maandag 11 augustus 2008
woensdag 16 juli 2008
DigitalMe on ubuntu
A few months ago I tried to get the ubuntu community interested in porting an infocard identity selector to ubuntu. No luck since.
By chance I found out that there is progress on the linux front. A month ago the bandit project published a .deb DigitalMe install package for Ubuntu. You can find it at the digitalme download site.
And yes, it works. The package delivers a painless install of the digitalme identity selector. The package adds a DigitalMe entry in the tools section of the applications menu. You can manage you infocards from within the identity selector.
On the digitalme site you can also find a digitalme firefox add-on.
By chance I found out that there is progress on the linux front. A month ago the bandit project published a .deb DigitalMe install package for Ubuntu. You can find it at the digitalme download site.
And yes, it works. The package delivers a painless install of the digitalme identity selector. The package adds a DigitalMe entry in the tools section of the applications menu. You can manage you infocards from within the identity selector.
On the digitalme site you can also find a digitalme firefox add-on.
zondag 29 juni 2008
Identity 2.0 developments
I just learned about the Liberty Identity Assurance Framework project. It seems that there are thoughts about the problem that I described earlier, see my remarks about a trust model for identity providers. The framework consists of an XML schema, that (in fact) describes several standard claims about the use of identity information. You might say, my proposed 'authlevel' and 'authmethod' claims. And the framework states that there is the need for a certification method for websites that deliver identity services.
Problem solved. Or is it? As far as I can see Liberty does mention the certification requirements for identity assurance functions, but I feel that this is not exactly what I wanted, IAF looks like a heavy, perhaps even overweight solution. Pity that there is so little expertise in The Netherlands, or I might have known earlier and perhaps reviewed stuff.
Mike Jones mentions a verified age certification service. This too looks like a promising development. But it demonstrates the problem that I described: who is IDology and what kind of assurance do they provide? Please don't see this as an attack on them, but their verification process is based on accessing public verification information, like name and address. But they don't know me, only the information that I provide, like an address. Unless I'm wrong, this is not enough. The idea of providing assurance for just a limited claimset seems ok, though.
Besides, why should I trust such a third party? It would mean that a service provider/relying party registers IDology on their own 'white list'.
I will look into both developments (there's a lot of information) and report my findings.
Problem solved. Or is it? As far as I can see Liberty does mention the certification requirements for identity assurance functions, but I feel that this is not exactly what I wanted, IAF looks like a heavy, perhaps even overweight solution. Pity that there is so little expertise in The Netherlands, or I might have known earlier and perhaps reviewed stuff.
Mike Jones mentions a verified age certification service. This too looks like a promising development. But it demonstrates the problem that I described: who is IDology and what kind of assurance do they provide? Please don't see this as an attack on them, but their verification process is based on accessing public verification information, like name and address. But they don't know me, only the information that I provide, like an address. Unless I'm wrong, this is not enough. The idea of providing assurance for just a limited claimset seems ok, though.
Besides, why should I trust such a third party? It would mean that a service provider/relying party registers IDology on their own 'white list'.
I will look into both developments (there's a lot of information) and report my findings.
vrijdag 27 juni 2008
Trust model for Identity Providers
A few weeks ago I blogged about the problem of identifying the trust level of an identity provider. See my blogpost earlier. Since, I've been pondering about this problem and discussing it with a few experts.
In PKI the trust problem is solved. There are root-level CA's, who trust eachother by means of cross certification. And that is a heavily secured environment with underpinning contracts, certification schemes and more. Anyway, it means that a certificate holder of one CA, can trust a certificate holder from another CA, even though they don't know eachother.
We can reuse digital identities from one identity provider (be it an OpenId or an Infocard provider), but these digital identities only replace the proprietary userid/password identities at service providers/relying parties. A service provider cannot know if the identity presented is a real or a fake one. Even a 'managed' Infocard has no meaning, because there is no standard way of identifying the real identity. You can't even prove the trust level of an identity provider, leave alone the identities provided.
A service provider could use a white list of trusted IP's, but there goes the openness. Every SP should do it for himself. You could also use federation, but that means making trust agreements between IP's and SP's. But there goes the openness too.
What if we could verify the trust level of an identity provider that we don't know? In that case the identity provider might also provide the trust level of an identity. Was the digital identity proven by means of a official physical passport, or was it only provided through a web form and is the trust level of the digital identity low?
There should be a third party certifying the trust level of Identity Providers. Here's a scenario:
- A user supplies a digitalid to a service provider.
- The SP identifies the IP.
- If the IP is on a certified 'white list' of IP's with a certain trust level, then the digitalid 'inherits' the trustlevel of the IP.
And if the digitalid contains a claim by the IP that the digitalid was provided to a user after validation of an official passport, than you might conclude that the digitalid is correct. The authentication level could be considered High.
So:
- There should be a classification scheme with trust levels (trust high or low, or mayby only just high level IP's)
- There must be a public white list referring Identity providers (and mayby also their trust level)
- We need a 'white list' trust level-protocol that can be used to check the trust level of IP's from a white list provider
- The White list owner needs an accreditation scheme to certify IP trust level (and perhaps we also need an accreditation scheme to certify the 'white list' providers if there are more than just the one white list)
- There should be a standard claimtype that states the authentication level used by the IP (also something like low: no auth, medium: just passport number, high passport presented by subject and a copy archived by the IP).
- There might be a standard claimtype that states the authentication method of the digitalid (also a code like low: userid/password, medium: two factor, high: biometrics)
result:
digitalid by IP1 claims: authclass high, authmethod medium
Check trust level of IP1 (using the trust level protocol)
If the trust level of IP1 is high (it can be found using the trust level protocol), then the IP can be trusted and the digitalid provided by IP1 is valid and can be give the authorisation that belongs to the owner of digitalid.
If the trust level of IP1 is low, of unproven, then the digitalid cannot be trusted, the digitalid should be treated like any userid/password combination.
Perhaps this will mean that a trusted IP can provide several types of trusted digitalids with authlevel low-med-high and authmethod low-med-high at different costs. There must be a business model for this.
Well, I will just keep on dreaming :)
This might be a solution, but I fear that it may take some time and it will cost a lot of money. And perhaps this has already been taken care of. Please let me know.
In PKI the trust problem is solved. There are root-level CA's, who trust eachother by means of cross certification. And that is a heavily secured environment with underpinning contracts, certification schemes and more. Anyway, it means that a certificate holder of one CA, can trust a certificate holder from another CA, even though they don't know eachother.
We can reuse digital identities from one identity provider (be it an OpenId or an Infocard provider), but these digital identities only replace the proprietary userid/password identities at service providers/relying parties. A service provider cannot know if the identity presented is a real or a fake one. Even a 'managed' Infocard has no meaning, because there is no standard way of identifying the real identity. You can't even prove the trust level of an identity provider, leave alone the identities provided.
A service provider could use a white list of trusted IP's, but there goes the openness. Every SP should do it for himself. You could also use federation, but that means making trust agreements between IP's and SP's. But there goes the openness too.
What if we could verify the trust level of an identity provider that we don't know? In that case the identity provider might also provide the trust level of an identity. Was the digital identity proven by means of a official physical passport, or was it only provided through a web form and is the trust level of the digital identity low?
There should be a third party certifying the trust level of Identity Providers. Here's a scenario:
- A user supplies a digitalid to a service provider.
- The SP identifies the IP.
- If the IP is on a certified 'white list' of IP's with a certain trust level, then the digitalid 'inherits' the trustlevel of the IP.
And if the digitalid contains a claim by the IP that the digitalid was provided to a user after validation of an official passport, than you might conclude that the digitalid is correct. The authentication level could be considered High.
So:
- There should be a classification scheme with trust levels (trust high or low, or mayby only just high level IP's)
- There must be a public white list referring Identity providers (and mayby also their trust level)
- We need a 'white list' trust level-protocol that can be used to check the trust level of IP's from a white list provider
- The White list owner needs an accreditation scheme to certify IP trust level (and perhaps we also need an accreditation scheme to certify the 'white list' providers if there are more than just the one white list)
- There should be a standard claimtype that states the authentication level used by the IP (also something like low: no auth, medium: just passport number, high passport presented by subject and a copy archived by the IP).
- There might be a standard claimtype that states the authentication method of the digitalid (also a code like low: userid/password, medium: two factor, high: biometrics)
result:
digitalid by IP1 claims: authclass high, authmethod medium
Check trust level of IP1 (using the trust level protocol)
If the trust level of IP1 is high (it can be found using the trust level protocol), then the IP can be trusted and the digitalid provided by IP1 is valid and can be give the authorisation that belongs to the owner of digitalid.
If the trust level of IP1 is low, of unproven, then the digitalid cannot be trusted, the digitalid should be treated like any userid/password combination.
Perhaps this will mean that a trusted IP can provide several types of trusted digitalids with authlevel low-med-high and authmethod low-med-high at different costs. There must be a business model for this.
Well, I will just keep on dreaming :)
This might be a solution, but I fear that it may take some time and it will cost a lot of money. And perhaps this has already been taken care of. Please let me know.
maandag 2 juni 2008
Trusting cards
A lot of fuss about a claimed hack of Microsoft Cardspace by some German researchers. Microsoft acted quickly and they should, trust is vital. Users have to trust security measures before they use them. And they should understand why and how these measures work.
Glad that the matter of the hack is solved. But there is still the problem of users who are not aware of the why and how.
Glad that the matter of the hack is solved. But there is still the problem of users who are not aware of the why and how.
donderdag 15 mei 2008
The Hague Declaration
Andy Updegrove just mentioned this initiative. So being a firm believer in Open Everything, I just signed this petition.
Have a look en feel free to add your name to the form too.
Have a look en feel free to add your name to the form too.
woensdag 9 april 2008
Trust level Identity Providers
I would like my company to use infocard with claims as an identification/authentication method for customers and personnel, even as an authorisation scheme. We are a relying party, mapping claims to user authorisations in our information systems. But what is the level of trust of an infocard that's presented by a user.
In order to verify an on line identity, a relying party will validate the supplied digital identity (infocard) and check claims.
A relying party can distinguish managed cards from self issued cards. That way an IP can identify trusted (managed) identities from untrusted (self issued) identities. These identities in fact obtain the same level of trust as userid's and passwords, very little trust.
But, can a relying party distinguish between identity providers that supply managed cards? I have not yet found information on this matter, still studying. Unless there is a standard 'Identity Provider trust level' definition, every 3rd party IP is alike. Every IP could give out the same claims. But some claims are more valuable than others. Some can be trusted, where others cannot.
If there were a standard 'Identity Provider trust level' definition, such a mechanism should be certified. An Identity Provider could than demand proof of the trust level of identity providers.
Besides there should be several standard claims about the authentication method used at issuing. Face to face, physical passport used, digital passport used. That way we can identify what rights we can assign to a user, based on the trust level of his digital identity and on the authentication method used for presenting the infocard.
We might even become an Identity Provider ourselves, issuing valuable digital identities (infocards of course). But in order to do that, we must know how to make our digital identities standard trusted identities, that cannot be mistaken for digital identities issued by less trusted Identity Providers.
In order to verify an on line identity, a relying party will validate the supplied digital identity (infocard) and check claims.
A relying party can distinguish managed cards from self issued cards. That way an IP can identify trusted (managed) identities from untrusted (self issued) identities. These identities in fact obtain the same level of trust as userid's and passwords, very little trust.
But, can a relying party distinguish between identity providers that supply managed cards? I have not yet found information on this matter, still studying. Unless there is a standard 'Identity Provider trust level' definition, every 3rd party IP is alike. Every IP could give out the same claims. But some claims are more valuable than others. Some can be trusted, where others cannot.
If there were a standard 'Identity Provider trust level' definition, such a mechanism should be certified. An Identity Provider could than demand proof of the trust level of identity providers.
Besides there should be several standard claims about the authentication method used at issuing. Face to face, physical passport used, digital passport used. That way we can identify what rights we can assign to a user, based on the trust level of his digital identity and on the authentication method used for presenting the infocard.
We might even become an Identity Provider ourselves, issuing valuable digital identities (infocards of course). But in order to do that, we must know how to make our digital identities standard trusted identities, that cannot be mistaken for digital identities issued by less trusted Identity Providers.
Abonneren op:
Posts (Atom)