January 12, 2012

Just My Type

Santa was good to me this year, and brought me a copy of Just My Type: A Book About Fonts, by Simon Garfield.

If you've ever had a copy of the Letraset Catalogue on your shelf, or know what (rather than who) Arnold Böcklin is and can recognise it in the street, you'd enjoy reading this. If you can instantly tell Helvetica and Arial apart based only on their respective lower-case 'a's, it might be a bit simplistic for you.

A word to the wise: skip the chapter on Eric Gill's personal habits. No Wikipedia link for that one.

Posted by Ian at 4:43 PM in Books

October 11, 2011

Google+

I've been pretty disappointed by social networking "products" up to this point. I do use Twitter once in a while, but it's pretty ephemeral stuff. I think that's fine, it means I don't have to worry about missing anything.

When I was very young and naïve, I thought Facebook looked pretty interesting. In practice, the level of sheer malevolence displayed by the company and its founder has stopped me from using it for anything other than keeping up with the family.

Ever hopeful, I now have a presence on Google+. It's possible that this new service will end up as malign as Facebook, but for now at least I feel much less like I am being packaged up and sold as product. It seems, really, like a social network done right.

All that seems to be missing is the people.

Posted by Ian at 9:19 AM in Identity

March 27, 2011

The Avant Cellist

I stumbled upon the music of Zoë Keating (specifically, Tetrishead) some years ago in, of all places, an early Dawn and Drew podcast. The latter fell victim to my "unsubscribe from one thing every week" rule four or five years ago, but I come back to this hypnotic music again and again.

You should, of course, run out and buy all of her music directly from her web site in order to increase the likelihood that we'll all have more to enjoy in the future. The thing that prompts this post, though, is a short documentary film. It was made by Intel as some kind of advertising ploy for a semiconductor product that they happen to manufacture, but thankfully that's not too blatant and the film is well worth its six minutes. The soundtrack is superb, as you might expect.

Posted by Ian at 12:07 PM in Miscellanea

January 3, 2011

New Roots

I run a simple X.509 Certification Authority for internal systems, and certain external systems used by clients (the majority of external systems use commercial certificates). From 2011-01-02, this CA will use a new root certificate:

The SHA1 fingerprint for this certificate is:

  • 34:6E:CB:19:25:15:E7:94:ED:AF:A4:F1:C4:79:BF:92:C5:8B:3C:D5

For reference, the previous root certificate is here:

The last certificate issued under the old root certificate expires on 2011-01-23.
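One way to check a downloaded root certificate file against the SHA1 fingerprint published above. This is an added example, not code from the original post; the sample PEM is constructed placeholder bytes rather than the real certificate, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

# SHA1 fingerprint published in the post above for the new root certificate.
PUBLISHED_SHA1 = "34:6E:CB:19:25:15:E7:94:ED:AF:A4:F1:C4:79:BF:92:C5:8B:3C:D5"

# Constructed sample: base64 of the placeholder bytes b"abc", NOT a real
# X.509 certificate. A fingerprint is a hash over the raw DER bytes, so the
# check works the same way on any PEM-wrapped content.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def normalise(fingerprint: str) -> bytes:
    """Accept 'AA:BB:..', 'aa bb ..' or 'aabb..' and return the raw digest."""
    raw = bytes.fromhex(re.sub(r"[:\s]", "", fingerprint))
    if len(raw) != hashlib.sha1().digest_size:
        raise ValueError("not a SHA-1 fingerprint")
    return raw


def der_blocks(pem_text: str) -> list[bytes]:
    """Decode every CERTIFICATE block in a PEM file or bundle to DER bytes."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the whole DER encoding, as colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def matches_published(pem_text: str, published: str = PUBLISHED_SHA1) -> bool:
    """True only if the file holds exactly one certificate with that digest."""
    certs = der_blocks(pem_text)
    if len(certs) != 1:
        return False  # a bundle or an empty file is not "the" root certificate
    digest = hashlib.sha1(certs[0]).digest()
    return hmac.compare_digest(digest, normalise(published))


if __name__ == "__main__":
    print(sha1_fingerprint(der_blocks(CONSTRUCTED_PEM)[0]))
    print("matches published root:", matches_published(CONSTRUCTED_PEM))
```

The comparison is only meaningful if the published fingerprint was obtained over a channel independent of the one that delivered the certificate file.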

Posted by Ian at 1:15 PM in Security

December 2, 2010

Surviving Interfederation

Please do not take photos with hats on

I gave a presentation to FAM10 back in October in Cardiff, in the "Not for the faint hearted" session. You can download the slides as a PDF file from the illustration on the right.

My working title was "How to Survive the Coming Zombie Apocalypse", but the presentation was really about how to survive the transition from cozy local federations to federated operation in the global internet. Whether that looks like a scary prospect depends, of course, on how conservative you've been to date: UK federation recommendations have always emphasised the difference between technical trust and behavioural trust, and the talk goes into some detail on this topic.

Understanding trust allows you to protect yourself against the zombie hordes (sorry, I mean "entities not bound by your local federation's behavioural norms"). The other topic covered in detail is how to benefit from interfederation by making sure that you're running software capable of interoperating widely.

Posted by Ian at 11:58 AM in Identity

September 29, 2010

BEER

BEER is the current attempt at a decent acronym for a new service in the federated identity space. BEER stands for [Bunch|Bucket|Bag] of End Entities Registry, and you should be profoundly glad we didn't go with any of the earlier names.

You can find out more about it at the project's wiki; Nicole Harris has a pretty good summary of the idea and what it might mean.

One thing that seems to be confusing people about BEER is that it's easy to make the assumption that it's trying to be a federation along the lines that we have at present, just with less strict membership rules. I'm not saying that such a thing wouldn't have a use (TestShib has been very useful for many people, although it leans so far towards openness that some would argue that it falls over), but this is not what BEER is about.

It's probably more helpful to look at BEER as a new kind of thing, an independent registrar of metadata. Its job is to assure the authenticity of the metadata it publishes (in terms of establishing that the metadata for an entity has a connection to the owner of the associated domain) without attempting to make guarantees about any of the things you might later layer on top of that "technical trust". As such, it's aiming to be a component in an overall trust framework rather than a complete solution in the way that many of the existing federations see their role.

Whether such a service has a long term role to play depends on whether the various existing federations start to converge in terms of their view of their own roles, and of course whether that convergence is in the direction of monolithic trust or in the direction of separation of the different trust components. Both approaches have supporters, of course, and we'll just have to see how things work out. It will be obvious from previous posts that I'm in the "separate the concerns, behavioural trust is end-to-end" camp, which I'd broadly characterise as the design we chose for the UK federation, and which I think has worked out pretty well in that community.

By coincidence, I'll be talking at FAM10 next week about how to survive a scary post-apocalyptic future in which not all UK federation metadata originates from the federation's own members, and BEER will certainly be on the agenda. As will beer, of course, although probably not during the talk.

Posted by Ian at 12:22 PM in Identity

June 25, 2010

Bureaucracies and Thermodynamics

Another eternal principle, well put:

Bureaucracies temporarily suspend the Second Law of Thermodynamics. In a bureaucracy, it’s easier to make a process more complex than to make it simpler, and easier to create a new burden than kill an old one.

[from The Collapse of Complex Business Models by Clay Shirky]

Posted by Ian at 10:50 AM in Humour

May 19, 2010

How Many Elephants?

I've been thinking a fair bit these last few months about the notion of misaligned incentives. Both professionally and in the public policy sphere, people optimise for what's best for them individually; if you want a particular outcome, you need to make sure that everyone involved has an incentive towards making that outcome a reality.

I recently came across this perfect expression of the idea, which I pass along here without further comment:

It's true: never let the guy with the broom decide how many elephants can be in the parade.

[Merlin Mann said that.]

Posted by Ian at 4:28 PM in Humour

May 17, 2010

Free Cake: Not a Lie

This was a triumph.

I'm making a note here: "Huge Success".

Portal is free for the next few days, on both PC and Mac.

If you've never played it, Portal is pretty hard to describe. Instead, I'll just direct you to the trailer.

Posted by Ian at 11:22 AM in Humour

January 18, 2010

E-mail Certificates

The Thawte Web of Trust, for which I was a fairly junior notary, was shut down recently. This included revoking all existing certificates back in November, at least according to Thawte's FAQ on the closure. Amusingly — but perhaps not surprisingly to anyone familiar with the area — I've had to date precisely no queries relating to my continued use of the supposedly revoked personal e-mail certificate.

The only other S/MIME certificate authority I'm aware of that does Web of Trust type identity validation is CAcert; unfortunately their root certificate isn't trusted by most browsers and e-mail clients and until that happens (if it ever does) I can't recommend them as a replacement. Similarly, the lack of built-in PGP/GPG support in current mail clients rules that system out for most people.

If you had a Thawte S/MIME e-mail certificate, you may have been able to trade it in for a 1-year equivalent from VeriSign free of charge. Unfortunately, after the first year it looks like VeriSign charge $19.95 per annum even for a "persona not validated" certificate, which doesn't sound to me like a lot of bang for your buck.

One alternative for the cost-conscious is Comodo's Free Secure Email Certificate product. Again, this is "persona not validated" but should be sufficient for most uses and you can't beat the price.

Posted by Ian at 12:21 PM in Identity