Virtually sitting at a meeting table

I'm taking part in some meetings via video conference at the moment. (This picture is from when I did it a couple of years ago, this is what I looked like as I was "sitting" at the table with the other people. I didn't know my photo was being taken so this is my concentrating face.) The meeting is with the steering group of the Polder Consortium. We're looking at how we can help all the organisations in the Wycliffe Global Alliance take part in seven streams of participation, mainly through a technological viewpoint.

Part of the reason we are able to do this is because of the expanded scope of the Polder Consortium to include other things than just identity issues. However identity, and trust are essential foundations for organisations working together, so they will play their part.

Tech videos from Africa

Steve Moitozo II, who is a fellow member of the Polder Consortium visited Africa recently and shot some interesting videos.

I've heard of Ushahidi (crowdsourcing information via SMS for, for example, at the site of a natural disaster) before, but I didn't know who was behind it. Steve met one of the co-rounder, Erik Hersman (who blogs at whiteafrican.com) and shot a short video of him.


Erik Hersman from Steve Moitozo 2 on Vimeo.
He's also behind another thing that crossed my radar a while back Brck "a backup generator for the internet". There are a couple of TED videos about him too. He's the son of Wycliffe missionaries.

There are a couple of other tech-related videos in Steve's Africa 2013 album:

• The impact of ITConnect - video.
• Lean Digital Publishing and Distribution of Audio Scriptures. I've blogged previously about portable audio Bible players, so there's another one that's available.

Changes at the Polder Consortium - not just Identity and Access Management any more

It's a while since I first wrote about the Polder Consortium. At the time it was set up to work on Identity and Access Management issues for those involved in the Bible Translation movement. It's started changing and expanding its focus into other areas, such as business architecture and project management. The wording on the website has started changing to reflect these changes, but there's more detail that will appear over there in the coming weeks. So if you're involved in IT in the Bible Translation movement then it's worth watching that website, or at least subscribing to the blog. It's worth pointing out that project management is not just an IT thing and so the project management stuff may be of interest to non-IT people when there's more detail on the website.

What does it mean to be logged in?

The last time I got fed up of my lack of knowledge on something I drew a poster about public key encryption. This time it's about what being logged in means. What is prompting this is the fact that more recent updates to Chrome have seemed to make it so that in some cases when Chrome restarts you remain logged in to a website where I'm sure you weren't before. So I'm finding out the different ways that websites keep you logged in. I usually write a complete blog post before I publish it, but this is going to be a public work in progress.

Wireframe:
HTTP is stateless. What about headers?
What different technologies keep the fact that you're logged in?

• cookies - session, time-limited
• technologies - PHP, ASP, others
• ASP session state
• anything else?

When you tick "remember me" what's going on? Is it clear whether it's remembering username and password?
How does the browser remember passwords? Is it secure?
What's going on with Single Sign On? (Ref this video: https://www.polderconsortium.org/fedid-in-global-missions)

Disclaimer

If you know about this stuff, and I get something wrong, please tell me, so we can make the world a better place, or at least this blog post. Bear in mind though, that I am simplifying. So when, for example, I say as below "you get a web page back" the proper way of saying that probably is something like "you get an HTTP response" which is in all likelihood a web page, but may not be in every circumstance. However I'm not going to say that, because I'm simplifying.

HTTP is stateless

You ask for a web page, you get a web page. You ask for another, you get that. The server isn't required to keep track of the fact that you asked for one just now. There are ways to get round that, one of which is cookies. I'm logged into a local MediaWiki (the software that Wikipedia runs on) site. Here's the cookie that gets sent to my computer every page I request.

I've obscured some of the strings in case they are a security risk, you never know. So there you can see a couple of relevant variables. PHPSESSID is the PHP way of keeping track of sessions, and bsm_bsm_session (where bsm is the name of my mediawiki instance) is probably a mediawiki specific cookie. __utma and __utmc are Google Analytics tracking. I don't know why they are involved.

This is the site that I first noticed I stayed logged into every time Chrome started up. That cookie is a session cookie, which are supposed to be deleted by the browser every time you shut it down. Chrome chooses not to do this though, if you enable "continue where I left off" in settings. I do that so that my tabs from my previous session are open, and apparently session cookies aren't deleted too, which is a feature.

ASP.NET

Which roughly means "how Windows servers do it" (ignoring older technologies). An authentication token is stored in a cookie or a page URL (source).

So what's in that cookie?

What determines whether a cookie or a URL is used?

Federated Identity and Identity Assurance - why you should care

Yesterday I read a blog entry from the UK Government Digital Service about Identity Assurance.

We’re helping develop a secure service that lets people log in to online government services more easily.

They link to this article by the Telegraph which describes it well (apart from the headline).

I've blogged before about the Polder Consortium where we're thinking about such things. Identity Assurance is part of Federated Identity. If you're in IT then I expect you're going to get friends and family asking you if it's OK to use your Facebook login to access government services. (I suspect a Facebook login may not reach the required standard of assurance.) I'm personally encouraged by the fact that they are consulting with people who worry about privacy.

I think, though, that if you're in IT it's worth understanding about federated identity, authentication, authorisation and assurance levels so at least you can have an informed opinion. (I'll point to a document that's soon going to become available when it does.)

In other news, as they say, the Polder Consortium has released some new standards, recommendations and notes, either because they've gone to Proposed state or because we've decided that some drafts are worth making public.

Polder Consortium

For the past few months I've been involved in the Technical Steering group of the Polder Consortium.

The Polder Consortium helps organizations establish environments of trust for sharing critical information across organizational boundaries. 

It involves Wycliffe and a couple of other mission organisations at the moment. Deciding what sort of organisations it should involve has been one of the things we've discussed on our teleconferences. My particular interest is authenticating a local application that I've written against one of our corporate systems. When it comes to the technical stuff and the discussions that accompany the beginnings of such a co-operative venture I'm a bystander, but it's interesting to watch the formation of this group. If you want a bit of technical detail then let me throw out a few words: SAML, federated identity, Shibboleth.

If you want to dive in a bit more I suggest you look at slides from an ICCM 2011 Presentation of Federated Identity. If you're wondering "Why the word polder?" then follow that link.

Update: I didn't realise until now the Polder Consortium is on twitter too.

Photo of the Petronas Towers Skybridge courtesy of Shubert Ciencia.