
MC: Please take your seats. We're good. Yeah, it'll be up in a second. All right, I'd like to introduce our next speaker, which is Bill Sempf, and the title of his talk is "Are You Aware of Claims?" I'm going to let him do his own introduction, so I won't ramble on. Welcome, Bill.

Bill Sempf: Thank you very much. Hey, wow, I got fans. I have to warn you ahead of time that I'm a walker-arounder. I'm not normally a stand-in-one-place-and-talk kind of person, so if I wander away from the microphone and it's a problem for the video, somebody wave at me or throw something. I'll never... because I talk with my hands; it's just bad no matter what. Normally I just work without a mic because I talk so loud, but I know you guys have some recording stuff going on and I'm not going to mess around.

Anyway, hi, my name is Bill Sempf, and I'm here to talk about identity management. What we're going to do is take a really broad definition of a term that Microsoft has been throwing around called claims-based security, or claims-based identity. I say broad because Microsoft has this very rich ecosystem for identity management, and I want to narrow it for the purpose of this talk and make it real general. We're going to say a user has a token, and the token has claims, and that's it. That is claims-based identity. What this does is create an environment for decentralized access control, which is at odds with discretionary access control, which is what we're normally dealing with. That allows me to talk about both OpenID/OAuth along with the ADFS that Microsoft is coming up with. People say they're not the same, but you'll find there are a lot more similarities than you think, and that's largely what I'm here to talk about.

But first let's talk about me, because why not, right? I am not part of the security infrastructure, the security community, though I'm odd at times at how open-armed everyone's been towards accepting me into talking about things like identity management. I'm a software architect. I'm the person who attempts not to build software with screaming huge SQL injection holes and only encrypting my passwords with one MD5 hash and not using any salt. Not that anybody else would do something like that. I do work in Columbus, Ohio. I'm an independent consultant. I do a lot of work with state government and also a fair amount of private work, and I specialize in Microsoft technology, but that's not the only thing I've done by any stretch of the imagination.

I'm an author. I've been writing for about 12 years. I've written all kinds of weird little books, mostly on Microsoft topics, though some other topics too. I've written for Wrox, I've written for Addison-Wesley, I've written for Wiley. It's neat, though I will admit I'm one of those who prefers to have written rather than writing, if you know what I mean. I'm very much a family guy. I have a wife and two beautiful children who we homeschool, and we have a ton of fun, because we can run around during the day and I don't have to worry about schedules and crap like that. We do neat stuff. Normally they drag along with me, but they couldn't come up here today even though they would have liked to, because there's all kinds of fun stuff to do in Cleveland.

I actually am a ninja. I train in ninjutsu at the Columbus Jutsu Club. I'm fifth kyu. Please don't test me; I'm a little out of shape, in case you can't tell. I'm also a homebrewer. I brew my own beer. I did not bring any, I'm sorry. I have a wonderful, very hoppy American ale, if anybody likes bitter beer, that'll be done in about two weeks, so call me, and if you're flying through Columbus let me know and you can have a pint. I'm also a locksport enthusiast. I run the Columbus branch of Locksport International, and I'm actually the administrative director of Locksport International as well and handle creation of new chapters and getting people involved in locksport and stuff like that. This crowd, I don't need to tell any of you about it; you all know. Normally I speak to development crowds and they're all like, "Locksport, what's that?" But I assume I don't need to do my normal spiel here.

I've been writing for a while, and it kind of pegs me as a little bit more of an analyzer, thinker, problem solver than a stand-up-and-convincer. I'm not a real good salesman. In fact, back in my previous life as a musician, I worked for a sales organization in music, Coyle Music out of Columbus, and I was a sales rep. They were trying to make the company more formal and brought in somebody to give all the sales reps tests to see what kind of salesman they are, and what they determined is that I don't care whether people like me or not, so I'm actually a very poor salesman. At the time I was shocked by that. In the 20 years since then, give or take, I've learned that they're exactly right, and I do very much suck as a salesman. So take that for what it's worth as I talk.

So let's talk about Bob and Alice. Bob and Alice are doing a little bit of moonlighting for me from the cryptography world. Bob is living in a discretionary, role-based world, and Alice has a set of claims. What's more, Bob is a doctor. Bob... hello, there he is, okay, good. See, Bob's a doctor. What's more, he's a heart surgeon, and he likes to work for a living like we all do, but everywhere he goes he has these troubles. Every hospital wants him to prove that he knows what he knows, and they test him consistently, over and over again. Every time he comes in and there's a different procedure that needs to be done, he needs to prove that he knows how to do the procedure. Every patient wants to quiz him and ask him, "Hey, tell me what you've done, tell me who else you've worked on," over and over and over again. He needs to revalidate his checklist of claims every single time he interacts with any system, and it's a little frustrating.

Alice, on the other hand... Alice, okay, I apparently put a space in there, I do not know why. Alice, as it turns out, is a doctor too. Who knew? All those years we've been watching them in cryptography stuff, we didn't know this. I didn't know, anyway. She also is a heart surgeon. Who knew? However, she has a diploma from Trent University. Did somebody get that, or... no, nobody got it, okay. Trent's the trusted party in crypto. Never mind. So when she applies to work at the hospital, they just ask her for her diploma, right? She has to prove it's real, of course, and what's more, the diploma says right on it that she's a heart surgeon. So when people come to get work done, get their heart worked on or get advice or whatever, they don't have to continuously revalidate her. They just look at her diploma and go, "Oh, okay, well, I trust Trent University. They know what they're doing. She has a diploma from there. Everything must be cool."

So let's take a look. When Alice wants to get a job, she goes and says, "Hey, hospital, I want a job," and the hospital says, "Well, that's awesome, but we need a diploma, and we only accept diplomas from certain places, and it has to have certain things on it or we won't accept it." She goes, "Oh, I'll just send an email to Trent University and get my diploma," and Trent says, "Oh yeah, cool, we know who you are. We'll validate your identity first, of course, right, but I'll get your diploma. We'll sign it to prove that it's real. We'll send it back to you." Alice says, "Thank you very much. I'll send that to the hospital." The hospital goes, "Cool, this is Alice's diploma, fantastic. We'll validate that to make sure that it's exactly what we expect," and then, ta-da, that's all she wrote. She's got her job, because she's proven that she is who she says she is and she knows what she says she knows.

There's a problem with discretionary, role-based security, and the problem starts, you know, 15 years ago, when Bob got his Novell NetWare account, and so he had a digital identity at work. Then five years ago he set up a Yahoo Mail account, so now he's got an identity at Yahoo. Well, over the last three years, public and private identity repositories have popped up everywhere, so now everyone has a copy of Bob's identity. It might have his name spelled wrong in one place and an old email address in another place, and it becomes a management nightmare for Bob. He has to remember so many passwords he needs a password keeper, and then he lost the password to the password keeper. One of the sites he has an account with got hacked and all the passwords got downloaded; they were storing them in plain text, and then somebody got on the site and baggy-pantsed him. He can't win. He can't control anything.

That scope kind of describes the whole problem with discretionary access control. You create silos of users that are incorrect. The user doesn't have any control; he often forgets they're there. You often can't share information between them, because everyone has their own scheme for storage. It creates a complex management system for the holders of the identity; they have to stay in touch with the user to make sure that everything is current in the identity. And it presents a really interesting reversal of control, where the users should be in control of their own identity but instead each application is, and that provides a tremendous amount of risk, because the application is now responsible for doing things like preventing escalation of privilege. There's more information in the application than there absolutely must be in this scenario, and that is a bad thing. What's more, as we learned with the password manager and everything else, it provides a bad user experience. You guys all know the big list of passwords that people keep on the Post-it note on the side of their monitor. That's what you live to defend against, often, at least professionally, and that is partially caused by this discretionary identity management scheme.

An example that I put in here, mostly to talk to the dev crowd, so forgive me if this is kind of beneath everyone in the room: the "at" exploit in Windows XP. You pull up a command prompt, you're probably all familiar with this, and then tell it you want to schedule cmd.exe for some time in the future, and then wait for it to run cmd.exe. This is back in XP, back in the day. Wait for cmd.exe to be run by the "at" scheduler; of course it runs in the context of the SYSTEM account. You can then kill your Explorer, use the cmd.exe that was run by the scheduler to run Explorer again, and ta-da, you are now the SYSTEM account, right? That shouldn't ever happen, because the machine has more information about users than it absolutely must have. The user should come to the machine with the identity, not the machine store the identities within it. Now, of course, Microsoft fixed that bug, but all they did was say, "Oh no, you can't run cmd.exe interactive anymore." Well, they didn't actually fix the problem at all, did they? Because the concept of the SYSTEM account is still alive and well within even Windows 7. There's still more information within even that application than there absolutely must be.

So, Alice. Let's talk about Alice. What was down here? Alice has a single identity with a chain of claims. It's encrypted and verified by a trusted third party, and she uses it everywhere she goes. She uses it at home, she uses it at work, she uses it to comment on the blog she reads, she uses it to check her mail. Somewhere there is an identity repository that she and all of these end places trust, and it is in charge of authenticating her identity. Now, each of these places may have their own claims that relate to her identity, but the actual identity information isn't in any of these places any longer.

So there's the Bob and Alice story. Let's talk about claims-based identity management and why it's important, who is doing it with what, how you can get started, and then a couple of what-if scenarios: what if it doesn't work the way we say, what if, what if, what if.

Starting with why. Four good reasons why claims-based security, claims-based identity management, is important: flexibility, interoperability, single sign-on, and federation.

Let's start with flexibility. So here's your app. Your application has to authenticate its users. Now, when you started, you had a username and a password box, but then the boss came and said, "Hey, we're putting in this RADIUS system. You need to accept authentication from that." So you had to go and get the RADIUS API and do a bunch of coding and set up that piece, right? Oh, and now we're going to do certificates for certain privileged users. And oh, hey, can't we make it so you can just accept their Windows authentication? And hey, we've got this Kerberos system; we'd really like to include that in this application from a user system perspective. And oh, for the administrators, we're going to need to do a retinal scan or something and get their biometric information. Each one of these identity management systems has its own API for you to develop a login system with, and that is exceedingly frustrating. This is what it should look like: you should have a common API for all identity schemes, and you shouldn't have to do logins at all. The user should come to you with their identity in their hand, and that is what claims-based identity will do. Distributed identity management will allow the user to just come to your application or your system with their identity in their hand and their list of claims.

Interoperability is another important piece of all this, and I'm going to talk about the who's in a few minutes, but there are two standards at play here that are both OASIS standards: SAML is one and OpenID is the other. They're both based loosely on WS-*, and before you throw things at me, I know that WS-* is a mess and it's way too thick and it's really hard to deal with and it's really hard to manage, but they're doing a very good job of creating substandards based on substandards (I've got to find out the word for that) based on the principles laid down by WS-*. Those principles are very sound. So, for those of you who aren't web services people in the room, this is a standard for XML packet passing, where you can store information in an XML envelope, or in the case of OpenID in a URI instead, that contains certain information and can be cryptographically signed. So this is the sample packet; well, this is a very, very high-level view of the sample packet. We'll talk about that when we get to who. We're still on why.

The third why: single sign-on. This is something people have been playing with for a long time. The Ohio Department of Health builds a portal; you sign into the portal, and the portal passes your credentials to all the applications, and each application has to be built to accept whatever the portal hands to it in terms of an identity. What's wrong with that? Well, each app has to be able to handle the identity handed to it. I mean, if you buy a third-party application, you're toast. You can't integrate it into the portal unless it itself has a very rich API, and then you have to do a kind of coding, and it's very brittle. If you do it with a standard instead, then you have single sign-on no matter what application you're using.

Finally, federation, which, especially in the case of SAML, is an extremely, extremely important reason why all of this claims-based stuff is important. And this wonderful diagram... this is where I'm stepping into you guys' space a little bit. Most of you are probably infrastructure people, so forgive my application developer's perspective on this. You have an external user who wants to access certain web apps inside of your perimeter network. Well, we can do that by storing certain claims about the user in some kind of lightweight directory service off to the side of our application, and then using, in the Microsoft world, a product called ADFS, Active Directory Federation Services, to link up the internal domain, which manages all the identification for your users, and a perimeter domain, which maintains all the identification for anybody else that might want to use your application. Now, the NT trust along the bottom there will only do certain things for you, and you certainly don't want your internal domain to trust the perimeter domain; it goes the other way. So ADFS will broker identity management for you within the enterprise.

The real benefit of this is when the external user is sitting on a domain of their own. Now, of course, if the external user is, say, a citizen, then their identity information will probably be in the perimeter domain, right? However, if they happen to be, say for instance, the Franklin County Board of Health or whatever, and the external user wants to use your web application, then we can set up a further ADFS trust for the domain that they're sitting on, so their Windows identity is used to access that application. The LDS is still holding the entitlements, let's say, so that we can take that identity that we already know about and attach it to certain things that the user can do within the application. So it's not like we're handing out authorization to another application; it's just the authentication. We trust that external domain to authenticate this user for us, and the basic claim set: "Hey, I am Bill Sempf, and I'm coming from the Franklin County Board of Health, and I am a manager there, and I'm in this building." That list of claims comes from the external domain to our application via a common API called Windows Identity Foundation; we'll talk about that in a few minutes. And this can be repeated as many times as you want. So if you have an enterprise where you have a large body of users sitting on their own domains, say you're a private sector company that has a lot of vendors, you can trust each of their domains with the ADFS trust, so that the authentication is handled internally to their system rather than you having to create and manage a completely separate set of user repositories for the users that are using your applications.

Let's talk about who. There are two players in this game. The big guys are using SAML, Security Assertion Markup Language. This is Microsoft and IBM. There are some other players, but Microsoft and IBM pretty much own it, and Microsoft is the only one that actually has a product that's doing anything with it: it's ADFS. I'll tell you what SAML is in just a minute. Outside of SAML there's the field, pretty much everybody else, and most of them are using OpenID, which is another standard managed by OASIS. OpenID and SAML are different, I won't lie to you, but they do the same thing from the perspective of the user.

OpenID is much more trending towards single sign-on than it is to a chain of claims. In fact, the packet you get from OpenID, if you choose to trust them as a trusted third party for identity management, is pretty much just a URI for the user that is unique to that user, the fact that they are authenticated, and maybe their name, and that's it. So it's really up to you to do the actual claim management within your application. OpenID is driven by HTTP rather than XML, so it is really well suited for internet sites, and in fact that's what you see when you go to a blog and the blog at the bottom says, "Hey, click here to sign in with your Twitter account to comment on my blog." What's happening is more or less an OpenID transaction. Now, that could actually be via OAuth, which is a slightly different take on OpenID, but it's basically the same concept.

SAML, on the other hand, is much more driven towards federation than single sign-on, though of course it can do single sign-on, and it is an extremely rich, dense XML format. Very much like everything else Microsoft does, it's very configuration over convention; it's very everything-to-everybody. The standard is hundreds, if not thousands, of pages long, and it's almost impossible to decipher manually. However, what it does provide is a very, very rich privacy model, because everything has a very thick layer of encryption at many different levels. Whereas OpenID depends entirely upon SSL, SAML has many layers of encryption and trust verification built right into the standard.

Now, real quick, on OAuth versus OpenID. I kind of use them interchangeably for the purposes of this talk, but they are different. OpenID is used for single sign-on. It is: sign on to myopenid.com with your URL (mine is sempf.myopenid.com) or Facebook or whatever, and then every site that chooses to trust an OpenID standard will allow you to be authenticated. OAuth is more about sharing. For instance, probably many of you use Twitter, and there are a lot of picture services like TwitPic, and when you go to TwitPic to upload a photo, or you have your phone connect to TwitPic to upload a photo and then show it in your Twitter account, it says, "Hey, I can tweet this for you, but I need Twitter to say it's okay, so sign on to Twitter and tell Twitter that it's okay that I post on your behalf." That is OAuth. OAuth is like giving your son a gift card, whereas OpenID is like giving your son a MasterCard.

All right. Okay, they're getting closer, people. I read on Twitter that somebody made the comment, "The air raids appear to have stopped, but now the machine gun fire is starting." Yeah, that's about right.

So now we know why and who. Goodness gracious. Let's talk about how this is all implemented. So far we've focused on SAML and OpenID, so I'm going to continue in that realm for a little while. ADFS and WIF is excellent for passive clients and service-oriented applications. So we have Alice once again here, who's attempting to access an application in my domain. The application is the thing with default.aspx over here, with a couple of pages inside of it, and it is encased within this pre-processing environment that's handled, actually, largely by IIS, for those of you who are Microsoft people. When Alice tries to go to the application and say, "Hey, let me in," she's stopped at the pre-processing layer, which says, "Hey, give me your claims. Give me your identity. I don't know who you are." Normally, there, my app would have to have a login screen, right? You write a login screen, you accept the username and password, maybe you go check it with a service or something like that, and you come back. She's not even at the app yet. IIS is stopping her and saying, "You don't have any claims," and she says, "Oh, I'm really sorry, let me go get my claims from the secure token server." So she's getting an HTTP redirect, not from our app but from IIS, to the secure token server to get her claims. Either it will pick it up from her Windows identity, if she's logged into a Windows machine, or it will prompt her with a login page where she will put in her credentials, use biometrics, use RADIUS, use her certificates, put in her smart card, whatever needs to be done. All that is handled within the STS, which is the public-facing interface to this whole big identity provider that we already have in place, usually Active Directory, right? There are all these pieces that are already inside there, and instead of remaking them in each application, we're just going to use that. So she gets her claims, she goes back to the application that says... I'm sorry, she goes back to the application hosting environment and says, "Knock knock, here I am," and they say, "Oh, you are Alice and you're a doctor, so here is your page," because I can use the claims that came with her in her SAML packet to make decisions about authorization, too, as well as trusting that she's been authenticated.

The service environment looks very much the same, as you can tell by the fact that the picture practically changed not at all. Most of you probably didn't even realize the slide had changed, and I make that mistake a lot. But there's a key difference. In a service environment we are already presented with the policy via the WSDL, so we know, as a service consumer, that the user will need certain things before we ever start. So the service consumer knows what they're going to need. They go to the STS, they do the same thing, they get their credentials, or the user's credentials come into the application and are once again directed to the proper service. So that's a real high-level look at how ADFS will provide some stuff for you.

And now I'm going to make everybody's eyes bleed. How many people in here would actually consider yourselves coders? Oh, awesome, okay. This is extremely tiny and I'm very sorry; I would like to find a way to make it bigger and still have everything in there. But effectively, that top line there, where I go get an IClaimsIdentity, that is the authorization step for this entire application, because the user is already authorized. I did not write a login page. I did not go check their identity, because I don't need to. Either their claim list is in that object or it is not, and if it is, they are allowed in, and if they are not, then they aren't allowed in, and that is the end of the story. What's more, my little CheckLegal thing here will go and use their birth date, which happens to be in their claims list. Now, their claims list, remember, the required list of claims, was given to them at policy time. If this is a service, that would have been in the WSDL at design time; if this is a passive web application, then it would have been at request time. I gave the policy to them saying, "Hey, your birth date must be in your list of claims." When they go to the STS, they say, "Hand me my birth date," and the STS says, "Yes, I'm allowed to give you that, because I've been preconfigured to do so." Remember, this is Microsoft. And you get it in your list of claims. We can then check it, add 21 to it, make sure that it's less than today, and let them in: you know, you're legal if you are, and you're out of here if you're not. So that is how you do it with WIF.

Let's talk about OpenID real fast. How am I doing on time? Oh, awesome, good. Okay, oops. So OpenID is much simpler, much simpler than WIF is. There's very little infrastructure up front, except for the fact that the user has gotten a persona ID. You see our persona ID server up at the top there, and it's communicated to some identity provider. So the user says, "Hey, I want to use your website," and the website says, "Nope, I've got to redirect you to your identity provider," which I know because you have given me a piece of information, your URL, right, your custom URL like sempf.myopenid.com or whatever. The identity provider says, "Hey, here's a login screen. You've got to give me your password, biometric token, whatever, in order to be authenticated." The user says, "Hey, no problem, here it is," and the identity provider sends a packet back to the website, the relying party, saying, "Okay, this person is legit. Here's the information I have about them," and the website then returns the page that the user initially asked for. Much more straightforward, much less configuration, but it's also much weaker. As you can see in some code here, really all you ever get back is failure, success, setup needed (which means, yeah, this user might have a URL with us, but they've never given us any information about them, so we've never heard of them), or cancel, which means that something happened along the wire somewhere. You don't really get very much back from the OpenID provider. Whereas ADFS has WIF as its API, OpenID has a whole range of APIs; it's simple enough that people are just building them. This is using one called ruby-openid; it's on GitHub, and there are bunches of them out there, but basically all of them deal with exactly the same thing. There's not much coming back from OpenID except for the fact that the user is authenticated.

But what didn't we have to do in any of these cases? We didn't have to decrypt the packets, we didn't have to decrypt the URI, we didn't have to go through all this rigmarole, we didn't have to parse the SAML, we didn't have to do anything fancy to get the collection of claims, because it's been handled for us. Since it's a standard, we can have a common API that all our applications can use no matter which platform you're using, and you take so much weight out of the application developer's hands and the system administrator's hands to not have to deal with that anymore.

So let's talk about what-ifs for a few minutes. There are obviously a lot of pluses to distributed identity management. The apps don't have to handle their own login, the systems don't have to maintain a user repository any longer, the user owns their own identity, effectively, trusted parties own the authentication of the user, and everything is encrypted, right? But there are still things that can go wrong, and everyone here is very familiar with risk assessment. Well, this is the other side of the coin.

Anything encrypted is subject to a timing attack, and there hasn't been much in the way of timing attacks being used over the Internet, because the Internet is too untrustworthy as far as the speed is concerned. But this year at DEF CON, and probably at Black Hat too, a couple of guys whose names I still didn't put in my speaker notes (I'm sorry, I really need to do that and give them credit) have proved that you can find surprisingly small timing differences visible from the Internet, or from remote attack stations in general: sub-40-nanosecond numbers via the Internet and sub... or, I'm sorry, 40-nanosecond numbers via the LAN and 25-microsecond numbers via the Internet. So the old encryption attack, where you take a SAML token and throw it at a server, and then change the first character and throw it again, and change the first character and throw it again, and try to discern when the server takes a little bit slower to respond, that little bit slower because they decrypted the first character and tried to work on the second character. More or less. That's an oversimplification, but more or less that's good enough for the purpose of this talk. Because so many applications are written in scripting languages these days, the applications are a little bit slower to respond in general, and we can get much greater responses back, so the encryption itself is a little bit more untrustworthy than it used to be, and that is a risk, potentially, especially if you're trusting via ADFS trusting partners that maybe you wouldn't really trust that much, if you know what I mean.

Realm misinterpretation is a big problem for OpenID. What I mean by realm misinterpretation is the old phishing attack, where instead of ebay.com it's ebay.some-evil-domain-in-russia.com, and the user goes, "Oh, it's from eBay. This should be fine. Click." The same thing can be true of OpenID. The relying party can... I'm sorry, the identity provider can fool the user into logging in with their credentials by intercepting... okay, let me back that up just a second, sorry about that. The identifying server can be intercepted, a man-in-the-middle attack, and the user can be fooled into logging in to a site that isn't their actual identity provider, just like fake Facebook pages or anything else where they're collecting usernames and passwords. Anything OpenID-related is susceptible to that attack, because users just don't look at the URLs. They just don't look very carefully. So that's very much a risk as well.

And finally, identity providers can just fail. They can fail to service the request. If you're internal on a domain, your STS can go down, and if your STS goes down, every application stops working, everyone, because they're all dependent on the STS to distribute the claims, right? If your internet application requires Twitter and Twitter gets busy, you get a whole lot of fail whale, right? Identity providers can fail to protect the identities. You can choose to trust an identity provider that gets hacked and gets their database downloaded, and somebody rainbow-tables their users and ends up with a bunch of identities, and that can still happen. Now, presumably, because the identity providers we're choosing, especially in the OpenID space, are big, they're big enough to be very visible and they won't make those mistakes, but we all know that that's not really how it works in the real world; that whole too-big-to-fail concept. And also, identity providers can fail to keep the doors open. They can just go away, for that matter. Microsoft can just decide that ADFS isn't worth the risk and get rid of it, and when that happens you have a whole lot of rework to do, whereas if you're maintaining all of your own identities you wouldn't. So there are three risks to take into consideration, and I'm sure you all can come up with more that we can do in the hallway track later on.

So what do you do? Well, generally speaking, my take is this when I'm advising clients: you need to do a risk assessment. If you're in an extremely high security environment on the internet, you don't want to be accepting Gmail as authentication. You just don't. You want to maintain control over the identities. The pharmacy compounding board requires users to have a user certificate and manages it internally, and that's that, and for them that's a good idea, because you don't want anybody to be able to go in and find out how to mix certain drugs. That's a bad thing. If you're building something, especially social, look at OpenID. It's very powerful, and people who use OpenID, for instance just on their blogs, see a much greater conversation, a much richer conversation, in their comments, because users can just log in with their Twitter, Gmail, or Facebook accounts instead of having to create an account with you and, you know, authenticate that way and then have another password to remember. Internally, in an enterprise space, federation is a really, really strong contender if you have a distributed identification system anyway. My classic example is always the Department of Health, the state of Ohio, where I've done a lot of work, and all of their people, the many
many organizations that they do business with all of those people have identities in each of the apps that the Department of Health provides and it's a real problem um because honestly some of those apps are 15 years old and are subject to SQL injection and and and other attacks um uh cross-site scripting attacks and such as that especially the early JavaScript ones if you remove the login pages from all those applications that's one less thing you have to worry about and one less identity that all those users has to manage so while Federation is not a Panacea it really does have a place in a lot of applications you have to trust somebody else and the whole chain is
only as weak as only as strong as its weakest link but um and you're taking the identities potentially out of your own control which some of you may not like but the benefits it brings from the user perspective and from the management perspective are very very strong so here's some of the references I ran a little short I'm sorry but that's okay we'll have more time to drink coffee right um i r um the um here's the references that I largely used um if you are interested in further learning about adfs and whiff uh especially for the microsof is among you um programming windows it Foundation is an awesome awesome book uh it has a
whole range of um uh background information and much much of the philosophical parts of this talk were were kind of gleaned from from Victorio's wisdom and I I recommend you read it at least the first half um there's also a really great white paper out there that that that Keith and sesha did uh called um Microsoft identity Foundation white paper for developers open id.org has a very rich documentation section if you if you're a public internet guy go go just go surf their site for a while it's its eye opening um and Wikipedia surprisingly has a really really rich and extremely accurate um identity management section in general that covers a whole range of topics if if it's something that you end
up finding yourself faced with that maybe you haven't faced with before you can actually get an education from Wikipedia which is not something I normally say but in this in this case it it really I I verified a tremendous amount of stuff and it's it's really very rich we'll fix that by tonight yeah awesome awesome so questions I have two questions who the heck am I there's my Vital Statistics if anybody's interested to poke fun at me on Twitter or anything like that and uh if in case anybody slept through the entire thing we were talking about identity management and uh we were talking about using distributed identity management over discretionary and that is uh so those
are my two questions and I got some answers so if any of you have questions you can ask them for the group or you can grab me afterwards I'll be hanging around for a while I'll be here through lunch and like that but that's that's the beginning the end of it thank you very much for allowing me uh to to questions for Bill do this thing all right go see him in the hallway track indeed thanks a lot Bill thank you very much ladies