Summary: I spent almost two weeks talking with people about self-sovereign identity in Switzerland and India. I'm more excouraged than ever that self-sovereign identity holds the key to real change in how we live our digital lives with security, privacy, and dignity.
I'm just finishing up my travel to Switzerland and India to talk about self-sovereign identity. The trip was amazing and full of interesting and important conversatons.
The TechCrunch event in Zug was very good. I was skeptical of a one-day conference with so much happening in a short time, but thanks to great preparation by those running the show and all the participants, it exceeded my expectations in every way. I spoke on a panel with Sam Cassatt of and Guy Zyskind from Enigma. Samantha Rosestein was the moderator.
But it was the conversations I had with people at the event that really made it interesting. Self-sovereign identity Continue reading "Exploring Self-Sovereign Identity in India"
Well, in a twist of fate that I am still bemused by, I am in Microsoft-land now and this fact has led me inevitably to my first Windows install since about 2008. It went pretty well, except that I didn’t have the recovery key for the previous installation, so had to do a scratch install. You’d think it would be easy, since they give you a tool that does all the hard work! All you need is a USB drive of at least 8gb to become the installation media.
But then you put in your larger-than-8gb USB drive and the program says “Your USB must be at least 8gb!!”. You reformat, you think “Maybe I need FAT32”, etc. No luck. All roads lead to the mysterious 8gb error, even when your USB drive is empty and large.
So you look online, and the forums Continue reading "Window Media Creation Tool 8gb Error"
The Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:
This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.
SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security Continue reading "Security Event Token (SET) is now RFC 8417"
This is the situation at Newark Airport right now:
Those blobs are thunderstorms. The little racetrack in upstate New York is an inbound flight from Lisbon in a holding pattern.
Follow the link under that screen shot. Interesting to see, in close to real time, how flights on approach and departure dodge heavy weather.
I’ll be flying out of there in a few hours myself, to India, for the firs time. Should be fun.
And the same goes for California’s AB-375 privacy bill.
The GDPR has been in force since May 25th, and it has done almost nothing to stop websites that make money from tracking-based-advertising stop participating in the tracking of readers. Instead almost all we’ve seen so far are requests for from websites to keep doing what they’re doing.
Only worse. Because now when you click “Accept” under an interruptive banner saying the site’s “cookies and other technologies collect data to enhance your experience and personalize the content and advertising you see,” you’ve just consented to being spied on. And they’re covered. They can carry on with surveillance-as-usual.
Score: Adtech 1, privacy 0.
Or so it seems. So far.
Are there any examples of publications that aren’t participating in #adtech’s spy game? Besides Linux Journal?
Summary: In July I'll be circling the globe to talk about self-sovereign identity and learn about how others are approaching and using it.
The first half of July I'm going to be on the road speaking about self-sovereign identity in Switzerland and at two events in India. This is my first time in Switzerland and India, so I'm looking forward to the trip and meeting lots of interesting people.
The event in Zug is the TC Sessions: Blockchain 2018 event on July 6th. I'll be speaking on self-sovereign identity in an afternoon session.
There are two events the following week in India. The first is the IEEE-SA InDITA Conference in Bangalore on July 10-11. DITA stands for "Digital Inclusion through Trust and Agency" and I like that theme. The Internet Identity Workshop organizers, Kaliya Young, Doc Searls, Heidi Saul, and myself, are helping organize this event, so it will be Continue reading "Identity and India"
The OpenID Connect Token Bound Authentication specification has been updated in response to developer feedback and in anticipation of the IETF Token Binding specifications finishing. Changes were:
- Adjusted the metadata to indicate supported confirmation method hash algorithms for Token Binding IDs in ID Tokens.
- Updated references for draft-ietf-tokbind-protocol to -19, draft-ietf-tokbind-https to -17, draft-ietf-oauth-token-binding to -07, and draft-ietf-oauth-discovery to -10.
- Explicitly stated that the base64url encoding of the “
tbh” value doesn’t include any trailing pad characters, line breaks, whitespace, etc.
(The representation of the Token Binding ID in the ID Token is unchanged.)
Thanks to Brian Campbell for doing the editing for this draft.
The specification is available at:
A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:
Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.
The specification is available at:
An HTML-formatted version is also available at:
The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:
This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.
The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.
Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.
Thanks to all of Continue reading "OAuth 2.0 Authorization Server Metadata is now RFC 8414"
I’m trying to keep my travel schedule fairly light so I can finish the book, but here’s what’s coming up:
- June 29- July 1: CSST Decennial Sociotech Futures Symposium – Ann Arbor, Michigan
- Two personal trips to NYC in July, one including a dissertation defense
- October 10-13: AOIR in Montreal; participating in the Early Career workshop and presenting on a great panel on disinfo featuring me, Sam Woolley, Francesca Tripodi and Caroline Jack
- October 27-28: Locked out of Social Platforms: An iCS Symposium on Challenges to Studying Disinformation (IT University, Copenhagen, Denmark) – keynote
- November 2: “My Mother Was a Computer”: Legacies of Gender and Technology” digital humanities symposium at William & Mary, Williamsburg, VA
I gave the following presentation during the June 2018 Identiverse Conference:
Action items included:
In Chatbots were the next big thing: what happened?, Justin Lee (@justinleejw) nicely unpacks how chatbots were overhyped to begin with and continue to fail their Turing tests, especially since humans in nearly all cases would rather talk to humans than to mechanical substitutes.
There’s also a bigger and more fundamental reason why bots still aren’t a big thing: we don’t have them. If we did, they’d be our robot assistants, going out to shop for us, to get things fixed, or to do whatever.
Why didn’t we get bots of our own?
I can pinpoint the exact time and place where bots of our own failed to happen, and all conversation and development went sideways, away from the vector that takes us to bots of our own (hashtag: #booo), and instead toward big companies doing more than ever to deal with us robotically, mostly to Continue reading "What’s wrong with bots is they’re not ours"
Summary: Multi-source identity systems like Sovrin enabled richer digital identity transactions that mirror the decentralized, ad hoc nature of identity in the physical world.
In the physical world, people collect and manage identity credentials1 from various sources including governments, financial institutions, schools, businesses, family, colleagues, and friends. They also assert information themselves. These various credentials serve different purposes. People collect them and present them in various contexts. When presented, the credential verifier is free to determine whether to trust the credential or not.
Online, identity doesn't work that way. Online identity has traditionally been single-source and built for specific purposes. Online, various, so-called "identity providers" authenticate people using usernames and passwords and provide a fixed, usually limited set of attributes about the subject of the identity transaction. The identity information from these systems is usually used within a specific, limited context. Social login allows it to be used across Continue reading "Multi-Source Identity"
The OAuth Device Flow specification (full name “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices”) has been updated to address comments received to date from the IETF last call. Thanks to William Denniss for taking the pen for this set of revisions. Changes were:
- Added a missing definition of access_denied for use on the token endpoint.
- Corrected text documenting which error code should be returned for expired tokens (it’s “expired_token”, not “invalid_grant”).
- Corrected section reference to RFC 8252 (the section numbers had changed after the initial reference was made).
- Fixed line length of one diagram (was causing xml2rfc warnings).
- Added line breaks so the URN grant_type is presented on an unbroken line.
- Typos fixed and other stylistic improvements.
The specification is available at:
An HTML-formatted version is also available at:
This is what greets me when I go to the Washington Post site from here in Germany:
So you can see it too, wherever you are, here’s the URL I’m redirected to on Chrome, on Firefox, on Safari and on Brave. All look the same except for Brave, which shows a blank page.
Note that last item in the Premium EU Subscription column: “No on-site advertising or third-party tracking.”
Ponder for a moment how the Sunday (or any) edition of the Post‘s print edition would look with no on-paper advertising. It would be woefully thin and kind of worthless-looking. Two more value-adds for advertising in the print edition:
- It doesn’t track readers, which is the sad and broken norm for newspapers and magazines in the online world—a norm now essentially outlawed by the GDPR, and surely the reason the Post is running this offer.
- It sponsors Continue reading "Wanted: Online Pubs Doing Real (and therefore GDPR-compliant) Advertising"
I gave the well-received presentation “Deprecating the Password: A Progress Report” at the May 2018 European Identity and Cloud Conference (EIC). The presentation is available as PowerPoint (large because of the embedded video) and PDF.
The presentation abstract is:
If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an ear-full. People intuitively know that there has to be something better than having to have a password for everything they do!
The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook, Continue reading "Deprecating the Password: A Progress Report"
This week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series awards recognizing the value and impact of OpenID Connect and certification of its implementations.
On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:
My Continue reading "Ongoing recognition for the impact of OpenID Connect and OpenID Certification"
In The Big Short, investor Michael Burry says “One hallmark of mania is the rapid rise in the incidence and complexity of fraud.” (Burry shorted the mania- and fraud-filled subprime mortgage market and made a mint in the process.)
One would be equally smart to bet against the mania for the tracking-based form of advertising called adtech.
Since tracking people took off in the late ’00s, adtech has grown to become a four-dimensional shell game played by hundreds (or, if you include martech, thousands) of companies, none of which can see the whole mess, or can control the fraud, malware and other forms of bad acting that thrive in the midst of it.
And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor Continue reading "GDPR will pop the adtech bubble"