January 18, 2010

E-mail Certificates

The Thawte Web of Trust, for which I was a fairly junior notary, was shut down recently. This included revoking all existing certificates back in November, at least according to Thawte's FAQ on the closure. Amusingly — but perhaps not surprisingly to anyone familiar with the area — I've had to date precisely no queries relating to my continued use of the supposedly revoked personal e-mail certificate.

The only other S/MIME certificate authority I'm aware of that does Web of Trust type identity validation is CAcert; unfortunately their root certificate isn't trusted by most browsers and e-mail clients and until that happens (if it ever does) I can't recommend them as a replacement. Similarly, the lack of built-in PGP/GPG support in current mail clients rules that system out for most people.

If you had a Thawte S/MIME e-mail certificate, you may have been able to trade it in for a 1-year equivalent from VeriSign free of charge. Unfortunately, after the first year it looks like VeriSign charge $19.95 per annum even for a "persona not validated" certificate, which doesn't sound to me like a lot of bang for your buck.

One alternative for the cost-conscious is Comodo's Free Secure Email Certificate product. Again, this is "persona not validated" but should be sufficient for most uses and you can't beat the price.

Posted by Ian at 12:21 PM in Identity | Comments (0) | Permalink

November 24, 2009

FAM09: Metadata Aggregation

Metadata aggregation as a route to cross-federation inter-operation continues to be my main focus for the year, and yesterday I delivered a presentation on the subject at JISC's Federating the next generation event.

I think the talk went reasonably well; a couple of people remarked that they liked having the key concepts separated out and clarified. People even chuckled in the right places a couple of times.

Checking Twitter for the #FAM09 tag I find that the main thing a couple of people took away from the talk was a snarky remark I made about XSLT. Curiously, I find that I'm fine with that.

As usual, here's a PDF version of my slides from the presentation:

20091123-Metadata-Aggregation.pdf

There are a fair number of animated diagrams in this talk, and not as many words as usual. That might mean that some parts are hard to follow without hearing me talk. I'm going to try and get hold of the audio recording made at the time and will upload a slide-synchronised version of the talk later if possible.

Posted by Ian at 8:14 AM in Identity | Comments (0) | TrackBack (0) | Permalink

November 1, 2009

No Hats

Please do not take photos with hats on

Seen on a recent trip to San Antonio, Texas, which is probably the last place you'd expect to see any attempt to constrain the use of any kind of headwear.

Obviously they don't mean you can't wear your own hat while taking photos; what they want to prevent is people wearing the display hats for the purposes of having their photographs taken. Or at least I think so; there were no hats in the vicinity of this particular notice.

Posted by Ian at 2:01 PM in Photography | Comments (0) | Permalink

November 1, 2009

Imperfect

Many of us, particularly if we have been programmers, have got into the habit of regarding computers as flawless execution engines. People with more of an electronics background tend to be a bit more sceptical, I think.

I've been trying to figure out why I couldn't burn a Fedora 11 DVD to upgrade one of my oldest machines for several months now. I had checked the SHA-256 hash of the download then copied the file from the server where I run BitTorrent across to a desktop machine's external hard drive. The burned disk verified against the image on the machine that created it but the installation self-test always failed, claiming the disk was corrupt. I tried burning from the same image on another machine; I tried burning at different speeds; I tried different blank DVDs. No change.

Finally, today, I thought to try verifying the hash on the copied image rather than the original one. It was different. Comparing the original download with the copy, I discovered two locations in the copy where byte 0x12 of a block had dropped the 0x08 bit.

It's probably not a coincidence that the machine on which I made the corrupted copy has recently come back from a couple of extended "warranty repair" holidays during which first the main system logic board and then (at my strong and repeated insistence) the actual DRAM were replaced. The machine had been having some intermittent problems involving applications shutting down unexpectedly; these looked like memory issues to me but the manufacturer's diagnostics had always given it a clean bill of health. As an old-school computer guy, of course, I know that the manufacturer's diagnostics never detect real memory issues.

The moral of the story? I'm not sure there is one: "faulty hardware sometimes gives the wrong answer" seems rather an obvious thing to say. On the other hand, if you are aware of the concept of metastability in electronics, you know that there's no such thing as perfect hardware as long as the logic needs to talk to the outside world. So we can reduce the frequency of odd weirdness to the point where we never expect to encounter it, but we can never make it go away altogether.

Posted by Ian at 1:16 PM in Hardware | Permalink

May 22, 2009

Concepts and Methods V1.10

I've talked about a metadata exchange approach to inter-federation working here before. Since my last update, I think we've seen some level of acceptance in both the technical and policy communities that this is — at least in principle — a valid approach, and there is work going on in a variety of places on that basis.

One thing that has become apparent as that work has developed is that we need to look at some of our basic assumptions with a fresh eye: complex problems can be often be simplified by looking at them from a different direction. To that end, Chad La Joie (of SWITCH and Shibboleth) and I have put together Interfederation and Metadata Exchange: Concepts and Methods, the current version of which you can download here:

concepts-v1.10.pdf

The main aim of Concepts is to provide a framework in which it is possible to think clearly about identity federations in a multi-federation world. This involves first separating concerns and then recombining them in new ways, leading to what we think is probably best thought of as a global metadata layer. There is also coverage of some of the technical implications of such an approach, but we've tried to keep that part as light-weight as possible here.

During the recent Internet2 Member Meeting in Arlington, this document was also reviewed by Scott Cantor, Steven Carmody, Josh Howlett, Leif Johansson, Thomas Lenggenhager and Valter Nordh. We are grateful to our colleagues for their many constructive comments, which we have have tried to incorporate faithfully in the current version. I will leave it to those individuals to state whether, and to what degree, they endorse our conclusions.

Posted by Ian at 10:38 AM in Identity | Comments (0) | TrackBack (0) | Permalink

May 14, 2009

Details, Details

I've been using Apple's Mighty Mouse on my desktop machines for a couple of years now. I quite like them, although the mouse's inability to represent both mouse buttons being held down at the same time makes it necessary to keep a conventional mouse around for things like gaming.

This is a nice mouse to use, though. For example, it makes a nice solid mechanical click when you use the left or right buttons (even though there is really only one mechanical button — the whole mouse — touch sensors inside give you two "logical" buttons).

There's even a tiny clicking sound when you squeeze the side buttons or roll the little trackball around. You can hardly hear these sounds in a normal office, but they make all the difference to the "feel" of the device. And, until today, I would have meant that literally: I'd have sworn that I could feel the little clicks through my fingertips.

Today, quite by accident, I discovered that the mouse does not make these tinier sounds if it isn't plugged in… or, in the case of the wireless version, if you take the battery out.

Yes, there's a tiny speaker inside, whose only purpose is to make sounds that are almost — but not quite — too quiet to hear.

Posted by Ian at 3:27 PM in Hardware | Comments (2) | TrackBack (0) | Permalink

April 29, 2009

Lessons

I'm in Arlington, Virginia this week for the Internet2 Member Meeting. As usual, lots of good hallway conversations and meetings. I had to work my passage this time by contributing a presentation to a joint session on Building on Success: from Identity Federation to Interfederation.

As well as the traditional statistics about how large the UK federation has become, I talked a bit about some of the things I think contributed to its success. This was more in terms of broad concepts than details, the idea being to give people thinking of setting up new federations a guide to some of the tradeoffs involved.

As usual, here's a PDF version of my slides from the presentation:

20090428-Lessons-iay.pdf

Posted by Ian at 2:43 PM in Identity | Comments (0) | TrackBack (0) | Permalink

April 12, 2009

FAM Futures

Earlier this month, I led a couple of breakout sessions at the UK Serials Group's conference in Torquay.

I knew that I'd have a wide range of people in the room in each session, so I put together a slide deck that would have something for everyone and talked about different subjects to different levels on each of the two days.

Some of the slides won't make much sense without explanation, but others do stand alone, I think. If you're interested, here's a PDF version of the slides stripped of the animations:

20090331-Futures-noanim.pdf

Posted by Ian at 1:08 PM in Identity | Comments (0) | TrackBack (0) | Permalink

February 18, 2009

Bedside Chocolate

Bedside Chocolate

This is another "snapshots from my travels" picture, from a recent trip to Zürich, Switzerland.

In many countries, it's common to find an inedible boiled mint on your hotel pillow. In Switzerland, hoteliers apparently have tastebuds that work.

Posted by Ian at 6:09 PM in Photography | Comments (0) | TrackBack (0) | Permalink

October 15, 2008

Avoiding the Martians

Alastair at UHI comments on my most recent Metadata Interchange document revision. His post highlights a couple of places where I can see I need to clarify what I'm proposing in a future revision. I recently purchased a copy of the OmniGraffle diagramming tool, and Alistair's post is a good example of why… sometimes a simple diagram really can be clearer than large amounts of plain text. Misunderstandings aside, I think we agree on most things.

One area where I've felt for some time we all need to express things more clearly is with regard to that thing we call "trust". I usually break this down first into "technical" trust (which allows you to know you're talking to the entity you think you are) and "behavioural" trust (which gives you expectations about the behaviour of a known entity). This isn't the whole story by all means, but does allow us to see that trust isn't a singular property; it's more like a stack or chain of elements that we can build up into something we can actually use.

Any federation can choose to act as a trust broker at many levels; for example, one federation may have strictly enforceable rules controlling member behaviour while another may leave behavioural trust to bilateral arrangements between members (such as the commercial contracts that are usually present in content licensing situations). The UK federation is towards the latter end of the scale: as all federations do, it acts as a broker of technical trust, but mere presence of an entity within the UK federation's metadata has never carried any behavioural guarantees.

What this means is that if you're used to operating in something like the UK federation, your stance is already to treat everyone as a potential ray-gun-toting Martian unless you have some specific reason to view them otherwise. Adding more Martians from other federations therefore doesn't change anything; the important thing that an inter-federation agreement adds is the assurance that the originating federation has registration procedures strong enough to prevent a Martian from masquerading as someone you have a real relationship with, and conversely provides technical trust strong enough to support you in picking the entities you do want to do business with out of the sea of entities you don't care about.

Posted by Ian at 5:33 PM in Identity | Comments (0) | TrackBack (0) | Permalink