Posts filed under ‘Info_Cards’

Worth keeping an eye on…

… how the Identity Governance Framework (IGF) continues to evolve. There’s a recent Liberty webcast by Phil Hunt of Oracle, “New Standards to Protect Privacy Through Governing Policy”, that gives a good feel for the state of play.

… how CardSpace and U-Prove integration pans out. Paul’s conjectured integration is food for thought. So is the comment to his post by Christian Paquin (now part of Microsoft’s Identity and Access Group) that “One design goal (at least, for me) will be to minimize the integration changes for all participants involved in the data flow.”

… how identity-based encryption continues to progress. Interesting article in The Register about a research paper released at the Eurocrypt 2008 conference describing a new cryptographically strong “primitive” that advances functional encryption. Functional encryption tries to simplify things over PKI by allowing data to be encrypted using attributes directly tied to the recipients.

… the fascinating discussions at Liberty’s Privacy Summit. An interesting recent presentation by Sun’s Robin Wilton is a good example, giving an overview of the ‘Ladder’, ‘Onion’ and ‘Silo’ models.


April 24, 2008 at 9:40 pm 3 comments

Privacy and government as a Justifiable Party

In response to my post When is government a Justifiable Party? Kim Cameron expressed some concerns. In summary, these were creating an attractive target for hackers; the collapsing of “previously independent contexts together”; “minimize disclosure and aggregation of information”; and, finally, Kim’s opinion that he “wouldn’t touch this kind of challenge without Information Cards.”

I need to first clarify that, as Kim pointed out, this is a personal blog. The official position remains that igovt services are for the use of people and organisations interacting with government.

Issues that may arise if igovt services are extended to the private sector are being considered. These issues include thinking about whether government is a justifiable party or not in such transactions. A final recommendation to government will only be made after thinking this through and a further Privacy Impact Assessment (PIA) looks at all the issues and mitigations proposed.

It’s important to keep in mind the context. We are talking about the dangers of social networking where sites such as Facebook and Bebo are unwilling and unable to do their bit in keeping our kids safe online. It is important that responsible people try to work out a solution that works for both these websites and their customers.

Kim makes some good points which, thankfully, have already been considered.

The most important architectural consideration is that igovt splits identity verification (who you are) from authentication (your online activities) into two separate services run by two different government departments. The first is provided by the proposed Identity Verification Service and the second by the Government Logon Service using pseudonymous identifiers.

This has the additional benefit of providing protection from hackers. Guaranteeing a hacker will never get through an online service is impossible. Instead, in addition to data encryption, splitting data into silos such that no single breach, external or internal, results in getting all the information is a sensible design approach. In fact, this is precisely the “very distributed, encrypted information storage” that Kim advocates.

Another important part of defence-in-depth is to minimise the amount of data stored. In the case of the Identity Verification Service, it is restricted to four identity attributes: name, date of birth, place of birth, and sex. I’d expect private businesses (including social networking sites) to use the identity verification as a one-off and not the authentication component to log on a person each time they access the online service. This hardly qualifies for Kim’s description of “handling ‘digital explosives’ of a greater potency than has so far been the case anywhere in the world.”

Next, the collapsing of independent contexts. On the contrary, we aren’t looking at collapsing contexts. Indeed, if anything, context separation is strengthened by the use of service-specific identifiers. The Identity Verification Service creates a persistent, meaningless identifier per service to avoid data sharing by Service Providers even if they collude. This is somewhat similar to the Austrian ID system.
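The service-specific identifier idea above, as an added sketch that is not igovt's implementation: it assumes identifiers are derived with HMAC-SHA256 from a secret held only by the Identity Verification Service. The key, service names and internal person references are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the verification service holds one secret key that never
# leaves it. Generated fresh here; key storage is out of scope.
IVS_KEY = secrets.token_bytes(32)


def service_identifier(key: bytes, person_ref: str, service_id: str) -> str:
    """Derive a persistent, meaningless identifier for one person at one service.

    Length-prefixing each field stops ("ab", "c") colliding with ("a", "bc").
    """
    msg = b"".join(
        len(part).to_bytes(2, "big") + part
        for part in (service_id.encode(), person_ref.encode())
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def colluding_overlap(ids_a: set[str], ids_b: set[str]) -> set[str]:
    """What two Service Providers learn by comparing their identifier lists."""
    return ids_a & ids_b


# Constructed sample data: internal person references and two services.
PEOPLE = ["person-0001", "person-0002", "person-0003"]
SOCIAL = {service_identifier(IVS_KEY, p, "social-site.example") for p in PEOPLE}
BANK = {service_identifier(IVS_KEY, p, "bank.example") for p in PEOPLE}

if __name__ == "__main__":
    again = service_identifier(IVS_KEY, "person-0001", "social-site.example")
    print("persistent at one service:", again in SOCIAL)
    print("shared identifiers across services:", colluding_overlap(SOCIAL, BANK))
```

The same three people appear at both services, yet the two lists have no identifier in common; only the holder of the key can relate them, which is the Identity Provider question taken up next.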

This then leaves Identity Provider collusion. Kim places his faith in technological solutions such as U-Prove and Idemix. On this, I differ with Kim.

Protecting and enhancing the underlying trust relationship between people and government is too important to rely on technological solutions alone. Sure, good technology is vital but, in my opinion, needs to be complemented by other instruments: oversight, independent assessments by experts, public consultation, policies, designing in privacy (such as separation of identity and authentication as well as use of service-specific identifiers) and, last but not least, legislating the privacy protection.

For example, the power of choice is at least as important as getting the technical solution right.

I think Information Cards are really good, hence my mixed reaction to Microsoft’s acquisition of U-Prove and my exchange with Kim about continuing to make U-Prove widely available. But to think that technological solutions alone, no matter how great they are, can, in themselves, provide adequate trust in government is simply unrealistic.

Constructive criticism is a positive thing: it makes good things better. However, it requires people engaged in the debate to take the effort to fully understand what’s being discussed. In the spirit of promoting this, I invite interested people to take a look at the presentation I did in September last year at the Technology and Privacy Forum hosted by the Office of the Privacy Commissioner, New Zealand, which describes both the big picture and the detail of privacy protection.

As a final word, as you’ll see from slide 15 of the presentation, the one thing that I do agree with Kim on is that the laws of identity are applicable!

April 7, 2008 at 11:11 pm 4 comments

BC & NZ: Info Cards & Liberty Specs

As the last post for the year, there was a temptation to look back and reflect on the past year. All that changed after I heard a recording of Jon Udell interviewing Dick Hardt in IT Conversations. It made me realise how the real opportunities and challenges lie ahead of us, not behind.

In the interview, Dick talks about the work being done for the Government of British Columbia, Canada (BC) to develop a claims-based identity metasystem. Essentially, the work is an Identity 2.0 and Info Cards rendition of traditional government to people interactions.

New Zealand’s approach, GOAAMS delivered under the “igovt” banner, is perhaps best understood from the 2007 IDDY Award webcast. Both the slides and the webcast recording (needs WebEx Player) are now available.

The drivers that Dick articulated for BC are the same for NZ:

– better service delivery that requires information held across various government departmental and organisational silos to somehow be brought together in a secure and privacy-protective manner; and

– giving citizens better access to the information held about them by government.

However, the implementation paths are different. The BC project is based on Info Cards while the NZ one will probably go down the Liberty Alliance’s specs path but allowing Info Cards as an optional UI.

One thing everyone will agree with is that both implementation paths have their own pros and cons. Over time, hopefully differences will not matter too much but given the current state of interoperability, they do. And that translates into substantial differences in architecture, customer experience, the “mental model”, requirements on information providers, ability to join up service delivery, and the uptake strategy.

While the similarities in outcomes between the BC and NZ approaches are important, it is the differences in implementation that provide a great insight into the opportunities and challenges for both governments. Work on comparing and contrasting the two should throw up areas that both governments need to consider in their respective efforts.

To me, that is a very important piece of work to do next year.

In the meantime, it’s time to get the barbie (BBQ) going and break out the beer. I hope you have a great holiday and, like me, come back refreshed and ready for a cracker year ahead.

December 21, 2007 at 8:39 pm 1 comment

NZ: CardSpace – SAML interop

One of the two new projects that the Microsoft New Zealand Innovation Centre is funding involves integration of Windows CardSpace with SAML 2.0.

The project is to make the Authentication Programme’s all-of-government shared services, called “igovt”, accessible via CardSpace. According to Microsoft, “this technology will enable users to safely provide their digital identity to online services.”

Working on the project will be Microsoft’s Mark Rees together with Kiwi IT firm Datacom over the next four months. Igovt is based on SAML and the Microsoft-funded project will go some way in implementing CardSpace-SAML interoperability.

CardSpace and igovt make a great combination.

CardSpace provides an intuitive and natural user interface for people to manage their identity and authentication to online services. As CardSpace (and other identity selectors) progress towards the tipping point and CardSpace itself gets refined, a new paradigm for accessing secure online services is brewing.

On the other hand, igovt provides people with the option to verify their identity to NZ government agencies, online and in real-time, to a high level of confidence. In addition, igovt lets people use a single logon (password, token, etc.) to access all online government services. All of this with the highest levels of privacy protection.

When people verify their identity, one of the core design principles of igovt is for people to fully understand and view what identity information is being sent to the agency (Service Provider). In addition, active consent is a critical element of privacy protection. Currently this requires a browser re-direct to the igovt website, something that CardSpace will admirably eliminate, without any reduction in user control or privacy protection.

December 3, 2007 at 10:02 pm Leave a comment

Concordia & interoperability

I was looking at the meeting notes from the Concordia workshop held last month in conjunction with Digital ID World. It’s clear that the project is gathering momentum.

The areas that were identified as A-priority tasks represent some major issues facing deployers and are worth listing (details are available in the meeting notes):

  • WS-Federation/SAML
  • Infocards/SAML
  • IdP discovery
  • WS-Federation/SAML metadata lessons
  • WS-Federation/SAML metadata distribution and lifecycle
  • Interop endpoints

Already there has been some progress in the telecon of 9 October. So, for people interested in interoperability issues, it’s worth keeping an eye on the work.

A colleague presented a use case at the September workshop covering the work being done in New Zealand. One of the interesting things, from my perspective, was to see how the roadmap has evolved to cover a wider range of identity attributes with a parallel increase in the use of the Liberty Alliance specs.

I thought the final slide was interesting as it examines the case for convergence over interoperability. Both Concordia and the industry in general have settled for interoperability but my colleague made some excellent points about why the goal of convergence still remains important to deployers:

  • “Interoperability solves a business problem today, but…
    – Ongoing fight against divergence
    – Requires Interop elements (explicit or implicit)
    – Creates future work to manage
    – Difficult to manage across organisational boundaries
  • Convergence prevents business problems tomorrow…
    – Simplicity”

Having said that, it’s probably fair to say that out-of-the-box interoperability between identity protocols is a difficult enough (but worthy) immediate objective.

October 18, 2007 at 8:47 pm Leave a comment

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.