Get the best cybersecurity science, research, resources and insights to help secure and safeguard the digital world.
No Charge. No Spam. Unsubscribe Anytime.

Silence please. Bricklayers working!

Silence please. Bricklayers working!

I've received queries from friends and colleagues expressing surprise that I have not written more about the OPM data breach.

I have, in my career, been on the receiving end of situations similar to this. When you are in the middle of such a situation, it is REMARKABLY UNHELPFUL to have people who do not have full visibility into the situation (like me) conduct pre-mature post-mortems based on incomplete data.

I also know that the people on the front lines of this will not be breathlessly feted as heroes who have "parachuted in" to effect a rescue.

They are the anonymous bricklayers who work in the basement to drain the septic tank of past choices and neglect, before laying the brick and mortar to repair this and prevent future breaches.

As such, I have no desire to distract them while they are doing a critical, but thankless job.

So yeah, right now I can add no value, so am simply going to keep quiet.


Stakeholders bearing gifts

Knowledgeable, insightful, and constructive feedback from users and stakeholders is a precious gift that should never be squandered!

And that is the category into which I would put the recent paper (PDF) that analyzes the Connect.gov (FCCX) and GOV.UK Verify Hub infrastructures.

The privacy and security of FCCX [Connect.gov] and GOV.UK Verify rely on a fully honest and uncompromisable hub. In contrast, we argue that a good solution should be resilient even when the hub is curious (about what it sees) and/or malicious (about the actions it takes).

...

A good protocol should also be resilient against malicious collusion, e.g., between RPs, or between RP(s) and the hub. However, to satisfy forensic requirements, certain special cases of collusions (e.g., hub+IDP, or hub+IDP+RP) may be legitimately allowed to reverse certain privacy properties, e.g., unlinkability, under very well-defined circumstances such as a specific court order targeting a given individual.

Toward mending two nation scale brokered identity systems

I very much agree that the paper contributes to the "... developing pool of knowledge and ideas about digital identity assurance".


cyberforge: random and relevant


 Tweet  Share  Share  Share  Pin  Email


Get the best cybersecurity science, research, resources and insights to help secure and safeguard the digital world.
No Charge. No Spam. Unsubscribe Anytime.