Author Archives: stevepepple

RSA 2010

If you are going to be at the RSA Conference this year, we look forward to talking with you.

The RSA Security Expo
Monday March 1st – Thursday March 4th

VeriSign Booth #1717
(see map below)

San Francisco, CA
Moscone Center

This year, we’ve worked with VeriSign to integrate TrustBearer’s technology with VeriSign’s Managed PKI (MPKI) product, and we’ll be showing demos of this joint solution at the VeriSign booth.

We’ll also be showing our updated OpenID and SAML identity provider, which now allows users to register their computer with VeriSign MPKI. Similarly, users with PIV and CAC smart cards, and many other security devices, can use their credential for multi-factor authentication to web applications like Google Apps, Salesforce, and Basecamp.

If you would like to schedule a meeting with us during the conference, send us an email:

To learn what we are up to during the conference, follow us on Twitter: @trustbearer.


Showcase with EXTENSION at HIMSS 2010

We’ll be at HIMSS 2010 next week with EXTENSION Inc., showing the EXTENSION HealthID product:

HIMSS 2010
Monday March 1st – Thursday March 4th

Booth #5955
Atlanta, Georgia World Congress Centre

Show Hours Are:

  • Monday, March 1, 12:30 pm – 5:30 pm
  • Tuesday, March 2, 10:00 am – 1:00 pm and 2:30 pm – 5:30 pm
  • Wednesday, March 3, 10:00 am – 1:00 pm and 2:30 pm – 5:30 pm

If you are at HIMSS this year, we’ll look forward to talking with you.

The Use and Abuse of Identifiers

In my line of work at TrustBearer, we work with a number of different identifiers, be they OpenID URIs, usernames, or email addresses. In this way, I probably don’t have an realistic appreciation for how most people using such identifiers think and feel about their email addresses,  usernames, or twitter handles. And for this reason, I’ve found the research of doctoral student Ben Gross (@bengross) quite interesting and valuable.

In short, Gross has found that people have rather personal feelings about the identifiers that they are assigned and used, and they have a hard time using these identifiers how they would like, or how their employer expects them to.

Much of this research was discussed in a recent presentation at BayChi San Francisco (a chapter of the ACM Special Interest Group on Computer-Human Interaction).

Gross’s research involved talking with people in two types of companies, financial and creative, about the identifiers they use at work and in their personal life. His findings help explain why people often accidentally (and purposely) misuse identity systems:

  • Most people are managing a few email addresses, dozens of usernames and passwords, and several other identifiers, and they make very complex social decisions about how and why they use these identifiers.
  • The people Gross talked with wanted their identifiers to be their own name—even John Smith— or something meaningful and easy-to-remember.
  • People want to use personal and other identifiers at work; if they have trouble with identity and communications  systems at work, they use personal ones, e.g. their Hotmail.
  • Everyday use of identifiers can involve technical concepts, which are foreign to most users.
  • Some people Gross talked with started using an identifier in a certain way, but they don’t remember the initial reason or preference for this.
  • People usually don’t understand and often dislike and avoid identity system policies and rules.

Gross also has looked into what people know and don’t know about their privacy related to identifiers. Like something you are or something you have, the things that you are assigned, such as a IP address, a location, or a web cookie, act as identifiers. And it is these identifiers that are most often used on the web for tracking people’s behavior and information (See Kim Cameron’s recent post about browser fingerprints). In this case, Gross looks forward to better applications and tools that allow average web users to control their privacy and for more transparent policies with regard to what information companies or other entities store and track.

Gross’ dissertation and published writings are available on his website. He has written about OpenID and OAuth on his blog at The Messaging News.

Bureaucrats with Badges

There was a peculiar piece in the American Spectator online last week, a “Special Report” by Mark Hyman. The author lists a number of unfortunate circumstances by which harmless passengers, many times military personnel, have been delayed or hassled by TSA and airport security protocols. He blames these anecdotal mishaps on “government bureaucrats armed with ‘rules, policies and procedures’ and employing no commonsense.”

He goes on to question a number of security and procedural policies in government and military institutions, which he thinks are unnecessary and demeaning to the personnel at these institutions. As a primary example, Hyman makes the case that the rules for issuing and renewing CACs (Common Access Cards) are unneeded and absurd.

He is miffed because he did not renew his CAC before it expired and he had to go though a bureaucratic process to straighten this out:

“My CAC had expired days earlier so I contacted an issuing office to get a replacement. A clerk in the ID card office informed me that all appointments had to be made online using the intranet. Yet, my expired CAC prevented me from using the intranet system. In spite of my predicament the clerk told me, “Our policy requires all appointments to be scheduled online. If you are unable to use the intranet, then there is nothing more I can do.” It sounded like the beginning of an Abbott and Costello routine.”

“Rather than fight this particular battle, I decided to renew my CAC at another issuing office. While there, I was asked to produce a picture ID. I showed my state driver’s license. I was then asked for a second form of ID and was told the CAC was not acceptable since it expired five days earlier. A week earlier it would have been valid, but on this day it was deemed worthless. So I showed the clerk my company-issued ID card that looked as though it was made on an office computer and laminated at the local Kinko’s. As a matter of fact, that was exactly how that ID was manufactured. But it was good enough. The clerk accepted the flimsy company ID over the just-expired military CAC.”

Hyman concludes,

“What makes this episode even sadder is that the military CAC is generally not accepted as a valid form of identification for use by visitors to the Pentagon. Visitors must also have a Pentagon-issued ID or another form of identification such as a state driver’s license. The reason, according to a security officer, is that at least one machine that manufactures CACs and several hundred blank CACs are missing and presumed to have been stolen. Security officials do not know which CAC is valid and which is a forgery.”

The latter claim is nonsensical and shows that the security officials Hyman chats with are miss informing him about how his CAC works. This too, expresses a common misconception— that possession of the card is the only thing that verifies identity.

To his point about the pains of standing in line to renew something only to find that you don’t have the right materials: I can empathize with this, but I cannot gather what rules Hyman thinks are silly, and which are reasonable. Is he arguing that he shouldn’t have to have a CAC, or that he should be able to use his expired CAC, by itself, for renewal? And what does this have to do with policy created by top-level military and government officials?

What is clear from reading the piece is that he doesn’t like the rules much because he doesn’t understand why they are in place. He wanted an exception so he could use his expired CAC. Similarly, in another of his examples, he complains that his wife couldn’t renew her own CAC using an expired passport.

There are two fundamental questions that would help Hyman better appreciate these rules: Why are identification badges, such as CAC cards, used? And, how is the true identity of a badge-holder verified? In other words, what is a CAC good for anyways?

The military provides several resources for answering these questions. In fact, had Hyman consulted these, or unofficial resources, anytime before his CAC expired he would have had less of a hassle renewing it.

Identity, and the privileges we associate with it, is an abstract thing that is difficult to verify. The best way for a large institutions to verify a person’s identity is to gather the various artifacts of identity, such as a state driver’s license, for this person and grade the validity of these items and the authority of the institution who gave the item.  The bureaucratic pronouncements on this process (i.e. presidential directives and policies) say that the best way to verify the identity and authorization of millions of people is to create a system of rules that make the procedures repeatable, reliable, and safe. (One such rule may reason that an expired identity artifact should not be considered valid, even if it was valid yesterday.)

Now, the process of using a CAC card is not as simple as it could be. Systems that use badges for the identification of people and the verification of people’s permissions and authority are complex and imperfect, but this is not a problem of bureaucracy. It’s more a matter of improving these systems for most users and reminding users, like Hyman, why they were given a badge to begin with.

Interview with Eugene Spafford

TrustBearer is located in Indiana and—as it might be expected— several members of the company, including the company’s founder, are graduates of Purdue University, in Lafayette, IN. A couple of TrustBearer’s Purdue alums studied at the Center for Education and Research in Information Assurance and Security (CERIAS), under the direction of Gene Spafford.

Gene Spafford is a well-known programmer, researcher, and educator in the field of computer and information security. He is perhaps best known for his analysis of the first internet-distributed worm in 1988, the Morris worm. He also has a knack for punch security metaphors.

Spafford was recently interviewed by Tom Field of the Information Security Media Group. It’s a thoughtful, thorough interview, which is well worth sharing. The subject of the interview concerns information assurance education. Spafford was asked about the current state of information assurance:

SPAFFORD: Well, it is still rather chaotic. There are a range of issues and priorities within the field where education can be directed; some of the education is directed towards people who are practitioners, who are going to be on the front lines running systems. Some are oriented towards management-type positions that are setting policies and ensuring compliance. And there still is a community focused on the research aspects, more how to solve problems that are just emerging.

We don’t really have a common curriculum that runs across these, although there are a couple efforts that are underway to try define parts of it, and it is isn’t really certain what the best practices are, what the background expertise should be for these positions. So it is still an area that is evolving quite rapidly.

In the interview, Spafford also talks about how information assurance and security have changed over the past couple of decades:

When I really saw the start of this field in the late 80’s and early 90’s, most of the people who were involved had a deep understanding of issues of machine architecture, encoding, network protocols, and really understood the systems at a low-level. What we see now for many educational institutions is they are focusing on high-level applications, web security, JAVA, running prepackaged firewalls and IDS systems, and many of the people going to that educational path are not exposed to those low-level details, even though some of the attackers are exploiting those low-level details. So we have seen a split off of that kind of expertise in two areas, both the research arena and also some in the forensics arena.

But of course the field has also grown; the level of threat has changed significantly. If we go from the late 80’s/early 90’s, there wasn’t any commercial use of the Internet, and it didn’t have the global reach it does now. So the issues of social engineering, fraud, phishing, many of the other kinds of false information presentation and mailed-around exploits didn’t exist back then. So we have seen a huge evolution in the threat picture, in the target set, and in the overall understanding of what security in computing is all about.

Related Links

Spafford Interview on C-SPAN An expansive (30 min) general interest interview with Spafford on the state of internet security and identity protection.

Do We Need a New Internet? New York Times piece on the future of internet security, including a discussion of Spafford’s work.

Healthcare PKI in Denmark

In this post, I muse on Denmark’s implementation of a country-wide system for secure, up-to-date sharing of EMRs and patient identity federation. But I primarily want to share a links  for those interested in what they are doing:

A Cute Introduction

Last week Barack Obama visited Copenhagen to support his home city’s bid to have the 2016 Olympics hosted in Chicago. Later this year the U.S. President will meet with international leaders in Copenhagen for a UN summit, negotiating the successor to the Kyoto protocol.

In U.S. political news, the international happenings in Denmark have offered a nice break from the ongoing, rancorous national debate over reforming the U.S. health care system. Political events have stirred a broader conversation about the overall state of American health care, such as the cost and effectiveness of the current system. In a moment of free association, the events in Denmark reminded me of some interesting things about that nation’s health care system: the Danes are rather progressive—no, not because they’ve socialized, I’ll entirely leave this matter aside—in regards to they’re health care IT infrastructure.

What is Denmark Doing?

Denmark’s system is interesting so I’ll share what I’ve learned of the nation’s overall approach to health care IT and, in greater detail, discuss their implementation of PKI.

There are many Danish organizations involved with the reform of health care IT. Foremost are MedCom, the Danish Centre for Health Telematics, who is the coordinating organization for health care in Denmark and manager of the Danish Health Data Network; the National Board of Health for Denmark, who developed the data model and terminology server for the system, and leads the country’s overall health IT stragegy; and the Ministry of Science, Technology and Innovation (MTVU) in Denmark, who develops most of Denmark’s technical standards and recommended a standard for Service-Oriented Architecture (SOA) identity federation to be used in various Danish systems.

The National Board of Health’s stated goal for the reformed system was “to provide a connected health care sector in which health professionals have access to all relevant EHR data regardless of where citizens seek treatment and no matter where or when this information was registered.” Lofty, indeed 1. Unlike most countries, though, Denmark has robust broadband access in most of the country. And most general practices and hospitals already use electronic medical records (EMRs). The National Board of Health knew it would need to implement a nationwide SOA for the secure web sharing of data.

Implementation of PKI

Denmark built it’s PKI on top of it’s existing virtual private network (VPN) architecture, which is made available to all health care providers in the country, and it was already in use by many for remote collaboration. At the behest of  MVTU,  SAML was selected as the framework for identity federation and the exchange of authentication assertions. Health care professionals are issued DanID, a X.509 certificate from the Danish OECS CA. The following step explain how authentication is performed between Danish health systems 2:

  1. User authenticates as part of login to local EHR system and a digitally signed, SAML assertion is created.
    – this is a SAML security token, referred to as a virtual health professional identity card.
  2. A direct request is made to a central security token service (STS), which checks the validity of the local system’s digital signature, the user’s signature, certificate validity and revocation status, and core certificate attributes3.
  3. STS signs the SAML token and sends a response to the local system.
  4. The SAML security token can be used until it expires (after 24 hours).

Denmark PKI

I’m not sure what plans Denmark has for the authentication of everyday citizens to health care services and portals4. The foundations are certainly in place. The infrastructure for the clinical exchange of medical records, which utilizes the Danish Central Person Registry (number), provides a unique identifier for all national patients. is a public portal for Danish citizens where patients can access (some) of their health information, receive online consultation, schedule health services, and renew prescriptions/treatments. While Denmark does not issue electronic ID cards, each citizen is given a digital certificate, which is automatically derived from that citizen’s CPR number. With a combination of these parts, each Danish citizen could use their digital certificate for authentication to and for the signing of health documents.

Lesson from Denmark’s System?

What can be learned from Denmark? Well, one could try to point out the things Denmark has done right, as Gartner did in their study, which will be either unmissable or made up: Denmark used a “[g]radual approach with realistic time frames”; they gave “Incentives to vendors”; they used a “project-based approach”; they “[kept] an appropriate balance between central coordination and local leadership.”; the country has a “culture of consensus”.

As all observers have pointed out, its too early to tell what improvements the reformed IT changes have made. What Denmark seems to have done right is to start with a basic, but sound architecture that makes use of existing infrastructure and technologies. They have similarly, worked to make the systems simple, affordable, and feasible for all of the country’s health providers, using open standards and technologies.

Beyond the broader success of the program, I was interested to understand how adoption and use of the PKI has been. But, it seem too early to ascertain the problems with the reformed system or understand the parts of the systems that will need to be improved. From TrustBearer’s perspective, we are interested in problems experienced while deploying and using PKI,  issues such as interoperability between relying systems, certificate policies, certificate validation, and renewal, distinguishing between levels of identity assurance, and usability for end-users. I could not find much information in regard to these issues in the Danish system, so this will be a topic left for future blog posts. One thing of note was that developers involved in the Danish project found some things lacking in the the SAML/XML schema, because its was not possible to express certain types of requirements and policies as part of an authentication/authorization assertion5. (This is related, rather loosely, to a problem TrustBearer was trying to solve in another context, signifying the strength of an authentication method in the OpenID Provider Authentication Policy Extension.)

1. A Federation of Web Services for Danish Health Care

2. As outlined in A Federation of Web Services for Danish Health Care.

3. Exchange of tokens over SOAP.

4. There is a least one pilot of software-certificate-based PKI access for out patients.


Zittrain on Privacy and Security in the Chrome OS

What happens to  consumers’ privacy and security when the web is their operating system?

In the New York Times this week, Jonathan Zittrain, professor of Internet Law at Harvard Law School, co-director of the effort, and author of The Future of the Internet— and How to Stop It, offers a forward-looking, non-technical review of the Google Chrome OS, which was officially announced last week.

Many people consider this development to be as sensible and inevitable as the move from answering machines to voicemail. With your stuff in the cloud, it’s not a catastrophe to lose your laptop, any more than losing your glasses would permanently destroy your vision. In addition, as more and more of our information is gathered from and shared with others — through Facebook, MySpace or Twitter — having it all online can make a lot of sense.

The cloud, however, comes with real dangers.

Zittrain's 2008 book about the transformation of PCs to portable, web appliances.

Zittrain's 2008 book about the transformation of PCs to portable, web appliances.

The danger Zittrain foresees is manifold. As he expressed in The Future of the Internet, Zittrain worries that we-as-users will hastily adopt portable, ‘connected’ computers, like Apple’s iPhone, potentially forgoing much of the software and services offered by today’s Internet.

To further facilitate glitch-free operation, devices are built to allow no one but the vendor to change them. Users are also now able to ask for the appliancization of their own PCs, in the process forfeiting the ability to easily install new code themselves. In a development reminiscent of the old days of AOL and CompuServe, it is increasingly possible to use a PC as a mere dumb terminal to access Web sites with interactivity but with little room for tinkering. (“Web 2.0” is a new buzzword that celebrates this migration of applications traditionally found on the PC onto the Internet. Confusingly, the term also refers to the separate phenomenon of increased user-generated content and indices on the Web—such as relying on user-provided tags to label photographs.) New information appliances that are tethered to their makers, including PCs and Web sites refashioned in this mold, are tempting solutions for frustrated consumers and businesses.

But we have to expect that the Chrome OS will a fundamentally open system, allowing user’s to install any software and get pretty much anywhere on the web. The danger then, in Zittrain’s view, with the Chrome OS, is more an issue with the current state internet: The Internet was not designed with privacy and security in mind:

Some [dangers] are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)

Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.

Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.

Now, Zittrain points out that consumer laws can regulate many of these sort of problems. But he’s arguing the gate-keepers of the net (i.e. Mircrosoft, Amazon, Google), will improve security and privacy for only select applications, leaving the rest of the web in the dust.