allIPTech.com

A Blog about all technologies using IP protocol

Archive for January 18th, 2010

Jan
18

Nat Sakimura: Essence of Contract Exchange.Nat Zone

Posted by Samer EL SAWDA

Abstract

This article describes the concept of (abstract) Contract Exchange, and then discusses the OpenID Binding and Use of the Contracts as Access Tokens. At the end, it also provides a mapping table to User Managed Access (UMA) Terminologies.

About Contract Exchange

Contract Exchange (CX) is a protocol for dynamically exchanging signed contracts among entities in the network. It uses public-key signatures, so it achieves a certain degree of non-repudiation and provability. Thus, e-commerce and similar applications should benefit from it. In addition, since a contract can capture the purpose of use, the conditions of use, the provisioning method, etc. for the data/attributes, it can be used to achieve server-to-server exchange of data.

Draft OpenID CX is a binding of this Contract Exchange onto OpenID. It takes the form of an OpenID Extension. Thus, it can be used over the existing OpenID Authentication 2.0, which is a GET/POST binding, as well as over the artifact binding, which has been discussed since last fall. For the exchange of proposals, contracts, etc., it also uses the Attribute Exchange 1.1 Draft.

Basic Flow of the CX

The basic flow of CX is as follows. Note that this is before binding it to a specific underlying protocol.
In the steps below, AM stands for Authorization Manager and SP for Service Provider.

1. (SP finds Proposal Template from XRD/S of the AM)
2. SP obtains the proposal Template from the AM.
3. SP specifies the variables in the Proposal Template to create a Proposal.
4. SP signs the Proposal to create a Signed Proposal.
5. SP sends the Signed Proposal to the AM.
6. AM shows the conditions to the user and obtains the authorization.
7. If OK, the AM counter-signs the proposal to create a Contract.
8. AM saves the Contract and sends a copy to the SP.
9. SP uses the Contract to obtain data etc. and provides service to the user.

The service does not necessarily require data transfer. It may not even be a service over the network.
However, it is expected that in the majority of cases it will be a network-based service that requires some data transfer.
Under such circumstances, a data transfer protocol needs to be defined in the contract (e.g., OpenID AX, OAuth, Wrap “API Calls”).

Characteristics of the CX Template

CX Templates have several unique features.

  • XML is the default format.
  • The template has to have a URL of the form http://uri_of_contract_template#digest_algorithm:digest, so if the template is changed, the URL will also change.
  • Anyone can create a template, but since the AM is the party that knows what data is available as well as the party that creates the permission page, the AM seems to be the natural place.
  • As a result of the hashed URL, a template cannot be edited. Thus, variables have to be used to express the portions that are supplied from the outside.
  • Template variables are expressed in the form {{variable_name}}. The xs:id of the XML element is used as the variable name, and the value is the inner text of the element.
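
The two template rules above (a digest-pinned URL and {{variable_name}} substitution), sketched as an added example that is not code from the article or the CX draft. It assumes the digest in the fragment is hex-encoded and that algorithm names match Python's hashlib names; the function names, the am.example URL and the sample template are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urldefrag
from xml.sax.saxutils import escape

ALLOWED_DIGESTS = {"sha256", "sha512"}           # assumption: local allow-list
VAR = re.compile(r"\{\{([A-Za-z_][\w.-]*)\}\}")  # matches {{variable_name}}


def verify_template(template_url: str, body: bytes) -> bool:
    """Check fetched template bytes against the digest pinned in the URL fragment."""
    _, fragment = urldefrag(template_url)
    alg, sep, pinned = fragment.partition(":")
    if not sep or alg.lower() not in ALLOWED_DIGESTS:
        return False  # no pinned digest, or an algorithm we refuse to trust
    actual = hashlib.new(alg.lower(), body).hexdigest()
    # Constant-time comparison of the hex strings (hex encoding is an assumption).
    return hmac.compare_digest(actual.encode(), pinned.lower().encode())


def fill_template(template: str, values: dict) -> str:
    """Replace every {{name}}; fail on missing or unexpected variables."""
    names = set(VAR.findall(template))
    if names != set(values):
        raise ValueError(f"variable mismatch: {sorted(names ^ set(values))}")
    # Escape values so a supplied string cannot add XML elements to the Proposal.
    return VAR.sub(lambda m: escape(str(values[m.group(1)])), template)


# Constructed sample template and URL (not taken from the CX draft).
TEMPLATE = (b'<Proposal><Purpose id="purpose">{{purpose}}</Purpose>'
            b'<Price id="price">{{price}}</Price></Proposal>')
URL = ("http://am.example/cx/template.xml#sha256:"
       + hashlib.sha256(TEMPLATE).hexdigest())

if __name__ == "__main__":
    print(verify_template(URL, TEMPLATE))         # unmodified template
    print(verify_template(URL, TEMPLATE + b" "))  # any edit breaks the pin
    print(fill_template(TEMPLATE.decode(),
                        {"purpose": "shipping <address>", "price": "10"}))
```

Because the digest is part of the URL that ends up in the signed Contract, a party that re-checks it can tell that the text it was shown is the text that was signed.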

Characteristics of the CX Contract

  • There can be as many parties as one wants. That is, we can express an n-party contract. Each Party has Obligations.
  • A Contract includes the public key of each Party. These can be used for signature verification and data encryption.
  • A Contract includes a TemplateURL and a Template. OPs and RPs can use this TemplateURL to figure out what kind of template it is.
  • Obligations can be written in the Contract. This includes the price and damage limit.
  • As the default data request method, AX Request is supported. Other formats can be defined.
  • Signing is done with XML Signature. Canonicalization is Exclusive Canonicalization. Since it uses a digital signature, the ability to prove the contract is high even outside the system.

OpenID GET/POST Binding

CX can be bound to OpenID through the GET/POST Binding and the Artifact Binding. For the purpose of this article, which binding to use is a non-issue, so I am using the simpler GET/POST binding flow.

In the next diagram I am using OP (OpenID Provider) instead of AM and RP (Relying Party) instead of SP to match the OpenID terminology. In addition, UA stands for User-Agent (e.g., Web Browser).

Fig 1: OpenID GET/POST Binding Sequence

Data Transfer using CX

In the use case that transfers data, the CX Contract can be used by the RP as either a holder-of-key or a bearer access token. Alternatively, if the Data Provider has a copy of the contract, then the ContractID can be used as a bearer token. (In general, AM and DP are different, so the latter cannot be assumed in every case.) Using such tokens, server-to-server data transfer can be achieved. The Data Provider (DP) checks the authenticity of the contract, then creates a dataset, encrypts it with the public key in the Contract and provides it to the requestor. Since it is encrypted with the public key of the intended recipient, it cannot be read by anybody else.

Fig 2: Data Transfer sequence when Contract was used as a Bearer Token

Appendix 1: Mapping to UMA terminology

This Article | UMA (User Managed Access)
AM           | AM
SP           | Host
DP           | Protected Resource
UA           | Requestor
User         | Authorizing User

2010 Trend: Sensors & Mobile Phones

Posted by Samer EL SAWDA


Last week in our Mobile Web Meets Internet of Things series, we looked at barcode scanning and RFID in the next generation iPhone. We expect to see Apple and Android battling it out for both barcode and RFID supremacy this year.

Another key technology in the Internet of Things – where everyday objects are endowed with Internet connectivity – is sensors. In fact we’ve seen the most activity so far in the Internet of Things from sensor data. So in this post we explore how mobile phones and sensors are mixing; and what to expect in 2010.

Last year we wrote a lot about sensors and discovered that there are two common scenarios for sensors + mobile phones:

1) Everyday objects with sensors pumping out data on things like temperature, noise and activity; the mobile phone reads and analyzes this data.

2) The phone is used as a sensor itself. For example the iPhone has a built-in accelerometer, which is basically a motion detector. This is used for game control and also for re-sizing your iPhone display from portrait to landscape. The iPhone also has a microphone (which can be used as a noise sensor), a proximity sensor, and an ambient light sensor.

iPhone as Sensor


A good example of scenario 2 is WideNoise, an iPhone application that samples decibel noise levels and displays the data on an interactive map. WideNoise is essentially a sound sensor, using the iPhone’s microphone.

You can take a sound reading on WideNoise and, if you so desire, share that with the community. I must admit that I haven’t found too much practical use for this app yet. However one of the use cases cited is checking it when house-hunting, to assess the average noise levels of the neighborhood. It’s one of those apps that will become more useful the more data is added to it by the community – but we all know that’s a hard thing to achieve for a young startup.

Mobile Phones Reading Sensor Data


Sensors are rapidly growing as a source of data on the Web. A corollary is that sensor networks are an enormous opportunity for some of the big tech companies. In November we wrote about HP’s CeNSE project, which aims to be a “Central Nervous System for the Earth.” CeNSE is a research and development program to build a planetwide sensing network, using billions of what HP calls “tiny, cheap, tough and exquisitely sensitive detectors.”

According to HP Labs, CeNSE sensors will enable real-time data collection, analysis and better decision making. And what will be a key tool for doing all of that? You guessed it, the mobile phone. Imagine for example getting a real-time update of traffic conditions on your mobile phone, via sensors on a major stretch of highway.

Those are the two main ways that sensors and mobile phones are mixing currently. Let us know in the comments if you have a favorite mobile phone app that outputs or inputs sensor data. Also please share other use cases.

Image credits: seizethedave; raneko

Yahoo under fire from Chinese partner over Google hack

Posted by Samer EL SAWDA

Phil Muncaster, V3.co.uk, Sunday 17 January 2010 at 13:15:00

Alibaba Group, which owns Yahoo China, describes Yahoo’s comments as
‘reckless’

Yahoo’s continued presence in China could be in doubt after its partner in
the country, Alibaba Group, criticised the internet giant for its comments on
the recent attack by Chinese hackers on Google and other companies, according
to reports.

Yahoo sold its China business to Alibaba in 2005. The Chinese internet
company runs retail site Taobao.com, payment platform Alipay and e-commerce site
Alibaba.com, but Yahoo retains a 30 per cent stake in Alibaba.

After Google revealed last week that it and at least 20 other big name firms
had been hit by a highly sophisticated attack originating from China, Yahoo
condemned the incident and said that it stood aligned with Google in opposing
all actions which violate user privacy, despite going on to say “our position
in China will remain business as usual”.

However, Alibaba spokesman John Spelich is reported as saying in a statement
that his firm has “communicated to Yahoo that Yahoo’s statement that it is
‘aligned’ with the position Google took last week was reckless given the lack of
facts in evidence”.

He added that “Alibaba doesn’t share this view”, a position which could cause
problems for Yahoo if it wants to maintain its stake in the company and token
presence in the region.

It is thought that Yahoo was one of the other firms to be hit by the targeted
hacking attacks, although it has yet to confirm or deny this. The US government
is expected to issue a formal complaint to the Chinese authorities about the
incident early this week.

O2 expands into landline market

Posted by Samer EL SAWDA

Dan Worth, V3.co.uk, Friday 15 January 2010 at 12:35:00

Move could open the floodgates for mobile operators entering the fixed line
market

In a move that could open the floodgates for mobile operators entering the
home phone market, mobile giant O2 has announced that from March it will offer
landline packages for both new and existing broadband customers.

The firm said the move was a significant development in strategy to
strengthen its position as a key provider of broadband to the home by giving
customers the convenience of having broadband and home packages combined.

The firm will be offering two home phone packages, an ‘Evening and Weekend’
deal for £9.50 per month and an ‘Anytime’ package for £12.50 per month.

Sally Cowdry, UK Marketing Director at O2 said the move was a big step for
the company as it seeks to expand its offering to the market.

“This is the most important launch for us in the home space since we entered
the broadband market and is part of our strategy to evolve beyond mobile to a
leading connectivity brand,” she said.

Richard Thurston from Analysys Mason said the move signified O2’s intention
to move deeper into the home market, and beyond simply being a mobile operator.

“Multi-play offerings are essential in the consumer space, and O2’s bundled
offerings are likely to have some traction, especially as O2 is offering fixed
telephony at a discounted price,” he said.

Thurston also said he expects other mobile firms to follow this path.

“O2 is not alone as a mobile operator trying to penetrate the fixed market,
both consumer and business and we can expect Vodafone to be a major fixed line
player too,” he added.

Both packages include services such as number hiding, Last Caller ID, and
Last Number Delete. A number of other services such as Voicemail, Call Waiting,
Caller Display, Call Barring and Ring Back are available for an additional
monthly fee.
