with Firefox.
I do not like them in my house.
I do not like them with my mouse.
I do not like them here or there.
I do not like them anywhere.
I do not like self-issued cards.
I do not like them, Jeff-the-Bard.

A blog! A blog!
A blog! A blog!
Could you, would you,
on a blog?

Not on a blog! Not on a phone!
Not at a bank! Jeff! Leave me alone!

I would not, could not, ‘cause of SOX.
I could not, would not, with Firefox.
I will not use them with my mouse.
I will not use them in my house.
I will not use them here or there.
I will not use them anywhere.
I do not use self-issued cards.
I do not like them, Jeff-the-Bard.

Say!
With Explorer?
There in Explorer!
Would you, could you, with Explorer?

I would not, could not,
with Explorer.

Would you, could you, with Safari?

I would not, could not,
with Safari.
Not with Explorer. Not with Safari.
Not at a bank. Not on a phone.
I do not like them, Sam, you’ve known.
Not in my house. Not ‘cause of SOX.
Not with my mouse. Not with Firefox.
I will not use them here or there.
I do not like them anywhere!

You do not like
self-issued cards?

I do not
like them,
Jeff-the-Bard.

Could you, would you,
with OpenID?

I would not,
could not,
with OpenID!

Would you, could you,
in Liberty?

I could not, would not, in Liberty.
I will not, will not, with OpenID.
I will not use them richer or poorer.
I will not use them with Explorer.
Not with Explorer! Not on a phone!
Not at a bank! You leave me alone!
I do not like them ‘cause of SOX.
I do not like them with Firefox.
I will not use them in my house.
I do not like them with my mouse.
I do not like them here or there.
I do not like them ANYWHERE!

I do not like
self-issued cards!
I do not like them,
Jeff-the-Bard.

You do not like them.
So you say.
Try them! Try them!
And you may.
Try them and you may, I say.

Jeff!
If you will let me be,
I will try them.
You will see.

Say!
I like self-issued cards!
I do! I like them, Jeff-the-Bard!
And I would use them in Liberty.
And I would use them with OpenID…

And I will use them as I log.
In with Explorer. And on a Blog.
And at a bank. And on a phone.
They are so good, so good, you’ve know!

So I will use them ‘cause of SOX.
And I will use them with Firefox.
And I will use them in my house.
And I will use them with my mouse.
And I will use them here and there.
Say! I will use them ANYWHERE!

I do so like
self-issued cards!
Thank you!
Thank you,
Jeff-the-Bard!

(Mirrored from TalkBMC)

Information Card Miscellany

Bob Blakley summarizes the OSIS User Centric Interop demo at Burton Catalyst Europe. BMC didn’t participate in this one (we were there at the previous one in San Francisco). It sounded like it was a great success. Hopefully we see more events like this soon.

Mike Jones points to updated Information Card Icon usage guidelines from Microsoft.

Kim Cameron points to an interesting white paper on Information Card privacy issues in the EU.

There is an interesting discussion on Information Card usability issues between Paul Madsen and Ashish Jain. You can pick up the discussion here.

There is also another discussion going on about Level of Assurance and a potpourri of other issues that you can pick up here.

There is this interesting article about SharePoint moving towards a claims based model for AuthZ.

(Mirrored from TalkBMC)