Archive for December, 2006

Liberty Alliance [ID-WSF]v2.0 Workshop

Friday, December 22nd, 2006

The Liberty Alliance will be holding a workshop in Redwood Shores, CA on 22-Jan-2006. Perhaps the event catch-phrase “Liberty 2.0” can be perceived as jumping on the arguably overwrought “2.0” meme coursing through the web these days, but we did in fact recently complete the ID-WSF v2.0 specification set, which I’d noted in these pages earlier this fall.

The event will be quite informative for those wishing to learn more about Identity-based Web Services, with Conor, Eve, JohnK, PaulM, and Mary Ruddy speaking.

Here’s relevant pointers…

Announcing Liberty 2.0 Workshop on Jan. 22 in Redwood Shores, CA

Workshop Agenda

A Cost Analysis of Windows Vista Content Protection

Thursday, December 21st, 2006

Peter Gutmann has just published a fairly detailed examination of Windows Vista Content Protection. It is highly recommended reading in that it has non-trivial implications for essentially all personal computer users of any stripe…

A Cost Analysis of Windows Vista Content Protection
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

Note that this analysis dovetails with Bruce Schneier‘s overall “DRM is futile” piece from 2001…

The Futility of Digital Copy Prevention
http://www.schneier.com/crypto-gram-0105.html#3

And also it has been coming for a while. Here’s a Microsoft doc from early 2005 that goes into fair detail describing the DRM-driven system workings that Peter analyzes…

Output Content Protection and Windows Vista
Updated: April 27, 2005
http://www.microsoft.com/whdc/device/stream/output_protect.mspx

..although interestingly enough, technorati lists only 13 references to it in their view of the blogosphere. Perhaps this upcoming train wreck isn’t all that widely perceived.

To me, Microsoft’s introduction of this level of bizzare complexity into the hardware and software platform, simply tends to reinforce the refrain of one of my colleagues: “I ain’t going anywhere near Vista.”

Seems like I’ll have to sooner or later get around to experimenting with bringing up Ubuntu and/or CENT/OS and evaluating what it’ll take to migrate my environment over to one of them. Oh, yeah, and get my hardware upgraded sooner rather than later here so that it hopefully won’t have this foolishness in it. I wonder how long into the future XP will be supported?

[update 25-Dec-2006]

Peter has updated his analysis paper to provide pointers to publicly available sources.

XMLdsig implementations for scripting languages

Wednesday, December 20th, 2006

Various folks in what is becoming known as the “scripter” community, i.e. people who code in Perl/PHP/Python/Ruby scripting languages, have complained that SAML is “too hard” to implement, for essentially two reasons..

The first excuse is becoming more and more moot as tools and techniques proliferate and experience grows.

The second is, it appears, becoming more mitigated with the appearance of various packages that implement XMLdsig for the scripting world. Here’s pointers to a couple…

Rob Richard’s XMLseclibs for PHP
http://www.cdatazone.org/index.php?/archives
/13-SUNs-OpenSSO-project-is-new-home-to-xmlseclibs-code.html

XMLsig for Dynamic Languages (Ruby, Python, PHP and Perl)
http://xmlsig.sourceforge.net/

Now, I hear that some in the scripter community perhaps won’t like the XMLsig package because it is scripting languages wrapped around C wrapped around the xmlsec library (http://www.aleksey.com/xmlsec/), rather than a “native” scripting-language implementation, which is what Rob Richard’s apparently is. Well, time will tell, and in any case, it is good to see this base beginning to get covered.

[later addition; 27-Dec-2006]

John Kemp points out that he wrote up a brief HowTo paper on writing essentially a library similar to XMLsig-for-Dynamic-Langs, for PHP, back in April 2006. Since Aleksey Sanin has already done the work of implementing XMLdsig, it seems to me to make sense to take advantage of it. Here’s JohnK’s material…

PHP XML Signatures
http://appliedlife.blogspot.com/2006/04/php-xml-signatures.html

XML Signatures in PHP
http://web.mac.com/john.kemp/php-xml-sig.html

Of various bits of networked computing identity history

Wednesday, December 20th, 2006

Someone had posted on the private-club IDworkshop@ list…
>
> If you were to look back on the entire evolution of digital identity
> systems to date, what would you highlight as some of the key milestone
> events?

And my small contribution to the resulting stream-of-consciousness thread was (essentially, i’ve edited it some)…

In terms of more recent developments in online identity in a computing context (as opposed to, say, a PSTN context), the invention of a notion of an “account” (aka identity/identifier) mapped to a user and/or department/org is one of the earliest building blocks. Note that this can apply to batch processing as well as time-shared processing (i had an account when i was doing my first batch jobs on a CDC3150). This is the paper that ostensibly began the notion of time-sharing..

R.W.Bemer, “How to consider a computer”, Data Control Section,
Automatic Control Magazine, 1957 Mar, 66-69
http://www.trailing-edge.com/~bobbemer/PUBS-1.HTM

http://en.wikipedia.org/wiki/Bob_Bemer

http://en.wikipedia.org/wiki/Time-sharing

http://en.wikipedia.org/wiki/Multiuser

Also note that in IBM TSO (time share option) users could send interactive messages to each other — this was my first personal experience with what we would today call an “IM” system.

Also in terms of IM, the first distributed IM system, in the sense of today’s AIM/Y!/Gizmo/Skype/etc, that I heard about was MIT’s Project Athena’s Zephyr, which was in wide use at MIT in the latter half of the 80’s.

http://en.wikipedia.org/wiki/Zephyr_%28protocol%29

http://en.wikipedia.org/wiki/Project_Athena

Then there was one of the first truly personal computers, the Xerox Alto (conceptualized in 1972), which was subsequently networked via Metcalfe & Bogg’s Ethernet, which then gave John Shoch and Jon Hupp the fertile ground in which to realize John Brunner’s SF prescient imagining of “worms” infesting computer networks…

http://en.wikipedia.org/wiki/Alto_%28computer%29

http://en.wikipedia.org/wiki/Ethernet

http://en.wikipedia.org/wiki/John_Brunner_%28novelist%29

http://vx.netlux.org/lib/ajm01.html

Note that within Xerox, especially in Palo Alto, the Alto was essentially a production machine. At PARC, by the late 70’s, everyone had one, even secretaries – there were several thousand of them built. Email (Grapevine) was used extensively for everything, including communicating with building facilities.

Birrell, A. D., Levin, R., Needham, R. M. and Schroeder, M. D.:
Grapevine: An Exercise in Distributed Computing“. Communications of the ACM, 25(4), pp. 260-273.

In terms of Kerberos, it was based on Needham & Schroeder’s work, published in 1978..

Roger M. Needham and Michael D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers”, Communications of the ACM, 21(12) p 993.

..and which was the basis of the XNS Authentication protocol, which pre-dated Kerberos.

Oh, and in terms of Public Keys, Kohnfelder’s 1978 thesis “Towards a Practical Public-Key Cryptosystem” is predicated on Diffie and Hellman’s paper of 1976 “New Directions in Cryptography” as well as R, S, & A’s famous paper.

http://en.wikipedia.org/wiki/Loren_Kohnfelder

http://en.wikipedia.org/wiki/Martin_Hellman

http://en.wikipedia.org/wiki/Whitfield_Diffie

http://theory.csail.mit.edu/~cis/theses/kohnfelder-bs.pdf

R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of th ACM, 21(2):120ñ126, February 1978.

And of course, the above only scratches the surface of this large body of work….

Geek Alert: Start-up generates random numbers from space

Thursday, December 14th, 2006

Ok, so if yer hip to cryptography at least some, then you know that to do truly strong crypto, one needs a source of very random numbers. This is not all that easy, it turns out. If you’re unaware of this little subtle-but-way-important detail, check out Ross Anderson‘s book Security Engineering and Bruce Schneier‘s Applied Cryptography.

Anyway, so these creative geeks are apparently going for outer-space-based events as sources of noise from which to generate their randomness. The article from zdnet UK (originally) is here..

Start-up generates random numbers from space

Note that the article has pointers to various other orgs providing ostensibly random numbers over the Internet.

A nod of acknowledgment to Dan Geer, who’s post to the Cryptography@ list was the source for this post.

SAML: deployments of, and references to — from OASIS Adoption Forum 2006

Wednesday, December 13th, 2006

The procedings of the 2006 OASIS Adoption Forum (28,29-Nov-2006, London) are here..

OASIS Adoption Forum
http://www.oasis-open.org/events/adoptionforum2006/proceedings.php

SAML figures prominently in many of the talks. Below, I’ve sorted the talks by whether they are discussing actual SAML implementations and/or deployments, planning to use SAML, or the talk references SAML in context.

The presos, unto themselves, illustrate a large and growing SAML deployment community, apparently amounting to millions of identities in aggregate, in the near future if not now. Of course, they are just illustrating a tip of the iceberg, e.g. the extensive Shib-based community, enterprise deployments, etc are not necessarily reflected here.

Deployments/Implementations Employing SAML…

Keynote Presentation – The NHS, Standards, Security & Identity Management
Mark D. Ferrar

Real Life Solution, Real Life Problems: A-Select, An Open Source Federated Identity Management Solution
Maarten Koopmans

The Identity and Authorization Management in e-Government System: Requirements and Implemention Methods
Chuan Liu

The Role of SAML for Identity Management in the Danish Public Sector
Søren Peter Nielsen

GUIDE Project for a Consistent Approach to Identity Management Across the EU and Its Use of SAML and Liberty Alliance
Keiron Salt

XML, Web Services and SOA: Data Protection and Privacy Opportunities and Challenges in the Government Sector
Rich Salz

Deployments planning to employ SAML…

Case Study: The British Columbia Attorney General implementation of Web Services Security
Toufic Boubez

References to/of SAML…

The Need of SDO Collobaration as an Enabler of SOA in NGN
Abbie Barbir

Towards Trusted Web Services
Kevin Blackman (see slide 28)

Practical Cases of One e-Identity for Different Web-Solutions
Zivko Lazarov

ITU-T Presentation
Georges Sebek

Of course these reference SAML…

XML Security Standards: Overview for the Non-Specialist
Hal Lockhart

Extensible Access Control Markup Language (XACML) Update
Hal Lockhart

[at time of writing this post, the content of the above two .ppt files was reversed relative to their labeling on the web page (and above). i reported the bug, it may be resolved at some point. I’ll update this page if necessary once the proceedings page is fixed.]

So yer not sure why I brought a Gong?

Monday, December 11th, 2006

Eve Maler wrote, in her post about the Un-Talent Show at IIW2006b last Tue evening 5-Dec-2006

UPDATE: … about the gong. I’m not sure exactly what possessed JeffH to bring it with him, but he’s local and he’s a drummer, so QED, I guess! Kaliya used it throughout the IIW event to signal session transitions and such.

Well, some people bring cameras, ipods, whatever to meetings/conferences. I bring various wacky things from time-to-time. I suppose bringing one of my gongs is “friendlier” than bringing my sword, though some would argue the sword could be whacked on tables or whathaveyou to signal session transitions…

JeffH with sword, in office.