my.info.card: my Infocard Identity Selector Plugin Development Blog

Here are a few thoughts on "authentication" and "authorization" in my own words.... (I hope you can understand what I am trying to say or imply). Please read this if you know how to differentiate between jokes and serious stuff....

I am Rohan Pinto, also known as "rohan" to some, by an "employee ID number" to my employer (you wish I published that number, didnt you ?), "ldapguru" according to folks who use my website, "Mr. Pinto" to those who look up to me (no kidding.. there are a few... a very few...), "Sir" (to the world, If I ever get to do better in life than Sir, Richard Branson), "baby" to my wife, "daddy" to my kids, "thengdi" to some, "ron" according to a few, "kramer" to some, "attacker" according to Kim, "hey you" to others who just dont care...

Anyway, the point is, I have several identites, each for a "specific" use-case blogs.sun.com/images/smileys/wink.gif" class="smiley" alt=";-)" title=";-)" />
Now, my wife would never accept the credential "daddy", nor would my kids accept anything other than "daddy". Similarly, others too have their own criteria for whats accepted and whats not.

The "criteria" is NOT something set or asserted by me. It's something that the "Relying Party" sets for themselves.

I probably do have the ability of presenting another credential to my "Relying Party", But would the "Relying Party" BUY THAT ?

Nothing stops me from presenting my "self asserted identity" to any of the "Relying Parties". I being a "human-component" have the ability to understand and know the (sometimes partially, and sometimes everything: based on how much info I have about the "Relying Party") criteria for acceptance by these "relying parties". Based on that info, I could establish an identity that closely matches the "acceptance criteria" of my "Relying Party", and probably get my "Relying Party" to open doors and welcome me in.

Hey, this whole exercise about "identity management" is to make the world a better/safer/secure place, aint it ?. I think that providing a platform whereby "identities" can be spoofed, and "created" is just silly. Who are we really helping? "ourselves" or "somebody else" ?

The way I look at it is, that the "Relying Party" has this box of treasure. I would like to see that treasure and claim my share.... In order to do so, the "Relying Party" has their own set of criteria of acceptance. If "my authenticated & authroized identity credentials match their criteria, I am given a key. I can use that key and open the treasure box anytime, however many times I want to". The point is, that the key is "GIVEN" to me after the fact that I have "successfully" authenticated and also "authorized" myself in a one step or a multi step process. (usually a multi step process). However even If I have a "pre-authenticated/pre-authorized" "key", I still need to present it to the "keeper" of the treasure and authenticate myself again every time I need to gain access. Even after authenticating myself all over, the "keeper" would still need to "authorize" me every single time.

The first step is gonna be to ensure that the "identity" is who he/she or even an "it" really is. There's no way that the "Relying Party" is gonna take the "presented secure identity token" and rely on it. One may say that the "secure token presented" can be validated against a specific set of criteria, But hey thats "authorization". Why would the "Relying Party" take the pain of "authorizing" a fake to begin with... If the "Relying Party" has assurance that the "identity" is valid, then the "authorization" step begins....

One not only needs to ensure that the "identity" is not a "fake" but also needs to ensure that the "identity" is stepping in from the front door, and then also have the ability to validate the "identities" other unique "characteristics" prior to even cross checking if the acceptance criteria matches the "identities" profile.

Am I selling something her... maybe... maybe I am....
Have you heard of nFactor Authentication yet ?? Well, if not, you will... soon... (I'm in the process of patenting and trademarking it) Trust me. you will hear from me.....

Anyway, back to the topic on hand... USER-CONTROLLED-IDENTITES.
I personally think that it's not a good thing. But I cannot force everybody to agree with my views. Like I have a right to my own view, you have your rights too. So all said and done, I see that the industry is making this huge "noise" about user-controlled-identities. Why fight it, I'll flow with it....

But in the process...., instead of just accepting the fact, I thought of making user controlled identites a wee bit more secure... and easier to implement and use. So I've comeup with my own "ANTI Laws of Identites" explanations...(No Offense Kim, I'm having fun with terminology. It's been a long hard day today...)

1. User Control and Consent: The user sure can consent, but control NO !!!. I meet my wife, she recognizes my "pre-authenticated" characteristics and "identity" and says, Hi "baby". I only consent my saying "yes love".
   LOL... I'm having fun today.. aint I ??
   
2. Minimal Disclosure for a Constrained Use: Minimal Disclosure NO !!!. With my wife there's no "minimal disclosure". I'm not sure if your's does.
3. Justifiable Parties: True Very Very True. I Concur. Both me and my wife need to constantly justify our commitment to each other. Trust me. We really really do. no kidding honest.... Dont you ? It's not because we distrust each other, it's reassurance. Just like folks like to reassure themselves about how good they look by repeatedly asking for opinions...
4. Directed Identity: In my case (example) the "identity" assertion is a two-way street. Not only would the "identity" need to assure itself of the authenticity of the "Relying Party", but the "Relying pArty" also needs assurance that the "identity" is a "trustWORTHY" "Identity".
5. Pluralism of Operators and Technologies: If I see myself as the "Relying Party" I need to not only recognize an identity called a "wife" but also recognize and know the difference in characteristics between identites like "daughter", "son" "employer", "mom", "dad", "friend" etc...
6. Human Integration: I Disagree than human Intervention needs to be a Law. Human intervention is necessary but not always. My coffee maker can brew only coffee and not make chicken soup. If I try to add chicken strips and water, I do not get coffee. My coffee maker is intelligent enough to know the difference between coffe beans/powder (the 2 characteristics of a presented identity that it can relate to, and is in it's list of criteriea to brew good coffee).
7. Consistent Experience Across Contexts: emmm.. how do I go about this one.. This is a hard one... Lets see.... How usable would today’s computers be had we not invented icons and lists that consistently represent folders and documents. Hey I really do not care about icons. I live in a "shell". Even though i'm not "Born Again" I live in a shell, a "Bourne shell". In my world, there are no "icons". However I am classified as an "attacker". How could you relate to me, and prevent me from doing what I (probably) could do, If I didnt care about "icons". You need to relate to me... the "threat". And if you succeed in doing so, that would be a HUGE step forward in making the world a better/safer/secure place.

that was fun... I just hope and pray that Kim takes this as a joke in good stride... This is plain old "food for thought" with a humourous twist. (it's sounds humorous to me at least. If it's not; maybe my taste in jokes is real bad...)

Next topic is "Secure User Controlled Digital Identities" and my version of enabling it's usage without having to implement or assert the adoption of a new "proprietary" standard or protocol. (if not the immediate next blog post, it would be a topic that I would soon post something on)