@petervan is a world leader in thinking about identity. He is the leader of SWIFT’s Innotribe. Bringing the world’s banks into the future of identity is one of his passions, resulting in the Digital Asset Grid project. At the Cloud Identity Summit last month, his presentation about DAG left the crowd amazed. Below, Peter reflects on the Cloud Identity Summit and one of its hottest topics, the growth of APIs.

  • Peter Vander Auwera: Cambrian Explosion of Everything
    “I believe we are witnessing a similar “Cambrian Explosion of everything” in the information technology evolution of the recent years, and we see a relatively rapid appearance of new “life” forms, new building blocks for the way we do business in this hyper-connected economy. This thought came into my mind when attending recently the Cloud Identity Summit in Vail, Colorado 16-19 July 2012.”
  • Cloud Identity Summit Presentations - 2012
    “Below are links to most of the presentations.  They are alphabetical by presenter's last name.”

There was a lot more happening this week in the world of identity:


  • Nishant Kaushik: So is Windows Azure AD a Provisioning Engine?
    “Before I left for the Cloud Identity Summit, I had tweeted that one of my goals at CIS would be to dive into this topic. And John Shewchuk was kind enough to seek me out (thanks John Fontana) and grant me some insight into the vision for how they expect Azure AD (he does not like the acronym WAAD!) to address that aspect of identity management in the cloud. It was a very good discussion, and I hope I do it justice here (but I'll rely on John, Kim and others to keep me honest).”
  • Eran Hammer: On Leaving OAuth
    “I have to admit, I’ve been surprised by the tone and magnitude of the reaction to my announcement. I’ve been following the reactions on Twitter and every follow-up blog post I could find. I’d like to share some follow-up thoughts about this decision and the reactions to it. First, I didn’t say ‘dead’, I said ‘bad’.”
  • Tim Bray: On the Deadness of OAuth 2
    “I’m kind of a n00b here. I’m a crypto cretin, a PKI peasant, an attribute-exchange airhead, and have been known to confuse authentication with authorization. Having said that: I’ve spent a lot of time, the last few months, getting to grips with real actual OAuth 2 software, and I’ve learned over the years that when you’re in the process of first using a new technology, that’s a good time to write about it.
    It’s done. Stick a fork in it. Ship the RFCs.”
  • Scott Morrison: Why I Still Like OAuth
    “So what are we to really make of all this? Is OAuth dead or at least on “the road to Hell”, as Eran now-famously put it? Certainly, my inbox is full of emails from people asking if they should stop building their security architecture around such a tainted specification.”
  • Jonathan Sander: #SAMLisaZOMBIE
  • Dave Kearns: The death (and life) of a protocol
    “And then he reiterated for the hard of understanding: “SAML is dead does not mean SAML is bad. SAML is dead does not mean SAML isn’t useful. SAML is dead means SAML is not the future.” So what is the future for authentication? In May, at EIC I presented an award: Best New Standard 2012 in the Category “Best Innovation/New Standard in Information Security” which went to OpenID Connect for “Providing the Consumerization of SAML. Driving the adoption of federation and making this much simpler.””
  • Drummond Reed: Social, Local, Mobile, Personal
    “The pot of gold at the end of the current Internet growth rainbow is not social — or mobile — or local — but personal. Personal is to social what local is to mobile. Personal is not a wall of information from all your social connections, but just the most relevant information from the most trusted connections.”
  • John Fontana: Consumers care most about SSN, less about college grades in privacy survey
    “A privacy survey ranks the Top 100 data points in terms of what information end-users care the most about keeping private. Also, Baby Boomers emerge as most privacy-sensitive group.”
  • SafeNet Tokens, Smart Cards Available Through InCommon
    “As part of its multifactor authentication program, Internet2’s InCommon will offer SafeNet’s smart cards and PKI tokens to participating higher education organizations. These devices provide researchers, faculty, students and staff with secure, cryptographic storage of the client certificates that they may use to access campus-based and online resources secured with PKI, as well as allowing for S/MIME digital email signatures and email encryption.”
  • Thomas Scavo: Bring Your Own Token
    “Thus the term "bring-your-own-token" (BYOT) is born. BYOT is a term for "various [authentication] methods (sometimes called "tokenless") that leverage the devices, applications, and communications channels users already have." In this case, the mobile phone, in particular the "smartphone,” is leveraged as a "what you have" token used in conjunction with two-factor authentication (2FA).”
  • Doc Searls: The final demographic
    “For individuals, demographics are absurd. None of us are an age, much less a range of them. We’re animals who live and work and have fun and do stuff. Eventually we croak, but if we stay healthy we acquire wisdom and experience, and find ourselves more valuable over time. Though we’re less employable as we climb the high end of the demographic ladder, it’s not because we can’t do the work. It’s mostly because we look old and our tolerance for bullshit is low. Even one’s own, sometimes.”
  • Marcelo Thompson: Privacy Piracy in Brazil: 10-day Countdown
    “Brazil has just founded its branch of the Pirate Party, in the presence of Pirate King, Rick Falkvinge, himself. The Pirate Party carries the flag of the protection of civil liberties on the Internet, of the promotion of balanced copyright laws and, as Falkvinge himself notes, of a fight for love. To this extent, I must tell you straight on: I am a Pirate — and I believe most of you reading this note will identify yourselves as pirates as well. But this is not a note about the Pirate Party in itself or about the pirate ideology. It is a note about a specific law that Falkvinge, with many (but not all) good reasons, decided to champion in Brazil.”
  • Anil Saldhana named OASIS Distinguished Contributor
    “Anil Saldhana of Red Hat, co-chair of the IDCloud TC and member of the IDtrust Steering Committee, has been recognized as an OASIS Distinguished Contributor.”
  • Danica Radovanovic: Open Linked Data, Serendipity, and the Future of Web
    “Being a Semantic Web, Open Linked Data, Open Source enthusiast, and at some point the contributor to the AP for the FOAF and other metadata standards, recently I had an opportunity to talk with Kingsley Idehen on his current projects,  views on the use of the Web technologies, Open Linked Data,  WebID, serendipity, and certain aspects of the Internet that influence our everyday lives. The interview is published for Australian Science.”
  • The emerging market that could kill the iPhone
    “A handful of tech startups are competing for a foothold in the nascent market for personal data control. And that could mean major changes for the likes of Apple, Google and Microsoft.”


  • A new API for Persona
    “After gathering feedback from our users and our User Experience team, we’re excited to announce that we’ve implemented several important new features in Persona. These features include showing your website’s name and logo in the login dialog, a streamlined experience for first-time Persona users, and greater security thanks to global logout from any device.”
  • Nat Sakimura: Named Token Profile for OAuth 2.0
    “Currently, OAuth only has the bearer token variant. It would be very useful to have the named token variant as well. There can be many ways to do it, but what I propose here is very simple.”


  • Workshop on Federated Identity Management
    “June 21, 22 a Federated Identity Management (FIM) took place at the MPI for Psycholinguistics in Nijmegen. The workshop was hosted by the MPI as a representative for the Humanities and Social Sciences and extra emphasis was placed on contributions from those disciplines.
    See more at https://indico.cern.ch/conferenceDisplay.py?confId=191892”
  • Federated Shibboleth, OpenID, oAuth, and Multifactor
    “October 01, 2012, 3:00 PM - 4:00 PM
    Federated login via OpenID, oAuth, and external Shibboleth IdPs can be used as authentication alternatives to an institutional Shibboleth IdP. A standard Shibboleth service provider can request various types of authentication for access to certain protected resources, and in some cases, more than one authentication type can be required. Data from the institutional directory can be used to seamlessly enrich the login experience and enable fine-grained access controls, all with minimal deployment complexity for departmental uses.”
  • InCommon as Infrastructure: How Standard Practices and Federation Features Help Scale Federated Identity Management
    “October 01, 2012, 4:30 PM - 5:30 PM
    This session will discuss how the adoption of standard practices (the recommended practices that have emerged) will help solve these potential problems, and will help the community better serve campus constituencies. The session will also explore how new federation features — from service provider categories to the assurance program — will ultimately help campuses take full advantage of federated identity management and ultimately better serve their faculty, staff, and students.”


  • Phil Windley: A Road Map for the Personal Cloud Operating System
    “Kynetx has built what amounts to a functioning kernel for a cloud OS. But there's more to an OS than the kernel. This post outlines what else is needed to create a fully usable cloud OS.”
  • Mike Amundsen: Standards, APIs & WAC
    “The WAC’s key failure was that it attempted to standardize the wrong thing: the API. This is a common problem that occurs repeatedly. GigaOm readers may recall another example of industry-level standards going astray, summarized in the “Cloudstack-Openstack Dustup” piece from April. I suspect several readers can call to mind similar cases in the not-too-distant past. Such cases usually share a common theme: disagreement on the details of the API.”

Cloud Computing

  • Gunnar Peterson: Security > 140 Conversation with Jason Chan
    “Jason Chan is Cloud Security Architect at Netflix. In this Security > 140 conversation, we discuss some of the innovations that Netflix has applied to its security in AWS and what other enterprises can learn from their pioneering experiences.”
  • Rackspace CEO: ‘We’re playing a different game’ than Amazon
    “The Rackspace Cloud is now based fully on the open source OpenStack platform. I recently spoke with CEO Lanham Napier, who discussed how his company doesn’t necessarily see Amazon Web Services as a direct competitor, and how OpenStack is changing his company’s entire business.”
  • Amazon takes aim at IO bottlenecks
    “High-performance web applications are often hamstrung by sluggish IO. Amazon is now attacking that problem with new Provisioned IOPS block storage volumes and the ability to direct-connect those volumes to select EC2 compute instances over a 1000 Mbit/sec pipe.”

Valuable Identity

  • Government publishes midata 2012 review and announces consultation on taking new powers
    “The midata programme part of the government’s consumer empowerment strategy announced a review and consultation of the programme to date and the plans going forward. The consultation seeks views and opinions on a proposal to create an order making power, which if utilised, would compel suppliers of services and goods to provide to their customers, upon request, historic transaction and consumption data in an open standard machine readable format.”
  • NSTIC: Proposed Identity Ecosystem Steering Group Workplan
    “Today the National Program Office (NPO) is releasing a Proposed Workplan Outline to help address these questions and jumpstart the work of the Identity Ecosystem Steering Group (IESG). We are releasing this as a “discussion draft” produced by our office, solely to catalyze discussions among stakeholders, with an eye toward accelerating the work of the IESG in the months ahead.”
  • EMV Migration Forum
    “The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance to address issues that require broad cooperation and coordination across many constituents in the payments space to promote the efficient, timely, and effective migration to EMV-enabled cards, devices, and terminals in the United States. A broad cross-section of leading payments brands, issuers, payments processors, and industry suppliers are behind the effort to establish the Forum. The EMV Migration Forum will support the alignment of the EMV implementation steps required for global payment networks, regional payment networks, issuers, processors, merchants, and consumers to successfully move from magnetic stripe technology to secure EMV contact and contactless technology in the United States.”
  • Google Wallet goes cloud-based to support all major credit, debit cards
    “Google Wallet might have figured out the key to mass adoption: accept every major credit and debit card available.”

