Archive for August, 2005

The Seven Laws of Identity


Just reading an article on the Laws of Identity, which sets out the properties that any identity system, online or offline, must have.

It’s just hitting home, how important and fundamental to our way of life that these Laws exist and are adhered to by all. As a Software Developer, I have followed many of the Laws of Identity when implementing products without consciously knowing them or thinking about why I do.


Here are my thoughts on the Laws:


  1. User Control and Consent

The first law states that a User must have Control of which Identity is used when communicating with a system and must give consent to use an Identity. This seems obvious, but it becomes apparent that even Windows tends to inadvertently violate this Law with its NT authentication (which automatically proffers up the NT Username to any requesting application or network resource without the user knowing). Perhaps Windows Vista is heading towards resolving this issue? I somehow doubt it…


Although there have been implementations where not bending this law slightly has led to an impossibly annoying implementation, an example being the security fix to Outlook which requires a user to "Allow access for 1 Minute" to Outlook (anyone who’s used MS Project with Outlook will know what I’m talking about).


  2. Minimal Disclosure for a Constrained Use


Even I’ve violated this one a couple of times, but not to a major extent, perhaps collecting Mobile Phone numbers in a web site when it wasn’t necessary. Some websites violate this so badly that it leads to fake data being provided. If a web site asks for my birth date I give it a fake one, just because I don’t trust them.


  3. Justifiable Parties


I was considering going with Passport for one of our applications not too long ago, but it now seems that this would have an adverse effect on the perception of security of our application. Despite the obvious usability improvement of a unified identity, I’m not sure that if I was a user I would understand what MSN was doing in between this application and me; if MSN knows I’m logging in, what else do they know?


  4. Directed Identity


This states that some identities should be able to be used anywhere, and some are only for a particular system and no other. I wish this law was stated to the people who designed Bluetooth technology. That has to be the most fundamental violation of this Law ever. And everyone from the average Mobile phone user, to the person driving their Bluetooth enabled Car, is suffering because of the lack of thinking that went into its design.
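As an added example (not code from this post or from the Laws of Identity paper it discusses), here is one way an identity provider can honour Law 4 together with Laws 1 and 2: a site-specific "directed" identifier instead of a broadcast one, and only the claims the site asked for and the user agreed to. The HMAC construction, the sample profile, the secret and the site names are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample identity record (hypothetical values). The secret stays
# with the identity provider and is never sent to a relying party.
USER_SECRET = b"constructed-per-user-secret-held-by-the-provider"
PROFILE = {
    "name": "Alice Example",
    "birth_date": date(1980, 5, 17),
    "mobile": "+64-21-000-0000",  # constructed, not a real number
}


def directed_identifier(user_secret: bytes, relying_party: str) -> str:
    """Law 4 (Directed Identity): an identifier scoped to one relying party.
    HMAC over the site name gives two sites different, unlinkable values for
    the same user, unlike a hardware address broadcast to everyone in range."""
    mac = hmac.new(user_secret, relying_party.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def derive_claim(profile: dict, claim: str, today: date = date(2005, 8, 1)):
    """Law 2 (Minimal Disclosure): answer the question actually asked.
    'over_18' is derived from the birth date so the date itself never leaves
    the provider."""
    if claim == "over_18":
        born = profile["birth_date"]
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        return age >= 18
    return profile[claim]


def release(profile: dict, user_secret: bytes, relying_party: str,
            requested: list, consented: set) -> dict:
    """Laws 1 and 2: release only claims the site requested AND the user
    consented to, keyed by the site-specific identifier."""
    token = {"sub": directed_identifier(user_secret, relying_party)}
    for claim in requested:
        if claim in consented:
            token[claim] = derive_claim(profile, claim)
    return token


if __name__ == "__main__":
    # A bookshop asks for age and mobile number; the user consents to age only.
    print(release(PROFILE, USER_SECRET, "bookshop.example", ["over_18", "mobile"], {"over_18"}))
    # The same user at a second site is known by a different 'sub' value.
    print(directed_identifier(USER_SECRET, "forum.example"))
```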


  5. Pluralism of Operators and Technologies


This is obvious I suppose, every system works differently and therefore has different requirements.


  6. Human Integration


This Law addresses something I’ve felt quite strongly about for many years: that we can secure the channel from my computer to the server in another country 100 times better than we can secure the channel from the computer to the person sitting in front of it. It reminds me of an episode of The Simpsons where Burns accesses a "secure" part of his Nuclear reactor by having to pass through an Eye Scan, Face Scan, Voice Scan, Hand Scan and several solid steel doors, only to kick a stray cat out the fly screen back door, swinging open in the breeze. I remember years and years ago in high school having devices that would sniff keyboard strokes and log them so that we could steal the teachers’ passwords. This doesn’t even address the issue of the computer not knowing if it’s really me sitting there at the keyboard. Biometric fingerprint readers will help but I think it’s only the tip of the iceberg.


  7. Consistent Experience Across Contexts


This has to be one of the most difficult problems to solve, but the most beneficial for everyone. Users will find it easier to use an Identity, not having to go through their short list of usernames and passwords. Users will trust web sites and feel comfortable providing their private data to the appropriate systems, which increases usage of those systems.


One question lingers for me: even with all of this, it doesn’t address the "how do I know I can trust you" issue for users. Regardless of whether I can prove I’m purchasing my book from, how do I know I can trust to keep my information private and secure? A classic example of this issue is the 500,000 credit card numbers that were "lost" by couriers transporting a data backup tape. How do we really know that the system is backed up by proper and secure procedures, and that our data is not being misused?


Unfortunately that one is an even bigger challenge to deal with.



The low down on the NZ trip

Well, now that I have a bit of spare time (too much in fact, bored out of my mind) I thought I’d give the low down on the trip to NZ.
Our trip started on the North Island at Palmerston North where we caught up with relatives, which was great. Stayed there for 3 days. During that time we checked out the Te Apiti wind farm and Owlcatraz, an animal sanctuary about an hour out of Palmerston. Before long it was off to the South Island for me and Lizzy. The first thing we experienced of the South Island was the amazing view from the ferry. Everything was straight out of a postcard, and that was just the beginning.
We picked up the hire car and it was straight to Blenheim to stay for the night, before heading off on an 8 hour journey to Fox Glacier the next day. On our way to Fox Glacier we stopped to check out the blow-holes at Pancake Rocks on the west coast of the South Island.
The next day was the Fox Glacier walk, such an amazing experience to walk on top of one of the biggest ice glaciers so close to sea level. Got some spectacular photos of it too.
The next day we drove to Queenstown for some action and adventure. We went on the Shotover Jet boat rides, which travel at 80km/h through tight canyons, all the while doing 360 spins every now and then for good measure. The wind was bloody freezing but all in all a great day. Then we spent a couple of days snowboarding, loads of fun but we really hurt afterwards.
Regrettably we spent the last two days of our trip in Dunedin; had a bad experience with the hotel changing its name from Bentley’s to the Saville without notifying us, drove past the thing three times before going in and asking what was going on, got a fairly rude reply. Generally not that thrilled with the town itself. Larnach Castle however was amazing, an immaculate restoration, a real credit to those who restored it.


Back to the Grindstone

Well we’re back from NZ and man what a trip, without a doubt the best holiday I think I’ve ever been on. Never felt so relaxed, seen so much and had so much fun. Pity I had to work today, don’t think I was quite ready for it.


And I thought the translation in our software was bad…

I was sorely mistaken to think we had some of the worst translations in our software.
Such as "We are an ASP company" coming out in Korean as something along the lines of "We are an Ammunition Supply Point".
But this has to take the cake, thanks to Malik for the link.


Google misses the mark

This has to be the funniest "miss" I’ve ever seen Google make. I was looking at sites that link to me and, let’s just say that my blog entry on Smart Clients was not what the searcher must have been looking for! Lol
Would’ve thought "best Arse on the web" would have given much better results than my crappy blog.


Bed blogging the only way to go

I have finally realised the perfect time for me to blog is when I’m lying flat on my back in bed, waiting for my brain to slow down enough to sleep. And as painful as it is to type with two thumbs while holding up your PDA, it’s still more convenient than when sitting at a desk with access to a real computer that affords me the ability to do something useful with my time. For those of you that can’t sleep, I definitely recommend an O2 XDA IIs with a wireless LAN… sure beats counting sheep!
