They say opinions are like noses - everybody's got one. Last week it was SAML. This week it is OAuth 2.0. Although with OAuth, I expect the debate will go on for a while. Securing computer-to-computer APIs over the Internet is an essential requirement for the future. My colleague John Fontana, as usual, has an excellent report on the hubbub about this protocol:
- Group airs dirty laundry as protocol nears completion
"OAuth 2.0 should be finalized this week, but the action is taking place in blogs and comment sections online as three years of work and frustration boil over."
Additional articles in the OAuth debate, plus the rest of the identity news:
- Eran Hammer: OAuth 2.0 and the Road to Hell
"They say the road to hell is paved with good intentions. Well, that's OAuth 2.0. Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing."
[And his follow-up posting: On Leaving OAuth]
- John Bradley: The OAuth 2 Sky is NOT Falling.
"While individuals are important to the specification process, the process itself is a group effort that is not without its ups and downs like any group effort. The reason for the IETF process having chairs and editors with oversight and input from outside a work group is to ensure that a specification is not just a rubber stamp for an individual or company, also so that a specification has the wide support of the community and is not dependent on a single author. I think the process is working well."
- Leif Johansson: The bitter taste of good intentions
"In a recent blog post, Eran explains why he withdrew from the OAUTH WG. Having observed the workings of that particular WG since its inception I thought I'd provide some perspective. To put it briefly: Eran is in part right and completely, totally off base."
- Thomas Scavo, InCommon: Is OAuth2 In Your Future?
"Whether it becomes a protocol or a framework, OAuth2 certainly deserves another look. In fact, I revisit the nascent worlds of OAuth2 and OpenID Connect often, regularly testing the waters and gauging the current state-of-the-art. At this point, AFAICT there's really nothing to latch on to unless you're a bleeding edge developer, researcher, or technology pundit. People whose opinion I respect predict OAuth2 and friends have a very positive future indeed. Personally, I think it's too early to tell, but from the perspective of a federation operator, are there use cases that would benefit from OAuth2 now?"
- InCommon IAMOnline: The Future Of Federated Identity: Or, Whither SAML?
"There is a very interesting IAMOnline this week courtesy of InCommon. If you missed it, I highly recommend checking out the recording: The Future Of Federated Identity: Or, Whither SAML? http://www.incommon.org/iamonline/ The presentation very much mirrored the theme at the Cloud Identity Summit 2012 conference (OpenID Connect, OAuth, SCIM, UMA) this past week."
- HootSuite rolls out single sign-on feature, letting users log-in with company email
"The upshot of all this is that Enterprise team members can now use their company email address to access their HootSuite dashboard. So any corporate network that supports Security Assertion Markup Language (SAML) can extend user-authentication for corporate accounts within HootSuite's social media management dashboard."
- Nishant Kaushik: What the Cloud can do for Identity
"I tried to make my contribution with a little talk entitled "Ask not what Identity can do for the Cloud, Ask what the Cloud can do for Identity." It was part of the track on Cloud Identity Edge Cases that the incomparable Pamela Dingle was moderating. The goal was to go a little more esoteric and explore a little of the cutting edge and future innovations in cloud identity."
- John Fontana, Patrick Harding: OpenID Connect; new kid, new promise for enterprise "platform"
"OpenID Connect is the new kid on the block that desires to do the right thing and live up to high hopes for its success, but it still has some growing up to do. That was the message at the Cloud Identity Summit last week from Patrick Harding, CTO of Ping Identity."
- Nat Sakamura: #cis2012 Cloud Identity Summit 2012
[The Twitter stream from the Cloud Identity Summit.]
- Search Consumerization: Role of enterprise IAM in mobile, cloud, Active Directory
"Ping CTO Patrick Harding had experience with federated identity technologies and was able to provide secure access to cloud apps outside the company's firewall. He recently spoke with SearchConsumerization.com about the increasing role enterprise identity management has as IT navigates the pitfalls of mobile devices, the cloud and Software as a Service (SaaS) apps."
- The Open Group: Understanding the Importance of Identity
"We're proud to announce that the Jericho Forum has created a series of five "Identity Key Concepts" videos to explain the key concepts that we should all understand on the topics of identity, entitlement, and access management in cartoon-style plain language."
- Jericho Forum: Identity Management: Operating with Personas
"In the second installment of The Jericho Forum's five-part series about Identity Management, the "operating with personas" video explains how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable, enduring and unchangeable."
- Mark Dixon: Life Management Platform: APIs for Push and Pull?
"Acting on advice from Dave Kearns, I pinged Martin Kuppinger and Craig Burton to find out if anyone was working to specify such API's. Craig suggested that I take a look at the Evented-API specification written by Sam Curren and Phil Windley, which calls for event generators and consumers to interoperate in a loosely-coupled fashion."
- Doc Searls: Oh god, part N
"Last weekend the cover essay in the Review section of The Wall Street Journal was The Customer as a God, by yours truly. Now that a few days have gone by, and I've done lots of responding in the comments below that piece and elsewhere, I can start looking at some of the responses that have appeared on the Web. Aside from a zillion tweets (mostly approving, and now all scrolling to oblivion -- save, maybe, for Topsy -- having completed their brief dances across the Short Attention Span Theater stage), I find there were (to me) surprisingly few responses in blogs."
- Your Visual Identity: Tim Draper-Backed Vizify Launches An About.me On Steroids
"The new Vizify automatically sucks in data from your social networks to create that unified dossier, meaning that users simply create a profile (which only takes a few minutes) and connect their networks of choice, like Foursquare, LinkedIn, Facebook and Twitter. Boom! Vizify transforms that data into visuals as you continue to connect your networks."
- Technical Challenges of Tagging the Social Web
"With the new Connect.Me, our goal is to help people discover and connect to each other across an exponentially expanding social web. To really make this work well, we had to dive in deep and solve some really big technical challenges. Answering questions like "which designers does my network recommend" is relatively simple when you have a few hundred social connections. But combine all your social graphs from Facebook, Twitter, and LinkedIn (which is over 400k for some of our users!)."
- Standards could turn social networks into trusted ID brokers: NetIQ
"Speaking after the CSO-NetIQ Agile Security breakfast in Melbourne, Ian Yip, Asia-Pacific identity and security product and business manager with security specialist firm NetIQ, said the sheer size of social-networking sites was giving them currency amongst online service providers wanting more readily-available ways to ascertain the identities of online users."
- NSA director finally greets Defcon hackers
"National Security Agency Director Gen. Keith Alexander calls Defcon the "world's best cybersecurity community" and asks for their help."
[Seeing the DIRNSA, the world's most powerful spymaster, in jeans and a t-shirt just sort of makes my mind reel. Spooks are supposed to wear white sheets!]
- Does the NSA have a file on you? Probably
"People who don't like the idea of Google photographing their homes -- and sniffing their wifi- will really hate this: The National Security Agency is compiling huge dockets of information on citizens including email and cell phone conversations, according to former NSA officials."
[Interestingly, in the preceding item, the DIRNSA explicitly claims this is not true.]
- Skype is not helping the feds spy on its users, it says
"In the blog post, Gillett goes point by point to explain Skype's side of the story. Here are some highlights: "
- Why Passwords Are NEVER Enough!
"I had the unfortunate experience of checking into a hospital for surgery recently. This is a transcript of a real conversation at the hospital (I have to say here it was NOT an NHS hospital)."
- John Fontana: Two feet beat one password every time, researchers believe
"Researchers are focusing on the feet to develop a new biometric system that proves identity and can help detect certain diseases."
- Chenxi Wang, Forrester: Deliver The Anywhere, Anytime, Any-Device Promise Safely And Securely
"The Mobile Security & Operations Playbook contains content designed specifically for IT security and operations professionals to address these challenges. The playbook covers four key strategy aspects: 1) Discover: articulate the value of mobile security and operations in business terms; 2) Plan: set the strategy for mobile security operations; 3) Act: execute the strategy; and 4) Optimize: measure and optimize mobile security operations. To see a high level overview of the playbook, download the executive overview report."
- Jeff Hodges: The Death of the Internet?
"The book analyzes the overall problem of criminal activity on the Internet--namely fraud--and its ensuing damage. It then goes on to examine how criminals profit, how the Internet's systems work and fail, and issues in the mobile and physical worlds. It concludes by outlining various solution proposals, examining the crucial role of user experience, and poses a set of guiding questions to ask ourselves as we go forward. The essential premise is that we collectively need to keep fraud under control or we risk losing the open freely generative Internet as we know it."
- Identity at Mozilla: Improvements to the First Time Sign-up Flow
"The Persona team has always been interested in optimizing the user experience for developers and users alike. Some time ago we identified one area where we could improve: the first-time sign-up flow. We've been hard at work making this process as smooth as possible, read on to find out how!"
- Cloud Identity Summit 2012 - Advances in the Cloud
"Thursday, Aug 2, 11 AM ET --Webinar
In this webinar, Ping Identity Evangelist John Fontana will be joined by Ping Identity CTO Patrick Harding and his team of senior technical architects (Pam Dingle, Paul Madsen, John Bradley and Hans Zandbelt) for a Ping Identity CTO Office roundtable discussion on the identity trends and topics coming out of Cloud Identity Summit 2012."
- InCommon: Scalable Privilege and Access Management - IAM Online August 8
"Speaker: Chris Phillips, Technical Architect, Canadian Access Federation (CANARIE) As IT portfolios expand with a plethora of applications and services both old and new, so do the challenges of providing an efficient, effective, and scalable privilege and access management practice. The MACE Privilege and Access Management Working Group has developed a series of recommendations for principles, methods and techniques that you can apply to a broad spectrum of applications - locally operated, federation aware, and cloud-based. Join us to learn about these recommendations and how you can assess scalable privilege and access management practices for your applications."
- Mike Amundsen: Programming in the Cloud
"Quite a bit has been written about how the Cloud is altering the landscape for platform, software and infrastructure providers but not as much has been said about what all this means for developers. I recently decided to find out for myself by going on an "all-cloud diet". In practical terms, this meant I used a sealed netbook or smartphone to do all my work."
- Francois Lascelles, Layer 7: Making Sense of API Access Control - OAuth, OpenID Connect and Token Mechanics
"Chief Architect Francois Lascelles presentation from Gluecon 2012. Are you ready to provide APIs that reach out to mobile applications, APIs that connect your applications to the cloud, APIs that conne..."
- Twitter apologizes, blames data center failures for outage
"Twitter blamed an "infrastructural double-whammy" of two data center failures on the outage that left millions without the micro-blogging service for hours today."
- Nick Huanca: Infrastructure Automation: Logic vs Data
"Here at PingOne's Site Reliability Team we're all about making things easier in complex systems. The more we can automate on the backend, the more time we can focus on easily deploying quality code consistently. When we needed to start automating our infrastructure to be able to deploy to public and private clouds we ended up deciding on Puppet. We're currently using Puppet for our machine configuration management and application deployments, although Chef, CFEngine or any other configuration management tool could satisfy similar requirements. Some of the factors we took under consideration when selecting Puppet were..."
- GSA OGP Announces an Industry Day on Federal Federated Identity Solutions
"Over the past few months, the FCCX Tiger Team has worked on the use cases and the functional requirements necessary for the operation of an identity federation capability that can be integrated with a government agency web application to support and consume a full range of digital credentials such as PIV, PIV-I, and other third party credentials issued under a FICAM-approved Trust Framework Provider. In simple terms, the Federal government is interested in leveraging one or more commercially available cloud service providers to streamline the burden agencies face in trusting and integrating with FICAM-approved credentials."
- NSTIC: Collaborating on Privacy in the Identity Ecosystem: Process and Opportunity
"While privacy is a NSTIC guiding principle, it will not happen on its own. To facilitate the implementation of the guiding principles, NSTIC calls for all stakeholders to come together in a new Identity Ecosystem Steering Group to collaboratively develop the policies and standards that will underpin the Identity Ecosystem."
[Bob Blakley issued a call to action at the Cloud Identity Summit to participate in this. "You have trained for this your whole life. This is your chance to change the future. Don't blow it."]