Exploring Self-Sovereign Identity in India

Summary: I spent almost two weeks talking with people about self-sovereign identity in Switzerland and India. I'm more encouraged than ever that self-sovereign identity holds the key to real change in how we live our digital lives with security, privacy, and dignity.

Visiting a fertilizer distribution center near Vijayawada to see Aadhaar in action

I'm just finishing up my travel to Switzerland and India to talk about self-sovereign identity. The trip was amazing and full of interesting and important conversations.

The TechCrunch event in Zug was very good. I was skeptical of a one-day conference with so much happening in a short time, but thanks to great preparation by those running the show and all the participants, it exceeded my expectations in every way. I spoke on a panel with Sam Cassatt of and Guy Zyskind from Enigma. Samantha Rosestein was the moderator.

But it was the conversations I had with people at the event that really made it interesting. Self-sovereign identity Continue reading "Exploring Self-Sovereign Identity in India"

Window Media Creation Tool 8gb Error

Well, in a twist of fate that I am still bemused by, I am in Microsoft-land now and this fact has led me inevitably to my first Windows install since about 2008. It went pretty well, except that I didn’t have the recovery key for the previous installation, so had to do a scratch install. You’d think it would be easy, since they give you a tool that does all the hard work! All you need is a USB drive of at least 8gb to become the installation media.

But then you put in your larger-than-8gb USB drive and the program says “Your USB must be at least 8gb!!”. You reformat, you think “Maybe I need FAT32”, etc. No luck. All roads lead to the mysterious 8gb error, even when your USB drive is empty and large.

So you look online, and the forums Continue reading "Window Media Creation Tool 8gb Error"

Security Event Token (SET) is now RFC 8417

The Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:

This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.

SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security Continue reading "Security Event Token (SET) is now RFC 8417"
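As an added illustration (not code from the post or from the RFC), the Python below builds a minimal HS256-signed SET carrying the Back-Channel Logout event mentioned above and shows the checks a receiver should make before acting on one: the signature, the `secevent+jwt` type that keeps ordinary ID or access tokens from being accepted as events, the `iss`, `iat`, `jti` and `events` claims that RFC 8417 requires, and the audience. The HMAC key and the issuer and receiver URLs are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
# Constructed demo key; real issuers sign with their own (usually asymmetric) key.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
SET_TYP = "secevent+jwt"  # explicit JWT type for SETs, per RFC 8417

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as JWS requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_set(issuer, audience, event_uri, event_payload, extra_claims=None, key=DEMO_KEY):
    """Build an HS256-signed SET carrying one event under the 'events' claim."""
    header = {"alg": "HS256", "typ": SET_TYP}
    claims = {"iss": issuer, "aud": audience, "iat": int(time.time()),
              "jti": uuid.uuid4().hex,  # unique id lets receivers detect replayed SETs
              "events": {event_uri: event_payload}}
    claims.update(extra_claims or {})  # e.g. "sub" or "sid" for a logout token
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_set(token, expected_issuer, expected_audience, key=DEMO_KEY):
    """Check signature, SET type and the claims RFC 8417 requires; return the events object."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(head_b64))
    # Refusing anything but typ=secevent+jwt keeps ID/access tokens from being accepted as events.
    if header.get("alg") != "HS256" or header.get("typ") != SET_TYP:
        raise ValueError("not a SET (unexpected alg or typ)")
    claims = json.loads(b64url_decode(claims_b64))
    for required in ("iss", "iat", "jti", "events"):
        if required not in claims:
            raise ValueError(f"missing required claim {required}")
    if claims["iss"] != expected_issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("SET not addressed to this receiver")
    if not isinstance(claims["events"], dict) or not claims["events"]:
        raise ValueError("events must be a non-empty JSON object")
    return claims["events"]
```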

When a thunderstorm appears right on top of an airport

This is the situation at Newark Airport right now:

Those blobs are thunderstorms. The little racetrack in upstate New York is an inbound flight from Lisbon in a holding pattern.

Follow the link under that screen shot. Interesting to see, in close to real time, how flights on approach and departure dodge heavy weather.

I’ll be flying out of there in a few hours myself, to India, for the first time. Should be fun.

Without enforcement, the GDPR is a fail

And the same goes for California’s AB-375 privacy bill.

The GDPR has been in force since May 25th, and it has done almost nothing to stop websites that make money from tracking-based advertising from participating in the tracking of readers. Instead, almost all we’ve seen so far are requests from websites to keep doing what they’re doing.

Only worse. Because now when you click “Accept” under an interruptive banner saying the site’s “cookies and other technologies collect data to enhance your experience and personalize the content and advertising you see,” you’ve just consented to being spied on. And they’re covered. They can carry on with surveillance-as-usual.

Score: Adtech 1, privacy 0.

Or so it seems. So far.

Are there any examples of publications that aren’t participating in #adtech’s spy game? Besides Linux Journal?


Identity and India

Summary: In July I'll be circling the globe to talk about self-sovereign identity and learn about how others are approaching and using it.

Aadhaar enrollment drive at Bareilly, UP, India

The first half of July I'm going to be on the road speaking about self-sovereign identity in Switzerland and at two events in India. This is my first time in Switzerland and India, so I'm looking forward to the trip and meeting lots of interesting people.

The event in Zug is the TC Sessions: Blockchain 2018 event on July 6th. I'll be speaking on self-sovereign identity in an afternoon session.

There are two events the following week in India. The first is the IEEE-SA InDITA Conference in Bangalore on July 10-11. DITA stands for "Digital Inclusion through Trust and Agency" and I like that theme. The Internet Identity Workshop organizers, Kaliya Young, Doc Searls, Heidi Saul, and I, are helping organize this event, so it will be Continue reading "Identity and India"

OpenID Connect Token Binding Specification Updated

The OpenID Connect Token Bound Authentication specification has been updated in response to developer feedback and in anticipation of the IETF Token Binding specifications finishing. Changes were:

  • Adjusted the metadata to indicate supported confirmation method hash algorithms for Token Binding IDs in ID Tokens.
  • Updated references for draft-ietf-tokbind-protocol to -19, draft-ietf-tokbind-https to -17, draft-ietf-oauth-token-binding to -07, and draft-ietf-oauth-discovery to -10.
  • Explicitly stated that the base64url encoding of the “tbh” value doesn’t include any trailing pad characters, line breaks, whitespace, etc.

(The representation of the Token Binding ID in the ID Token is unchanged.)

Thanks to Brian Campbell for doing the editing for this draft.

The specification is available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing WGLC comments

A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

An HTML-formatted version is also available at:

OAuth 2.0 Authorization Server Metadata is now RFC 8414

The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.

Thanks to all of Continue reading "OAuth 2.0 Authorization Server Metadata is now RFC 8414"
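As an added example (not code from the post or from the RFC), this Python shows the two client-side steps the RFC 8414 metadata format involves: forming the `/.well-known/oauth-authorization-server` URL from an issuer identifier, and validating the returned document, in particular the rule that the `issuer` value must be identical to the issuer used to build the URL before any of the metadata is used. The issuer and endpoint URLs are constructed sample values.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414 well-known path component

def metadata_url(issuer: str) -> str:
    """Insert the well-known string between host and path of the issuer identifier (RFC 8414 section 3)."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return urlunsplit(("https", parts.netloc, WELL_KNOWN + parts.path.rstrip("/"), "", ""))

def validate_metadata(issuer: str, document: str) -> dict:
    """Parse a fetched metadata document and apply the checks a client must make before using it."""
    meta = json.loads(document)
    # RFC 8414 section 3.3: 'issuer' MUST equal the issuer identifier used to build the URL,
    # otherwise the response MUST NOT be used. This stops one server posing as another.
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch: metadata must not be used")
    if "response_types_supported" not in meta:
        raise ValueError("response_types_supported is required")
    # Defaults when grant_types_supported is absent, as the spec defines them.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if ("authorization_code" in grants or "implicit" in grants) and "authorization_endpoint" not in meta:
        raise ValueError("authorization_endpoint required for redirect-based grants")
    if grants != ["implicit"] and "token_endpoint" not in meta:
        raise ValueError("token_endpoint required unless only implicit is supported")
    for key, value in meta.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and urlsplit(value).scheme != "https":
            raise ValueError(f"{key} must be an https URL")
    return meta

# Constructed sample document, as a server at https://as.example.com/tenant1 might serve it.
SAMPLE_ISSUER = "https://as.example.com/tenant1"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://as.example.com/tenant1/jwks.json",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
})
```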

Travel updates 2018

I’m trying to keep my travel schedule fairly light so I can finish the book, but here’s what’s coming up:

  • June 29-July 1: CSST Decennial Sociotech Futures Symposium – Ann Arbor, Michigan
  • Two personal trips to NYC in July, one including a dissertation defense 🙂
  • October 10-13: AOIR in Montreal; participating in the Early Career workshop and presenting on a great panel on disinfo featuring me, Sam Woolley, Francesca Tripodi and Caroline Jack
  • October 27-28: Locked out of Social Platforms: An iCS Symposium on Challenges to Studying Disinformation (IT University, Copenhagen, Denmark) – keynote
  • November 2: “‘My Mother Was a Computer’: Legacies of Gender and Technology” digital humanities symposium at William & Mary, Williamsburg, VA

OpenID Connect News, Overview, Certification, and Action Items at June 2018 Identiverse Conference

I gave the following presentation during the June 2018 Identiverse Conference:

News included:

Action items included:

What’s wrong with bots is they’re not ours

In Chatbots were the next big thing: what happened?, Justin Lee (@justinleejw) nicely unpacks how chatbots were overhyped to begin with and continue to fail their Turing tests, especially since humans in nearly all cases would rather talk to humans than to mechanical substitutes.

There’s also a bigger and more fundamental reason why bots still aren’t a big thing: we don’t have them. If we did, they’d be our robot assistants, going out to shop for us, to get things fixed, or to do whatever.

Why didn’t we get bots of our own?

I can pinpoint the exact time and place where bots of our own failed to happen, and all conversation and development went sideways, away from the vector that takes us to bots of our own (hashtag: #booo), and instead toward big companies doing more than ever to deal with us robotically, mostly to

Continue reading "What’s wrong with bots is they’re not ours"

Multi-Source Identity

Summary: Multi-source identity systems like Sovrin enable richer digital identity transactions that mirror the decentralized, ad hoc nature of identity in the physical world.

Audio Mixer

In the physical world, people collect and manage identity credentials1 from various sources including governments, financial institutions, schools, businesses, family, colleagues, and friends. They also assert information themselves. These various credentials serve different purposes. People collect them and present them in various contexts. When presented, the credential verifier is free to determine whether to trust the credential or not.

Online, identity doesn't work that way. Online identity has traditionally been single-source and built for specific purposes. Online, various so-called "identity providers" authenticate people using usernames and passwords and provide a fixed, usually limited set of attributes about the subject of the identity transaction. The identity information from these systems is usually used within a specific, limited context. Social login allows it to be used across Continue reading "Multi-Source Identity"

OAuth Device Flow spec addressing initial IETF last call feedback

The OAuth Device Flow specification (full name “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices”) has been updated to address comments received to date from the IETF last call. Thanks to William Denniss for taking the pen for this set of revisions. Changes were:

  • Added a missing definition of access_denied for use on the token endpoint.
  • Corrected text documenting which error code should be returned for expired tokens (it’s “expired_token”, not “invalid_grant”).
  • Corrected section reference to RFC 8252 (the section numbers had changed after the initial reference was made).
  • Fixed line length of one diagram (was causing xml2rfc warnings).
  • Added line breaks so the URN grant_type is presented on an unbroken line.
  • Typos fixed and other stylistic improvements.

The specification is available at:

An HTML-formatted version is also available at:

Wanted: Online Pubs Doing Real (and therefore GDPR-compliant) Advertising

This is what greets me when I go to the Washington Post site from here in Germany:

Washington Post greeting for Europeans

So you can see it too, wherever you are, here’s the URL I’m redirected to on Chrome, on Firefox, on Safari and on Brave. All look the same except for Brave, which shows a blank page.

Note that last item in the Premium EU Subscription column: “No on-site advertising or third-party tracking.”

Ponder for a moment how the Sunday (or any) edition of the Post’s print edition would look with no on-paper advertising. It would be woefully thin and kind of worthless-looking. Two more value-adds for advertising in the print edition:

  1. It doesn’t track readers, which is the sad and broken norm for newspapers and magazines in the online world—a norm now essentially outlawed by the GDPR, and surely the reason the Post is running this offer.
  2. It sponsors
    Continue reading "Wanted: Online Pubs Doing Real (and therefore GDPR-compliant) Advertising"

Deprecating the Password: A Progress Report

I gave the well-received presentation “Deprecating the Password: A Progress Report” at the May 2018 European Identity and Cloud Conference (EIC). The presentation is available as PowerPoint (large because of the embedded video) and PDF.

The presentation abstract is:

If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an ear-full. People intuitively know that there has to be something better than having to have a password for everything they do!

The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook,

Mike presenting at EIC 2018
Continue reading "Deprecating the Password: A Progress Report"

Ongoing recognition for the impact of OpenID Connect and OpenID Certification

This week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series of awards recognizing the value and impact of OpenID Connect and certification of its implementations.

On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:

My

Continue reading "Ongoing recognition for the impact of OpenID Connect and OpenID Certification"

OpenID Certification wins 2018 European Identity and Cloud Award

The OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!

Photos: EIC 2018 Award; EIC 2018 Award Certificate; EIC 2018 Award, John Bradley, Mike Jones, Nat Sakimura; EIC 2018 Award, Don Thibeau; EIC 2018 Award State; EIC 2018 Award, Don Thibeau, George Fletcher, Mike Jones, John Bradley, Nat Sakimura

GDPR will pop the adtech bubble

In The Big Short, investor Michael Burry says “One hallmark of mania is the rapid rise in the incidence and complexity of fraud.” (Burry shorted the mania- and fraud-filled subprime mortgage market and made a mint in the process.)

One would be equally smart to bet against the mania for the tracking-based form of advertising called adtech.

Since tracking people took off in the late ’00s, adtech has grown to become a four-dimensional shell game played by hundreds (or, if you include martech, thousands) of companies, none of which can see the whole mess, or can control the fraud, malware and other forms of bad acting that thrive in the midst of it.

And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor

Continue reading "GDPR will pop the adtech bubble"