“Using RSA Algorithms with COSE Messages” specification approved for publication

The IESG approved the “Using RSA Algorithms with COSE Messages” specification for publication as an RFC today. A new version was published incorporating the IESG feedback. Thanks to Ben Campbell, Eric Rescorla, and Adam Roach for their review comments. No normative changes were made. The specification is available at: An HTML-formatted version is also available at:

The Daily Tab for 2017_06_06

I’ve decided I need to keep a public list on stuff that interests me, and to do it in a way that’s good to read now and easy to find later. The headline above is my first whack at a title. Required viewing: A Good American. It’s a documentary on Bill Binney and the NSA by @FriedrichMoser. IMHO, this is the real Snowden movie. And I say that with full respect for Snowden. Please watch it. (Disclosure: I have spent quality time with both Bill and Fritz, and believe them both.) Bonus dude: @KirkWiebe, also ex-NSA and a colleague of Bill’s. (In case you think this is all lefty propaganda, read Kirk’s tweets.) Ice agents are out of control. And they are only getting worse (@TrevorTimm in The Guardian) WillRobotsTakeMyJob is brilliant. Check out its suggested jobs for titles it has no stats for. Yo to WaPo and the Continue reading "The Daily Tab for 2017_06_06"

Initial JSON Web Token Best Current Practices Draft

JSON Web Tokens (JWTs) and the JSON Object Signing and Encryption (JOSE) functions underlying them are now being widely used in diverse sets of applications. During IETF 98 in Chicago, we discussed reports of people implementing and using JOSE and JWTs insecurely, the causes of these problems, and ways to address them. Part of this discussion was an invited JOSE/JWT Security Update presentation that I gave to two working groups, which included links to problem reports and described mitigations. Citing the widespread use of JWTs in new IETF applications, Security Area Director Kathleen Moriarty suggested during these discussions that a Best Current Practices (BCP) document be written for JSON Web Tokens (JWTs). I’m happy to report that Yaron Sheffer, Dick Hardt, and myself have produced an initial draft of a JWT BCP. Its abstract is:
JSON Web Tokens, also known as JWTs [RFC7519], are URL-safe JSON-based security Continue reading "Initial JSON Web Token Best Current Practices Draft"

Saturday Night in London

It’s about 9:30pm on Saturday. I’m in a bar, on Hackney Road in London, that I simply stumbled upon while wandering around. It is an incredible place. It is called “The Natural Philosopher” and I heartily approve. It is an odd and slightly twisted cross between an old-fashioned Victorian study and a curio shop. I would take a picture – but this isn’t the kind of place you take a picture in. It’s meant not for Facebook check-boxing, but for people to sit and be in the moment. And here I am, in the corner, working away at the laptop. Better than trying to snap pictures though. I haven’t written here for a long time. But I dream about it. I live a kind of guilt-driven life in some ways – how can I write here, when there are so many other greater priorities, outstanding commitments, all the things Continue reading "Saturday Night in London"

Seeing is believing

I didn’t watch Monday’s debate between Donald Trump and Hillary Clinton. I listened to it, while I live blogged what I heard in a window on top of it. This was after getting up in the middle of the night at an AirBnB with terrible wi-fi in the middle of London. While Hillary scored some strong hits toward the end of the debate, I thought Trump sounded stronger, with many more quotable one-liners. So I gave the debate to him, much as I hated to. (Put me in the #NeverTrump column.) But in the morning everybody was giving the debate to Hillary. What did I miss? In a word: the video. When I watched some clips, it was clear that Hillary was winning. Trump looked rude and buffoonish, while Hillary did something wonderful: she looked into the camera as if into a friend’s eyes, while Trump mansplained away, and Continue reading "Seeing is believing"

An experiment 

Just wrote my first post on Medium. While I had read articles there regularly, I hadn’t ever written there. My instinct is to write here and nowhere else. But maybe I’m wrong. The only way I can find out is by writing on Medium and seeing what happens. So I did. Today. I shall watch … Continue reading "An experiment "

Homework for Mozilla

It has been almost two years since I wrote Earth to Mozilla: Come Back Home, in response to the company’s conflicted dealings with the online advertising business. A lot has happened since then, including Mozilla hiring me to help make happen some of the stuff I suggested in that post. (Hats off to Darren Herman for bringing me in after I gave him and the company a hard time — and for being a huge advocate of The Intention Economy.) The most recent development on that path is a decision by Mozilla to exit the advertising business (beyond the whatever-it-is they get, passively, from searches). As Darren explains here, “Advertising in Firefox could be a great business, but it isn’t the right business for us at this time because we want to focus on core experiences for our users.” Much as it hurts the Mozilla staff and volunteers who worked Continue reading "Homework for Mozilla"

Grace Hopper Celebration and Presentation – Ethical Market Models.

In mid-October I had the opportunity to attend the Grace Hopper Celebration for Women in Computing for the first time. Here is a link to the paper that I presented – MarketModels-GHC Here are the slides
I also had the pleasure of working on a Birds of a Feather session with Roshi from Google – she works on their identity team and was the one who asked me to work on the session with her, along with encouraging me to submit a proposal for a lightning talk.
We had a great discussion about the internet of things and considering various ideas about what internet of things things…we might invent and how we might identify ourselves to them.
The conference is really a giant job fair for undergraduate women CS majors. There is not a lot there for mid-career women, all of the ones I Continue reading "Grace Hopper Celebration and Presentation – Ethical Market Models."

Glaciers moving at the speed of postings

(Cross posted from this at Facebook) In Snow on the Water I wrote about the “low threshold of death” for what media folks call “content” — which always seemed to me like another word for packing material. Back around the turn of the millennium, John Perry Barlow said “I didn’t start hearing the word ‘content’ until the container business felt threatened.” Same here. But the container business now looks more like plumbing than freight forwarding. Everything flows. But to where?
The timeline to the right of this looks like a core sample of glacier ice, probing back to 1947, the year I showed up. Memory, while it lasts, is of old stuff which in the physical world would rot, dry, disintegrate, vanish or lithify from the bottom up. But here we are on the Web, which was designed as a way to share documents, not to save Continue reading "Glaciers moving at the speed of postings"

Why the strange uploads to @Flickr?

I’ve got 58,765 photos on Flickr, so far. These have 8,618,102 views, so far, running about 5,000 a day. The top count this last week was 11,766. Not that I’m into stats. I just want to make clear how deeply I’m kinda vested in it, as a photographer. (And that’s in just one account. I’m involved with three others as well, all by organizations to which I belong.) But man, it’s trying me lately. The main thing isn’t the UI changes, which are confusing, and seem to be happening constantly. (Though I’m sure they’re not. I just seem to be discovering new or changed things constantly.) Here’s the main problem. For some reason, large quantities of photos I don’t want automatically uploaded are uploading to Flickr. I don’t know where they’re coming from — other than me — or how they’re getting up there. I thought maybe it was the new
Continue reading "Why the strange uploads to @Flickr?"

I’m Quoted in Guardian Article re: Ellen Pao

Yesterday a reporter called me up and asked me for comment on Ellen Pao. I said “What did you expect?” It became the headline! – I continued “Ellen was at the center of a high-profile sexual discrimination suit versus a major VC firm and she was put in charge of the teenage boy section of the internet. What did you expect was going to happen? It was inevitable that they would turn on her,” You can read the whole article here – I wasn’t the only one unsurprised by what happened. :)

‘What did you expect?’ Women in tech reflect on Ellen Pao’s exit from Reddit

When your Empire has no Clothes

How many data points does it take to call something a trend? With the hack and subsequent data dump of the internal files of Hacking Team, a company most of us never even knew existed until this week, the world is getting to see a very public examination of the naked inner workings of an organization. This is the second time I can think of this kind of hack occurring. The first was, of course, Sony Pictures. Some number of hackers have turned two different organizations inside out from a digital perspective, exposing even the mundane stuff for public ridicule. And some of the most harshly ridiculed practices of all in both cases involved passwords and credentials. In the case of Sony Pictures, the effect was acutely embarrassing. Scores of Excel spreadsheets, detailing personal, business, and IT system passwords, with filenames like “website passwords” and “usernames & passwords”. When Gawker writes
Continue reading "When your Empire has no Clothes"

#mynameis my statement for the virtual press kit

I just wrote this up for the virtual press kit for the #mynameis protest. With its real name / authentic name policy Facebook is violating the rights and dignity of thousands if not millions. Individuals of all stripes have authentic names that are not found on any of their legal paperwork. In common law countries we have the right to define our own name, and these rights need to be respected online. Identity is contextual. That is, the same person may use different names authentically in different social contexts – within the Drag Queen and LGBT community one name, Lil Hot Mess for example, and in a professional day job a completely different name – more likely one on formal legal paperwork, but not necessarily. These different contexts have their own contextual authenticity. Google+ when it began several years ago also had a real name or Continue reading "#mynameis my statement for the virtual press kit"

Because freedom matters

After one of my reluctant visits to Facebook yesterday, I posted this there:
If I were actually the person Facebook advertised to, I would be an impotent, elderly, diabetic, hairy (or hairless) philandering cancer patient, heart attack risk, snoring victim, wannabe business person, gambling and cruise boat addict, and possible IBM Cloud customer in need of business and credit cards I already have.

Sixty-eight likes and dozens of comments followed. Most were from people I know, most of whom were well-known bloggers a decade ago, when blogging was still hot shit. Some were funny (“You’re not?”). Some offered advice (“You should like more interesting stuff”). Some explained how to get along with it (“I’ve always figured the purpose of Internet ads was to remind me what I just bought from Amazon”). One stung: “So much for The Intention Economy.” So I replied with this:
Great to see y’all here. Glad you took the bait. Now for something less fun. I was told last week by an advertising dude about a company that has increased its revenues by 49% using surveillance-based personalized advertising. The ratio of respondents was 1 in 1000. The number of times that 1 was exposed to the same personalized ad before clicking on it was 70. He had read, appreciated and agreed with The Intention Economy, and he told me I would hate to hear that advertising success story. He was correct. I did. I also hate that nearly all the readers all of us ever had on our own blogs are now here. Howdy. Writing on my own blog, which averages zero comments from dozens of readers (there used to be many thousands), seems a waste. Wanna write short? Do it in Facebook or Twitter. Wanna write long? Do it in Medium. Wanna write on your own DIY publication? Knock yourself out. And, because the bloggers among us have already done that, we’re here. So let’s face it: the leverage of DIY is going down. Want readers, listeners or viewers? Hey, it’s a free market. Choose your captor. I’ve been working all my adult life toward making people independent, and proving that personal independence is good for business as well as for hacking and other sources of pleasure and productivity. But I wonder whether or not most people, including all of us here, would rather operate in captivity. Hey, it’s where everybody else is. Why not? Here’s why. It’s the good ship Axiom: http://pixar.wikia.com/Axiom . Think about it. Earth is the Net. It’s still ours: http://cluetrain.com/newclues. See you back home.
That’s where we are now.

Ello….on the inside

So. I FINALLY got my invitation to Ello. I go in…make an account. I check the Analytics section.
Ello uses an anonymized version of Google Analytics to gather and aggregate general information about user behavior. Google may use this information for the purpose of evaluating your use of the site, compiling reports on site activity for us and providing other services relating to site activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. To the best of our knowledge, the information gathered by Google on Ello’s behalf is collected in such a way that neither Ello, nor Google, can easily trace saved information back to any individual user. Ello is unique in that we offer our users the option to opt-out of Google Analytics on the user settings Continue reading "Ello….on the inside"

IIW topics so far

We keep track of topics folks want to talk about on our Identity Commons wiki. I figured I would pull the list out from there and share it here. It’s looking good so far. What topics are you planning to present about or lead a discussion about at this IIW?
  • Notification management – Notifs
  • unhosted identity
  • Redelegation of OAuth bearer tokens
  • OpenID Connect certification
  • Proof of Possession
  • Trust-elevation (adaptive access)
  • IdM for future scientific collaborations
  • I am a member of the W3C Credentials Community Group (http://opencreds.org) and will present status/progress/goals/roadmap/use cases and how they relate to other identity initiatives.
  • OpenID Connect mobile profile
  • Consent management UI and internals; international consent issues
What are you hoping to learn about or hear a presentation about at IIW?

Field Guide to Internet Trust Models: Individual Contract Wrappers

Individual Contract Wrappers

When providing information to a service, the requester also provides terms for how that information can be used. Service providers agree to honor those terms in exchange for access to the data, and compliance is enforced through contract law. Terms might include an expiration date, limits on whether the data can be re-sold, or whether it can be used in aggregate form. This model is the mirror image of the Sole Source.

Examples: Personal.com offers a service that provides end users with a place to store personal data. Service providers agree to abide by a set of agreements in order to use this data.

When to use:

Advantages: Provides an incentive for the requester to provide clear, correct, and up-to-date information. In exchange for accepting limits on how the data can be used, the service provider gains access to better quality and more complete data.

Disadvantages: Continue reading "Field Guide to Internet Trust Models: Individual Contract Wrappers"

Field Guide to Internet Trust Models: Centralized Token Issuance, Distributed Enrollment

A special case of a peer-to-peer network. Participants want to establish trusted identities that can be used securely for ongoing, high-value communication among organizations. A trusted, central provider issues identity tokens, which are then enrolled independently by each service provider. Service providers are not required to cooperate or accept one another’s enrollments.

Examples: The most common examples are RSA SecurID and SWIFT 3SKey. Hardware tokens issued by a trusted provider are then used to authenticate individual identities.

Each service will require the user to enroll separately, but once the user has registered they can use the token for future interactions.

When the requester wants to use a service, they’re authenticated using the token.

When to use: Strong Authentication across a range of business entities who may have different enrollment requirements.

Advantages: Can provide a high level of identity assurance to institutions spread across legal and national boundaries.

Disadvantages: Can be Continue reading "Field Guide to Internet Trust Models: Centralized Token Issuance, Distributed Enrollment"