Ben Laurie blathering

22 May 2007

Antony Gormley and Portico Quartet

Filed under: Art/Music — Ben @ 11:35

On Sunday the family went to see Antony Gormley’s Blind Light exhibition at the Hayward. I’m obviously not going to make much of an art critic because I don’t have a clue what to say, except that three of the exhibits would have been worth the visit on their own. These were “Blind Light”, “Event Horizon” and one I don’t know the name of that involves a lot of steel rods.

On the way out, we ran into Portico Quartet giving a free performance (of “(Something’s Going Down On) Zavodovski Island”, as it happens) on the South Bank. Superb. Buy their EP.

17 May 2007

Is Liberty Inherently User-Centric?

Filed under: Anonymity/Privacy,Identity Management — Ben @ 14:49

I have already stated that I believe that Liberty can be used in a user-centric way, but I am still being beaten up by Liberty proponents. They appear to want me to believe that Liberty discovery is only about user-centric identity.

I’m not buying it. Firstly, statements made by people involved in Liberty lead me to believe that they are interested in discovery of services that are not visible to users. But that’s just hearsay, so here’s some of Liberty’s own words, from the Liberty ID-WSF Security and Privacy Overview

• Notice.

Public-facing Liberty-enabled providers should provide the Principal clear notice of who is collecting the information, how they are collecting it (e.g., directly or through cookies, etc.), whether they disclose this information to other entities, etc.

• Choice.

Public-facing Liberty-enabled providers should offer Principals choice, to the extent appropriate given the circumstances, regarding how Personally Identifiable Information (PII) is collected and used beyond the use for which the information was provided. Providers should allow Principals to review, verify, or modify consents previously given. Liberty-enabled providers should provide for “usage directives” for data through contractual arrangements or through the use of Rights Expression Languages.

• Principal Access to Personally Identifiable Information (PII).

Consistent with, and as required by, relevant law, public-facing Liberty-enabled providers that maintain PII should offer a Principal reasonable access to view the non-proprietary PII that it collects from the Principal or maintains about the Principal.

• Correctness.

Public-facing Liberty-enabled provider should permit Principals the opportunity to review and correct PII that the entities store.

• Relevance.

Liberty-enabled providers should use PII for the purpose for which it was collected and consistent with the uses for which the Principal has consented.

• Timeliness.

Liberty-enabled providers should retain PII only so long as is necessary or requested and consistent with a retention policy accepted by the Principal.

• Complaint Resolution.

Liberty-enabled providers should offer a complaint resolution mechanism for Principals who believe their PII has been mishandled.

• Security.

Liberty-enabled providers should provide an adequate level of security for PII.

All good principles. If only terms like “public-facing Liberty-enabled providers” and “non-proprietary PII” had not been used, I would be totally buying that Liberty is all about user control.

As it is, I’m not sure why we’re arguing. Liberty seems, quite clearly, to have mechanisms that are aimed at allowing businesses to coordinate data they have on people, without the people being involved. It also has mechanisms that do allow the people to participate. This is good, and I’m sure many of us want to encourage their use in the latter mode. What’s more, I’m sure we’d all like to see Liberty adhere to its principles (for example, from the same document, “Avoiding collusion between identity provider and service provider”) by adopting, for example, selective disclosure techniques, so that it when it is used in these modes (and perhaps in others) it better protects the important people. That is, you.

In short, I think the people who are beating me up are on the same page as me, so can we stop arguing and do something constructive, please?

13 May 2007

Is Liberty User-Centric?

Paul Madsen and Pat Patterson berate me for suggesting that Liberty is all about silos. They’re right, of course. You can use Liberty to support user-centric identity management, if you want to. But I’m not buying their argument that Liberty is all about user-centric. Paul Madsen says that Liberty is built on the assumption that users keep their identity where they want to; if that were really true it would be a very strange assumption indeed, since its pretty clear that users currently do not have any control at all over where their identity is kept, to speak of.

So, I’ll definitely buy a modified version of Paul’s assumptions:

  1. Users’ identity will be kept in multiple places.
  2. The ‘where’ can be 3rd party identity providers as well as local storage (e.g. devices).
  3. It’s highly unlikely that all aspects of identity will be maintained at the same provider, i.e. there will be multiple ‘wheres’.
  4. Most users don’t want to be responsible for facilitating identity sharing by themselves providing the ‘where’.
  5. Experts will misinterpret 1-4 to suit whatever is their current competitive positioning.

I don’t see how changing the first assumption (from “users keep their identity where they want to”) makes any difference to the architecture of appropriate solutions, once you’ve combined it with the fourth assumption. Of course, if you drop the fourth assumption, it makes a huge difference, because you’ll architect a solution where the user is in control.

But Liberty cannot drop the fourth assumption: then facilities for discovery of data the user has no control over would not be needed.

Or, in other words, the base assumption of user-centric identity management is that users do want to control the “where”. If Liberty really were a user-centric architecture, it would have this assumption built in. And need I point out that assumption five applies to Liberty members just as well as anyone else?
Detractors will point out the dumbness of this idea

Ben, you want to remember where the various pieces of your identity are located, go for it. Write down the addresses on sticky notes, email them to yourselves, scribble them on your palm, be my guest. Should you be available when some provider seeks your identity, you can sort through the list of equivalent providers and specify your choice. How very user-centric.

Of course, the users won’t be managing their data by such primitive means. Their computer(s) or their chosen service provider(s) will do all the legwork. How dumb would I sound if I said Liberty couldn’t work because the sysadmins couldn’t possibly keep track of all the post-it notes they’d need for all that identity data?

Pat says

In any case, user privacy, consent and control has always been foremost

As I have explained in my paper on selective disclosure user privacy is just not possible to guarantee using the mechanisms that Liberty currently uses. Since user privacy is foremost, I look forward to Liberty’s adoption of selective disclosure.

Finally, Paul thinks he has taken the moral high ground by linking to this, so I feel obliged to point out once more that this blog does not reflect Google’s views on anything.

11 May 2007

Liberty Loves Silos

Filed under: Anonymity/Privacy,Identity Management — Ben @ 12:03

At both the recent Identity Open Space in Brussels, and the OECD workshop on identity management Liberty folk talked about the urgent need for protocols to discover identity services.

At the time, I was bemused: why would anyone need to discover services? Surely they would be communicated to you as they were needed? But last night I realised the truth: Liberty thinks you need discovery because they think it is both inevitable and correct that all your data should live in silos, beyond your control, and ideally where you can’t see it. Of course, in this case, you can’t assist in the process of locating information about you. Nor can you detect, let alone correct, inconsistency and incorrectness.

This is clearly so much better than user-centric identity (where, in case it isn’t obvious, discovery would be unnecessary – you would just ask me where to look). I can see why Liberty is so keen.

How CardSpace Breaks the Rules

Daniel Bartholomew wants to know which of Kim’s laws CardSpace breaks, and Chris Bunio thinks the OECD workshop was not the correct forum for a detailed discussion.

How fortunate, then, that this blog exists! I can answer Daniel’s question, and Chris can educate us all on why I am wrong.

In fact, there are many ways CardSpace could violate the laws, but there is one which it is currently inherently incapable of satisfying, which is the 4th law – the law of directed identity – which says, once you’ve fought your way through the jargon, that your data should not be linkable. I explain this in some detail in my paper, “Selective Disclosure” (now at v0.2!), so, Chris and Daniel, I suggest you read it.

10 May 2007

CardSpace and the Seven Laws (again)

At this OECD workshop on identity management, Fred Carter, of the Office of the Information and Privacy Commissioner, Ontario, spoke on “Functional Requirements for Privacy Enhancing Systems”. At one point he listed privacy protecting identity management systems, which he broadly defined as those following Kim’s seven laws. The list was short, just PRIME and Credentica … note the absence of CardSpace. So, I just had to ask: “does this mean that you believe CardSpace does not obey the seven laws?”. His reply? “Yes”.

Chris Bunio, a Senior Architect for Microsoft, was present. He did not dispute the claim.

8 May 2007

Sun’s House of Cards?

Filed under: Identity Management,Security — Ben @ 11:00

Sun have a plan. In short, they’re going to have an OpenID provider which authenticates Sun employees only.

That is, so long as you trust your DNS. Or, in other words, if you aren’t using any untrusted networks. How often does that happen?

7 May 2007

Microsoft Helps Digg?

Filed under: Crypto,Security — Ben @ 10:59

As everyone who is half awake knows, there’s a great deal of fuss going on about the publication of a key associated with HD-DVD. You might, however, be less aware of what seems to me to be a rather astonishing decision in the Supreme Court in favour of Microsoft (v. AT&T). My (admittedly non-lawyerly) understanding of this is that the Supreme Court said that Microsoft was not liable for inducing infringement by sending master disks to overseas distributors containing infringing code.

Better legal minds than mine say that this casts doubt on the illegality of posting the HD-DVD key.

2 May 2007

Selective Disclosure

Filed under: Crypto,Identity Management,Security — Ben @ 19:10

I seem to have to explain selective disclosure about once a week – and I’m going to try to explain it again in about 5 minutes flat, next week at an OECD workshop on identity management.

So, I figured it was finally time to write a paper on it. Feedback welcome!

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Filed under: Security — Ben @ 12:26

Apparently I’m not supposed to blog this number … I probably shouldn’t mention HD-DVD in connection with it, either.

So now I know.

Laws of Identity, Revised

Filed under: Anonymity/Privacy,Identity Management — Ben @ 10:28

Many moons ago, I wrote my Laws of Identity. Yesterday, my friend Cat Okita pointed out a deficiency, so here’s an update…
I claim that for an identity management system to be both useful and privacy preserving, there are three properties assertions must be able to have. They must be:

  • Verifiable
    There’s often no point in making a statement unless the relying party has some way of checking it is true. Note that this isn’t always a requirement – I don’t have to prove my address is mine to Amazon, because its up to me where my goods get delivered. But I may have to prove I’m over 18 to get the alcohol delivered.
  • Minimal
    This is the privacy preserving bit – I want to tell the relying party the very least he needs to know. I shouldn’t have to reveal my date of birth, just prove I’m over 18 somehow.
  • Unlinkable
    If the relying party or parties, or other actors in the system, can, either on their own or in collusion, link together my various assertions, then I’ve blown the minimality requirement out of the water.

What’s changed? Cat pointed out that collusion isn’t necessary for linkability, people can do it all on their own.

Powered by WordPress