Identity and Privacy - Page 4

Sun’s OpenID IdP: Business Purpose

Part of a series on Sun’s OpenID@Work initiative; see the introduction for more context.

One of the interesting things about security is that you can never make anything 100% secure. You need to figure out what the risks are, how likely they are to occur, and what the damage will be if something bad does happen, and then make your plans accordingly. In most countries I’ve lived in, that means putting locks on the house doors and using them; in Canada we also have a security alarm but none of the apartments I lived in in Germany had one. Different countries, different risks (houses are often easier to break into than apartments that aren’t on the ground floor), and different plans for minimizing risks.

So it is with computer systems, and with the OpenID IdP we put up. The amount of effort that is worth putting into securing a system depends on how important the system is, and what the expected damage is if something goes wrong. So in the formal security review of the system, one of the first questions was, what’s the purpose of this system? How does that purpose balance the risks of running it? Any time you make information available via the web, there is a risk that the information will be stolen or compromised so you need to know where that might happen, what the probability is of it happening, what the expected damage is, etc.

The business purpose for the OpenID IdP was, and still is, to gain experience in using OpenID, and to make openid identifiers available for Sun employees on an experimental, opt-in basis. Sun employees do not use OpenID for any mission-critical or important business applications within Sun. A couple of the reasons for that are that this is an experimental service, that is not guaranteed to be available 24/7, and with limited user support. OpenID is also an untrusted protocol. It has some well-known susceptibilities to phishing and other attacks, only some of which can be mitigated by good programming (at least in version 1.1, the version we deployed since 2.0 isn’t finished yet). So this service that we put up was expressly made available to Sun employees for their personal, not business use. The fact that it also guarantees that a person with an authenticated openid.sun.com OpenID is a Sun employee is almost a side-effect. We thought that maybe some consumer sites (or relying parties) might offer special deals for Sun employees, or whitelist advantages, but we haven’t seen any yet. Yes, we’re on the whitelist at AOL, but I’m not sure what advantage that’s going to bring.

So, what are the results of our experiment? If you look at it in terms of what our little project group learned in terms of putting up an experimental test deployment, it was great. I got to play around with OpenSSO code and learn more about load balancing than I did previously. (As a reminder, OpenSSO is open source, as is the OpenID extension we used, so feel free to download them and try them out.) We get a lot of queries from people both within and outside of Sun wanting to know what OpenID is about, how it works, what people use it for, all of which we can answer on the basis of “well, in our deployment it looks like this”.

In terms of how many people actually use the service each week? Well, that number is pretty low. Under 35 accesses of some consumer site (relying party) per week, most weeks. I have my own theories as to why this is the case; the most obvious to me is that it’s harder to use OpenID than the alternative username/password approach. On all the sites I use that are OpenID-enabled, I need to have an account already and then can use my openid identifier as an alternative means to log in. But if I already have a username and password stored in my browser, it’s only one click to use that, whereas to use my openid identifier, I have to click on the icon, fill in the openid identifier, wait until it redirects, sign in at the Sun OpenID IdP, wait until it redirects again… it just takes a lot longer. Being the paranoid type that I am, I have added my openid information to some of these sites so that if I forget my password, or lose it when I reinstall the OS, I have a back-up login method, but that’s not reason enough to use my openid identifier regularly. In the absence of some special deal for Sun employees, or a site enabling login without registration, there just isn’t enough motivation for me to go through those extra steps.

Getting back to the risk and security issue, we did make the system secure for the things we thought really important. We are using commercial-grade software (OpenSSO is the open source variation of Access Manager) to keep people’s information secure, and users are not allowed to use the same user name or password that they use for Sun’s internal systems, just in case they’re stolen by some rogue site. We use HTTPS for everything except the openid identifier itself and the system has been tested to ensure it responds appropriately to a number of expected exploits. So users don’t have to worry about their information being compromised, as long as they don’t give it away themselves. The one weak spot is that we use password-based authentication, which is more susceptible to phishing than some other systems; more about the reasons for that in a later post.

Sun’s OpenID IdP: Introduction

This is the first of a series of posts on Sun Microsystem’s OpenID@Work service, which is an OpenID Identity Provider available for use by Sun employees.

[Update: I was asked what the purpose of these postings is — it’s simply to share our experiences in the hope that they’re helpful to others.]

I was part of the team that put up the OpenID Identity Provider. I wrote a lot of the pages, revamped Sun’s default style sheet to work with the HTML I wanted on the pages, and took part in all the discussions about policies and security. I’m also the “data steward” for the IdP, responsible for ensuring that our policies regarding data privacy are carried out. Given that range of tasks in the project, it’s no surprise that when we divvied up the areas for blogging, I picked the policy questions, and other people on the team will blog about other areas. We’ll be cross-linking to each others’ posts, of course. For example, here’s Gerry’s introduction.

One of the good things about working for Sun is that there are a lot of people with relevant expertise, who also understand the need to be flexible. We spent a lot of time discussing the user policy with the people in the Chief Privacy Office (who also let me write it in language people can understand), we had security experts review not only the deployment but also the OpenID specification (they’ll be blogging more on those aspects themselves), and on the technical side many people went out of their way to help. As an example, I spent most of one weekend trying to figure out a weird MIME type problem with the web server with Murthy Chintalapati (aka cvr), him emailing “try this”, me emailing back “nope, didn’t work” until we eventually solved the problem. In this series I’m going to be talking about a few of the issues we discussed, and how we resolved them. This is not to say we came up with perfect solutions, or that they are necessarily applicable to other companies or circumstances, but at the very least they will give you things to think about if you’re considering a similar project.

We were heavily influenced by Sun’s experience with blogging, to the extent that many of our discussions about “should we do this” were answered by “blogs.sun.com did it successfully and here’s how”. The similarity between the user policy documents is no coincidence, for example.

If you’re looking for technical documentation on Sun’s OpenID system, try Hubert Le Van Gong’s infrastructure description and OpenID @ Work — Architecture.

Privacy and Identity

One of the better pieces on identity and privacy that I’ve read recently, and well worth everyone reading, whether you do anything much with identity management or not, is from David Weinberger. Identity management in an unequal world discusses how when signing up for things is easier, people can take advantage of that to ask us to sign up more often, to give more information than we really need to. I’ve been well trained at Sun to ask now why anyone needs the information they’re asking for. Can’t they do with less information? What are they going to do with it? These are the basic questions everyone needs to ask every time some web site or shop asks for personal information of any sort, basically why do they want it and why do I need to give it? If more people ask the reason why, maybe fewer companies will be needlessly intrusive.

Naming Names

Phil Karlton said (at least once in my hearing anyway) that naming things was one of the two hard tasks in computer science (reading X Toolkit Intrinsics — C Language Interface, to which he contributed, will give you some idea why he said it); I discovered the truth of this yet again when writing the FAQ for our Identity Provider for OpenID. In this case, it was even more convoluted, being about what to name the thing that names names.

When a Sun employee signs up at the Sun IdP there is no necessity for them to put their real names in the fields marked “first name” and “surname”; they can use a fictitious name if they choose (or put nothing at all). In common English, this fictitious name is often called a pseudonym. The various dictionary.com definitions of pseudonym would seem to fit this usage very well, so I was preparing to use it in the FAQ. Except for, it turns out that those steeped in identity management terminology tend to find that plain-English usage of the word confusing.

In SAML, for example, a pseudonym is defined as A privacy-preserving name identifier assigned by a provider to identify a principal to a given relying party for an extended period of time that spans multiple sessions; can be used to represent an identity federation. In Liberty Alliance work, the definition is An arbitrary identifier assigned by the identity or service provider to identify a Principal to a given relying party so that the name has meaning only in the context of the relationship between the parties. The same or similar meaning is used within WS-Security (the user identity [is] provided in a SAML assertion as a pseudonym) and WS-Federation (A pseudonym service allows a principal to have different aliases at different resources/services or in different realms, and to optionally have the pseudonym change per-service or per-login).

So in order to make life easier for those poor, easily confused identity management experts, I’ll be using the term “fictitious name” in the FAQ, where I would otherwise have used “pseudonym”, an added cost of one letter and one word per usage. I hope they appreciate my efforts to help them.

Sun and OpenID

I’ve been heads-down on a project which was just announced (though not yet up and running, so I’m still working hard with the rest of the team on final details) about Sun putting up an OpenID IdP (identity provider). The idea is that this IdP will verify that the person using an OpenID of the form http://openid.sun.com/username is a Sun employee. Everything else is self-asserted, so people can use pseudonyms and non-Sun email addresses, but they will be a Sun employee. It’ll be interesting to see what happens and how we can use it, once it’s live. That info will be posted to developers.sun.com/identity as soon as the IdP is up and running.

I’ll be posting some technical details of what I’ve been doing, and some tips and tricks to help someone else take the OpenSSO code and customize it; others on the team will be blogging about their pieces.

It’s been a fun project and it will be even more fun seeing what people do with it. We’re using the tag sunopenid, or you can follow along on Planet Identity.

Privacy in the Internet Age

Darren Barefoot has some interesting thoughts about privacy in the internet age and the way in which today’s north american teenagers are growing up posting everything about their lives on the internet. Up till now, most of the discussion I’ve read on the subject has revolved around the effects on future careers of posting potentially embarrassing stuff on the web. Derek Miller points out that bosses will also have embarrassing stuff up on the web, although there will still be a generation gap there for some years until those future bosses become bosses (assuming that most bosses will still continue to be older than many of the people they employ).

We’re starting to discern the outlines of some likely effects of this now. For example, if I get an interesting email from someone I haven’t heard of, I’ll look them up in Google or Yahoo search, or LinkedIn. I don’t necessarily ignore the email if I don’t find any information about the person, but I can see that happening in the future — if you don’t exist in search engines, is that going to be considered weird?

Finding people I’ve lost touch with is getting easier every year, as long as they haven’t changed their name. I’ve managed to track down old friends, and others (who did change their name after marriage) have managed to track me down. Mind you, I’m relatively easy to find.

One effect I’m wondering about is on politicians: currently politicians either have to be squeaky clean, or good at hiding things the electorate might not like to hear about. Rudy Giuliani’s personal life includes three marriages and gay friends, all well-documented; in previous years this would have made a presidential campaign basically impossible. Now it just makes it more difficult, or maybe it’s just discussed more; in future years when more information is available about everyone on the internet, and hiding these things is going to be impossible, will voters be more accepting?

One interesting aspect to this is how little information is available about Google’s founders — and more than a little ironic, given how easy they’ve made it to find information about other people. An article on Mother Jones, via Bruce Schneier, has more.