Surrounded by identerati, I always find it refreshing to be reminded that everybody gets the concepts of identity at a gut level. Elizabeth Lumley is a professional journalist. She writes about her experience trying to establish bank accounts when she first moved to England. Her struggle is humorous, yet thought-provoking.  Know-your-customer (KYC) policies need to evolve to encompass all the reputation information now available via the Internet.

  • Don't you know who I am?!
    “But I was intrigued by the bank-side folks getting so worked up about 'hard identification' and dismissing 'soft and fluffy' identification coming in from the likes of Amazon and Facebook. I'll tell you why.”

There were several other items of interest to the identity community:

  • Wired Opinion: The Perpetual, Invisible Window Into Your Gmail Inbox
    “But since Gmail added OAuth support in March 2010, an increasing number of startups are asking for a perpetual, silent window into your inbox. I’m concerned OAuth, while hugely convenient for both developers and users, may be paving the way for an inevitable privacy meltdown.”
  • Dave Kearns: IAM legacies – bad for your business
    “What it all means is that those of you who should be commended for being the early adopters in the IAM space are, essentially, stuck with a cobbled together system which in many of its facets is no longer supported by its vendor, or may not even have a vendor to support it any longer.”
  • The Importance of Social Sign-On
    “YAN is an even bigger issue when combined with the fact that 88% of online buyers had at some point intentionally left registration information blank or used incorrect information when signing up for a new account, up 12% from 2010. Also, the expectation of consumers for brands to support Social Sign-On has increased significantly as eMarketer and Janrain recently reported that consumer desire for Social Sign-On has increased to 77% of US Online Buyers in 2011.”
  • Farmers know about silos
    “"Break down the silos" is one of the catch cries of modern management practice, and it’s a special rallying call in the Federated Identity movement. Nobody denies that myriad passwords and security devices have become a huge headache, but attempts to solve what is really a technology and human facors challenge, by sharing identities and identity provisioning all too often come unstuck.”
    [Stephen Wilson just doesn’t like identity federation.  Period!]
  • UMA Twitter Chat 8 Feb 2012
    [Eve Maler held a Twitter chat about the UMA protocol using the hashtag #umachat.  It got a lot of interaction.  She promoted the use of TwitterChat before the start of the session as a way to keep the thread together. She then turned the tweet stream into a Storify presentation.  Nice!]
  • Mike Schwartz: School Ring Federation
    “At a high level, this blog is about how xdiCoin and XDI messaging could be used to support OpenID Connect 1.0 multi-party federations.”
  • Phil Wolff: Facebook: More access to your data
    “We are sending you this email to update you on our agreement with the Office of the Data Protection Commissioner of Ireland regarding subject access requests. Following conversation with the Office, Facebook agreed to provide further categories of personal data to its members.”
  • Nat Sakimura: Approve OpenID Connect Implementer’s Drafts!
    “OpenID Connect Implementer’s Draft voting has finally started. We had a technical problem that delayed the start of the voting almost 23 hours, but as promised, we have started it on the Feb. 7, PST![1] So here it goes!”
    [Pamela Dingle wrote about this in her blog, too. “Time to Act!”]
  • Splunk Launches Splunk App for Enterprise Security 2.0
    “Federated Identity Monitoring: Correlation of multiple user identities to identify and investigate user activities across the IT infrastructure”
  • ID provider support now live on BrowserID
    “With our latest update, however, we’re setting aside some of that scaffolding and allowing a fully decentralized system to emerge: Identity providers can become full-fledged participants in BrowserID and directly vouch for their users’ email addresses.”
  • OAuth 2 flow diagrams
    “I’ve developed a set of flow diagrams for the OAuth 2.0 spec, with separate diagrams for the Access Code, Implicit Grant, Resource Owner Password Credentials, and the Client Credentials flows. These were inspired by the diagrams for 1.0 and 1.0a that Idan Gazit posted in, which Justin Richer pointed me to when I first started trying to read and understand the OAuth2.0 spec. I find these types of diagrams to be incredibly useful, so I updated them again to (hopefully) reflect the 2.0 spec.”
  • John Bradley: Designing a Single Sign-on system using OAuth 2.0
    “Having worked on protocols like Info Card for Authentication (Not SSO) to websites is that the lack of access to rich API is what stopped Websites like Tripit from being interested in them. As an aside I think Mozilla's Browser-ID has the same flaw of focusing only on Authentication. It just is not enough any more.”
  • Dealing with rejection. Apple, OpenID and my app!
    “I got some pointers from a tip-top iPhone developer @bendodson, who suggested that even the mere mention of an external site might be grounds for rejection. This does fit the profile. On my login page, I mention the main site in some text. It’s not really a link, but a similar thing, as pointed out to me, happened to Hulu!”
  • Implementing SAML to XACML
    “In order to achieve the security of XACML requests and responses in server to server communication, the SAML profile for XACML is defined by OASIS. This takes the system security to a higher level by allowing the usage of fine-grained authorization provided by XACML to be signed.”
  • Cloudstock at Cloudforce - San Francisco
    “You've heard about the Social Enterprise. Now, join 3,000 developers to start developing your own Social Enterprise apps at Cloudstock, a 1-day cloud developer event running in parallel with Cloudforce on March 15 in San Francisco.”
  • RESTful API Design, Second Edition
    “You can also watch video of this webinar here.”
  • API Terms and Conditions Done Right
    “The most important thing to bear in mind is that your T&Cs are one of the most important parts of your relationship with developers, customers and partners who will be using the API. Mess this up and you may see very low adoption, change them too frequently and you may get developer outrage – see the need for Stephen O’Grady’s post on the need for a Mashup Developer Bill of Rights and YourTrove’s developer pain points survey for example – tread with care!”
  • Apigee Acquires Mobile App API Provider Usergrid
    “Apigee, the leading provider of API management products and services, today announced that it has acquired Usergrid, a cloud service that simplifies the process of building mobile applications by providing the common APIs (application programming interfaces) needed to manage data and users. With this acquisition, Apigee enables enterprises and developers to simplify and scale delivery of the full universe of APIs -- enterprise APIs, public APIs, and now with Usergrid, the core APIs that all mobile applications need.”
  • Anil Saldhana: OpenShift Express Paas always comes to my rescue
    “Enter OpenShift, a PaaS from Red Hat.  I have been running many demos on it for months.  A cheatsheet I have is”
  • Google Wallet Security: PIN Exposure Vulnerability
    “Google was able to recognize that the only way to properly solve this issue would be to move the PIN verification into the SE itself and to no longer store the PIN hash and salt outside the SE. Google was extremely responsive to the issue, but ran into several obstacles preventing them from releasing the fixed app.”
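
Two of the items above, the Wired piece on the "perpetual window" into Gmail and the OAuth 2 flow diagrams, turn on the same mechanics: the authorization code grant hands a website a refresh token that keeps working long after the user has forgotten the consent screen. Here is an added worked example, written for this post rather than taken from any of the linked articles or projects, that walks both sides of the authorization code flow in one process. It has no HTTP, TLS or browser, only the messages; the client name, secret, redirect URI and scope are hypothetical. It also shows the three checks that keep the flow honest (registered redirect_uri, single-use codes, a state value bound to the client's session) and why the only way to shut the window is to revoke the refresh token.

```python
# Added example (not from the original post or any linked project): a toy
# OAuth 2.0 authorization code grant with both parties in one process.
# Names, URIs and scopes are hypothetical; there is no HTTP, TLS or browser.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Authorization endpoint, token endpoint and a revocation hook."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> (client_id, redirect_uri, user, scope, expiry)
        self.refresh = {}   # refresh_token -> (client_id, user, scope)
        self.access = {}    # access_token -> (user, scope, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, query, user):
        """Resource owner `user` has authenticated and consented; issue a code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        _, registered_uri = self.clients[q["client_id"]]
        if q["redirect_uri"] != registered_uri:   # never redirect to an unregistered URI
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], user, q["scope"], time.time() + 60)
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form, client_id, client_secret):
        """Token endpoint; the client authenticates with its secret (HTTP Basic in practice)."""
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        if form["grant_type"] == "authorization_code":
            entry = self.codes.pop(form["code"], None)   # single use: pop, never get
            if entry is None:
                raise PermissionError("unknown or already used code")
            cid, uri, user, scope, expiry = entry
            if cid != client_id or uri != form["redirect_uri"] or time.time() > expiry:
                raise PermissionError("code not valid for this client/redirect_uri")
        elif form["grant_type"] == "refresh_token":
            entry = self.refresh.pop(form["refresh_token"], None)   # rotate on every use
            if entry is None or entry[0] != client_id:
                raise PermissionError("refresh token invalid or revoked")
            _, user, scope = entry
        else:
            raise ValueError("unsupported grant_type")
        return self._issue(client_id, user, scope)

    def _issue(self, client_id, user, scope):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (user, scope, time.time() + 3600)
        self.refresh[refresh] = (client_id, user, scope)   # outlives the access token
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": refresh, "scope": scope}

    def revoke(self, refresh_token):
        """The only thing that closes the 'perpetual window': kill the refresh token."""
        self.refresh.pop(refresh_token, None)


class Client:
    """The relying website; keeps per-session state to detect forged callbacks."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending_states = set()

    def authorization_request(self, scope):
        state = secrets.token_urlsafe(16)   # unguessable, bound to this user's session
        self.pending_states.add(state)
        return urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: possible CSRF / injected code")
        self.pending_states.discard(q["state"])
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri},
                                 self.client_id, self.client_secret)

    def refresh(self, refresh_token):
        return self.server.token({"grant_type": "refresh_token", "refresh_token": refresh_token},
                                 self.client_id, self.client_secret)


def run_flow():
    """Walk the grant once, then probe the failure modes; returns what each step produced."""
    server = AuthorizationServer()
    server.register_client("mailreader", "s3cret", "https://app.example/cb")   # hypothetical
    client = Client("mailreader", "s3cret", "https://app.example/cb", server)
    out = {}
    redirect = server.authorize(client.authorization_request("mail.read"), user="alice")
    out["first"] = client.handle_callback(redirect)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    for key, attempt in (
        # the same code presented a second time, even by the legitimate client
        ("code_reuse_rejected", lambda: server.token({"grant_type": "authorization_code",
            "code": code, "redirect_uri": "https://app.example/cb"}, "mailreader", "s3cret")),
        # an attacker-forged callback carrying a state the client never issued
        ("bad_state_rejected", lambda: client.handle_callback(
            "https://app.example/cb?code=x&state=forged")),
    ):
        try:
            attempt(); out[key] = False
        except PermissionError:
            out[key] = True
    # Long after the access token expires the refresh token still renews access ...
    out["renewed"] = client.refresh(out["first"]["refresh_token"])
    # ... the rotated-out refresh token is dead, and after revocation so is the new one.
    server.revoke(out["renewed"]["refresh_token"])
    for key, tok in (("old_refresh_rejected", out["first"]["refresh_token"]),
                     ("after_revoke_rejected", out["renewed"]["refresh_token"])):
        try:
            client.refresh(tok); out[key] = False
        except PermissionError:
            out[key] = True
    return out


if __name__ == "__main__":
    print(run_flow())
```

The point of the last few lines is the one the Wired piece makes: nothing in the flow itself ends the site's access. Token expiry only forces a refresh, and until the user (or the provider on the user's behalf) revokes the refresh token, the window stays open. Rotating the refresh token on every use, as the toy server does, at least makes a stolen copy detectable, because two parties presenting the same token cannot both succeed.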