Networkshop 35 Talk

View from Networkshop 35

Originally uploaded by iay.

I recently attended Networkshop 35 at the University of Exeter and presented a short talk on The UK Federation and Shibboleth: Nuts and Bolts. The idea was to discuss some of the technical challenges involved in the interplay between the UK Access Management Federation for Education and Research and the Shibboleth software, and talk about some future solutions to some of the issues.

As you can see from the integrated slide and video version of the talk available from the conference site, I knew in advance that I'd be short of time so on the day covered only the first two main topics: metadata and discovery.

I didn't want to lose my thoughts on "trust" in the federation context, though, so instead of deleting the slides entirely I left them attached to the published version of the presentation. You can download the slides if you're interested.

The University of Exeter, where Networkshop 35 was held, is fairly photogenic. I've uploaded a few snaps to give the idea.


Federated Access Management Animation

We're moving house at the end of next month. I'm told that the new neighbours have been told that I'm "in computers" and that they are all looking forward to meeting us. Hopefully this doesn't mean they want me to fix their broken Windows machines.

The good news is that if I need to explain what I actually do on the identity side of things, the JISC have just come to my rescue by producing a new animation explaining federated access management. The voice-over is pitched at a fairly non-technical level, and the little animated <Subject>s act out the scenes with a surprising amount of expression and a fair bit of wit. They remind me a lot of the little green guys in Darwinia, in fact.

This is not the sort of thing you'd use to communicate with a techie who wanted to know the difference between Browser/POST and Browser/Artifact, but it's a pretty good introduction to some of the basic ideas for everyone else.



Federations 101

In more UK Federation-related news, I've been invited to give a short presentation next week as part of a panel session at the Fall 2006 Internet2 Members Meeting in Chicago.

I've been asked to keep the impenetrable geekitude down to non-toxic levels by sticking to a description of policy issues rather than implementation and technology. You can get the other stuff from me pretty much any time.


UK Federation Launched

Today was the official launch of the UK Federation, or the UK Access Management Federation for Education and Research to give its Sunday name. This is a huge deal for everyone involved, myself included: some people have been working towards this point since around 2000 (I'm a relative newcomer, only having put a couple of years into it so far).

In the longer term, this will be a fairly important system for many more people: after all, the UK Federation is a federated identity framework for the whole of the UK education and research sectors, which I'm told involve perhaps 18 million people. If we do our job well over the next few years, though, the best case is that like all good infrastructure it will just sink down below the point where people even notice it. That's a hard job, and we've only just started on it.


I generated my first PGP RSA keypair way back in 1993. Some friends and I played around with PGP for e-mail for a while, but at the time few people knew about encryption and even fewer cared: the "no-one would want to read my mail" attitude meant that convincing people they should get their heads round all of this was a pretty hard sell. The fact that the software of the day was about as user-friendly as a cornered wolverine didn't help either.

The PGP software had moved forward a fair bit both technically and in terms of usability (up to "cornered rat") by 2002, when I generated my current DSS keypair. By this time, it was pretty common to see things like security advisories signed using PGP, but only the geekiest of the geeks bothered with e-mail encryption.

Here we are in 2006: I still use this technology primarily to check signatures on things like e-mailed security advisories (I use Thunderbird and Enigmail), but I've finally found a need to use my own key, and it isn't for e-mail.

Over the years, PGP (now standardised as OpenPGP) has become the main way of signing open source packages so that downloaders have a cryptographic level of assurance that the package they download was built by someone they trust. Of course, the majority of people still don't check these signatures but systems like RPM often do so on their behalf behind the scenes.

I've agreed to take on some limited package build responsibilities for such a project recently, so I've installed the latest versions of everything and updated my about page so that people can get copies of my public keys. Of course, there is no particular reason anyone should trust those keys; this is where the web of trust is supposed to come in, by allowing someone to build a path to my keys through a chain of people they trust (directly or indirectly). Unfortunately, my current public key is completely unadorned by useful third-party signatures. If you think you can help change that (i.e., you already know me, already have an OpenPGP keypair and would be willing to talk about signing my public key) please let me know.

Internet Identity Workshop 2006

Internet Identity Workshop logo

Phil Windley, Kaliya Hamlin and Doc Searls are running the Internet Identity Workshop 2006 this coming week. It sounds interesting, but Mountain View is a little out of my way.

On the other hand, who can do other than stand in awe in front of the Workshop logo, shown here? A dog, wearing a mask, sitting in front of a computer: perhaps the oldest gag in the digital identity game. I'd say "priceless", but in fact you can buy merchandise.


WAYFs and Discovery

Of course, the real reason I was in Windermere was not to photograph ducks but to present some slides on the discovery problem in Shibboleth. You can download a copy of the presentation "WAYFs and Discovery" here (1.4MB PDF).

The abstract (accidentally omitted from the meeting material) was:

The standard model of Identity Provider discovery in Shibboleth deployments is that of a federation-supplied, central discovery service called a WAYF. Although an essential backstop, this approach has significant shortcomings. We present some recent work in the area of multi-federation WAYFs, and review alternative discovery technologies (both present and future) that allow deployers to improve the user experience.

My co-author Rod Widdowson can be found here.

Virtual Vanity

Every so often I vanity-google my own name, just to see what happens. I'm sure you do the same; who can resist?

I've been the number three "Ian Young" (according to Google) for a while. At number four is a chap at Intel who also shares a middle name with me, although as he apparently has 34 patents and invented the insides of lots of cool things he really by rights ought to be higher. He gets top billing for "Ian Alexander Young", though.

Judging by the logs, some people find it easier to google for "Ian Young" than they do to remember the URL for this site. When looking at the server logs for the last month, though, I discovered that a fair number of people look for "iay" too. I've been using that identifier to log into things since about 1979 and sometimes have difficulty remembering my "human name", but I didn't realise this applied to other people too. Of course, they may have been looking for The Institute for the Study of Antisocial Behaviour in Youth, which comes above me in that search. No, the picture of the antisocial youth on their web site isn't of me.

This is all rather strange but to me the most bizarre thing of all is that my Second Life avatar gets two of the only six hits for "Alexander Daguerre" (with the quotes this time). I suppose if I had thought about it, I could have looked for a combination Google had no record of and had the results page all to myself. How long before people start choosing names for their children that way?

Dick Hardt at OSCON

Speaking of identity, Dick Hardt of Sxip gave a cracking keynote at this year's Open Source Conference.

If you're at all interested in digital identity (and you're not allergic to Larry Lessig's presentation style), I highly recommend taking the fifteen minutes required to watch this. It is very light on technical details, but gets across the critical differences between "old style" digital identity and the so-called "Identity 2.0" systems that are starting to emerge. It even manages to be entertaining while it does so. And the pictures of a Vancouver "Cold Beer and Wine" store bring back memories…

ACLU Pizza

I've been scanning old entries from Kim Cameron's Identity Weblog, catching up on things I missed the first time round. I'm only up to January so far, but there's a lot of good thinking in there as well as links to some gems. One of the things I hadn't seen before is an ACLU advertisement portraying a world in which the local pizza delivery company knows far more about you than they need to.

I find this to be quite a plausible and chilling picture of Identity Gone Wrong, although I'd probably worry more about those in authority having this kind of ability than about the pizza company. I'm sure there are people who would say that such things couldn't happen, and that the ACLU are being needlessly alarmist. However, as you're watching each of Kim's Laws of Identity being broken, it's quite easy to hear someone softly saying "we're doing this for your convenience" or "we're doing this for your security" in the background.


