Tuesday 27 October 2009

Stork and other assurance frameworks

As I wrote earlier, I am involved in the Dutch OpenID.nl+ initiative to help grow the acceptance of OpenID (and to a lesser degree Information Card) in The Netherlands. Within the initiative, Identity Providers and Relying Parties define an interoperability standard whereby Relying Parties can rely on digital identities from Identity Providers, based on the level to which the participating Identity Providers have verified the identity attributes. RPs can authorize users based on the verification information carried in the claims.

The Trust Framework is based on the assumption that trust derives from the reliability of the identity provider (including the reliability of the identity provisioning process) and from the reliability of the use of a digital identity. This means there are two parameters: trust in the identity as verified by the identity provider, and trust in the use of an identity by the individual owning the digital identity (proof of possession). IdPs must adhere to a certification scheme to prove their reliability. The OpenID.nl+ initiative manages the white list of trusted IdPs.

International developments like STORK also define authentication assurance levels, but these levels combine identification (by the IdP) and the method of authentication (by the user, based on proof of possession). Each assurance level is the product of a mix of both parameters.

The strange issue is that for certain levels a low level of trust in the identification process can be compensated by a strong form of authentication. So QAA2 can be the result of accepting an identity that is hardly verified by the identity provider, but requiring a one-time password. Strangely, that would mean that the IdP may not fully know the individual to whom it issued a digital identity, but you know for sure that the user of the digital identity is its rightful owner. So someone logging in as Mickey Duck may not really be Mickey Duck, but he is the rightful owner of Mickey Duck's digital id.

In the OpenID.nl+ initiative the net effect may be the same for most combinations, but the vision on trust is more distinct and the implementation offers a lot more granularity (because of the trust model), although implementing this granularity is not yet part of the roadmap.
In my opinion you shouldn't require a combined assurance level; you should demand a certain level of trust in the ownership of a digital identity and a certain level of trust in the use of that digital identity, as two separate requirements.
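To make the difference concrete, here is an added example of how a relying party could evaluate the two parameters as separate claims, next to a single combined level in the style criticised above. This is illustration code written for this post, not code from OpenID.nl+, STORK or any IdP; the claim names, the level scales, the white list entries and the additive combination rule are assumptions, and the rule is not the official STORK QAA definition. The identity scale borrows the Harper-style classification discussed elsewhere on this blog, and the white list also models the second step of the white-listing idea: an IdP may only assert the verification levels it has been accredited for.

```python
"""Relying-party access decision with two separate trust claims.

Added example, not code from OpenID.nl+, STORK or any real IdP. Claim names,
level scales, white list entries and the combination rule are assumptions
chosen to illustrate the argument; the real STORK QAA mapping is not
reproduced here.
"""
from dataclasses import dataclass

# Hypothetical ordinal scales (higher = more trust). The identity scale follows
# the Harper-style classification used on this blog; the auth scale is assumed.
IDENTITY_LEVELS = {"none": 0, "email": 1, "payment": 2, "visual": 3}
AUTH_LEVELS = {"password": 1, "otp": 2, "certificate": 3}


@dataclass(frozen=True)
class Claims:
    """Claims as received from an IdP (signature verification omitted here)."""
    idp: str
    identity_verification: str   # key of IDENTITY_LEVELS
    authentication_method: str   # key of AUTH_LEVELS


@dataclass(frozen=True)
class Policy:
    """Per-resource requirements, stated separately for both trust parameters."""
    min_identity: str
    min_auth: str


# White list: which IdPs the RP trusts, and the highest identity verification
# level each one is accredited to assert. Hostnames are hypothetical.
WHITELIST = {
    "idp.bank.example": "visual",
    "idp.webmail.example": "email",
}


def claims_are_admissible(claims: Claims) -> bool:
    """The IdP must be white-listed and may only assert identity levels it is
    accredited for; unknown claim values are rejected rather than guessed."""
    ceiling = WHITELIST.get(claims.idp)
    if ceiling is None:
        return False
    if (claims.identity_verification not in IDENTITY_LEVELS
            or claims.authentication_method not in AUTH_LEVELS):
        return False
    return IDENTITY_LEVELS[claims.identity_verification] <= IDENTITY_LEVELS[ceiling]


def two_parameter_decision(claims: Claims, policy: Policy) -> bool:
    """Grant only if BOTH the identity verification and the authentication
    method meet the resource's minimum; neither compensates for the other."""
    if not claims_are_admissible(claims):
        return False
    return (IDENTITY_LEVELS[claims.identity_verification] >= IDENTITY_LEVELS[policy.min_identity]
            and AUTH_LEVELS[claims.authentication_method] >= AUTH_LEVELS[policy.min_auth])


def combined_level(claims: Claims) -> int:
    """Hypothetical single assurance level in the style of a combined scheme:
    weak identification is compensated by stronger authentication. The additive
    rule is an illustration only, not the STORK QAA definition."""
    return min(4, IDENTITY_LEVELS[claims.identity_verification]
               + AUTH_LEVELS[claims.authentication_method])


def combined_decision(claims: Claims, min_level: int) -> bool:
    """Grant if the single combined level reaches the resource's minimum."""
    if not claims_are_admissible(claims):
        return False
    return combined_level(claims) >= min_level


if __name__ == "__main__":
    # "Mickey Duck": the IdP never verified who holds the account, but the
    # holder authenticates with a one-time password.
    mickey = Claims("idp.webmail.example", "none", "otp")
    # A resource holding confidential records wants to know WHO is logging in.
    records = Policy(min_identity="visual", min_auth="password")
    print("combined level:", combined_level(mickey))
    print("combined scheme grants:", combined_decision(mickey, 2))
    print("two-parameter policy grants:", two_parameter_decision(mickey, records))
```

In the combined scheme the unverified account with a one-time password reaches the level the resource asks for; with two separate requirements the same claims are refused, because the resource needs to know who the person is, not only that the right person holds the account. The reverse also holds: a resource that only needs proof of possession can set a low identity minimum without being forced to accept a weak login.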

I will probably get this all wrong, since this model is widely accepted, but then again, maybe I'm not.

Thursday 10 September 2009

Open Trust Frameworks for Open Government

As I wrote earlier, the biggest problem in the identity 2.0 space is the absence of trustworthy public Identity Providers. I called for a trust framework that would enable differentiation in trust levels between identity providers. Of course that requires some major party to define the standards.
There is some great news about the development of a standard trust framework for identity providers. Initiated by the US Government, the Open Trust Framework for Open Government was formed. The methods are described in a White Paper.

There are other initiatives, like the Dutch OpenIDPlus. Let's just hope that these initiatives will converge into an interoperable international standard.

Wednesday 26 August 2009

Facebook game review Spymaster

After playing Mafia Wars for a few weeks, I accepted an invitation to join Spymaster. Spymaster is all about the spying game: you're a secret agent (either Russian, American or British) doing jobs and killing enemies. Here too you get energy and health, replenished over time, and use them to do tasks and attack other agents.
Gameplay is easy. Energy permitting, you select a task and do it. By doing a task you earn more or less experience points, depending on the outcome of the task. When you get enough XP you enter a new level and unlock more jobs and adversaries of the new level.
You also earn money, which you can use to buy stuff: weapons (to gain more attack or defense power), safe houses (to earn a steady income).

After playing for a few days, I decided to stop playing the game. It was boring. Every level you would do a task and succeed or not. You would injure an enemy or not. The 'or not' part was too big for me to enjoy the game. Due to the random results, buying weapons and attacking lesser agents seemed to make no difference. I lost some fights and I never understood why. Probably I'm not a spy.

The gameplay was unrewarding.
The game looked complex. There are spies and spymasters in 'rings' and I never found out how people came to belong to my ring, or how many spymasters were on my side.

The atmosphere in the game was not great. The text mode screen lacked any visual clue about actions or status. Just plain white on black. The only nice feature was the intermezzo while waiting for the results of a fight: gunshots or an animation of an agent on screen. That's about it.

It's a great way to gain plenty of followers on Twitter. I did connect my Twitter account to Spymaster, and status messages were converted to tweets. Nice if you need followers.

Facebook game review: Mafia Wars

A smart game, quite addictive. The first levels are mastered by doing Jobs, like 'Auto Theft' or 'Recruit a Rival Crew Member'. You need enough energy to do the job, and energy just grows over time (depending on the type of character you choose up front). A job gives you hard cash and experience points. The cash can be used to buy weapons or property. That's a second dimension of the game: buy property and protect it from being robbed by the mob.

And of course there's a third dimension: you can attack and rob others. That takes health and stamina and enough attack and defence powers to beat the enemy.

You join the game by accepting an invitation. That is important: you belong to the mafia of the friend who invited you, and your friend belongs to your mafia. Both players play independently, but you can interact by giving gifts to the members of your mafia. Gifts like weapons, loot items (I received a Rembrandt painting), or energy. And you can help one another by doing jobs, thereby earning money and so on.
After you have learned to play the game in New York, you can move on to Cuba. Same kind of play, but it feels a bit different, in a different atmosphere; well done.

So far the game. And does it work?
Yes, it's addictive. The first levels are mastered quite fast. But later on you will find that choices made earlier have an effect later in the game. If you decide to buy a lot of attack power, your energy will grow slowly, so you can do jobs less often. Growing a mafia family is also very important. A large family gives a lot of power and you'll need that.
Higher levels are reached less easily, with larger intervals, but also greater rewards. This game requires some strategic thinking on the part of the player. Plain luck is just a small factor.

Overall, playable until all levels are mastered, but I haven't got there yet...

Something different: facebook game review

If you're on Facebook, you must have noticed invitations from friends to join them in an online game. A few weeks ago I decided to take part in a few games; what use is a game if you don't play it?

So I became a member of a mafia family in the Mafia Wars game. Later I got involved in Spymaster and lately I have been running a farm in Farm World.

What they have in common is how a player can grow from easy challenges to harder challenges, which get unlocked once a level is mastered. A level is mastered after a number of experience points is reached. The first levels are reached quite fast. You win points, buy stuff and play with or against other players, whom you may not even know.

These games run on top of Facebook, so they use Facebook's knowledge of your friends network. One problem is that in order to play harder levels, you will accept invitations from other players that you don't know. They will join your Facebook network too, and see whatever your friends can see. Beware of this risk!

I will post a few game reviews in the next few days.

Saturday 20 June 2009

Jim Harper and identity claims

The best book about identities that I read is Identity Crisis by Jim Harper. After you read the book, please come back and check this concept:

A digital identity is issued by an identity provider. The relying party has to be able to interpret the data in order to act on them. Important information is the trustworthiness of the identity provider (trust level). But just as important is the trust level of the identity information itself. An identity provider can issue digital identities based on a visual verification of a person, but also based on nothing more than an email address. The IdP may be trusted, but the value of an identity based on visual verification differs from that of an identity based on email verification.

Identity Providers should add this value of the identity in the digital passport. A claim should be used to differentiate identity trust level. The same goes for authentication (I will come back to this later).

Jim Harper identifies 4 different kinds of identity:
  • something you are
  • something you are assigned
  • something you know
  • something you have
This classification was not at all developed for the purpose of digital identification (and it is not meant as a classification for authentication, read the book!). But could it be used for an IdentityTrustLevel claim?
The first type of identity can be verified by visual verification of a physical id by the Identity Provider. The IdP could check a user's passport or driver's license. It is a very strong identity, based on some form of biometrics: a visual check of the photo on an official document.
The second type of identity is the assigned identity. That could be an email address. It can be verified by addressing the identity (a claimed email address can be verified by e-mail verification).
The "something you know" identity is the shared secret. The IdP can verify it by using a payment from a bank account. The fact that someone can make a payment through a trusted source must have some value in itself.
The last type is just an id issued by an IdP, without any verification. It is simply handed over to a person (possibly after an identity check, but that's not important here, because that would make it a type 1 identity).
If the IdP would add a claim based on the type of identity, and if relying parties knew how to interpret this claim, the trust level could be objectively identified.

I suppose that better classifications and claims could be defined, but I just like Harper's ideas. I just tried to analyse some of Harper's concepts, sorry for any trouble :)

Thursday 18 June 2009

Claims and white lists

Since there's no trust hierarchy for identity providers yet, some other mechanism should be developed to be able to trust third-party identity providers. At least if we want to be able to act on identity information within the digital identity, the digital passport. As long as a digital identity is used merely instead of a userid and password, there is no problem: any digital identity used on a site is as good as a self-managed identity and password. But if a digital identity is used in a transactional way, or if someone wants to access confidential information, some trust in the reliability of the user's digital identity is needed to be able to control access.

As long as there's no structural solution for trust hierarchy in identity space, white listing is the answer. In a white list a service provider could state which identity provider's identities can be trusted. But that's just the first step.

The second step is that a service provider could allow the use of claims defined by the white-listed identity provider. The service provider might accept specific claims issued by a specific identity provider.

In an earlier post I wrote that we would need only a few standard claims to be able to identify the value of a digital identity. What's needed is the level of verification of the identity by the identity provider and the authentication method. If these two claims were standardised across identity providers and service providers, we would only have to whitelist an identity provider to be able to differentiate user authorizations based on the value of the digital identity.

Yesterday there was an interesting meeting of some potential Dutch OpenID relying parties and OpenID identity providers.
I will participate in a working group to explore the possibilities of standardising claims and trust level of identity providers. That second part is the tough one, it will require some form of accreditation. But if this works for OpenID, it will also work for Information Cards, of course.

Sunday 3 May 2009

European Identity Conference Munich

This week the 2009 edition of the European Identity Conference will be held in Munich, Germany. I will be attending the conference and give a presentation in the Cloud Computing side track on Thursday afternoon. I hope to get a lot of responses to the claims based access control (CBAC) ideas and to the trusted identity provider solutions. More information on the idconf site.

Thursday 16 April 2009

myOneLogin ad

I just read one big ad (dressed as an article) for the myOneLogin service. It is some kind of identity broker, directed at enterprises and SMBs, facilitating single sign-on for cloud applications. It's a $3/month per user service that might replace the use of OpenID for enterprise users. It also addresses strong authentication needs and can cope with SAML.

Anyway: this has got nothing to do with identity 2.0. It's not the end user who is in control of his identity. This may be fine for enterprise use, but why would a company pay for SSO in the cloud? Enterprise SSO (ESSO) may be considered a security measure (it makes sharing accounts between end users difficult). And if you employ ESSO, cloud apps should be handled as well.

I'm a little bit concerned about such developments. The problem with services like this (as well as with OpenID) is that a central authority gets to know my whereabouts. Can these authorities be trusted? How about international regulations? Any clue? How do they handle logging and log analysis? Or log retention (I hope not)?

I'm happy with this kind of development, because it propagates the use of open standards like SAML.

Still, not for me, though. I prefer an internal ESSO and besides, the password store in Firefox and IE is capable enough. It is great, however, that using SSO you are into green computing, pandemic planning and fuel conservation and thus protecting the environment. I don't know how, but it's in their About statement (at least in today's version) :)

Tuesday 31 March 2009

European Identity Conference

Just a short update:
From the 5th till the 7th of May I will attend the European Identity Conference in Munich. I will be presenting a few thoughts about Access Control in the Cloud, covering Claims Based Access Control and Identity Provisioning (in the fog...). My talk will follow Martin Kuppinger's in Stuart Boardman's forum. I'm looking forward to meeting lots of experts in the field.
Munich, twice within a year: last year I presented a similar story at The Open Group's architecture practitioners conference. I like this city :)

Thursday 26 February 2009

Let's review too

Mike Jones reported the availability of the Identity Metasystem Interoperability Version 1.0. This looks like good news to me, progress being made, so all hands on deck for reviewing.