Archive for June, 2006

All Declared SAML IPR Statements are now “defensive suspension”

Wednesday, June 28th, 2006


SAML IPR statements have been revised to explicit “defensive suspension”

..though don’t forget to also see this following message noting that AOL led this charge by example, which those of us working behind the scenes to effect this overall posture liberally pointed to..

Re: SAML IPR statements have been revised to explicit “defensive suspension”

The SSTC/SAML IPR Statements Page is here. Thanks again to all the folks who worked to make this happen!

My previous post on these developments is here.

Liberty ID-WSF 2.0 Draft Release 3 available

Wednesday, June 28th, 2006

The Liberty Alliance recently announced availability of:

ID-WSF 2.0 (DRAFT), the Identity Web Services Framework (ID-WSF), Draft Release 3

We’re getting very close to completing ID-WSFv2.0. I expect the delta between this Draft Release 3 specification set and the WSFv2.0 “final” spec set to be pretty small.

If you are interested in secure, identity-enabled, SOAP-based web services frameworks, you should take a look at this spec set. Rather than being a “framework of frameworks”, this spec set is directly implementable without further profiling. Indeed, ID-WSFv1.x is implemented, tested, and available from multiple vendors.

Report on security risks of applying CALEA to VoIP

Wednesday, June 14th, 2006

A report on the security risks of applying CALEA to VoIP is available on the website. To quote the site:

A new ITAA study by Internet gurus Vint Cerf, Whit Diffie and other experts warns that extending CALEA wiretap measures to Voice over Internet Protocol communications could stall innovation and introduce major security problems.

One of the report’s authors, Susan Landau, announced the report via this message to Dave Farber‘s Interesting-People mailing list.


Wednesday, June 14th, 2006

Whodentity is an excellent “who’s who” compendium of players in the identity industry, by Mark Dixon.

SAMLv2: HTTP POST ‘NoXMLdsig’ Binding

Tuesday, June 13th, 2006

From various discussions held with various folks, e.g. on the IDWorkshop mailing list (aka “Identity Gang”), it has become apparent that the major sticking point w.r.t. SAMLv2 adoption in some quarters, e.g. in the “scripting” world (e.g. PHP/Perl/Python/Ruby), is the present SAMLv2 bindings’ mandated reliance on XML Digital Signature (aka “XMLdsig”). Interoperable XMLdsig libraries are hard to come by, perhaps due to the XMLdsig spec’s complexity and its reliance on “XML canonicalization” (aka “c14n”), which is inherently complex on its own.

So Scott Cantor and I have hacked up this draft alternative SAMLv2 HTTP POST “NoXMLdsig” binding..

SAMLv2 HTTP POST “NoXMLdsig” binding

Now the next step will be to craft a SAMLv2 Profile that takes advantage of it.

SSO / Single Sign-On (read: Simplified Sign-On)

Wednesday, June 7th, 2006

The term “Single Sign-On”, and/or its typical acronym “SSO”, is used all over the place — for example in piles of specifications from various SDOs (Standards Developing/Development Organizations) and other orgs (eg corporations, .edu world, government, etc). Does anyone — including the authors of said specifications — actually believe that a person would ever have a single set of credentials that they wield everywhere?!#%$^

I don’t believe most folks actually believe that. However, this discussion is decidedly NOT over. I too had thought it was — but then I was recently talking with another security protocol professional who was thinking that we, in the SSTC, were being presumptuous because we employed the “SSO” term, and he thought we were taking it literally, as in “single sign-on”. Which of course we don’t, and are not doing.

Rather, what most everyone appears to acknowledge, including us in the SSTC, is that people will end up with some finite set of credentials, or personas, or identities (or whichever word you want to use according to the taxonomy/lexicon to which you subscribe), where the number of credentials is likely > 1 for any given person (but doesn’t have to be of course; it is zero for a lot of people on the planet as yet (in terms of the Internet)).

Note that this is the situation we’re in today: those of us “in the know” create a new set of creds (eg username & password) for most every Internet site with which we establish a relationship. The hope of those of us behind various SSO technologies (e.g. SAMLv2), however, is that given deployment of these technologies, netizens will gradually have the option to maintain fewer credentials (aka personas) to wield with the sites/services we utilize. Thus our lives will be at least somewhat more simple, and thus this interpretation of the “SSO” term. QED, etc.

So where does that leave the term represented by “SSO”? Personally, I subscribe to its real-life meaning being:

simplified sign-on

The perspective here being that (hopefully), given the emerging SSO-enabling technology (e.g. SAMLv2, Identity Web Services, etc.), it will begin to be deployed such that most all of us Netizens will have the opportunity to simplify our lists of site login credentials (I have > 80 last time I counted) and (hopefully) arrive at a more manageable number of credentials (aka personas) where n < 20 and hopefully for those who really want to, have n < 10. The foregoing quantities are just my personal off-the-cuff estimates, YMMV.

TIPPI Workshop: Trustworthy [User] Interfaces for Passwords and Personal Information

Wednesday, June 7th, 2006

Dan Boneh yesterday announced the open registration (free, as in beer) for the 2nd Annual TIPPI Workshop at Stanford University. Looks like there is an interesting batch of papers to be presented, which have relevance to recent discussions on the IETF-HTTP-Auth@ mailing list (especially threads during May-2006, e.g. “New draft on anti-phishing requirements”, “BOF proposal”, “BOF Request: WARP – Web Authentication Resistant to Phishing”).

Liberty Alliance Developer’s Workshop 12-Jun-2006 San Francisco

Sunday, June 4th, 2006

Liberty Alliance is hosting an Identity Web Services Framework Developer’s Workshop in San Francisco on 12-Jun-2006, ahead of the Burton Catalyst conference. It’s free, although the registration cutoff is 10-Jun. There will be several presentations by ID-WSF architects, including an ID-WSF overview (by Conor Cahill), a People Service overview (by Hubert Le Van Gong), and a use-case-driven exploration of the policy and consent pieces of ID-WSF (by Peter Davis). The presentations are followed by a Q

“Identity Open Space” Unconference in Vancouver BC in Jul-2006

Friday, June 2nd, 2006

There will be an “Identity Open Space (IOS)” Unconference held in Vancouver BC in Jul-2006, during the same week as the Liberty Alliance Project holds their quarterly members’ meeting in the same town. In fact, all Identity Open Space attendees are invited to attend the Vancouver Liberty members’ meeting!

This IOS event is billed as a co-production of the Internet Identity Workshop (IIW) Organizers (nominally Kaliya Hamlin, Doc Searls, and Phil Windley) and the Liberty Alliance Project.

This idea of co-locating an IOS event with the Liberty meeting is a great idea for several reasons, not the least of which is that it fosters convergence in the Identity space, and Identity is what Liberty has been all about from the beginning.

I attended the IIW2006 conference and found it to be quite interesting, stimulating, informative, and a great idea exchange venue.

Kaliya’s blog entry about IOS Vancouver — also known as “IdentityOSVan” — is HERE.

Johannes Ernst also blogged about it, entitling it (amusingly enough) “Un-Liberty?”.

Very much unfortunately, I won’t be able to attend due to overlap with a long-planned family vacation. :-(

Elizabethan traffic analysis

Friday, June 2nd, 2006

If you are aware of the term “traffic analysis”, then you’ll perhaps find this blurb from Steve Bellovin, concerning reference to an awareness of messaging patterns in Elizabethan times, on the Cryptography mailing list, to be of interest…

Elizabethan traffic analysis