Mike Jones: self-issued

Musings on Digital Identity

Author: Mike Jones Page 30 of 33

Building the Internet's missing identity layer

Gone Phishing

By

On May 26, 2008

In Information Cards, OpenID, Phishing Resistance, Windows CardSpace

Fun Communications‘ site idtheft.fun.de lets you mount your very own man-in-the-middle based phishing attack against the OpenID provider of your choosing. Rather than redirecting you to the OpenID provider you specify, it instead redirects you to a page impersonating the OpenID provider, created using content scraped from the real site behind the scenes.

This is the same kind of attack shown in Kim’s phishing video. idtheft.fun.de lets you have the fun of doing it yourself!

I tried it myself with several OpenID providers I use. Predictably, I was typically able to “steal” the passwords for OpenIDs when logging into them with passwords and hijack the resulting logged-in sessions. “Protecting” an account with a one-time-password (OTP) device did nothing to stop this; my “attack” still succeeded in hijacking the session established using a password in combination with an OTP value.

Two things did defeat these attacks. Because Information Cards generate site-specific sign-in information and the attacker’s site is different than the authentic site, even when I was “tricked” into submitting an Information Card to the imposter site, it didn’t give the imposter the ability to log into the real site. No shared secret was present to steal and no session was established to hijack.

The other thing that defeated this specific attack was the use of JavaScript in the sign-in process by the OpenID provider. While a slightly more sophisticated attack could almost certainly get past this obstacle, idtheft.fun.de apparently doesn’t correctly mimic JavaScript site features like “Sign In” buttons invoking an onclick method.

This ability to both phish passwords and hijack the resulting logged-in sessions is exactly why I and others are working on finishing the OpenID Provider Authentication Policy Extension (PAPE) extension. As I wrote when the first draft was published, PAPE enables “OpenID relying parties to request that a phishing-resistant authentication method be used by the OpenID provider and for providers to inform relying parties whether a phishing-resistant authentication method, such as Windows CardSpace, was used.” It’s time for PAPE to become an OpenID standard.

What follows are screen shots from a successful phishing attack and a thwarted one — both against the same OP. The difference is whether passwords or Information Cards were used to log in.

Figure 1: idtheft start

Figure 1: About to mount my attack against my OpenID at myopenid.com. I’ve typed the URL of my OpenID into the relying party.

Figure 2: idtheft signin

Figure 2: Next, I’m logging in with a password. An observant user could notice several things wrong: the address bar shows the imposter’s URL, the imposter’s URL is present in the “You must sign in to authenticate to …” message, and the “Your Personal Icon” space is blank. Unfortunately, there is strong evidence that users are not observant.

Figure 3: idtheft allow

Figure 3: Phishing already accomplished. Same cues are present that something’s amiss. Of course, a more sophisticated attack could replace the imposter’s URL in the page with the “real one” in both of these screens, eliminating the most obvious cue. I scroll down and click “Allow Once”.

Figure 4: idtheft accomplished

Figure 4: Result after being redirected back to the “relying party”. Yes, that was my real password.

Next, I tried to attack my account again but was surprised that I wasn’t asked to log in this time. Of course — the attacker’s session was already logged in! So I signed out as the man-in-the-middle (that was weird), enabling me to try again.

My next steps looked just like Figures 1 and 2, except instead of typing a password I clicked the purple Information Card button. This brought me to:

Figure 5: idtheft cardspace

Figure 5: CardSpace informs me that I’ve never sent a card to this site before. An observant user would realize that they don’t normally see this screen and might decline. But then, we’ve already discussed how observant users aren’t. I click “Yes”, choose the card I normally use to log into myopenid.com, and send it.

Figure 6: idtheft prevented

Figure 6: Phishing prevented. “Error processing Information Card token” isn’t the most informative error message I’ve ever seen but behind it is great news: the phishing attack failed because the token constructed for the imposter site wasn’t usable at the real site.

And thanks to idtheft.fun.de, you can try this at home!

Fun Communication’s Fun Identity Innovations

By

On May 26, 2008

In Information Cards, OpenID, Phishing Resistance

Fun Communications logoJohannes Feulner of Fun Communications recently showed me three different identity sites they’ve created, each fun and valuable in its own way. The first, www.webcard-loyalty.com, lets companies create online loyalty cards for their customers. These loyalty Information Cards enable merchants to offer bonuses and discounts when the cards are used, similarly to how physical loyalty cards such as frequent flyer cards and frequent shopper cards are used to provide these benefits in the offline world. You can read more about “virtual loyalty cards” and about the innovation prize they won.

The second, openidbycard.com, dynamically creates a site-specific OpenID to use at an OpenID relying party from any Information Card offering the privatepersonalidentifier (PPID) claim. Type “openidbycard.com” as your OpenID identifier into any OpenID login form and an OpenID will be created for the site based on the site identity and the PPID returned by the card. While I understand value of using public identifiers (such as self-issued.info) in some contexts, it’s great to also have the choice of using unidirectional identifiers at OpenID sites.

Finally, idtheft.fun.de demonstrates the ability of attackers to mount man-in-the-middle attacks against OpenID sites (and lets you try it yourself!). The site phishes OpenID passwords and other information sent through the browser, all via web pages that look authentic, but that are actually under control of the attacker. This will be the subject of my next post.

IBM Product Release for Information Cards and OpenID

By

On May 21, 2008

In Information Cards, OpenID, Software

IBM logoAs reported in InternetNews (and brought to my attention by Tony Nadalin), IBM has expanded the scope of its Tivoli Federated Identity Manager product to include support for Information Cards and OpenID. This is a fantastic development, as it puts software enabling use of these user-centric identity technologies into the hands of IBM’s numerous important customers, ranging from enterprises to Internet businesses. Congratulations to IBM and the Tivoli team for this significant achievement!

The Certificate Odyssey

By

On May 4, 2008

In Information Cards, Pamela Project, Software, Windows CardSpace

I was just reading Ryan Janssen‘s post Becoming an RP with the Pamela Project (pt. 1) and when I got to the end where he wrote “Since it’s going to take a few hours to get my SSL cert issued and installed, I think I’ll post this and go outside for a break!” it reminded me of the certificate odyssey I went through in April last year. After eventually getting the certificate created and installed, I wrote this about it at the time to Stuart Kwan (hip Internet terminologist):

Getting and installing the certificate was an unbelievable odyssey. It was an *incredibly complicated* process, that in my case, involved many visits to Network Solutions’ and GoDaddy’s support sites, several hours of my afternoon on Saturday, using cryptic openssl commands on Linux to create a key pair and a cert signing request (and later to strip the password off the key pair so Apache would start without the password), lots of help on IM from Pam Dingle, and the creation or use of 6 different passwords. Oh, and the cert wasn’t even installed by that point!

And it would have been *so easy* to get any of the steps wrong and have a cert request that was incorrect or to obtain a cert that didn’t do what I wanted it to. I understand the value that certificates provide (and it’s substantial). But we, as an industry, haven’t exactly made it easy for people to obtain and use them…

I’m tempted to blog about that, but I won’t… :-)

But seeing that Ryan is about to go through the same odyssey, I’ve reconsidered, hence this post. I’m now eagerly awaiting part two of his description to see how his experience compares to mine.

Of course, now that CardSpace and other identity selectors have support for no-SSL sites, hopefully this will be an optional odyssey soon — employed only when the security benefits of SSL certificates are called for. I know that Pamela plans to add no-SSL support to PamelaWare for WordPress soon, so after that, the pain that I went through and that Ryan’s in the midst of during a beautiful sunny day on the Lower East Side can be a thing of the past.

CA Announces Support for Information Card Authentication in SiteMinder

By

On April 8, 2008

In Information Cards, Software

CA logoToday CA published the whitepaper “CA and Microsoft Support for User-Centric Identity and the Identity Metasystem” in which they describe their shared vision with Microsoft to build the Identity Metasystem. In particular, the whitepaper describes CA’s plans to enable SiteMinder customers to authenticate to resources protected by SiteMinder using Information Cards and to enable claims to be delivered to applications. Read Jeff Broberg‘s introduction to the paper and the whitepaper itself.

This is a fantastic development for the Identity Metasystem, as SiteMinder is a key component of the identity infrastructure for numerous businesses large and small across heterogeneous platforms, including some of the largest consumer web sites. I can’t wait to see the valuable and creative uses of Information Cards that will result from CA’s commitment to the Metasystem.

User-Centric Identity Interop at RSA in San Francisco

By

On April 1, 2008

In Bandit Project, Firefox, Higgins Project, I-names, Information Cards, Interoperability, JanRain, OpenID, Pamela Project, Phishing Resistance, Shibboleth, Software, Windows CardSpace

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am – 4pm
Demonstrations: Tuesday and Wednesday, 4pm – 6pm
Reception: Wednesday, 4pm – 6pm

Logos of RSA 2008 Interop Participants

Curtain Lifted on Information Card Support in OpenSSO

By

On March 31, 2008

In Information Cards, Interoperability, Software

OpenSSO logo

Congratulations to Gerald Beuchelt of Sun Microsystems and the rest of the OpenSSO team for their release of Information Card support in OpenSSO. As Gerald wrote:

It took quite a while, but by now it is out. Please welcome the Windows CardSpace Information Card extensions for OpenSSO:

https://opensso.dev.java.net/source/browse/opensso/extensions/authnicip/

When I started working on this last spring, I was not even hoping to see this released in open source and part of the OpenSSO extensions family in less than a year. It took the goodwill and talent of quite a few people to get this off the ground, but with the public release of this code and the upcoming OSIS interop during the RSA conference, OpenSSO is now “speaking ISIP” …

Just in time for the in-person interop testing at RSA!

The History of Tomorrow’s Internet

By

On March 30, 2008

In Claims, Information Cards, Pamela Project, People, Windows CardSpace

Ryan JanssenI recently encountered Ryan Janssen‘s insightful series entitled “The History of Tomorrow’s Internet” and immediately read the whole thing in one sitting. Among other gems, I found in it the clearest explanation of the value and promise of XRI/XDI that I’ve ever read. Great stuff!

The most recent installment detailed his experiences of “how it feels for a regular person to use Cardspace”. In particular, he documented his experience of using CardSpace for the first time to leave a comment on this blog. He introduced his narrative with:

… as someone who’s business it is to build great software, I KNOW how hard good UI is. Believe me, I work with a GREAT product team and we try REALLY hard to make intuitive software and we fail EVERY day. Having said that, this post isn’t going to paint a real pretty picture.

I’ll let each of you read his blow-by-blow narrative yourself. He closes with:

So what’s the final analysis? Well, as I stated in the beginning, the purpose of this post isn’t to bash Microsoft or Cardspace. Like I said, I build software and when I actually see a normal person use it for the first time, I’m inevitably embarrassed at how difficult it is. Software is hard and Cardspace is brand new. Nonetheless, this does show how far the technology has to go before Mom and Dad are going to be using it. Usernames and Passwords are UBIQUITOUS. We’ve been trained on the visual metaphors for at least a decade. Replacing that with ANY other paradigm is going to rough. To have any chance of success, the Cardspace workflow will need to be much improved.

Because I’m a member of the CardSpace team, I can say that as much as the team is understandably proud of what they accomplished in V1, they’re also pragmatic realists who are fully aware of the issues that Ryan documents so well and the vital importance of addressing them in our future releases. It’s exciting participating in that very process on the fifth floor of Microsoft building 40, day in, day out, as the team defines and refines what the next release will contain. Greatly improved usability is certainly one of our highest-priority goals.

I know that Ryan has also motivated Pamela and me to take a look at how the flow on the blog can be improved. PamelaWare for WordPress isn’t even yet a V1 release (it’s at v0.9 currently) and I know Pamela has lots of ideas on how to improve it. Ryan’s experiences will certainly help inform the next release.

Also, I’ll remark on these excellent observations:

Ready to post? Not yet. Since my iCard is self-issued, Mike’s site (yes, the site is called self-issued.info ironically enough) doesn’t trust me and has now decided that I need to verify my email address. This is obviously a little annoying, but it brings up a good use-case for the first Claim Provider–one that has verified my email address, home address, and phone numbers, so I NEVER have to respond to an email or text message like this again.

Asking the user to verify his or her e-mail address is a way of obtaining a backup means of authentication that can be used in the case where user has lost his Information Card. Just like many accounts backed by passwords use e-mail in the “lost password” flow, PamelaWare uses e-mail to the user in the “lost card” flow and verifies ownership of the e-mail address at account creation time. Ryan correctly points out that if I had received a verified e-mail address as a claim there’s several steps we could have skipped. Making this scenario a reality is one of my personal goals for the Identity Layer we’re all building together.

There’s nothing like real user data to inform what needs to happen next. Thanks, Ryan, for taking the time to provide it to all of us. I look forward to reading the next installment of the series!

JavaScript Kung Fu Fighting!

By

On March 28, 2008

In Firefox, Information Cards, Windows CardSpace

Firefox logoThanks and congratulations to Axel for his new release of the Firefox Information Card add-on that tames all that JavaScript Kung Fu with ease! I’ve updated the pertinent OSIS interop results page from “Issues” to “Works”.

Interops in Progress

By

On March 25, 2008

In Federation, Information Cards, Interoperability, OpenID

OSIS logoTwo important identity interoperability demonstrations will occur at RSA two weeks from now: the OSIS User-Centric Identity Interop and the Concordia Multi-Protocol Federation Interop. During both you’ll see different projects and vendors publicly showing their identity software working together. But what you won’t see at the conference is what’s happening right now — the engineers behind these implementations working together to refine their deployments and their software to ensure that solutions that should work together in theory actually do in practice.

Like the previous OSIS Interop, the current one is testing both Information Card and OpenID implementations — sometimes in combination. I’m especially excited about this Interop for three reasons. First, the set of participants has expanded again by over 50% and includes many commercial deployments of these relatively new technologies. Second, much deeper testing is occurring than ever before. Thanks, in part, to significant efforts by Pamela Dingle and the Microsoft Identity Lab team, during this Interop not only are people trying their implementations with one another’s — they’re also systematically testing their support for an important range of protocol features using interop endpoints designed and deployed for this very purpose. Third, this Interop won’t end when the conference ends. Most of the participants plan to leave their endpoints up after the conference is over, enabling new participants to join and test later and for existing participants to re-test their implementations against the others when they deploy new versions. Visit the OSIS Interop demonstrations in person if you can, especially between 4:00-6:00 on both Tuesday and Wednesday during the conference.

Concordia logoThe Concordia Interop is showing the use of Information Cards to sign into both SAML 2.0 and WS-Federation based federations. Both these federations are using SAML 2.0 tokens carrying consistent authentication context information. (I believe that this is the first public demonstration of WS-Federation implementations using SAML 2.0 tokens.) Furthermore, the Concordia Interop demonstrates the ability to bridge between WS-Federation and SAML federations, allowing identities originating in one to be used to authenticate to services in the other. Visit the Concordia workshop during the conference on Monday from 9:00-12:30.

Finally, I’m not the only one excited by these Interops. Axel Nennker, Francis Shanahan, Gerald Beuchelt, Prabath Siriwardena, Scott Kveton, Vittorio Bertocci, and Will Norris have all written about the upcoming OSIS Interop. There’s also a press release from the Concordia project. Hope to see many of you at RSA!

Zend PHP Information Card Software

By

On March 24, 2008

In Information Cards, Software

Zend logoThe Zend Framework is an open source object-oriented web application framework for PHP used by parties large and small for building mission-critical web applications. As of release 1.5, the Zend Framework now includes support for accepting Information Cards. Read about it in Chapter 18 of the Zend Framework Programmer’s Reference Guide: Zend_InfoCard.

Furthermore, the Zend Information Card implementation can be used either as part of the Zend Framework or independently. A standalone download is available here.

Re: Microsoft’s Open Specification Promise

By

On March 16, 2008

In Interoperability

Ben Laurie wrote:

The Software Freedom Law Centre has published an analysis of the OSP. I don’t really care whether the OSP is compatible with the GPL, but their other points are a concern for everyone relying on the OSP, whether they write free software or not.

The “analysis” tries to insinuate that since Microsoft doesn’t promise that future revisions of specifications covered by the Open Specification Promise will be automatically covered unless Microsoft is involved in developing them, that it’s not safe to rely on the OSP for current versions either. This is of course false, as the OSP is an irrevocable promise that Microsoft will never sue anyone for using any of the covered specifications (unless they sue Microsoft for using the same specification, which is a normal exception in all such non-assertion covenants).

On this point, Gray Knowlton wrote:

It is unusual for promises like the OSP to automatically include every spec or all future versions (IBM’s pledge is exactly like ours). The norm is for new versions to be added to them to be covered. In the case of Sun’s statement new versions are automatically added only when they participate in the development of the new version to the extent that the OASIS IPR rules would then obligate them to provide patent rights under the OASIS IPR Policy. None of these promises include future versions of the specifications without any qualification.

While I normally wouldn’t wade into legal debates, I writing because I’m proud of what Microsoft has enabled for the industry through the OSP, and the “analysis” leaves some very false impressions. Gray does a great job of responding in detail so I won’t do so here. Please read his response before drawing any conclusions. In particular, I believe the OSP and similar promises from other industry leaders have laid a stable foundation for the broad acceptance and adoption of the protocols underlying Information Cards, Web Services, and other important interoperable industry-wide protocols.

I see no cause for concern.

Welcoming Credentica’s People and Privacy Technology to Microsoft

By

On March 6, 2008

In Claims, Cryptography, People, Privacy, U-Prove, Windows CardSpace

Stefan BrandsI’m writing today to publicly welcome Stefan Brands, Christian Paquin, and Greg Thompson, of Credentica to Microsoft’s Identity and Access Group. I’m looking forward to working with them and to us adding their fantastic minimal disclosure technology to our identity products. Like Kim, I’m excited!

I urge people to check out Stefan’s announcement, Kim’s detailed write-up about the significance of this technology (I love the phrase “Need-to-Know Internet”), and Brendon Lynch’s post on Microsoft’s Data Privacy blog.

Welcome to Microsoft!

Congratulations on the Higgins 1.0 Release

By

On February 21, 2008

In Higgins Project, Information Cards, Interoperability, Software

Higgins logoI’d like to extend congratulations to my colleagues from the Higgins Project for their Higgins 1.0 release today. This is a significant milestone in the development and deployment of interoperable identity software that lets people use their Information Cards on any platform or system.

This release includes a broad range of implementations, including Identity Selectors for Linux, FreeBSD, and Mac OS X, support for rich client applications, and a browser-based selector for Firefox on Windows, Linux, and Mac OS X, plus Identity Provider and Relying Party software. They’re even shipping a prototype “Selector Selector”, letting people choose between different Identity Selectors. See their Solutions page for more details.

From a personal perspective, I’ll say that it’s been a pleasure watching Higgins evolve from the vision statements discussed at the Berkman Center Workshops starting in early 2005 to today’s dynamic multi-faceted identity software project. Congratulations to the long-tailed mouse for today’s achievements! I know there’s lots more to come…

Re: OpenID kills Windows CardSpace?!

By

On February 19, 2008

In Information Cards, OpenID, Windows CardSpace

The thing that immediately came to mind when I read the subject of Christian’s post was Mark Twain’s famous remark, upon learning about rumors of his own demise: “The report of my death is an exaggeration”.

Apparently the German press hasn’t been following my blog (I’m hurt but not totally shocked :-)) or Kim’s or JanRain’s or VeriSign’s or Ping Identity’s or Andy’s or Dick’s or David’s or Drummond’s or Scott’s or Paul’s or so many others where we’re all talking about the valuable ways that Information Cards and OpenID work well together. And there’s more than just talk. For instance, the OpenID providers LinkSafe.name, MyOpenID.com, PIP.VeriSignLabs.com, and SignOn.com all enable account creation and login with Information Cards. Is this good for OpenID? Yes! Is it good for CardSpace (and other Identity Selectors)? Yes!

But lest anyone has the perception that Microsoft’s participation in OpenID somehow lessened our commitment to CardSpace, I’ll respond plainly: That is simply not true. I work in the corridors where the CardSpace team is actively building the next version (which incorporates lots of the great feedback we’ve received from users and partners on our present versions) and down the hall from where our server product is being built that will make it easy to issue and accept Information Cards. I can honestly report that both teams are excited, executing on their mission, and moving full speed ahead!

In answer to Christian’s question “Why didn’t Microsoft explain the whole picture in the moment of releasing such news?”, I’ll respond pointing out that the news of February 7th was about Microsoft and others joining the OpenID Foundation board — not about CardSpace, and we were comfortable with that. We are confident enough of the value that CardSpace brings to the table to also openly embrace other identity technologies where they make sense, without feeling that the existence of one diminishes the other. We are confident that others (including many of the leaders in the OpenID community) share this view.

So to our great partners like Christian who are out there rocking, building innovative identity solutions that are part of the “Identity Big Bang” with Information Cards and CardSpace I say this: Congratulations on your fantastic work! We’re fully behind you!

And to our great partners who are also helping create the “Identity Big Bang” by employing OpenID where it makes sense: We salute you too!

The Internet Identity Layer is still very much a work in progress. I’m thrilled to be part of making it happen and to be in a community that is collaborating and building upon one another’s work. And if I were on the outside watching, I certainly wouldn’t be holding my breath wondering if one of these identity technologies is going to “kill” the other one — especially when the truth is that they’re both stronger because of the other.

Information Cards, i-names, OpenID, Ruby, and Interop!

By

On February 17, 2008

In I-names, Information Cards, Interoperability, OpenID, Software

ooTao logoMy congratulations to ooTao and LinkSafe for enabling account creation and login at LinkSafe’s i-broker using Information Cards. Building on what I wrote earlier about I-names without Passwords at LinkSafe, Andy Dale recently wrote:

Working together Microsoft, LinkSafe and ooTao have developed the first Info-Card enabled i-broker. You can register for an i-name at LinkSafe and subsequently log in to any OpenID 2.0 relying party without ever entering a password. All of the security can be Info-Card driven.

We have made the Ruby RP Module deployed at LinkSafe available under BSD license along with a simple ‘hello world’ app that demonstrates driving the module.

inames logoSee Andy’s post for instructions on where to get the software and for a demo site where you can try it out.

And as long as I’m on the topic of trying out software, I thought I’d mention that the latest OSIS User-Centric Identity Interop is under way! Visit the new OSIS page and browse through the Interop Participants, the Software Solutions, and the Cross Solution Results. There’s more to come, including more participants (contact me if you’re interested!) and feature-specific tests, but I wanted to let people know that we’re out there testing our software together now, including both Information Card and OpenID implementations, with Interop demonstrations to occur at the RSA Conference in April. And of course, ooTao and LinkSafe are participating!

Microsoft Joins the OpenID Foundation and its Board of Directors

By

On February 7, 2008

In Information Cards, OpenID, Phishing Resistance

OpenID logoToday the OpenID Foundation announced that five leading technology companies, Google, IBM, Microsoft, VeriSign, and Yahoo! have joined the OpenID board of directors as its first corporate board members. This news comes a year and a day after the JanRain/Sxip Identity/Microsoft/VeriSign OpenID/CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference.

How are these events related, you might ask? As I see it, they’re both great examples of the industry working together to solve the digital identity problems that all Internet users presently face — in these cases, both in the context of OpenID.

A lot’s happened over that year-and-a-day that’s worth celebrating:

From a personal perspective, I’ve enjoyed working with colleagues from numerous companies (including from my own!) to help get us to today’s announcement, as well as working to bring safer, easier-to-user login and account creation to OpenIDs via Information Cards. Thus, I’m both pleased and honored to now be representing Microsoft on the OpenID Foundation board of directors.

Of course, today’s announcement is really only the end of the beginning. The real fun and value is still ahead of us, in the work we’ll do together. The draft PAPE specification needs to be completed. We need to drive relying party adoption of phishing-resistant authentication. And talk of an OpenID 3.0 that’s both easier and safer to use is already percolating on the mailing lists.

The Internet is still missing a much-needed ubiquitous identity layer. The good news is that the broad industry collaboration that has emerged around OpenID is a key enabler for building it together!

Information Card Relying Party Software for Python

By

On February 7, 2008

In Bandit Project, Information Cards, JanRain, Software

While you’ve seen posts about Information Card Relying Party code for lots of programming languages and environments here (ASP.Net, Ruby, Java, PHP, C) one language I haven’t posted about before is Python. To make up for that, here’s information about two Python implementations.

Bandit Code logoTurns out that the Bandits, in their inimitable style, have been quietly churning out useful code. In this case, Duane Buss built Python relying party code to use at the Bandit Project’s Code pages (Bandit Trac) and also released it for general use. After only minimal cajoling, he also created a demo Python relying party.

JanRain logoMeanwhile JanRain, another group well-known for producing high-quality identity code, also built a Python relying party implementation, in their case to use at MyOpenID.com. As Brian Ellin just wrote, JanRain has released their Python code for accepting self-issued Information Cards for all to use. Have at it, Python hackers!

ANSI-BBB Identity Theft Prevention and Identity Management Standards Panel Final Report

By

On February 7, 2008

In Documentation

ANSI-BBB Identity Theft Prevention and Identity Management Standards PanelThe ANSI-BBB Identity Theft Prevention and Identity Management Standards Panel recently issued its final report. Quoting from the report announcement:

Launched in September 2006, the IDSP was established by the American National Standards Institute (ANSI) and Better Business Bureau (BBB) to identify and catalog existing standards, guidelines, and best practices related to identity theft prevention.
Panel members considered the entire life cycle of identity management: from the issuance of identity documents by government and commercial entities, to the acceptance and exchange of identity data, and to the ongoing maintenance and management of identity information. Hundreds of documents — including the applicable laws, regulations, proposed legislation, white papers, and research studies and reports — are identified in the catalog.
The report also includes recommendations for business and government agencies to:

  • enhance the security of identity issuance processes to facilitate greater interoperability between the government and commercial sectors;
  • improve the integrity of identity credentials;
  • strengthen best practices for authentication;
  • augment data security management best practices such as the use and storage of Social Security numbers;
  • create uniform guidance for organizations on data breach notification and remediation;
  • increase consumer understanding of ID theft preventative strategies, including the benefits and limitations of security freezes.

This report provides one of the most comprehensive looks to date at the problem of identity theft and the fraud that accompanies it. It both surveys the current identity landscape and makes recommendations for business, government, and consumers to mitigate these threats both in the offline and online environments.

Come ‘n get it!

By

On January 10, 2008

In Documentation, Information Cards, Windows CardSpace

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesUnderstanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker, is now in print!. As I wrote for the “praise page” of the book:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

Come ‘n get it!

Page 30 of 33

Previous

Next

Powered by WordPress & Theme by Anders Norén