Sometimes someone comes up with an idea that is so elegant and simple, yet so powerful, that I just marvel. One of my favorite tools of all time is the old beer can opener that had a can opener on one end and a pop bottle cap opener on the other. No moving parts! Fits in the hand. Low price. Etc. Now our friends at Kynetx have figured out how to give any object an identity by attaching a simple tag to it - a QR sticker or an RFID chip, for example - that connects to its personal cloud. Welcome to the Internet of Things (IoT)!
Phil Windley: Introducing SquareTag “A little tag that can be attached to something, and contains a short code—the tag’s ID—that points to a dedicated online computer that stores data and runs programs. These computers are persistent data objects (PDOs—what I’ve called a “personal cloud” in other contexts). The PDO is a virtual representation of some thing in the physical world.”
Phil and friends have put out a series of introductory whitepapers about this:
The Live Web Series “The Live Web Series is a series of white papers about concepts and technologies that are making the Live Web a reality. Our vision includes lightweight, cloud-based, virtual computers that we call personal clouds connected in a relationship web using personal channels, communication links of extraordinary power. Using these as building blocks, we envision a powerful and yet practical Internet of Things and new ways of conducting commerce.”
There were lots of other items of interest to the identity community this week:
Dave Kearns: The buzz for 2013 “Last time out, I ended by saying “Next time we’ll take a look at two ideas that, hopefully, will be the talk of 2013.” I lied. Depending on how you look at it, it’s either four ideas – or one idea. And there’s sure to be a buzzword/phrase/abbreviation/acronym or two coming about from it – or them. I do know that there are four concepts, known fairly well within the identity community, that need to coalesce to create a grand scheme which can be turned into a buzz phrase and picked up by the general media so let’s take a look and see how they’ll fit together.”
Andre Durand: 2013: It's go time “I recently started a day with a morning run across the Golden Gate Bridge. It was as inspirational as it was reflective, as I ran from the peninsula of San Francisco over to Marin County. It is these moments in life when epiphanies seem to appear and the future gains focus.”
Google wants Password123 in Museum of Bad Headaches “Should typed passwords ever make their way into the Memory Bin, no tears will be shed in certain quarters at Google. The search giant is taking a serious look at a computing future where users have a safer environment that can secure their online information and accounts via physical passwords, perhaps in the form of finger rings or USB sticks or keys. Google's Vice President of Security Eric Grosse and engineer Mayank Upadhyay have presented their suggestions for better hardware authentication in an upcoming research paper to be published in Security & Privacy magazine.”
Robert McMillan: Google Declares War on the Password “Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger? This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time.” [Mark Atwood: Thoughts on Google, YubiCo, and "The War on Passwords"]
John Fontana: Password life expectancy down to seconds “End-user generated passwords continue to have little defense against hackers, according to Deloitte Canada.”
Secure Crypto: Cluster Cracker “The results published show that the most common techniques of storing passwords are vulnerable to offline attack. They also show that when a password is secured using ‘bcrypt’ or ‘sha512crypt’ the number of guesses possible is dramatically reduced and thus security is dramatically increased. Both algorithms are secure against brute force attacks. But, dictionary attacks will still work against weak passwords.”
Phil Hunt: Is OAuth2 Ready for Use? “In what seems to be becoming a regular thing, I have another blog post on the Oracle IDM blog, "Standards Corner: A Look at OAuth2", where I answer some tough questions:
What is the difference between OAuth1 and OAuth2?
Is OAuth2 mature enough to use?
Should customers deploy OAuth1?
What's happening with OAuth2?”
Anil John: User Consent in the Age of Attributes - Part 2 “In a previous blog post on user consent, I had created a mock-up of a consent UI as a thought exercise. But I've always been on the lookout for what has been shown to work effectively in an operational setting. In this blog post, I wanted to highlight the consent dialog that is in production use by the WAYF federation hub.”
Sean Deuby: Microsoft Formally Announces Its “Cloud OS” Strategy “Private cloud, Azure public cloud, third-party cloud services, and mobile device management under one Windows Server 2012 / System Center 2012 SP1 umbrella”
Robert David Graham: I conceal my identity the same way Aaron was indicted for “According to his indictment, Aaron Swartz was charged with wire fraud for concealing/changing his "true identity". It sent chills down my back, because I do everything on that list (and more).”
Phil Hunt: OAuth2: How does OAuth2 Make Crypto Easier for Developers “Let me break this up into a couple of paraphrased pieces:
1. If you do not use crypto, how do you securely have a self-contained token without crypto (aka bearer token)?
2. Does this mean all connections must be HTTPS mutual authentication to be viable?”
Anil John: Can NIST E-Authentication Guideline SP 800-63-1 Support a Token-Attribute Separation Model? “In "A model for separating token and attribute manager functions", I provided some examples of how that model could be mapped to instances of current online application architectures. In this blog post, I would like to explore if the components used to calculate authentication assurance levels in NIST SP 800-63-1 can be mapped into the model.”
Personal Clouds - Community Gathering “Personal Data Ecosystem Consortium Tuesday, January 29, 2013 from 6:00 PM to 9:00 PM (PST) San Francisco, CA”
Kantara Initiative to Appear at HIMSS13 “New Orleans welcomes the 2013 HIMSS Annual Conference and Exhibition, March 3-7, 2013, at the Ernest N. Morial Convention Center. More than 36,000 healthcare industry professionals are expected to attend to discuss health information technology issues and review innovative solutions designed to transform healthcare.”
European Identity & Cloud Conference 2013 “May 14 – 17, 2013 at the Dolce Ballhaus Forum Unterschleissheim, Munich/Germany”
Drummond Reed: Trillions – The Video “Setting a new precedent here – blogging about a book even before I’ve finished reading the first chapter. But I’m reading Trillions at the recommendation of several close friends in the industry (Phil Windley, Peter Vander Auwera) who believe it’s highly relevant to where we are going with personal clouds and XDI. And just the introduction makes so much sense that I know I’m going to savor every chapter. If you want to see why, just watch this wonderfully executed 3-minute video from MAYA, the company behind the book.”
Chris Maher: NIST's NCCoE: Request for Proposal; Secure Electronic Health Information Exchange “… Major security concerns for secure electronic health information exchange include the following categories: …”
Visa Approves RIM’s Secure Element for Payments “Visa has approved Research in Motion’s method for handling secure mobile payments. This is an important step in developing support for BlackBerry’s ability to enable NFC-based payments.”
Dave Birch: Why would some retailers want to get rid of cash? Because of the others who don’t “Having sat through a fantastic, detailed and interesting presentation about the cashless Sziget festival in Hungary, I can say that this is categorically not true. NFC was faster, safer, more convenient and (and this is the kicker) more profitable than either cash or chip and PIN cards (the merchant charge on contactless transactions was lower than chip and PIN transactions). But that wasn't the point I wanted to make.”