Standards seem to take forever. OAuth 2.0 was no different. Well, good news, it’s done. Ping’s Brian Campbell and Paul Madsen actually took some time out from their regular schedule of tweet skirmishing to do just enough work to get their names on the standard. Mike Jones from Microsoft, however, probably thinks he’s lost several years from his life:

  • Mike Jones: OAuth 2.0 RFCs Completed
    “The OAuth 2.0 Core and Bearer specifications are now RFC 6749 and RFC 6750. This completes the journey to standardize a pair of simple identity specifications that are already in very widespread use for Web, enterprise, cloud, and mobile applications. They make things better by enabling access to resources to be granted without giving the password for the resource to the party being granted access (a pattern that used to be all too common).”
    [Dick Hardt: OAuth 2.0 :: RFCs 6749 and 6750]

There were other items of interest to the identity community:

  • Francois Lascelles: Define Your Own API Management Deployment Model
    “API Management platforms come in different shapes and sizes: cloud-based infrastructure, on-premise infrastructure, multi-tenant SaaS, single-provider portals, API ecosystems etc. For this third part in a series of posts on API Management deployment models, let’s look at some of the considerations in choosing the right approach for your API Management project.”

Cloud Computing

  • Phil Windley: Why Personal Clouds
    “This short slideshare makes the case for personal clouds. A personal cloud enables cooperating networks of products and services, makes every product a platform, supports intention-driven automation, makes the world your user interface, and transforms the way you interact with the world.”
  • Andreas Solberg: UNINETT WebApp Park Architecture
    “Here is a short description of the UNINETT WebApp Park Architecture.”


  • Gunnar Peterson: Walking The Mobile Mile
    “Putting the 'i' in identity means navigating the hidden complexities in mobile identity”
  • Gunnar Peterson: Line in the Sand on Subprime Security - Mobile Apps Can't Afford to Take on Technical Debt
    “The reason why playing catch-up is not good enough in Mobile is one that will be familiar to my clients - the Mobile Use Cases are too important to screw up.”
  • Mobile Phones and “Mobile” Adversaries: Announcing RSA Distributed Credential Protection
    “DCP realizes proactive cryptography in the limited setting of two servers—and may be extended in future versions to more (m out of n). Of course, just as mobile phones today include a lot more technology than Stubblefield’s demonstration device, and much more user-friendly packaging, DCP is an advance on its 1991 ancestor in print. It realizes ideas due to many researchers before and after Ostrovsky and Yung; at its heart are inventions from RSA Labs (e.g., this paper and follow-up), and excellent work by RSA Engineering to address the many practical problems of commercial systems.”
    [I normally don’t include product announcements, but this is a significant new piece of cryptographic engineering.]
  • You don’t take mobile apps seriously? FTC does…
    “Last month, the Federal Trade Commission (FTC) released new guidelines for app development for mobile devices. End-user privacy and security take top priorities as FTC urges app developers to be mindful of data collected via apps as well as enterprise privacy policies.”


  • Veteran Firm Acxiom Eyes Data-Hungry Advertiser Market
    “Acxiom has been around for 43 years, but this year was the first time the consumer data powerhouse joined the ranks of companies at Advertising Week in New York this week. Like lots of firms, Acxiom sees a huge opportunity in providing data and related services to brand marketers and ad agencies who lately seem insatiably hungry for it.”

Valuable Identity

  • Nat Sakimura: US$1.5M project to bolster the privacy and security of the cyberspace
    “National Institute of Informatics (NII), University of Tokyo, University of Kyoto, and Nomura Research Institute have jointly won a funding from Ministry of Communication with regard to privacy and security enhancement of the cyberspace through SAML and OpenID Connect. The funding is approximately US$1.5M. The project lead is Prof. Nakamura of NII.”
  • MasterCard Connects NTT DoCoMo's Domestic Payment Network to the World
    “Today, Japan's mobile network operator NTT DoCoMo announced that it will allow its 17 million iD mobile credit card service users to make contactless payments overseas through a partnership with MasterCard.”
  • American Express and Walmart Launch Bluebird
    “Bluebird members can deposit money in a variety of ways including payroll direct deposit, remote check capture via the Bluebird mobile app, using cash at any Walmart register, or by linking a checking, savings, or debit card to the account. There are no minimum balance, monthly, or overdraft fees.”
  • Dave Birch: He’s no fraud
    “I made a note at the time, and this came to mind when the good people at Experian invited me along to their annual Identity and Fraud Forum. They asked me to come along and talk about the medium term future for retail payments, but naturally most of the other talks were about, well, identity and fraud.”
  • Mobile Payments: A New Frontier for Criminals
    “Fortunately, Lee’s not a thief but a security expert paid to find vulnerabilities in wireless payment technologies. By 2015, consumers worldwide will buy $1.3 trillion worth of goods with their phones and tablets—four times the amount today, forecasts Juniper Research. The expectation is that fraud will account for 1.5 percent of all mobile payment transactions in four to five years, says Avivah Litan, an analyst at tech researcher Gartner (IT). “There’s huge concern,” says Mike Urban, director of financial crime solutions at Fiserv (FISV), a Brookfield (Wis.)-based technology company that caters to banks and mortgage lenders. “Potentially, it could be billions of dollars a year in losses.””

