So, the long family vacation has been on for over 2 weeks, and it really feels good to unwind a little. We started on Big Island, went on to Kauai (where I got - after 28 years of planning on doing this - my diving certification with KAS^[1]), and are now on O'ahu. The differences between these islands never cease to amaze me. Here are a few pictures that we have put up so far:


Snow and Telescopes on Mauna Kea


The evening view from our balcony on Hawai'i


Me after hiking to the top of the dormant Pu'u Huluhulu


Sunset on Kaua'i on Turkey Day


Waimea River Canyon

[1] My experience with KAS was really superb. I had Damion McGinley as my instructor - he was fun and relaxed, but still made me go through alll the drills over and over again. One of the best things was that he knew the area and the aquatic wildlife quite well, so I got to see many critters and turtles.

Over the next few weeks blogging will be light, since I am traveling. I hope to be back to here for IIW...

Mike made a very good remark on the OSIS General mailing list that seems relevant to the discussion between Pam, Paul, and myself about assurance in distributed security:

There's a reason that self-issued cards didn't provide any ability to transmit a credit card number or national ID number. The good news is that Identity Providers sending such sensitive information are likely to not be willing to transmit it to relying parties they don't have a business relationship with. Once you're using managed cards for payment rather than typing credit card numbers into web forms, you'll definitely have additional layers of protection working for you. [...]

I fully agree with Mike here: as fas as I understand, Mike is describing the IdP deployment model that Paul and I have been championing over the use of self-asserted cards for sensitive attributes.

tag: assurance, identity, cardspace

Paul found an "periodic" table of data visualizations, which is quite nice in its own right (Paul: I think I have seen a knowledge map of the identity landscape some time ago). But I certainly prefer this "periodic" table of ... beers (hmmm).

tag: humor, beer

Through Nico Williams a real interoperability story:

Alan Wright reports that the Solaris team recently completed the Solaris kernel CIFS service. That's right: CIFS (i.e. Windows networking) is now on par with NFS and other kernel-level system services. To be able to achieve this goal, the Solaris folks had to create some really innovative pieces of technology:

• To allow Windows style SIDs in the process credentials, they are now allowing negative and ephemeral UIDs and GIDs.
  
• ZFS now supports all kinds of DOS attributes and full NTFS ACLs, i.e. ordered ACEs with SIDs.
  

All persistent data (like filesystem records) are dealing with actual SIDs, while non-persistent kernel and memory objects are using the ephemeral negative UIDs. The later are not stable across a reboot, but an ID mapping daemon performs the necessary translation between the SID and its UID.

With this new technology on the horizon, my new home project on a Solaris storage appliance for the basement ("Codename Filer") looks brighter than ever ...

tag: interoperability, cifs, solaris

... that I will not let anybody break my windows - also, they seem to be a little stronger than the Jones' windows, at least the big one in the spotlight.

In the latest round, Pamela explains how a particular authentication should be considered to have a particular level of assurance. Paul takes the time to address some of the issues Pamela raises, but before we loose track of where we started, I would like to point back to the initial discussion between Pam and Paul:

Paul wrote:

In discussing Cardspace's relaxation of the SSL requirement for RPs, Pam writes

We now theoretically will have three different assurance levels going, based on three different ssl certificate levels (no certs, regular certs, and HA certs).

For there to be 3 Cardspace assurance levels would imply that the LoA is the same for self-asserted and managed cards. Is this the case?

Pam originally thought about three levels of assurance that were bound to the level of the certificates: none, regular, EV^[1]. Paul noted that the level of assurance depends on a number of factors, with technology and deployment architecture only having a small part in this. Paul and I then tried to elaborate in more detail how technical and non-technical factors affect the assurance an user and a RP can place into the transaction.

The reason I started this discussion was that - in my mind - the security certificate used in a particular authentication or authorization transaction is essentially only one reputation factor: by wielding an SSL or EV certificate you demonstrate that a particular company (the CA) thinks that you are who you say you are. This certainly affects assurance, but - by itself - it is rather useless.

The identity provider model (which derives from the mutual trust model in Kerberos) adds a very significant layer to the assurance model: It goes beyond the generic assurance by e.g. a CA by offering information (authentication, attributes) about a particular group of users - the IdP is by far more specific than the CA. Additionally - as Paul points out - a trustworthy IdP is typically a company with deep pockets - someone a RPor an user can sue for damages if something goes wrong. Note that the Windows CardSpace system support such an IdP deployment by using managed cards with Issuer policy. I expect this to be the default deployment for CardSpace, if it gets selected by large organizations.

Self-issued cards or managed cards from any IdP (the OpenID model) do not offer the comfort of sueable deep pockets to the RP. A RP that trusts an authentication that is done by anyone but himself will find himself in a rather dangerous situation: if something goes terribly wrong (e.g. some nasty mal-ware rootkit stole my self-asserted cards along with usage logs and sent them to a criminal for use with my bank) the burden is then on the RP to prove that the authentication token it received did not originate at my Windows CardSpace client, but at the criminal's computer. In an IdP model this burden is with the IdP^[2].

Thus with all respect to Pam's critique, I do have to insist on my original point: the technical factors (like an EV cert or lack thereof) play some role in the level of assurance, but only to establish a baseline. What allows RPs and their customers to truly trust in an identity system are the deployment parameters (including such "mundane" but at least equally important things as e.g. physical security), and - most importantly - the established mechanisms of society for enforcement, arbitration, and liability management.

tag: assurance, cardspace, identity

[1] By the way: the recognition that different types of security certificates might even on influence the assurance you have about a transaction invalidates Ben Laurie's argument that third parties do not add additional assurance.

[2] If I were a cynic, I'd might come up with this argument: Since there is likely a contract between a RP and an IdP, and the IdP has all kinds of lawyers working for them and an interest in precting itself and its users (to a degree), the RP would actually be much better off with self-issued cards: if something breaks, the RP can

• blame the end-user about their lack of security precaution and sue them for negligence,
  
• rest assured that no large number of lawyers will counter-sue them,
• offer the end-user a token of reparations ("We will cover 50% of your losses") and earn tons of goodwill for marketing purposes.
  

Fortunately, I am not a cynic.