The past two weeks I have had an iPad with me. We are doing some tests on how to use ebook readers for education. Testing, after all, needs to be done in realistic environments, like by the coffee table and in bed.  The device is not yet available in Norway, which makes some of the user interfaces weird because the AppStore does not work.  Applications have to be downloaded to a special account at a PC and then transferred by iTunes to the device.  The iPad is a cool gadget, and my sons really want one (mommy, I wish we had one for real that we could share).

On to the login:

  1. You do not log in to the iPad itself.  It is open for anyone with physical access.  Yes, it can be closed, but I operate with default.
  2. You do desperately need an iTunes account.  Without iTunes, the device is worthless.
  3. A normal person cannot change iTunes accounts without damaging major stuff (iPad, arteries, marriage).  It is just too difficult, and you end up cursing.
  4. You need accounts all over the web to access content, even if much of the content works through the App Store.  Examples of accounts I ended up with after a few days: iTunes (see 2), various wireless networks (including eduroam), Amazon (to use the Kindle app), email, gaming accounts (not linked to the App Store, so this worked in Norway), Twitter, Feide (for federated login).

The short summary

iPad is a portal, with iTunes as its portal framework, and a beautiful user interface.  It suffers from all the usual portal problems:

  • There is only one world view
  • The portal operator locks you in
  • The portal operator can lock you out
  • Authentication is a mash-up of various solutions, with issues about reusing login

The usual portal advantages include a coherent user interface, a business model that is defined by the portal operator and apps added according to guidelines.

Watching YouTube on the iPad rocks.  Some of the apps are just beautiful (epicurious, New York Times), and the weird size makes sense for something sitting in your lap.

My son wanted one iPad that we could share in the family, but the iPad is a personal device, where sharing is not intended.  This is partly a result of the iTunes business model, and partly a result of the “tweak and download apps until I cry”-attitude the user is lured into.  Or the last could be just me, running wild in the hope of getting better stuff.

I am concerned about the lock-in of the iTunes business model.  Free speech in society is often measured by how much smut we are willing to put up with, and the iPad apps are smut free.  On the other hand, a quick search yielded a number of web-based iPad-friendly porn sites.  You can take free speech out of the regular apps, but the users route around it.


January is the month for reporting on last year, and the biggest change in the way I used the Internet last year was the headset.  I never leave home without it, either a discreet white one for my cell phone, or a clunky one with a good microphone for my laptop.

Why do I bother to drag a headset around?  Because podcasts and phone conversations are really important to me.  And I have started to watch video systematically, and include video search in my information searches.  When I had to stay around for 20 minutes after my swine flu vaccine shot, I could watch an interesting YouTube video about learning metadata standardization on my cell phone.

When are headsets useful:

  • Headsets make the Internet available in noisy situations, and my life is sometimes noisy.
  • Headsets make me available to the world, and filter information for the others since they avoid the noise in my surroundings
  • Headsets support person to person communication, and I like talking to people
  • Headsets support feelings, since the sound of your voice gives me a lot more information than text and emoticons
  • The headset comes with the cell phone, which is a body part

Late summer 2009 the swine flu scare caused us to investigate a scenario where 40% of the work force and students in higher education have to work from home because of quarantine rules and parents staying home to care for children.  Main advice: buy headsets for everyone! Video is not all that important, but sound is critical.  Other issues that we investigated include services for shared authoring and phone meeting infrastructure.  Luckily the scenario never materialized, but the advice stands: buy a good headset!

One thing that bugs me: the lack of federated authentication and good authorization mechanisms for conference facilities.  Phone conferences and many video conferences are set up by sharing secrets.  Other multi-party conferences are managed by social networking facilities where people have to be contacts or friends to be able to join a conference.  Some facilities rely on the good ol’ Security-by-obscurity for access, where being wide open is useful but risky.  Another thing that bugs me is gatekeepers for video conferences; they are just plain nasty and non-communicative.  And some of the video conference user interfaces should be taken out behind the barn and shot, to get them out of their misery.

and we like it!

OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications, as stated on the OAuth web site.

Why do we like OAuth?

  1. It is simple.  Most of the bad security implementations are done by people with good intentions and low skill.  Understanding the issues involved greatly improves the chances of making the right choices.
  2. It solves a real hard problem: giving access to your stuff without sharing your identity.
  3. Plays well with others.  OAuth has built in support for desktop applications, mobile devices, set-top boxes, and of course websites.

OAuth helps delegating rights to a process acting as you, without losing privacy or compromising security.  And the specification is short and possible to understand.  Replacing shared secrets is a really good idea.  Replacing hardcoded application-based passwords is an even better idea.  Replacing spoofing of user by logging in as root/admin and then emulating the actual user is a great idea.  And all of this may be done by OAuth.
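The delegation idea in the paragraph above, as a simplified sketch added here; it is not code from the OAuth specification or from any project named in this post, and it models the concept only, not the OAuth wire protocol. The account name, client names, scope strings and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # held only by the service that stores the data
REVOKED = set()                       # ids of grants the user has withdrawn

def b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def sign(text):
    return b64(hmac.new(SERVER_KEY, text.encode(), hashlib.sha256).digest())

def decode_claims(token):
    body = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def pairwise_subject(user, client_id):
    # Opaque per-client handle, so the client never learns the account name.
    return sign(f"sub|{user}|{client_id}")[:16]

def issue_token(user, client_id, scope, ttl=300, now=None):
    # Runs after the user approved the client; no password is handed over.
    now = time.time() if now is None else now
    claims = {"jti": secrets.token_hex(8), "client": client_id,
              "sub": pairwise_subject(user, client_id),
              "scope": sorted(scope), "exp": now + ttl}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body)}"

def authorize(token, client_id, needed_scope, now=None):
    # Resource-side check: signature first, then expiry, revocation, client, scope.
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    try:
        if not hmac.compare_digest(sig, sign(body)):
            return False
    except TypeError:  # non-ASCII garbage in the signature part
        return False
    claims = decode_claims(token)
    return (claims["exp"] > now and claims["jti"] not in REVOKED
            and claims["client"] == client_id and needed_scope in claims["scope"])

def revoke(token):
    # Withdraws this one grant; call only on a token that passed authorize().
    REVOKED.add(decode_claims(token)["jti"])
```

Unlike a shared password, the grant is limited to one client and one scope, expires on its own, and can be withdrawn without touching the user's credentials or any other client's access.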

One use case is getting access to your data on your behalf, but on a different site while not giving away your identity from the first site. Another is the TCS eScience Personal Portal (aka Confusa) that will use OAuth to authenticate a command line client tool to a web-based service that issues short-lived certificates. Then they will extend it further using OAuth for web-based delegation of proxy-certificates; collaborating with a Norwegian University.  Some other use cases that people in my neighbourhood have been playing with so far

The Australian higher education federation has developed a proposal for Implementing Levels of Assurance in a Trust Federation using PKI and Shibboleth.

Alex Reid commented on the proposal:

in Australia we are going with the concept of a “floor of trust” which is rather higher than NIST’s Level 1 assurance level, as it implies/requires that an independent (responsible) authority (namely the University of an agent of the university) has verified the identity to some degree – more, anyway, than the self-validating Level 1 assurance that OpenID, Facebook, etc provide.

The need for level 1,5 seems to crop up in various contexts, as self-asserted identity is not considered good enough for some use cases.  Those use cases do not want to support the full level 2, with a separate gadget (or one-time passwords), since the cost is deemed too high. We might have to wait for Incidents, to assess if the cost of Level 2 is really higher than having multiple Incidents in our community.  Cost-effectiveness of security measures is tricky, as the real cost is known only after something went Wrong.

Levels of Assurance is either a quagmire where the most brilliant minds of our community will fall, or an interesting space to watch.  Could be both at the same time, and we could market this whole discussion as a reality show where we charge enough money from TV to cover the costs of implementing it.