Archive for the ‘Identity’ Category

New rev of SIP-SAML profile

Tuesday, November 4th, 2008

There’s a new revision of the SIP-SAML profile spec..

SIP SAML Profile and Binding

The key changes in this revision are that we’re aiming for experimental track (for now) due to a subtle-but-important impedance mismatch with the “SIP Identity” spec (RFC 4474, which we build upon), and we’ve added an additional profile to the spec. This new profile simply specifies SAML assertion conveyance “by value” in the body of SIP message(s) rather than “by reference”.
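To make the “by value” versus “by reference” distinction concrete, here is an added example (mine, not from the draft or from the SIP WG) that builds a SIP INVITE in each form and then extracts the assertion on the receiving side. The sample assertion is constructed and unsigned; the by-reference pointer is placed in an RFC 4474 Identity-Info header field as an assumption of this example, and the HTTPS dereference a verifier would do is stood in for by an in-memory map. The extraction check on Content-Length and on the reference scheme is the sort of sanity check a verifier would want, not something the draft text here spells out.

```python
import hashlib

CRLF = "\r\n"

# Constructed sample SAML assertion (unsigned; stands in for what an
# identity provider would actually issue). Not taken from the draft.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_a1" Version="2.0" IssueInstant="2008-11-04T12:00:00Z">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Subject><saml:NameID>sip:alice@example.com</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)

# Assumed stand-in for the HTTPS dereference a verifier performs in the
# by-reference profile: a URI -> assertion map kept in memory.
ASSERTION_STORE = {}


def _common_headers():
    """Headers shared by both forms (constructed example values)."""
    return [
        "INVITE sip:bob@example.net SIP/2.0",
        "Via: SIP/2.0/TLS pc.example.com;branch=z9hG4bK776",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "To: Bob <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710@pc.example.com",
        "CSeq: 314159 INVITE",
    ]


def build_by_reference(assertion):
    """By reference: publish the assertion at a URI and point at it from a header.

    Using Identity-Info (an RFC 4474 URI-valued header field) for the pointer
    is an assumption of this example; the exact field the draft uses is not
    stated on this page."""
    digest = hashlib.sha256(assertion.encode()).hexdigest()[:16]
    ref = "https://idp.example.com/assertions/" + digest
    ASSERTION_STORE[ref] = assertion
    headers = _common_headers() + [
        "Identity-Info: <%s>;alg=rsa-sha1" % ref,
        "Content-Length: 0",
    ]
    return CRLF.join(headers) + CRLF + CRLF


def build_by_value(assertion):
    """By value: carry the assertion itself in the SIP message body."""
    body = assertion
    headers = _common_headers() + [
        "Content-Type: application/samlassertion+xml",
        "Content-Length: %d" % len(body.encode()),
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_sip(msg):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = msg.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_assertion(msg):
    """Return the conveyed assertion, whichever form was used.

    Raises ValueError when the body length does not match Content-Length,
    when a reference is not https, or when nothing is conveyed."""
    _, headers, body = parse_sip(msg)
    declared = int(headers.get("content-length", "0"))
    if len(body.encode()) != declared:
        raise ValueError("Content-Length mismatch")
    if headers.get("content-type", "") == "application/samlassertion+xml":
        return body  # by value
    info = headers.get("identity-info")
    if info:
        uri = info.split(">", 1)[0].lstrip("<")
        if not uri.startswith("https://"):
            raise ValueError("refusing to dereference non-https assertion reference")
        if uri not in ASSERTION_STORE:
            raise ValueError("assertion reference does not resolve")
        return ASSERTION_STORE[uri]  # by reference
    raise ValueError("no SAML assertion conveyed")
```

Running `extract_assertion(build_by_value(SAMPLE_ASSERTION))` and `extract_assertion(build_by_reference(SAMPLE_ASSERTION))` both yield the same assertion text; the difference is only in who has to fetch what, which is exactly the trade-off the two profiles make.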

Note that the overall notion of “SIP Identity” has been in flux over the last year+. Once that set of issues is (hopefully) resolved, then we can do another SIP-SAML spec on the standards track.

Also, the SIP WG co-chairs have called for Working Group Last Call on this -05 revision.

=JeffH sez getcher comments in!

Stats – A Cool Group

Monday, March 10th, 2008

I just ran across this group at

Stats’s denizens post articles about and pointers to cool little gizmos/widgets/whathaveyous that one can use to leverage data.

I ran across it via this person’s profile..

Anthony Liekens

..he has a personal website where he offers..

Data mining musical profiles
Anthony Liekens, March 28 – April 2, 2007

..that article, and a web interface to his various tools.
=JeffH sez check it out 😉

[update] ps: note that sites such as have relevance to the more general notion of identity in that publishing the music one listens to is an aspect of one’s identity.

Will “open internet” IDM Migrate Towards “trust circles” ?

Monday, January 21st, 2008

Eve (aka xmlgrrl) posted the following bit of musing today..

Circles of trust: disaster? or really bad idea?

..which I tend to think hits the proverbial nail pretty squarely on the head wrt “open internet”, “trust all comers”, and “trust circles”.

One very small, detail-level comment I have on her post is that where she writes..

(where users are okay with this sort of back-channel communication)

..I would instead make it explicitly clear that “users” sometimes don’t have any direct say with respect to the machinations of the IT department on their behalf. Hence I would write it as..

(where users are okay with this sort of back-channel communication, or where they don’t have any say (e.g. in an enterprise deployment))

Note I don’t feel that the latter is necessarily a good thing, but it’s reality in corporate, governmental, and education worlds (at least), and no amount of attesting that “I want to own my identity data!” is going to change it any time soon (admittedly unfortunately). Besides, one’s identity, outside of one’s own thoughts, “is a story”, as Bob Blakley noted a while back, though this has been understood for quite a while by social scientists and philosophers (see, for example, Erving Goffman).

But I digress… 😉

New version of OpenID SAML comparison document

Monday, January 21st, 2008

I’ve done a modest editorial and copy editing update to the OpenID SAML technical comparison document announced earlier. Going forward, the latest rev will be available via this URL:

(Draft) Technical Comparison: OpenID and SAML

Monday, December 17th, 2007

Over the past couple of years quite a few folks have asked me, and I’m sure others, “what’s the salient differences between OpenID and SAML?” So earlier this year I began hacking together a technical comparison of the two. It’s an interesting exercise comparing two Web SSO protocols, even one as ostensibly simple, and straightforwardly specified, as OpenID. It turns out to be a fairly complex task given all the different facets inherent in authentication protocols in general, and in web-, i.e. HTTP-based, protocols (and profiles thereof) in particular. And also given the various audiences affected by such protocols: implementors, deployers, end users, and protocol designers.

The resultant comparison paper, “Technical Comparison: OpenID and SAML – Draft 05” seems to me to be at a stage where it can be shared widely (i.e. on the web :) ), here it is..

..For many readers, sections 1, 2, and perhaps 3 ought to cover things. For those necessarily interested in gory, really geeky details, parts or all of section 4 will be of interest. Note that this is still a “draft”–there are various items, especially in section 4, that are not as yet evaluated as thoroughly as I’d like, or at all (as yet).

I’ve tried as much as possible to provide an objective comparison. It’s admittedly difficult given I’ve been intimately involved in SAML’s gestation since essentially the very beginning. It’s also a technically difficult comparison because of the differing design centers of OpenID and SAML, as well as differing specification styles, and thus the difficulty in presenting the comparison to the reader, not to mention attempting to be “balanced”.

So, I hope this paper will prove at least somewhat enlightening and useful to the multifaceted “identity” community out there, and to those shepherding websites who are wondering what these two oft-mentioned beasts are, how they’re different/similar/alike, and also nominally how they work.

=JeffH sez check it out.

Latest revisions of SAML-lSSO and SAML OpenID Profile

Friday, September 21st, 2007

I’ve updated the SAML-lSSO and SAML OpenID Profile specs just to bring them up-to-date with the latest revisions of various SAML and OpenID specs and to fix minor editorial issues. The SAML-lSSO spec is presently not a current IETF Internet-Draft — its prior version expired a few months ago. We’re thinking about whether we want to pursue that spec “officially” or not. The issue with it is that in implementing it, one can optionally turn security completely off — which is a “feature” various folks advocating for so-called “open Internet” identity management desire. But SDOs such as IETF, OASIS, W3C, Liberty Alliance, etc. all would look askance at blessing such a spec. In fact the IETF definitely would not allow it to go forward in that they have an explicit policy against promulgating insecure protocols.

The SAML OpenID Profile is a simple hack I threw together a year or so ago (in a single afternoon) to prove the point that there’s nothing OpenID accomplishes protocol- and user-experience-wise that is inherently un-do-able with SAML. [1]

Anyway, here’s the links to said specs…

SAMLv2 Lightweight Web Browser SSO Profile

OpenID-SAML Lightweight Web Browser SSO Profile – Draft 02

=JeffH sez check ’em out.

[1] Note that I’m not claiming that they are equivalently “easy” to implement. By “implement” I mean to write code implementing the protocol on both or either the Relying Party or Identity Provider (aka OpenID Provider) side. Also note that I don’t use the term “implementing” as a synonym for “deployment”. Also, I am not claiming that they are equivalently “easy” to deploy. Almost all the artifacts of deployment are inherent in how a protocol is implemented. A “feature” that’s often claimed about OpenID as a differentiator is that anyone with a minimally capable hosting environment can field an OpenID relying party. I.e. they don’t need root access, nor access to their webserver configuration, etc. In fact, the same is true with some (all?) of the “scripty” SAML implementations, e.g. ZXID being a case in point.

Of various bits of networked computing identity history

Wednesday, December 20th, 2006

Someone had posted on the private-club IDworkshop@ list…
> If you were to look back on the entire evolution of digital identity
> systems to date, what would you highlight as some of the key milestone
> events?

And my small contribution to the resulting stream-of-consciousness thread was (essentially, I’ve edited it some)…

In terms of more recent developments in online identity in a computing context (as opposed to, say, a PSTN context), the invention of a notion of an “account” (aka identity/identifier) mapped to a user and/or department/org is one of the earliest building blocks. Note that this can apply to batch processing as well as time-shared processing (I had an account when I was doing my first batch jobs on a CDC3150). This is the paper that ostensibly began the notion of time-sharing..

R. W. Bemer, “How to consider a computer”, Data Control Section, Automatic Control Magazine, March 1957, pp. 66-69.

Also note that in IBM TSO (time share option) users could send interactive messages to each other — this was my first personal experience with what we would today call an “IM” system.

Also in terms of IM, the first distributed IM system, in the sense of today’s AIM/Y!/Gizmo/Skype/etc, that I heard about was MIT’s Project Athena’s Zephyr, which was in wide use at MIT in the latter half of the 80’s.

Then there was one of the first truly personal computers, the Xerox Alto (conceptualized in 1972), which was subsequently networked via Metcalfe & Boggs’ Ethernet, which then gave John Shoch and Jon Hupp the fertile ground in which to realize John Brunner’s prescient SF imagining of “worms” infesting computer networks…

Note that within Xerox, especially in Palo Alto, the Alto was essentially a production machine. At PARC, by the late 70’s, everyone had one, even secretaries – there were several thousand of them built. Email (Grapevine) was used extensively for everything, including communicating with building facilities.

Birrell, A. D., Levin, R., Needham, R. M. and Schroeder, M. D.: “Grapevine: An Exercise in Distributed Computing”. Communications of the ACM, 25(4), pp. 260-273, April 1982.

In terms of Kerberos, it was based on Needham & Schroeder’s work, published in 1978..

Roger M. Needham and Michael D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers”, Communications of the ACM, 21(12), pp. 993-999, December 1978.

..and which was the basis of the XNS Authentication protocol, which pre-dated Kerberos.

Oh, and in terms of Public Keys, Kohnfelder’s 1978 thesis “Towards a Practical Public-Key Cryptosystem” is predicated on Diffie and Hellman’s paper of 1976 “New Directions in Cryptography” as well as R, S, & A’s famous paper.

R. Rivest, A. Shamir, and L. Adleman. “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”. Communications of the ACM, 21(2):120-126, February 1978.

And of course, the above only scratches the surface of this large body of work….

A SAMLv2 Relying Party PHP Implementation

Wednesday, November 1st, 2006

So Pat Patterson has pulled a nice rabbit outta his hat and concocted a SAMLv2 Relying Party Implementation in PHP! I’m going to have to play with this one…

Switching on the Lightbulb

Q&A on the OpenSSO SAML 2.0 PHP work

A plug for Gizmo

Thursday, October 5th, 2006

So there’s this bit of software called Gizmo that’s pretty cool, available from It’s a SIP (Session Initiation Protocol) -based “softphone” widget, err.. gizmo, that allows one to make voice calls on the Internet, like VoIP, duh.

Anyway, obvious to anyone who’s paid a lick of attention the past few years, this competes with Skype. Since the Skype folk got a head start in this here land-grab internet property era we’re in, seems many of my colleagues have a Skype account, but not many have a Gizmo one. So I’m posting this here to encourage folks to give Gizmo a try. Of course it offers all the features of Skype, and more (much larger concall size is one obvious feature bennie). And it is open-standards-based, as compared to Skype, which is so ridiculously proprietary they even went to enormous lengths to obfuscate their executable code, apparently in order to try to stymie reverse-engineering (as I’d written about previously). So anyway, since I favor open-standards-based systems, and work in designing them (eg LDAP, SAML, ID-WSF, and now the SIP-world), I wish more folks would try Gizmo.

The only substantial complaint I’ve heard wrt Gizmo is that it can only register with Gizmo’s own SIP proxy server farms. Well, with the relatively recent version 2.x, this is remedied, and a Gizmo client can register with both the Gizmo proxies, and with any generic (and typically free, in the economic sense) SIP proxy you wish, eg, and, your own open-source Asterisk SIP server at home, or your company’s SIP server.

JeffH sez check it out.

ps: Of course, I’m also very supportive of open source SIP clients — I just haven’t had the time to check them out yet. There are some, though, so take a looksee here, or google for ’em. I’ll have to try some of them out and write about them. There’s also so-called “SIP hardphones” — I just got a SNOM 320 on my desk, and am exploring it. So far it’s pretty cool — although I can’t easily haul it around with me.

IDentity Deployment of the Year Award announced

Wednesday, August 9th, 2006

The Liberty Alliance will present the IDentity Deployment of the Year Award (IDDY, pronounced EYE-D) before the keynote at the DIDW (DigitalID World) conference this September. The announcement and nomination page is here…

IDentity Deployment of the Year Award

This sounds like a good idea to not only promote the “online identity” topic itself, but also spread some recognition for the folks who do the usually behind-the-scenes deployment work.