![[site community profile]](https://www.dreamwidth.org/img/comm_staff.png){kind=small}
News from the conference circuit
Oct. 23rd, 2010 08:30 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
pauammaI may not have got the exact order right. Also, using first names because I only remembered those at best. Altogether, there were about 20 people, including the speakers.
Nat told us about the OpenID foundation (umbrella organization to evangelize OpenID, support protocol development, provide recommendations for use in specific industries or sectors, etc). It also takes steps to be able to retaliate if someone waves patents in contributors' or users' faces. Membership ($25/yr for individuals, $500 for small businesses (up to 25 people) and going up from there, up to $50K/yr for sponsoring members) required to contribute to standards.
John talked about the use of cross-domain authentication in US federal agencies, for each of 4 security levels with a bit about where these levels come from and what the requirements are for each. (OpenID is allowed only at the least sensitive level.)
Martine talked about a biometric (fingerprints-based) authentication and authorization device her company makes, that uses an intriguing method to pass opaque data through the user's computer to the device; have the application display an animated pic (basically, a row of flickering black and white bands) and have the user place the edge of the card against the image. Then, let the row of light-detecting thingies do its magic and acquire a confirmation or authorization token (including a text description of what it will authorize or confirm) that the user has to pass to the application to confirm the transaction.
Questions from the audience covered security (claimed to be immune to MITM data alteration attacks with proper application design), use with multiple applications (up to 112, with separate registration and credentials stgorage for each) and accessibility (if you have less than the 3 fingers required for device set-up, cannot align the device and the image, or are unable to watch the flickering image, you're out of luck). Someone also asked about the reasons for not using 2D barcodes, but I forgot what the answer was.
The there was buffet lunch, shop talk, and chit-chat. Then we sat down again after a while.
Joni talked about the Kantara Initiative, which works:
- on implementing certification and audit programs for identity providers (OpenID or otherwise) covering reliability of authentication, security, and privacy safeguards
- on developing standards for machine-readable metadata describing what guarantees for the above specific identity providers offer and which minimum guarantees users, applications, or services require.
It will support (supports?) multiple protocols and authentications frameworks.
John and Nat described OpenID/Artifact Binding, a variant of OpenID that requires the UA to pass only opaque tokens between OP and RP, instead of the whole set of OpenID parameters. Instead, those get exchanged directly between OP and RP, using the opaque tokens as transaction IDs. This alleviates problems related to URL length and POST vs. GET redirection (which is more of a problem with HTTPS). They segued into something multiparty called Contract Exchange (CX) that (IIRC) is designed to do the same thing as AX (Attribute Exchange) for several sources in parallel (with appropriate cross-source privacy and isolation safeguards), and ended with JSON signing and encryption. All of those should have draft standards available by the end of 2010, if they don't already.
Some guy whose name I forgot discussed data ownership and Personal Data Stores. He first covered the current situation, with data duplicated and fragmented across services, and at the mercy of providers' and lawmakers' whim when it comes to privacy, integrity, or even continued existence. Then he discussed his solution: a personal data store consolidating all data about and produced by him (which would presumably include his own data contributed to social-network and social-media sites) and putting it under his own control and policies.
Other services would either query his personal data store as needed, or (maybe - I tuned out for a few minutes at this point because I was reviewing my own slides one last time) search it for possibly relevant offers they should send him - I think he meant that when he said adding a "fly to Tokyo" entry to his diary should trigger an offer from Japan Air Lines, as opposed to him having to go to their website. I don't know whether he also discussed privacy controls, or how to avoid being deluged with Viagra spam following a "Urologist appointment" diary entry.
Pau Amma (me) discussed application-level problems with renaming of OpenID identities and dealing with history, stored identities that are no longer current or became ambiguous, and similar niceties, The talk quickly turned into a discussion with John and Nat on which OpenID features or components would help solve which problem, and which parts would require extensions to OpenID. HTMLized or PDFized version of slides available upon request.
Nat told us about the OpenID foundation (umbrella organization to evangelize OpenID, support protocol development, provide recommendations for use in specific industries or sectors, etc). It also takes steps to be able to retaliate if someone waves patents in contributors' or users' faces. Membership ($25/yr for individuals, $500 for small businesses (up to 25 people) and going up from there, up to $50K/yr for sponsoring members) required to contribute to standards.
John talked about the use of cross-domain authentication in US federal agencies, for each of 4 security levels with a bit about where these levels come from and what the requirements are for each. (OpenID is allowed only at the least sensitive level.)
Martine talked about a biometric (fingerprints-based) authentication and authorization device her company makes, that uses an intriguing method to pass opaque data through the user's computer to the device; have the application display an animated pic (basically, a row of flickering black and white bands) and have the user place the edge of the card against the image. Then, let the row of light-detecting thingies do its magic and acquire a confirmation or authorization token (including a text description of what it will authorize or confirm) that the user has to pass to the application to confirm the transaction.
Questions from the audience covered security (claimed to be immune to MITM data alteration attacks with proper application design), use with multiple applications (up to 112, with separate registration and credentials stgorage for each) and accessibility (if you have less than the 3 fingers required for device set-up, cannot align the device and the image, or are unable to watch the flickering image, you're out of luck). Someone also asked about the reasons for not using 2D barcodes, but I forgot what the answer was.
The there was buffet lunch, shop talk, and chit-chat. Then we sat down again after a while.
Joni talked about the Kantara Initiative, which works:
- on implementing certification and audit programs for identity providers (OpenID or otherwise) covering reliability of authentication, security, and privacy safeguards
- on developing standards for machine-readable metadata describing what guarantees for the above specific identity providers offer and which minimum guarantees users, applications, or services require.
It will support (supports?) multiple protocols and authentications frameworks.
John and Nat described OpenID/Artifact Binding, a variant of OpenID that requires the UA to pass only opaque tokens between OP and RP, instead of the whole set of OpenID parameters. Instead, those get exchanged directly between OP and RP, using the opaque tokens as transaction IDs. This alleviates problems related to URL length and POST vs. GET redirection (which is more of a problem with HTTPS). They segued into something multiparty called Contract Exchange (CX) that (IIRC) is designed to do the same thing as AX (Attribute Exchange) for several sources in parallel (with appropriate cross-source privacy and isolation safeguards), and ended with JSON signing and encryption. All of those should have draft standards available by the end of 2010, if they don't already.
Some guy whose name I forgot discussed data ownership and Personal Data Stores. He first covered the current situation, with data duplicated and fragmented across services, and at the mercy of providers' and lawmakers' whim when it comes to privacy, integrity, or even continued existence. Then he discussed his solution: a personal data store consolidating all data about and produced by him (which would presumably include his own data contributed to social-network and social-media sites) and putting it under his own control and policies.
Other services would either query his personal data store as needed, or (maybe - I tuned out for a few minutes at this point because I was reviewing my own slides one last time) search it for possibly relevant offers they should send him - I think he meant that when he said adding a "fly to Tokyo" entry to his diary should trigger an offer from Japan Air Lines, as opposed to him having to go to their website. I don't know whether he also discussed privacy controls, or how to avoid being deluged with Viagra spam following a "Urologist appointment" diary entry.
Pau Amma (me) discussed application-level problems with renaming of OpenID identities and dealing with history, stored identities that are no longer current or became ambiguous, and similar niceties, The talk quickly turned into a discussion with John and Nat on which OpenID features or components would help solve which problem, and which parts would require extensions to OpenID. HTMLized or PDFized version of slides available upon request.
