IIW - User contributions [en]

What do regular web devs need to know about ID

2010-05-19T15:03:35Z

Laurel Fan: Created page with ''''Monday – Session 3 - E''' * Convener: Laurel Fan * Notes-taker(s): Laurel Fan ==Discussion notes, key understandings, outstanding questions, observations, and, if appropri...'

'''Monday – Session 3 - E'''

* Convener: Laurel Fan
* Notes-taker(s): Laurel Fan

==Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps==

This was a small session -- not a lot of solutions, mostly statement of the problem (and some free association...)

Most regular web devs don't care about identity. They care about what identity enables, such as:
* putting a user's action/content into buckets
* acting as the user on another service (post to facebook wall)
* getting information about a user (name, photo, friends list)
** to personalize content
** so the user can give you this information without filling in another form

Single sign on isn't that attractive by itself. It's easy to maintain your own username/password, email verification etc. There's a library for that. It's hard to depend on other sites, and explain this to the user (Do we need an I forgot my OpenID button?)

If there's a library, people will use it. Better if it's built into PHP, Rails, etc. (Oauth seems to have learned this)

Voluntary Oblivious Compliance

2010-05-19T14:39:10Z

Laurel Fan:

* Download slides: [[File:M_2E_VoluntaryObliviousCompliance.ppt]]
* [http://docs.google.com/viewer?url=http%3A%2F%2Fiiw.idcommons.net%2Fimages%2Fb%2Fbc%2FM_2E_VoluntaryObliviousCompliance.ppt View in Google docs viewer]

Voluntary Oblivious Compliance

2010-05-19T14:38:51Z

Laurel Fan: Created page with 'Download slides: File:M_2E_VoluntaryObliviousCompliance.ppt [http://docs.google.com/viewer?url=http%3A%2F%2Fiiw.idcommons.net%2Fimages%2Fb%2Fbc%2FM_2E_VoluntaryObliviousCompl...'

Download slides: [[File:M_2E_VoluntaryObliviousCompliance.ppt]]
[http://docs.google.com/viewer?url=http%3A%2F%2Fiiw.idcommons.net%2Fimages%2Fb%2Fbc%2FM_2E_VoluntaryObliviousCompliance.ppt View in Google docs viewer]

File:M 2E VoluntaryObliviousCompliance.ppt

2010-05-19T14:35:41Z

Laurel Fan: Powerpoint slides for the "Voluntary Oblivious Compliance" session

Powerpoint slides for the "Voluntary Oblivious Compliance" session

P2P Network Version Vega

2010-05-19T14:33:10Z

Laurel Fan: Created page with ''''Issue/Topic:''' P2P Networks Version Vega '''Monday – Session 2 - F''' '''Convener:''' Markus '''Notes-taker(s):''' dsearis '''Discussion notes, key understandin...'

'''Issue/Topic:''' P2P Networks Version Vega

'''Monday – Session 2 - F'''

'''Convener:''' Markus

'''Notes-taker(s):''' dsearis

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

There are three architectures.

Centralaized... FB, Twitter, passport

Decentralized, Server-based, somewhat distributed... PDX, OpenID

Distributed. Meshable. No servers. Computer to computer. Like bittorrent. This is VersionVega.

Look up peeople by i-names. Yes, i-names need a centralized registry, but it's possible to store these in the network itself. People have done it. I havewnt' done it yet. For example: CSpace.

Demo with two machines, one Windows, one Mac.

Windows machine has a background system that exposes the api and servces, he can access the api and background. Needs TCP and UDP.

Two apps, customlight and Restarbot. Launches Customlight, which is the main browser app. Distrib net with five proxies. There is the concept of a node runlevel. Choice to start a new network or connect to an existing one.

''Andy:'' It's not an XRI lookup, but a local lookup of the = name.

At the high level there is an XDI store. Strong certification. Based on RDF triples. Can store XDI statements in a distributed way.

The one weak point of the story is that i-Names are centralized.

The point of using i-names is so everybody can use a private/public key pair. Once they start communicating the session uses noting from i-names. A piece of data may end up being stored on multiple nodes by replication.

''Andy:'' what if the network goes down, wher eis it?

''Markus:'' gone. Think of the data as in the network,

''Drummond:'' Lead access with link contracts?

''Markus:'' no.

Storage is one of two major functions that the network provides. The other is simple messaging,. I can send messages between individual nodes.

Built into the network is the concept of groups or multicasting. Members can send messages to any or all of those in a given group.

This one is build on XULrunner. So running this is very similar to running a firefox connection. The extention manager looks like Firefox's .

Showed a voting mechanism.

''Mary Rundle:'' what about Malware?

Using a library called Freepastry, which has a lot of protection and intelligence.

Open Source? Haven't thought about it.

Recovering a Lost Identity

2010-05-19T14:30:14Z

Laurel Fan: /* Can we do better than Email? */

''Can we do better than Email?''

'''Session:''' Monday Session 2 Space D

'''Convener:''' Michael Sprague

'''Notes-taker(s):''' Michael Sprague

'''Tags for the session - technology discussed/ideas considered:'''
multi-factor authentication, strong authentication, recovery, legal

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

Lively discussion… a dozen or so participants… many open questions…

As the value of services on the web grows, i.e. SaaS, banking, etc., the value of the identity used to access those services grows. Also, as identity providers emerge to assert identity across multiple relying parties, the compromise of a single identity grows in importance.

The two systems used today for identity recovery are email and secret questions. Both are easily compromised. Secret questions (i.e. what high-school did you attend) were particularly ridiculed. Most answers can be easily found through a web search.

These systems, however, developed out of a need to keep costs down. Having help desk personnel engage a customer to recover a password for a free email service is cost-prohibitive.

Perhaps recovery of a lost ID could be a chargeable transaction. Some reacted to this notion as if it could be exploited as a form of blackmail. On the other hand, a user could pre-establish a method of recovery and commit to such a charge when opening an account. This is more palatable. If one forewent this option the identity could be unrecoverable.

Recovery is a back-door to authentication and thus should be commensurate with the strength of the original authentication. If my authentication is level 2 my recovery procedure should similarly be at level 2.

Within an organization the policy is usually, go talk to your admin, who likely can verify your identity and re-issue access. On the open Internet this is not an available procedure.

Of course a way to establish recovery is to link authentications. When more than one form of authentication can access an account then secondary access can be used if primary access is lost. Barring this what is the legal process? Can it be standardized?

Many examples were explored. An admin with the only access to critical company data in a cloud service gets hit by a bus. The CFO will go through legal channels to gain access to this account. Perhaps this is something that can develop into standard and accepted procedures ...essentially an out-of-band counterpart to a technical authentication mechanism.

Recovering a Lost Identity

2010-05-19T14:29:55Z

Laurel Fan: /* Recovering a lost identity. Can we do better than Email? */

==Can we do better than Email?==

'''Session:''' Monday Session 2 Space D

'''Convener:''' Michael Sprague

'''Notes-taker(s):''' Michael Sprague

'''Tags for the session - technology discussed/ideas considered:'''
multi-factor authentication, strong authentication, recovery, legal

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

Lively discussion… a dozen or so participants… many open questions…

As the value of services on the web grows, i.e. SaaS, banking, etc., the value of the identity used to access those services grows. Also, as identity providers emerge to assert identity across multiple relying parties, the compromise of a single identity grows in importance.

The two systems used today for identity recovery are email and secret questions. Both are easily compromised. Secret questions (i.e. what high-school did you attend) were particularly ridiculed. Most answers can be easily found through a web search.

These systems, however, developed out of a need to keep costs down. Having help desk personnel engage a customer to recover a password for a free email service is cost-prohibitive.

Perhaps recovery of a lost ID could be a chargeable transaction. Some reacted to this notion as if it could be exploited as a form of blackmail. On the other hand, a user could pre-establish a method of recovery and commit to such a charge when opening an account. This is more palatable. If one forewent this option the identity could be unrecoverable.

Recovery is a back-door to authentication and thus should be commensurate with the strength of the original authentication. If my authentication is level 2 my recovery procedure should similarly be at level 2.

Within an organization the policy is usually, go talk to your admin, who likely can verify your identity and re-issue access. On the open Internet this is not an available procedure.

Of course a way to establish recovery is to link authentications. When more than one form of authentication can access an account then secondary access can be used if primary access is lost. Barring this what is the legal process? Can it be standardized?

Many examples were explored. An admin with the only access to critical company data in a cloud service gets hit by a bus. The CFO will go through legal channels to gain access to this account. Perhaps this is something that can develop into standard and accepted procedures ...essentially an out-of-band counterpart to a technical authentication mechanism.

Recovering a Lost Identity

2010-05-19T14:29:20Z

Laurel Fan:

=Recovering a lost identity. Can we do better than Email?=

'''Session:''' Monday Session 2 Space D

'''Convener:''' Michael Sprague

'''Notes-taker(s):''' Michael Sprague

'''Tags for the session - technology discussed/ideas considered:'''
multi-factor authentication, strong authentication, recovery, legal

'''Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:'''

Lively discussion… a dozen or so participants… many open questions…

As the value of services on the web grows, i.e. SaaS, banking, etc., the value of the identity used to access those services grows. Also, as identity providers emerge to assert identity across multiple relying parties, the compromise of a single identity grows in importance.

The two systems used today for identity recovery are email and secret questions. Both are easily compromised. Secret questions (i.e. what high-school did you attend) were particularly ridiculed. Most answers can be easily found through a web search.

These systems, however, developed out of a need to keep costs down. Having help desk personnel engage a customer to recover a password for a free email service is cost-prohibitive.

Perhaps recovery of a lost ID could be a chargeable transaction. Some reacted to this notion as if it could be exploited as a form of blackmail. On the other hand, a user could pre-establish a method of recovery and commit to such a charge when opening an account. This is more palatable. If one forewent this option the identity could be unrecoverable.

Recovery is a back-door to authentication and thus should be commensurate with the strength of the original authentication. If my authentication is level 2 my recovery procedure should similarly be at level 2.

Within an organization the policy is usually, go talk to your admin, who likely can verify your identity and re-issue access. On the open Internet this is not an available procedure.

Of course a way to establish recovery is to link authentications. When more than one form of authentication can access an account then secondary access can be used if primary access is lost. Barring this what is the legal process? Can it be standardized?

Many examples were explored. An admin with the only access to critical company data in a cloud service gets hit by a bus. The CFO will go through legal channels to gain access to this account. Perhaps this is something that can develop into standard and accepted procedures ...essentially an out-of-band counterpart to a technical authentication mechanism.

Recovering a Lost Identity

2010-05-19T14:27:31Z

Laurel Fan:

*Issue/Topic:* Recovering a lost identity. Can we do better than Email

*Session:* Monday Session 2 Space D

*Convener:* Michael Sprague

*Notes-taker(s):* Michael Sprague

*Tags for the session - technology discussed/ideas considered:*

multi-factor authentication, strong authentication, recovery, legal

*Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:*

Lively discussion… a dozen or so participants… many open questions…

As the value of services on the web grows, i.e. SaaS, banking, etc., the value of the identity used to access those services grows. Also, as identity providers emerge to assert identity across multiple relying parties, the compromise of a single identity grows in importance.

The two systems used today for identity recovery are email and secret questions. Both are easily compromised. Secret questions (i.e. what high-school did you attend) were particularly ridiculed. Most answers can be easily found through a web search.

These systems, however, developed out of a need to keep costs down. Having help desk personnel engage a customer to recover a password for a free email service is cost-prohibitive.

Perhaps recovery of a lost ID could be a chargeable transaction. Some reacted to this notion as if it could be exploited as a form of blackmail. On the other hand, a user could pre-establish a method of recovery and commit to such a charge when opening an account. This is more palatable. If one forewent this option the identity could be unrecoverable.

Recovery is a back-door to authentication and thus should be commensurate with the strength of the original authentication. If my authentication is level 2 my recovery procedure should similarly be at level 2.

Within an organization the policy is usually, go talk to your admin, who likely can verify your identity and re-issue access. On the open Internet this is not an available procedure.

Of course a way to establish recovery is to link authentications. When more than one form of authentication can access an account then secondary access can be used if primary access is lost. Barring this what is the legal process? Can it be standardized?

Many examples were explored. An admin with the only access to critical company data in a cloud service gets hit by a bus. The CFO will go through legal channels to gain access to this account. Perhaps this is something that can develop into standard and accepted procedures ...essentially an out-of-band counterpart to a technical authentication mechanism.

Recovering a Lost Identity

2010-05-19T14:25:48Z

Laurel Fan: Created page with 'Issue/Topic: Recovering a lost identity. Can we do better than Email Session: Day – Number - Space Location _Monday – Session 2 - D Convener: Michael Sprague Notes-tak...'

Issue/Topic: Recovering a lost identity. Can we do better than Email

Session: Day – Number - Space Location _Monday – Session 2 - D

Convener: Michael Sprague

Notes-taker(s): Michael Sprague

Tags for the session - technology discussed/ideas considered:
multi-factor authentication, strong authentication, recovery, legal

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Lively discussion… a dozen or so participants… many open questions…

As the value of services on the web grows, i.e. SaaS, banking, etc., the value of the identity used to access those services grows. Also, as identity providers emerge to assert identity across multiple relying parties, the compromise of a single identity grows in importance.

The two systems used today for identity recovery are email and secret questions. Both are easily compromised. Secret questions (i.e. what high-school did you attend) were particularly ridiculed. Most answers can be easily found through a web search.

These systems, however, developed out of a need to keep costs down. Having help desk personnel engage a customer to recover a password for a free email service is cost-prohibitive.

Perhaps recovery of a lost ID could be a chargeable transaction. Some reacted to this notion as if it could be exploited as a form of blackmail. On the other hand, a user could pre-establish a method of recovery and commit to such a charge when opening an account. This is more palatable. If one forewent this option the identity could be unrecoverable.

Recovery is a back-door to authentication and thus should be commensurate with the strength of the original authentication. If my authentication is level 2 my recovery procedure should similarly be at level 2.

Within an organization the policy is usually, go talk to your admin, who likely can verify your identity and re-issue access. On the open Internet this is not an available procedure.

Of course a way to establish recovery is to link authentications. When more than one form of authentication can access an account then secondary access can be used if primary access is lost. Barring this what is the legal process? Can it be standardized?

Many examples were explored. An admin with the only access to critical company data in a cloud service gets hit by a bus. The CFO will go through legal channels to gain access to this account. Perhaps this is something that can develop into standard and accepted procedures ...essentially an out-of-band counterpart to a technical authentication mechanism.