[cap-talk] Any hope in RSA 2008?
Baldur Johannsson
zarutian+cap-talk at gmail.com
Sun Apr 13 23:27:59 CDT 2008
If this mail is too much of chatter then please let me know.
On 13 April 2008, Karp, Alan H <alan.karp at hp.com> wrote:
> I just returned from RSA 2008 and can answer that question with a resounding "Sort of".
So, a definite maybe then?
> There was still the usual nonsense. "User identity needs to flow freely between services.", is only one example of many.
Reminds me of the situation of the Zebra Copy copier knowing who were
employed by HP. In my opinion that is and will often degenerate to
messy and unworkable.
(I imagine, and interpolate from observations in my experience, that
Alice at HP sometimes authenticates as Carol of HP at Zebra Copy due
to policy change propagation latency issues.)
> On the plus side, there was an undercurrent running through most of the conference, managing fine-grained rights.
> It was in Art Coviello's keynote (http://www.rsaconference.com). Even Craig Mundie said some intelligent things about access control, but I think they were accidental. The same theme appeared on the show floor, with many of the booths at least mentioning the problem. Of course, nobody had a clue of how to do it, but at least they're aware it's a problem.
>
"They"* say that the first step of treatment is to acknowledge the problem.
I take that as a good sign.
> I made a point of talking to someone technical at every booth that mentioned Identity and Access Management or Single Sign On (SSO). Everyone understood me when I explained the dangers of SSO. One small company from Singapore actually knew of the problem and required a user click on the first use of a new authentication.
In my mind "Single Sign On == single point of failure (to be
extensively attacked)"
-snip-
> I also attended the Groundhog Day panel session, which was a disappointment. Their proposed solution was to react faster and write better code. When I pointed out that's what we've been saying for 30 years and shouldn't we try something different, they looked at me like I was speaking in tongues.
I wonder how they would react to self-evolving worms. Nobody can react
fast enough to such a beast. (And nota bene, people with incompatible
Buxton Indexes** are often incomprehensible to each other. (Theirs
being the next ~3 weeks while yours, I presume, is <~3 years.))
-snip-
> Several of the talks included examples of service composition, variants of Alice invokes Bob who invokes Carol. In each case I asked whose rights got used on the call to Carol. The answer was always Alice's. I then asked what prevented Bob from abusing Alice's rights. The answer was always that there was nothing that could be done. I then put in a plug for my talk.
>
The exact reason I won't use such composed services.
And nice plug ;-)
> Speaking of my talk, it went well. They kept me around for 30+ minutes asking a bunch of questions. Some were skeptical. I ran into one guy the next day who said, "I left your talk thinking this is fecockteh (Yiddish for screwed up). Walking in this morning I stopped on the sidewalk, slapped my head, and realized that of course it's right." That's a typical reaction.
>
Glad to hear it.
Best dialogues are with skeptics that question even their own skepticism.
(Something might be lost in translation so here is also the original
in Icelandic:
Bestu rökræðurnar eru við efamenn sem efast jafnvel um sínar eigin
efasemdir)
And I take the fecockteh turnaround as a further good sign.
<rest of quoted text omitted>
-Baldur Jóhannsson
* slang used to mean an unspecified group of people while sounding specific.
** Buxton Index is how long into the future the entity in question
(can be an individual, committee, company and so on) plans.
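The "Alice invokes Bob who invokes Carol" composition that Alan raises above, worked through both ways as an added illustration (this is not code from the thread or from anyone's talk; the names Alice, Bob, Carol, the paths and the contents are constructed for the example). In the identity-flow design, Carol authorises whatever presents Alice's identity, so a careless or compromised Bob can reach any of Alice's resources. In the capability design, Alice hands Bob a reference to exactly the one resource her request needs, so there is nothing else Bob can present to Carol.

```python
# Added example, not from the cap-talk thread: the "Alice invokes Bob who
# invokes Carol" composition done two ways. Names, paths and contents are
# constructed for illustration.

# Constructed sample data: Alice's resources, held by the service Carol.
STORE = {
    "/alice/report.txt": "quarterly numbers",
    "/alice/payroll.csv": "salaries",
}


class Carol:
    """Backend service that holds the resources."""

    def __init__(self, store):
        self._store = dict(store)

    def read_as(self, identity, path):
        """Identity-flow style: Carol authorises by the identity the caller
        presents. Anything presenting Alice's identity may read all of /alice/."""
        if not path.startswith("/" + identity + "/"):
            raise PermissionError(f"{identity} may not read {path}")
        return self._store[path]

    def capability_for(self, path):
        """Capability style: mint a reference that reads exactly one resource."""
        if path not in self._store:
            raise KeyError(path)
        return ReadCapability(path, lambda: self._store[path])


class ReadCapability:
    """Holding this object is the authority to read one resource and nothing else."""

    def __init__(self, path, reader):
        self.path = path
        self._read = reader

    def read(self):
        return self._read()


def bob_identity_style(carol, identity, requested, extra):
    """Bob performs Alice's requested read, then, as a careless or compromised
    intermediary, also reads `extra` under the same flowed identity.
    Returns {path: contents} for everything he obtained."""
    obtained = {}
    for path in (requested, extra):
        try:
            obtained[path] = carol.read_as(identity, path)
        except (PermissionError, KeyError):
            pass
    return obtained


def bob_capability_style(holdings, extra):
    """Bob holds only the capabilities Alice handed him. He can exercise those,
    but for `extra` he has no reference to present to Carol at all.
    Returns ({path: contents} obtained, whether `extra` was reachable)."""
    obtained = {cap.path: cap.read() for cap in holdings}
    reachable = any(cap.path == extra for cap in holdings)
    return obtained, reachable


def demo():
    carol = Carol(STORE)
    # Alice asks Bob for report.txt. In the identity design Bob ends up with
    # payroll.csv too, because Alice's rights, not her request, flowed to him.
    identity_result = bob_identity_style(
        carol, "alice", "/alice/report.txt", "/alice/payroll.csv"
    )
    # In the capability design Alice hands Bob one capability; payroll.csv is
    # simply not something Bob can name to Carol.
    cap = carol.capability_for("/alice/report.txt")
    capability_result = bob_capability_style([cap], "/alice/payroll.csv")
    return identity_result, capability_result


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one from the show floor: when identity flows, the authorisation decision is made on who the caller claims to be, so the intermediary inherits everything that identity can do; when a capability flows, the decision was already made by the party that minted and handed over the reference, and the intermediary's authority is bounded by what it was given.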