Tag Archives: tech

OASIS – Identity Management 2009

On 29/30th September, I went to the OASIS Identity Management 2009 forum, the theme of which was ‘Transparent Government: Risks, Rewards and Repercussions’. It was my first time at an OASIS event, and befitting the organisation and the location (it was hosted at NIST), the content was pretty in-depth and technical.

I’d really hoped to convert my scrawled notes into a series of posts on the topics covered, but time has escaped me and so I thought I’d at least post some of the notes I’d taken in rough form so that they didn’t get completely lost… So here are the notes from Day 1. If I get time, I’ll come back and post on some of these topics in more detail!

(There are also plenty of notes from other folks on the event’s Twitter stream, #idm09.)

OASIS IDM 2009 – Day 1

Session 1 – Use of Open Identity Technology In Government

– Leverage existing, open identities for government applications
— New government 2.0 initiative
— Using OpenID / InfoCard vetted providers
— 10 providers -> Can choose which provider / id (Google vs Equifax, for example)

GSA defining ‘profiles’ – sets of standards at specific versions, guaranteed compatible
— Also ‘levels of assurance’ – criteria for various strengths/token types, according to risk/impact of incident
— Not building again, mapping publicly available identities against government assurance levels

– New concept of open trust framework to certify IdPs
— Jointly presented by OpenID, InfoCard foundations
— Outreach to OpenID, InfoCard, InCommon, Liberty and Kantara

–> Open Trust Framework
— Doesn’t presume any existing circles of trust (vs SAML)
— User controlled identity management
— Open, reusable

Anyone can become an IdP, but need to be vetted.

ICAM profiles force private sector IdPs to be precise, to meet the government-specific requirements
It’s a win for the government, industry and the public:

– Govt doesn’t build in a silo
– Industry gets tighter specs to focus on, and drive wider adoption
– Users get reduced numbers of identities, at government levels of assurance

– No verification of assertion attributes, just that attributes are present (e.g. email attribute not checked to be a valid email)

SAML Profile: Already exists, based on existing SAML use cases in govt.

ICAM OpenID Profile:
– Only for sites at LOA1 thus far
– Based on OpenID 2.0
– SSL enforced on all endpoints
– “Directed Identity” approach, i.e. identity appears different to each RP, so no tracking
– Other restrictions defined in profile too, to ensure appropriate security

InfoCard Profile:
– acceptable at LOAs 1-3 (maybe 4)
– Focus on the UI, digital ‘card in wallet’ – card selector in browser
– Can have varying underlying auth methods
– Only supports Managed Cards, IdP issued
– Card auth mechanisms are un/pw, X509, Kerberos, etc

— Truly user-centric would be self-managed

Don Campinella (Equifax)

Spoke about ‘persona control’ – multiple personas for a given identity
Attribute use assurance
Verification of claims

Suggested that a commercial IdP gives experience, data, scale, trust
Better fraud protection and privacy (some liability?)

Discussed at LOA1 use of pairwise unique IDs, pseudonymous: reusable unique identifier given to each RP, but can’t be traced back to the user unless the user shares attributes. Each pairwise identifier can be revoked from the RP.
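The “directed identity” note in the OpenID profile and the Equifax discussion of pairwise pseudonymous identifiers describe the same mechanism, so here is one added example (not from the talks or any vendor’s code) of how an IdP can derive a stable, per-RP identifier with an HMAC and revoke it for a single RP via a generation counter. The key, user and RP names are all constructed for illustration.

```python
"""Pairwise pseudonymous identifiers as described at IDM09 (added example).

The IdP keeps one internal account per user but gives each relying party
(RP) a different, stable identifier derived with an IdP-held HMAC key, so
two RPs cannot join their records on the identifier alone.  Revoking an
identifier for one RP bumps a per-(user, RP) generation counter: the RP
receives a fresh identifier and the old one no longer resolves.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class IdentityProvider:
    key: bytes                                   # secret, never shared with RPs
    generations: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def pairwise_id(self, user_id: str, rp_id: str) -> str:
        """Stable identifier for (user, rp) under the current generation."""
        gen = self.generations.get((user_id, rp_id), 0)
        # NUL separators stop "ab"+"c" colliding with "a"+"bc".
        msg = f"{user_id}\x00{rp_id}\x00{gen}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def revoke(self, user_id: str, rp_id: str) -> None:
        """Retire the identifier this RP holds; other RPs are unaffected."""
        self.generations[(user_id, rp_id)] = self.generations.get((user_id, rp_id), 0) + 1

    def resolve(self, rp_id: str, pairwise: str,
                users: Iterable[str]) -> Optional[str]:
        """Map an RP-presented identifier back to a user.

        Only the IdP can do this: it needs the key and the user list.  An RP
        holding the identifier alone learns nothing about the underlying user.
        """
        for user in users:
            if hmac.compare_digest(self.pairwise_id(user, rp_id), pairwise):
                return user
        return None


def demo() -> dict:
    """Constructed walk-through; returns the identifiers for inspection."""
    idp = IdentityProvider(key=b"constructed-demo-key-not-for-real-use")
    users = ["alice", "bob"]
    at_rp_a = idp.pairwise_id("alice", "rp-a.example")   # e.g. a tax site
    at_rp_b = idp.pairwise_id("alice", "rp-b.example")   # e.g. a benefits site
    before_revoke = at_rp_a
    idp.revoke("alice", "rp-a.example")
    after_revoke = idp.pairwise_id("alice", "rp-a.example")
    return {
        "rp_a": at_rp_a, "rp_b": at_rp_b, "rp_a_after_revoke": after_revoke,
        "old_id_resolves": idp.resolve("rp-a.example", before_revoke, users),
        "new_id_resolves": idp.resolve("rp-a.example", after_revoke, users),
        "rp_b_still_resolves": idp.resolve("rp-b.example", at_rp_b, users),
    }
```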

Quoted that 20% of Medicare/Medicaid fraud is at the service provider, not the user, so we need to authenticate the service providers as well as consumers. This creates the need for a standalone IdP, outside of the RP.

Session 2 – Mary Ellen Callahan (CPO of DHS) & Ari Schwartz (COO – Center for Democracy & Technology)

MEC on the baseline of govt idm tech – “It’s got to work for my mum” – what happens if something goes wrong? Not just a data breach, but how do you interact with the individual and manage the problem.

– Should have a plan, since nobody’s infallible
– Elements of redress
– Harm-based analysis
– Not just financial loss, but also reputation, etc.
– Maybe even public safety (location data, etc)

-> All about trust of government

Overall message: “Make it as secure as can be, but also plan for the worst. Have a policy to a) deal with it and b) prevent it recurring”

AS – Test of ‘user-managed identity’ is not in the user interface or the technology, but whether the user is on an equal footing with the IdP and the RP.

Session 3 – John Tolbert (Boeing)

Using XACML and ODF for Export & IP controls

Need to have resource (classification, ECCN, USML) & subject (nationality, location, US person) attributes

For IP controls, there’s an OASIS-XACML-IPC profile.
By using XACML, there’s a simpler, quicker adoption
-> Government can push out standard policy in XACML format to be used in a central decision engine at each org
-> Facilitates quick updates, easier audit – using standardised XACML means standardised rules (though relies on accurate metadata)

Extending this to ODF document control profiles, to match the XACML-IPC profile. This gives end-to-end authorisation, not just at the point of distribution.

Gives the organisation a single set of policies / rules to manage.

Breno de Medeiros (Google)

Drivers for federated identity standards in Google are predominantly credential reuse and social graph sharing

– Social sites ask for passwords for data harvesting
– This is bad! Users are trained then to share passwords (see LinkedIn, Dopplr, etc)

More reputable sites are less likely to implement APIs for authorisation/delegation as an RP, since they have little to gain. To succeed, providers should give a rich authorisation/delegation API, and a good UI!

Example of Plaxo & Google – OAuth and OpenID combined, but with friendly simple UI. Google account can be used to login to Plaxo, then OAuth allows for sync of contacts.

UI: Per-attribute authorisation is difficult, every additional checkbox makes the UI more complex and prone to rejection by the user. Also noted that users expect a ‘generated’ ID to be pairwise, but a social site ID, or one manually created by the user, to be a global, shared identity. Need to be careful as PII could be exposed in URLs (email address, other correlatable data).

Current UI for OpenID that hides the ID is good (‘use your Google/Facebook/Live ID to login’) but isn’t scalable. There needs to be a good browser interface (like InfoCards) for IdP discovery in a privacy-aware way.

Session 4 – SAML 2.0 in government

Karen Higa-Smith (DHS programme manager)
Anil John

Discussion around use of SAML2 for data sharing.
Authentication is already handled by the PIV smart card.

“Profile” created – this is a set of specs at particular levels along with guidelines and implementation documentation for use within government departments. It’s not a ‘standard’, since building these is slow and expensive.

Programme to manage ‘backend attribute exchange’ (BAE).
– Built a deployment profile and documentation
– Built a proof of concept BAE reference implementation, using synthetic data, to show interoperability between multiple vendor products following the BAE profile

– Idea was to document the profile but not to reinvent the wheel, instead to use commercial or free products and existing standards. Programme should allow for multiple approaches and technologies, while ensuring interoperability.
– Encouraging COTS vendors to provide out-of-box support for the US government BAE profile.

Explained two models
1 – Direct Attribute Exchange
2 – Brokered Attribute Exchange

In the first case, a simple data exchange using SAML from point-to-point
In the second, smaller departments can use shared infrastructure from a larger department – but the data should be encrypted so that the shared infra provider can’t read the data. This was successfully accomplished using existing SAML standards.

– Supported attributes, name identifier, encryption standards, etc. are all specified within the SAML exchange.

– Also integration with the CA, so that user identities can be mapped to those on PIV cards or other certificate issuance.
– Flexible name identifiers, so that there’s no enforcement of a specific unique identifier.

Session 5 – Social Identity

Burton: Leveraging relationships & managing social identity

Discussed benefits of social identity (profiles, social graphs, etc) within the enterprise
e.g. Establishing social data in enterprise portals (skills, expertise, interests)
Leverage within blogs, wikis, forums – munge this data for display on portal -> activity feeds
Allow for ‘following’ of employees, subjects of interest

‘Facebook for enterprise’ – already have business dashboards, sales dashboards – why not a social dashboard?
Supports strategic talent, encouraging interaction, reflects generational shift towards social interactions

– problems of profile proliferation across multiple internal sites (and external)
– solve this with federation/sharing – but then problems of data leakage?

– Also automated activity stream causes sensitivity issues (e.g. posting on a gay forum, completing a sensitive deal)
– Resolve through access management, but then this risks losing serendipity. Creating a balance of access restrictions and openness is a big challenge.

-> Becomes an even bigger problem when trying to merge social graphs between internal and external tools (Facebook, LinkedIn)
– Breaking boundary between “work me” and “citizen me”. Is it acceptable for your boss to contact you about work issues on Facebook? Should they know about your out-of-work activities?

– Enterprise roles are well defined, though centred around access control
– Social roles proposed, e.g. “News filter”, “wiki gardener”
–> Social ‘talent management’, mining within the enterprise?

Vendor presentations

IDology (Jodi Florence) – identity verification provider
Anakam – government to citizen verification – a sliding scale from anonymous through to vetted proof with liability
Privo (Denise Tayloe) – Parental consent for managing a child’s identity and data sharing

Facebook Security

Despite my better judgment, I’m still using Facebook. All of my friends and acquaintances use it, increasingly as an IM application, and not just for posting inane status updates. Indeed, Adium, my IM client of choice, now supports Facebook chat, so I’m spending more time rather than less.

That being said, the thing I really don’t like about Facebook is the crappy applications and quizzes that people seem to expect you to join in with. I don’t care that you’ve thrown a sheep at me, or the Spice Girl you’re most like is ‘Baby Spice’… But more worrying is that these apps are quite often vectors for spam and people are entirely oblivious.

The security lab at Cambridge wrote a good article highlighting how bad this is, clearly spending a lot more time than my totally unscientific analysis of asking a few people I know, and experience of using the site. They noted that it’s relatively easy for an app to get published on the Facebook platform that can steal the user’s Facebook session, then use this to query Facebook’s servers impersonating the user and mine all of their personal data and that of their friends.

Facebook don’t allow you to do this under their terms of use, but obviously there are so many apps being published that some slip through the net. More than this, they’re not inclined to check particularly actively as long as users don’t shout too much – these apps have nicely targeted ads which make them and Facebook money. But of course the ads are targeted – the app stole all your data, so you can be pretty sure they can pick an accurate ad. None of this is new news, there have been a variety of reports in the technology and mainstream press highlighting how identity theft and other privacy concerns abound on Facebook.

The thing that never ceases to amaze me, however, is the fact that users continue to complete these inane quizzes, download free apps that allow them to throw sheep at their friends and don’t stop to wonder why anyone would go to the trouble of building these apps for free. It’s all well and good that Facebook asked me my date of birth when logging in from an ‘unusual location’ (I was travelling for work), but this is of little security benefit when it’s trivial to steal this information during my use of the site from the safety of my own house.

I’m unlikely to stop using Facebook given the amount of friends and work colleagues who use it, but please don’t be offended if I ignore your request for a pillow fight, zombie chase, gang war, or the chance to find out which South Park character you are.

Doubletwist
I first heard about Doubletwist around a year ago, and never really expected it to turn into a real product, but it entered into public beta (on the Mac, at least) this week.

Its slogan is ‘All your stuff, on all your devices, with all your friends — in seconds’. It’s a media manager that seems to have a pretty good UI, and on the Mac mimics somewhat the Finder or iTunes sidebar, showing your music, photos and videos. It also has a ‘friend feed’ for you to see what your Doubletwist friends are playing (or sharing), and you can upload media to YouTube, Flickr and Facebook. Surprisingly, you can even share tracks you’ve bought from iTunes with your friends.

The most impressive feature is that of copying your media (including DRM-protected content, such as purchased iTunes songs). A pretty large set of devices are included, counting Nokia phones, Blackberries, Windows mobile, Android and the PSP – oddly iPod and iPhone sync support is only available in the PC version.

Sync is as simple as it could be – just drag the media you want on to your device, and any encoding or translation is done on the fly.

Whilst some of the more extreme DRM-ripping features have been removed since the initial concept came about last year, and the media playing features aren’t that great yet, it looks like an interesting tool to keep an eye on.

Spanning Sync

With a plethora of devices and services, it’s a challenge to keep everything in sync. Since long before having an iPhone, I’ve wanted to keep my calendar and contacts in line across my phone, my laptop and an online service for when I’m at work.

The iPhone is great for keeping my phone in sync – every time I plug it in, it all updates… But adding calendar events with notes, or changing a series of addresses can be a hassle, and I like to have my data backed up online, and also easily accessible on a computer when I’m at work or otherwise away from my laptop.

For quite a while now I’ve been using Spanning Sync. This syncs my calendars and contacts from my Mac to Google. It’s entirely seamless – to the point that I regularly forget it’s even there. I don’t remember ever having problems with it doing bad things to my calendar, which is no mean feat.

If you’ve got a Mac (or more than one), you want to get your calendar/contacts synchronised between them, and don’t want to pay for .Mac/MobileMe, I can’t recommend it enough. It costs $25 for the first year and $15 thereafter normally, but they also offer a programme called ‘Save 5, Make 5’, where referrals have a $5 discount, and I get $5 for the referral too. Everyone’s a winner!

UK TiVo Upgrading

The TiVo, in my mind, is one of the best media inventions – basically ever. It’s been around for quite a number of years now, starting life as what’s now seen as a simple PVR (personal video recorder). The biggest selling point when it first launched was the ability to pause live TV, and when it launched in the UK it was decidedly ahead of its time – it launched at around £500, plus subscription, and people didn’t really understand what the point was.

The exclusive distributor in the UK was Sky – and of course they quite happily ripped off the product when Thomson decided to stop making it, in the form of Sky+. In the US, meanwhile, where there’s somewhat less of a TV monopoly, TiVo have continued to innovate. The software is available in standalone units for both standard and HD TV and also embedded in satellite and cable providers’ boxes as a premium option. It also now integrates with the (again US-only) Amazon Unbox movie download service, and can stream a variety of other sources of media from your own home network and assorted internet download sites.

So this takes me to the subject in hand. I bought one of the last TiVos from a store in London, an ex-demonstration unit. I absolutely loved it, and for a long time resisted the urge to swap my Sky and TiVo combination for a Sky+ unit – the functionality of the TiVo is so much better implemented, with a clean and easy to use interface that masks a wealth of functionality in comparison to the continual disappointment of Sky+. I’ve recently sold my TiVo for the ease of a one-box solution; however, I kept a variety of links for the upgrades I’d made to my TiVo and thought it might be worthwhile listing them for someone to find via Google.

Hard Drive

The TiVo came with a 40Gb hard drive, which allows for around 20 hours or so of recording on ‘best quality’ mode. It’s a standard 3.5″ IDE hard drive, and the TiVo itself runs Linux, so it’s a relatively easy thing to do to add a new drive. You’ll need a PC with a CD/DVD drive, from which you boot an image CD that lets you modify the hard drives, and ideally a spare FAT-formatted drive for a backup. There are a variety of guides for this, but the best I’ve found are:

Steve Conrad’s Upgrade Diary – A UK TiVo user’s upgrade experience
MFSLive – The best download source for boot images and TiVo drive tools, as well as a (non-UK) upgrade guide
ljay’s guide – Another UK guide

An upgrade to a 300Gb drive (very cheap these days) will give you over 100 hours of recording space

Ultra-Mega-High-Quality recordings

Next up, now that you’ve got a whole heap of disk space you might want to improve the quality of the recordings. The TiVo has a number of recording modes – Basic/Medium, at 352×576 resolution, High at 480×576 and Best at 544×576 are the ‘normal’ ones available. There is also a hidden extra mode, mode 0, at 720×576. The easiest guide for doing this is again at Ljay’s site. This can cause the odd adverse effect – particularly some flickering lines at the bottom of your picture. The background to the Mode 0 upgrade is on the TiVo Community forum.

Web Upgrade

TiVo Central will sell you for under £70 a network and cache-card combined. The network card plugs into a slot on the motherboard of your TiVo and allows you to access it over your network… Moreover it allows you to avoid the nightly phone connection, instead downloading TV listings over the internet.

There’s an actively developed web server, which lets you remotely schedule recordings of TV. By means of port-forwarding, this means you can access your TiVo from anywhere and set, change or delete recordings or Season Passes. The web server is called, cunningly enough, TiVoWebPlus – being an evolution of the TiVoWeb project.

TiVoWeb is pretty advanced – as well as setting recordings, you can also control the TiVo – remotely accessing all of the functionality of the TiVo’s menus and also getting at the innards. There is a vast array of scripts you can download, allowing you to receive daily emails (or RSS feeds) of the programmes that have been recorded or that are scheduled, or to add dynamic padding so shows are less likely to clash whilst still ensuring you don’t miss the start or end of a show.

You can also update the channel logos seen on the TiVo – there are logo packs, and scripts for doing this.

There are scripts that allow you to validate the data in the channel guide and improve it, too.

Finally, for those with good TVs, there are scripts that allow you to modify the graphics for the TiVo’s on-screen menus to avoid flickering.

Hopefully this is useful to someone who’s recently acquired a TiVo and would like to play with it… At least to tide them over until one day TiVo comes back to the UK.