Archive for the ‘Security’ Category

Wednesday, June 7th, 2006

The term “Single Sign-On”, and/or its typical acronym “SSO”, is used all over the place — for example in piles of specifications from various SDOs (Standards Developing/Development Organizations) and other orgs (eg corporations, .edu world, government, etc). Does anyone — including the authors of said specifications — actually believe that a person would ever have a single set of credentials that they wield everywhere?!#%$^

I don’t believe most folks actually believe that. However, this discussion is decidedly NOT over. I too had thought it was — but then I was recently talking with another security protocol professional who was thinking that we, in the SSTC, were being presumptuous because we employed the “SSO” term, and he thought we were taking it literally, as in “single sign-on”. Which of course we don’t, and are not doing.

Rather, what most everyone appears to acknowledge, including us in the SSTC, is that people will end up with some finite set of credentials, or personas, or identities (or whichever word you want to use according to the taxonomy/lexicon to which you subscribe), where the number of credentials is likely > 1 for any given person (but doesn’t have to be, of course; it is zero for a lot of people on the planet as yet (in terms of the Internet)).

Note that this is the situation we’re in today; however, those of us “in the know” create a new set of creds (eg username & password) for almost every Internet site with which we establish a relationship. The hope of those of us behind various SSO technologies (e.g. SAMLv2) is that, given deployment of these technologies, netizens will gradually have the option to maintain fewer credentials (aka personas) to wield with the sites/services we utilize. Thus our lives will be at least somewhat simpler, and thus this interpretation of the “SSO” term. QED, etc.

So where does that leave the term represented by “SSO”? Personally, I subscribe to its real-life meaning being:

simplified sign-on

The perspective here being that (hopefully), given the emerging SSO-enabling technology (e.g. SAMLv2, Identity Web Services, etc.), it will begin to be deployed such that most all of us Netizens will have the opportunity to simplify our lists of site login credentials (I had > 80 last time I counted) and (hopefully) arrive at a more manageable number of credentials (aka personas) where n < 20, and hopefully, for those who really want to, n < 10. The foregoing quantities are just my personal off-the-cuff estimates, YMMV.


Wednesday, June 7th, 2006

Dan Boneh yesterday announced the open registration (free, as in beer) for the 2nd Annual TIPPI Workshop at Stanford University. Looks like there is an interesting batch of papers to be presented, which have relevance to recent discussions on the IETF-HTTP-Auth@ mailing list (especially threads during May-2006, e.g. “New draft on anti-phishing requirements”, “BOF proposal”, “BOF Request: WARP – Web Authentication Resistant to Phishing”).


Friday, June 2nd, 2006

There will be an “Identity Open Space (IOS) Unconference” held in Vancouver BC in Jul-2006, during the same week as the Liberty Alliance Project holds their quarterly members’ meeting in the same town. In fact, all Identity Open Space attendees are invited to attend the Vancouver Liberty members’ meeting!

This IOS event is billed as a co-production of the Internet Identity Workshop (IIW) Organizers (nominally Kaliya Hamlin, Doc Searles, and Phil Windley) and the Liberty Alliance Project.

This idea of co-locating an IOS event with the Liberty meeting is a great idea for several reasons, not the least of which is that it fosters convergence in the Identity space, and Identity is what Liberty has been all about from the beginning.

I attended the IIW2006 conference and found it to be quite interesting, stimulating, informative, and a great idea exchange venue.

Kaliya’s blog entry about IOS Vancouver — also known as “IdentityOSVan” — is HERE.

Johannes Ernst also blogged about it, entitling it (amusingly enough) “Un-Liberty?”.

Very much unfortunately, I won’t be able to attend due to overlap with a long-planned family vacation. 🙁


Friday, June 2nd, 2006

If you are aware of the term “traffic analysis”, then you’ll perhaps find this blurb from Steve Bellovin, concerning a reference to an awareness of messaging patterns in Elizabethan times, on the Cryptography mailing list, to be of interest…

Elizabethan traffic analysis


Wednesday, April 19th, 2006

So my colleague Paul Madsen (ha ha — no, that’s not him, altho he *is* a “Dr.” — this is him) has published a humorous blog posting about “Alice and Bob” w.r.t. how they are employed in examples in various (Liberty) specifications.

In fact, Alice and Bob have had a long relationship in the security/crypto world, going back into the 1970s it appears, and they have become part of “the tradition” therein.

Here’s an (old) overview of their doings, tying their escapades back into fundamental facets of computer security, cryptography, and information science…

The Story of Alice and Bob


Thursday, April 6th, 2006

This slide deck, from the recent Black Hat Europe 2006 conference..

..provides an intriguing look inside the Skype executable, revealing the fairly great lengths its creators went to in attempting to obfuscate its code and workings. Also dissected are the ciphering techniques applied to Skype PDUs (protocol data units, aka packets). The deck illustrates creatively effective use of various debugging/disassembling tools. Icing on the proverbial cake are their some-assembly-required instructions for how to patch skype.exe for use in creating your own closed, private P2P network 🙂

This work adds to the body of openly disseminated information about this very closed P2P network and program. For reference, here are two earlier analyses..


Saturday, March 11th, 2006

My colleague and friend, Susan Landau, works (in one of her many facets) at the intersection of privacy, security, and public policy. I find it a good idea to keep up on what she’s writing in these areas. She doesn’t (yet?) have a blog per se, but watching the publications section of her homepage works pretty well — hence there being a link to her page in my sidebar here. She has a couple of recent articles on the multi-faceted topic of the Internet/VoIP and wiretapping/CALEA that are interesting and provocative…


Saturday, March 11th, 2006

I recently co-authored a major rewrite of the so-called “SIP SAML” I-D, crafting it into an actual SAMLv2 profile and binding, now (rather plainly) entitled “SIP SAML Profile and Binding”. Here’s the publication announcement: I-D ACTION:draft-tschofenig-sip-saml-05.txt.

Here is the abstract:

This document specifies a Session Initiation Protocol (SIP) profile of Security Assertion Markup Language (SAML) as well as a SAML SIP binding. The defined SIP SAML Profile composes with the mechanisms defined in the SIP Identity specification and satisfies requirements presented in “Trait-based Authorization Requirements for the Session Initiation Protocol (SIP)”.


Saturday, March 11th, 2006

The “SIP Identity” Internet-Draft, whose lead author is my colleague Jon Peterson, was recently blessed by the IESG and is to be issued as a “Proposed Standard” RFC. Here’s the announcement: Protocol Action: ‘Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)’ to Proposed Standard.


Saturday, March 11th, 2006

My colleague John Kemp has blogged a quick, accurate (although partial) tutorial on the Liberty Authentication Service, of which I was the original designer (see my bibliography). I hope he gets the time to post part 2 of his write-up!
