Rainer Hörbe's blog

MAPPING at the IGF 2014

The MAPPING team held a panel session at the Internet Governance Forum in Istanbul. I commented with a blog entry, arguing that a Schengen Net is not a huge VPN, but needs to have a fundamentally different architecture.

EUSTIX: new focus team for "Mapping the Internet"

The transition into a digital society is posing a challenge for policy makers, who need to consider the competing objectives of the innovation ecosystem, consumer protection, intellectual property rights, law enforcement and privacy. Will there be different Internets: a safe one with security, accountability and redress, and an uncensored one featuring better anonymity? Would strict forms of protection of privacy, security or intellectual property rights result in an excess of repression and censorship, or discourage innovation? Would pseudonymity be a feasible compromise? Which legal and technical measures are appropriate?

MAPPING - Managing Alternatives for Privacy, Property and Internet Governance - is an EU-funded project to work out a better understanding and contribute to an enabling framework for managing the digital transition and improving the innovation climate in Europe. EUSTIX, with its cross-cutting topic of trust, privacy and identity, is participating in the project to coordinate the contribution of Austrian stakeholders.

Read more under Focus Team: Internet Governance, Privacy and IPR if you are interested in joining the discussion.

"Trust in the Digital World - Vienna 2014" Conference: 7/8 April 2014

"Enabling the Economics of Trust"
EUSTIX is coordinating this conference together with EEMA, TDL and the Austrian Chamber of Commerce. It focuses on discussion and consultation rather than presentation, and is essential for anyone involved in the digital identity debate. We look forward to welcoming you for the two days of 7th and 8th April 2014 in Vienna.


Main topics are:

  • Trust: business vs. economics vs. value
  • eID enabling new lines of business and location factor
  • Security vs. Privacy
  • Roles of government vs. private sector
  • Information Sharing (NIS, CERT)

Broker function for Service Providers in eHerkenning IDM

The Dutch eHerkenning IDM system features a 3-tier architecture with a broker between service providers and identity providers. However, the interface between the broker and the SP has several updates per year and is not fully compliant with standard SAML profiles. For smaller operators this is quite a burden.
Inter Access offers a slim broker to convert between the SP and the eHerkenning Broker, to offload the technical integration burden. At the same time it offers a single integration to the technically different DigiD federation for citizens. (Presentation at #IDN13)

Remark: LFRZ follows the same approach with the Standardportal in the upcoming version 2 of PVP in the Austrian Government-internal federation.

Swedish eID system revision

Identity.Next in Den Haag by Nils Fjelkegard:
The Swedish eID system was known in the past for relying mainly on BankIDs, and on a telco as well. In 2011 the Swedish eID board was installed, which will steer the transition to a new system. It is a complete overhaul of the system, with new purchasing structures, non-PKI credentials and the migration to a SAML 2.0 (Saml2Int profile) federation.
The current usage rate is about 300m logins per year, with 20% use by the government. The current system costs the government approx. 3 eurocent per login at this volume. The new system will probably move to subscription fees, such as per person and month, to better support high-volume services.

NSTIC Trust Framework Gap Analysis

Ken Klingenstein gave a presentation at the TERENA REFEDS meeting on the progress of the NSTIC pilot projects. A particularly interesting point is the gap analysis that the American Association of Motor Vehicle Administrators performed on trust frameworks. From the key findings:
The prescriptive TFs tended to be either excessively domain-centric or failed to take account of the unique legal status of government agencies, particularly state government; issues of sovereignty, statutory authority, liability and grant of authority will need to be fully addressed in the Project TF.

Wirtschaftsportalverbund event at the Wirtschaftskammer

Under the title "Vertrauen schaffen durch gemeinsames Management elektronischer Identitäten" (Creating trust through joint management of electronic identities), the Arbeitskreis Wirtschaftsportalverbund of Austriapro presents concepts and use cases of federated identity management. The AK Wirtschaftsportalverbund overlaps strongly with the Austrian members of EUSTIX and has complementary goals in building eID systems.

Event website

Organizer: AUSTRIAPRO
Date: 28.05.2013 13:00 - 17:00
Venue: Wirtschaftskammer Österreich, Saal 2. Wiedner Hauptstraße 63, 1045 Wien

ABA Identity Management Legal Task Force Meeting (London, Dec 10-11)

This meeting brought together lawyers and other identity experts from the EU and U.S. to discuss the legal challenges of identity management. Hans Graux and Andrea Servida presented the views from the perspective of the EC's new eID regulation draft; the U.S. perspective was presented by Naomi Lefkovitz (NSTIC). Other public sector viewpoints came from David Rennie (UK Cabinet Office Identity Assurance Programme) and the eCODEX project.
Besides the public sector efforts there are private sector services that do operate across multiple jurisdictions, although in closed systems, i.e. not addressing consumers/citizens. IdenTrust provides a trust framework that its clients use in 175 countries, and the SAFE-BioPharma framework is used by CAs that comply with both the Federal Bridge policy and the requirements to issue qualified certificates.
ISOC's Christine Runnegar shed light on the differences in data protection legislation between continents, but was unable to provide a simple, fast and consistent solution to all the consequential problems ;-)
Renaud Sorieul, Director of UNCITRAL's International Trade Law Division, explained the status of identity management in UNCITRAL. They are aware that this is an important and upcoming problem, but have not put the topic on the agenda yet. Given the available resources, UNCITRAL will need contributions from members, but could then be an appropriate forum to establish international treaties.

Consent as last resort

At today's ISOC "Federation across boundaries" meeting in Prague there was a session on "context and consent". JANET's (UK academic federation) position is interesting: do not ask for consent if it is a binary choice anyway. This is partially founded on the requirement that consent be freely given. Their best practice is to present the release of attributes to a relying party as a notification that offers the choice to continue or cancel the transaction.

Will dumb browsers become extinct with the Web Crypto API?

From the point of view of identity services, web browsers lack intelligence. The only built-in access to identity management relies on the transport layer, using TLS with client certificates, which has proved to be neither scalable nor secure in the standard case. Browsers do not know their identity providers and cannot reliably execute the cryptographic primitives of hashing, signing, verifying etc.
Multiple initiatives, including Microsoft's CardSpace, failed to mitigate the problem with plugins or active clients. OIX (driven by Google) is moving the problem to the cloud using the Account Chooser concept.
W3C, late in the game, is set to fix the problem at the source. The Web Cryptography API spec (now available as a working draft for public comment) is about extending the browser's security model at the application (i.e. JavaScript) level. By providing the user agent with operations on keys, signatures etc., it shall enable applications in the browser to achieve crypto-grade confidentiality, integrity and authenticity.
This effort has to complete the W3C process and be adopted by the browser vendors. Although this might take years, the approach is absolutely worthwhile. Please support it! It will help browsers to no longer be dumb regarding security. It won't help to filter dumb content, alas.
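What the API makes possible in page script, as an added example that is not from the blog post or from the W3C specification: an ECDSA key pair is generated inside the user agent with `extractable` set to false, the private key signs a constructed identity-provider challenge, the public key verifies it, and two checks show that a tampered challenge fails and that the private key cannot be exported to script. The challenge string is a constructed sample value; the code assumes a browser or Node.js runtime that provides `crypto.subtle` (Node exposes the same implementation under `node:crypto`).

```javascript
// Added example, not code from the blog post or the W3C spec: signing and verifying an
// identity-provider challenge with the Web Cryptography API. The private key is generated
// non-extractable, so page scripts can use it but never read it out.

async function getSubtle() {
  // Browsers and recent Node.js versions expose crypto.subtle globally.
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  // Older Node.js releases expose the same implementation under node:crypto.
  const mod = await import('node:crypto');
  return mod.webcrypto.subtle;
}

const KEY_ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIGN_PARAMS = { name: 'ECDSA', hash: 'SHA-256' };

// Generate a non-extractable signing key pair; only the public key can leave the browser.
async function generateSigningKeyPair() {
  const subtle = await getSubtle();
  return subtle.generateKey(KEY_ALG, /* extractable */ false, ['sign', 'verify']);
}

// Client side: sign the challenge received from the identity provider.
async function signChallenge(privateKey, challenge) {
  const subtle = await getSubtle();
  const data = new TextEncoder().encode(challenge);
  return new Uint8Array(await subtle.sign(SIGN_PARAMS, privateKey, data));
}

// Verifier side: check the signature against the registered public key.
async function verifyChallenge(publicKey, challenge, signature) {
  const subtle = await getSubtle();
  const data = new TextEncoder().encode(challenge);
  return subtle.verify(SIGN_PARAMS, publicKey, signature, data);
}

// Hashing, the third primitive the post names, returned as lowercase hex.
async function sha256Hex(text) {
  const subtle = await getSubtle();
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Walk through a challenge-response round trip and report the security-relevant outcomes.
async function demo() {
  const subtle = await getSubtle();
  const { privateKey, publicKey } = await generateSigningKeyPair();
  const challenge = 'idp-nonce:2d8f1c:2014-01-01T00:00:00Z'; // constructed sample value
  const signature = await signChallenge(privateKey, challenge);
  const valid = await verifyChallenge(publicKey, challenge, signature);
  // A single changed byte in the signed data must make verification fail.
  const tamperedValid = await verifyChallenge(publicKey, challenge + 'x', signature);
  // Exporting a non-extractable private key must be refused by the user agent.
  let privateKeyExportable = true;
  try {
    await subtle.exportKey('jwk', privateKey);
  } catch (e) {
    privateKeyExportable = false;
  }
  return { valid, tamperedValid, privateKeyExportable, extractable: privateKey.extractable };
}

demo().then(result => console.log(JSON.stringify(result)));
```

When run, `valid` is true, `tamperedValid` is false and `privateKeyExportable` is false: the signing capability stays inside the user agent, which is exactly the property that plugin-based active clients could not offer portably.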

RFC 6711: An IANA Registry for Level of Assurance (LoA) Profiles

Finally this RFC was published. Its intent is to provide a single normative point of reference for security policies like NIST SP 800-63, Kantara IAF and other schemes that have Levels of Assurance, Assurance Levels, Security Classes etc. This is the starting point for any mapping and interoperability exercise.

Craig Burton: SAML is dead

Craig (@craigburton) said at the Cloud Identity Summit (#CIS2012) that SAML is dead. He argues:

  • SAML is the Windows XP of Identity. OAuth is Android, OpenID Connect iOS and Shibboleth Linux
  • No funding. No innovation. People still use it. But it has no future
  • SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.

The ensuing Twitter storm gave a topic for the following analyst panel session:

Sally Hudson (IDC):

SAML will be augmented and extended. From a quantitative perspective SAML's life expectancy can be compared with age-old mainframe authentication systems: they still made 200m $ in 2011. However, there will be newer, more adapted technologies.

It will also be interesting to see how a competition between SAML and OIDC evolves. The story between SAML and WS-* stalled the federation market for a considerable time.

Steve Coplan, 451 Research:

SOAP will not stay forever, but rather be replaced by REST. SAML might not support all use cases, but will have a place to stay. It might not accommodate new architectures coming up in the next 3-4 years, like the mobile/app space.

Kantara's Global Trust Framework Survey shows that 75% of all federations in production use SAML WebSSO. (In my talk tomorrow in Track C)

My 2 cents: SAML is mature. SAML is functional and scalable for bread-and-butter business applications. For large projects in 2012 and 2013 it is still the safe bet.

Austrian eGov Federation exceeds 200 applications

The Austrian Portalverbund registered 200 eGovernment applications in the 10th year of production operation. This is number 4 in the Kantara Global Trust Framework Survey in the Relying Party category. In addition to these applications, an estimated 1500 applications are operated in the same technical infrastructure, but under bilateral agreements or in an enterprise context. This shows a clear network effect, with the majority of government employees as active users in the federation.
Portalverbund is an intra-government federation of federal, state and local government agencies and social insurance bodies. 

NSTIC moves ahead establishing a governance structure

Two months ago NIST released its recommendations on establishing a governance structure. While 12 groups worked out proposals to convene and support the Identity Ecosystem Steering Group, NIST published its own draft of definitions and by-laws to foster the discussion. This draft describes the structure, the responsibilities of roles, and the policies and procedures to support the charter that was included in the recommendations.
With the selection of pilot projects due in August 2012 and the establishment of the governance structure, the next big milestone for NSTIC is within reach.

Intel SSO: not new, but with opportunity in HW-integrated SSO

The 451 Group's whitepaper analyzes the Intel/McAfee strategy to enter the identity-management-as-a-service market. Like Symantec, Intel partners with Salesforce.com, enabling Salesforce to become an IdP.
