Starting the Hyperledger Indy test pool reachable on your WIFI network






Hyperledger Indy's README.md explains how to start the @Sovrin test pool on localhost using docker and in a docker network.


Doing it this way, the pool is not reachable from clients that are not on your local machine.
Building a mobile app then has the problem that the phone can't talk to the test pool because neither localhost nor the private docker network is reachable.

Starting the test pool on a specific IP address

The Dockerfile ci/indy-pool.dockerfile supports an optional pool_ip param that allows changing the IP address of the pool nodes in the generated pool configuration.

You can start the pool with e.g. the IP address of your development machine's WIFI interface so that mobile apps in the same network can reach the pool.

# replace 192.168.179.90 with your wifi IP address
docker build --build-arg pool_ip=192.168.179.90 -f ci/indy-pool.dockerfile -t

On presuming competence

A few weeks ago, while our car honked its way through dense traffic in Delhi, I imagined an Onion headline: American Visitor Seeks To Explain What He’ll Never Understand About India.

By the norms of traffic laws in countries where people’s tendency is largely to obey them, vehicular and pedestrian traffic in the dense parts of Indian cities appears to be chaotic to an extreme. Yet it’s clearly at least … well, organic. People do seem to go where they want, individually and collectively. Somehow. Some way. Or ways. Many of them. Alone and together. Never mind that a four-lane divided highway will have traffic moving constantly, occasionally in both directions on both sides—and that it includes humans, dogs, cattle, rickshaws and bikes, some laden with bags of cargo that look like they belong in a truck, in addition to cars, trucks and motorcycles, all packed together and honking constantly.


Second W3C Web Authentication (WebAuthn) Candidate Recommendation (CR)

W3C has published a second W3C Candidate Recommendation (CR) for the Web Authentication (WebAuthn) specification. The second Candidate Recommendation is at https://www.w3.org/TR/2018/CR-webauthn-20180807/.

This draft contains a few refinements since the first candidate recommendation but no substantial changes. The new CR was needed to fulfill the W3C’s IPR protection requirements. The few changes were based, in part, upon things learned during multiple interop events for WebAuthn implementations. The working group plans to base the coming Proposed Recommendation on this draft.

Building an Android App with Sovrin





Thanks to the hard work of Mohammad Abdul Sami, Sovrin enthusiasts now have support for building libindy for Android in the master branch of our repo.


You can now build the libindy libraries for Android by just running a script. Yeah!
If you want to spare yourself that build process, you can download the libraries from Evernym. Thanks!

Now what? You have a libindy.so for arm, arm64 and x86, but how do you use it?

I have created an Android Studio sample application DroidLibIndy that you might use as a starting point (if you don't like reading blog posts).

Still reading? Here is a list of quirks you need in your flashy new Indy-App.

  1. First you have to put the libindy library into the correct jni folder e.g.:
    app/src/main/jniLibs/arm64-v8a
    This other way to do this did not work for me.
  2. Source code and Target compatibility have to be Java

A helpful approach to personal data protection regulation

Enforcing Data Protection: A Model for Risk-Based Supervision Using Responsive Regulatory Tools, a post by Dvara Research, summarizes Effective Enforcement of a Data Protection Regime, by Beni Chugh, Malavika Raghavan, Nishanth Kumar & Sansiddha Pani. While it addresses proximal concerns in India, it provides useful guidance for data regulators everywhere.

An excerpt:

Any data protection regulator faces certain unique challenges. The ubiquitous collection and use of personal data by service providers in the modern economy creates a vast space for a regulator to oversee. Contraventions of a data protection regime may not immediately manifest and when they do, may not have a clear monetary or quantifiable harm. The enforcement perimeter is market-wide, so a future data protection authority will necessarily interface with other sectoral institutions.  In light of these challenges, we present a model for enforcement of a data protection regime based on risk-based supervision and the use


The Sovrin Foundation

Summary: This article describes the role that the Sovrin Foundation and associated groups play in governing, operating, and using the Sovrin Network. The Sovrin Network is designed and intended to be decentralized so understanding the key influence points and community groups is important.

Freifunk Mesh

In Decentralized Governance in Sovrin, I wrote:

The Sovrin Network is a global public utility for identity that we all own, collectively, just like we all own the Internet.

When I say Sovrin is "public," I mean that it is a public good that anyone can use so long as they adhere to the proper protocols, just like the Internet. Sovrin is created through the cooperation of many people and organizations. Enabling that cooperation requires more than luck. In Coherence and Decentralized Systems, I wrote:

Public spaces require coherence. Coherence in Sovrin springs from the ledger, the protocols, the trust framework, standards, and market incentives.


New Paper: Why do people share fake news?

I’m really proud of this paper. It’s my attempt to further a new model of media effects that takes into account active audiences, media messages, and technological affordances. I focus on conservative audiences for fake news as a case study.

Basically: People share fake news because it furthers partisan narratives that are promoted by mainstream (mostly) conservative media and expresses personal and political identity.

Findings:

  • Most fake news isn’t political, but sensational. Still more is created to be polysemic and appeal to people across the political spectrum in order to increase viewership (and therefore money).
  • Conservative fake news doesn’t exist in a vacuum. Much of it builds on “deep stories” that have been present on Fox News for decades.
  • The mainstream media (NYTimes, WaPo, etc.) is tied to an elite, liberal identity. Part of this is due to years of conservative media promoting the idea that urban elites look

Poor Little Piggie

Years ago we were sharing stories about our children. I was recounting to Natalie my favorite funny stories about her. She shared with me a funny story about Miles. This little animation is my attempt to keep that memory in animation form.

I hope it is close to what you told me Nat.

IETF Token Binding specifications sent to the RFC Editor

The three core IETF Token Binding Specifications have been sent to the RFC Editor, which means that their normative content will no longer change. It’s time to move implementations to version 1.0! The abstract of the Token Binding over HTTP specification describes Token Binding as:

This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections.

We describe both first-party and federated scenarios. In a first-party scenario, an HTTP server is able to cryptographically bind the security tokens it issues to a client, and which the client subsequently returns to the server, to the TLS connection between the client and server. Such bound security tokens are protected from misuse since the server can generally detect if they are replayed inappropriately, e.g., over other TLS connections.

Federated token bindings, on the other hand, allow

Exploring Self-Sovereign Identity in India

Summary: I spent almost two weeks talking with people about self-sovereign identity in Switzerland and India. I'm more encouraged than ever that self-sovereign identity holds the key to real change in how we live our digital lives with security, privacy, and dignity.

Visiting a fertilizer distribution center near Vijayawada to see Aadhaar in action

I'm just finishing up my travel to Switzerland and India to talk about self-sovereign identity. The trip was amazing and full of interesting and important conversations.

The TechCrunch event in Zug was very good. I was skeptical of a one-day conference with so much happening in a short time, but thanks to great preparation by those running the show and all the participants, it exceeded my expectations in every way. I spoke on a panel with Sam Cassatt of and Guy Zyskind from Enigma. Samantha Rosestein was the moderator.

But it was the conversations I had with people at the event that really made it interesting. Self-sovereign identity

Window Media Creation Tool 8gb Error

Well, in a twist of fate that I am still bemused by, I am in Microsoft-land now and this fact has led me inevitably to my first Windows install since about 2008.  It went pretty well, except that I didn’t have the recovery key for the previous installation, so had to do a scratch install.  You’d think it would be easy, since they give you a tool that does all the hard work! All you need is a USB drive of at least 8gb to become the installation media.

But then you put in your larger-than-8gb USB drive and the program says “Your USB must be at least 8gb!!”.   You reformat, you think “Maybe I need FAT32”, etc.  No luck.  All roads lead to the mysterious 8gb error, even when your USB drive is empty and large.

So you look online, and the forums

Security Event Token (SET) is now RFC 8417

The Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:

This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.

SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security

When a thunderstorm appears right on top of an airport

This is the situation at Newark Airport right now:

Those blobs are thunderstorms. The little racetrack in upstate New York is an inbound flight from Lisbon in a holding pattern.

Follow the link under that screen shot. Interesting to see, in close to real time, how flights on approach and departure dodge heavy weather.

I’ll be flying out of there in a few hours myself, to India, for the first time. Should be fun.

Without enforcement, the GDPR is a fail

And the same goes for California’s AB-375 privacy bill.

The GDPR has been in force since May 25th, and it has done almost nothing to stop websites that make money from tracking-based-advertising stop participating in the tracking of readers. Instead almost all we’ve seen so far are requests for from websites to keep doing what they’re doing.

Only worse. Because now when you click “Accept” under an interruptive banner saying the site’s “cookies and other technologies collect data to enhance your experience and personalize the content and advertising you see,” you’ve just consented to being spied on. And they’re covered. They can carry on with surveillance-as-usual.

Score: Adtech 1, privacy 0.

Or so it seems. So far.

Are there any examples of publications that aren’t participating in #adtech’s spy game? Besides Linux Journal?

 

Identity and India

Summary: In July I'll be circling the globe to talk about self-sovereign identity and learn about how others are approaching and using it.

Aadhaar enrollment drive at Bareilly, UP, India

The first half of July I'm going to be on the road speaking about self-sovereign identity in Switzerland and at two events in India. This is my first time in Switzerland and India, so I'm looking forward to the trip and meeting lots of interesting people.

The event in Zug is the TC Sessions: Blockchain 2018 event on July 6th. I'll be speaking on self-sovereign identity in an afternoon session.

There are two events the following week in India. The first is the IEEE-SA InDITA Conference in Bangalore on July 10-11. DITA stands for "Digital Inclusion through Trust and Agency" and I like that theme. The Internet Identity Workshop organizers, Kaliya Young, Doc Searls, Heidi Saul, and myself, are helping organize this event, so it will be

OpenID Connect Token Binding Specification Updated

The OpenID Connect Token Bound Authentication specification has been updated in response to developer feedback and in anticipation of the IETF Token Binding specifications finishing. Changes were:

  • Adjusted the metadata to indicate supported confirmation method hash algorithms for Token Binding IDs in ID Tokens.
  • Updated references for draft-ietf-tokbind-protocol to -19, draft-ietf-tokbind-https to -17, draft-ietf-oauth-token-binding to -07, and draft-ietf-oauth-discovery to -10.
  • Explicitly stated that the base64url encoding of the “tbh” value doesn’t include any trailing pad characters, line breaks, whitespace, etc.

(The representation of the Token Binding ID in the ID Token is unchanged.)

Thanks to Brian Campbell for doing the editing for this draft.

The specification is available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing WGLC comments

A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

An HTML-formatted version is also available at:

OAuth 2.0 Authorization Server Metadata is now RFC 8414

The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.

Thanks to all of

Travel updates 2018

I’m trying to keep my travel schedule fairly light so I can finish the book, but here’s what’s coming up:

  • June 29- July 1: CSST Decennial Sociotech Futures Symposium – Ann Arbor, Michigan
  • Two personal trips to NYC in July, one including a dissertation defense 🙂
  • October 10-13: AOIR in Montreal; participating in the Early Career workshop and presenting on a great panel on disinfo featuring me, Sam Woolley, Francesca Tripodi and Caroline Jack
  • October 27-28: Locked out of Social Platforms: An iCS Symposium on Challenges to Studying Disinformation (IT University, Copenhagen, Denmark) – keynote
  • November 2: “My Mother Was a Computer”: Legacies of Gender and Technology” digital humanities symposium at William & Mary, Williamsburg, VA

OpenID Connect News, Overview, Certification, and Action Items at June 2018 Identiverse Conference

I gave the following presentation during the June 2018 Identiverse Conference:

News included:

Action items included: