Identity Archives


January 23, 2008

UK federation Technical Statistics

I was recently asked to give a presentation to a group of people involved with service delivery for the UK federation. The result is Technical Statistics: What they tell us, and what they don't.

There are some interesting statistics in there (for example, the high degree to which the fairly young JANET Server Certificate Service has already taken off) but the other theme of the talk was that there is an awful lot going on that we probably can't understand without a lot more direct interaction with the membership.

I've also uploaded the slides to slideshare, if you'd like to give that a try.

Posted by Ian at 11:46 AM

January 9, 2008

McShib Talk on Core Attributes

I gave a presentation to the second meeting of the McShib group last month covering An Identity Provider’s Guide to the Core Attributes (of the UK federation).

I made an audio recording of the presentation. I ran "a bit long" on the day (70 minutes), but once I have edited out the coughing and some of the rambling I'll post a synchronised audio+slides version.

Links referenced during the talk:

Posted by Ian at 12:17 PM

January 2, 2008

Responsible Behavior

People have observed that this blog can from time to time be characterised as "a nearly impenetrable thicket of geekitude". I can't really argue with that, and I have no intention of making any kind of New Year resolution to "mend my ways".

On the other hand, I do sometimes wonder about rating my posts in terms of a new metric: how many Wikipedia entries would you have to reference to explain this to the man on the Clapham omnibus?

One of my favourite cartoon sites — xkcd.com — also finds the need to peg the MOTCO-meter once in a while. Responsible Behavior is a good example; I have to rate it a four at least:

Never bring tequila to a key-signing party.

Do you agree? More interestingly, what do you think the answer will be in ten years?

Posted by Ian at 6:12 PM

December 30, 2007

Thawte WoT Notary

[thawte Web of Trust notary seal]

I am now a (very junior) notary in the thawte Web of Trust. An assurance from me is worth 10 points towards the 50 required for a personal e-mail certificate with your own name on it.

More details are available for those who are interested.

Posted by Ian at 7:47 PM

September 3, 2007

MicroID

As part of one of the more deeply nested yak shaving exercises I've been working through recently, I have added MicroIDs to various pages on this site. For example, the header for the main index page for this blog now includes the following elements:

<!-- MicroID for '/' variant of URL -->
<meta name="microid"
  content="mailto+http:sha1:b887e662ed3d811e665ef4a034e018a521a5467d" />
<!-- MicroID for '/index.html' variant of URL -->
<meta name="microid"
  content="mailto+http:sha1:ed938d07588303f4eeee45adfef090221e0c692e" />

A MicroID is a very simple way of making a verifiable statement about the ownership of a page. The specification goes into more detail, but essentially the value you see is constructed by independently hashing your e-mail address and the URL of the page in question, concatenating those results and then hashing once more.

The way you use a MicroID in practice is as supporting evidence for a claim of ownership to some third party who already knows your e-mail address. If you say "I own that page" to such a third party, they can compute the same MicroID value from your e-mail address and the page's URL and then check for a match within the page's <meta name="microid"> headers. You can see this claim checking by looking at the "verified" links in my claimID profile.

MicroID is an improvement on the perhaps more obvious approach of just embedding your e-mail address in the page because it doesn't reveal your e-mail address to things like spam address harvesters. It also improves on a simple hash of the e-mail address by including the URL in the calculation because all pages owned by the same e-mail address are thereby given different MicroIDs. This in turn means that pages can't be grouped together, even anonymously, by web spiders. Looked at from this point of view, a MicroID is a salted hash of the e-mail address.

I'm pretty sure that you could do the same job with one or even two fewer hash operations (for example, the URL is known by definition, so hashing it serves no purpose that I can see), but for static pages performance is not a concern. If I was running a large content site with dynamically generated pages, though, this aspect of MicroID might put me off a little.

Note that although a MicroID looks a little like a digital signature (of the URL) it really isn't; in particular, a MicroID can easily be repudiated because anyone knowing your e-mail address can generate MicroID values "for" you and put them on any pages they please. In other words, you can use it to help confirm ownership of something by a claimant, but not to prove ownership by someone who denies the connection.

Generating the MicroID values for blog pages in particular was made simpler for me by Phil Windley's MicroID plugin for Movable Type. I did have to tweak it a little to correspond to the current MicroID spec, as Phil's plugin as distributed generates what is now thought of as a "legacy" format lacking the scheme and algorithm specifiers.
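To make the construction, the third-party check and the legacy/current format difference concrete, here is an added Python example. It is not code from this site or from Phil Windley's plugin; it follows the MicroID spec as I read it (hash the full communication URI including its mailto: scheme, hash the full page URL, concatenate the two lower-case hex digests, hash again), so treat that encoding as an assumption. The e-mail address alice@example.org and the example.org page are constructed sample values, and the sample HTML is built by the script itself so that it is self-consistent.

```python
import hashlib
import re


def sha1_hex(text):
    """Lower-case hex SHA-1 digest of a UTF-8 string."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid_value(comm_uri, id_uri):
    """Inner MicroID value: hash the communication URI (mailto:...) and the
    identity URI (the page URL) independently, concatenate the two hex
    digests, then hash once more.  Assumption: both inputs are full URIs
    including their scheme, as the spec describes them."""
    return sha1_hex(sha1_hex(comm_uri) + sha1_hex(id_uri))


def microid(comm_uri, id_uri):
    """Current format: '<commscheme>+<idscheme>:sha1:<hash>',
    e.g. 'mailto+http:sha1:...'."""
    comm_scheme = comm_uri.split(":", 1)[0]
    id_scheme = id_uri.split(":", 1)[0]
    return "%s+%s:sha1:%s" % (comm_scheme, id_scheme, microid_value(comm_uri, id_uri))


def legacy_microid(comm_uri, id_uri):
    """Legacy format: the bare hash, with no scheme or algorithm specifiers."""
    return microid_value(comm_uri, id_uri)


# Matches the multi-line <meta name="microid" content="..." /> form used on this site.
META_RE = re.compile(r'<meta\s+name="microid"\s+content="([^"]*)"\s*/?>', re.I)


def extract_microids(html):
    """Return every MicroID value declared in the page's <meta> headers."""
    return META_RE.findall(html)


def verify_ownership_claim(html, email, page_url):
    """The third-party check: the verifier already knows the claimant's e-mail
    address, recomputes the MicroID for the claimed page, and looks for it in
    the page.  Both the current and the legacy format are accepted.
    Note this only supports a claim; anyone who knows the e-mail address can
    compute the same value, so a match never proves ownership to a denier."""
    comm_uri = "mailto:" + email
    expected = {microid(comm_uri, page_url), legacy_microid(comm_uri, page_url)}
    return any(value in expected for value in extract_microids(html))


def build_sample_page(email, urls):
    """Constructed sample <head> carrying one MicroID per URL variant."""
    tags = "\n".join(
        '<meta name="microid"\n  content="%s" />' % microid("mailto:" + email, url)
        for url in urls
    )
    return "<html><head>\n%s\n</head><body>sample page</body></html>" % tags


# Constructed sample data (not the author's real e-mail address or pages).
SAMPLE_EMAIL = "alice@example.org"
SAMPLE_URLS = ["http://example.org/", "http://example.org/index.html"]
SAMPLE_HTML = build_sample_page(SAMPLE_EMAIL, SAMPLE_URLS)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", microid("mailto:" + SAMPLE_EMAIL, url))
    print("claim on / checks out:",
          verify_ownership_claim(SAMPLE_HTML, SAMPLE_EMAIL, "http://example.org/"))
    print("claim on /other.html checks out:",
          verify_ownership_claim(SAMPLE_HTML, SAMPLE_EMAIL, "http://example.org/other.html"))
```

The verifier side is deliberately written to accept either format, which is what you need while plugins that emit the legacy bare hash are still in circulation. Including the URL in the inner hash is also what makes the two sample pages carry different values even though they share an owner, which is the anti-grouping property described above.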

Posted by Ian at 12:48 PM

August 21, 2007

"Trust" Bonus Track

I've previously mentioned my Networkshop 35 presentation in Exeter, and the fact that some of the material I prepared went unused because of lack of time.

As an experiment, I've narrated the unused slides and they are now available for download in one of the following formats:

The presentation is a little under 20 minutes long. Please let me have feedback if you find this kind of thing useful, or for that matter if you find my voice too soporific or annoying. I'm considering doing more along these lines, and it would help to know in advance whether I'd be wasting my time.

Gearheads can read on for technical details…


Posted by Ian at 1:15 PM

May 8, 2007

Networkshop 35 Talk

[Photo: View from Networkshop 35, originally uploaded by iay]
I recently attended Networkshop 35 at the University of Exeter and presented a short talk on The UK Federation and Shibboleth: Nuts and Bolts. The idea was to discuss some of the technical challenges involved in the interplay between the UK Access Management Federation for Education and Research and the Shibboleth software, and talk about some future solutions to some of the issues.

As you can see from the integrated slide and video version of the talk available from the conference site, I knew in advance that I'd be short of time so on the day covered only the first two main topics: metadata and discovery.

I didn't want to lose my thoughts on "trust" in the federation context, though, so instead of deleting the slides entirely I left them attached to the published version of the presentation. You can download the slides if you're interested.

The University of Exeter, where Networkshop 35 was held, is fairly photogenic. I've uploaded a few snaps to give the idea.

Posted by Ian at 1:15 PM

March 28, 2007

Federated Access Management Animation

We're moving house at the end of next month. I'm told that the new neighbours have been told that I'm "in computers" and that they are all looking forward to meeting us. Hopefully this doesn't mean they want me to fix their broken Windows machines.

The good news is that if I need to explain what I actually do on the identity side of things, the JISC have just come to my rescue by producing a new animation explaining federated access management. The voice-over is pitched at a fairly non-technical level, and the little animated <Subject>s act out the scenes with a surprising amount of expression and a fair bit of wit. They remind me a lot of the little green guys in Darwinia, in fact.

This is not the sort of thing you'd use to communicate with a techie who wanted to know the difference between Browser/POST and Browser/Artifact, but it's a pretty good introduction to some of the basic ideas for everyone else.


Posted by Ian at 9:02 AM

November 30, 2006

Federations 101

In more UK Federation-related news, I've been invited to give a short presentation next week as part of a panel session at the Fall 2006 Internet2 Members Meeting in Chicago.

I've been asked to keep the impenetrable geekitude down to non-toxic levels by sticking to a description of policy issues rather than implementation and technology. You can get the other stuff from me pretty much any time.

Posted by Ian at 6:10 PM

UK Federation Launched

Today was the official launch of the UK Federation, or the UK Access Management Federation for Education and Research to give its Sunday name. This is a huge deal for everyone involved, myself included: some people have been working towards this point since around 2000 (I'm a relative newcomer, only having put a couple of years into it so far).

In the longer term, this will be a fairly important system for many more people: after all, the UK Federation is a federated identity framework for the whole of the UK education and research sectors, which I'm told involve perhaps 18 million people. If we do our job well over the next few years, though, the best case is that like all good infrastructure it will just sink down below the point where people even notice it. That's a hard job, and we've only just started on it.

Posted by Ian at 5:50 PM

November 13, 2006

PGP/GPG Keys

I generated my first PGP RSA keypair way back in 1993. Some friends and I played around with PGP for e-mail for a while, but at the time few people knew about encryption and even fewer cared: the "no-one would want to read my mail" attitude meant that convincing people they should get their heads round all of this was a pretty hard sell. The fact that the software of the day was about as user-friendly as a cornered wolverine didn't help either.

The PGP software had moved forward a fair bit both technically and in terms of usability (up to "cornered rat") by 2002, when I generated my current DSS keypair. By this time, it was pretty common to see things like security advisories signed using PGP, but only the geekiest of the geeks bothered with e-mail encryption.

Here we are in 2006: I still use this technology primarily to check signatures on things like e-mailed security advisories (I use Thunderbird and Enigmail), but I've finally found a need to use my own key, and it isn't for e-mail.

Over the years, PGP (now standardised as OpenPGP) has become the main way of signing open source packages so that downloaders have a cryptographic level of assurance that the package they download was built by someone they trust. Of course, the majority of people still don't check these signatures but systems like RPM often do so on their behalf behind the scenes.

I've agreed to take on some limited package build responsibilities for such a project recently, so I've installed the latest versions of everything and updated my about page so that people can get copies of my public keys. Of course, there is no particular reason anyone should trust those keys; this is where the web of trust is supposed to come in, by allowing someone to build a path to my keys through a chain of people they trust (directly or indirectly). Unfortunately, my current public key is completely unadorned by useful third-party signatures. If you think you can help change that (i.e., you already know me, already have an OpenPGP keypair and would be willing to talk about signing my public key) please let me know.

Posted by Ian at 12:47 PM

April 30, 2006

Internet Identity Workshop 2006

[Internet Identity Workshop logo]
Phil Windley, Kaliya Hamlin and Doc Searls are running the Internet Identity Workshop 2006 this coming week. It sounds interesting, but Mountain View is a little out of my way.

On the other hand, who can do other than stand in awe in front of the Workshop logo, shown here? A dog, wearing a mask, sitting in front of a computer: perhaps the oldest gag in the digital identity game. I'd say "priceless", but in fact you can buy merchandise.

Posted by Ian at 11:17 AM

November 29, 2005

WAYFs and Discovery

Of course, the real reason I was in Windermere was not to photograph ducks but to present some slides on the discovery problem in Shibboleth. You can download a copy of the presentation "WAYFs and Discovery" here (1.4MB PDF).

The abstract (accidentally omitted from the meeting material) was:

The standard model of Identity Provider discovery in Shibboleth deployments is that of a federation-supplied, central discovery service called a WAYF. Although an essential backstop, this approach has significant shortcomings. We present some recent work in the area of multi-federation WAYFs, and review alternative discovery technologies (both present and future) that allow deployers to improve the user experience.

My co-author Rod Widdowson can be found here.

Posted by Ian at 3:10 PM

October 31, 2005

Virtual Vanity

Every so often I vanity-google my own name, just to see what happens. I'm sure you do the same; who can resist?

I've been the number three "Ian Young" (according to Google) for a while. At number four is a chap at Intel who also shares a middle name with me, although as he apparently has 34 patents and invented the insides of lots of cool things he really by rights ought to be higher. He gets top billing for "Ian Alexander Young", though.

Judging by the logs, some people find it easier to google for "Ian Young" than they do to remember the URL for this site. When looking at the server logs for the last month, though, I discovered that a fair number of people look for "iay" too. I've been using that identifier to log into things since about 1979 and sometimes have difficulty remembering my "human name", but I didn't realise this applied to other people too. Of course, they may have been looking for The Institute for the Study of Antisocial Behaviour in Youth, which comes above me in that search. No, the picture of the antisocial youth on their web site isn't of me.

This is all rather strange but to me the most bizarre thing of all is that my Second Life avatar gets two of the only six hits for "Alexander Daguerre" (with the quotes this time). I suppose if I had thought about it, I could have looked for a combination Google had no record of and had the results page all to myself. How long before people start choosing names for their children that way?

Posted by Ian at 3:44 PM

October 13, 2005

Dick Hardt at OSCON

Speaking of identity, Dick Hardt of Sxip gave a cracking keynote at this year's Open Source Conference.

If you're at all interested in digital identity (and you're not allergic to Larry Lessig's presentation style), I highly recommend taking the fifteen minutes required to watch this. It is very light on technical details, but gets across the critical differences between "old style" digital identity and the so-called "Identity 2.0" systems that are starting to emerge. It even manages to be entertaining while it does so. And the pictures of a Vancouver "Cold Beer and Wine" store bring back memories…

Posted by Ian at 6:05 PM

October 12, 2005

ACLU Pizza

I've been scanning old entries from Kim Cameron's Identity Weblog, catching up on things I missed the first time round. I'm only up to January so far, but there's a lot of good thinking in there as well as links to some gems. One of the things I hadn't seen before is an ACLU advertisement portraying a world in which the local pizza delivery company knows far more about you than they need to.

I find this to be quite a plausible and chilling picture of Identity Gone Wrong, although I'd probably worry more about those in authority having this kind of ability than about the pizza company. I'm sure there are people who would say that such things couldn't happen, and that the ACLU are being needlessly alarmist. However, as you're watching each of Kim's Laws of Identity being broken, it's quite easy to hear someone softly saying "we're doing this for your convenience" or "we're doing this for your security" in the background.

Posted by Ian at 9:08 PM