REEP Key Ceremony

The key ceremony for the REEP service took place on 2014-05-18 after the REFEDS meeting in Dublin, Ireland.

I witnessed this ceremony and was convinced that the key attached to this post as a self-signed X.509 certificate was generated during the ceremony within the hardware security module in Sweden that will be used by the REEP service to sign metadata served by it. To certify this, I have generated a detached signature file for reep.pem using my PGP key.

To the extent that you trust me to have taken care while witnessing the ceremony, you may find that validating my signature on reep.pem gives you some comfort that metadata documents signed by the private key associated with reep.pem are, indeed, legitimate outputs of the REEP service.

As an aside about the ceremony itself, proof that a particular computational event has occurred in a particular way is almost impossible in a world of networking and virtual machines. We've known this for a long time: the paranoia goes back at least as far as Ken Thompson's Reflections on Trusting Trust. We're not quite living in The Matrix, but the evidence of one's senses doesn't really go very far towards absolute proof. So what the other witnesses and I did during the ceremony — all we could do, really — was gain confidence by asking questions, taking photographs of the steps and trying to think of ways to validate them. For example, I was later able to verify that the pkcs11-tool command being used was indeed the one which would be installed on a system running 64-bit Ubuntu 12.04. Unless, of course, Leif foresaw that trick and subverted the md5sum command as well. It's turtles all the way down.

Future of Federations

I'm speaking later today as part of a session on the Future of Federations at the Internet2 Fall Member Meeting in Philadelphia.

Here is a PDF version of my slides. They are really just a list of the emerging technologies I think may affect identity federations in the short to medium term future; I think things are changing quickly enough that looking further forward than a couple of years is just too difficult.


UK federation Metadata Aggregation

(Illustration: diagram full of boxes and arrows)

One of the systems I work on is the back end of the UK federation's metadata system. Although I've talked about this in several presentations, the bare structural diagram isn't very informative on its own. Here, I present a snapshot of the architecture, and go into a lot more depth on the what, how and why than you'd get from just the slide on its own (click on the image to get a larger version).

I hope that this article can perform double duty as a case study for the Shibboleth metadata aggregator tool, which acts as the engine behind the metadata system and to which I also contribute as a developer.



I've been pretty disappointed by social networking "products" up to this point. I do use Twitter once in a while, but it's pretty ephemeral stuff. I think that's fine, it means I don't have to worry about missing anything.

When I was very young and naïve, I thought Facebook looked pretty interesting. In practice, the level of sheer malevolence displayed by the company and its founder has stopped me from using it for anything other than keeping up with the family.

Ever hopeful, I now have a presence on Google+. It's possible that this new service will end up as malign as Facebook, but for now at least I feel much less like I am being packaged up and sold as product. It seems, really, like a social network done right.

All that seems to be missing is the people.


Surviving Interfederation

(Illustration: "Please do not take photos with hats on")

I gave a presentation to FAM10 back in October in Cardiff, in the "Not for the faint hearted" session. You can download the slides as a PDF file from the illustration on the right.

My working title was "How to Survive the Coming Zombie Apocalypse", but the presentation was really about how to survive the transition from cozy local federations to federated operation in the global internet. Whether that looks like a scary prospect depends, of course, on how conservative you've been to date: UK federation recommendations have always emphasised the difference between technical trust and behavioural trust, and the talk goes into some detail on this topic.

Understanding trust allows you to protect yourself against the zombie hordes (sorry, I mean "entities not bound by your local federation's behavioural norms"). The other topic covered in detail is how to benefit from interfederation by making sure that you're running software capable of interoperating widely.



BEER is the current attempt at a decent acronym for a new service in the federated identity space. BEER stands for [Bunch|Bucket|Bag] of End Entities Registry, and you should be profoundly glad we didn't go with any of the earlier names.

You can find out more about it at the project's wiki; Nicole Harris has a pretty good summary of the idea and what it might mean.

One thing that seems to be confusing people about BEER is that it's easy to make the assumption that it's trying to be a federation along the lines that we have at present, just with less strict membership rules. I'm not saying that such a thing wouldn't have a use (TestShib has been very useful for many people, although it leans so far towards openness that some would argue that it falls over), but this is not what BEER is about.

It's probably more helpful to look at BEER as a new kind of thing, an independent registrar of metadata. Its job is to assure the authenticity of the metadata it publishes (in terms of establishing that the metadata for an entity has a connection to the owner of the associated domain) without attempting to make guarantees about any of the things you might later layer on top of that "technical trust". As such, it's aiming to be a component in an overall trust framework rather than a complete solution in the way that many of the existing federations see their role.

Whether such a service has a long term role to play depends on whether the various existing federations start to converge in terms of their view of their own roles, and of course whether that convergence is in the direction of monolithic trust or in the direction of separation of the different trust components. Both approaches have supporters, of course, and we'll just have to see how things work out. It will be obvious from previous posts that I'm in the "separate the concerns, behavioural trust is end-to-end" camp, which I'd broadly characterise as the design we chose for the UK federation, and which I think has worked out pretty well in that community.

By coincidence, I'll be talking at FAM10 next week about how to survive a scary post-apocalyptic future in which not all UK federation metadata originates from the federation's own members, and BEER will certainly be on the agenda. As will beer, of course, although probably not during the talk.


E-mail Certificates

The Thawte Web of Trust, for which I was a fairly junior notary, was shut down recently. This included revoking all existing certificates back in November, at least according to Thawte's FAQ on the closure. Amusingly — but perhaps not surprisingly to anyone familiar with the area — I've had to date precisely no queries relating to my continued use of the supposedly revoked personal e-mail certificate.

The only other S/MIME certificate authority I'm aware of that does Web of Trust type identity validation is CAcert; unfortunately their root certificate isn't trusted by most browsers and e-mail clients and until that happens (if it ever does) I can't recommend them as a replacement. Similarly, the lack of built-in PGP/GPG support in current mail clients rules that system out for most people.

If you had a Thawte S/MIME e-mail certificate, you may have been able to trade it in for a 1-year equivalent from VeriSign free of charge. Unfortunately, after the first year it looks like VeriSign charge $19.95 per annum even for a "persona not validated" certificate, which doesn't sound to me like a lot of bang for your buck.

One alternative for the cost-conscious is Comodo's Free Secure Email Certificate product. Again, this is "persona not validated" but should be sufficient for most uses and you can't beat the price.


FAM09: Metadata Aggregation

Metadata aggregation as a route to cross-federation inter-operation continues to be my main focus for the year, and yesterday I delivered a presentation on the subject at JISC's Federating the next generation event.

I think the talk went reasonably well; a couple of people remarked that they liked having the key concepts separated out and clarified. People even chuckled in the right places a couple of times.

Checking Twitter for the #FAM09 tag I find that the main thing a couple of people took away from the talk was a snarky remark I made about XSLT. Curiously, I find that I'm fine with that.

As usual, here's a PDF version of my slides from the presentation:


There are a fair number of animated diagrams in this talk, and not as many words as usual. That might mean that some parts are hard to follow without hearing me talk. I'm going to try and get hold of the audio recording made at the time and will upload a slide-synchronised version of the talk later if possible.


Concepts and Methods V1.10

I've talked about a metadata exchange approach to inter-federation working here before. Since my last update, I think we've seen some level of acceptance in both the technical and policy communities that this is — at least in principle — a valid approach, and there is work going on in a variety of places on that basis.

One thing that has become apparent as that work has developed is that we need to look at some of our basic assumptions with a fresh eye: complex problems can often be simplified by looking at them from a different direction. To that end, Chad La Joie (of SWITCH and Shibboleth) and I have put together Interfederation and Metadata Exchange: Concepts and Methods, the current version of which you can download here:


The main aim of Concepts is to provide a framework in which it is possible to think clearly about identity federations in a multi-federation world. This involves first separating concerns and then recombining them in new ways, leading to what we think is probably best thought of as a global metadata layer. There is also coverage of some of the technical implications of such an approach, but we've tried to keep that part as light-weight as possible here.

During the recent Internet2 Member Meeting in Arlington, this document was also reviewed by Scott Cantor, Steven Carmody, Josh Howlett, Leif Johansson, Thomas Lenggenhager and Valter Nordh. We are grateful to our colleagues for their many constructive comments, which we have tried to incorporate faithfully in the current version. I will leave it to those individuals to state whether, and to what degree, they endorse our conclusions.



I'm in Arlington, Virginia this week for the Internet2 Member Meeting. As usual, lots of good hallway conversations and meetings. I had to work my passage this time by contributing a presentation to a joint session on Building on Success: from Identity Federation to Interfederation.

As well as the traditional statistics about how large the UK federation has become, I talked a bit about some of the things I think contributed to its success. This was more in terms of broad concepts than details, the idea being to give people thinking of setting up new federations a guide to some of the tradeoffs involved.

As usual, here's a PDF version of my slides from the presentation:



