W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: Position Paper for W3C Workshop on Identity

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 27 Apr 2011 23:14:50 +0200
Cc: "<public-xg-webid@w3.org>" <public-xg-webid@w3.org>
Message-Id: <277AEF26-184E-4F8B-9236-F005D7A7336A@bblfish.net>
To: Peter Williams <home_pw@msn.com>

On 27 Apr 2011, at 19:52, Peter Williams wrote:

> If the uni has a business school specializing in accounting, an MBA will make the person not bad at accounting assurance. It's a lot better than me, with my science degrees.
> If the uni is royal holloway (London) and you do the specialized master on information security, again a masters or diploma (higher) is not bad - for information assurance.
> But an accounting/security audit performed by either person does not meet public policy. neither use prescribed methods, so the result from any audit firm us equivalent.

That's because the uni does not audit the work of those accountants, it audits their education. 
I audit my friends.
You audit yours.
The go club audits people's ability to play go.

> If the uni-qualified person gets a cissp certification (should be easy for royal holloway folks). You are now fit to be trusted in a ca firm - to cooperate with an FBI order say (assuming personality and politics fits). A wikileaks activist would qualify but be rejected on politics (assume the covert part would be compromised). If the person shows lack of political disclosure, hiding wikileaks association say, again this is a reason for elimination (from a ia trust job, specifically).
> If the auditor performs tests, the certified ia engineer can be assumed familiar and can assist get to the facts desired. If the facts depend on records, in an periodic audit, one can be assumed to know how not to fail the audit due to missing procedural steps ( numbered pages are missing... Etc).
> If one offers a compensating control (all our employees are born and raised citizens with current disa clearances) we don't need to rely on those evil foreign university transcripts (full of assumed malice and unreliability - being from foreign sources, Assumed inherently untrustworthy by us govt processes). Thus one show by design and operations the risk of foreign influence is controlled by assumption (reasonable), so that the auditor does not need to now go sample the foreign transcript process (which doesnt exist, being made irrelevant by the citizen test).
> The ca audit I passed was carefully structured to play the ia game. One of the hardest criteria sets to pass concerns networking (just choc full of gotchas, and expense). So, for a root ca (and it's audit) don't network the computer. Really.
> Another gotcha set concerns correctness , of key management. Software crypto is hard to test and audit. F0r root ca, one had to show fips 140-1 level 3 compliance - which essentially denies any software claims, and tests the entire lifecycle of keys (distinguishing the semantics of key erasure from key destruction say), with an accountability trail for each and every cloned key (for dr purposes, since all devices fail). All is subject to realtime sampling, testing, and comparison with the stated handling rules. One test wheter junior staff know the rules, and what happens when both senior folks are on trips (during the 2am emergency).

yes, and after all those audits the CA's just check people's e-mail addresses and send them the CA!

> Etc etc
> It gies on for 100 more pages, like this. No. Its A 1000 pages. It's endless.
> This is information assurance.
> NSA has a nice website on the topic, being the ia lead in the us. Getting anyone to do it , given the cost and hassle factor, is hard - especially when revenues just don't support the overhead (eg realty mls business). Its easy to do if your a defense contractor on billion dollar contracts (being an aspect of general quality management). If consumers pay per person $50 a year for cloud office, with sufficient numbers and a standard set of software perhaps it's economic. For small mainstreet firms hosting web apps , it's prohibitively expensive. The mere fact Henry installed the 59 router from the supermarket dooms the audit to fail (or be prohibitively expensive, more likely).
> So reason by analogy. What test does the ministry of education perform on the test centers for public school exams done in high schools , to assure the public that the proctoring is doing what the (non deceived) public expect of proctoring and national education certificates?

yes, something like that. If you want to look at it through auditing glasses, that's how it works. Not everything has to be fail proof to work. You know a lot of things around you, as I pointed out before, even though you don't and cannot know you are not a brain in a vat on alpha centauri being made to think you are typing these e-mails. 

> My cissp is something I cite (since I struggled to pass, even after all my years of security experience). My ccna is something I failed  (despite 20 years of doing certain but not all packet switching defile) but I cite too (being reassurance I'm not a fraud, in basic data switching)  I don't cite my ccsp or  much as the course runners gave me what I now judge to be 90% the actual exams to practice, beforehand. This makes them pointless American  it certifications (for assurance purposes, as any science major can cheat, having great exam technique by that point). Not totally useless (I did 12 months self study in 2 weeks, and could really understand the curriculum, allowing a year of further very focussed self teaching). But not something  I'd cite to get a job actually fixing high end cisco or Microsoft systems. I'd be a fraud, offering false assurances.
> Make sense now?
> Nothing to do with cert technology. Applies to 15th century ciphers too. Just more important for certs, as the damage is so much greater (worldwide public confidence).
> On Apr 27, 2011, at d8:39 AM, Henry s <henry.story@bblfish.net> wrote:
>> On 27 Apr 2011, at 17:21, peter williams wrote:
>>> You might want to browse it - being all about the technology topics you
>>> often struggle with. ON the other hand, when looking at life anew, sometimes
>>> ignorance helps - so you is not drawn into the older mental models.
>>> Anyways, there are three terms of art:
>>> Identity  verification
>>> User authentication
>>> Information assurance
>> Ok, so when you go to a university, the Uni educates you, then tests you,
>> then gives you a degree. That is information assurance! What is the information?
>> Uni assures { X has Degree;
>>               field :medicine
>>               course </2011/Med/Liver> .. }
>> Presumably that means that he knows a certain amount about the subject. But nothing
>> is absolutely final of course as you point out. His thesis may have been plagiarised, 
>> as recently happened in Germany when the Minister of Defence was found to have employed 
>> someone else to write his thesis.
>> http://online.wsj.com/article/SB10001424052748704506004576173970765020528.html
>> If the university had given Karl-Theodor zu Guttenberg a WebID, they would not remove
>> their claim from his doctoral certificate page.
>> So it is easy to do assurance using WebID, and to remove assurance too.
>> Henry
>>> A term of art is rarely discussed in Wikipedia or a common dictionary.
>>> Identity verification is that act which a notary performs when he/she
>>> authenticated an individual through personal knowledge or, more likely,
>>> checking your passport or drivers license as evidence of id. The notary
>>> attests to having done that act, while then making a statement. Early in
>>> certs, for use by early Apple Mac users, one got a X.509 cert by first going
>>> to a notary, obtaining the affidavit mentioned, and then sending that as
>>> evidence of (notary-based) id verification to the CA .
>>> User authenication is the presentation of the cert to a relying party, along
>>> with a signature showing control over the private key.
>>> Information assurance has nothing to do with any of the above, except when
>>> computers are used in the processes above. If you want a birth cert from the
>>> state of Hawaii, there is information assurance practices - that support the
>>> status of a bit of paper as a "record". Long form records may be valid
>>> legally, for the purposes of id verification; or may not. Because assurance
>>> rules change, only shoft form record may not be valid, legally. Assurance
>>> rules may require "originals", and not copies, and may distintuish certified
>>> copies (from copies, and from originals). A certified copy may have to be
>>> emboseed, by a particular seal (acting as a unique signing device.)
>>> In the computer world, IA often comes down to the security audit, for the
>>> data center. If you are Comodo selling cert, and your resellers apply
>>> computers to access the minting services, and that channel is protected
>>> poorly, one can have the ridiculous situation in which the auditor performed
>>> investigations and tests that qualified the information assurance legvel as
>>> "sufficient", but non the less the channel is insecure. That's because, IA
>>> is about rules, not security. Its similar to an accounting audit that says
>>> the firm is not crooked, but it goes bust anyways. What matters is that the
>>> tests shew it was not crooked, to "assure" the public, using the services of
>>> public certified accountants.
>>> Yes apple assure the public their phone is safe. Doesn't mean the fine print
>>> of the contract is not set to allow them and their friends to spy on you, in
>>> a manner you find offense - since you didn't KNOW you agreed to it!? Its
>>> deceptive, despite the assurance. The US government assures the public that
>>> new citizens are suitable citizens. Doesn't mean they are not ex-SS
>>> officers, having spent years designed terror weapons, having run factorys
>>> making them and having actually killed 20k civilians...(in London) in
>>> attempt to terrorise an entire population. Assurance means they now fit
>>> American rules, which change with the times.
>>> In the CA world, the government generally seeks assurance that the firms
>>> will "do the right thing" - when asked. (This means spy, when served a
>>> covert order.) Its an important assurance, that the firm has CEO and staff
>>> that are "oriented" - and trustworthy, and can be trusted (to maintain the
>>> secrecy of the covert surveillance order, and scope the interception to the
>>> named individual, not the operators ex-spouse...).
>>> Put a key in the RDFa of the document. See what happens... its not logical,
>>> but then neither is a non-deterministic search that guesses.
>>> -----Original Message-----
>>> From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
>>> On Behalf Of Henry Story
>>> Sent: Tuesday, April 26, 2011 11:44 AM
>>> To: peter williams
>>> Cc: 'Dominik Tomaszuk'; public-xg-webid@w3.org
>>> Subject: Re: Position Paper for W3C Workshop on Identity
>>> On 26 Apr 2011, at 20:34, peter williams wrote:
>>>> Please remove the link to
>>>> http://agendabuilder.gartner.com/IAM4/WebPages/SessionList.aspx?Speake
>>>> r=7019
>>>> 95 for my name. Or just remove my name all together (whichever is
>>> easiest).
>>>> I do not want an association with Rapattoni to be inferred by readers.
>>>> Im mostly making a point, tuned to webid, that individuals are in 
>>>> charge - and do NOT need an organizational affiliation. They also do 
>>>> NOT need evidence of standing (such as garner though me worth inviting 
>>>> to talk about the needs of realty, to others deploying websso).
>>>> I know, it's a hard habit to break, since individuals have no standing 
>>>> in academia; only having any authority when introduced as "faculty" 
>>>> (which then governs one's credentials and one's reputations).
>>> But I thought many of your points on this list was on the importance of
>>> Information Assurance. 
>>> Are universities, companies posting profiles about people not well establish
>>> ways of doing information assurance?
>>> Henry
>>>> -----Original Message-----
>>>> From: public-xg-webid-request@w3.org 
>>>> [mailto:public-xg-webid-request@w3.org]
>>>> On Behalf Of Dominik Tomaszuk
>>>> Sent: Tuesday, April 26, 2011 7:43 AM
>>>> To: public-xg-webid@w3.org; Henry Story
>>>> Subject: Re: Position Paper for W3C Workshop on Identity
>>>> On 26.04.2011 12:09, Dominik Tomaszuk wrote:
>>>>> On 26.04.2011 10:36, Henry Story wrote:
>>>>>> Ok, the paper is ready for xhtml export. Any further changes can 
>>>>>> then be edited in the xhtml.
>>>>> OK. In a few hours XHTML+RDFa version will be ready.
>>>> Alpha version without CSS, valid XHTML+RDFa:
>>>> http://ii.uwb.edu.pl/~dtomaszuk/webid.html
>>>> Regards,
>>>> Dominik Tomaszuk
>>> Social Web Architect
>>> http://bblfish.net/
>> Social Web Architect
>> http://bblfish.net/

Social Web Architect
Received on Wednesday, 27 April 2011 21:15:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC