Swim-lane visualization of security protocols

Reacting to this report about a flaw in the single sign-on protocol for Google Apps (via ZDNet and heise Security), Kim Cameron writes:

As an industry we shouldn’t be making the kinds of mistakes we made 15 or 20 years ago. There must be better processes in place. I hope we’ll get to the point where we are all using vetted software frameworks so this kind of do-it-yourself brain surgery doesn’t happen.

The “brain surgery” Kim refers to here was the omission of a unique ID that’s supposed to be cryptographically bound into a SAML assertion, so that the party relying on the assertion knows it was “freshly minted in response to its needs”.

It would certainly be useful to standardize on a relatively small set of frameworks that have been vetted, as Kim suggests, and are believed to implement these tricky protocols accurately and reliably.

I can imagine taking things a step further, exposing the test suites for these frameworks so that any implementation can be explored interactively and probed automatically. Given the complex dance of machine-to-machine, machine-to-human, and sometimes human-to-human interaction that occurs when a security protocol is enacted, I’m reminded of Ward Cunningham’s swim-lane visualizations. The idea is that anyone can run business-logic tests on demand, visualize the resulting flow of interaction, and verify the outcomes. Ward’s vision didn’t garner nearly the interest I expected when I first wrote it up (and then followed with a podcast). But like so many of his brainstorms, I think his approach to implementing Brian Marick’s notion of Visible Workings is revolutionary.

Evaluating an implementation of a security protocol is a job that requires expert brainpower assisted by all the automated tooling it can marshal. But security protocols are also forms of business logic that can, and should, be transparent and understandable to everyone — at least at some useful level of description. In Ward’s world, when you’re ready to submit your credentials to a login authority, you could hit an Explore button and land in a swim-lane visualization driven by the actual tests used to validate the implementation of the protocol you’re enacting. I’d like to live in that world.
