I am pleasantly surprised that the I4 wiki is up. Well, I guess, Pam is still polishing it. That must be the reason we haven't seen an anouncement. Anyway; thanks Pamela, great work already.
Here is a table I compiled from the last interops feature tables. The new wiki will probably produce something similar automatically. Perhaps not with this eye-hurting colors.
And there will be much more feature tests...
The Ruhr Uni Bochum claims that they can steal the security token in a CardSpace scenario.... The experts from the German computer magazine c't could not verify the attack...
After reading the paper that describes the attack I must say that I find it very unrealistic.
The attack is described for managed cards. The browser is tricked to load malicious code and then the real RP's code is loaded and presented to the user. The malicious code then loads the root certificate for the malicious RP's SSL certificate and asks the user to install it into the trusted store. This is the biggest assumption in the scenario. Next the user clicks the purple CardSpace icon.
Case 1) Auditing Mode
Assume that CardSpace is tricked to request a token for the malicious RP. When this is the first time CardSpace sees this RP (which is likely) then there might be little CardSpace can do to help the user to recognize the malicious site (because of the installed root certificate). When this is not the first time then CardSpace will warn the user who will probably terminate the transaction.
But who installs a root cert into a trusted store might continue the transaction even when CardSpace raise all flags and blinks all warning lights.
First: The IdP might reject to issue a token to an RP with which it does not have a contract or is outside the (enterprise) circle of trust. Then this attack does not work.
Second: When the IdP issues a token to the malicious RP then that RP can decrypt the token and read the (private) claims. Then it encrypts the assertion for the real RP. The malicious code in the browser (loaded from the malicious server) receives the newly encrypted token and presents it to the form for it to be submitted. The assumption that the malicious code can now reuse the security token to whatever purpose it likes at the RP is not true because the auditing mode restrict its use to the malicious RP.
Case 2) Non-Auditing Mode
Assume the same prerequisites as in case 1. The user is super stupid and the token is stolen and not restricted to the malicious RP. So whenever the real RP expects a security token the malicious code in the browser can provide it.
Do I have to say that an attackers code running inside my browser is probably deadly anyway? Even when the token is not stolen the likelihood that the claims will be a visible part of the "next" page is high, so they can be stolen this way too.
Can't wait to hear what Microsoft writes about this. I had a long busy day and will rethink the whole thing tomorrow.
Sometimes wishes become true.
I just whined about the cost for certificates but only a few hours later I found this offer from GoDaddy for opensource projects.
Have to wait how complex this gets... Sending the application was easy. Now I am waiting for approval...
I just enabled comments with openid on this blog.
Now you can have your nice "own" id instead of a google account.
Please make sure that you have sxipper installed to warn you about phishing attacks. Does sxipper examine the cert whether I have been at a site already? Have to look into this later...
Have fun with this very useful use of openid. If you are a product manager: While this is useful, please listen to your security guys, before jumping onto the openid train by enabling openid on your valuable site. Better enable information cards.
Extended validation certificates are not the cure for all problems.
The Register reports an XSS attack to Paypal.
I think that more than EV certs the identity metasystem needs affordable certificates for all.
Mike (one of those who need no sleep) blogged about Fun Communication's openid idtheft site and I encourage you to read Mike's post and try your personal idtheft immediately.
Back here?! Well, you knew all this already, didn't you?
But seeing it in action is another thing, I guess.
So where does this lead us? Remember the "openid dogfight" from September 2007? I too think that we need a spectrum of solutions. I agree that openid is for when an RP has "trivial" security requirements, but I think that trivial is not easy to define. At first your openid might be good enough for trivial things but its value grows with time. The more you use your openid the more valuable it becomes and then the risk you take by using the openid protocol becomes too great to accept. So let us all improve openid through e.g. PAPE. But why? To end up with another secure and inconvenient system? Thanks, no.
Kim's presentation is full of nuggets. Minimal disclosure tokens will be part of the future of CardSpace I believe.
While looking for input why "Claims will change everything" I found this presentation from Kim Cameron on the net.
Yes, we have the "proto-wand" and I want to turn it into our magic wand. I think that this is the true "iCard" and I hope that CardSpace will allow to have the cardstore on a secure mobile device not too far in the future.
Microsoft Germany offers the Microsoft 360° Security Days to German speaking architects, project managers and developers. One session for architects and project managers is about Microsoft CardSpace. I really hope this will be an inspiring talk given by a true believer of the claims paradigm.
It's a pity that a participant can not provide her claims by using information cards during registration for the event.
Anyway, I am happy that CardSpace is a topic. We need more events that advocate information cards. Worldwide and in other languages than English too. I hope that Microsoft Germany offers the slides of the session to the public after the event and not only to participants.
Anders Lundgren from RSA Labs just forwarded me a link to a Nokia research paper that describes an implementation of the Bandit's project architecture on mobile devices.
Too bad my attempts to contact Nokia regarding the Identity Metasystem failed. I tried to contact them right after Catalyst Barcelona but replies remained vague and dried out soon. I think that mobiles are THE target for information cards.
Maybe somebody from Nokia reading identity blogs reads this and we work together?
I think we are operating on common ground to a common goal and will benefit from a cooperation!
During the Internet Identity Workshop I thought that it might be time to "pretend" to relying parties that I don't have an email address. Some years ago I tried to live without a "C:" partition on a windows systems. I had several versions of Windows installed on different partitions and at some point in time removed the oldest version on C by removing the whole partition. After some time I gave up on this scheme because to many dump scripts and too many dump programmers insisted that either the system is on C or that the program or parts of it are installed on C. If you don't have a C than things start to fail in interesting ways.
Today, I think, that many relying parties (social sites) demand that I have a valid email address. I think that this might be an assumption that is more and more false as "social" people are using the social sites. Or more and more people will have email addresses but will not know that they have one.
So relying on email for "verification" (registration) or credential reset might not be a good idea. More probably the notion of an "account" is wrong to begin with.
During the OSIS session at IIW2008a we went through all the informationcard related features.
Drummond Reed demos Relationship Cards with the help of Asa Hardcastle
Asa using his eSissors to cut the relationship.
Demostyle inspired by Made to stick
One of the problems around managed cards is that if they are protected through username and password then the benefit to the user seems not as big as one might expect. The promise to get rid of passwords is not completely fulfilled because now instead of giving a username and passport to a RP I have to give one to the IdP. The user now is disappointed and the product management responsible for the introduction of information cards at the RP is unhappy because the user is disappointed.
Well, the promise was not to get rid of ALL passwords. The promise was to get rid of most passwords. The user has to authenticate to the IdP to get the security token.
CardSpace has alternatives to the username/password authentication at the IdP.
Reading through the proposed topics for IIW2008a I noticed that George Fletcher blogged about something that I want too.
Though calling it Identity Metasystem Markup Language seems a little too big, I think.
Anyway I posted something similar to the osis-general mailing list on May 2nd.
Using <link rel="metadata" ...> to indicate what the RP wants is a good idea, I think. This is very simple and very much simpler than embedded objects.
What I like most about this idea is that we might get rid of any RP login form etc all together. If the browser/UA/client notices this new "link" then it can display a dialog or whatever to the user and there is no need for RP generated login forms. This way we have a unified user experience at the user's choice.
What we need next: Do the same with privacy statements. There should be a "link" to the privacy statement of the RP (maybe this is part of the metadata already?). The privacy statement should be kind of machine readable too. I want the browser to be able to help the user to make the right decision here. Well, we need much more but this might be a start.
----
This topic is related to "identity selector advertising"... The selector should/could advertise to the RP that it understands to handle "link metadata" and then the RP could avoid sending <object type="application/x-informationcard" ..> because it now knows that the id selector will offer the user the option to send his claims.
Perhaps I am easy to impress or maybe I have a misconception about IP addresses, but I am still impressed by Jurassic ones.
Apple has 17.149.160.10
HP has 15.192.45.21
Everything smaller than 32 is from the Stone Age.
In the era of classless routing this is not that impressive anymore, but still...
| openinfocard.org (today) is 68.178.232.100 which is smaller than 128 but nothing to be proud of. And anyway the rule "smaller is bigger" does not count anymore. |  |
Today I re-viewed the Craig Mundie keynote from the RSA 2008 conference.
Many things were said that I liked:
So, for example, if you're putting together an online playground for young school kids, you really want to know about all the identities of the people who have access to that. You don't want people lurking in your playground if you don't really know who they are in a reliable fashion.Ripped out of context phrases from this video:
"LDAP is the COBOL of Identity Systems"
"Web-Services can be Hokus-Pokus or they can be usefull."
"Information should decay. Identity Entropy ; Identropy; Claims TTL"
Subscribe to Posts [Atom]
