Comments for Pomcor http://pomcor.com Research in Web Technology Tue, 14 Feb 2012 05:18:00 +0000 hourly 1 http://wordpress.org/?v=3.2.1 Comment on One-Click OpenID: A Solution to the NASCAR Problem by Francisco Corella http://pomcor.com/2012/02/13/one-click-openid-a-solution-to-the-nascar-problem/#comment-95 Francisco Corella Tue, 14 Feb 2012 05:18:00 +0000 http://pomcor.com/?p=456#comment-95 If you read the whole paragraph you'll see we are in agreement. In OAuth the relying party has to preregister with the identity provider. That's a BAD thing, because the user cannot freely choose any identity provider. Since the user cannot choose freely, the problem of how to communicate a free choice doesn't come up. So an OAuth relying party just shows one or two buttons with the logos of the identity providers (social sites) that it supports. And the user is redirected to the identity provider with a single click. What I'm proposing provides the same one-click simplicity in OpenID, without sacrificing the freedom of choice proviced by OpenID. To summarize: I do like OpenID better than OAuth :-) If you read the whole paragraph you’ll see we are in agreement. In OAuth the relying party has to preregister with the identity provider. That’s a BAD thing, because the user cannot freely choose any identity provider. Since the user cannot choose freely, the problem of how to communicate a free choice doesn’t come up. So an OAuth relying party just shows one or two buttons with the logos of the identity providers (social sites) that it supports. And the user is redirected to the identity provider with a single click. What I’m proposing provides the same one-click simplicity in OpenID, without sacrificing the freedom of choice proviced by OpenID.

To summarize: I do like OpenID better than OAuth :-)

]]> Comment on One-Click OpenID: A Solution to the NASCAR Problem by Andrew Arnott http://pomcor.com/2012/02/13/one-click-openid-a-solution-to-the-nascar-problem/#comment-94 Andrew Arnott Tue, 14 Feb 2012 04:30:00 +0000 http://pomcor.com/?p=456#comment-94 "OpenID. Unfortunately, this feature comes with a difficult challenge: how to provide the relying party with the information it needs to interact with the identity provider. OAuth does not have this problem because the relying party has to preregister with the identity provider, ..." Wait what? I think you've got it backwards. OpenID doesn't have the problems that OAuth has, because OpenID has discovery of Providers built-in, whereas OAuth has no such discovery built in. “OpenID. Unfortunately, this feature comes with a difficult challenge: how to provide the relying party with the information it needs to interact with the identity provider. OAuth does not have this problem because the relying party has to preregister with the identity provider, …” Wait what? I think you’ve got it backwards. OpenID doesn’t have the problems that OAuth has, because OpenID has discovery of Providers built-in, whereas OAuth has no such discovery built in.

]]> Comment on Pros and Cons of U-Prove for NSTIC by Francisco Corella http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-93 Francisco Corella Sun, 23 Oct 2011 00:45:00 +0000 http://pomcor.com/?p=321#comment-93 You could tell Pieter to make a .tar.gz file in addition to the .zip file and put it online so that the link works :-) You could tell Pieter to make a .tar.gz file in addition to the .zip file and put it online so that the link works :-)

]]> Comment on Pros and Cons of U-Prove for NSTIC by Francisco Corella http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-92 Francisco Corella Sun, 23 Oct 2011 00:37:00 +0000 http://pomcor.com/?p=321#comment-92 Thank you for the info and for the link to Rogaar's thesis. Best regards, Francisco Corella Thank you for the info and for the link to Rogaar’s thesis.

Best regards,

Francisco Corella

]]> Comment on Pros and Cons of Idemix for NSTIC by Pim Vullers http://pomcor.com/2011/10/10/pros-and-cons-of-idemix-for-nstic/#comment-91 Pim Vullers Fri, 21 Oct 2011 07:21:00 +0000 http://pomcor.com/?p=339#comment-91 Although I do not have actual figures for the performance of Idemix, I can tell that running the test cases provided with the library have an acceptable running time, i.e. at most a few seconds whereas I guess that the simple cases (without any of the advanced features) take less than a second. After our success with the MULTOS implementation of U-Prove we have now started working on an implementation of Idemix on a smart card. Here, again, we take a different approach then the original developers of the technology. We intend to implement the real Idemix protocols on the card instead of the DAA derivatives. However, we limit ourselves to the same functionality as our U-Prove implementation, that is selective disclosure. This means that we do not work on the advanced features of the technology, but we hope to get some decent performance by focusing on the core functionality, Kind regards, Pim Vullers Although I do not have actual figures for the performance of Idemix, I can tell that running the test cases provided with the library have an acceptable running time, i.e. at most a few seconds whereas I guess that the simple cases (without any of the advanced features) take less than a second.

After our success with the MULTOS implementation of U-Prove we have now started working on an implementation of Idemix on a smart card. Here, again, we take a different approach then the original developers of the technology. We intend to implement the real Idemix protocols on the card instead of the DAA derivatives. However, we limit ourselves to the same functionality as our U-Prove implementation, that is selective disclosure. This means that we do not work on the advanced features of the technology, but we hope to get some decent performance by focusing on the core functionality,

Kind regards,
Pim Vullers

]]> Comment on Pros and Cons of U-Prove for NSTIC by Pim Vullers http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-90 Pim Vullers Thu, 20 Oct 2011 14:50:00 +0000 http://pomcor.com/?p=321#comment-90 The correct link for [2] is http://rogaar.org/thesis/UProve10WithIntervalProofs.zip i.e. the link given in the thesis is wrong. The correct link for [2] is http://rogaar.org/thesis/UProve10WithIntervalProofs.zip i.e. the link given in the thesis is wrong.

]]> Comment on Pros and Cons of U-Prove for NSTIC by Pim Vullers http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-89 Pim Vullers Thu, 20 Oct 2011 14:47:00 +0000 http://pomcor.com/?p=321#comment-89 I can confirm that "proving that a secret is contained in an interval" has a large overhead. A Master student I supervised, Pieter Rogaar, implemented this functionality based on the C# U-Prove SDK. His thesis entitled "Attributes and tokens in U-Prove: Interval proofs and use cases" describes the underlying mathematics [1] as well as a usability study for U-Prove for several scenarios (focussing on IT-projects in The Netherlands). Improvements to the actual implementation [2] can be made depending on the encoding of the attribute and the definition of the interval, but an interval prove will still consume considerably more time than just showing the attribute. Kind regards, Pim Vullers [1] http://www.jbisa.nl/download/?id=17674007&download=1 [2] http://rogaar.org/thesis/UProve10WithIntervalProofs.tar.gz I can confirm that “proving that a secret is contained in an interval” has a large overhead. A Master student I supervised, Pieter Rogaar, implemented this functionality based on the C# U-Prove SDK. His thesis entitled “Attributes and tokens in U-Prove: Interval proofs and use cases” describes the underlying mathematics [1] as well as a usability study for U-Prove for several scenarios (focussing on IT-projects in The Netherlands).

Improvements to the actual implementation [2] can be made depending on the encoding of the attribute and the definition of the interval, but an interval prove will still consume considerably more time than just showing the attribute.

Kind regards,
Pim Vullers

[1] http://www.jbisa.nl/download/?id=17674007&download=1
[2] http://rogaar.org/thesis/UProve10WithIntervalProofs.tar.gz

]]> Comment on Pros and Cons of U-Prove for NSTIC by Christian Paquin http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-87 Christian Paquin Wed, 05 Oct 2011 14:27:00 +0000 http://pomcor.com/?p=321#comment-87 Francisco, Very interesting discussion, I’m looking forward to read the following posts. I’d like to provide high-level comments. First, regarding multi-show unlinkability, note that we define a U-Prove “credential” as a batch of (renewable, as needed) U-Prove tokens. Given the efficiency of the U-Prove protocols (especially when using the ECC variant), this _has_ proven quite practical in web scenarios (as demonstrated by our last two technology previews, http://www.microsoft.com/u-prove). Our current public specification describes a subset of fundamental features of the technology, carefully chosen to facilitate integration into existing identity systems (which are not equipped to make use of the more powerful minimal disclosure and revocation techniques). We are pursuing many initiatives to build the right feature set for the target scenarios. In particular, I’ll point you to the ABC4Trust project (https://abc4trust.eu/) where we are working (with IBM and other partners) to provide in a unified framework the missing features you mentioned. Best regards, Christian Paquin, Microsoft Francisco,

Very interesting discussion, I’m looking forward to read the following posts. I’d like to provide high-level comments.

First, regarding multi-show unlinkability, note that we define a U-Prove “credential” as a batch of (renewable, as needed) U-Prove tokens. Given the efficiency of the U-Prove protocols (especially when using the ECC variant), this _has_ proven quite practical in web scenarios (as demonstrated by our last two technology previews, http://www.microsoft.com/u-prove).

Our current public specification describes a subset of fundamental features of the technology, carefully chosen to facilitate integration into existing identity systems (which are not equipped to make use of the more powerful minimal disclosure and revocation techniques). We are pursuing many initiatives to build the right feature set for the target scenarios. In particular, I’ll point you to the ABC4Trust project (https://abc4trust.eu/) where we are working (with IBM and other partners) to provide in a unified framework the missing features you mentioned.

Best regards,

Christian Paquin, Microsoft

]]> Comment on Pros and Cons of U-Prove for NSTIC by Diskussion: “Pros and Cons of U-Prove for NSTIC” : Stephan Humer – Internetsoziologie http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-86 Diskussion: “Pros and Cons of U-Prove for NSTIC” : Stephan Humer – Internetsoziologie Wed, 05 Oct 2011 14:25:46 +0000 http://pomcor.com/?p=321#comment-86 [...] (Quelle: pomcor.com) [...] [...] (Quelle: pomcor.com) [...]

]]> Comment on Pros and Cons of U-Prove for NSTIC by John Bradley http://pomcor.com/2011/10/04/pros-and-cons-of-u-prove-for-nstic/#comment-85 John Bradley Tue, 04 Oct 2011 21:12:00 +0000 http://pomcor.com/?p=321#comment-85 Good analysis. I made the same points to Craig before U-Prove was sent to stand in the R&D corner at Microsoft. I do in some cases U-Prove & Idemix have benefits, though they tend to be oversold by there advocates. Having worked on IMI (InfoCard) my concern is deploying and synchronizing clients across devices. We are moving to a post PC world having a single desktop we access the net from is no longer the only problem to solve for. NSTIC needs to consider that having a choice of verifiably trustworthy Identity and attribute providers may be more practical than trying to solve the issue of IdP knowing where you use your credential through technology. Regards John B. Good analysis. I made the same points to Craig before U-Prove was sent to stand in the R&D corner at Microsoft.

I do in some cases U-Prove & Idemix have benefits, though they tend to be oversold by there advocates.

Having worked on IMI (InfoCard) my concern is deploying and synchronizing clients across devices. We are moving to a post PC world having a single desktop we access the net from is no longer the only problem to solve for.

NSTIC needs to consider that having a choice of verifiably trustworthy Identity and attribute providers may be more practical than trying to solve the issue of IdP knowing where you use your credential through technology.

Regards
John B.

]]>