Tim Bray from Google has been running a series of blog entries he calls the Federation Conversation, soliciting feedback. He has gotten a lot! This led to him investigating Mozilla's Persona and asking a number of interesting questions about Persona and large-scale authentication in general:
There were several other items of interest to the identity community.
Eve Maler, Forrester: "Responsive Design" Is Good For Web Apps - And For Authentication
Responsive design is all the rage in consumer web-app design. Similarly, in researching current authentication methods and trends, we've come to believe more strongly than ever in adapting your user authentication methods to your population, the interaction channel they're using, your business goal, your risk, and your ability to pick up on contextual clues about the user's legitimacy or lack thereof. Call it responsive design for authentication.

Anil John: Role of Multi-Sided Platforms in Identity Federation
Many of the breakthrough products and services in existence today are platforms which connect two or more distinct classes of customers in a network. This blog post explores some of the foundational elements of such platforms and their applicability to identity federation.

Nat Sakimura: Refactoring OpenID Connect Drafts
After the Berlin OpenID AB/C WG F2F meeting, I have been trying to refactor the Connect suites into more palatable form. I am supposed to create two sets of the refactored version. One for a granular split version and the other for a monolithic version.

Mike Jones: WebFinger Specification Ready for RFC Editor
The WebFinger specification enables discovery of information about a user or resource at a host using an HTTP query to a well-known https endpoint, with the discovered information being returned in a simple JSON structure. For instance, OpenID Connect uses WebFinger to discover the location of a user's OpenID Connect server.

Anil John: If You Don't Plan For User Enrollment Now, You'll Hate Federation Later. Redux.
User enrollment (a.k.a. user activation, first time user provisioning, first time account mapping) into a Relying Party (RP) application is the critical first step in making identity federation work. I've found this particular topic to be one that is ripe for confusion and conflation driven by the needs and motivations of both RPs and Credential Service Providers (CSP).

Nishant Kaushik, Identropy: It's about Provisioning, not provisioning
As I point out in my 2011 CIS talk, Provisioning is a business problem, which deals with the policies, rules, technology and user experience pertaining to the creation and management of user accounts, and often much more. Most IDaaS vendors claiming to solve enterprise 'Provisioning' needs are actually just offering 'provisioning', which mainly covers the technology part of the equation.

Dave Kearns: Eliminating passwords? We're NEARly there!
Still, it was interesting, especially when I read: "The next generation of access control credentials are expected to do more than provide door access." I chuckled, because I'd written something very similar a decade ago.

Matt McLarty, Layer 7: Steering Safely into the Open Enterprise
George Reese of Dell recently published an article that discusses the Tesla Model S REST API. This API enables some remote control features on the car and is primarily used by Tesla's available smartphone apps. Great stuff, showing how mobile meets IOT meets API. The problem is that the focus of the article is all on its potential security vulnerabilities.

Bob Griffin, RSA: Speaking of Security - for Smart Grid
I've touched on Smart Grid a number of times in my blogs for RSA's Speaking of Security, including in a recent one on Metadata and Evolution of Security. In The Digital Universe and the Smart Grid, I wrote about the implications of the Internet of Things for the Smart Grid. And in Air Gaps and Smart Grid, I wrote about the need to build security analytics into the Smart Grid, given the vulnerabilities even in air-gapped systems.

Katie O'Brien, UnboundID: Five Common Data Privacy Misconceptions in the United States
In discussions with friends, family, and colleagues, everyone seems clear on what should happen, but not as clear on what is happening. Plenty of the key points in the data privacy discussion can seem vague even to those entrenched in the subject. However, there are several aspects of today's data privacy landscape that are well documented, although they may not be well known.

Doc Searls: Thoughts on privacy
That's because privacy is mostly a settled issue in the physical world, and a grace of civilized life. Clothing, for example, is a privacy technology. So are walls, doors, windows and shades.

Dave Birch: Monday Museum: Tokens mean credentials mean reputation
It's hard to validate -- I mean really, really validate -- someone's real identity in a transaction. By "hard", of course, I also mean "expensive". That's why transaction mechanisms that don't validate real identity (eg, credit cards) are easy to use and cost-effective. Luckily, we don't often really need actual identity validated to conduct a transaction.

Philippe Benitez: The Truth About EMV in the US: Card-Not-Present Fraud
This is because EMV payment cards are often equipped with features meant to add security to card-not-present transactions, such as one-time-passwords, on-card displays, or features accessible via personal card readers. Using an EMV card with one or more of these authentication tools effectively ensures that the card-owner and the card are both present during the transaction.

Identity Woman: Interesting events in 2013
This is a calendar of events that I know in 2013 (and beyond). I think they're interesting, I'm currently planning on attending all the events in BLACK, I'm helping co-organize all the events with RED headlines. Some events will change from interesting to attending as they approach.
Trusted Computing Conference Sept. 9-12, 2013 Orlando, FL, USA
The most influential and powerful individuals and businesses will participate in this three-day conference and trade show that will unify the standards-based trusted computing message and unite our understanding.

Open Identity Summit 2013 Sept. 10th - 11th 2013, Kloster Banz, Germany
The aim of Open Identity Summit 2013 is to link practical experiences and requirements with academic innovations. Focus areas will be Research and Applications in the area of Identity Management and Open Source with a special focus on Cloud Computing.

pii2013
The 4th annual Privacy Identity Innovation conference, pii2013, will be held Sept. 17-18 at the Bell Harbor International Conference Center in downtown Seattle. There will also be a Welcome Reception for pii2013 participants in the Space Needle at 5:00pm on September 16th.

Digital Enlightenment Forum 2013
The 2013 edition of the annual event of the Digital Enlightenment Forum (DEF) will take place from Sept. 18-20, 2013 at the Crowne Plaza Hotel in Brussels on the theme "Personal data and citizenship in the digital society".

User-Centric ID Live
Opportunities for relying parties in NSTIC and the new identity ecosystem Oct. 15-16, 2013 - Washington Convention Center, Washington, D.C.

eID & ePass 5th edition
National eID & ePassport Conference - the Global Forum on the drivers behind the digitalization of citizen ID documents proudly announce the fifth edition in Berlin, Oct. 28-29, 2013 @Intercontinental Berlin.

InCommon Advance CAMP: Identity Services Summit Nov. 12-13, 2013 San Jose, CA. Part of the 2013 Identity Week (www.incommon.org/idweek)
Join leading identity architects and developers from U.S. research and higher education and international and commercial identerati.

InCommon: CAMP Cloud: Identity and Access in an Era of Outsourced Services Nov. 14-15, 2013 - San Jose, CA. Part of the 2013 Identity Week (www.incommon.org/idweek)
Are your campus stakeholders looking at cloud-based solutions? Are you concerned about the management and maintenance of an accurate, accountable identity inventory? Learn about solutions being discussed and implemented across higher education.

KuppingerCole Information Risk & Security Summit 2014 Nov. 27-28, 2013, Frankfurt, Germany
Taking place on November 27 - 28, 2013 at the Frankfurter Innovationszentrum FIZ Conference Lab, Frankfurt/Germany, offers an unseen combination of thought leadership and interactive session formats, tackling the most demanding questions IT professionals are confronted with: How to support the extended and connected enterprise with brilliant services without taking too many big risks.