Anyway, I have decided to pick up the virtual pen again. Maybe of interest is that I took up Eve Maler’s suggestion to join the XML Summer School in Oxford this month. I will be attending the full five day course with colleague Dipak. It looks like it’s going to be a lot of fun and it’s a chance for me to stop fiddling around with XML and web services and go a bit more professional.. Be warned, Internet!

Other things I will do this month?

• In two weeks I will be in Berlin again for a weekend visiting my girlfriend. So far I got a really good impression of Berlin. Lots of forests and lakes outside of the centre and an overall relaxed mood (and of course, German beer). It’s good, try it..
• I am going to take up regular blogging again. I am currently reading A Crowd Of One by John Clippinger. The book was recommended by the guys over at Burton Group for discussion at the Catalyst conference last week. Unfortunately, I’m not important enough to attend this kind of meetings, but that does not stop me from reading recommended books I have only read the first hundred pages, but I think it’s an excellend read if you want to know more about us, the human beings. I will probably post some comments about the book soon.

All the best in the meantime!

I’ve blogged a couple of times on two-factor authentication and managing identities locally (on a device). I will call this client side Identity Management (c-IdM). The obvious counterpart of this would be server side IdM (s-IdM?). Now, s-IdM is an area where a lot discussion takes place, especially via the blogosphere. Server side IdM is about managing and simplifying communication of your identity in the network, via a set of protocols (SAML2.0, OpenID, WS-Federation etc.) and entities called Identity Providers.

For me it’s interesting how these two ‘sides’ of IdM interact with each other:

As we strive to reduce sign on/authentication events by aggregating them via IdPs, strong authentication becomes much more important; impersonating the user at the IdP can grant access to multiple services! So, the more you federate your identity, the more you require strong authentication.

The multi-factor approach of the Identity OS (c-IdM!) is therefore fundamental for the success of federation and reduced sign on (s-IdM).

• Product proliferation. By standardizing an Identity OS and its interface it will become possible to deploy all the different two factor auth solutions on one platform and one interface. The Advanced Client standard seems a safe bet to me. Also think of a Cardspace-like GUI to select your credentials.
• User password management. A solution to the password problem would be to have one password to authenticate to the Identity OS. Users will most likely choose the same PINs/passwords for their different credentials anyway (or am I the only one who chooses the same PIN for my different SIMs?). This would still be two factor authentication as the credential on the Identity OS platform is something you have and the password to access it is something you know.
• Interoperability of authentication mechanisms. Mentioned before. Liberty Alliance’s Advanced Client specs could be the starting point.
• Cost effectiveness. A hardware token deployment is of course much more challenging and expensive than a simple software deployment; downloading a credential to the Identity OS is cost free!
• Password and software security. The security of the credentials and the software is dependent of the deployment of the Identity OS. As I mentioned in my previous approach, Cardspace and ICP are examples of an Identity OS with different levels of security; OS layer and device layer. The hardware approach sounds like the safest option, but care should be taken that applications making use of the credentials in the Identity OS should never release the credentials. The deployment of the credentials into the Identity OS is also of importance. Provisioning protocols have to support confidential supplier-to-Identity OS communication.

Based on these arguments a well implemented Identity OS should be able to remove the current challenges in two-factor authentication. Feel free to disagree with me on some of my points though!

I have been thinking lately about multi-factor authentication. Two factor authentication (a requirement for many critical systems) is frequently described as ‘something you know’ and ‘something you have’. On the Internet most applications apply single factor authentication in the form of username/password.

There are some examples of two factor authentication out there though. Banks have issues their customers with hardware tokens, while network operators use SIMs to access the network (in the SIM case the physical SIM is ‘something you have’ while the PIN serves as ‘something you know’).

All those second factors have one thing in common: it’s hardware dedicated to a limited set of applications on a ‘closed’ and proprietary platform. Wouldn’t it be great to have a single reusable platform for second factors?

This is where Microsoft Cardspace and Intel’s Identity Capable Platform come into the picture. I think both can be considered platforms for second factors, and both have different approaches. A second factor has to be ‘something you have’, which can be interpreted as ‘something that can’t be copied or stolen to some other place’. It basically implies that our customizable second factor platform is an environment where we can insert and remove credentials (the second factors), in a secure way.

• Cardspace qualifies as such an environment as it is able to add ‘Information Cards’ (second factor) and store/execute these securely. Cardspace also allows local user authentication through username/password (first factor) and in the future biometrics (third factor!). Microsoft were in an (obviously) unique position to do this the right way because they own the OS. A ‘normal’ application would be vulnerable to a large range of virus and malware threats, where an OS native application has more protections in place. Still, Cardspace is as secure as the operating system it is built in and time will tell if this is good enough to provide a second factor. It will definitely take some time to convince critical applications like online banking that Cardspace is trustworthy for multi-factor authentication.
• Intel’s ICP (and also ARM Trustzone) are hardware environments with a limited operating system that allow the inserting, executing and removing of credentials. These hardware platforms are able to do the same things as Cardspace but are implemented in silicon (therefore potentially more secure than Cardspace). These technologies rely on the security of hardware with a limited software functionality instead of the more general purpose operating system that is Windows.

In both cases the security of the whole credential life-cycle (protocols!) determines the level of trust people will have in the second factors provided by their platforms. Microsoft allows users to manually import their Information Card into the Cardspace Client, while the ICP is based on Liberty Alliance Advanced Client protocols.

This has lead me to believe that there should actually be an Identity OS, which is a set of functions that is just able to provide the right amount of identity related services (more on this in later posts). By keeping the functionality small, the risk of a vulnerability will be mitigated. This Identity OS could then be implemented either in silicon, on a USB dongle, an SD card or in the OS.

The Identity OS could solve interoperability issues with two-factor authentication and provide a uniform and extensible (mooooore factors) platform for identity management. Let me know what you think..

The whole idea of a software SIM comes from the following two points:

• First of all, SIM cards are an extremely convenient way to do authentication as they require minimal user interaction during the process of authentication; only a PIN suffices in most cases. We only use SIM cards to authenticate us to a network provider though.
• A SIM is basically an authentication application that is implemented in silicon during manufacturing. Because of this, the SIM’s functionality in under control by the manufacturers and the mobile operators. These parties have traditionally been very protective about their technology.

You’d say it makes a lot of sense to leverage its user friendliness for other purposes (e.g. online payment). In order to do that however we have to find ways of opening up or bypassing the manufacturing process. The big question is: how can we do that?

The answer is actually quite simple: delay the implementation of a SIM application in silicon until it is under the customer’s control.

To make this work we need a silicon-based (or similar) security environment that is customizable at any time. At the RSA conference Liberty Alliance workshop in February Intel, HP and two of my managers at BT demonstrated a proof-of-concept where a software credential was provisioned over the Internet to a user’s device. More importantly, the user device made use of a technology from Intel called Identity Capable Platform (ICP) that enabled the software credential to be protected by a silicon environment..

The provisioned software credential was ultimately used to access BT’s Wi-Fi network. The provisioning protocols are implemented by Intel and HP and are based on Liberty Alliance’s Advanced Client specifications. A technology like Intel’s ICP, coupled with secure provisioning protocols, enables an open SIM solution described before while sticking to the strict security requirements necessary.

More information on this and the demo can be found at:

• You can find BT’s (and Intel’s ICP) RSA conference slideset at the bottom of this Liberty Alliance page.
• Conor Cahill (Intel) frequently blogs about this.
• Telco2.0 with an interesting article.
• MWD Advisors with a post on Advanced Client.
  
• Network World coverage of Liberty Alliance’s Advanced Client and the RSA demo.

Loads of interesting discussion going on over the past couple of days and I’ve met a whole load of nice people. The good thing (for me!) is that I am finally starting to find my way around the verious issues and standards in the identity management area.  A lot of the people I’ve been working with in Liberty Alliance and people attending the Open Space are renowned bloggers and post regularly about all kinds of technical issues, about their work in IdM.. It more or less inspired me to try and do the same thing.

Therefore from this post onward the occasional work related items will show up in the midst of my travel pictures.. Let’s see how that goes

Oh yeah, regarding the subject of this post: it’s WARM here and air-conditioning is difficult..

I’ve been quite busy the last couple of weeks, both with my work (more Liberty Alliance stuff, very exciting!) and with my lovely girlfriend, Nadine. But anyway I’m making up for it now by (at long last) posting my adventures in India.

The trip last year November was awesome and most of the pictures speak for themselves. Have a look at my Picasaweb album (link below) where I put captions at some of the pictures.. More pictures will follow soon, because I think I only got Nerea’s pictures and my own.. JataPower: I need you!

The Big India Trip

Enjoy these and remember: more blog posts coming up:

• Trip to Bristol, Bath and Stratford-upon-Avon with Nadine (pictures are already available here)
• A new holiday coming up beginning of next month (will it be The Highlands or Ireland?)
• Brussels for the next Liberty Alliance meeting in April, looking forward to that one.

Cheerio then!

Mark

And now here I am on the West coast, on a business trip for BT. And you know what? I love it over here I have put up some pictures of my first two days in San Francisco on Picasaweb.

San Francisco

Today started with me putting on my suit for the Liberty 2.0 workshop.. I do still feel a bit out of place though as a young boy amongst all these ‘big guys’. These people know each other for a long time as Liberty Alliance started some 5 odd years ago.. I am sure though that I will feel a bit more comfortable over the next couple of days.. Still a lot of meeting new people to do! After the workshop today I decided to go out and explore the area around the hotel. I really like these little adventure trips, because you get to see a lot more of everyday USA life than when just staying in the hotel lobby for the evening. (Duh) Some observations:

• Every american has a huuuge car. They all look like bloody Canyoneros

• Every road has a minimum of 5 lanes it seems.. Wow, wish we could afford this luxury in Holland, but sadly enough, we don’t have enough land to do that! Hmmm, we can always dig up some more ocean..

• I have become a fan of the Starbucks culture. Even in Ipswich I have ditched Cafe Nero and Costa in favour of Starbucks.. The coffees and frappucinos are nice and I just like the overall atmosphere over there. There’s a Starbucks here at the corner of every street. Cool.

• I have finally seen a lot of the candies, drinks and cookies from Seinfeld.. The Junior Mints and Snapples! They really do exist! I love seeing those things you know, being a big Seinfeld fan.

• I had dinner in a pizzaria called Amici.. Everything looked quite Italian, but Marcello would definitely tell me it had nothing at all to do with Italy! The pancetta was just… wrong The thing that I really liked though was the fact that they ‘boxed up’ my leftovers. So cool. I just finished the ‘doggie bag’ a couple of minutes ago in my hotel room. It’s really good and again: seen it on Seinfeld and now in real life. Perhaps something to consider in Europe? As the waiter told me: “you pay for it so it’s only fair to be able to take it home with you!”.

• What is up with giving all those tips all the time. I have no clue how much I should tip these people. I am currently giving between 10 and 15 %. Any good?

So here I am now typing up this whole story from my comfy sofa in my hotel room. I think I like this travelling on my own.. You can just see so much and get so many great impressions when wandering around the streets of California. Oh and yes, it does indeed help a lot that it is warm and sunny over here. It’s January and 18 degrees, woooooo! All in all, I am enjoying San Francisco and can thus far only agree: God Bless America.

More from me at a later stage.. Ciaaao

I’ve decided to go with a whole new approach though! My previous blog posts tried to cover work, life, hobbies, travelling and what more. It was simply too much. Plus, I wanted to post something every day even though I did not really have anything to blog about. Such a schedule requires a great deal of creativity which I am sadly lacking at this moment. 

The new blog format will be purely based on my travel experiences. The last two months I have been to India, Austria, Slovenia and now San Francisco.. That’s good isn’t it? I really love this lifestyle too… I’ve got so many stories to tell and pictures to show about all of these trips and what better than to use my blog for this purpose. I will start today with a post about my stay here in San Francisco.. Who knows what happens next. Heck I might even write something about my India trip and New Years eve in Ljubljana at some point.

As my good friend Robert Jordan would say: RAFO (“read and find out”, he didn’t like all of his nosy fans asking questions about what would happen in the next dozen books of “Wheel Of Time” apparently)