Category: Identity

Posted on

You Can Call Me Al

I have heard that some people who follow me on Twitter or other places may be confused about my pronouns, my name, the state of my transition, etc.

When last we met, dear reader, I had acknowledged to myself and to many others that I’m nonbinary with significant parts of my personality that are feminine. Since that time, I’ve continued to learn more about parts of myself that I had been keeping locked away on a shelf. The brain is very good at boxing up stuff it thinks will harm you and isolating it from you and others. I quite literally did not know a bunch of this stuff or connect the dots until I made a conscious effort to dig into “why am I like that?” in a couple places. Then it was like pulling on a thread on a sweater and it totally unravelled. Mixed metaphors enough?

It’s hard finding out this stuff about oneself so late in life. I haven’t had time or been given societal permission to be acculturated as a woman, and there is no room in our society’s image of men for even the slightest display of femininity. To add to that, our culture is tailored to binary gender settings, so even things like what name I use with my email address cause shock when I change them. People are confused when I show up at a store in women’s clothes with makeup on, but then speak with a masculine voice and show my ID or credit card and it’s a man’s name. People are confused when I tell them I prefer “they” pronouns but I still look like a dude when I’m camping, and I dress like a girl when I’m out running or at work.

These are just some of the reasons it’s called “transition.” It’s a process. I, personally, could not bear to save up all the things that I’m doing as part of my transition, perfect them, and then let them loose on the world in a single day. I would never be happy enough with my “progress” to say “today’s the day,” and I’d never get good at these things without practicing them, in many cases, in public. I have to try bits of it, at different times, when it’s convenient for me, pretty much constantly. I think this is more the case with me than with a much more binary-gender-conforming trans person, because they can aim for the binary gender they know that they are inside. I have to figure out where I am on this spectrum and aim for that, and it keeps shifting around.

Even though where I need to be shifts and is in a gray area of the “male” <–> “female” spectrum, I know some things:

  1. Where I am going is much more feminine than I am today. At the end of this, I’m likely to appear to be a cisgender woman, but I will still be nonbinary. Because our culture doesn’t deal well with nonbinary gender, it’s simply much easier to conform to a binary gender presentation, and I’m much more comfortable being a woman than being a man.
  2. I have not had time to learn how to be a woman, so it’s going to take years of learning that and being awkward before I master it.
  3. Because I know these things, I will take actions that appear to be incongruent with how I present in day-to-day life today, things like changing my email address and email display name from “Nicholas Spencer Roy” to “Nicole Siobhán Roy”. There’s no such thing as a gray-area “I’m still transitioning and awkward” email address when my middle-ground name is super short: Nic Roy. My email address would be something dumb like nicroy12345@gmail.com instead of just my name@gmail.com. Because of that, I was forced to pick the long form name where I think I’m going to end up. Migrating all my accounts to a new email address is already painful once. I don’t want to do it again.

So I’m a biosex boy, who in her heart of hearts knows she’s a largely gender-presentation-conforming girl, and intends to get to that point, but will still be a pretty masculine-trait-having girl and will be somewhere on the gender identity spectrum about 3/4 of the way to the girl end of the spectrum.

To sum up:

Call me “Nic” which is easy because it sounds exactly the same as “Nick” and that’s why I chose that name.

To the State of Colorado and the US Government I’m still “Nicholas Spencer Roy” with a gender marker of “M” but I intend to change those things so that I will be “Nicole Siobhán Roy” with a gender marker of “F” and I will eventually both look and sound like that in a way such that someone who’s never met me before will not know I’m not biosex female.

My name is “Nicole” but I won’t get upset if you call me “Nicholas”, although that shouldn’t be a problem because nearly zero people in my life have ever known me as anything other than “Nic[k]”. My sister knows me as “Nicky” but that’s OK because I can also be “Nikki” see how clever and lucky I am?

I prefer “they” pronouns but that will probably change to “she” pronouns. Until I present as a woman full-time and am speaking like a woman (my god that’s hard to do) don’t worry about it, just call me “they” or “she” or “he” or “hey you”.

If you have any questions about any of this stuff, please DM me on Twitter, or email me at: n i c o l e s r o y [at] i c l o u d [dot] c o m.

Posted on

Dreams

I woke at 3 a.m. a few nights ago, in terror. My mom was screaming to be let into the house. Pounding on the front door. I woke and sat bolt upright in bed, listening, my heart pounding furiously in the quiet dark. The AC had turned off, the house was completely silent. I reached for my phone. The security camera showed no one at the front door. I drank some water and went back to sleep. An hour later, I awoke in the same way. Same dream. A woman was screaming at the front door. Was she afraid and running from danger? Hoping to be let in to safety? I couldn’t tell. I almost woke my wife Jill up, but thought better of it. I got out of bed and went down to the front door. Unbolted the deadbolt, cracked the door. No one was there.

I stepped out into the warm darkness of a Colorado early morning, the birds starting to make noise, the sky an inky blue in the East. I breathed deeply – scent of pine and smoke carried on the air. I went back inside and went to bed.

At dawn, in the half-light, I rolled over in bed, facing away from Jill. There was a beautiful woman there, floating in mid-air, seemingly on an extension of the bed that wasn’t really there. I could swear I was awake. I felt awake. This woman was familiar, gorgeous, blonde, dark eyes, striking features. I was in love with her. She told me it was OK to love her. Again I awoke, and went about my day, ashamed to tell Jill about this dream. I thought it was a dream about infidelity.

Now, I realize that she was me, telling me it was OK to love myself, as a woman. She had been screaming to get in the house. Full of rage and anger. I let her in. I’m glad I did. When I finally figured out what these dreams meant, I wept.

Posted on

DC82A40CD16773F13D9C085394B17FF856CB9574

When I was a child, I was enamored of the babysitter. I wanted to be the babysitter. Specifically, I wanted to be a girl. I felt a strong affinity for the feminine. As I grew older, I learned to suppress this feeling. There was no way to change who I was, and I thought “nature doesn’t make mistakes like that”, and “you’re a boy, be happy being a boy.”

As I got older, the girls started changing and I was jealous of them. I hated my body. I rejected my body, first dressing in baggy sweatpants and sweatshirts to hide it. I was depressed. I had no idea why. I saw a child psychiatrist, who diagnosed me with seasonal depression. I’m sure there’s a seasonal component to it, but I was depressed all the time to some extent. Now I realize it is because I hated who I was – physically. I started to over-eat as a self-medication for the depression, but also because I hated my body. I was punishing the body I hated.

After college, I decided I needed to stop being depressed and overweight, and I started eating better and exercising. I lost 140 pounds. I started dating girls for the first time in my life. I started really loving my life. I felt good.

Fast forward 15 years… I’m married, I love my wife, I love my job, I love where we live and our life together.

But.. I had fallen back into a severe depression after a particularly traumatic job experience, and the horrifying and soul-crushing experience of losing my dad to cancer. I started dressing all in black, every day. A uniform of grief. I gained a bunch of weight again. I started vaping. And then the fucking Coronavirus hit. I needed to do something to kick myself out of my funk and get healthy again, so I started running again in March, 2020. Colorado is such a great place to run, there is sun nearly every day. Even in the winter, it doesn’t stay cloudy or cold for very long. I started running along the trails in our neighborhood, and started to feel happy again. I stopped vaping.

And then one day in April, I was running along the High Line Canal trail and started to remember my wish to be a gender other than the one I became. I thought, “maybe my name is Lisa.” I started wearing women’s running clothes, and I felt good in them. Outstanding, actually. Confident. Feminine. I started to think about other appearance changes. I cut my hair in a specific way, with the intent to grow it out. I started dying it – first, gray. Then gray and blue. Then all sorts of fun color combinations. I started wearing brighter colored clothing. Running further and faster every day.

I came out to my wife as genderfluid and non-binary. I was terrified of doing this, but I had to. I am extremely thankful that she took it quite well. I am definitely still attracted to women. I also am at least partly a woman!

I started painting my nails – this was a big deal for me, because you can kind of explain away hair color, but there are certain gender signifiers that are less easy to explain away, and makeup is one of those things. Painting my nails felt liberating. I felt closer to who I actually am. I am slowly coming out to people at work, and they have also all been supportive. I love where I work, and I love my colleagues. I started wearing eyeliner and mascara. I am not sure where it goes from here. I feel like a tomboy. I am athletic, I like camping, knives, motorcycles, shooting guns, but also makeup, and I’m starting to care a bit about fashion. This is quite a change for me, I always rejected fashion, much as I rejected my body. Now I’m rejecting less of myself, and I’m only sorry that it took me 40 years to get there.

Today, I went to Costco with painted nails and eye makeup. I got compliments. I have gotten probably 20 compliments from random people over the course of this journey so far. I think this is because I’m confident, and people see that. I never, not once, got a compliment about my appearance from anyone other than my wife or family in the preceding 40+ years of my life. This is interesting, and maybe it’s because I’m letting the real me be seen.

Posted on

Identity In Transit

In my last job, one of the things that kept me up at night was the notion of electronic identity “in transit” or “on the wire.”  Specifically, I was concerned with protecting the electronic credentials of our customers from any kind of eavesdropping, spoofing or tampering as they were transiting the network at the moment a person entered them in a web form, login box on a computer, on their smart phone, or anywhere else they used their officially issued username and password.

Now I find myself in physical transit, from Iowa to Pennsylvania.  Along with that transition comes the need to re-prove who I am to a number of different agencies and institutions.  Those agencies are rightfully concerned with the prevention of any kind of tampering or spoofing of my identity in physical transit.  Along with that concern comes the need for rigorous forms of identity proofing and vetting in order to obtain new credentials.

Because I do this for a living, I knew the kinds of checks that were going to be required to prove my identity in my new location.  I was atypically well-prepared.  Before the movers arrived, I carefully packed all my incredibly precious, practically irreplaceable, highly combustible paper government-issued proofs of identity in a special box in the center of my car’s back seat.  Like a baby.  I knew that the checks to prove who I am to the Commonwealth of Pennsylvania would be burdensome, but I never really had the opportunity to experience them first-hand, and all at once, before.  Here are my experiences so far.  Please note that these experiences are likely nearly identical in every state in the union (thank goodness I didn’t move to California or my ability to drive would have been in question and I would have had to get fingerprinted!)

The Drivers License

I started with what appears to be the “intermediate certificate” in the trust chain rooted in US citizens’ birth certificates and social security cards: the state-issued drivers license.  This form of physical identity has the following attributes:

  1. It’s highly vetted
  2. It’s issued by a state agency
  3. It has your photo and signature on it
  4. It has your address of record on it
  5. Its issuance is rooted in more deeply-entrenched forms of identification
  6. It’s not so irreplaceable that you can’t carry it with you everywhere, like you can’t with a birth certificate
  7. You must carry it with you everywhere to effectively operate in the modern world
  8. You can’t get one if you don’t already operate effectively in the modern world

As such, most other forms of daily identity proof are rooted in the state-issued drivers license.  To obtain this, I had to drive 10 miles out of town (good thing I have a car and an existing drivers’ license) to a small building where I had to write a check (no cash or credit accepted – are government agencies even permitted to not accept US currency?) to the PennDOT and surrender my Iowa license, present a Social Security card (why?) and any of the items from list A and two of the items from list B:

A

  1. Birth Certificate with raised embossed seal (not a copy)
  2. Certificate of US Citizenship
  3. Certificate of Naturalization
  4. Valid and original US passport (not a copy)

B

  1. Tax records
  2. Lease agreements
  3. Mortgage documents
  4. W2 form
  5. Current weapons permit (US citizen only)
  6. Current utility bills

Note that were I any less than a fully employed and housed person of good means (I carry a passport, and can afford a safe deposit box in which to keep my social security card, birth certificate and passport) I would have an extremely difficult time obtaining a license or photo ID in Pennsylvania (which, were it not due to the action of the ACLU, would be required to vote in an election here.)  If I didn’t have an Internet connection or at least access to a phone, I wouldn’t have been able to determine what I needed to take with me beforehand, and might have needed to make multiple trips, in the car which I thankfully own and am licensed to drive.

Luckily, the address on my check was not required to match my Pennsylvania address of residence, doubly so due to the tear in the space time continuum that would have been caused by identity in transit issue number two:

The Bank

I like credit unions- they exist to serve the membership.  The credit union I currently use in Iowa is a community credit union, meaning it has a community charter, and anyone in the area (a huge area) can use it.  I can still use it because I have existing business with them.  I want to get a new account at a credit union in Pennsylvania because I don’t want to pay ATM fees for withdrawing cash here, and I need to get a safe deposit box to put my incredibly precious and practically irreplaceable, highly combustible paper government-issued identity documents in.  The credit union here does not have a community charter, which means I need to have proof of employment at my new employer to get an account.  That’s fine, I can just do that when I start work at my new employer.  Here’s the fun one though: the credit union asked for my Pennsylvania drivers’ license.  Imagine if the drivers’ license office had decided that the address on my check (no cash, credit or Trobrian Island yams accepted!) needed to match my official Pennsylvania address of record.

Car Title

These next two things are not technically personal identity issues, although they deal with the state-issued identity of my car, which is almost as tightly controlled as the state-issued identity of me as a person.  When I went to the credit union in Iowa (which owns the lien on my car) to ask them about transferring the title to Pennsylvania, they said “don’t move to Pennsylvania.  Anywhere but Pennsylvania.  That is the worst state to transfer a title to.”  I’m not kidding, that’s verbatim.  So, clearly that’s not going to be a problem.

Vehicle Inspection

Iowa does not require any kind of periodic vehicle inspection (this shows in many of the cars on the road) and does not have what the EPA considers to be an air pollution problem, so does not require California Air Resources Board (CARB) certification.  You can legally (and actually) buy a car in Iowa that does not comply with CARB specifications.  If you take your car to Pennsylvania when you move, it’s MY2008 or newer, and it doesn’t have CARB certification, it must have over 7,500 miles on the odometer or you are out of luck, I guess.  Perhaps you could just drive to the King of Prussia Mall a few times to run up the clock before your 20 days to register your car expires.  Of course, in your formerly non-coastal, more-polluting, non-CARB-certified, extra-dinosaur-burning-mobile, that would just cause more pollution, not less.

Neighborly Identity

For the past week, we have had numerous neighbors in our condo association stop by to say “hi” – this was nice the first few times it happened.  Now it is becoming clear that they are investigating whether we are going to depreciate their property values and/or throw wild parties all night.  We are a prematurely elderly, workaholic grad student/professional couple with no kids.  Hopefully they will figure that out and stop ringing our doorbell while I’m on conference calls.

The Grocery Store

Loyalty programs abound!  They are all slightly different and all have weird different rules.  To obtain today’s lowest price on spaghetti sauce, I had to create an on-line identity at the new and different (to me) grocery store and print out a temporary loyalty card on my laser printer, which I bought at Staples, with a discount, using another loyalty card, with another on-line identity.

I understand the need to do many of these things, even most of them.  On the other hand, they are extraordinarily onerous and not at all customer-friendly.  In some cases (voter ID laws) they are blatantly and intentionally disenfranchising of certain segments of society.  That’s a problem.

Update (4/13/2013) – Title and Registration

I don’t know what the credit union thought would be so difficult about getting the title and registration transferred.  Within a couple days of me sending a form to them asking them to send the title to Pennsylvania, I had a new title issued in Pennsylvania, plus my registration and license plate.  It was probably the easiest thing to do yet.

Posted on

Why Are Google and Verizon Fighting Over The TPM Chip In Your Phone?

I’ll give you a hint: it’s not about using NFC to exchange business cards, and it’s not even primarily about mobile payments. Why does Google want the TPM/NFC module in your phone integrated into the phone, and Verizon wants it in the SIM card? Simple: Identity ecosystem lock-in. Verizon and Google both have a huge vested interest in providing you with an electronic identity which you can use to execute high-stakes transactions. The only good way to do that for the general public is by putting a TPM chip in everyone’s phone and wirelessly provisioning high-assurance credentials to it via their trusted service manager of choice (much like “The Highlander,” there can be only one in control of the keys for each TPM, and they each want it to be theirs).

Why do I think this? Take a look at the OIX-certified FICAM Trust Framework-approved list of identity providers. What do you notice? Verizon is LoA 1, 2 and non-crypto 3 approved, and Google is LoA 1 approved but likely wants to be at LoA 2 and 3. Why is Verizon at LoA 2 and 3? Because they have a very well-established business relationship with their customers. They know, with a high degree of assurance, who they are. How will Google establish this high-assurance relationship with their customers? Google Wallet, Google Voice and their controversial “Real Names” policy.

So why do these companies want to be your default high-assurance identity provider? Simple: vendor lock-in. Can you imagine a more powerful lock-in effect for a specific platform than the one created when you not only use it for all your financial transactions, but also to open all the high security physical doors you use? With the advent of cloudsourced security, we aren’t just talking the front door of your house or starting your car. Your workplace will likely soon move to outsourced identity for login to your workstation, access to the VPN, and even the doors to the data center. Why? It’s much cheaper and easier (and less risky) to sign a contract with Verizon or Google to provide this service than to hire the people and purchase the infrastructure to manage it yourself. It’s also much less cumbersome to use a phone which everyone in the company normally already carries, than to set up some kind of expensive and cumbersome smart card system.

So which vendor will companies buy high-assurance identity from? The one with the largest installed base.

Posted on

The Problem With Crypto?

I am not a cryptographer or even remotely capable of assessing the validity of what I’m about to say, but I’ll say it anyways.

The current set of cryptography techniques all seem to be increasingly clever and obfuscated iterations on the pattern of ROT13. They represent security through obscurity in that they always seem to be compromised over time, after enough knowing sets of eyeballs have looked at them. They are initially “secure” because they are so complex that no one (usually including the inventor(s)) can understand the end-to-end implications of every part of them. For example: Why do some elliptic curves allow creation of secure cryptographic rotors?

Posted on

Bobs I Have Not Known

Copyright (c) 2012 by Nicholas Roy, all rights reserved.  No use or duplication of this material without written consent of the author.

There are two Bobs who have shaped my life, and I have not really known either of them.

I was born in the center of the Adirondack Park in northern New York.  It is, as far as I can tell, the largest state park in the United States.  It has mountains, but not like the Rockies.  These mountains have been smoothed away by the last bakers’  dozen million years of geologic time, so that they are now soft and round and green.  They are not threatening or majestic.  They are human-scale mountains.  They welcome you home when you first see them peeking through the treeline on the way over from Tupper Lake on route 3.

Adirondack high peaksI was born in these mountains on February 4th, 1978, one of the coldest recorded days in New York state history- three years after my grandfather, George Robert “Bob” Roy died of stomach cancer in a hospital in the city.  When my family talks about it, they say he donated his body to science, a euphemism for “he was dissected by medical students.”  What’s tangibly left of him is a stone at the old family camp site on First Pond on the Saranac River, hidden a bit back from the shoreline.  It reads:

FOR BOB ROY
WHO LOVED THIS SPOT
FROM HIS FRIENDS

Memorial stone: FOR BOB ROY, WHO LOVED THIS SPOT, FROM HIS FRIENDS

If you were to stumble upon this stone (say you decided that this particular spot on the river looked particularly appealing to tie up your boat and have a swim – a reasonable thing to do,) and you went back in the woods to discreetly relieve yourself.  You might stub your toe on something and clear away the pine needles accumulated over the last decade (since the last time my family went to see the stone.)  You might wonder, “who is this “Bob”?  You would then feel a bit of the mystery I have felt my entire life.  Who is this “Bob”?

November, 2008

I am in New Orleans, Louisiana, and it’s three years after Hurricane Katrina really put the hurt on this town.  I’m here because of an Internet2 conference.  “What the hell is ‘Internet 2′?”  You ask, “I thought we were doing okay with Internet 1.”

Well, yes and no.  The Internet, as it exists today, is a piece of 40 year old technology built from a beautiful concoction of luck, human trust, extreme skill and forethought.  It mostly works today, when the inherent trust that one network researcher had for all the others on the network at the time of its creation, has been swept aside by the billions of people on the net, because the bad guys need it to work in order to do their jobs.  Internet2 is an organization funded by the big US research universities (mostly) in order to do advanced Internet research – to make the existing Internet gradually better.  A friend of mine who’s a CIO in higher ed characterizes this work as “replacing the engines on a 747, one by one, in flight over the Pacific.”  It seems an accurate metaphor.

So I’m in New Orleans, and I’m doing my career thing, which is that I work on the part of the Internet, at my day job at a big research university.  I do “identity” stuff, which is pretty much “who are you on the Internet, and how do you prove it?”  This is a new career path for me – I’ve always been interested in electronic identity, but never had a real reason to do much with it in my career until I took a job doing it six months ago.  So now I’m at the big conference, hoping to make connections and learn the trade.

I check in – the site of the conference is one of those semi-characterless megahotel conference centers in downtown NOLA (they try to make them have local flavor by naming all the conference rooms things like “Magnolia” and “Bordeaux”,) right across the street from the French Quarter.  There are a lot of dudes in Hawaiian shirts with gray beards milling around in the lobby, talking to each other in hushed but spirited tones.  They clearly know each other.  I’m guessing these are the people who know what’s happening at this conference.  They have been here before, many times.  Apparently they are all named Ken, Steve, Bob or Keith – they blur together in my head, I can’t keep the names and faces straight.

The next morning – the first day of the conference, I go to a workshop on a particularly interesting piece of identity technology.  There’s a ton of these guys in the room – I must be in the right place.  The session gets started, and it’s extremely interesting.  I start furiously taking notes on my black Macbook.  I wouldn’t even know what questions to ask, or where to begin.  There’s one of these old guys in the back of the room on a ThinkPad, and he does not talk until the very end, when someone else asks a question.  This guy – his name tag says he is RL “Bob” – gets up and speaks about three sentences that are powerfully overloaded with extremely dry wit, powerful metaphor, and seem to magically answer the 20 or so embryonic questions I had about this technology.  Who is this RL “Bob”?  I need to try to meet this guy.

I stole my grandfather’s World War II pilot logbooks from my parents’ house.  I spent hours looking at every entry in them.

20 June, 1945 – 20 hours Midway to Tinian Hop

He was on the island where they launched the Enola Gay on its mission to destroy Hiroshima.

His logbooks had the numbers of the units he was assigned to in them – things like VPB-11.  I did Google searches for days, trying to find out who else was in VPB-11 – who might know him.  It looked like that unit has been disbanded for a long time, and they had stopped having reunions 10 years ago.  Who might know him or know about him?

My dad had good and bad stories about him, but they were mostly shaded with his apparently ill temper.

My dad, as a child, had lost a stuffed bunny rabbit out the car window.  My grandfather had refused to stop the car to pick it up – he would teach my dad a lesson about carelessness and consequences.

He got so mad at a chainsaw one day, cutting wood, that he did something stupid and terribly inured himself, while caught up in his anger.

But his family and friends had cared – deeply – about him, had put this stone in the mountains he loved.  His spirit was there, they knew it and wanted him to be at peace.

2010

Who is this “Bob”?

That’s what his personal web site opens with.  It is a collection of links to a whole series of different “Bobs” with interesting, short questions asked about their true identities.  One of the links is to his blog.  I click on it.  In the last two years I have learned an enormous amount from “Bob” and his fellow Kens, Keiths and Steves.  I am not part of the group – not yet experienced.  I am a sophomore in the true sense of the word.  I don’t know what I don’t know, but at least I don’t know it.  I have no shame.  That’s how you learn.

They are all guides in the wilderness of electronic identity.  Maybe they can tell I’m one of their kind, or at least I really care about it.  They get my boss to somehow agree to allow me to host conference calls and give feedback on policy documents that they’re working on for the community.  I love this – I am learning more than I ever thought I could.  I’m drinking from the fire hose.

“Bob”‘s blog turns out to be about his ongoing struggle with cancer.  I learn that he was recovering from his first round of treatment the first time I saw him in NOLA.  His blog is also laced with his amazing skill at metaphor and his dry sense of humor, with common threads of baking bread, watching soccer matches on TV, his wife and daughters and their dutch Kooikerhunde dog.  This is a guy with a life.  I try to reconcile this with his seemingly endless output of nearly prescient ideas in identity stuff and the fact that he seems to know, be friends with and constantly talk to everyone in the business, and constantly attend conferences in the US and abroad.  What is his secret?  How does he not burn out?  I go home at the end of the day, nearly every day, satisfied but mentally drained and physically exhausted (how?  I do IT stuff – this shouldn’t happen.)  I’m exhausted and I don’t have cancer.  How does he do it?  I want to be like him, some day.  If I can be a tenth of that, I’ll be amazed.

We got in a fight over Thanksgiving dinner – my grandmother was at my parents’ house and could not stop talking about how similar my dad was in voice and action to my grandfather.

I had heard almost nothing from this part of the family about him, over the years, except bad things.  He got angry very easily.  He slapped people, got into fights, got out the belt.

This was not my dad.  My dad is one of the kindest, gentlest people you could know.  He is a giant teddy bear.

This slandering of my father made me angry – terribly angry in a way I could not control.  I’m not terribly dumb, so I figured out that this rage must have skipped a generation, and now it was boiling up in me.  Who was really the just target of this comparison with my unknown grandfather?  Probably it was me.  This made me even angrier.  I pointed at my grandmother across the turkey – “You never say anything nice about him!  Well he’s not here to defend himself, so let’s just shut up about him!  Screw this, I’m out of here!”  I ran out the front door into the park across the street.  I sat down at a picnic table in the cold November air, the vomitous orange glow of a sodium vapor light despoiling the terrific darkness around me.

After five or so minutes, my mom sat down next to me.

“I never saw that side of him, you know.  He was always kind to me.”

“Thanks – I think I’m too much like him.”

“You’re not like him in the way you think.”

2011

I friend “Bob” on Facebook – it’s the kind of thing a teenage girl would do – friend a bunch of people she only kind of knows.

At the fall conference that year, “Bob” does an amazing talk for a packed room on the subject of social identity – the relevance of identity from places like Facebook and Google.  That morning, after several months of not accepting my friend request, he accepts it.  In the talk, he looks at me and says something like,

“Some of the people on Facebook we know, and some we only just met.”  He looks directly at me as he says this last part. I grin back, stupidly.

I’m getting married – I have become calmer, I might be starting to see the tip of the iceberg of the things I don’t know about life, poking through the surface of existence.  The parts of me that I rightly or wrongly attribute to my grandfather, I suppress.  Somehow I know that attributing them to him isn’t fair.  He’s a ghost and he can’t defend himself.  I got my pilot’s license some years back.  The FAA pilot examiner who tests me flew P38 Lightnings in the war – he signs my temporary airman’s certificate with a barely legible, shaky hand.

I’m getting married in three months, and “Bob”‘s cancer is back.  His blog says:

Just to clear this up, for all you computer people.

Last time was “re-install OS and restore from backup”.

This time is “install a different OS”.

Next time is “migrate to the cloud”.

Got it?

His wit has not been dulled by the cancer.

She helps me, my wife-to-be.  I know I love her because the parts of me that I don’t like, now I don’t blame them on my grandfather and try fight them.  I don’t have to fight them – I really try not to do those things around her because I love her and they are ugly.  Sometimes I fail and she’s scared by the anger, I know.  I feel terrible when that happens, but I’m getting better all the time.

“Bob” is honored and celebrated by his friends and family at the spring Internet2 conference in 2012 – a month or so before my wedding.  I suspect I won’t see “Bob” again, it’s a terrible thought but it feels that way.  Family is important, I know that and he does too.  I decide not to attend the meeting to help prepare for the wedding.

Our wedding day comes and I think of nothing else but my wife and my family.  At the last minute, I look at “Bob”‘s blog – he’s been admitted to the hospital after a particularly evil round of treatment.  He says: “I’m still alive.”  It doesn’t sound fun.  I worry about him but the worry is short lived.  We have a great wedding and a fun party with friends and family.

There are no more blog entries from “Bob”

A few weeks after our wedding, I find out that he’s died through one of the many identity groups he started.  They start a web page where you can leave memories of him.  I fumble for words to say what I think he meant to me, but they end up clumsy and kind of embarrassing.  Many others knew him so much better.  I wish I had known him, too.

My cousin is getting married, and my wife and I get in the car and head out to the Adirondack mountains to visit family and attend the wedding.  We will rent a boat and I will show her the stone that marks my grandfather’s existence.  As we drive over the bridge on the Saranac River, not more than a few thousand feet from his stone, I roll down the windows.  Balsam fir floods the car with its sweet tingle.  I pilot the car over the winding road, this scent filling my nose.  My heartbeat slows.  I let my foot off the gas a bit.  We’re in no hurry here.

Posted on

An Idea For Remote Proofing and InCommon Silver

The InCommon Silver assurance profile has a section that allows for remote proofing of identity subjects. Many people I’ve asked about this are saving this section for “later” and aren’t going to try to do remote proofing to begin with. Someone said something to me the other day about the availability of notaries that makes me think this is possible to do in a not too terribly difficult way. Here’s the relevant section of the assurance profile:

4.2.2.4.3 Remote proofing
1. The RA shall establish the Subject’s IdMS registration identity based on
possession of at least one valid government ID number (e.g., a driver’s license or
passport) and either a second government ID number or financial account
number (e.g., checking account, savings account, loan or credit card) with
confirmation via records of either number.
2. The RA verifies other information provided by the Subject using both of the ID
numbers above through record checks either with the applicable agency or
institution or through credit bureaus or similar databases, and confirms that:
name, date of birth, and other personal information in records are on balance
consistent with the application and sufficient to identify a unique individual. If
this appears to be the case, the RA authorizes issuance of Credentials.
3. If the record checks do not confirm the Address of Record, it must be confirmed
as described in §4.2.2.5 below.

Note that it says if you can’t confirm the information provided via record checks, you have to register the subject via the address of record. Everyone seems to be focusing on the technical problem of verifying the source document numbers via Equifax or other credit bureaus, and/or state motor vehicle registries. I think people are so shocked by this requirement that they’re misdirected away from the critical pieces here:

1) You only need to register the facts of the documents presented – you can do that via notaries public that are available free of charge for customers at all banks in the US.

2) You can confirm the identity of the individual by delivery of a registration secret to an address of record. What is an address of record?

Conveniently, section 4.2.2.5 (2)(b) says:

For an electronic Address of Record, the RA confirms the ability of the Subject to receive telephone communications at a telephone number or e-mail at an e-mail address.

So you can just e-mail them a short-lived registration bearer token after you receive their notarized paper form containing their identity documentation back. Can it really be that simple?  An idea for some legalese to include on the form (I am not a lawyer) might be:

I hereby declare that the e-mail address supplied on this form by me is a valid email address that is acceptable for use in official communications with me.  I am the only person who has access to this email address.

Update: 5/30/2012: Thanks to Mark B. Jones for this interesting international tidbit on consular services and the notary function: http://travel.state.gov/law/judicial/judicial_2086.html

Posted on

Just Stop

My new pet peeve is cloud service providers who assume that they can and should use email address as a primary key for customer identities. This is a terrible idea for a large number of reasons. Here are some:

  1. email addresses are name-based.
  2. Names change (usually in the most personally sensitive situations, where they must change: marriage, divorce and witness protection or court ordered separation).
  3. Not everything that looks like an email address is a deliverable email address (e.g. userPrincipalName, eduPersonPrincipalName).
  4. If it looks like an email address you will be tempted to assume that it is an email address.
  5. You could be wrong – it might not really be an email address.
  6. Do you really need to know someone’s email address?
  7. Why do you need to know someone’s email address?
  8. Most people have multiple email addresses.
  9. Which one do you need to know?
  10. How are you going to make the person remember which one they used?
  11. What if they don’t know?
  12. What if they leave the {school, business, non-profit, government, etc} where they had their email account?  Most best practices require deprovisioning of email for people who don’t {attend, work at} that place any longer.

The worst case scenario is that you, as a cloud service provider, have not been clear with your customer about your use of primary keys for identity, and specifically your use of email address as a primary key.  The customer will then blindly deliver this to you and when customer identities’ email addresses change, someone else could end up with access to protected resources that should be owned by a different person.

Many small customers (likely the customers small enough to be looking for your cloud service in the first place) are not in a position to think about the security implications of this use.  You should do that thinking for them, and bring them up-to-speed with the problems and pitfalls associated with using email address as a key.  Sure, since most people have an email address, it’s a convenient piece of information that you can additionally use for delivery of things like password reset requests, confirmations and workflow messages.  On the other hand, you can use other things (that don’t change and aren’t re-assignable to other people) as a shared primary key, and still ask for email address for use in sending email.

I have seen a large number of cloud service providers ask for email address as an identity attribute and not disclose its use as a key- this is the worst of all possible situations, because you are making assumptions about the nature of the customer’s email address that aren’t true, and you aren’t allowing them the opportunity to understand that because of lack of disclosure.  I’m not a lawyer, but lack of disclosure of this kind of thing, leading to an unintended release of information via change of email address (situations in which someone else gets a previously used email address do happen) seems to open the door to legal action.

An ideal solution on the part of a cloud service is to make the primary key for identity very flexible (very long max length, any format alpha, numeric, etc).  You should then develop an interview process that you use to find out what types of keys your customer can provide, and be able to map one or more of them into the key field in your service.  Use a surrogate key within the service that’s hidden from the customer, and expose an API that allows the customer to update their users’ identity keys if necessary.  Some suggestions for things that might make good keys:

  1. Employee ID (not SSN)
  2. Student ID (not SSN and not name-based)
  3. Identity Management System (IdMS – if they have one) surrogate key
  4. Unix UID (if the customer is using a centrally-managed UNIX-type system)
  5. Network ID (if it doesn’t change- ask the customer if they do.  If the customer wants to use this, allow them to rename via an API)
  6. Scoped Network ID (scoped to the customer’s DNS domain name- ask the customer if these change, don’t use if they do, or allow renames via an API)

Cloud service providers: please stop asking your customers for email address as a shared primary key, and work to educate your customers on the danger of using email address as a key for access control.

Posted on

Oxytosin and the Economic Benefit of Trust Fabrics

The global higher education IT community is doing something pretty amazing. They’re weaving together a trust fabric to allow shared services via robust federated authentication and attribute-based authorization (see: InCommon, UK Access Federation, GakuNin, EduGAIN, REFEDS, many others).

At any scale, it’s hard to extend trust from “my tribe” to “your tribe”- but once we’ve done it, the return on the trust is almost magical. With federation in higher education, suddenly services and projects a school would be hard pressed to support on its own become easy to leverage.

So how does this scale beyond higher education? Trust is the basis for lowering barriers to collaboration and lubricating the machinery for an effective economy (See Paul Zak’s fascinating TED talk on Oxytosin). I think this suggests that higher education is once again leading the way in building a framework for increased global trust, global research collaboration and global wealth production.