Sovrin In-Depth Technical Review

Summary: Sovrin Foundation has engaged Engage Identity to perform a security review of Sovrin's technology and processes. Results will be available later this summer.
The Sovrin Foundation and Engage Identity announced a new partnership today. Security experts from Engage Identity will be completing an in-depth technical review of the Sovrin Foundation’s entire security architecture.

The Sovrin Foundation wants to be confident that the technology everyone depending on Sovrin relies on is secure. That technology protects many valuable assets, including private personal information and essential business data. As a result, we want to be fully aware of the risks and vulnerabilities in Sovrin. In addition, the Sovrin Foundation will benefit from having a roadmap for future security investment.

We're very happy to be working with Engage Identity, a leader in the security and identity industry. Established and emerging cryptographic identity protocols are one of their many areas of expertise, and they have experience providing security analysis and recommendations for identity frameworks.

The Engage Identity team is led by Sarah Squire, who has worked on user-centric open standards for many organizations including NIST, Yubico, and the OpenID Foundation. Sarah will be joined by Adam Migus and Alan Viars, both experienced authorities in the fields of identity and security.

The final report will be released this summer and will include a review of the current security architecture, as well as opportunities for future investment. We intend to make the results public. Anticipated subjects of in-depth research are:
  • Resilience to denial of service attacks
  • Key management
  • Potential impacts of a Sovrin-governed namespace
  • Minimum technical requirements for framework participants
  • Ongoing risk management processes
The Sovrin Foundation is excited to take this important step forward with Engage Identity to ensure that the future of self-sovereign identity management can thrive and grow.

An Archimedian Approach to Personal Power in the Land of Giants
On a mailing list that obsesses about All Things Networking, another member cited what he called “the Doc Searls approach” to something. Since it was a little off (though kind and well-intended), I responded with this (lightly edited):

The Doc Searls approach is to put as much agency as possible in the hands of individuals first, and self-organized groups of individuals second. In other words, equip demand to engage and drive supply on customers’ own terms and in their own ways.

This is supported by the wide-open design of TCP/IP in the first place, which at least models (even if providers don’t fully give us) an Archimedean place to stand, and a wide-open market for levers that help us move the world—one in which the practical distance between everyone and everything rounds to zero.

To me this is a greenfield that has been mostly fallow for the duration. There
Continue reading "An Archimedian Approach to Personal Power in the Land of Giants"

Thirty years ago today… and at last I knew Pittsburgh

This appeared in the Columbus Dispatch on Tuesday, May 19, 1987 on page B1…

“I didn’t expect to win,” said Sheila Richter of Minneapolis after taking top honors, or dishonors, in an annual bad writing contest that drew more than 10,000 entries. “I knew my entry was dreadful, but I didn’t know it was that dreadful.” Richter, who works at the University of Minnesota, wins a personal computer and “whatever public humiliation may come her way,” said Scott Rice, an English professor at San Jose State University and founder of the Bulwer-Lytton Fiction Contest. Richter’s winning entry reads: “The notes blatted skyward as the sun rose over the Canada geese, feathered rumps mooning the day, webbed appendages frantically pedaling unseen bicycles in their search for sustenance, driven by cruel Nature’s maxim, ‘ya wanna eat, ya gotta work,’ and at last I knew Pittsburgh.”

Clarified Security Considerations in Using RSA Algorithms with COSE Messages

A slightly updated version of the “Using RSA Algorithms with COSE Messages” specification has been published in preparation for IETF last call. The changes were:
  • Clarified the Security Considerations in ways suggested by Kathleen Moriarty.
  • Acknowledged reviewers.
The specification is available at: An HTML-formatted version is also available at:

Pragmatic Redux: Connecting to React

There is a lot to like or dislike about Redux, but let’s say the decision to use it has been made and now you need to understand Redux for professional reasons. This post is a good place to start, because your first question is most likely: how does my component get its data and react to changes in that data? Redux connects to React by wrapping it. The hype word is higher-order component, but in the end what you get after calling the react-redux function connect is a React component placed inside another to enhance or encapsulate it. Redux data is provided as properties by the wrapper component. The so-called mapStateToProps, the first function you pass to connect, decides which part of the Redux store should be passed as properties to the wrapped component. Changes are detected by the wrapper component, which listens to the Redux store. When a change occurs, the wrapper component re-renders the wrapped component. Concerns over irrelevant changes and
Continue reading "Pragmatic Redux: Connecting to React"
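The mechanism the post describes, as an added illustration that is not code from the post and not react-redux's or React's own implementation: a tiny store with subscribe/dispatch, a connect(mapStateToProps) wrapper that listens to the store, hands the selected slice to the wrapped component as properties, and re-renders it only when those mapped properties actually change. React rendering is replaced by plain functions that return strings so the example runs with no dependencies; the names createStore, connect and mapStateToProps mirror the Redux/react-redux API but are simplified re-implementations here, and the sample reducer and state are constructed for the demo.

```javascript
// Minimal model of how react-redux's connect() wires a store to a component.
// Added illustration only; simplified re-implementation, not the real library.

// A tiny Redux-like store: holds state, applies a reducer, notifies listeners.
function createStore(reducer, initialState) {
  let state = initialState;
  const listeners = new Set();
  return {
    getState: () => state,
    dispatch(action) {
      state = reducer(state, action);
      listeners.forEach((listener) => listener());
      return action;
    },
    subscribe(listener) {
      listeners.add(listener);
      return () => listeners.delete(listener);
    },
  };
}

// Shallow comparison of mapped props: the wrapper skips re-rendering the
// wrapped component when the slice it asked for did not change.
function shallowEqual(a, b) {
  const keysA = Object.keys(a);
  const keysB = Object.keys(b);
  if (keysA.length !== keysB.length) return false;
  return keysA.every((key) => Object.is(a[key], b[key]));
}

// connect(mapStateToProps)(Wrapped) returns a wrapper. Mounting it subscribes
// to the store, derives props from state via mapStateToProps, and renders the
// wrapped component with those props plus the caller's own props.
function connect(mapStateToProps) {
  return function wrap(Wrapped) {
    return function mount(store, ownProps = {}) {
      let lastProps = null;
      let renderCount = 0;
      let output = "";
      const render = () => {
        const props = { ...ownProps, ...mapStateToProps(store.getState(), ownProps) };
        if (lastProps !== null && shallowEqual(lastProps, props)) return; // irrelevant change
        lastProps = props;
        renderCount += 1;
        output = Wrapped(props);
      };
      render(); // initial render
      const unsubscribe = store.subscribe(render);
      return {
        getOutput: () => output,
        getRenderCount: () => renderCount,
        unsubscribe,
      };
    };
  };
}

// Constructed sample state with two slices; the component maps only `todos`.
function reducer(state, action) {
  switch (action.type) {
    case "todo/add":
      return { ...state, todos: [...state.todos, action.text] };
    case "user/rename":
      return { ...state, user: { name: action.name } };
    default:
      return state;
  }
}

// Stand-in for a React component: a function from props to rendered output.
const TodoList = (props) => `${props.title}: ${props.todos.join(", ")}`;

const mapStateToProps = (state) => ({ todos: state.todos });
const ConnectedTodoList = connect(mapStateToProps)(TodoList);

function demo() {
  const store = createStore(reducer, { todos: ["write"], user: { name: "ann" } });
  const instance = ConnectedTodoList(store, { title: "Todos" });
  store.dispatch({ type: "todo/add", text: "review" });   // relevant: re-renders
  store.dispatch({ type: "user/rename", name: "bob" });   // irrelevant: same todos reference, skipped
  instance.unsubscribe();
  store.dispatch({ type: "todo/add", text: "ignored" });  // after unmount: no render
  return { output: instance.getOutput(), renders: instance.getRenderCount() };
}
```

Running demo() renders twice in total: once on mount and once for the todo change; the user rename reaches the wrapper but is dropped by the shallow comparison because mapStateToProps returned the same todos array, which is the same reason real react-redux asks you to keep mapStateToProps cheap and its result referentially stable.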