Andreas Ã…kre Solberg writes on his Feide blog..
simpleSAMLphp 0.3 is launched. Most interesting in this new release is the SAML 2.0 IdP functionality. The documentation is not covering everything in detail yet, but it should be sufficient to get something up running.
The simpleSAMLphp 0.3 package also features a Shibboleth 1.3-compatible SP written in PHP.
Here’s someone — Phil Duba — out in the wide web-developer world who’s picked up the SAML specs, largely figured them out, and is working on integrating it (SAML-based SSO) into sites built with Cold Fusion…
SAML and ColdFusion – Part 1
http://www.philduba.com/index.cfm/2006/12/29/SAML-and-ColdFusion–Part-1SAML and ColdFusion – Part 2
http://www.philduba.com/index.cfm/2007/2/9/SAML-and-ColdFusion–Part-2
Cool Stuff.
The latest revision of the SAML HTTP POST-SimpleSign Binding Spec is here…
draft-sstc-saml-binding-simplesign-02
http://www.oasis-open.org/committees/download.php
/21715/draft-sstc-saml-binding-simplesign-02.pdfDiff version: draft-sstc-saml-binding-simplesign-02-diff
http://www.oasis-open.org/committees/download.php
/21716/draft-sstc-saml-binding-simplesign-02-diff.pdf
The salient difference between this new rev of this spec and the prior rev (which is at “Committee Draft” maturity level and out for Public Review) is that now we sign the SAML protocol message’s raw XML representation, rather than base64 encoding it first (as we specified in the previous revs of this spec). The reason for this change is..
Experimentation shows that many web browsers alter linefeeds when submitting form controls that span multiple lines. Since base64-encoded data often wraps, it is not possible to guarantee that the values submitted will match what the original signer produced, resulting in verification failures. Using the raw XML content as a component of the octet string addresses this issue.
..which is a direct quote from the new spec revision (at line 205).
JeffH sez check it out.
Well, I’m using the term “debate” loosely here because it seems to me, given the marshalled evidence, there isn’t much of a debate to be had, but in any case, Microsoft has responded to Peter Gutmann‘s cost analysis of the DRM subsystems in Windows Vista (of which I’d written about earlier), and also in system hardware that has anything to do with handling of so-called “premium content” (i.e. content encoded onto newly emerging HD-DVD and Blu-Ray discs). Their reply is here..
Windows Vista Content Protection – Twenty Questions (and Answers)
http://windowsvistablog.com/blogs/windowsvista/archive
/2007/01/20/windows-vista-content-protection-
twenty-questions-and-answers.aspx
Peter Gutmann’s rebuttal to Microsoft’s response is here..
Microsoft’s Response
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html#response
..which is an appendix of his overall “Cost Analysis of Windows Vista Content Protection” paper.
If you are at all curious as to the veracity and logic of Microsoft’s response, it is worth reading Peter Gutmann’s response in detail.
The Liberty Alliance will be holding a workshop in Redwood Shores, CA on 22-Jan-2006. Perhaps the event catch-phrase “Liberty 2.0” can be perceived as jumping on the arguably overwrought “2.0” meme coursing through the web these days, but we did in fact recently complete the ID-WSF v2.0 specification set, which I’d noted in these pages earlier this fall.
The event will be quite informative for those wishing to learn more about Identity-based Web Services, with Conor, Eve, JohnK, PaulM, and Mary Ruddy speaking.
Here’s relevant pointers…
Announcing Liberty 2.0 Workshop on Jan. 22 in Redwood Shores, CA
Peter Gutmann has just published a fairly detailed examination of Windows Vista Content Protection. It is highly recommended reading in that it has non-trivial implications for essentially all personal computer users of any stripe…
A Cost Analysis of Windows Vista Content Protection
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt
Note that this analysis dovetails with Bruce Schneier‘s overall “DRM is futile” piece from 2001…
The Futility of Digital Copy Prevention
http://www.schneier.com/crypto-gram-0105.html#3
And also it has been coming for a while. Here’s a Microsoft doc from early 2005 that goes into fair detail describing the DRM-driven system workings that Peter analyzes…
Output Content Protection and Windows Vista
Updated: April 27, 2005
http://www.microsoft.com/whdc/device/stream/output_protect.mspx
..although interestingly enough, technorati lists only 13 references to it in their view of the blogosphere. Perhaps this upcoming train wreck isn’t all that widely perceived.
To me, Microsoft’s introduction of this level of bizzare complexity into the hardware and software platform, simply tends to reinforce the refrain of one of my colleagues: “I ain’t going anywhere near Vista.”
Seems like I’ll have to sooner or later get around to experimenting with bringing up Ubuntu and/or CENT/OS and evaluating what it’ll take to migrate my environment over to one of them. Oh, yeah, and get my hardware upgraded sooner rather than later here so that it hopefully won’t have this foolishness in it. I wonder how long into the future XP will be supported?
[update 25-Dec-2006]
Peter has updated his analysis paper to provide pointers to publicly available sources.
Various folks in what is becoming known as the “scripter” community, i.e. people who code in Perl/PHP/Python/Ruby scripting languages, have complained that SAML is “too hard” to implement, for essentially two reasons..
The first excuse is becoming more and more moot as tools and techniques proliferate and experience grows.
The second is, it appears, becoming more mitigated with the appearance of various packages that implement XMLdsig for the scripting world. Here’s pointers to a couple…
Rob Richard’s XMLseclibs for PHP
http://www.cdatazone.org/index.php?/archives
/13-SUNs-OpenSSO-project-is-new-home-to-xmlseclibs-code.htmlXMLsig for Dynamic Languages (Ruby, Python, PHP and Perl)
http://xmlsig.sourceforge.net/
Now, I hear that some in the scripter community perhaps won’t like the XMLsig package because it is scripting languages wrapped around C wrapped around the xmlsec library (http://www.aleksey.com/xmlsec/), rather than a “native” scripting-language implementation, which is what Rob Richard’s apparently is. Well, time will tell, and in any case, it is good to see this base beginning to get covered.
[later addition; 27-Dec-2006]
John Kemp points out that he wrote up a brief HowTo paper on writing essentially a library similar to XMLsig-for-Dynamic-Langs, for PHP, back in April 2006. Since Aleksey Sanin has already done the work of implementing XMLdsig, it seems to me to make sense to take advantage of it. Here’s JohnK’s material…
PHP XML Signatures
http://appliedlife.blogspot.com/2006/04/php-xml-signatures.htmlXML Signatures in PHP
http://web.mac.com/john.kemp/php-xml-sig.html
Someone had posted on the private-club IDworkshop@ list…
>
> If you were to look back on the entire evolution of digital identity
> systems to date, what would you highlight as some of the key milestone
> events?
And my small contribution to the resulting stream-of-consciousness thread was (essentially, i’ve edited it some)…
In terms of more recent developments in online identity in a computing context (as opposed to, say, a PSTN context), the invention of a notion of an “account” (aka identity/identifier) mapped to a user and/or department/org is one of the earliest building blocks. Note that this can apply to batch processing as well as time-shared processing (i had an account when i was doing my first batch jobs on a CDC3150). This is the paper that ostensibly began the notion of time-sharing..
R.W.Bemer, “How to consider a computer”, Data Control Section,
Automatic Control Magazine, 1957 Mar, 66-69
http://www.trailing-edge.com/~bobbemer/PUBS-1.HTMhttp://en.wikipedia.org/wiki/Bob_Bemer
Also note that in IBM TSO (time share option) users could send interactive messages to each other — this was my first personal experience with what we would today call an “IM” system.
Also in terms of IM, the first distributed IM system, in the sense of today’s AIM/Y!/Gizmo/Skype/etc, that I heard about was MIT’s Project Athena’s Zephyr, which was in wide use at MIT in the latter half of the 80’s.
Then there was one of the first truly personal computers, the Xerox Alto (conceptualized in 1972), which was subsequently networked via Metcalfe & Bogg’s Ethernet, which then gave John Shoch and Jon Hupp the fertile ground in which to realize John Brunner’s SF prescient imagining of “worms” infesting computer networks…
http://en.wikipedia.org/wiki/Alto_%28computer%29
http://en.wikipedia.org/wiki/Ethernet
Note that within Xerox, especially in Palo Alto, the Alto was essentially a production machine. At PARC, by the late 70’s, everyone had one, even secretaries – there were several thousand of them built. Email (Grapevine) was used extensively for everything, including communicating with building facilities.
Birrell, A. D., Levin, R., Needham, R. M. and Schroeder, M. D.:
“Grapevine: An Exercise in Distributed Computing“. Communications of the ACM, 25(4), pp. 260-273.
In terms of Kerberos, it was based on Needham & Schroeder’s work, published in 1978..
Roger M. Needham and Michael D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers”, Communications of the ACM, 21(12) p 993.
..and which was the basis of the XNS Authentication protocol, which pre-dated Kerberos.
Oh, and in terms of Public Keys, Kohnfelder’s 1978 thesis “Towards a Practical Public-Key Cryptosystem” is predicated on Diffie and Hellman’s paper of 1976 “New Directions in Cryptography” as well as R, S, & A’s famous paper.
http://en.wikipedia.org/wiki/Loren_Kohnfelder
http://en.wikipedia.org/wiki/Martin_Hellman
http://en.wikipedia.org/wiki/Whitfield_Diffie
http://theory.csail.mit.edu/~cis/theses/kohnfelder-bs.pdf
R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of th ACM, 21(2):120ñ126, February 1978.
And of course, the above only scratches the surface of this large body of work….
Ok, so if yer hip to cryptography at least some, then you know that to do truly strong crypto, one needs a source of very random numbers. This is not all that easy, it turns out. If you’re unaware of this little subtle-but-way-important detail, check out Ross Anderson‘s book Security Engineering and Bruce Schneier‘s Applied Cryptography.
Anyway, so these creative geeks are apparently going for outer-space-based events as sources of noise from which to generate their randomness. The article from zdnet UK (originally) is here..
Note that the article has pointers to various other orgs providing ostensibly random numbers over the Internet.
A nod of acknowledgment to Dan Geer, who’s post to the Cryptography@ list was the source for this post.