TCLP 2010-05-02 News

This is news cast 212, an episode of The Command Line Podcast.

In the intro, a quick update on the advertising experiment.

This week’s security alerts are Symantec’s plan to buy PGP and a massive quantity of GoDaddy-hosted WordPress sites under attack.

In this week’s news: the Cyber Privacy Act, introduced to use takedowns against personal info, along with the flaws that would go with it; a new report showing trillions contributed to the economy by fair use, with specific examples of what that means, though the point is how the report was produced; Mozilla releasing the first code for its identity system (which I briefly wrote about earlier); and “raised by Radio Shack”, inspired by a Wired article and resonating with Levy’s “Hackers”.

Following up this week: the USTR claims the official ACTA draft proves prior rumors were false, and MSIE9 will support HTML5 video but only with H.264.


Grab the detailed show notes with time offsets and additional links either as PDF or OPML. You can also grab the FLAC-encoded audio from the Internet Archive.


This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

Yet Another Open Identity Push

At RWW, Marshall Kirkpatrick describes yet another open identity effort, not surprisingly from a coalition reacting to a popular but uncooperative service. And again it is Facebook inspiring this latest competitive, open specification.

I had to visit the specification section of the XAuth site to understand how it differs from OpenID and OAuth. The main difference appears to be that this protocol is designed to allow sharing between multiple social services and multiple third-party sites without creating a combinatorial mess of code and behind-the-scenes requests. It takes a page from the PuSH spec, using a third-party hub through which “extenders”, or service providers, and “retrievers”, or client sites, communicate. It has management capabilities similar to OpenID but lacks even the simplistic identity-sharing capabilities, at least in the spec itself. I find that a bit of a step backwards in terms of more easily distributing and managing my social identity.
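To make the hub pattern concrete, here is a small model of it, added for this post rather than taken from the XAuth specification or its code. It assumes three roles named as the spec describes them (extenders, retrievers, a hub), a per-browser record on the hub holding only which extenders a browser is signed in to, and hypothetical method names (`extend`, `expire`, `retrieve`); none of these are the real XAuth API. It also counts integrations to show why the hub removes the combinatorial mess.

```python
"""Toy model of the hub pattern described above: service providers
("extenders") and client sites ("retrievers") talk through one hub instead
of integrating pairwise. Added illustration only; class names, record
shape and method names are assumptions, not the XAuth spec."""

from dataclasses import dataclass, field


@dataclass
class Hub:
    """Central broker. It holds only which extenders each browser session is
    signed in to and never sees profile data, matching the observation that
    the spec itself carries no identity-sharing capability."""
    # browser_id -> set of extender hostnames (assumed record shape)
    sessions: dict = field(default_factory=dict)

    def extend(self, browser_id: str, extender: str) -> None:
        """Called by an extender after the user signs in there."""
        self.sessions.setdefault(browser_id, set()).add(extender)

    def expire(self, browser_id: str, extender: str) -> None:
        """Called by an extender when the user signs out."""
        self.sessions.get(browser_id, set()).discard(extender)

    def retrieve(self, browser_id: str, wanted: set) -> set:
        """Called by a retriever: of the extenders it knows how to talk to,
        which is this browser signed in to? Only the intersection is
        returned, so a retriever learns nothing about services it did not
        already integrate with."""
        return self.sessions.get(browser_id, set()) & wanted


def integrations_needed(n_extenders: int, n_retrievers: int, via_hub: bool) -> int:
    """Pairwise integrations to maintain: n*m direct, n+m through a hub."""
    if via_hub:
        return n_extenders + n_retrievers
    return n_extenders * n_retrievers


def demo() -> dict:
    """Run a constructed scenario and return the observable results."""
    hub = Hub()
    # Constructed sample: browser A is signed in to two services, B to one.
    hub.extend("browser-A", "socialnet.example")
    hub.extend("browser-A", "photos.example")
    hub.extend("browser-B", "photos.example")

    # A client site that only integrates with two particular extenders.
    client_known = {"socialnet.example", "chat.example"}
    result = {
        "a_sees": hub.retrieve("browser-A", client_known),
        "b_sees": hub.retrieve("browser-B", client_known),
        "direct": integrations_needed(5, 20, via_hub=False),
        "hub": integrations_needed(5, 20, via_hub=True),
    }
    hub.expire("browser-A", "socialnet.example")
    result["a_after_logout"] = hub.retrieve("browser-A", client_known)
    return result


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the privacy boundary: the hub answers a membership question, not a profile query, and a retriever only ever sees the overlap with services it already integrates with. Anything richer, such as actually pulling profile data, has to be wired up between the retriever and each extender separately, which is exactly the gap the post notes in the spec.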

I am inferring that XAuth does, or will eventually, provide access to your social graph on an extender service. Kirkpatrick states that it will allow third-party sites to request information about you from participating social networks. It is unclear from the spec page how this will work in practice, unless it is like a combination of OAuth and OpenID such that the authentication both logs in the user and establishes trust between the service provider and the client site. I wish that were made clearer on the project page, though going by the examples Kirkpatrick shares, it has to be close to the way things will work.

If my theory is right, the social networks will be responsible for wiring XAuth into their existing account settings. I don’t find that prospect either attractive or confidence inspiring. Sure, if the specification tried to be too pushy about what implementers have to do, it would risk sluggish adoption. However, giving the providers a freer hand makes it more confusing to users about what will and will not be shared, or even whether one of their social networks is participating in this system for third-party info sharing.

As I always do with these efforts, I have to ask why existing technologies were not deemed good enough for the task. Both OpenID and OAuth have had more time to bake and to address not just the privacy issues they concede in talking to Kirkpatrick but the security issues a larval spec like this is inevitably going to exhibit. I get that OpenID and OAuth won’t scale well with a cluster of interacting sites and services, but an incremental addition of a central hub would seem less risky than building yet another spec from scratch.

Facebook Adding Identity Layer to the Web

The site Social Media Security does a good job unpacking Facebook’s plans for sharing identity info with other sites. That this is continuous with Facebook’s moves to push more data into the public doesn’t make it any less troubling. This isn’t as concerning as Beacon, but I suspect it has the potential to backfire in a very similar way.

What is worse is that theharmonyguy points out that Facebook didn’t actually have to change anything for much of your profile data to be available to other sites. Some of that is intentional, most of it is not.

I especially like his references to Kim Cameron and danah boyd. Both speak well to our more nuanced expectations around privacy and the handling of our information. To paraphrase boyd, our posting of public info is not equivalent to an expectation that the info will be publicized; making it more public violates our privacy expectations.

Microsoft Releases Open Source Identity Framework

Reading through Peter Bright’s excellent write-up of the announcement and framework at Ars reminds me very strongly of earlier research done by IBM in this space, with their Higgins trust framework. In short, the idea is to provide a means for safely sharing private data, ideally revealing no more than is necessary to drive a particular transaction.
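The minimal-disclosure idea is easier to see in code. The example below is an added illustration, not U-Prove’s cryptography and not from Bright’s article or Microsoft’s SDK: it uses salted hash commitments for the attributes and an HMAC as a stand-in for the issuer’s signature, so that a holder can reveal one attribute (here an assumed `over18` flag) while a verifier still checks it was issued. All names, the attribute set and the issuer key are constructed for the example.

```python
"""Minimal disclosure with hash commitments: an issuer vouches for a set of
attributes; the holder later opens only the attribute a transaction needs;
the verifier checks issuance and the opened value. Added example, not
U-Prove (which uses blinded, unlinkable tokens rather than these
primitives). Names and values are constructed."""

import hashlib
import hmac
import os

# Stand-in for an issuer signing key. With HMAC the verifier must share it;
# a real scheme would use a public-key signature so it need not.
ISSUER_KEY = b"constructed-issuer-secret"


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted SHA-256 commitment to one attribute; hides the value until opened."""
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()


def sign(commitments: dict) -> str:
    """Issuer tag over the full, sorted commitment list (order fixed so the
    holder cannot reorder or drop attributes without invalidating the tag)."""
    msg = "|".join(f"{k}:{commitments[k]}" for k in sorted(commitments)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue(attrs: dict):
    """Issuer side: commit to every attribute and tag the commitments.
    Returns (salts, commitments, tag); the holder keeps the salts private."""
    salts = {k: os.urandom(16) for k in attrs}
    commitments = {k: commit(k, v, salts[k]) for k, v in attrs.items()}
    return salts, commitments, sign(commitments)


def present(attrs: dict, salts: dict, commitments: dict, tag: str, reveal: list) -> dict:
    """Holder side: send all commitments (so the tag is checkable) but the
    value and salt of only the attributes being revealed."""
    return {
        "commitments": commitments,
        "tag": tag,
        "opened": {k: (attrs[k], salts[k]) for k in reveal},
    }


def verify(presentation: dict, required: list) -> bool:
    """Verifier side: tag must match over all commitments, and every required
    attribute must be opened and consistent with its commitment."""
    if not hmac.compare_digest(sign(presentation["commitments"]), presentation["tag"]):
        return False
    for k in required:
        if k not in presentation["opened"]:
            return False
        value, salt = presentation["opened"][k]
        if commit(k, value, salt) != presentation["commitments"][k]:
            return False
    return True


def demo() -> dict:
    """Issue constructed attributes, reveal one, and try two bad presentations."""
    attrs = {"name": "A. Person", "dob": "1980-01-01", "over18": "yes", "postcode": "00000"}
    salts, commitments, tag = issue(attrs)

    honest = present(attrs, salts, commitments, tag, reveal=["over18"])
    # Holder tries to open a different value than was issued.
    tampered = dict(honest, opened={"over18": ("no", salts["over18"])})
    # Holder reveals something unrelated and omits the required attribute.
    missing = present(attrs, salts, commitments, tag, reveal=["postcode"])

    return {
        "ok": verify(honest, ["over18"]),
        "tampered": verify(tampered, ["over18"]),
        "missing": verify(missing, ["over18"]),
        "revealed": sorted(honest["opened"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two things this toy deliberately does not solve, and which the real framework is about: the commitments are the same on every presentation, so two verifiers can link the holder’s transactions, and the issuer can recognize its own commitments if it later sees them. Unlinkability between issuance and presentation is the hard part, and it is why U-Prove is more than salted hashes.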

Beyond the wealth of detail Bright digs out, he also links to an hour-long presentation by Dr. Stefan Brands, who created the framework, U-Prove, and to a free book available for download. Identity is an area where I actually am impressed with the caliber of talent Microsoft has been able to attract and the interesting research they have produced. As Bright points out, this hasn’t always led to successful products, but that doesn’t diminish the thought leadership in the space.

U-Prove is not likely to succeed in the wild much better than its predecessors, at least initially. The article has a pretty clear explanation of the chicken-and-egg problem, or reverse network effect, that has to be surmounted first. I am more optimistic than the author, though, as we have a few examples that have managed this difficult feat: OpenID and OAuth.

My other concerns, about Microsoft using a promise instead of a license or grant, are tempered by the very clear nature of the Open Specification Promise as irrevocable. The SDKs being provided also use a very permissive BSD license. The languages supported, C# and Java, aren’t necessarily the best to help with techie adoption, but may provide fodder, if there is sufficient interest, to re-implement in other languages.

The State of OAuth

David Recordon has a good state-of-OAuth post on O’Reilly Radar, which he developed with Chris Messina, Dick Hardt and Eran Hammer-Lahav, leading lights in Identity 2.0 all. He clarifies some of the recent concerns over the authentication system and tours recent developments and the roadmap ahead.

In particular, the development of OAuth WRAP sounds like the solid sort of grok-and-simplify step that is critical to the maturation not just of a technology but of a specification. Streamlining is key to further pressing adoption and in this case driving up the median security of cooperating web applications.

David and company clearly understand this, given how clearly it informs the incremental progress through WRAP on into the spin-up of version 2.0. Here’s to more and better OAuth in 2010.