17 May 2007

IFIP Sec 2007

I normally describe IFIP as the European version of the ACM, which is unfair, because it is a lot more international. However, the participants of IFIP conferences tend to be more European-centric than US-centric. This year, South Africa hosted the 22nd IFIP Security Conference (the 2nd time in South Africa), at the Sandton ICC.

I suppose the organisation of the conference was not bad, except that the Sandton ICC venue was too large for the number of delegates. I think it would have been far better if the venue had been the Balalaika Hotel, as per the Information Security SA conferences of the last two years. Another gripe, mainly associated with the venue, was the lack of free WiFi access during the conference - come on, a computer conference without WiFi?

There was a distinct lack of local students at the conference - yes, it is marginally more expensive than ISSA was last year, but it is still cheaper than SATNAC, and the value of this conference far outstrips that of ISSA and SATNAC put together.

Day 1
Judge Mervyn King delivered the opening plenary talk, and it was the only really general talk of the entire conference, focusing on management and risk overall, rather than specifically on IT. That said, his talk was quite entertaining and informative.

The first paper I attended was an adaptation of ticket-based authentication through the use of TPM chips. This was effectively an advance on my own ISSA paper from last year, which looked at the advantages of ticket-based authentication systems for DRM, although my paper was focused on a software approach.

The other notable papers discussed identity management, with a specific focus on national government-level identity systems, which was also the focus of a panel discussion. I think it all boils down to two things: one, governments need some sort of identity system to provide services to their population in a cost-effective manner; two, there are too many features and too many requirements being hoisted on to these systems, limiting their potential success and usage.

Day 2
Prof. Ross Anderson delivered the keynote talk in the morning, focusing on the economics of security, including a discussion on monopolies, buggy Microsoft products and why many large-scale government projects fail (eNatis anyone?). I have heard most of the content before, but it was still a well-presented and well-thought-out presentation.

Most of the talks I attended were on access control, plus one of the privacy sessions (which was where I presented my paper). Of note was the Deutsche Telekom lab talk focusing on role-based extensions to single sign-on. The concepts were great, but their current approach creates a privacy problem where the single sign-on service provider potentially knows too much about the user. A paper earlier in the day, focusing on signing e-learning material (e.g. Moodle), was also interesting, but I think the problems could be solved easily if they used a verifiable digital identity system, like the proposal I outlined in my paper at ACM-DRM last year.

My own presentation went well, and was surprisingly short. At 40 slides, I thought my presentation would be longer than the 20 minutes I did take. There was some good discussion afterwards, always a good indication. The paper before mine, in my session, was interesting, although the presentation was a bit dry (and it was a difficult topic): about signatures that can be used to prove integrity and non-repudiation to a target user, but such a signature would prove nothing to any other user. One problem with the presentation was a lack of a useful example, so here is mine: whistle-blowing. In whistle-blowing, the user (often at risk) can report securely to the monitoring organisation, but the monitoring organisation cannot unveil the whistle-blower without his/her permission.

Day 3
Prof. William Caelli presented the last keynote paper, on the requirement for a newer, updated definition of MAC, or Mandatory Access Control. This is good news, because in my thesis I propose DRM as a new form of access control, and one that could potentially cater for the requirements placed by MAC.

Another soon-to-be PhD graduate, Thierry Sans, presented a paper on a DRM policy administration model, which is similar to my own approach. However, my approach does not follow his approach of re-signing the data at every step of the distribution cycle, as I think that strategy is inefficient, and ultimately unnecessary. Prior to that paper, there was a paper which discussed the potential to use web counters as a means to craft covert communication channels - great idea, but incredibly difficult to follow.

Another interesting paper was a theoretical trust model that looked at the possibility of clustering crowds according to their respective trustworthiness. Interesting, because it provides possibilities for wireless mesh routing (and possibly even other routing solutions).