Not-so-ancient Proverb (a.k.a Goofing off on a Friday afternoon)
Friday, September 29th, 2006

“Never get too busy for a good haircut.” — Bill Clinton
[Images: before and after]

Archive for September, 2006

Real Life Trust and the Mess that it is (too)
Monday, September 25th, 2006

Mark Wahl got me thinking last week, with his second post on trust and the mythology of PKI. Often, when involved in discussions around online trust, I hear the sentiment “if only we could do it as well as they do in the real world”. When expressed, it is always greeted with nods of acceptance; as if we can all just move on to saving some other part of the little ‘ol world if we could just hit such a milestone as emulating real world trust.

But what of the real world, this supposed Elysium of trust bliss? Nobody assumes that cash can’t still be counterfeited. Nobody assumes that passports and driver’s licenses and birth certificates can’t be obtained fraudulently. Nobody thinks that elections can’t be rigged. People get away with all sorts of crimes in the real world, by successfully creating trust relationships that are then abused. We certainly haven’t been able to abandon a vigilant stance in the real world, and I don’t suppose we ever will. So what is it that evokes such reverence in the techie world for real world trust?

Let’s take an example from Mark Wahl’s post. I’m not sure he meant to contrast the two in exactly the way that I’m about to contrast them – but nevertheless, let’s compare the “Trusted Root authority” list on the Windows platform, to the “Trusted Adult” list that Mark pointed to in his post (I’m not sure if this list was taken verbatim from the Netsmartz site, or whether Mark paraphrased – I was unable to see such a list on the Netsmartz site, but I may have simply overlooked it).

As a very simplistic definition, the ‘Trusted Root Authority’ list contains a list of entities that may issue certificates which, when successfully validated by the browser, will result in a “closed lock” icon such as this:

The theory is that while you can’t necessarily count on those certificates to be used in good faith, you should be able to count on the certificates being issued in good faith — and that introduces some level of accountability into the whole affair. There is one extra level of assurance in a certificate that chains to a member of the ‘Trusted Root Authority’ list.

This is a similar concept to many of the members of the ‘Trusted Adult’ list that Mark Wahl talks about. By the documented definition a ‘Trusted Adult’ can be

Obviously, proof of list membership shouldn’t be sufficient assurance to place trust in all cases, just as a little closed lock icon with a blue background shouldn’t be sufficient assurance, a point that Mark makes in his post.

When someone displays a police shield, they are evoking a chained certification – but the fact that the person has been issued a badge does not mean that they aren’t a criminal, it only means that in committing a crime they are, in addition to breaking the law, also breaking an agreement that they had with the certifying authority. Possession of a badge gives some amount of assurance to citizens who must decide whether to comply with orders from an individual based on the strength of the backing authority that the person represents, combined with a risk assessment as to what due diligence was done by the certifying authority to ensure that the extra assurance is properly placed. The badge also provides accountability, in case the individual acts in a manner not in accordance with their authoritative position.

Seems to me that the lists have a lot in common. With regard to the online list, Mark says:

This exact thing happens all the time in the real world. You place initial trust in a cop because you trust the agency he/she represents. You place initial trust in a priest because you trust the agency he/she represents. You place initial trust in a teacher because of the agency he/she represents. But the ‘Trusted Adult’ list cannot be the only metric you use, because these positions have been abused, and because sometimes bad people gain positions of authority. That is life, in the real world and online.

Any trust list can only be the first step in a cautious ritual that only the person living it can undergo. No matter how perfect the system might get, people will need to know how to keep themselves safe, and the more they know and understand the tools at their disposal to expose the bad guys of the world, the safer they can be. They have to be street-smart, discerning and skeptical. Trusting someone/thing after validating their credentials is not perfect, but it is still better than trusting them without validating their credentials. Trust is not simple, and vigilance is required no matter what – all you can do is use the tools at hand to filter out as many of the bad guys as you can. People who don’t understand or use the tools are more at risk.

For example – recently a 14-year-old girl endured 10 days in a hole suffering at the hands of a psycho because she didn’t or couldn’t discern that the hand-drawn police insignia on his shirt was not the real thing. Note that this crime occurred in spite of whatever measures might have been taken by the local police force to ensure that their credentials could not be counterfeited, stolen, or fraudulently obtained. I can see no way in which the police force could have prevented this poor assignment of trust.
The psycho used the most grossly low-tech mockery of a credential to pose as a member of the ‘Trusted Adult’ list, but it worked – if only the girl had even superficially validated his credentials, she might have had a warning that something might be wrong. She needed to know what to do in such a case, and her lack of knowledge of the tools at her disposal cost her terribly. The only way to prevent these kinds of attacks is to raise awareness and improve the sophistication of the general populace.

My point here is that we on the technology side can’t do everything. We can only make things harder in the cases where a sophisticated attacker tries to remove the warning signs that a savvy user might recognize. No matter how good our technology gets, poorly educated users will still be at risk. We need to help them understand who to trust, in real life and online, because at the end of it all, whether we are trusting an internet banking website or a chat room pal or a man with a shiny brass badge, we are making a personal choice that has risk attached to it, and nobody can make all of the risk go away…

Trust is not a destination, it is an ever-changing journey. In the real world and everywhere else.

DIDW 2006 Thoughts
Sunday, September 17th, 2006

Well, DIDW 2006 has been over for a couple of days. Here are my slightly schizophrenic thoughts, now that I’ve had a chance to go over my experiences:

This year marked a big change in topics of discussion. There was a lot of ‘deployment experience’ content, the content on which IT personnel make their case for the expense of attending the conference in the first place. I did not, however, hear a lot of hallway discussion surrounding provisioning, or single sign-on. Not even much discussion around (passive) federation. There was a lot of interest in user-centric technologies, but my impression was that the interest was in personal application first and foremost.
What I mean by that is that it seemed that many attendees identified as a user more than as an IT shop. It isn’t surprising, really – the B2C advantages are obvious, and the technology itself is just plain fun to geek out on. Plus, I think that the personalities involved in user-centric technologies make it hard to not want to find out more. That kind of pioneering passion and enthusiasm is easy to find enticing.

Luckily, on Thursday Ping helped to bring the user-centric stuff more officially into the realm of usefulness for the DIDW demographic with their presentation on Understanding Infocards in an Enterprise Setting. By talking about “passive” and “active” federation, they introduced a simple way to contrast the 2-party system vs. the 3-party system. How nice to have a way to characterize what is happening and to help make decisions about when user control is desirable within and at the borders of the Enterprise. Also during that presentation, Ping announced that Ashish Jain’s Managed Card IdP implementation will be open sourced. I’m very happy about that and can’t wait to play!

On the vendor floor, I saw at least three different vendors demonstrate use of some combination of Infocards and OpenID. It didn’t look like the big deal that it was; to be honest, it all just looked to me like such options had always been there. It seems obvious as well that the number of login options will hit a natural limit. Three options (for example OpenID, Information Card, Username/Password) is a nice number — how many more can be added before it gets confusing? I’m interested to watch and see who wins the login form real estate war, and when the war starts not just in proof of concept, but in reality.

I was hoping to see a deployment presentation from a Liberty member this year, detailing their rollout of ID-WSF. Was it too soon? Am I allowed to make a request for next year?

One thing I think was lacking was a central place for everyone to get together at night.
The theory was that this place was the vendor floor, and there were receptions planned there on Monday and Tuesday night — but the problem was that people had to leave to get food, since there were only appetizers at the reception. Once everyone splintered up to eat, they stayed splintered. There just wasn’t a sense that it was a party… I thought that the gambling theme of DIDW in Denver was a much more social event, even if I did suffer the indignity of lasting less than .05 seconds on the electronic bull :-)

All in all, DIDW 2006 was entertaining and educational. I liked the pairing of IOS with DIDW — kudos to the organizers of both events for thinking to team up. I think that IOS provided excellent grounding for later DIDW talks. Next year DIDW will take place in San Francisco – I hope I’ll be there to do it all over again…

Easy/Hard Questions about CardSpace
Wednesday, September 13th, 2006

Those of you who weren’t able to get to the Identity Open Space Meeting in Santa Clara, California on Monday, you missed out! There were only 5 time slots for talks, which resulted in some tough decisions where two interesting talks happened at the same time…

There were two CardSpace-related talks, one of which I hosted and one of which I took notes for. The notes from the two sessions are now on the IOS wiki here and here.

The first talk was entitled ‘Easy Questions about CardSpace’, and was hosted by Bill Barnes. It was a full-contact kind of talk, with many other members of the CardSpace team present and pitching in to help people get an idea of the technology. I tried to paraphrase as many of the questions as possible for the wiki; if any of you were present, it would be nice to have my perceptions of the questions & answers sanity checked, just in case I am misrepresenting anything.

The second talk was entitled ‘Hard Questions about CardSpace’ – thanks very much to Bob Blakley, who somehow managed to take lightning fast notes while being a very active participant as well!
We had a number of members of the CardSpace team up front, and they fielded a varied and lively set of inquiries. I think some interesting topics were surfaced that were of benefit both to the participants and to the CardSpace team too. I encourage you to check out the notes.

I also attended other great sessions – one on OSIS and also a primer detailing what OpenID, i-names, and Higgins do. The quality of the content was extremely high.

The Digital ID World conference is underway as we speak. The highlight for me so far has been the vendor floor – it is truly amazing to see what new things are coming down the pipe. Most of the demos I’ve seen have a triple authentication login page – i.e., you can choose whether to use username/password, information cards, or OpenID. That seems very civilized to me, and I think that this unified acceptance of multiple authentication methods gives customers a very cozy sense of stability.

I’m eagerly awaiting a talk later today entitled “Understanding infocards in an Enterprise Setting”, with Kim Cameron and Ping’s Patrick Harding. I’ll let you know what happens…

Vacation Brain
Thursday, September 7th, 2006

Paul, Dave, you’re both right about nothing detracting from deep thinking up here — because the kinds of places we get to go when we take even a short break inspire deep thinking, rather than distracting from it… Still, it’s hard to get back into the swing of city things after a whole week out there :-)