Like public tags, there is a strong interest here to have a generic Web platform to handle such thing tags, which would need to follow some basic principles:

• Be thing-centric. The tag must be primarily associated to the thing, whatever it is, and it should be able to provide information about that thing (e.g., link to user manuals, warranty information). On the opposite, the tag should not solely be a direct marketing fixture for the thing’s manufacturer and/or distributor.
• Give power to the thing’s owner and users. The tag is associated to something, this thing is owned by someone, and that person need to have control over the tag. Except from the core thing information mentioned above, the owner should have control on what they want the tag to do. If I want to use the tag conveniently placed on my coffee machine to launch my e-mail every morning, I should be able to do so, as long as I still have a way to access the other information associated to the tag when I want to. And if my daughter wants the same tag to trigger some other default action when she scans it, it’s fine too.

If we combine these two items, we get to an interesting VRM idea: the tag on the thing is the link between the thing’s owner/user and any businesses that may be linked to it, and the user keeps some control:

• The user/owner can contact the businesses if required.
• The businesses associated to the thing can contact the thing’s owner, only as authorized by the owner.
• The owner of a thing can transfer the ownership to another individual, who then becomes the contact for the businesses.

In a world where objects often have a lifecycle involving several individuals, this is a great way for businesses to keep in touch with the actual user of their products, while providing more control to the end users. Like usual, I strongly believe that this interaction strategy is likely to have better returns for businesses than basic “advertising push” strategies. And the service to users is real, even if it is limited to providing access to information related to their things.

Once again, I haven’t found anyone doing something even remotely similar to this among all the NFC companies that are popping up everywhere. If you are doing this or know someone who is doing it, please comment on this; I would love to take a look.

The issue is rather simple. A school has issued RFID badges to track attendance, a student refuses to wear the badge, she gets expelled, a judge issues a stay, an we are now waiting for the trial. I also wear a RFID badge at work every day, and that doesn’t bother me much (well, it bothers me a bit: I usually wear it “visibly”, but not too much, as I don’t like the idea of the dangling name tag around my neck). This badge helps me getting into offices; it could also help me get connected to internet, and many other things. However, there is a big difference: my badge is a proximity badge. When I want to enter a room, I wave it to a reader; when I want to access internet, I insert it in a card reader. I can be tracked, but there are clear limits on what can be tracked. In that particular schoool’s case, things are different: the badges are designed to be read from a distance, without any badgeholder interference.

This is transparency, of course, and it could make your life easier. Think about a restricted area’s door opening just because you are arriving: sounds nice, doesn’t it? That makes it more convenient than a standard badge. However, this convenience implies that you trust the badge’s issuer, at least enough to believe that they won’t read your badge to monitor your every movement, like how much time do you spend in your office (working), or elsewhere (potentially not working). Here, the issue is the lack of user engagement from the user. With such a system, the user ends up believing/fearing that she is the victim of pemanent surveillance, and this may just be true.

This problem is not specific to this case. Gemalto has a technology called eGo that faces similar issues. This technology communicates through the body to establish a secure link between a reader and a personal device. To take the access control example, a door could open when you touch it. It is better than simply using RFID, but not much. With this technology, you can be tracked whenever you touch something, and some people will (understandably) not like it. Of course, it is easy to design limits. For instance, one could imagine a specific, clearly marked pad that you have to touch in order to start the authentication: then, there is a specific gesture, which can be interpreted as an acknowledgement. For RFID, this is more difficult to do, especially in crowded areas like schools, where several badges are likely to be readable at any time.

This post is actually turning into advertisement for Natural Security. This startup proposes a contactless device that communicates with a fingerprint reader that can be integrated in a variety of envionments. When you swipe your finger, you are authenticated, and then a transaction can occur. You don’t need to take the card out of your pocket or purse, but you are doing a specific simple gesture to acknowledge your intention to do something. On top of that, you are authenticated, which is a nice bonus. Security, naturally and esaily; I guess that this is where the company name comes from.

Once again, no system is foolproof, and heavy surveillance could be achieved with most products, just like fraud remains possible in most cases. However, good security systems should allow/encourage the institutions and corporations who use them to respect their users’ privacy, just as much as they should encourage/force the end users to comply to the security rules. As I mentioned in the previous post, end users aren’t security providers’ customers, but they have rights, which are often hard to understan, and it is also our responsibility to help our customers respect these rights.

One final note about RFID at school. If this system is installed, it is likely that it will soon replace human checks, and sudents will be able to escape class or other oblgations by swapping badges or putting their badge in somebody else’s pocket. Why? Because a human being looking at badges performs an authentication by matching the ace on the badge and the face of the person wearing it, where a RFID system simply counts badges, and doesn’t care about human beings. What a package: you get less privacy and less security.

To celebrate that, I have decide to attend the opening session this year. We started by an enthusiastic eID spporter from European Union, promising us all regulations and standards ready for 2014, which sounds interesting. After all, there are very interesting deployment in countries like Belgium and Estonia, which could be extended.

Then, we get a panel, with the question below. Speakers are Christian van der Valk, from TrustWeaver, Herrmann Sterzinger, from G&D, Massimo Cappelli, from Global CyberSecurity Center, and Marie Figarella, from Gemalto.

Why has eIAS services not been a success to date?

• Is it really the case? There haven’t been failures, there are many services ready to,use, and a lack of recognition, with a common perception that digital signature ismore difficult than it actually is.
• Citizen certificates are too expensive, and the use cases are not compelling enough. Thisis changing in some places, like in Austria, where the state pays the citizen certificate.
• Market fragmentation and lack of trust and confidence are the two main issues. They may even be linked because the fragmentation does not allow the development of global solutlons, deployed across Europe.
• Issues have been legal and societal, not technical. Fragmentation and lacking use case are the most important,

How would the new electronic identification and trust services regulation improve on this situation?

• Moving from directive to regulation is important
• Making it global would be good, but also hittin some limits, in particular regarding discrepancies in privacy requirements.
• Moving to a regulation will limit fragmentation, the scope will be larger, going beyond signatures to seals, timestamps, and more. Mobility between states will also be greatly improved. Finally, supervision should be improved.

What additional key actions would be necessary to make eIAS a success?

• Sharing identity and authentication between public and private spheres would help. Also,aligning with the global market with help, including private support, like Adobe. Also, the recognition of non-PKI solutions would be required (that sounds interesting)
• Moving beyond web authentication is required. Moving to global regulation loses things, such as already deployed eIDs, which do not comply to the new regulation, and also existing standads and existing profiles.
• Bureaucratic simplification associated to eIAS would be great help. We are also missing a common framework of expertise, with collaboration between national agencies. Thereisalso a digital and cultural divide, which hurts wide adoption. Finally, including soft identity would increase the use of strong identity, if it can be used in our everyday life.
• Associate reliable digital identity with a portable secure elemnt, to allow 2-factor authentication. Build an open and interoperale secure Internet. Privacy by design. Push digital identity on all SIM cards to benefit from NFC

Now, that’s quite interesting. The views from the panelists are quite consistent. The question that puzzles me most is the relationship between national and private identity. I am left wondering what opportunities will be given to private companies and web providers to leverage this eID. Making this happen would be a great boost to eIAS.

I also liked Gemalto’s analysis and proposals, which was short and to the point, except the last point, of course; mandating SIM-based identity for NFC is ludicrous and pure lobbying, at least because the SIM is not the only way to access NFC.

So, an interesting first panel, although there haven’t been many suprises and illuminating discussions.

What? No standard on the digits that may/may not be disclosed? I couldn’t get the facts from EMV or others (if you know, I am interested), but I noticed that although the digits printed on most of my (French) credit card receipts are the same (9 digits following the pattern xxxx xx00 0000 000x), some of my receipts include the infamous 4 last digits, and an Italian receipt includes the 8 first digits. Just with these few examples, I would say that, either there is no standard about which digits to show/hide, or the standard is not applied anyway. It is not difficult to guess that this is most likely not better on Internet, and not only at Amazon.

On this particular issue, I would blame Apple, because the information they require to grant access to an iCloud account is not sufficient (e-mail, billing address, partial credit card number). In particular, Apple allows you to forget the answers to your security questions, which doesn’t sound very good.

Mat Honan recommends in his paper to move beyond passwords and to adopt two-factor authentication. This sounds sensible, and I approve this move. However, in the present case, how useful would that be? If a cloud vendor uses two-factor authentication, then there must be a procedure for lost tokens. And this procedure better be good.

Not that it’s that complicated to design a procedure that works. We can for instance rely on existing infrastructure, like the Post Office. You can request your password to be snailmailed to you in a Certified Letter, which will require in-person delivery at your home or authentication with a government ID at the post office. This works perfectly against hackers, because they are not good at physical actions that require real presence.

However, this has some trade-offs: delay and price. Changing a password online is about free and instantaneous, whereas sending a physical letter has a cost, and it will take at least one day. I am ready to accept this delay and this cost to protect my most important cloud accounts, because I have some understanding of the risks. Not everybody does.

This actually represents an interesting role for two-factor authentication tokens: end-user education. Because they are a physical object, any user will understand that a new one needs to be sent if it is lost or compromised. And although they won’t be happy, they may/should/will associate the cost and delay associated to the token replacement to the security of their account.

My first post will be a rant about something that is very-much holiday-related for me: package deliveries. I am a big-time online shopper, which means that I often get deliveries. And of course, during the holiday season, I get a lot of deliveries, from many different vendors.

Until recently, My deliveries were all coming to the office, as this was a local tradition in our Trusted Logic office. However, now, I work in an office with much fewer people, and sometimes from home, so it is not as easy to organize deliveries at the office. So, this holiday season, I got everything shipped at home.

Of course, I live in a closed residence (some code is required to get in), and my postal address allows you to find my mailbox easily, but not necessarily my house (no street numbers). All of this makes me a perfect guinea pig for testing delivery services.

So far, the best service remains the basic Post Office service. They have the key to the mailbox, so they will use it for anything that fits in it. Just great. Of course, if it doesn’t fit, I have to run to the Post Office and stand in line for a while. Even their express service is worse, because they need a signature. So, if I’m not home, they will not leave the package, however small, and I’m back to the Post Office.

With other delivery companies, things get much worse. First, going to the Post Office is not an option, because their “regional center” is often 30 or 40 kilometers away. Then, they don’t have the key to my mailbox, so they won’t leave a package, however small.

And finally, they call you when they are blocked right in front of a locked gate, or waiting outside your door. Even for me who works close from home, this is not very easy to handle, because we are not always immediately available, and because the guy can’t wait indefinitely. In the end, the “express” package took 24 hours to rush from Hong Kong to Nice, and one full week to get delivered. Not efficient.

So, what’s missing? Let’s consider two things:

• I can’t manage the delivery. I can track the package, I can know that the delivery guy has started and will try delivering to an empty home, but I can’t do anything about it.
• I can’t sign off for a delivery when I am not home. So, the guys won’t leave the package in my mailbox.

Now, if we look at both issues, we easily find out that this is a trust issue: delivery companies are not sure of who I am, so they will not trust me. Why so? Because they are not able to associate me to my package when I am at home, in front of them.

This definitely looks like a problem that can be solved. Companies like TrustFabric already allow you to selectively share information with companies. They don’t support this yet, but there is definitely some information that I would like to share with delivery companies (possibly including a detailed map, GPS coordinates, or whatever may get them to me).

Having this link through a trusted third party also solves the other issue. If I simply associate my TrustFabric account to a public credential (OpenID or similar), I can now login to their site and update the directions for the delivery, to lead them to where I actually am, or to acknowledge the fact that I am allowing them to leave the package in my mailbox without a written signature (a digital one will do).

As TrustFabric and others are getting their offers ready, this is getting closer to reality. Let’s hope for this new year that they will cover this delivery nightmare, and I will not have to do the same rant.

The best part is about the data you provide when subscribing (you can find a copy of the original decree in this article). Here is a rough translation of this part of the text:

3° For persons abovementioned in 1 and 2 of I in the same article, information provided when subscribing a contract by a user, or for creation of an account:
a) The idenfier of the connection, at the moment of the account creation;
b) The first name and last name or the business name;
c) The associated postal addresses;
d) The pseudonyms used;
e) The associated electronic mail addresses or account identifiers;
f) The phone numbers;
g) The password as well as the data allowing to verify and modify it, in their latest up-to-date version ;

All of this is pretty scary, but the last one is the scariest: the government wants my password! This is going to simplify the gathering of evidence for anti-terrorist teams (they are the ones who don’t require a warrant or any judge order to get the information): they can just login as you and send the incriminating e-mail. This part of the story has been widely discussed on French media, with wide-ranging opposition to the measure, so it is not very interesting.

I would like, however, to point to a sentence that we can found at the very bottom of the decree:

Data mentioned in 3° and 4° only need to be kept if the persons [sites] usually keep them.

OK. So, they will get any information that I give to Internet sites. However, it should be more difficult for the government to get access our passwords, forat least two possible reasons:

• Good service providers hash/encrypt passwords. This means that the government will get data that allows them to perform dictionary attacks, but not the passwords directly, because the service providers simply don’t keep that data as such.
• Federated identity doesn’t use passwords. Nothing in the list mentions authentication tokens or things like that, so this is a good way not to disclose your passwords.

This last sentence can therefore be considered as a reminder to be very careful about our authentication methods on Internet. Even if this decree eventually gets repelled and/or modified, you can never be sure that your next government is not going to do something similar. So, here are some reminders:

• Use good passwords. It is the only way to protect yourself from dictionary attacks.
• Use different passwords. Do not use the same passwords on all sites. This is another layer of protection against dictionary attacks, but also an obvious protection once one of your passwords is disclosed and/or compromised.
• Use a federated identity provider, like an OpenId service. If possible, use one that is not represented in your country, in order to make sure that your passwords are out of reach of your government.
• Use alternative authentication methods. Choicces are difficult, but there are programs that will generate random passwords, manage them for you in a secure manner (that’s the tough part), and have you authenticate in original ways (n-factor, biometry, etc).

All of this is sound advice, and it will also contribute to protecting you against other bad guys.

To conclude, I will make a political comment, which is unusual here: I hate the sentence just above, and I hate to consider my government as one of the “bad guys”. I am French, European, and I believe that government should be on our side. However, having a government that promotes the use of Internet for “freedom fighters” in oppressed countries and collects passwords from “terrorists” at home is a bit scary, as we all know that someone’s terrorists often are someone else’s freedom fighters. And, as mentioned by Simon Phipps, the U.S. is not doing any better by developing an Internet panic button for democracy activists that is probably illegal in the U.S.

The value of the first wave was in the information itself (static Web, a.k.a. Web 1.0); the value of the second wave was in the sharing of information (social web, a.k.a. Web 2.0); the value of the third wave will be in the personalization of the Web experience. One of the key points is here the selection of information, the curation of information, as we are increasingly overflowed with information and content. Companies like Louis Ray’s my6sense are proposing to do just that.

On his post, Doc Searls compares the client-server relationship to a calf-cow relationship, with a strong dependency relationship between a service provider and its users, as exemplified by Facebook, Twitter, and many more. This kind of relationship puts the entire control in the hands of the service provider, which seems very wrong. Doc Searls’ example of Apple’s App Store conditions is the perfect example of this flawed relationship.

Everybody agrees that the personal Web includes personal mobile devices like smartphones and tablets, combined with contextual information, in particular location information. Personal devices will be important for building the personal Web, but not every application running on these devices belongs to the Personal Web. Old-style social services and information feeds will still be around, but making them “personal” on a mobile device is not sufficient.

A personal application needs to truly aim at providing the user with the best possible experience. In this best possible experience, of course, spam, unwanted ads, and other useless content should be gone. This can of course be considered as a threat to a flourishing business model by mobile marketers around the world. However, some other guys will see that as a wonderful opportunity: how to work with the users to bring them commercial information that they value? After all, most of us are actually considering a few purchases at any given time, and timely information about the offer would have a wonderful conversion rate. Let me take an example: I am currently looking for a bed for my son, because his bad quality bed broke. Today, I have two solutions to get information about beds: (1) take my car and drive around the area looking at furniture stores, or (2) Google what I am looking for, and search individually on each site. Both approaches are terribly ineffective, I just want to find a “bed for a 5-year-old boy, including plenty of storage, and if possible a small pull-out desk”. Well, this search is almost intractable, and I can’t find what I am looking for.

Of course, that is what VRM is about. Together with personalized curation, this is an important part of the Personal Web, but there is more into it. In particular, I want to regain ownership on my data, because it is mine. And I want to decide with whom I want to share it, and be able to change my mind.

If we go beyond VRM applications, the Personal Web will affect all aspects of computing. Let’s consider one of my favorite examples, Java Card 3.0 Connected. So far, this technology has failed to find a market. The main idea was to sell super-SIM cards to MNOs, allowing them to push more (static) content and more (social) services to their (captive) users. It didn’t work, for many reasons, but mostly because “smartphones ate our market”.

Java Card 3.0 Connected has some advantages, though: it is local, it is secure, it provides a Web interface. And it is really personal, in particular when it sits in a mobile phone. So, maybe that we can try to find someone (MNO for a SIM, but maybe also a phone manufacturer for an embedded SE, or anybody else for a secure SD Card) who would like to exploit this personal, interactive, secure token to bring elements of the Personal Web to their users. Plenty of applications are possible; the business model don’t necessarily exist today, but the space will be taken before the business model is ready.

So, let’s see who takes the space …

Why Flattr? Well, I looked around, and I really liked the idea behind it. I decide on a fixed amount on money to spend every month, and this amount is shared between all the items that I “Flattr” during a given month. The amounts don’t have to be enormous (minimum is 2€ per month), but the idea is here to regain power over our consumption of information.

Also, Flattr is also getting in the real world, with the possibility to use QR-code tags on physical items, allowing for instance visitors to show their appreciation for a work of art they see somewhere without necessarily buying it. This is supported by an Android application, which is even better.

Now, the question is to know whether what revenue Flattr will bring me compared to Google. My Adsense revenue was really small on this blog, around 20€/year, which basically paid for the hosting. Of course, that’s not the real reason for maintaining this blog. And actually, this is one additional reason to move to Flattr: in addition to the potential revenue, Flattr gives me the ability to get some information about the users who like what I write, share ideas with me, and other “social” advantages.

I’ll keep you updated on this. If I have the courage, the next step is SEO. For some reason, it has always been hard for me to become interested in this, but I would really like to see if this can make me climb up the charts. Also on the stack, the global look and feel of the site is becoming far from perfect, and the latest additions aren’t really well integrated; expect a few experiments in the coming weeks.

Even though I was not writing actively, I have spent a lot of time thinking of the business side of things (must be an age thing). Over the year, I have developed a passionate view of user-centered businesses, and more generally, of the fact that business does not necessarily have to be evil.

Reading about VRM, and regularly reading the Harvard Business Review has helped me develop a few new ideas. In particular, reading Umair Haque’s The New Capitalist Manifesto has been one of the highlights of 2010, because the book does not simply mention has business should be better, but it also shows how some businesses are already benefitting from being better, and that feels really good. If you want a bit of that feeling, reading the book is the best way, but you can also take a lookat the book’s blog.

The next part is to apply all these nice principles. I don’t know yet where and what my 2011 job will be about, but I will definitely spend some time and energy on that, and I hope that I will be able to share some of these thoughts here. But here are a few ways to start rebooting our business of smart cards and mobile security, by reminding a few things:

• Real people don’t really care about security. This doesn’t mean that we shouldn’t care about it, it means that we should naturally include it in products that real people want to use. Security is not a selling point, and bad security is not always considered an issue.
• Our mobile device is our personal device. We use our mobile phones for a lot of things, and that’s why these devices can be used to do even more. Our mobiles are our most personal connected object, let’s make it our root of trust.
• A mobile is more secure than a PC (today). Yes, using SIM cards and Trusted Execution Environments is important; but today, our mobile devices remain much more secure than our (Windows) PC, at least because they are less targeted. This may change, but it gives a nice window of opportunity for pushing interesting trust-related products with little security headaches.
• Over 90% of the people of the world are poorer than we are. Not everybody has an iPhone, but most have a mobile phone. Most don’t have bak accounts, but they have money. All of us need to exchange, to communicate, to trust, etc. We just have different ways. Let’s not just consider the habits of the rich.

So, I wish us all to remix all of this into fresh technical and business ideas, and to make something out of these in 2011.

Plus, of course, the usual wishes for health, wealth, and most importantly, happiness, extended to all the people you care about. And to spice things up, let’s hope for some good, disruptive change that will make our lives better.

• The client gets a SAML token from Security Token Service (STS) using WS-Trust protocol.
• The client puts the SAML token into the message.
• The server verifies SAML token and makes authentication and authorization decision.

Of course, the actual authentication occurs in the first step, between the client and the STS. After that, it is all a question of trust between the server and the STS that has generated the SAML token. With this scheme, we can avoid direct authentication between the client and the server.

Nothing really new, but I really liked their explanation, based on a parallel with the JavaOne conference badges. When you arrive to JavaOne, you first go to registration. There, you need to prove your identity by showing an officla ID to the attendant, who will then prepare the badge that grants you access to the conference. In addition, the attendant will add some ribbons that describe your specific attributes. For instance, I have the “Speaker” and “Alumni” ribbons. These ribbons are attributes that complement your basic identification, and allow you to get authorized in some circumstances. For instance, I can get into the speaker lounge, and I got an alumni jacket.

The conference badge acts like a SAML token: the basic badge shows that you have been authenticated, and the additional attributes describe some of your characteristics.

The model can be slightly enhanced by using two levels of STS. The idea is that the user will get a SAML token from a local STS, and use that token. The server will then get that token to another STS (local to the server), and get in return another SAML token, suited to its needs. With this scheme, both the client and the server only need to trust a single STS. The business of trust is entirely delegated to the two STS’s, who need to share each other. This clearly separates the trust issues from the rest.

Interesting presentation, but I still don’t feel enlightened about identity in the cloud. There is another session tomorrow on the topic, I hope that I will be thrilled.