A precise analysis of the situation we are in is given by Chris Palmer, Seth Schoen and Peter Eckersley in It’s Time to Fix HTTPS.  They make some key points that I would like to see stressed more in the discussions:

  1. Usability is the number one problem for security on the Internet
  2. The security model for browser PKI certificates is not properly understood by users, developers or administrators.
  3. SSL certificates are subject to some perverse incentives that lower the real security

I like the statement about security:

  • If people don’t understand it, we engineered it wrong.

and the more realistic statement

  • Let us start by making a security model that requires only one advanced degree to understand.

Whether the solution proposed in the presentation is a good one, I do not know.  Any solution that trusts ever-changing sources runs the risk of being gamed.  Any static solution runs the risk of not being updated.

I hope the last statement about making something that requires only one advanced degree is possible.  The current use of SSL certificates is what I regard as

  • The server promised to encrypt your communication, and they may be who they claim to be (but check out of band if you really care)

For the first time there has been a major study of ICT usage in Norwegian higher education, to complement the biannual ITU Monitor that has been conducted since 2003 for primary and secondary education.

The main finding is that there is great variation in use of ICT in higher education.  Some factoids:

  • 92% of lecturers publish their lecture notes (slides) for the students in their class.  Lecturers make a real effort to share information?
  • 97% of students find lecture notes useful.  The lecturers’ effort to share information is appreciated?
  • 85% use a learning management system for their teaching/learning, most students use LMS for handing in assignments.  LMS works for managing learning, facilitates the learning administration?
  • Students depend on SMS as their primary mode of communication.  Cell phones really are body parts for students?
  • Staff depend on email for communication with other staff, but the majority use LMS-messages to communicate with students.  Does this indicate that communication patterns are moulded by work needs, or just an age differential?
  • There is no age difference in the staff use of ICT or attitude towards ICT.  Contradicts earlier studies, but aligns with the need to use ICT to get the job done?
  • 4% of lecturers regularly publish sound/video of the lectures online, 9% publish some lectures.  High profile, but still early stages?
  • Student use of presentation tools (PowerPoint etc.) disappears as students go from secondary to higher education.  Learning patterns change?
  • Institutes with ICT in their strategies have higher usage and more varied use of ICT than other institutes.  Think about what you do, and what you change?

The different communication modes are interesting to note; I wonder how that will continue to play out as cell phones get integrated into the rest of the Internet.

Students spend on average:

  • 10.4 hours/week on personal ICT
  • 1.7 hours/week on ICT use during teaching activities
  • 9.4 hours/week on ICT-supported studying

Students spend over 20 hours/week using ICT.  Given that they also on average spend 9 hours/week earning wages, the high use of ICT forms a large part of students’ lives.

There are more facts on the split in services used by staff and students, and this will impact federation services.  That information will have to wait for another day.

Pair in facts beats house of guesswork, to quote one of my colleagues.

Equal access to information and open standards are important to ensure free communication.  The Norwegian government has mandated standards for use in the public sector, some highlights are:

  • ISO 10646 character set, as represented by UTF-8.  Mandatory for all new ICT projects effective immediately, unless there are really special needs.  From 1.1.2012 to be used for all information exchange.
  • Email attachments containing documents should use PDF or ODF as of 1.1.2011.
  • Upgrading ODF version to 1.1 from 1.1.2010 for documents
  • All central web pages are mandated to use open formats for multimedia content
    • Video: Theora/Vorbis/Ogg or H.264/AAC/MP4
    • Sound: Vorbis/Ogg, MP3 or FLAC/Ogg
    • Pictures: JPEG or PNG

The character set and representation have been debated, but something was needed in order to include support for all the Sami languages and their character sets, as well as support for foreign character sets.  Internationalization of society leads to a greater need for representing names and other information in the correct way.  UTF-8 is one representation, and it is not the worst.
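To make the "support for all the Sami languages" point concrete, here is an added example (my own, not part of the standards catalogue or of any government code) that checks whether constructed sample names survive a given encoding, normalizes them for storage and comparison, and refuses byte strings that are not valid UTF-8.  The sample names and the list of encodings are assumptions for the illustration; ISO 8859-10 is included because it was the Nordic single-byte charset that covers Northern Sami but not every Sami language.

```python
# Added example (not from the original post): why a single-byte charset is not
# enough for "all the Sami languages", and how to handle names safely in UTF-8.
import unicodedata

# Constructed sample names. The first three use Northern Sami letters (Á, Č, Ŋ, Ŧ, ŋ);
# the last one uses Ǩ (U+01E8), a Skolt Sami letter that ISO 8859-10 does not have.
SAMPLE_NAMES = ["Áile Čuovvumas", "Ŋávdnat Ŧiŋa", "Ole Nordmann", "Ǩeâlaj"]  # constructed


def representable(text: str, encoding: str) -> bool:
    """True if every character of text exists in the given encoding."""
    try:
        text.encode(encoding)
        return True
    except UnicodeEncodeError:
        return False


def coverage_report(names, encodings=("latin-1", "iso8859-10", "utf-8")):
    """For each encoding, can it carry *all* of the names?"""
    return {enc: all(representable(n, enc) for n in names) for enc in encodings}


def normalize_for_storage(text: str) -> bytes:
    """Canonical form for storage and comparison: NFC, then UTF-8.

    NFC matters because 'Č' may arrive as one code point (U+010C) or as 'C'
    followed by a combining caron; without normalization the same name compares
    unequal, which breaks account matching and deduplication."""
    return unicodedata.normalize("NFC", text).encode("utf-8")


def decode_strict(data: bytes) -> str:
    """Reject invalid UTF-8 instead of silently replacing bytes with U+FFFD."""
    return data.decode("utf-8", errors="strict")


if __name__ == "__main__":
    for enc, ok in coverage_report(SAMPLE_NAMES).items():
        print(f"{enc:12s} covers all sample names: {ok}")
```

Run stand-alone it reports that only UTF-8 carries every sample name; the strict decoder is the part worth keeping in any input path, since replacement characters in a name silently corrupt the very information the standard is meant to preserve.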

Dare one hope for SAML 2.0, preferably with an eGOV profile, for inclusion in the next update of the standards catalogue in a couple of years?  We should prepare for that situation!

Trying to wrap my head around the concepts introduced by Kim Cameron, Kai Rannenberg and Reinhard Posch in Proposal for a Common Identity Framework.

Kim Cameron is blogging about definitions for a common identity framework, explaining the concepts behind the paper.

Their definition for user centric is interesting:

User-centric: Structured so as to allow users to conceptualize, enumerate and control their relationships with other parties, including the flow of information.

The work in Feide on consent, consent management and revamping user interfaces falls nicely into this definition. When the goal is to give users control over their relationship and give them tools to conceptualize the existing relations, we ended up with the federation Innsyn. I do not fully understand what is implied by “enumerate relationships”, but assume that this is similar to the consent management. It is interesting to note that user centric solutions can be achieved both on the client and server side of the traditional server-client model for services, but in order to do server side user centric solutions, the user must be given tools on the server side.
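The “enumerate and control their relationships, including the flow of information” part of the definition maps well onto a consent store.  The following is an added example of my own, not Feide’s or Innsyn’s code: a user can list every service they have a relationship with and what it receives, revoke one, and attribute release is filtered against that consent.  The service identifiers, the attribute values and the attribute names chosen for the sample (eduPerson and norEdu schema names) are constructed for the illustration.

```python
# Added example (not Feide's or Innsyn's code): a minimal consent store giving the
# user enumeration of, and control over, which attributes flow to which service.
from collections import defaultdict


class ConsentStore:
    """Per-user record of consented attribute flows, keyed by service provider."""

    def __init__(self):
        self._consents = defaultdict(dict)  # user -> {sp_id: set(attribute names)}

    def grant(self, user, sp_id, attributes):
        """User consents to releasing these attributes to sp_id (adds to any earlier consent)."""
        self._consents[user].setdefault(sp_id, set()).update(attributes)

    def revoke(self, user, sp_id):
        """Remove the relationship entirely; later releases to sp_id get nothing."""
        self._consents[user].pop(sp_id, None)

    def enumerate(self, user):
        """The user's view: every service they have a relationship with and what it receives."""
        return {sp: sorted(attrs) for sp, attrs in self._consents[user].items()}

    def release(self, user, sp_id, requested, available):
        """Attributes actually sent: requested by the SP, held by the IdP, and consented
        by the user. Returns (released, withheld) so the withheld list can be shown
        to the user rather than silently dropped."""
        consented = self._consents[user].get(sp_id, set())
        released = {a: available[a] for a in requested if a in consented and a in available}
        withheld = sorted(a for a in requested if a not in released)
        return released, withheld


# Constructed sample data: what the identity provider holds about one user.
AVAILABLE = {
    "eduPersonPrincipalName": "alice@example.edu",
    "eduPersonAffiliation": "student",
    "mail": "alice@example.edu",
    "norEduPersonNIN": "01010112345",  # constructed, deliberately never consented
}


def demo():
    """Walk through grant, release with an over-broad request, enumerate, revoke."""
    store = ConsentStore()
    store.grant("alice", "library.example.edu", {"eduPersonPrincipalName", "eduPersonAffiliation"})
    # The library asks for more than the user consented to; the NIN is withheld.
    released, withheld = store.release(
        "alice", "library.example.edu", ["eduPersonPrincipalName", "norEduPersonNIN"], AVAILABLE
    )
    relations = store.enumerate("alice")
    store.revoke("alice", "library.example.edu")
    after_revoke = store.release("alice", "library.example.edu", ["eduPersonPrincipalName"], AVAILABLE)
    return released, withheld, relations, after_revoke


if __name__ == "__main__":
    for item in demo():
        print(item)
```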

Another interesting concept in the paper is that not all assertions are true (but all Cretans are liars?)

It is key to the document that claims are assertions by one subject about another subject that are “in doubt”. This is a fundamental notion since it leads to an understanding that one of the basic services of a multi-party model must be “Claims Approval”. The simple assumption by systems that assertions are true – in other words the failure to factor out “approval” as a separate service – has led to conflation and insularity in earlier systems.

Being able to sort out assertions into claims and credentials may help us think more clearly about the security needs. In psychology we learn that children know the difference between true and false at the age of three or four, but in this case the security community has taken a few more years to sort out the issue. I wonder what that says about the maturity of our understanding?
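What “factoring out approval as a separate service” looks like in code, as an added example of my own (not from the paper, and not Feide’s implementation): the relying party never acts on an assertion directly; every incoming claim is a Claim object “in doubt” until an approval step has checked that the issuer is trusted, that it is authoritative for that attribute, and that the value is within the permitted set.  The trust policy, issuer names and sample claims are constructed; the attribute names reuse the eduPerson schema.

```python
# Added example (not the paper's or Feide's code): claims approval as a separate
# service. Assertions arrive as claims "in doubt"; only approved claims reach the app.
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    issuer: str      # who made the assertion
    subject: str     # whom it is about
    attribute: str
    value: str


# Hypothetical trust policy (constructed): which issuers this relying party
# accepts as authoritative for which attributes. Anything outside it is refused.
APPROVAL_POLICY = {
    "idp.example.edu": {"eduPersonPrincipalName", "eduPersonAffiliation"},
    "studentweb.example.edu": {"courseEnrollment"},
}

# Optional per-attribute value constraints, also constructed for the example.
VALUE_RULES = {
    "eduPersonAffiliation": {"student", "staff", "faculty"},
}


def approve(claims, policy=APPROVAL_POLICY, value_rules=VALUE_RULES):
    """Split claims into approved and rejected; each rejection carries a reason for logging."""
    approved, rejected = [], []
    for c in claims:
        allowed_attrs = policy.get(c.issuer)
        if allowed_attrs is None:
            rejected.append((c, "issuer not trusted"))
        elif c.attribute not in allowed_attrs:
            rejected.append((c, "issuer not authoritative for attribute"))
        elif c.attribute in value_rules and c.value not in value_rules[c.attribute]:
            rejected.append((c, "value outside permitted set"))
        else:
            approved.append(c)
    return approved, rejected


def effective_attributes(claims):
    """Attributes the application may act on: only approved claims contribute."""
    approved, _ = approve(claims)
    result = {}
    for c in approved:
        result.setdefault(c.attribute, set()).add(c.value)
    return result


# Constructed sample assertion set about one subject; three of them should fail.
SAMPLE_CLAIMS = [
    Claim("idp.example.edu", "alice", "eduPersonPrincipalName", "alice@example.edu"),
    Claim("idp.example.edu", "alice", "eduPersonAffiliation", "student"),
    Claim("idp.example.edu", "alice", "courseEnrollment", "INF101"),      # not authoritative
    Claim("studentweb.example.edu", "alice", "courseEnrollment", "INF101"),
    Claim("rogue.example.net", "alice", "eduPersonAffiliation", "staff"),  # untrusted issuer
    Claim("idp.example.edu", "alice", "eduPersonAffiliation", "admin"),    # value not permitted
]


if __name__ == "__main__":
    ok, bad = approve(SAMPLE_CLAIMS)
    print("approved:", [(c.attribute, c.value) for c in ok])
    for c, reason in bad:
        print("rejected:", c.issuer, c.attribute, c.value, "->", reason)
```

The point of returning the rejections with reasons, rather than dropping them, is that conflation shows up precisely there: an issuer asserting attributes outside its authority is a configuration problem or an attack, and either way it belongs in a log the relying party reviews.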