Paul Squires on Identity and Entangled Topics




Online authority

Posted by Paul Squires @ 2:33 pm on 27 April, 2007. 0 Comments

Adactio: Journal - Identity and authority

What most interested me in reading this post was the reminder that actually it doesn’t matter how much we all talk about “identity” - it will ultimately come down to how it gets used by applications and the associated user experience. I’d never seen Jeremy Keith’s blog before so find it interesting how this discussion is framed from different perspectives (ie, from the web development side, rather than that of looking at “identity” in, and of, itself).

Jeremy’s comment about the differences between trust and authority is particularly striking for one who is looking at security and identity - there’s an instant parallel between the methods used in hierarchical systems (PKI for instance) and more distributed systems (OpenID or PGP), although this throws up some interesting points about the interaction of PKI and trust-based identity systems - at some point we generally require cryptographic verification of an identity. I’d actually suggest that, in these examples, authority, as described, is derived merely from a multi-layered “trust relationship” and the examples of this failing (newspaper reports &c) show this.

If I visit a web site, protected by an SSL certificate, I can choose whether or not to trust the site based upon which organisation signed it - likewise with a newspaper (or online journal for that matter) - I can choose to trust the content depending on who the author and editor are and the publishing organisation. The problem comes in that, generally, some layers of the trust are removed from the end user - browsers have “trusted” roots that will remove prompting; the newspaper (by its very existence) gives a presumption of trust to the reader - as systems scale it becomes more difficult for individuals to personally verify claims and we rely on others to do it for us and this naturally breaks as multiple layers are involved. Alice may trust Bob to a level of 50%; if Bob trusts Clara 50% then Alice only trusts Clara 25% - obvious, but worth stating for these purposes - if a particular (trans)action requires a level of trust at 40% then Alice will deal only with Bob.

The point about authority is that the levels of “trust” involved are much higher, through choice, enforcement on a construct such as a warranty; Bob, by exercising “authority” rather than expecting trust, will back it financially or legally providing an incentive to rely on his assertions and decreasing the risk in doing so.
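The Alice, Bob and Clara figures above, worked through as an added example that is not part of the original post. It goes beyond the single chain in the text by handling a whole graph of trust relationships; keeping the strongest chain when several exist is an assumption of this sketch, and Dave is a hypothetical extra party.

```python
import heapq

def derived_trust(direct, source):
    """Strongest multiplicative trust from `source` to each reachable party.

    `direct` maps truster -> {trustee: level in [0, 1]}. Trust along a chain
    is the product of its links (50% of 50% is 25%). Where several chains
    reach the same party, the strongest is kept (assumption of this example).
    """
    best = {source: 1.0}
    heap = [(-1.0, source)]               # max-heap via negated trust
    while heap:
        neg, node = heapq.heappop(heap)
        trust = -neg
        if trust < best.get(node, 0.0):
            continue                      # stale queue entry
        for peer, level in direct.get(node, {}).items():
            if not 0.0 <= level <= 1.0:
                raise ValueError(f"trust level out of range: {level}")
            candidate = trust * level     # every extra layer can only dilute
            if candidate > best.get(peer, 0.0):
                best[peer] = candidate
                heapq.heappush(heap, (-candidate, peer))
    best.pop(source)
    return best

def acceptable_parties(direct, source, required):
    """Parties whose derived trust meets the level a transaction requires."""
    derived = derived_trust(direct, source)
    return sorted(p for p, t in derived.items() if t >= required)

# The chain from the post.
POST_CHAIN = {"Alice": {"Bob": 0.5}, "Bob": {"Clara": 0.5}}

# Constructed extension: Dave (hypothetical) is a second route to Clara,
# and Clara trusting Alice back forms a cycle the search must tolerate.
EXTENDED = {
    "Alice": {"Bob": 0.5, "Dave": 0.9},
    "Bob": {"Clara": 0.5},
    "Dave": {"Clara": 0.4},
    "Clara": {"Alice": 1.0},
}

if __name__ == "__main__":
    print(derived_trust(POST_CHAIN, "Alice"))
    print(acceptable_parties(POST_CHAIN, "Alice", 0.4))
    print(acceptable_parties(EXTENDED, "Alice", 0.4))
```

Even with a highly trusted intermediary, Clara stays below the 40% bar in the extended graph: no chain can be stronger than its weakest link.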


Generation Gap

Posted by Paul Squires @ 9:21 pm on 26 April, 2007. 2 Comments

Identity, Security & Me » Blog Archive » InfoSec Europe 2007 - Thoughts

I was going to post about my own experience of Infosec on Wednesday, but Paul Toal beat me to it and, frankly, my summary is pretty much the same as his (that’s disappointing, if you don’t want to read his post :) ). The only comment I will make is about the vendor (I can’t remember who they were) that were giving away condoms - imagine explaining the presence of that to the wife - “It was a three day information security conference, pretty dull really”

What I did want to follow up on was what Paul said about Bruce Schneier’s presentation, which although not strictly relevant to what I do was interesting nonetheless. The general theme of the talk was about the permanence of data and the way that the “younger” generation feed every aspect of their lives onto the web - MySpace, Flickr, YouTube and now Twitter all play a part in this. Schneier’s main argument was that we (I say that like I’m an old man!) shouldn’t try to stop them, but should provide the tools to ensure that the data can be erased at some point in the future, or maybe even have a time limit on that. I’m not entirely sure, but I think that the permanence of data is one of the things that people like about this - the fact that I can give someone a URL to my holiday snaps on flickr and know that, pretty much, it’ll be there forever is a good thing. This was emphasised in this post by Mark Cuban in which he discusses the web as a personal, digital archive. His title hints at something that I discussed back in November (although I now have the top search result for my name!) about how search is so important - one of the areas that Schneier touched upon was that, kids being kids, things will get recorded that they may not necessarily want a future employer to see and that until attitudes change there will be casualties of a generational battle.

As if needed, I witnessed a further reinforcement of this point about a generation gap this morning on the BBC in an interview with Jellyellie (frankly, I’ve absolutely no idea who the hell she is, but apparently, she’s written a book - thanks Google) and some guy who I didn’t catch the name of. The whole thing seemed like media tripe, but I did catch one choice quote from the guy saying that “chatting” to people on the Internet can never be as good as getting out there and meeting people “properly” and that sitting in a dark room the whole time is unhealthy. I agree on his second point, but his first just smacks of exactly the attitude that Schneier discussed - just not getting the point that, in some ways, the contact is better - a bigger, wider circle of friends, spread across the globe, with different interests and importantly where gender and race are unimportant.

This is important stuff - I’d read recently (original BBC article) about teenagers using online identities in a throwaway fashion and I wonder how this squares up. I suspect that certain aspects of online life don’t contribute to a person’s overall “sense of identity” and these can quite easily be discarded, but others (a blog, MySpace page &c) are kept and cherished (I also think there’s a correlation to be explored here with email addresses - whilst I use a single address for most of my dealings I keep other addresses handy for certain things - some of those addresses I could lose without a worry; many people deal with spam in this way). There must be a balance here and perhaps it merely demonstrates how easily one aspect of a digital identity can be removed before it causes a negative effect (a bad reputation could be likened to gangrene!) on the whole and this is something we can all learn from the younger generation.


The Keys to the Castle

Posted by Paul Squires @ 11:47 am on 22 April, 2007. 0 Comments

Kim Cameron’s Identity Weblog » Weaknesses of Strong Authentication?

I think there are a few elements of this that are worth exploring - most specifically, in security design the idea of layers counts for a great deal and the analogy of the castle is a particularly good one. Strength in depth, but with each layer designed so that when (not if) a breach occurs there’s always another layer of protection. One other facet of security where a castle analogy is used is in discussion of “single sign-on” (SSO, or more correctly “reduced sign-on”) - we use the term “keys to the castle” to refer to a breach in the initial authentication; once that takes place an attacker has free rein throughout the bailey of the user’s environment and the effect of that single breach can be much more devastating - the isolation of components is removed.

As a result, it’s generally advisable when implementing SSO that a stronger authentication mechanism is used - the increased threat from the lack of isolation can be partially offset by reducing the risk that the initial authentication is compromised. In this sense the strong authentication isn’t the weak element; the reason we need authentication is because when we build the castle the walls need to have holes in them (often a drawbridge). Someone needs to be in a position to open the door, often following the challenge “friend or foe” and that is where the authentication is required. Where CardSpace will provide benefit is in providing a stronger authentication mechanism than the traditional username / password combination - both for individual resources and to a whole domain fronting a protocol such as OpenID or SAML.


Two Factor MITM Phishing

Posted by Paul Squires @ 5:56 am on 20 April, 2007. 0 Comments


Phishing attack evades bank’s two-factor authentication | The Register

If nothing else this serves as a reminder of how security systems can only mitigate against the risk of attack and not prevent it completely. Using a one time password (OTP) as described here only reduces the attack vectors by limiting the time that an attack can take place. Of course, adding mutual authentication to a system would further reduce the risk as would enabling users to have more control over the authentication methods used.

This, of course, is the reason that “user-centric” identity methods have been developed, and in this area in particular the use of CardSpace can be seen to be of most advantage. I doubt that “phishing” will ever be completely eradicated, but the work taking place at the moment will go a long way towards helping users to avoid these situations in future.
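What "limiting the time" means on the verifying side, as an added example that is not part of the original post: a time-based OTP check in the style of RFC 6238 with one-time enforcement. The 30-second step, the one-step drift allowance and the RFC test key are assumptions; the bank in the article may use a different scheme.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code covers (RFC 6238 default, assumed here)

def totp(key, unix_time, digits=6):
    """RFC 6238 code for the time step containing `unix_time` (HMAC-SHA1)."""
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Accepts a code once, and only while its time step is within drift.

    The check depends on the shared key, the clock and the code alone. It
    has no input describing who presents the code or which site the user
    typed it into, which is the gap mutual authentication addresses.
    """

    def __init__(self, key, drift_steps=1):
        self.key = key
        self.drift_steps = drift_steps
        self.last_used = -1                      # highest step already accepted

    def max_lifetime_seconds(self):
        # From the start of a code's step to the end of the last step
        # at which the verifier would still accept it.
        return (self.drift_steps + 1) * STEP

    def verify(self, code, now):
        current = int(now) // STEP
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            if counter <= self.last_used:
                continue                         # one-time: no reuse of a step
            if hmac.compare_digest(totp(self.key, counter * STEP), code):
                self.last_used = counter
                return True
        return False

SAMPLE_KEY = b"12345678901234567890"             # RFC 4226 test key, not a real secret

if __name__ == "__main__":
    code = totp(SAMPLE_KEY, 59)
    verifier = OtpVerifier(SAMPLE_KEY)
    print(code, verifier.verify(code, 59), verifier.verify(code, 60))
    print(OtpVerifier(SAMPLE_KEY).verify(code, 119))
```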


Free Downloads

Posted by Paul Squires @ 6:46 pm on 18 April, 2007. 1 Comment

There’s been a lot of debate about the value of “free” downloads of music, books &c which has had some focus on the element of publicity gained by giving away a product for free - a technique used by bands such as the Arctic Monkeys to generate a fan-base which led to a commercial success.

Scott Adams (of Dilbert fame) has weighed in on this argument with an interesting analogy about underpants (it’s better than I make it sound), which got a mixed response from Techdirt. I usually like the writing from Techdirt, but they’ve sort of missed the point with the analogy about how an artist should retain an element of control over how and when the product is distributed.

Adams has responded with this post. A key part of this…

I can’t steal a jacket from JC Penney and hope they understand that it’s good publicity, thus causing several people to buy the same jacket. It isn’t my right to make that decision, even if I happen to be correct.

It’s fairly simple to take this analogy and extend it so that JC Penney may want to take the choice to give away their product - most likely to a movie star on Oscar night (movie stars do wear JC Penney clothing, don’t they?) in order to increase the value of it overall, but the individual circumstances will determine whether this is a good move or not. Regardless, the only people who should be in a position to make that decision are JC Penney themselves! It might be a good idea for a line of jackets, but not for shoes. It might work for Penney but not for another clothing outlet. The crux is that, when applied to digital music, some bands may be better releasing some material for free in order to increase the value of the “brand” overall. What worked for the Arctic Monkeys before they were famous may not work the same at this stage in their careers! In fact, we expect marketing & sales techniques to change in any sector over time.

Interestingly, one of the common comments from the Techdirt team is that organisations commonly fail to recognise which industry they are in (and hence who their competition is). I think, when applied to music (or even Adams himself) that this is true to a degree - not only does Adams compete against other book/cartoon authors, and other things in the “leisure” space, but he also competes against himself - his past work, his future work and his other, current work. This was highlighted in something I’ve seen recently about why musical artists/bands tend to fail as fashions change - one of the reasons is that each successive release has to compete against the entire back catalogue… (if anyone can point me in the right direction, let me know).


Fingerprinting Children

Posted by Paul Squires @ 8:34 am on 6 April, 2007. 0 Comments

Over the past week the use of biometrics in schools (in particular) has received a lot of media attention - one of the key uses being to “pay” for school meals. Such a system has some big advantages - the reduction in bullying and the loss of stigma for those children who receive subsidised meals are two key benefits (the social inclusion element was a matter actually mentioned at this event).

The usual arguments for both sides were bandied around the media. My own initial thought on the matter was that it probably isn’t such a bad thing - after all, the full fingerprint isn’t stored in the system and as long as data isn’t shared with other systems (the criminal justice IDENT1 programme, for instance) and is deleted at the appropriate time, then the privacy of the child can be maintained and the benefits realised (not that I have any faith at all in our Government to not actively encourage such data leakage).

It seems I wasn’t alone in this belief - Kim Cameron has written a series of posts on the topic (starting here) in which some of the myths about conventional biometrics are dealt with. This post in particular is instructive and shows how current biometric systems work - producing a template of the biometric with a known algorithm - against which a result is matched. For some reason I’d assumed that these systems worked more in the way of what I now know to be Biometric Encryption (link to PDF by Ann Cavoukian and Alex Stoianov), but this is obviously not the case!

Kim follows this up with a further explanation from Cavoukian and Stoianov which describes how easily standard biometric templates can be matched across discrete databases - even when there is no explicit link between them!

“The linking of the databases can be done offline using template-to-template matching, in a very efficient one-to-many mode.”

Kim concludes with the statement

I had not understood that you can so easily correlate conventional biometric templates across databases. I had thought the “fuzziness” of the problem would make it harder than it apparently is. This raises even more red flags about the use of conventional biometrics.

This is where my provisos on when this is acceptable come in - identity data and biometrics in particular need to be handled with sensitivity (even more so when it concerns children), but even with the right political and economic safeguards the technology has to be correct. As things stand we have a scenario where inadequate technology is being used for unsuitable purposes under the umbrella of a “higher goal” that is ill advised at best.


More Site Changes

Posted by Paul Squires @ 5:59 pm on 4 April, 2007. 0 Comments

Things have been busy again recently - I’ve got a string of posts to make, which I’ll be getting round to, but in the meantime I’ve made a few more changes to this site. First and foremost I’ve added the capability for adverts - text only! - and hopefully also on the RSS feed. This should help to mitigate the hosting costs that I’m suffering from :)

I’ve trimmed the page layout a little, which should hopefully help with performance, but the biggest effect on that (so far) looks like being switching to PHP5. This change will also be required for something I’ve been testing (around authentication!) - hopefully I’ll have that in place in a few weeks’ time.

