<HTML><HEAD></HEAD>
<BODY id=MailContainerBody style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px" bgColor=#ffffff leftMargin=0 topMargin=0 CanvasTabStop="true" name="Compose message area">
<DIV id=idOWAReplyText36006 dir=ltr>
<DIV dir=ltr><FONT face=Terminal color=#000000 size=2></FONT> </DIV></DIV>
<DIV dir=ltr>Read the thread from the bottom, if interested in one user's experience linking open source smartcards to openid, linking up to plaxo.</DIV>
<DIV dir=ltr><BR> </DIV>
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Peter Williams<BR><B>Sent:</B> Sat 3/8/2008 3:56 PM<BR><B>To:</B> MuscleCard Mailing List; Peter Williams<BR><B>Subject:</B> Re: [Muscle] updated experience, 2 years later.<BR></FONT><BR></DIV>
<DIV>
<DIV><FONT face=Arial size=2>Now the bad news (nothing to do with muscle, idalliance, or trustbearer technology!)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Plaxo wants to me do account linking to a new plaxo account, where it assumes my email address is valid (from the openid protocol, based off the pc/sc protocol) given my email is correctly auto-populated on Plaxo's signup screen. Nice.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Not trusting openid (from trustbearer.com) enough, it decides to ping my email account like a million other site subscription wizards.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>OK, I play along and authenticate back using untrustworthy email (despite having upgraded to smartcards and then openid), confirming my email id by (really untrustworthy!) email bearer. Presumably it’s a case of "Smartcards/Splartcards. Openid/StolenId" for Plaxo and their trust model. Well, they are entitled to that view in the openid UCI model. So, Plaxo falls back to use email verification over the DARPA internet, anyways.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Then comes the rub.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The nature of plaxo is...social networking, asking me to import friends from companion services providers (like MSN). It asks me to type in my MSN username AND PASSWORD (and trust the plaxo privacy policy). Aha, that’s unlikely (being a more than usually savvy consumer). They didn’t trust my card/openid, why would I trust their privacy policy? After all, that MSN account is also linked up with my new openid (in a new gateway peering service linking WS-Federation names to openids)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Oh well, we clearly have some re-education to engage in, so the assurance of cards and the muscle applet (and trustworthy manufacturing, provisioning and management processes, presumably asserted via X,509 OOB certs) becomes apparent.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>You cannot be surely be happily participating in websso on the inbound channel, leveraging behind the scenes smartcard public key auth from the musclecard, and then STILL on an outbound channel be asking for and storing folks's password - when importing friends list! Plaxo should be asking for my openid on the companion services - or asking me to present my trustbearer openid to Microsoft If Microsoft doesn’t accept openids, then fine! I can always cite a gateway binding my openid to my live.com cardspace card!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Peter.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Ill be forwarding this email to openid mailing lists, for comment there, too! The world has clearly moved on from two years ago.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV style="FONT: 10pt Tahoma">
<DIV><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=home_pw@msn.com href="mailto:home_pw@msn.com" target=_blank>Peter Williams</A> </DIV>
<DIV><B>Sent:</B> Saturday, March 08, 2008 3:29 PM</DIV>
<DIV><B>To:</B> <A title=muscle@lists.musclecard.com href="mailto:muscle@lists.musclecard.com" target=_blank>MuscleCard Mailing List</A> </DIV>
<DIV><B>Subject:</B> [Muscle] updated experience, 2 years later.</DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Well I have to say I'm impressed both this afternoon and even more so later this afternoon - since this morning depressed me.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>This morning:-</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2>2 years ago, I know dominated muscle applet, muscleshell, various tools for GP loading, and GP command sets for its fancy security features such as DAP and receipts. I know I also dominated T0 over CCID firmware for 8051 uPs, and various bits of microcodable verilog to support fancy crypto modes in the ATMEL ICC's 16 bit crypto co-processor, we used once to use. Having left this project, 2 years later I return to its src tree - and its just a load of mumbo-jumbo of various tools, old compilers by firms that no longer exist, and scripts in 9 toolchains, A bit of openssl here, a win32 port of muscletool there, an atmel load script for promming micros, loadfile for starting up a COS, scripts to personalize muscle applet, along with various simulations.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I could not make head or tail of it despite (being the programmer of it all) !</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Not happy (with myself).</FONT></DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2>This afternoon:-</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2>So using Vista SP1 and an old SCM cardreader which received auto-updated firmware/drivers, I went to the identityalliance.com site, and installed its download package. Then I stuck in my really old JCOP21 javacard democard from IBM Zurich and use the idalliance tool's profile menu to configure it (as a musclecard). 60s later, its done . I even set easily a new admin and user pin. Even set a password in the password store.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So, on a roll, I went using the same vista host to the openid.trustbearer.com and and registered this card - enrolling it with my trustbearer openid. 60s later, I have an SSO-capable token.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I'm <A title="http://openid.trustbearer.com/home_pw CTRL + Click to follow link" href="http://openid.trustbearer.com/home_pw" target=_blank>http://openid.trustbearer.com/home_pw</A>. What else?!!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Perfect. No fuss (and no compiling required of 2 year old code that I cannot fathom any longer).</FONT></DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Later this afternoon (now that I'm feeling lucky and cared for):-</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV> <FONT face=Arial size=2>I use task manager to kill my locked up IE7 (sob). Oh well, it happens 4 times a day with or without smartcard installs!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I go to <A title="http://www.plaxo.com/openid CTRL + Click to follow link" href="http://www.plaxo.com/openid" target=_blank>http://www.plaxo.com/openid</A> to use my new found capabilities. First I remove my old jcop 21 with its old musclecard applet from the old SCM reader.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>plaxo redirects the browser to trustbearer, which prompts me to insert a card (after an activeX download). Perfectly reasonable. So I do as asked and it them prompts me for a pin: which I enter. All perfectlty normal and expected.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>trust bearer redirects me to plaxo, which now asks me to bind to my asserted openid to the plaxo account, given I have a verified id assured as multi-factor-hardware!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Perfect. It was all seemless, first time through.</FONT></DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2>Peter.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Muscle mailing list<BR>Muscle@lists.musclecard.com<BR>http://lists.drizzle.com/mailman/listinfo/muscle<BR></DIV></BODY></HTML>