Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

Civil Registration and Vital Statistics (CRVS)

Today’s acronym is CRVS, and its importance in Africa.

But let’s define the acronym first: Civil Registration and Vital Statistics. From the World Health Organization:

“In most countries, a civil registration system is used to record statistics on vital events, such as births, deaths, marriages, divorces and fetal deaths. This government administrative system creates a permanent record of each event.”

Note the phrase “in most countries.” And even in some countries with CRVS systems, they may not be (in WHO’s words) “well-functioning.”

Which is why this year’s ID4Africa Annual Meeting (May 12-15) will spend significant time on CRVS as it pertains to legal identity. Here’s the first session in “Track 4,” moderated by UNICEF and the World Bank:

“This session launches the examination of CRVS–ID integration as both a critical governance reform and a strategic opportunity for African countries at all stages of identity system maturity. While civil registration and national ID systems are foundational to legal identity and effective service delivery, they have too often evolved in silos—resulting in fragmentation, inefficiencies, exclusion, and lost value from public investments. Drawing on country experiences from across the continent, the session explores why coherent CRVS–ID integration is essential, what integration pathways are available, and how institutional, legal, and technical choices shape outcomes. Part I features countries that have already undertaken top-down integration reforms, sharing lessons learned and benefits realized. Part II turns to countries still assessing policy options, examining the risks of continued fragmentation, the opportunities offered by integration, and the practical trade-offs involved in moving forward.”

Several additional sessions follow.

Identity has been an issue for years, as I described in a 2021 post about the European Union Digital COVID Certificate (EUDCC). Yeah, way back then.

“Assume for the moment that you have received an EU-authorized vaccine. This is only part of the battle, because the act of vaccination has to be tied to you as a person.

“And [Dr. Joseph] Atick notes one complicating factor in making that link:

“‘One of the biggest barriers to setting up these systems—and one that could greatly complicate digital health certificates – involves traceability, which for an official digital ID means documenting one’s birth event.

“‘In Africa, not everyone has a birth certificate, and many struggle to trace their identity to the birth event.’

“If you cannot prove to the satisfaction of the European Union (or whoever) that you were the actual person who received a vaccine, then you may face barriers to entering Europe (or wherever).”

This not only affects travel, but benefits, banking, and everything else that I in the United States take for granted.

Two Footballs, Two Biscuits, Two Presidents: A Cybersecurity Nightmare.

Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.

Google Gemini.

I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.

But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.

Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.

If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.

  • It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
  • And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
Grok.

And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?

Bash Script Vulnerabilities

I can’t say WHY I’m looking at bash script vulnerabilities, but they’ve been around since…well, this Kaspersky article is based upon CVE-2014-6271.

“The “bash bug,” also known as the Shellshock vulnerability, poses a serious threat to all users. The threat exploits the Bash system software common in Linux and Mac OS X systems in order to allow attackers to potentially take control of electronic devices. An attacker can simply execute system level commands, with the same privileges as the affected services….

“But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.”

An authorization nightmare as a hostile non-person entity runs amok.

And it’s still a threat, as two recent CVEs attest…and that’s all I’ll say.
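As an added illustration (not from the Kaspersky article or from this post): the CGI mechanism quoted above means request header values such as User-Agent and Referer are copied into the script’s environment, so the defender’s signal is a header value that opens like a bash function definition, “() {”. The Python below scans a few constructed Combined Log Format lines for that marker; the sample log lines, addresses and the harmless echo payload are all constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: four Combined Log Format lines. Line 2 carries the marker in
# the User-Agent field, line 3 in the Referer field, line 4 has a bare "()" that
# must not match. Addresses are documentation ranges; the payload is a harmless echo.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Sep/2014:10:15:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Sep/2014:10:15:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-test"
203.0.113.12 - - [24/Sep/2014:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :;}; echo shellshock-test" "curl/7.37.0"
203.0.113.13 - - [24/Sep/2014:10:15:04 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) ()"
"""

# A vulnerable bash imports any environment variable whose value begins with a
# function definition; the opening "() {" (spacing varies) is the detection marker.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_shellshock_probe(value: str) -> bool:
    """True if a header value looks like a bash function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Names of request headers whose values would reach a CGI script as a
    function-shaped environment variable."""
    return [name for name, value in headers.items() if is_shellshock_probe(value)]


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, offending field, request line) for each log entry whose
    Referer or User-Agent field carries the marker. Unparseable lines are skipped."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("referer", "ua"):
            if is_shellshock_probe(m.group(field)):
                hits.append((m.group("ip"), field, m.group("req")))
    return hits


if __name__ == "__main__":
    for ip, field, req in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} sent a function-shaped {field} with request {req!r}")
```

Detection like this is a complement to patching, not a substitute: the marker is cheap to match at a proxy or in log review, but the defect being probed for lives in bash, and only an updated bash removes it.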

Nobot Policies Hurt Your Company and Your Product

If your security software enforces a “no bots” policy, you’re only hurting yourself.

Bad bots

Yes, there are some bots you want to keep out.

“Scrapers” that obtain your proprietary data without your consent.

“Ad clickers” from your competitors that drain your budgets.

And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).

Good bots

But there are some bots you want to welcome with open arms.

Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.

Buybots

And what about the buybots—those AI agents designed to make legitimate purchases? 

Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase. 

Do you want to keep legitimate buyers from buying just because they’re non-human identities?

(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)

Nobots 

According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”

Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.
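An added example (not code from this post or from any vendor named in it) of what “able to allow good bots” can look like in practice: instead of a blanket “no bots” rule, a request is classified by what can be verified about it. An indexer that claims to be a search-engine crawler is checked with forward-confirmed reverse DNS (the lookup method search engines themselves document; the Googlebot hostname suffixes are assumed configuration), a buybot presents a credential delegated by the human it acts for, and everything else gets ordinary rate limiting. The DNS tables, addresses and delegation tokens are constructed stand-ins for real lookups and real issued credentials.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNS tables standing in for real lookups (socket.gethostbyaddr and
# socket.getaddrinfo in production). Addresses are documentation ranges.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # genuine crawler host (constructed)
    "198.51.100.7": "crawl-192-0-2-10.googlebot.com",  # forged PTR record on a scraper's IP
    "203.0.113.5": "agent-host.example.net",
}
FAKE_A: Dict[str, List[str]] = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "agent-host.example.net": ["203.0.113.5"],
}

# Assumed configuration: crawlers we want indexing us, with the DNS suffixes their
# hosts must resolve under. The suffixes are Googlebot's published ones.
CRAWLER_DOMAINS: Dict[str, Tuple[str, ...]] = {"Googlebot": ("googlebot.com", "google.com")}

# Constructed: bearer tokens a customer issued to their own purchasing agent, mapped
# to the delegating human. A real deployment would use OAuth-style delegated
# credentials; the point is that the agent inherits a human's authorization.
DELEGATED_AGENT_TOKENS: Dict[str, str] = {"agt-token-constructed-1": "alice"}


@dataclass
class Request:
    ip: str
    user_agent: str
    headers: Dict[str, str] = field(default_factory=dict)


def forward_confirmed_rdns(ip: str, domains: Tuple[str, ...],
                           ptr: Dict[str, str] = FAKE_PTR,
                           a: Dict[str, List[str]] = FAKE_A) -> bool:
    """True only if ip -> hostname -> ip round-trips and the hostname sits under an
    allowed suffix. A forged PTR record fails the forward step."""
    host = ptr.get(ip)
    if host is None:
        return False
    if not any(host == d or host.endswith("." + d) for d in domains):
        return False
    return ip in a.get(host, [])


def claimed_crawler(user_agent: str) -> Optional[str]:
    """Which known crawler, if any, the User-Agent string claims to be."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name.lower() in ua:
            return name
    return None


def decide(req: Request) -> Tuple[str, str]:
    """Return (decision, reason). Verified indexers and delegated agents are allowed;
    a crawler claim that DNS cannot confirm is a scraper wearing a costume."""
    crawler = claimed_crawler(req.user_agent)
    if crawler is not None:
        if forward_confirmed_rdns(req.ip, CRAWLER_DOMAINS[crawler]):
            return "allow", f"verified {crawler}"
        return "deny", f"{crawler} claim not confirmed by DNS"
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        principal = DELEGATED_AGENT_TOKENS.get(auth[len("Bearer "):])
        if principal is not None:
            return "allow", f"agent acting for {principal}"
        return "deny", "unknown agent token"
    return "allow", "ordinary client; standard rate limits apply"


if __name__ == "__main__":
    for r in (
        Request("192.0.2.10", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
        Request("198.51.100.7", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
        Request("203.0.113.5", "buybot/1.0", {"Authorization": "Bearer agt-token-constructed-1"}),
    ):
        print(r.ip, decide(r))
```

The User-Agent string is never trusted on its own: it selects which verification to run, and the verification (DNS round-trip or a credential you issued) is what grants access. That is the difference between a nobot policy and an authorization policy.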

Who or What Requires Authorization?

There are many definitions of authorization, but the one in RFC 4949 has the benefit of brevity.

“An approval that is granted to a system entity to access a system resource.”

Non-person Entities Require Authorization

Note that it uses the word “entity.” It does NOT use the word “person.” Because the entity requiring authorization may be a non-person entity.

I made this point in a previous post about attribute-based access control (ABAC), when I quoted from the 2014 version of NIST Special Publication 800-162. Incidentally, if you wonder why I use the acronym NPE (non-person entity) rather than the acronym NHI (non-human identity), this is why.

“A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.”

If you have a process to authorize people, but don’t have a process to authorize bots, you have a problem. Matthew Romero, formerly of Veza, has written about the lack of authorization for non-human identities.

“Unlike human users, NHIs operate without direct oversight or interactive authentication. Some run continuously, using static credentials without safeguards like multi-factor authentication (MFA). Because most NHIs are assigned elevated permissions automatically, they’re often more vulnerable than human accounts—and more attractive targets for attackers. 

“When organizations fail to monitor or decommission them, however, these identities can linger unnoticed, creating easy entry points for cyber threats.”

Veza recommends that people use a product that monitors authorizations for both human and non-human identities. And by the most amazing coincidence, Veza offers such a product.

People Require Authorization

And of course people require authorization also. They need authorization:

It’s not enough to identify or authenticate a person or NPE. Once that is done, you need to confirm that this particular person has the authorization to…launch a nuclear bomb. Or whatever.
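An added example, not code from this post, NIST, or Veza, tying together the two points above: the SP 800-162 idea that a subject is “a human user or NPE” with attributes, and Romero’s warning about NHIs that run on static credentials, hold elevated permissions and linger undecommissioned. The Python below makes an ABAC decision purely on attributes (a human needs MFA; an NPE, which cannot do MFA, needs an accountable owner and a recently rotated credential), then runs the monitoring pass that finds lingering NPEs. The subjects, dates and the 90-day rotation and 60-day staleness thresholds are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

TODAY = date(2025, 11, 20)  # fixed clock so the results are deterministic


@dataclass
class Subject:
    """A human user or NPE; per SP 800-162 both are subjects carrying attributes."""
    name: str
    kind: str                          # "human" or "npe"
    roles: Set[str] = field(default_factory=set)
    mfa: bool = False                  # interactive factor; NPEs normally have none
    owner: Optional[str] = None        # accountable human for an NPE
    credential_issued: Optional[date] = None
    last_used: Optional[date] = None


# Constructed object with its own attributes
PROD_DEPLOY = {"name": "prod-deploy", "required_role": "admin", "actions": {"deploy", "read"}}


def can_access(subject: Subject, resource: Dict, action: str,
               today: date = TODAY, rotation_days: int = 90) -> bool:
    """ABAC decision: attributes decide. Being human or NPE only changes which
    attributes must hold, it never bypasses the decision."""
    if action not in resource["actions"] or resource["required_role"] not in subject.roles:
        return False
    if subject.kind == "human":
        return subject.mfa
    # NPE path: no MFA is possible, so demand an owner and a credential rotated within policy
    return (subject.owner is not None
            and subject.credential_issued is not None
            and (today - subject.credential_issued).days <= rotation_days)


def review_npes(subjects: List[Subject], today: date = TODAY,
                rotation_days: int = 90, stale_days: int = 60) -> Dict[str, List[str]]:
    """The monitoring and decommissioning pass: flag NPEs that would otherwise linger."""
    findings: Dict[str, List[str]] = {}
    for s in subjects:
        if s.kind != "npe":
            continue
        issues: List[str] = []
        if s.owner is None:
            issues.append("no accountable owner")
        if s.credential_issued is None or (today - s.credential_issued).days > rotation_days:
            issues.append("static credential overdue for rotation")
        if s.last_used is None or (today - s.last_used).days > stale_days:
            issues.append("unused; candidate for decommissioning")
        if issues and "admin" in s.roles:
            issues.append("holds elevated permissions")
        if issues:
            findings[s.name] = issues
    return findings


# Constructed inventory: two humans and two NPEs
INVENTORY = [
    Subject("alice", "human", {"admin"}, mfa=True),
    Subject("bob", "human", {"admin"}, mfa=False),
    Subject("ci-deployer", "npe", {"admin"}, owner="alice",
            credential_issued=date(2025, 10, 1), last_used=date(2025, 11, 19)),
    Subject("legacy-report-bot", "npe", {"reader"}, owner=None,
            credential_issued=date(2024, 1, 15), last_used=date(2025, 3, 1)),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s.name, "may deploy:", can_access(s, PROD_DEPLOY, "deploy"))
    print(review_npes(INVENTORY))
```

Note that the same function authorizes alice and the ci-deployer, and refuses bob (no second factor) and the report bot (wrong role). The review pass is where the “process to authorize bots” the post calls for actually lives: an NPE with no owner, a stale credential and no recent use is exactly the entry point the quoted text warns about.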

Your Customers Require Information on Your Authorization Solution

If your company offers an authorization solution, and you need Bredemarket’s content, proposal, or analysis consulting help, talk to me.

Non-citizen REAL ID Expiration Dates Calculated Incorrectly in California

Remember my post that noted an error in Slashdot and Reason reporting about REAL IDs for non-citizens?

No, you don’t have to be a citizen to get a REAL ID.

But your REAL ID is tied to your authorization to be in the United States, and expires on the same date as your authorization to be here.

Well, that’s how it’s supposed to work.

In California, the date calculations (based upon 2006 legacy code) were screwed up for 300,000 legal residents.

“The error overrode the correct expiration date, which should have matched the end of the cardholder’s authorized stay in the United States. Under federal rules, immigrants with legal status — including permanent residents, green card holders and visa holders — are eligible for REAL IDs, but the cards’ expiration dates must align with the length of their authorized stay.”

Except when they don’t.

And for those who believe that granting REAL IDs to non-citizens is an example of California breaking the law:

  1. The DHS approved California’s REAL IDs in April 2019 under President Trump.
  2. Check reliably red South Dakota’s REAL ID requirements.

“If you’re not a U.S. citizen, you must apply in person at a state driver exam station and provide a U.S. Citizenship and Immigration document proving your lawful status in the U.S.”

Biscuit-based Identity Authentication and Authorization

Some of us authenticate ourselves to unlock our smartphones. Others authenticate to access confidential corporate information. A few authenticate to wield the power to annihilate the world.

The football and the biscuit

In the United States, the President (Commander-in-Chief) has a “biscuit.”

Google Gemini.

“The nuclear biscuit is a card with authentication codes that acts as the President’s personal key to unlocking America’s nuclear arsenal.

“The biscuit acts a lot like a two-factor authentication device or app. Its codes are updated regularly, and it works in connection with the nuclear football to verify the President’s identity. Without the biscuit, the President can’t order a nuclear strike, even if they have the football itself.”

Factors of authentication

Here are the three authentication factors that the biscuit reportedly uses.

“Something you have is quite an obvious one, you needed to have the actual Biscuit and the codes within. 

“Something you know is when you opened the Biscuit. It had many codes printed on the cards and all were false apart from one. The President would have been told the position of the real code when he first took office. He would also be told each time the Biscuit was changed. 

“For something you are, the phone line the President would need to contact has no number. It can only be contacted via a secure military phone. This phone would be handed to the President by one of his security team who would obviously not hand this phone to anyone but the President.”

Now you can argue that the phone line is not a TRUE something you are factor. A devious security team member could hand the phone to someone who SOUNDS like the President.

And there’s another complication.

Passing the football

Let’s say that a President is away from Washington. Say, at a school in Florida.

And all of a sudden attacks are launched in multiple U.S. cities.

What if an attack were launched in Florida, incapacitating the President, either temporarily or permanently?

In such an attack, the country and the world cannot afford to wait for hours for the football to be flown to wherever Richard Cheney is. 

U.S. National Archives.

The solution? Two footballs (at least).

“Believing that the vice president should be a partner in national security policymaking, President Jimmy Carter assigned a football to Vice President Walter Mondale and this became the practice for future U.S. administrations.”

Outside the U.S., Russia has a similar system called the “Cheget,” and other nuclear countries presumably have similar procedures to authenticate the person or persons authorized to launch nuclear weapons.

Your football and biscuit

If you are an identity vendor or customer, you may have your own authentication and authorization procedures. While a breach of your procedures won’t result in the annihilation of civilization, it could create its own damage.

Do you need help describing the security of your identity solution?

Talk to Bredemarket.

A Frost Radar for the Bots

There appears to be a Frost Radar for everything…including non-person entities, or NPEs (a/k/a non-human identities, or NHIs).

And Descope is talking about the NHI Frost Radar.

“Los Altos, CA, November 13, 2025 – Descope, the drag & drop external IAM platform, today announced that it has been recognized as a Leader in the 2025 Frost Radar™ for Non-Human Identity (NHI) Solutions, further validating Descope’s fast growth and innovation in the agentic identity space.”

The product that Frost & Sullivan recognized is Descope’s Agentic Identity Hub:

“…an industry-first platform that helps organizations solve authentication and authorization challenges for AI agents, systems, and workflows. Notable additions include providing apps an easy way to become agent-ready while requiring user consent, providing agents a scalable way to connect with 50+ third-party tools and enterprise systems, and helping developers using the Model Context Protocol (MCP) protect their remote MCP servers with purpose-built authorization APIs and SDKs.”

So how does the Frost Radar work?

“The Frost Radar™ is a robust analytical tool that allows us to evaluate companies across two key indices: their focus on continuous innovation and their ability to translate their innovations into consistent growth.”

It uses four classifications.

Frost classification          | What it means                                | What it REALLY means
Growth and Innovation Leaders | High innovation (Y axis) and growth (X axis) | Good
Innovation Leaders            | High innovation                              | Stagnant growth
Growth Leaders                | High growth                                  | Stagnant innovation
Challengers                   | Low growth and innovation                    | Stagnant everything

So a “Leader” could lead in some things, but not in others.

Even Descope’s announcement includes a Frost Radar picture that indicates that Descope may be a leader, but others (such as Saviynt and Veza) may be more leaderly.

But I guess it’s better to be some sort of “leader,” or even a “challenger,” than to not be recognized at all.

Google Gemini.

HP Instant Ink Users and Identity: 1:1 Person-to-NPE Binding Isn’t Always Enough

How many people should use a SaaS service? If your answer is “only one,” you don’t need to read this post.

Last month I discussed a particular use case in which AI-based non-person entities (NPEs) were bound to the identities of carbon-based life forms. My post “Identity-Bound Non-Person Entities” reviewed the partnership between Anonybit and SmartUp. 

This binding doesn’t need artificial intelligence to work. The NPE may be something as simple as a service.

But how many people can be bound to an NPE?

A company and its service

There is a very large technology company; I won’t reveal the company name, but its initials are HP. And this very large company provides a service; I won’t reveal the service name, but it instantly provides ink for the company’s printers…

Never mind. It turns out that I already discussed HP Instant Ink (Ink as a Service) in the Bredemarket blog before. Plus, the company providing IaaS is no longer known as “the Hewlett-Packard Company,” but as “HP Inc.” So much for my attempts at obfuscation.

The 1:1 binding between me and Instant Ink

Anyway, we did sign up for Instant Ink when we purchased a new printer. Specifically, my HP account was registered as the owner of our Instant Ink account.

(Those of you with a keen eye can already see where this is going.)

As part of the Instant Ink service that we purchased, I can obtain two things:

1. The status of Instant Ink shipments to us

Not that these shipments are all that fast. 

So far we have encountered two instances in which we ran out of ink before the new Instant Ink shipment arrived. 

And when you put a regular ink cartridge into the printer while waiting for the Instant Ink shipment, HP sends a nasty gram stating that I put the wrong ink in the printer, and to put Instant Ink in the printer right now. 

Um, my Instant Ink is in Pennsylvania, and it will take 10 days to reach California. What am I supposed to do, fly to Pennsylvania and get it?

2. HP support

For our printer, I can obtain support from HP. I will have more to say about HP support later.

First person…or people

Do all of you see the issue now? If not, let me spell it out.

I am married, and my wife and I bought the printer together. But she has no access to shipment tracking or support; only I do.

Actually, I must confess that I gave her my HP login and password. So she has access to the shipment tracking information. But since her name is not John, we assumed that HP would never talk to her about the Instant Ink service that we purchased.

There is something in the (so-called) HP Smart App that allows me to “invite” someone to the printer. But when I tried to “invite” my wife, HP briefly flashed a message saying that I could not invite my wife because she already had an HP personal account.

I need support

By this time I had piled up 3 support requests for HP:

  1. How can I get new Instant Ink before my old Instant Ink runs out?
  2. How can my wife see information on our Instant Ink service?
  3. Plus there’s a third one regarding multiple HP accounts that I won’t get into here.

I decided to tackle the second support request first. So I found the support page, started a chat, and got a ticket number.

The first support chat

I was routed to a printer specialist, who informed me that they couldn’t help me and routed me to an Instant Ink specialist.

The Instant Ink person asked for the error code that appeared when I tried to “invite” my wife. I explained that I didn’t know because it disappeared so quickly.

So I tried to invite my wife again, pointing my smartphone camera at the laptop screen so that I could take a picture of the error code the…um…instant that it appeared.

I successfully took the picture, and there was no error code. Just a message saying that I couldn’t invite my wife because she already had an HP personal account. And to contact support.

The Instant Ink specialist instructed me to click on a link, then closed the support ticket.

I clicked on the link…and was asked to create a new support ticket.

The second support chat

I was routed to a printer specialist, who informed me that they couldn’t help me and routed me to an Instant Ink specialist.

(Yes, there’s a lot of repetition in this post.)

By this time I tried to boil my request down to a simple question: how can my wife see Instant Ink shipment status and request support on her own?

The Instant Ink specialist went quiet for a while, and finally—over an hour after I started the initial support chat—provided the solution to my problem.

Give my wife my HP login and password. And sure, she’ll have no problem contacting support, even though I’m the named user.

Suffice it to say that I was not pleased.

A systemic problem

But to be fair, none of the 4 support people I talked to could have solved my problem.

Because HP has made the underlying assumption that its Instant Ink service can only be managed by one person, not two.

And HP is not alone in this. There are multiple services that assume single person management. This affects married couples often, where one spouse is the named user for a service but knows nothing about it because spouse 2 handles it.

This results in a number of conversations like this:

SERVICE: John?

WIFE: No, this is his wife.

SERVICE: I need John’s authorization to continue.

WIFE: (carries phone to me in the Bredemarket world headquarters) Amazing and wonderful husband, could you authorize me to discuss our account?

(Some portions of this conversation may have been fictionalized.)

ME: Hello, this is John.

SERVICE: John, what is your date of birth?

This is not a technology issue, but an organizational issue. Except where laws (such as HIPAA) regulate this, an organization should allow multiple people to be assigned to a service or other NPE.

It would make my—I mean our lives easier.