Writing blog posts is not business as usual. Most posts take a while to get published. And since I have to do more work and write some more pieces for the Dutch information security magazine, this blog gets less attention than I had planned.
A new tool on my Nokia N900 smartphone (great little device) might make writing small posts easier. Perhaps I can create a few smaller blog posts that take less research and pondering. This is the first try...
Thursday 24 February 2011
Tuesday 27 October 2009
Stork and other assurance frameworks
As I wrote earlier, I am involved in the Dutch OpenID.nl+ initiative to help grow the acceptance of OpenID (and to a lesser degree Information Card) in The Netherlands. Within the initiative, Identity Providers and Relying Parties define an interoperability standard whereby Relying Parties can rely on digital identities from Identity Providers, based on the level at which the participating Identity Providers have verified the identity attributes. RPs can authorize users based on the verification information in the claims.
The Trust Framework is based on the assumption that trust derives from the reliability of the identity provider (including the reliability of the identity provisioning process) and from the reliability of the use of a digital identity. That means there are two parameters: trust in the identity as verified by the identity provider, and trust in the use of that identity by the individual owning it (proof of possession). IdPs must adhere to a certification scheme to prove their reliability. The OpenID.nl+ initiative manages the white list of trusted IdPs.

International developments like STORK also define authentication assurance levels, but those levels combine identification (by the IdP) with the method of authentication (by the user, proving possession of the credential). The resulting assurance level is the product of a mix of both parameters.
The strange issue is that, for certain levels, a low level of trust in the identification process can be compensated by a strong form of authentication. So QAA2 can be the result of accepting an identity that is hardly verified by the identity provider, as long as a one-time password is required. That would mean that the IdP may not really know the individual who was issued the digital identity, while you do know for sure that the user of the digital identity is its rightful owner. Someone logging in as Mickey Duck may not really be Mickey Duck, but he is the rightful owner of Mickey Duck's digital id.
In the OpenID.nl+ initiative the net effect may be the same for most combinations, but the vision on trust is more distinct and the implementation offers a lot more granularity (because of the trust model), although implementing that granularity is not yet part of the roadmap.
In my opinion you shouldn't require a combined assurance level, but you should demand a certain level of trust in the ownership of a digital identity and a certain level of trust in the use of that digital identity.
I will probably get this all wrong, since this model is widely accepted, but then again, maybe I'm not.
Thursday 10 September 2009
Open Trust Frameworks for Open Government
As I wrote earlier, the biggest problem in the identity 2.0 space is the absence of trustworthy public Identity Providers. I called for a trust framework that would enable differentiation in trust levels between identity providers. Of course that requires some major party to define the standards.
There is some great news about the development of a standard trust framework for identity providers. Initiated by the US Government, the Open Trust Framework for Open Government was formed. A White Paper describes the methods.
There are other initiatives, like the Dutch OpenIDPlus. Let's just hope that these initiatives will converge into an interoperable international standard.
Labels: identity, information card, open standards, openid, trust level
Wednesday 26 August 2009
Facebook game review Spymaster
After playing Mafia Wars for a few weeks, I accepted an invitation to join Spymaster. Spymaster is all about the spying game: you're a secret agent (either Russian, American or British) doing jobs and killing enemies. Here too you get energy and health, which grow over time, and use them to do tasks and attack other agents.
Gameplay is easy. Energy permitting, you select a task and do it. By doing a task you earn more or fewer experience points, depending on the outcome of the task. When you have enough XP you enter a new level and unlock more jobs and adversaries of your level.
You also earn money, which you can use to buy stuff: weapons (to gain more attack or defense power) and safe houses (to earn a steady income).
After playing for a few days, I decided to stop playing the game. It was boring. Every level you would do a task and succeed or not. You would injure an enemy or not. The 'or not' part was too big for me to enjoy the game. Due to the random results, buying weapons and attacking lesser agents seemed to make no difference. I lost some fights and I never understood why. Probably I'm not a spy.

The gameplay was unrewarding.
The game looked complex. There are spies and spymasters in 'rings' and I never found out how people came to belong to my ring, or how many spymasters were on my side.
The atmosphere in the game was not great. The text mode screen lacked any visual clue about actions or status. Just plain white on black. The only nice feature was the intermezzo while waiting for the results of a fight: gunshots or an animation of an agent on screen. That's about it.
It's a great way to gain plenty of followers on Twitter. I did connect my Twitter account to Spymaster, and status messages were converted to tweets. Nice if you need followers.
Facebook game review: Mafia Wars

A smart game, quite addictive. The first levels are mastered by doing Jobs, like 'Auto Theft' or 'Recruit a Rival Crew Member'. You need enough energy to do a job, and energy just grows over time (depending on the type of character you choose up front). A job gives you hard cash and experience points. The cash can be used to buy weapons or property. That's the second dimension of the game: buy property and protect it from being robbed by the mob.
And of course there's a third dimension: you can attack and rob others. That takes health and stamina, and enough attack and defence power to beat the enemy.
You join the game by accepting an invitation. That is important: you belong to the mafia of the friend who invited you, and your friend belongs to your mafia. Both players and both games are independent, but you can interact by giving gifts to the members of your mafia. Gifts like weapons, loot items (I received a Rembrandt painting), or energy. And you can help one another by doing jobs, thereby earning money and so on.
After you have learned to play the game in New York, you can move on to Cuba. Same kind of play, but it feels a bit different, in a different atmosphere. Well done.
So far the game. And does it work?
Yes, it's addictive. The first levels are mastered quite fast. But later on you will find that choices made earlier have an effect later in the game. If you decide to buy a lot of attack power, your energy will grow slowly, so you can do jobs less quickly. Growing a mafia family is also very important. A large family gives a lot of power, and you'll need that.
Higher levels are reached less easily, at larger intervals, but with greater rewards. This game requires some strategic thinking on the part of the player. Plain luck is just a small factor.
Overall, playable until all levels are mastered, but I haven't got there yet...
Something different: Facebook game review
If you're on Facebook, you must have noticed invitations from friends to join them in an online game. A few weeks ago I decided to take part in a few games; what use is a game if you don't play it?

So I became a member of a mafia family in the Mafia Wars game. Later I got involved in Spymaster and lately I have been running a farm in Farm World.
What they have in common is how a player can grow from easy challenges to harder challenges, which get unlocked once a level is mastered. A level is mastered after a number of experience points is reached. The first levels are reached quite fast. You win points, buy stuff and play with or against other players, whom you may not even know.
These games run on top of Facebook, so they use Facebook's knowledge of your friends network. And one problem may be that, in order to play harder levels, you will accept invitations from other players that you don't know. They will join your Facebook network too. Beware of this risk!
I will post a few game reviews in the next few days.

Saturday 20 June 2009
Jim Harper and identity claims
The best book about identities that I read is Identity Crisis by Jim Harper. After you read the book, please come back and check this concept:
A digital identity is issued by an identity provider. The relying party has to be able to interpret the data in order to act on it. Important information is the trustworthiness of the identity provider (its trust level). But just as important is the trust level of the identity information itself. An identity provider can issue digital identities based on a visual verification of a person, but also based on nothing more than an email address. The IdP may be trusted, but the value of an identity based on visual verification is different from that of an identity based on email verification.
Identity Providers should add this value of the identity to the digital passport: a claim should be used to differentiate the identity trust level. The same goes for authentication (I will come back to this later).
Jim Harper identifies 4 different kinds of identity:
- something you are
- something you are assigned
- something you know
- something you have
The first type of identity can be verified by visual verification of a physical id by the Identity Provider. The IdP could check a user's passport or driver's licence. It is a very strong identity, based on some form of biometrics: a visual check of the photo on an official document.
The second type of identity is the assigned identity. That could be an email address. It can be verified by addressing the identity (a claimed email address can be verified by sending an email to it).
The something-you-know identity is the shared secret. The IdP can verify it by using a payment from a bank account. The fact that someone can make a payment through a trusted source must have some value in itself.
The last type is just an id issued by an IdP, without any verification. It's just handed over to a person (probably after an identity check, but that's not important, because that would make it a type 1 identity).
If the IdP would add a claim based on the type of identity, and if relying parties would know how to interpret that claim, the trust level could be objectively identified.
I suppose that better classifications and claims could be defined, but I just like Harper's ideas. I just tried to analyse some of Harper's concepts, sorry for any trouble :)
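To make the two ideas concrete, the identity-type claim proposed in this post and the two-parameter trust model argued for in the Stork post above, here is an added example of how a relying party could consume such claims. This is illustration code, not code from OpenID.nl+, STORK, or Jim Harper; the claim names, the numeric scores, the whitelist and the "sum" combination rule are all assumptions made for the example, and the sample subjects are constructed.

```python
"""Two ways a relying party can evaluate assurance from an IdP's claims.

Added example for the identity posts above; not code from OpenID.nl+, STORK
or Jim Harper. Claim names, scores, the whitelist and the combination rule
are assumptions for illustration only.
"""
from dataclasses import dataclass

# Harper's four kinds of identity, keyed by the (hypothetical) claim value the
# IdP puts in the token to say how it verified the identity at registration.
# The numeric scores are an assumption for this example.
IDENTITY_SCORE = {
    "something-you-are": 3,           # IdP visually checked a passport or licence
    "something-you-know": 2,          # shared secret, e.g. a payment from a bank account
    "something-you-are-assigned": 1,  # e.g. an e-mail address verified by mail
    "something-you-have": 0,          # an id handed out without any verification
}

# Strength of the method used to prove possession at login (assumed scores).
AUTH_SCORE = {"password": 1, "otp": 2, "certificate": 3}

# The white list of trusted IdPs that a trust framework would manage (assumed).
TRUSTED_IDPS = {"idp.example"}


@dataclass(frozen=True)
class Claims:
    subject: str
    issuer: str
    identity_verification: str   # one of IDENTITY_SCORE's keys
    authentication_method: str   # one of AUTH_SCORE's keys


def combined_level(claims: Claims) -> int:
    """One merged assurance level in which strong authentication can compensate
    for weak identification. Adding the two scores is the assumed rule here."""
    return IDENTITY_SCORE[claims.identity_verification] + AUTH_SCORE[claims.authentication_method]


def authorize_combined(claims: Claims, required_level: int) -> bool:
    """RP policy that only looks at the merged level (plus the IdP whitelist)."""
    return claims.issuer in TRUSTED_IDPS and combined_level(claims) >= required_level


def authorize_split(claims: Claims, accepted_identity: set, min_auth: int) -> bool:
    """RP policy with two separate demands: which identity verification types the
    RP accepts, and how strongly the user must prove possession of the identity."""
    return (claims.issuer in TRUSTED_IDPS
            and claims.identity_verification in accepted_identity
            and AUTH_SCORE[claims.authentication_method] >= min_auth)


# Constructed sample: "Mickey Duck", barely identified but logging in with an OTP.
MICKEY = Claims("mickey.duck", "idp.example", "something-you-are-assigned", "otp")
# Constructed sample: a passport-checked identity that logs in with only a password.
DONALD = Claims("donald", "idp.example", "something-you-are", "password")
# Constructed sample: strong claims, but from an IdP that is not on the white list.
ROGUE = Claims("donald", "rogue.example", "something-you-are", "certificate")

if __name__ == "__main__":
    visually_verified = {"something-you-are", "something-you-know"}
    for who in (MICKEY, DONALD, ROGUE):
        print(f"{who.subject}@{who.issuer}: combined>=3 -> {authorize_combined(who, 3)}, "
              f"split -> {authorize_split(who, visually_verified, 1)}")
```

Under the merged rule Mickey Duck reaches level 3 and gets in, even though the IdP only ever verified an e-mail address; under the split policy the RP can say "I need a visually verified person, with any authentication method" and Mickey is refused while the passport-checked identity with a mere password is accepted. The whitelist check applies in both cases, so the rogue issuer fails regardless of the claims it makes.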