Planet Identity

Ben Laurie - Apache / The Bunker: Certificate Transparency Sites

2012-02-04T21:50:54Z

I may not have said much more about Certificate Transparency, but we’ve been working on it. So, those interested in following along (or joining in) are welcome to look at…

Website.

Mailing list.

Code repository.

The code repository also includes the spec, in xml2rfc format.

Jackson Shaw - Quest: Multifactor Authentication for Dummies

2012-02-04T19:57:01Z

We just released this “for Dummies” book which gives a good overview of what multifactor authentication is, the challenges it helps to solve and how the Quest Defender product fits into solving customer’s problems in this area.

You can download your copy of this book here. I hope you find it useful.

Phil Windley - Kynetx: An Operating System for Your Personal Cloud

2012-02-04T00:58:01Z

Everyone has a cloud strategy these days. Of course, when you hear about clouds, you hear questions like "Are we talking about IaaS, PaaS, or SaaS?" This assumes an enterprise-centric view of clouds that is belied by what Robert Scoble calls the game of games. Facebook, Google, and Apple are most selling clouds in various guises and see their cloud strategy as a key to their future.

The problems with these "personal clouds" is that they have no operating system. An operating system is what makes your personal computer personal. Without an OS, it would be a special purpose appliance that does specific things (like run an office suite) but not others (like play a game). There are certainly those who wish that was the norm, but for now, at least, we have general purpose computers that run a variety of applications and can be configured according to the dictates and wishes of their owners.

[An aside for those of you getting ready to comment: yes Facebook allows apps and is an app platform, but they are ancillary to the experience, not core. The core experience is still very much a Facebook-determined thing.]

The user-focused clouds we see today are special purpose. You can't customize them much or make them do something their builders didn't envision in the selection of applications that they offer.

In contrast a personal event network is like an OS for your personal cloud. You can install apps to customize it for your purpose, it can store and manage your personal data, and it provides generalized services through APIs that any app can take advantage of.

Ian Yip: F*** it, I'm lighting 100 candles - Entitlement Management 2012

2012-02-03T14:31:53Z

Photo credit: Alessandro Silipo

One of the most widely read series of posts on my blog relate to entitlement management (part 1, part 2). In fact, do a search on Google for "entitlement management" and part 1 appears on the first page of search results (albeit below the fold). Don't read them yet. You'll get tired and won't come back to continue reading this :-)

I wrote those posts over 2 years ago to stir the pot. They served their purpose and garnered some great discussion with a few luminaries in this space (including esteemed analysts from Gartner and Forrester).

At the time, I argued that the term "entitlement management" was typically used to refer to fine-grained access management or real-time, attribute-based, authorisation enforcement (e.g. as per the products offered by IBM, Oracle, Axiomatics and BiTKOO (now part of Quest Software)). But on the flip side, I did acknowledge (in part 2) that there were other ways to define it:

The processes and solutions around gathering, interpreting, and cleansing entitlements.
User-managed (or user-centric) entitlement management.

Point number 2 is a topic best left for another day, especially as it involves discussions around online services (see UMA for more info).

The first point however, is what we now commonly refer to as access governance (e.g. SailPoint, Aveksa). Some use "identity intelligence" (thanks to the analysts), but in my opinion, identity intelligence is a broader term that also includes data analytics and Security Information and Event Management (SIEM). However, "manage user entitlements" is another commonly used term in access governance discussions. In fact, it is used so often that I'm starting to find when anyone talks about entitlement management, more often than not, they mean managing user entitlements for access governance purposes.

Back in 2009 (when I wrote the posts referenced above), I was convinced that real-time, attribute-based, fine-grained authorisation enforcement would take off. IBM and Oracle certainly thought so too. I have yet to come across a security architect who doesn't think it's a good idea. I still think it's a great idea. But in the world of Information Security, just because something is a good idea does not make it compelling. Compelling; aye, there's the rub. If I had to distil security spending decisions down to one word, it would be: "compelling". In a recent presentation I gave, I said:

"Sexy technology doesn't sell security. Interesting technology doesn't sell security. But give someone a compelling reason, and they'll buy a security solution."

That statement sums up why entitlement management has evolved to be more about access governance than fine-grained access management.

Trying to sell someone on the fine-grained access management story is an almost impossible, thankless task. If any of you have ever had to sell a provisioning solution without out-of-the-box adapters (or agents, or drivers, depending on which vendor's solution you are familiar with), multiply that pain by a factor of 100 and you might start to get close to the challenges faced with selling a fine-grained access management solution. It's like saying: "please buy our power station, but you have to figure out how to build the light bulbs yourself after ripping out the ceiling to install wires and by the way, there are 1000 ways you can build light bulbs using 1000 different sockets into the wiring with each bulb running at a different wattage".

Access governance initiatives on the other hand, are almost always driven by regulatory compliance requirements. This makes access governance initiatives compelling. It is also why SailPoint and Aveksa are doing so well.

To be successful at selling fine-grained access management solutions, you have to go to customers with a pre-built set of light bulbs and only focus on the ones with wiring compatible with your set of light bulbs. It's why BiTKOO does well in Microsoft SharePoint environments.

Essentially, access governance solutions are much less intrusive, much easier to integrate and are supported by compelling reasons to buy.

As reliant as we are on electricity nowadays, if we were told we had to rip our ceiling out, install wiring ourselves and build our own light bulbs, most of us would say:

"F@#$ it, I'm lighting 100 candles."

Ian Yip: Book Review - Grouped

2012-02-03T14:24:01Z

I've never done a book review, and I don't plan on making it a habit. But this one is worth a mention given many of us have to do some level of marketing, even if it's not officially in our job description. And in today's Facebook/Twitter centric world, marketing's changed a lot from the good old days.

Grouped, by Paul Adams is an easy, interesting, worthwhile read. It has the distinction of being the very first e-book I've ever bought. Essentially, it talks about the social web and how people are influenced in today's constantly connected world. You'll feel smarter after reading it, but you don't need a PhD to understand it. Paul's done a great job of distilling and simplifying copious amounts of PhD-worthy research for the masses.

If what you do relates to marketing in any way, you'll appreciate the ideas Paul puts forward. Even if you're not, you'll learn enough to make it worth your while and it'll make you see many things in a different light. For example, where you may not have realised an online interaction is actually influencing your behaviour in the past, you'll sure as hell notice once you've finished the book. Our emotions and subconscious play a much bigger part in our seemingly logical decisions than we realise.

The best ideas are the ones that are easy to understand and seem obvious, except they didn't occur to you until now. For example, the fact we work hard to conform to social norms, observe how others react to understand what is acceptable thus shaping our behaviour seems obvious. But we don't consciously realise that's how we tend to behave. We apparently also communicate with the same 5 to 10 people most of the time, but it's not something I realised until I thought about it. I'm not doing the content justice in my paraphrasing, so you're better off reading the book than trying to gain any useful insights here.

The book is well researched, has a nice selection of case studies and examples, and best of all, doesn't take long to read. I should point out a lot of the examples are from Paul's experiences at Facebook, but I don't think he means for the book to be a big advertisement for the Facebook platform. He simply used the relevant data he had access to given his position at the company.

Then again, the fact I'm being positive about this book could be because we generally don't want to appear to be negative in public, especially when doing so in a non-anonymous manner. Perhaps I've been Jedi Mind Tricked into this way of thinking by Mr Adams.

Blogging 'bout WAYF: Why is the configuration called metadata?

2012-02-03T07:31:54Z

Metadata is the ‘configuration’ of the identity federation.

In a point-to-point-federation, where all entities must know each other, the configuration needs to be updated at all entities at regular intervals. Thus the name ‘metadata’.

In a hub-and-spoke model, like WAYF, each IdP and SP only needs to know the configuration of one other entity, namely the hub. The ‘metadata’ is updated much less frequently and can be thought of as almost static.

In principle it should only be updated if the certificate of the hub is changed.

Kuppinger Cole: Back to the ROOTs

2012-02-02T20:52:41Z

In Kuppinger Cole Podcasts

In diesem Webinar erläutert zunächst Martin Kuppinger die aktuellen Trends im Markt für PxM (Privileged Access, Account, Identity, User Management) und die Frage, wo und wie man PxM-Lösungen mit seiner übrigen Identity und Access Management-Infrastruktur verbinden sollte. Daran anschliessend stellt Jochen Koehler von Cyber-Ark praktische Ansätze zur Verwaltung von privilegierten Identitäten vor.

Watch online

Courion: And the Answer is…Access Intelligence

2012-02-02T18:45:00Z

Access Risk Management Blog | Courion

Protecting against loss of intellectual property and vital data is mission critical, and a big part of what keeps IT managers up at night.

But a recent survey conducted by Courion of IT managers revealed there's a disconnect between the top concerns of IT managers and what they're doing to protect vital corporate information.

While potential loss of sensitive data, corporate reputation, intellectual property or revenue topped the list of risks to the organization, IT managers also struggle with actually identifying their biggest access risks and the need to put processes in place to manage them.

But surprisingly, only 12 percent of those responding conduct reviews more than monthly to certify that user access risk poses no threat to their critical assets. Over 60 percent of IT managers review user access privileges only four times per year or less, and those reviews only ensure companies are observing security and best audit practices — they're not focused on identifying new or growing areas of access risk — such as internal users abusing privileges.

That said, more than half of the survey respondents know they need to start doing things differently. They'd like to use near-real-time graphical profiles of Identity and Access Management (IAM) activities to help them manage the most critical risks to corporate information, but said they currently lack visibility into the access risk management data they need to create the profiles.

Lack of data also prevents IT managers from identifying user access associations and patterns that violate company policies or could enable users to circumvent internal controls. Nearly 60 percent of those polled said they can't compile the data for that kind of analysis from their existing IAM systems, and many who use IAM data to manage risk are doing it manually — it's not only time consuming; it doesn't provide a business context for evaluating access risk.

While survey results show obvious gaps in access risk management programs, they also show that IT managers are very aware about what’s needed to address these gaps. The key is having more access intelligence about their access risk — insight into which users have access to what vital information and knowing if they’re doing the right things with that access.

To learn more, click here.

blog.courion.com

Ashraf Motiwala - Identropy: Identropy Reviews Cutting Identity Management Operating Costs

2012-02-02T05:22:28Z

Identropy will be hosting a webinar with our friends at IDC entitled "Reducing your IDM Operating Costs Using IDaaS" in a couple of weeks (Tuesday, Feb 14). Nishant from Identropy and Sally Hudson from IDC will be presenting. Hope you can join us! You can read the abstract below, and register here...

Would you like to reduce your IDM Operations costs by 50%, while still proving that the IDM program is meeting its goal?

Is your IT team overburdened with IDM operational support in response to a constant stream of patches and updates that were never budgeted for?

Do they lack the bandwidth to get to strategic new tasks in an ever-evolving, increasingly important IDM program?

Do they lack the time or subject matter expertise to enhance your IDM solution in response to changing organizational needs and business objectives?

If so, this webinar is for you.

The successful deployment of an Identity Management (IDM) infrastructure is only the first step of a continuous journey. Join Identropy and IDC for a webinar on how Identity Management-as-a-Service can help overcome the challenges of successfully and cost-effectively running an IAM program. During this webinar, guest speaker Sally Hudson, Research Director within IDC's Security Products and Services group, will discuss why many of these projects fail and what operational areas need to be accounted for to help bridge the divide between project-go-live and long-term success. Nishant Kaushik, Chief Architect at Identropy, will discuss how their SCUID Operations offering has helped many customers address their operational concerns and yield long-term and increasing value from their IDM investment.

Nat Sakimura: 単なる OAuth 2.0 を認証に使うと、車が通れるほどのどでかいセキュリティー・ホールができる

2012-02-02T03:20:34Z

OAuth 2.0 の implicit grant flow を認証に使うと、車が通れる程どてかいセキュリティ・ホールが開くよ、と言う、ジョン・ブラッドレー氏[1]による良記事。コメントも読み応えあります。ちょっとチェックした見たところは、全滅。RP側を治さなきゃいけないから、とっとと公開アナウンスしたほうが良いのでしょうね。いちいちコンタクトしてられないし。

Facebook や、その他OAuthログインしているサイトはみんなチェク！

The problem with OAuth for Authentication. | Thread Safe

In some of the feedback I have gotten on the openID Connect spec, the statement is made that Connect is too complicated. That OAuth 2.0 is all you need to do authentication. Many point to Identity Pro…

英語読みたくないという人のために簡単に解説すると…

OAuth 2.0 の implicit flow を使って「認証」をしようとすると、とっても大きな穴が開きます。

カット＆ペーストアタックが可能だからです。

OAuth 認証？は、図１のような流れになります。

図１ OAuth 認証？の流れ

一見、問題なさそうに見えます。しかし、それはすべてのサイトが「良いサイト」ならばです。

Site_A が実は悪いサイトだったとしましょう。すると、Site_A は、このユーザになり変わる access_token をまんまと入手してしまったことになります。

Site_A は、以後、このユーザになりすまして、任意の「OAuth 認証？」をやっているサイトにログインすることができます。

非技術者のためのOAuth認証(?)とOpenIDの違い入門にも書きましたが、宛先の書いてない合鍵渡しちゃって、それを持っている人は誰でも私の分身ですと言っているわけですから当たり前ですね。

具体的に書くと、

Site_A はブラウザ(User Agent) UAを使って、Site_B に行ってログインしようとします。すると、上記と同じ手続で Site_B は「認証」をしようとします。UAは Site_B用の、攻撃者用のアクセストークン access_token_B をOAuth の Authorization Endpoint (Authz) からもらいますが、これをSite_Bには渡さずに、さっき取得した、ユーザ（＝被害者）のアクセストークン access_token_A を代わりに渡します。Site_Bがこのトークンが本当はSite_A用のものだと認識する手段はありません。なので、自分向けのものとして受け取ってしまいます。そして、Site_Bは GraphAPI に access_token を投げて、被害者のemail や user_id を取得しようとします。GraphAPI が、このSite_A用のトークンを送ってきているのがSite_Bだということを認識する手段もありません。したがって、GraphAPIは、Site_Aがリクエストしてきたのと同様に、被害者のemailやuser_idを送り返してしまいます。結果、Site_Bは、攻撃者を被害者としてログインさせてしまいます[5]。この流れが図２です。

図２ OAuth の access_token 置換え攻撃

これは、OAuth の state パラメータを使って XSRF 対策をしていても防げません。つまり、OAuth 2.0 の Client は、そのClient (サイト)にログインしたすべての人になりすまして、任意の他のOAuth 対応サイトにログインできるのです。

これは、OAuth の問題ではありません。

OAuth は Authorization Delegation Protocol = 認可をデリゲーションするためのプロトコルであって、ユーザ認証のためのプロトコルではないからです[5]。はっきり言って、楽ちんだからといって、それを単体で認証の代わりに使っている方が悪い。

実は、Facebook もこのことは気づいていて、signed_request というAPIを持っています。これはほとんど OpenID Connect と同じです[2]。Facebook でログインするためには、こちらを使わなければいけないのです。scope=signed_request ってやるんですよ。でも、使っている人、どれくらい居ますか？やってます？ほとんどは、access token を取得するための client side flow (Facebook のデフォルト）を認証の代わりにつかっちゃってますよね？！

Google の Identity Service の責任者の Eric Sachs 氏の、John の blog に寄せられた投稿も、このことの重要性を指摘しています。

OpenID Connect ではなく、単なるOAuth を認証に使っているIdPが巨大なセキュリティホールを生み出しているということに関する、ジョン・ブラッドレー氏によるすばらしい記事。これは、至るところで繰り返し言い続けなければならない。IdPに対しては、パートナーに対してセキュリティ上の問題を生んでいるということを理解してもらうために。RPsには、数行のコードをケチったために、自らのセキュリティを台無しにしているということに気付いてもらうために。数年前、Googleが現在のOAuthにあたる独自API「AuthSub」を公開したときは、まさにこの理由のために「認証に使ってはいけない」旨を、ドキュメントの最後に大きく掲載していた。[3]

問題の原因は、access_token の audience は resource endpoint であるのに対して、認証に使うトークンの audience は client でなければいけないというところにあります。だから、OpenID Connect では、client を audience にした id_token という、access_token とは別のトークンを発行しているのです。Facebook の signed_request も同じです。

ちゃんと治してくださいね、皆さん。治すってことは、OpenID Connect 対応するってことですよ！

大した工数じゃないんだから。数行を惜しんでユーザを危険に晒す[4]のは、ぜひやめていただきたいところです。

[1] John Bradley. アメリカ政府の ICAMの中の人で、IMI, OpenID, SAML のプロファイルを書いている。OpenID Foundation 理事。Kantara Initiative リーダーシップカウンシル議長。今回の記事は、OAuth 認証のプロファイルを書こうとして、「だめだこりゃ」ということらしい。

[2] signed_request は、Facebook 独自の署名方式をとっているのに対して、OpenID Connect は IETF JOSE WG で標準化されているJWSを利用しています。また、signed_request では、access_token 自体をsigned_request の中に入れていますが、OpenID Connect では、他のOAuth 2.0 サイトとの互換性を考慮して、外出しにしています。

[3] 原文: Great post by John Bradley on the huge security hole many IDPs have created by using plain OAuth, instead of OpenIDConnect, for authentication. We need to keep hammering away on this point both so IDPs realize the security problems they are creating for their partners, and to get RPs to realize how easily they can compromise their own security just because of the lack of a few additional lines of code. Years ago when Google first launched its proprietary equivalent of OAuth, called AuthSub, we had a big section at the bottom warning people not to use it for authentication for exactly this reason. (source: https://plus.google.com/u/0/102425765611793764729/posts/UKcZQzuvosQ )

[4] 乗っ取られたとしても何も起きないのならば良いのですが、ユーザの個人情報を貯めてたりしたら、当然個人情報漏えい事件になりますよね。

[5] 太字部分、2/3追記。

[6] （2/3追記）攻撃者であるSite_Aが、自分あての access_token を他の人に渡すのは、Site_Aが自分でアクセスした結果を渡すのと得られる結果は同じです。したがって、GraphAPI/Resourceの提供者の立場からしたら、Site_A用の access_token を Site_Bが使うことは、別にリスクが増加していることにはなりません。

Identity Commons: NSTIC Moving Forward with Pilots and Steering Group

2012-02-02T00:28:43Z

The following announcement was just sent from NIST's Jeremy Grant, with important updates on the coming NSTIC funded pilots and plans for constituting a Steering Group, among other updates. We'll be providing information on these items and more over the next several days. Looks like 2012 will be the year NSTIC begins true implementation. Dear NSTIC [...]

Ping Talk - Ping Identity: This Week in Identity - Take 2 at G+ for names and nyms

2012-02-01T22:04:00Z

As Google+ continues to grow, reason prevailed over insanity: they relented on their silly pseudonym policy. Sort of. Read the official announcement and rationale from Google’s Bradley Horowitz, then read Identity Woman’s reaction:

Toward a more inclusive naming policy for Google+
“Today we’re pleased to be launching features that will address and remedy the majority of these issues. To be clear - our work here isn’t done, but I’m really pleased to be shipping a milestone on our journey.”
Identity Woman: The new Google+ Names process

There were several other items of interest to the identity community (click more for the list and links):
[More]

Identity Commons: ID Collaboration Day Will Happen in San Francisco the Monday before RSA !

2012-02-01T17:57:30Z

This is an important opportunity to collaborate for all members of the Identity Community so please update your schedule and try to attend. For More Information Click Here

Gerry Beuchelt - MITRE: Doing the Security Thing

2012-02-01T17:02:30Z

In a very refreshing article, Brendan Williams talks about the fallacies of securing systems based on compliance models, with an army of clerical staff working checklists to determine the security architecture for a new system. For a lot of my cyber security related activities, I have been trying to implement a risk management approach, where a security architecture is firmly rooted in the evaluated threats, their likelihood and impact, and most cost effective mitigations.

To address the problem, NIST has provided the SP 800-30 risk management process for some time now. And while high-level threats are very application specific, the National Vulnerability Database provides a low-level overview for what vulnerabilities a threat actor could attempt to exploit.

Phil Windley - Kynetx: Place-Based Networks

2012-02-01T14:32:04Z

Here's a thought-provoking piece on place-based networks from Gideon Rosenblatt.

Imagine if the Internet worked the way the real world does - and that physical places still helped build connection and community. That's the idea behind Place-Based Networks; it's mobile, social technology to help you connect with people based on your shared interest in a place.
From Place-Based Networks: A New Kind of Social Network » Alchemy of Change by Gideon Rosenblatt
Referenced Wed Feb 01 2012 07:27:40 GMT-0700 (MST)

I imagine that our personal event networks could help with that. If your personal event network knows where you are and what venues you frequent, it can automate things like tagging in your communications, negotiating meet-ups, and so on.

George Fletcher - AOL: OpenID Foundation Elections in Progress

2012-01-31T22:22:00Z

The election of two new Community Board members for the OpenID Foundation is now in progress. The current list of candidates includes:

Axel Nennker
George Fletcher <-- That's me :)
Greg Keegstra
David Marceau
Patrice Vuillard
Sébastien Brault
Yosef Vuillard

If you are an OpenID Foundation member, please log into the OpenID Foundation and exercise your right vote! You can easily sign up for an individual membership for only $25 US.

I'm excited about OpenID's future with the release of the OpenID Connect implementor's draft specs. This body of work is important for moving OpenID from just a federated authentication solution to one that can solve many identity authentication and authorization use cases. These use cases are not limited just to non-risk transactions but can cover higher levels of assurance as well.

Adoption is going to be critical in the next two years and that's one of the reasons I'm running for one of the available board seats. Adoption is more than just OpenID Connect implementations; adoption includes moving beyond low-risk transactions into higher value use cases and really providing convenience and security to consumers. Whether this is a goal that can be accomplished in the next 2 years remains to be seen, but it's a goal worth shooting for.

Of course I'd appreciate your vote!

Phil Windley - Kynetx: In Class Exercise

2012-01-31T16:15:04Z

We did an in class exercise today that will continue for the first part of Thursday on the Fast Flower Delivery use case. If you missed, do it on your own before Thursday and show me you work.

Matt Pollicove - CTI: Calling all Dispatchers

2012-01-31T14:27:28Z

There are two items of general NetWeaver Identity Managementmaintenance that I get asked about frequently.

How do you prevent deadlocks
What is the best way to configure my dispatchersin IDM?

All too often these issues are actually related asinefficient dispatcher setup can cause database deadlocks. In this blog entryI’d like to recommend some possible architecture scenarios that will help outwith this. For the purposes of this discussion, we’ll be talking about aNetWeaver IDM 7.1 installation on Microsoft SQL Server 2008 R2. According to Microsoft:

A deadlock occurs when two or more tasks permanently blockeach other by each task having a lock on a resource which the other tasks aretrying to lock. The following graph presents a high level view of a deadlockstate where:

· Task T1 has a lock on resource R1 and hasrequested a lock on resource R2.

· Task T2 has a lock on resource R2 and has requesteda lock on resource R1.

· Because neither task can continue until aresource is available and neither resource can be released until a taskcontinues, a deadlock state exists.

Attaching multiple dispatchers to the same task would thenseem to create the potential for deadlocks to occur in the database,particularly if they are all trying to access the same rows in the various IDMtables. But wait, we’re supposed to be able to do this to encourage HighAvailability, Load balancing and failover, so what gives?

Well the secret lies in the architecture, of course. If therequests come from separate physical hosts, it is much easier for the both IDMand the database to manage the threads and requests. Let’s look at a couple ofexamples. First here is a basic dispatcher setup assuming one server with acouple of dispatchers on it.

This setup is OK since each dispatcher (D) is connected to adistinct Job (J) or set of jobs. Sometimes there is a need to have aconfiguration like this, which usually something like one dispatcher for provisioningjobs, one for housekeeping(HK) and one that provides some sort of elevatedaccess for Directory Services(DS) access.

Based on this there might be a temptation to set up thedispatcher/job relationship to look something like this to provide additionalfail over and support for some specific jobs. Consider the following examplewhere I outline a scenario with a crossover between multiple dispatcherspointing to jobs in a many to one relationship:

This scenario is exactly what we do not want to have as itis most likely to create a deadlock scenario as having multiple dispatchers accessingthe same jobs that are accessing the same database resources. What we have hereis a potential for deadlocks as the system is trying to manage multipledatabase resources (rows) at the same time.

What tends to compound this situation is the way that thedatabase is being accessed. Using the To Identity Store Pass creates the leastamount of deadlock strain on the system, since this is under the direct controlof the workflow system and its dispatchers, while using techniques such as the uIS_SetValue function, that can becalled from anywhere, at any time, create the greatest possibility as thesystem is managing standard job based access with unforeseen access via uIS_SetValue.

This scenario should be replaced by something like this:

In this case the potential for deadlocks is significantlyreduced since there is separate management of the database connections. It alsoprovides a degree of load-balancing and failover since if the D₁ or D₃Dispatchers are busy or unable to process an assigned task then the D₄or D₅ dispatchers respectively can take over. A good resource forthis can be found in the SAP document SAPNetWeaver Identity Management Identity Center Implementation Guide OptimizingDispatcher Performance.

What also needs to be recognized is that it’s not always asmuch “where” the requests come from, but when the requests come. Care should betaken to monitor the frequency and duration of the larger and more intensivetasks and workflows to make sure that the more involved tasks do not run at thesame time (For example the HCM load should probably not happen the same timethat the Directory Service reconciliation is occurring). These should be thefirst candidates for having their down dedicated dispatchers if there is a needto run them on similar schedules and this cannot be avoided.

Given all of this, the thing to remember when consideringdispatcher allocation is to make sure that there are not multiple dispatchersthat are competing for the same set of Identity Store resources at the sametime. As long as this is kept in mind when setting up dispatchers, thepossibility of deadlocks is minimized.

A related question to this is how many dispatchers are neededto assign for provisioning and de-provisioning operations. I have always used25,000 objects per dispatcher as a general rule. Based on this the scenarioshown above would be good for an enterprise where there are a maximum of 50,000users, roles, privileges or groups that are being managed in any given task.

As a final note, it is a good thing to remember that thedispatchers do not need to be installed on Microsoft Windows based systemsonly. Any UNIX/LINUX environment is just fine for setting up IDM Dispatchers.For more information, check out the SAP document: HowTo: Setting Up An Identity Management Dispatcher On A Unix Host Flavor.

Kuppinger Cole: Product Research Note: Blackbird Management Suite - 70402

2012-01-31T13:07:49Z

In KuppingerCole

The Blackbird Management Suite is well architected and is designed to include high levels of integration with the existing support modules for Active Directory and the Windows Server File System. The administrative interface for Active Directory makes use of the Windows Snap-in architecture for 3rd party products with the Microsoft Management Console (MMC). The File System management is done through an extended explorer thus maintaining the familiarity with the...
more

Kuppinger Cole: LinkedIn – the next bad guy

2012-01-31T12:10:28Z

In Martin Kuppinger

Last Friday, I received two identical emails from LinkedIn contacts informing me about changes in the privacy conditions of LinkedIn. Without user consent, LinkedIn is now allowed to use names and pictures of the users in advertisements. Users can revoke the permission in a simple way (see below). However, what LinkedIn has done raises the question whether the providers of today’s social networks never will learn their privacy lessons.

LinkedIn once again has shown the fundamental misunderstanding of social network providers, that all data therein is their data. However, it is the data of the users, not of the social network. There are some upcoming approaches like personal.com which change that paradigm and give users control over their data. Changing privacy policies in a way like LinkedIn just shows that they probably never will understand this.

But even when you look at what LinkedIn has done from a business perspective, it doesn’t really make sense. What is the value of using the names and pictures of users in advertisements? I don’t believe that it is a really big value. However, changing privacy policies without informing users and without asking for consent automatically has led to a lot of negative reactions, like mails LinkedIn users are sending to their contacts to inform them about this change or like press articles and blogs. To me it appears that the negative impact is far bigger than the positive outcome of that change.

LinkedIn has successfully managed to change its image from being a fairly serious network for business professionals to being just another bad guy like Facebook and the others. Maybe they will learn from the reaction of their users, but, I doubt that. It looks like the classical social networks which build their value on the understanding that everything we enter is automatically theirs, won’t ever learn that lesson. At least not until other concepts become sufficiently successful to drive them out of the market. But then it might be too late.

To change the privacy settings use the following steps:

1. Place the cursor on your name at the top right corner of the screen. From the small pull down menu that appears, select “Settings”

2. Then click “Account” on the left/bottom

3. In the column next to Account, select the option “Manage Social Advertising”

4. Finally un-tick the box “LinkedIn may use my name and photo in social advertising”

5. and Save

Kuppinger Cole: Evil, or just different

2012-01-31T12:01:58Z

In Dave Kearns

Well that didn’t take long.

Less than a week after I predicted that “2012 could be a very good year for privacy,” Google announced a new privacy policy, one which would apply across almost all of its services. Far from being seen as a good thing, though, the initial reaction was a large outpouring of grief by the privacy community. Even the general media portrayed the move in a dark light.

The Washington Post, for example, was quick to point out that “A user signing up for Gmail, for instance, might never have imagined that the content of his or her messages could affect the experience on seemingly unrelated Web sites such as YouTube.”

Some of the headlines for the stories about the change:

Google Privacy Change Provokes Outrage (Information Week)
Use Google? Time to Get Real About Protecting Your Digital Self (The Atlantic)
How to close your Google Account (The Washington Post)
Google’s New Privacy Policy Raising Questions in Washington (AdWeek)
Google changes privacy policy to make the company one big product (VentureBeat)
Google Changes Again, Launches One Privacy Policy to Rule Them All (Mashable)
Google’s new privacy policy: Is this war? (KPCC radio)
Big Brother? Google’s new privacy policy creates one massive database (Tecca)

And there’s many more just like them.

Common Sense Media claims to be “…dedicated to improving the lives of kids and families by providing the trustworthy information, education, and independent voice they need to thrive in a world of media and technology.” Their chief executive, James Steyer, was quoted in the Washington Post article as saying: “Google’s new privacy announcement is frustrating and a little frightening. Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out — especially the kids and teens who are avid users of YouTube, Gmail and Google Search.”

Of course, everyone does have the option to “opt out,” by not using the service. Well, there is another way, which I’ll tell you about later.

Not all of the media was negative, though. Forbes magazine noted in its headline: “Internet Freak-out Over Google’s New Privacy Policy Proves Again That No One Actually Reads Privacy Policies”.

Google isn’t going to be collecting any more, or any different, information with this policy change. As explained in a Google blog entry (by Alma Whitten, Google’s Director of Privacy, Product and Engineering): “…we still have more than 70 (yes, you read right … 70) privacy documents covering all of our different products. This approach is somewhat complicated.” So the company is taking 60 or so of them (the others have legal reasons to be kept separate) and rolling them into one which “…covers the majority of our products and explains what information we collect, and how we use it, in a much more readable way.”

As a consequence of this, the new policy “…makes clear that, if you’re signed in, we [i.e., Google] may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products.”

Again, nothing new will be collected; it will simply be amalgamated into one record rather than 2, 5, 15 or more under the current policy. Will this help users, or hurt them?

The jury is still out on that, of course, but I personally believe it will help many more people than it might possibly hurt. The telling point is who gets to see that accumulated data.

As the above cited blog post notes, “We remain committed to data liberation, so if you want to take your information elsewhere you can. We don’t sell your personal information, nor do we share it externally without your permission except in very limited circumstances like a valid court order. We try hard to be transparent about the information we collect, and to give you meaningful choices about how it is used.”

Ah, so how will it be used?

Generally, Google’s critics and the company itself agree that the data will be used to personalize your experience across the multiple Google platforms (search, Gmail, Google+, YouTube, Android, etc. – each of those “70 plus” privacy policies referenced earlier refers to a different service/platform). Some see that as, well, in Gizmodo’s words: “The End of ‘Don’t Be Evil’.”

Google, though, thinks this will – for the great majority of its users – improve their on-line experience and improve it dramatically.

Not only will the search engine know more about what you’re searching for (if you enter “Jaguar” as a search term, do you mean automobiles or wild animals?), but it can tailor the advertising you see (and you will see advertising) to your tastes and desires. So if I enter “Mannequin Pis” as a search term (or to find pictures) I might see that priority is given to the famous Brussels statue or it might be to the restaurant in Olney, Maryland (about 10 miles from my office). The deciding point might be where my Android phone indicates I’m located at the time I search.

Some people find that “creepy.” I’m not one of them.

For twenty years I’ve been waiting for a personalization service like this. It was one of the reasons I became so interested in directory services and, later, identity services. It’s the promise of being my personal assistant, in theory, that’s finally being delivered.

One example that Google’s Whitten points out: “We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day.” She could have added that emails could be automatically sent to other others scheduled for that meeting letting them know you would be late – and actually reschedule the meeting knowing what their calendars look like and approximately how long it will take you to get to the office. I find that to be an excellent use of technology. If it also means I’ll see more ads for cruises, antiques and restaurants (things I’m interested in) and fewer for shoes, fast food and skiing (which I’m not interested in) then I consider that a plus.

Now, if Google was going to package this information and distribute it to its advertisers or sell it to other third parties to do so, then I’d be in the forefront of those protesting – and I’d quite possibly be looking to replace those Google services I do use. But they aren’t. Google’s policy regarding this data stays the same, “We don’t sell your personal information, nor do we share it externally without your permission. [emphasis added]” No one has ever shown that Google violates this pledge.

Forbes’ Kashmir Hill sums it up best, I think: “When Google starts bundling everything it knows about its users and selling that to insurance companies, background check companies, and the Department of Homeland Security, that’s when I’ll trot out the ‘evil label.’ But using information from Gmail to suggest more appropriate YouTube videos or reminding an Android smartphone user that they have a Google calendar appointment in a half hour on the other side of town doesn’t strike me as the work of Lucifer.”

I did promise you a way to stop Google from amalgamating all of your data, didn’t I? It’s quite simple, just create separate accounts for the services you want to keep separate – Gmail, YouTube, Picassa, what have you. Google can’t force you to put every service under one account, so you can do this to maintain relative privacy – just remember which accounts cover which services!

In other privacy news, the EU has proposed updated regulations covering data breaches and the mis-handling of personal information. Companies could face penalties as high as 2% of their yearly global sales (not just EU sales) but, on the plus side, companies would now only have to deal with the privacy agency of the country they’re headquartered in rather than face all 27 EU data-protection agencies. So, stricter rules, bigger “teeth” in the law but easier compliance – it’s too soon to tell if this is a plus or a minus – and for whom.

Finally, a new debate is starting in the US about privacy and healthcare. Some have proposed what’s called a universal patient identifier, or UPI – a single unique health-care identification number for every inhabitant. This would be very useful for doctors, emergency workers, hospitals, pharmacists – and patients. Proponents say UPIs not only facilitate information sharing among doctors and guard against needless medical errors, but may also offer a safety advantage in that health records would never again need to be stored alongside financial data like Social Security numbers. Privacy activists say the data would be collected and sold to third parties causing a rise in distrust of the medical profession and a deterioration in care. Expect this debate to go one for quite some time.

Here at KuppingerCole we’ll be following these issues – as well as all identity privacy issues – as they play out round the world.

Kuppinger Cole: 13.03.2012: Access Risks - from SAP to the Outer Space: an Identity & Access Governance Journey

2012-01-31T11:27:45Z

In KuppingerCole

Access Governance applies across the entire application landscape, but has the largest impact on SAP where key business processes are managed. As SAP pose unique Access Security needs, it tends to be left in isolation. This webinar will explain how to address SAP specific needs without losing the benefits of an Enterprise wide Identity & Access Governance implementation.
more

Mike Jones - Microsoft: OAuth 2.0 Bearer Token Specification Draft -16

2012-01-30T23:56:45Z

Draft 16 of the OAuth 2.0 Bearer Token Specification has been published. This version contains a proposed resolution to the auth-param syntax issue that has been reviewed by Julian Reschke, Mark Nottingham, and the OAuth WG chairs. It also addresses the Gen-ART review comments by Alexey Melnikov.

It contains the following changes:

Use the HTTPbis auth-param syntax for Bearer challenge attributes.
Dropped the sentence “The realm value is intended for programmatic use and is not meant to be displayed to end users”.
Reordered form-encoded body parameter description bullets for better readability.
Added [USASCII] reference.

The draft is available at:

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16

An HTML-formatted version is available at:

http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-16.html

Kuppinger Cole: 28.02.2012: Access Governance richtig gemacht: Investitionsschutz und zielgerichtete Weiterentwicklung

2012-01-30T18:01:33Z

In KuppingerCole

Access Governance – dieser Begriff steht für Lösungen, mit denen sich Zugriffsrechte besser steuern und kontrollieren lassen. Die regelmäßige Re-Zertifizierung und damit Überprüfung von Zugriffsberechtigungen gehört ebenso dazu wie analytische Funktionen für den Status von Zugriffsberechtigungen und Rollenmanagement-Funktionen. Die Lösungen müssen aber auch das Management von Zugriffsberechtigungen mit einfachen Bestellfunktionen für Berechtigungen durch Endanwender und damit auch eine gute...
more

CA on Security Management: Cloud IAM Services-Everyone’s New Punching Bag

2012-01-30T15:36:00Z

Any new product or technology is invariably accompanied by certain levels of skepticism and cynicism. Whether it is the latest smart phone lacking a certain mega-pixel camera or a new version of enterprise software not supporting a given operating system or standard, critics will always appear to question these new products' viability. As we enter 2012, cloud computing, or more...

Travis Spencer - Ping Identity: A Manageable System for Managing Passwords

2012-01-30T12:11:52Z

Tons of passwords are an unfortunate reality. I'm working hard every day to reduce the number of passwords that we have to use around the Web. Till it gets to a management number though, we need a way to cope. Everyone has a technique -- some put their passwords in a spreadsheet, others write them on post-its stuck to their computer screen, others use the same password(s) everywhere, some use a password manager in their browser. All of tese techniques have various security implications, however. We have to manage this chaos some how though, so the security issues are often disregarded. Is there a more secure way?

A better alternative would be one that doesn't require you to write anything down, isn't locked away in a computer that you don't have ready access to, and is unique per site and per account. One such technique is to create a set of steps, an algorithm, that you follow to create a unique password for every user account on every site that requires one. To do this, start by using something from the Web site that won't change, like the name; this is your "seed" value. For instance, your algorithm could be something like this:

Capitalize the first letter of the Web site's name and make the rest lowercase.
Take the first 4 characters of this name. If it is less than four characters, add underscores to make it at least four characters long.
Add some word that contains a symbol and a number and is easy to remember (e.g., P@nda1). The result is the password to use on the site.

So, using this sample algorithm, the password for CNN would be this:

Cnn
Cnn_
Cnn_P@nda1

For Spotify, it would be this:

Spot
Spot
SpotP@nda1

The result is a strong passwords that while difficult to remember is easy to reproduce because the necessary steps are memorable. There's a problem w/ this though. If a baddie ever sees just two of your passwords, they'll have a very easy time guessing any of your others because they are so similar. So, here's an easy fix that makes things more secure

Download an app to your phone that can generate a password from an input phrase. This app should produce the same password every time it's given the same input. It should produce passwords that includes uppercase, lowercase, numbers, and symbols. This app should not have permission to access the Internet. Some of the free ones require it, so they can download ads. Who knows though? They might also be uploading your passwords. An example of a good one for Android is Password Generator Pro.

Now, when you have to sign up for a new account and create a password, use your algorithm as described above. However, don't use that as the password. Instead, use it as input to the app. This will produce a random password from a phrase that's hard to guess but associated to the site you're visiting. With the the site-specific "seed," the common algorithm, and an app that's running on your phone which generates strong passwords, you'll have a pretty easy system for managing the chaos where you don't have to write anything down, each password is unique, and they can't be guessed.

Make sure you don't let people know your algorithm though or all this security breaks down.

If you have a better way to manage this mess or if you think there are issues w/ this system, leave a comment here or drop me a line.

Paul Madsen: New line of greeting cards

2012-01-29T20:57:26Z

Posted via email from Pre(posterous)

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 41

2012-01-29T06:03:27Z

This is a link to the presentation I gave to the Trust Elevation WG at OASIS, headed by Dr. Abbie Barbir. I might extend the time frame to post the reminder 59 thoughts around token trends (not within the 100 days) to late 2012.

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 40

2012-01-29T05:42:37Z

And also Microsoft supports a type of Access Tokens in its operating system.

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 39

2012-01-29T05:27:38Z

In the Data Tokenization space -- we need to go beyond simple data element tokenization (such as SS# and PAN) and leverage a Data Tokenization Platform such as the Intel Token Broker. The idea is to have a tokenized representation of all "data" resource - which includes a table, a db or directory. See the demo and read the papers. Such Data STS are also integrated into XACML based entitlement systems (such as Axiomatics and Oracle EM).

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 38

2012-01-29T05:21:09Z

Of course when you have major mainframe applications and mainframe batch jobs still in production, we need to extend the legacy RACF authentication of such legacy systems and specialized implementation such as eZtoken enables these tokenized representation.

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 37

2012-01-29T05:17:08Z

While OATH tokens are Authentication tokens we also have OAUTH tokens as access tokens. Amongst Access tokens we can have tokens such as an RBACtoken or a XrML token that offers tokenized representation of access privileges for a user. Very useful when access decisions are taken for multiple distributed resources and in collaboration with multiple access tokens.

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 35

2012-01-29T05:10:50Z

Similar to the approach taken by the SPENGO effort in the past (negotiated authentication), OATH is another initiative that aligns a few Authentication methods and tokens, such as; Standalone OTP generators, Smart Cards, USB Key FOBs, Software tokens and Trusted Platform Module (TPM) tokens via client negotiated framework with STS (secure token services). The power of OATH token is that it is a framework that is token agnostic and authN mechanism agnostic, and that it will have commercial implementations via Ping STS and others. Therefore if you see a OATH token in a STS representing a subject - you can expect that it is negotiated with the client application or application type before it is generated.

Kevin Marks: QR Codes: bad idea or terrible idea?

2012-01-28T17:43:47Z

People have a problem finding your URL. You post a QR Code. Now they have 2 problems. Or more:

They see a chunk of robot barf on your poster, and have to realise it isn't a crossword puzzle, but a QR code.
They need to take a digital photograph of it with their phone. If they have a laptop, even with a camera, this requires physical contortions
They need an application on their phone that can make sense of a QR code.
They need a lot of patience as they fiddle with it.
They need a working network connection to resolve it.

Conversely, with a URL they could type it in, take a photograph of it and type it in later, or if they have the right app, it will recognise the URL text from the image and make it clickable.

That is the irony of this. QR Codes ignore years of research and culture on how to communicate meaning in symbolic form designed to be captured by image processing tools behind a lens. We have this technology. It is called writing.

Written language has a set of symbols that are relatively unambiguous, that are formed of curves rather than hard edges making them resilient to noise, and have been market-tested for milennia. QR Codes don't just ignore this, they ignore the relative success of one dimensional barcodes. Notice something about a barcode? It has the number printed on it as well, so you can type it in if the scan fails. QR Codes don't do this, so it's far too easy to put the wrong one in, or fail to replace a mockup. Which is why so many QR codes link to Justin's site instead.

The only place you should use QR codes is if you have a dedicated reader for them, like a classic barcode scanner, and a workflow that is designed for this that actually saves time. If you do empirical research on using QR codes for the public, you'll likely see 80% worse performance than text like this museum did. By all means try the experiment and report your results. Put up a QR code and a printed URL and see which gets the most usage.

Or listen to others:

a majority of our respondents knew more or less what they were for, very few (n=2, or around 7%) were successfully able to use QR codes to resolve a URL, even when coached by a knowledgeable researcher.[..] A strong theme that emerged — which we certainly found entirely unsurprising, but which ought to give genuine pause to the cleverer sort of marketers — is that, even where respondents displayed sufficient awareness and understanding of QR codes to make use of them, virtually no one expressed any interest in actually doing so.

As Alexis Madrigal puts it:

Is it really faster and better to use a QR code that will direct you to part of a marketing campaign rather than getting a broader sweep of information by simply using the browser that you already use all the time on your phone? In the instant cost-benefit analysis I do every time I see a QR code, it has yet to make sense for me to fire up the decoder app I have installed on my phone.

QR code at the bus stop to get time of next bus. Really useful in the dark. Not. yfrog.com/mgicpqj
— Martin Geddes (@martingeddes) January 27, 2012

Paul Madsen: New line of greeting cards

2012-01-27T21:46:03Z

Posted via email from Pre(posterous)

Robin Wilton - Future Identity: Time for a rant...

2012-01-27T19:17:29Z

... about some really irritating developments in TV advertising.

I apoplogise in advance, but I think some of these peeves have been simmering for a while now, and it would be healthier all round if I can permit myself a little vent. There are two advertising trends at the moment which are really starting to grate.

The first is when the advertiser treats us like imbeciles, incapable of logical thought. Two examples:

1 - the dishwasher tablet which is sold on the premise that, if you don't use it, filth accumulates in your dishwasher's plumbing tubes and is then swilled around your cutlery and crockery, bathing them in a vile brew which is, by implication, not far short of raw sewage. Of course, being imbeciles we fail to notice that the pipes into the dishwasher come from the water main, and are presumably not already clogged with sewage; and the pipes out of the dishwasher do not convey anything back into it.

2 - the kitchen soap dispenser whose great selling point is that it includes a sensor, so that you can get your dollop of soap without having to do anything insanitary like press down on a squirter. Again, being imbeciles, we have never noticed that the first thing you do after pressing down on a (presumably plague-ridden) soap dispenser is... wash your hands.

Here's the enigma: are these advertisements fatally flawed, foolishly insulting their target market... or are they perfectly crafted, aimed precisely at a market of imbeciles?

The other irritant is a variant on the old "vox pop" technique. Classically, this involves a reassuring third party, such as an interviewer or someone in a white coat, getting totally spontaneous product endorsements out of enthusiastic consumers who are totally surprised at the effectiveness of the product.

The variant (toothpaste being far and away the worst offender) is that when sound-editing your vox pops, you have to remove tiny snippets of silence from between random words. The result sounds something like this:

"I had never realisedthat some things I eatevery day, suchas battery acid, can eataway at tooth enameland cause cavities andbrain rot."

Why? Why do they do this?

I am seriously considering applying for that job, snipping out the tiny gaps between words in fatuous vox pops. Then, like one of my literary heroes, Doktor Murke, I would splice them carefully together again and luxuriate in the resulting silence. Listening to it might even bring my blood pressure down again...

Robin Wilton - Gartner: GPS tracking and the 4th Amendment (Part 2…)

2012-01-27T14:58:53Z

My colleague Avivah Litan has given her insightful and thought-provoking read on the recent US Supreme Court decision here.

Avivah correctly identifies the “opt-in”/”opt-out” dichotomy as a critical element of the discussion. Tracking for law enforcement purposes needs, of course, to be set aside from the debate over user consent… but outside law enforcement – whether in the commercial domain or for public sector service delivery – I strongly believe that there should always be an opt-out available. In fact, my personal opinion is that “opted out” should always be the default, with an opt-in choice if the user wishes.

Of course, if there’s an opt-out, some of the people who exercise it will be virtuous, and some will not. There are those whose take the old “if you have nothing to fear, you have nothing to hide” view – but as anyone who has followed my blogging will know, that’s a view that I find misguided, harmful and pernicious. Avivah’s distinction between law enforcement and the commercial sector helps indicate one of the reasons why: it is clearly not the case that everything the law enforcement authorities know about me should, of right, be made public. Similarly, there are things which commercial service providers know about me which law enforcement authorities have no business knowing. The “nothing to hide, nothing to fear” brigade cannot cope with the idea that those who may seek to harm me can do so whether I have anything to hide or not.

In US v Jones, the Supreme Court was explicit about the citizen’s legitimate expectation of privacy. I tend to take a strong line on that. The ‘default setting’ is not that if I have nothing to hide, I have nothing to fear… it is that unless you have a provable, legitimate reason for doing so, you have no business meddling in my affairs.

Paul Madsen: New line of greeting cards #byod

2012-01-27T11:54:20Z

Posted via email from Pre(posterous)

Kuppinger Cole: Privacy by Design

2012-01-27T10:37:05Z

In Kuppinger Cole Podcasts

2011 was, once again, a bad year for privacy as data breaches releasing usernames, passwords, credit card details and even medical records continued to make news right through the end of the year. Time has proven that no amount of imposed regulation can protect privacy in the face of a determined hacker. What’s needed is what’s called Privacy by Design. Join us in this webinar, where Senior Analyst Dave Kearns will discuss with Ontario´s Information and Privacy Commissioner Dr. Ann Cavoukian,...

Watch online

Kuppinger Cole: Personal Data Vault – putting YOUR data in YOUR hands

2012-01-27T09:31:24Z

In Sebastian Rohr

I still remember the fun that was had when Dick Hardt first made his cool presentations on User Centric Identity Management and regaining control of who would access to what attribute of your multiple personas, be it online, at home or at work. We all know, that his company sxip identity failed because it did not gain enough momentum to monetize on the idea. Still, concepts such as the (also “failed”, much to my demise) Information Cards by Microsoft or the OpenID approach share some aspects of the sxipper product – putting you in control of your data. The current hype around the new EU privacy and data security legislation is putting some more focus to this!
Apparently, only very tech savvy users – geeks like you and me  – seem to widely adopt and use OpenID. I, personally was attracted to Clavid, a Swiss IDP who combines OpenID with the one thing missing everywhere else: Strong Authentication! Most of you know that this is sort of my pet topic here at KCP and so I was really amazed to see them offer Yubikeys, Avionics’ Internet Passport and even SwissID Government issued certificates as a means of strong authentication – making Clavid an early representative of the prospering “Authentication as a Service” market segment. Not prospering enough, I guess, as I did not see the Clavid guys buying fast cars and castles at Lake Geneva’s´ shores…
Anyway, the concept of letting us – the users/consumers/customers – decide on who gets access to which detail of my life and (digital) identity remains an unsolved issue. Be it the tedious task of filling out forms after forms to get your kid into day-care or getting new insurance for your car – you have to share information about yourself and your loved ones and wonder: do they REALLY need that info? And if so: why do they ask me the same questions over and over again?
Wouldn´t it be nice if more of these form-fields could be “auto-filled”, depending on your choice of what to disclose and what not? Wouldn´t it be great to have one common place to securely store all the insurance information, account information and whatnot? Just like putting your valuables in a bank deposit box (or your high-security safe in your secret lair downstairs, depending if you are a super villain or not)? You could even “compartmentalize” your life into stuff belonging to work/career (like digital versions of all your certifications and endorsements), your personal leisure activities (like memberships in sportsclub and your fishing license, Open Water Diver certificate), your kids info (school district, Headmaster contacts, the football team coach) and the list continues.
I recently tried to gather my families´ core identity data, such as passport and ID card numbers, SSN, healthcare ID, tax ID etc. and it took me full Sunday. Last week I did it all over again, as I misplaced the sheet of paper I used – pretty old school, don´t you think?
But all personal stupidity aside: wouldn´t it be great to use that “digital vault” full of your own personal data to actually ERASE all the personal detail that are stored at the gazillion of companies and organizations you interact with day to day? Why must I put my CC info and full address with “your airline of choice”, if I could use their services “pseudonymously” and only allowing access to those details “on demand” while I actually book a flight? Currently, if I lose my CC or it expires the internet economy burdens me with changing my CC info in each of the gazillion pages I do business with. Why?
I am looking forward to a (hopefully very near) future, where I can actually manage my data in one place and have those who need access to it authorized on a configurable basis. Sure, my employer should have continuous access to my bank account information! But if I am leaving – how can I make them erase that info on file today?
Look put for some colnew announcements and blogs on KCP on this – my colleagues will provide more info as it becomes “freely available”

Kuppinger Cole: Stopping a Clapper Over WikiLeaks

2012-01-27T09:24:01Z

In Tim Cole

The U.S. government announced plans to put in place within the next five years measures designed to make it impossible to pass on sensitive information to the likes of WikiLeaks. They hope to accomplish this by “tagging” information so it can be tracked in case someone shares it with outsiders.

The idea of creating “information-rich information” is obviously the right way to go in addressing privacy and security concerns in the Digital Age. It is possible, technically at least, to attach rules to individual pieces of information, such as who is allowed to do what with it and what happens if someone who isn’t authorized tries to access them or pass them on illegally. In fact, that is the whole idea of “information-centric IT security, a buzzword that is gaining popularity among Digital Identity Management experts and privacy advocates.

But by publically announcing their aim of stopping another WikiLeaks-style exposure of classified information just shows that the Official Mind has yet to grasp the real implications of the Digital Revolution. “Information wants to be free” was originally a clarion call by Internet activists who believed that transparency should be the hallmarks of an open society. In fact, the real motto is best encompassed in what I once dubbed “Cameron’s Law”, after Microsoft’s “identity guru” Kim Cameron, who once postulated that “sensitive information will be leaked”.

Yes, we all need to do all we can to protect privacy and guard crucial bits of information. But we should also be prepared for the worst. IT Security can create a false sense of confidence in our own defense mechanisms. At least as important as plugging holes in the dyke is to prepare oneself for the moment when the levees break and the floodwaters start to rise. Maybe “Remember New Orleans” would be a good slogan for security professionals to hang on their walls.

I found it particularly poignant to read the name of the official in charge of U.S. government efforts to create the Totally Secure System: Jim Clapper, the Director of National Intelligence, the mention of whom bring irresistibly to mind the old nautical expression about “clapping a stopper” over something, meaning to block something effectively. “Clapper” is actually the word for a safety valve – and as any engineer will tell you, the function of a valve is to let something out before the pressure reaches dangerous levels and pieces of stuff start flying around.

Of course, controlling the release of data so that only authorized individuals are able to see and use them is in fact what Identity Management is all about – or should be.

Phil Windley - Kynetx: Podcatchers for Smartphones

2012-01-27T04:29:05Z

As you might guess, given that I'm Executive Producer of IT Conversations, I like listening to podcasts. I'm also an iPhone user. Not to put too fine a point on it: iTunes sucks rocks for listening to podcasts. The problem is mostly that iTunes has a crappy interface for subscribing to and managing podcasts. It also downloads only one episode per day, with no way to change the defaults. Moreover it will stop downloading podcasts that you haven't listened to for a while and you have to remember to go in an start it up. I started feeling like I had to "take care of iTunes" like it was a recalcitrant pet or something.

For some reason, it never really occurred to me to download an app for listening to podcasts, although I've downloaded several single purpose ones (like the This American Life app). Then Paul Figgiani introduced me to Downcast. I'm in love. I no longer have to fight iTunes and all my favorites are right there waiting for me to listen to them when I go for a walk or drive to work. The interface is good, with plenty of controls for skipping forward and back or adjusting the playback speed. I also like the built-in "share" features although I wish they allowed me to customize the default text for the share.

Unfortunately, Downcast isn't available on Android. I have an Android tablet (Galaxy Tab) that I've used Google Listen on. It's a functional podcatcher, albeit a little bare-boned compared to Downcast: no speed or skipping controls and no built-in sharing.

So, go grab Downcast, plug in the IT Conversations feed URL and enjoy great tech talks from the longest running podcast on the planet...no matter where you're at.

Identity Commons: Registration Now Open for 2012 NIST/NSTIC IDtrust Workshop

2012-01-26T21:06:54Z

March 13-14, 2012 at NIST in Gaithersburg, Maryland. This promises to be an important event for the digitial identity community and perhaps a milestone in progress on the National Strategy for Trusted Identities in Cyberspace (NSTIC). Don't Miss Out – Online Registration is NOW Open Click here for further details

Johannes Ernst - NetMesh: What I Expect From Customer Support

2012-01-26T20:59:16Z

1. I expect you hear what I’m saying (or typing), and not ignore the essence of it. Example: If I say “I want to cancel my account”, you cannot respond: “I understand you are having trouble with your account.” That’s not what I said. 2. I expect that you respond in a timely manner. Example: [...]

Robin Wilton - Future Identity: EU cookie regulations and consent

2012-01-26T14:57:01Z

As you are probably aware, a revision to the EU's e-Privacy Directive was recently transposed into UK law as the Privacy and Electronic Communications Regulations 2011, or PECR. PECR means that, as of May 26th 2011, UK websites are required to obtain users' informed consent before tracking their online behaviour through means such as cookies.

Well-meaning though this legislation may be, there are a number of practical issues with its implementation. As it has never been my intent to invade, subvert or otherwise compromise your privacy, this post is a brief indication of some of those issues, and the possible impact on you as a visitor to this blog.

First, jurisdiction: is this a UK site? Well, I'm located in the UK, and it's my blog, so I'm going to behave as though it is and assume that PECR 2011 applies to it and to me. However, as Blogger belongs to Google, and Google are notoriously reticent about revealing the location of their data-centres, I have no idea where this blog is actually hosted. I suspect a lot of individuals, small/medium enterprises and organisations are in the same position: wherever they are, their websites may or may not be hosted in the UK, and that may give rise to some question as to whether or not PECR can be enforced.

Second, enforcement. The UK ICO has, allegedly, been 'pressured' by the UK government not to enforce PECR, at least for a year while companies figure out what to do about the law. On the one hand, I have little sympathy with this: EU legislation moves at a pretty normal pace for law-making, and PECR has been inching its way down the legislative alimentary canal for many months now. Its emergence should not have come as a surprise to anyone.... but let's not take that analogy any further. On the other hand, there's no doubt that the mechanisms for doing a good privacy-respecting job of gathering user consent are sadly lacking. Of course, as the only viable candidate for deploying such mechanisms is the browser, and as the dominant browsers on the planet are all developed outside the EU, that shouldn't come as a surprise either. On the third hand (as Zaphod could have said) why in Zarquon's name didn't Viviane Reding and her merry band of legislators think of that when they were designing the amendment?

Third, practicality. I do use a couple of counters to track visits to the blog: as you can see, there's a ClustrMaps graphic on the page, and though you can't see it, Statcounter is also enabled. For those two tools, I can give you the following assurance: I never use them for anything other than an occasional look at how site traffic is trending over time. I sometimes look at the per-country breakdown of visits, and if I'm getting persistent spam comments I may look at the IP address of a specific visitor. However, I never use the tracking details for any other purpose, and never knowingly disclose them to any other entity. I don't use Adwords or Affiliate Network, nor is it my intent to do so.

However... it is entirely possible that Blogger, as the host of the blog, gathers statistics about both my use of it and your visits to it. Over that, I have no control. Again, I suspect that many, many individuals, organisations and small/medium businesses are in the same position - and as 'cloud' computing continues to grow, that situation will grow with it.

That leaves me with two problems:

1 - if you don't like the relatively minor use of cookies I do make on this site, and/or don't trust my promise not to abuse the data collected, I'm afraid I don't have any practical way of gathering your consent (or withdrawal of it). Nor do I have a way of turning cookies off for you while still somehow keeping an eye on site usage. By all means block or delete my cookies at your end, if you have the means to do so; I won't be offended (in fact, I won't even know), and as far as I am aware, it won't affect your ability to browse the site.

2 - if you don't like the idea that my hosts (either for this blog, or for my website, for instance) may also be setting cookies, I can sympathise, but there's very little I can do about that. Nor do I think there's any reasonable expectation that they will ask for your consent via my blog. If you have a problem with that, please leave a comment, and then we can both stare at it and wonder what to do next...

So, what can we expect from the PECR 2011 amendment?

Will it immediately change the way in which companies track your online behaviour? No.

Will it change the way browsers handle cookies and consent? Possibly, over time.

Will it advance the debate over online privacy: I sincerely hope so, even if it's only through increased discussion, as opposed to immediate improvement.

Will it resolve the tension between technologists who see the law as an inconvenient obstacle to commercial progress, and legislators who don't understand the technology but want to be seen to be doing something? No. That, regrettably, is something we're stuck with for the foreseeable future. Welcome to Aldous Huxley's world.

Paul Madsen: New line of greeting cards #byod #mdm

2012-01-26T11:21:03Z

Posted via email from Pre(posterous)

Drummond Reed - Cordance: The Fundamental Flaw in SOPA and PIPPA

2012-01-26T04:44:06Z

After all the raging debate about SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act), the fundamental flaw in both is captured succinctly in this public letter to Senator Orrin Hatch from Phil Windley, Kynetx CTO and author of The Live Web, on his Technometria blog.

Thanks for summarizing the problem so nicely, Phil. And a tip ‘o the hat too to Cory Doctorow, whose talk on the subject Phil credits as well.

Incidentally, Phil’s point that we don’t need new laws governing technology, we need to enforce existing laws about harmful behaviour, explains why Connect.Me created the Respect Trust Framework. It is the legal fabric of a “purposeful network” where the incentives are so strong not to violate the trust of others that we will not have the kinds of rights violations that SOPA and PIPA are trying, misguidedly, to address.

Drummond Reed - Cordance: AT&T Are You Reading Your Own Emails???

2012-01-26T03:16:54Z

When I upgraded to the iPhone 4S the day after Christmas (it was really an Apple Christmas in my household this year), I made the difficult decision to stick with AT&T.

My experience with routinely dropped calls has been just as bad as anyone else’s, so ever since Verizon got the iPhone I was convinced I’d switch when I upgraded (the rest of my family has been on Verizon for years).

But in the end, my grandfathered data plan plus the convenience of being able to use voice and data at the same time plus the investment AT&T is making in 4G made me decide to stick it out another 2 years.

So I really, really wanted to believe AT&T is at last getting its act together.

And then I receive this post-sale email from AT&T with the subject line Let’s Talk about your new iPhone. In the body they offered links to a host of helpful tools:

Thinking it would be wise to watch a tutorial (just to see if there’s anything else I should know about my new 4S that my 16-year-old son — or the wonderful Siri — hasn’t already showed me), I clicked the first link.

The result was not the iPhone tutorial I expected, but a generic web page titled Cell Phone and Interactive Device Tutorials. I think to myself, “That’s dumb – why not just link directly to the iPhone tutorial like the link said?” But what the hell, maybe AT&T’s websites are so poorly designed that they didn’t allow internal linking. So I dutifully clicked the Manufacturer drop down to choose Apple, and…

…WTF??? NO APPLE!!!!!!!

Poof. There went the tiny puff of faith I had left in the AT&T turnaround.

I mean, COME ON, AT&T, DO YOU HONESTLY EMPLOY NO PROOFREADERS FOR AN EMAIL YOU SEND TO ALL NEW IPHONE CUSTOMERS WITH A LINK TO AN IPHONE TUTORIAL THAT DOESN’T EXIST???

Please tell me what happened here. I invite anyone from AT&T to reply as a comment to this post so I and anyone else reading this will have some clue what’s going on with you.

Sincerely,

– A Customer Who Really Wants to Believe He Didn’t Just Throw Away 2 More Years of Service

Kaliya Hamlin - Identity Woman: The new Google is Creepier then ever.

2012-01-26T02:54:23Z

The Washington Post has an article today that talks about what google is doing as of today:

Google’s no-opt-out privacy changes and the end of the anonymous Internet

Google announced Tuesday its plans to integrate data from all its services with your profile for logged-in Google+ users.

She makes this assertion in the early part of the article.

The Internet, nowadays, is overwhelmingly dominated by fora in which you hang out as your actual self. Facebook. Twitter. And now, Google.

While I understand her assertion that the net is "dominated" by these fora. There are two assumptions one is that the people in those places are being 'Their actual selves" when the research shows that people are being thoughtful and careful about how they present in different places and what aspects of themselves they share where (see danah boyd's research about young people and networked publics). I think in one way she is right the people like her - who went to college and have mainstream white collar jobs are on these fora with their real names but most people who actually do interesting hobbies or have religious lives that they don't share publically or across all contexts of their lives either are not sharing about these on those fora or they are keeping them contextually separate using different names and handles.

This weekend at She's Geeky I am going to ask a lot of questions of the women coming about how they do manage their identities and what they want and need out of digital systems to feel safe using them.

Tie actions online to our real identities, and suddenly online activity has real-world consequences.

This is very true and unless we build tools that give people both persona management and context management we are going to be creating a really creepy world. See my TEDx Talk on Participatory Totalitarianism.

Ping Talk - Ping Identity: This Week in Identity - Another group of purpose maximizers

2012-01-26T01:39:24Z

At Ping Identity, our culture and values are everything. Our good friend, Nishant Kaushik, relates that the same is true at Identropy. He explains their drive to maximize purpose. Also, check out the great video about one of his favorite books, Drive, by Daniel Pink.

Nishant Kaushik: We Are Purpose Maximizers!

There were several other items of interest to the identity community (click more for the list and links): [More]

Kaliya Hamlin - Identity Woman: Getting Started with Identity

2012-01-25T21:13:20Z

Welcome to the Identity Woman Blog. Here are some links to help you get started on understanding identity on the internet:

My Personal Saga with Google in the [psuedo]NymWars to use the name I choose on their service - annotation of all my posts.

National! Identity! Cyberspace! Why we shouldn't freak about NSTIC on my Fast Company blog.

Government Experimenting with Identity Technologies on my Fast Company blog.

My speech at the Digital Privacy Forum in January 2011 articulating a vision that goes beyond "Do-Not-Track" vs. Business as Usual, creating a new ecosystem where people collect their own data.

The National Strategy for Trusted Identities in Cyberspace asked industry leaders to share their ideas on how the Identity Ecosystem should be governed and managed. I wrote a response that covers much of the history of the user-centric community along with a vision of how to grow consensus.

Core User-Centric Identity Concepts Videos on the NSTIC.US Education Page (be sure to scroll down), including Identity, Authentication (AuthN), Authorization (AuthZ), Verification, Enrollment, etc.

Organizations and Events I share leadership in:

Internet Identity Workshop #14 May 1-3 in Mountain View, CA. This conference has focused on User-Centric Identity since 2005.

Personal Data Ecosystem Consortium So far there are 16 startups focused on developing the new business opportunities for people collecting and getting value from their own data. We contributed to the World Economic Forum Rethinking Personal Data Project report Personal Data: The Emergence of a New Asset Class.

Identity Commons keeps all the organizations and groups working on user-centric identity linked together.

OASIS ID Trust Steering Committee representing Planetwork and people.

Kaliya Hamlin - Identity Woman: The Nymwars and what they mean: summary of my posts to date.

2012-01-25T21:11:03Z

UpDATE: Google relented a bit, however I am still waiting to see if my name of choice was approved. You can read about the process I had to go through here. The New Google Names Process

-----------------

For those of you coming from the Mercury News story on the NymWars exploding...

I STILL have my Google+ profile suspended for using a [ . ] as my last name. Prior to that I had "Identity Woman" as my last name and prior to that... before I ever got a G+ profile and since I started using Gmail and Google Profiles I had a [ * ]as my last name. [see the complete list of posts about this whole saga below]

It is my right to choose my own name online and how I express it. Names and identities are socially constructed AND contextual... and without the freedom to choose our own names, and the freedom to have different names (and identifiers) across different contexts we will end up with a social reality that I don't want to live in: Participatory Totalitarianism.

The last names that I have had during my life are Young, and currently Hamlin (my soon-to-be ex-husband's last name). I plan to have a last name of my own, different from either of those, within the next few years. I do not choose to "promote" this last name as the HEADLINE of my profile in Google - that is a representation of my professional self online. Yes, people walk up to me IRL (In Real Life) and say "Yeah! You're Identity Woman, aren't you" - yep . It is, believe it or not, a "common" name for me as the G+ "requirements" call for. Just like it is common for BotGirl Questi to be called that when she is in that persona online. Botgirl has the best collection of articles on the web about #nymwars and amazing art protesting what happened to her and all of us who have been suspended - comic book covers, songs re-written with new lyrics, impassioned monologs.

In the digital world "identifiers" are totally linkable across contexts - that is, different communities and contexts that would never meet In Real Life cross online with common identifiers. So if you don't have the freedom to choose which identifiers (name, e-mail address, phone number, physical address,) you don't have the freedom to keep identifiers in different contexts separate, and if you can't keep them separate, that means they are linkable. Without that freedom, you can't explore or be a part of niche communities of interest that are not mainstream or not appropriate for some other context you also belong to. Here are some examples:

the gambler at church,
the "crazy" ferret lady at work
the gardening gun lover
being part of a minority sexual community
proactive environmental activist working at a logging company
being a Buddhist in a part of the country where everyone goes to church on Sunday and doesn't talk about religion because they would be ostracized OR the other way around being a very devout christian in a part of the country where when they do inter-religious services they include everyone except christianity...and you just would rather your faith not be "public"
going out in the woods every few weekends dressed up like knights and ladies, while being in the Army Reserve on other ones.

This freedom to have multiple personas for multiple contexts, just like the right to vote for our government in a secret ballot box, is essential for a free society. If we do not fight for and maintain these rights, we will end up with Participatory Totalitarianism.

Google+ and my "real" name: Yes, I'm Identity Woman My first post on Google+ surprise to find my profile suspended.... I think this will all be over very soon.

Nymwars: IRL on Google Lawns. My idea to "occupy" the lawn of Google with a colourful range of folks who want the right to choose their names. I wrote this after I figured out a week into this that it wasn't going to end, and they hadn't just made a mistake.

danah boyd writes a very good post on How to design for social norms (and avoid angry mobs) all about the nymwars and what is/was going on.

August 8th Google Suspension Update - they now think I should wait for business accounts.

August 27th Let's try going with the Mononym for Google+

August 28th Google+ says your name is "Toby" NOT "Kunta Kinte"

This post was written after watching Tim O'Reilly talk to Bradley Horowitz the manager for social at Google. In it, Tim calls users asking for the right to choose their own name self-righteous and strident. I make a link to a classic American story, Roots, where Kunta Kinte, a man stolen from his village in Africa, taken to the United States, and sold into slavery refuses to take the name his slaveowner gives him, Toby - he is whipped until he accepts this name. I asked Tim and Brad if Kunta Kinte was self righteous for standing up for his own name... Tim said no, but that is a self-righteous question to ask.... well, that was on Twitter and a very interesting conversation followed with several tweeters, that resulted in Tim framing what was happening as a lynch mob against Google.... you can see that in this post.

August 29th - Is Google+ is being lynched by out-spoken users upset by real names policy?

Please also check out this post about "Tone and Silencing" to understand what the underlying dynamics are in this conversation and speaking up to the powers that be.

"Bonus suppression" Google runs YouTube and they took the clip of the movie scene down for "inappropriate nudity or sexual" - it has neither, it just made a dramatic point and made them look bad. In the clip Kunta Kinte is facing the camera with part of his chest showing being whipped from behind by a white man who is working for the slaveowner until he breaks. After repeating his name is Kunta Kinte when asked what his name is, he finally says... it is Toby.

August 30sh - One Month of the Gag by Google.

September 5th - Mononym officially not accepted. I am Kaliya - Google, Get a clue.

Posted Sept 9th.

Potential Future: Google-Zon

With the nymwars unfolding (Nym = Pseudonym , Anonymous and other varities on this theme) this video of the Google-Zon story in the year 2014 seems more prescient then ever.

EPIC in this video stands for the Electronic Personalized Information Construct

Please watch the video on the original site; the way it was done is amazing.

The computer writes a new story for every user (sound like the Filter Bubble?) everyone contributes and in exchange gets a cut of the revenue...

Relevant background

Who is Harmed by Real Names Policies developed by the Geek Feminism Community... prophetically I included in the response I gave to the Notice of Inquiry about governance of the Identity Ecosystem as outlined in the National Strategy for Trusted Identities in Cyberspace that I wrote, before I myself was affected.

Kaliya Hamlin - Identity Woman: The new Google+ Names process

2012-01-25T18:27:41Z

Today people were tweeting/writing about the new google+ names policies. Well. I just went through it and it involves many screens and an appeal into the Kafkaesqe googleplex that takes up to 3 days before they approve your name request. I think they should to this to EVERY user cause how do I know your name "is" David Smith...it just doesn't trigger their dictionaries prompting inquiry into the legitimacy of your name...Ok but I digress...lets see how this works.

First you are discouraged from changing your name and limited to the frequency you can do so. You have to click "change name" to do anything.

Then my Name doesn't meet their Names Policy (at least they dropped the name violation language).

I clicked on the "Click here" to submit an appeal

More are you sure....

Really sure you know what your name is....

Now you can fill out the form....

I put my e-mail address as Kaliya@identitywoman.net (yes I have that one).

I linked to my blog, twitter and a Read Write Web news article that refrences me that way.

For extra documents I uploaded the Laws of Identity that lists me in the opening paragraph amongst all my professional colleagues as "Identity Woman Kaliya." You know if you having your name listed in the thankyous of the Laws of Identity as your profile name on google - I don't know what will qualify.

Andrew Nash the head of Identity at Google is friends with a bunch of us in case you need to know the context Googlers - googling the laws to confirm my/their legitimacy.

Then you get this lovely confirmation....

We shall see...

UPDATE:

Not hearing anything at the e-mail address I submitted to them as my e-mail address. I re-appealed. And of course had to do extra cognitive work to not hit the very attractive blue "cancel" button along the way. This then appeared inside my profile page.

So we shall see....

Robin Wilton - Gartner: Interesting times…

2012-01-25T18:03:06Z

Well, it may have been a quiet week in Lake Wobegon, but in the privacy and policy domain it has been quite the opposite. Wikipedia and a number of other sites went dark in protest against SOPA/PIPA; the Feds took down the MegaUpload file-sharing site, alleging violation of piracy laws; Anonymous retaliated by taking down a slew of SOPA supporters; and the European Commission has just announced its new, pan-European Data Protection Regulation (link to PDF version).

But let’s not talk about that… let’s talk about the 4th Amendment. For those on the right hand side of the Atlantic, the 4th Amendment is the part of the US Constitution which establishes the individual’s “right to be secure from all unreasonable searches, and seizures of his person, his houses, his papers, and all his possessions”. Like any constitutional law, it has been subject to a great deal of interpretation in the 221 years since it was ratified, not least as the law tries to keep pace with new ways of “searching” and “seizing”.

The 4th Amendment is often considered to be the closest thing US citizens have to a privacy right, and it generally establishes the need for any violation of that right to be backed up by a judicial warrant. Of the current Supreme Court, Justice Antonin Scalia is the one who most commonly dissents from this view, holding that the “reasonableness” test can be satisfied without a warrant. However, in a judgement this week Justice Scalia joined with his peers in finding unanimously in favour of the need for a warrant.

The case at issue was US vs. Jones, and the Supreme Court ruled that US law enforcement authorities had violated Mr Jones’ 4th Amendment rights by fixing a GPS tracker to his wife’s car, and using it to track his movements. Mr Jones was, at that time, suspected of being involved in drug dealing.

The judges ruled that, in attaching the device to Jones’ car, the police had physically intruded into “a constitutionally protected area”, and that this ran counter to a legitimate expectation of privacy in that respect. Justice Sotomayor and Justice Alito both drew attention to the issues of keeping 4th Amendment protections in step with rapid technological change – not least, the fact that so many of our personal actions are tracked by commercial websites and hand-held devices.

The court held back from ruling on what other means of surveillance might violate the 4th Amendment rights, though it is clearly something they thought about in their review of prior case law. As a result, the two aspects I mentioned above (physical intrusion, and expectation of privacy) are very likely to be the basis of future decisions, if it should come to questions of whether, say, traffic camera data can be used to track a suspected criminal. There would be a strong argument that the installation and operation of traffic cameras does not involve intrusion into a constitutionally protected area, and that it does not infringe on an expectation of privacy.

Whether that will extend into the online domain of web tracking remains to be seen.

So much for the 4th Amendment… I’ll see your 4th and raise you one: in a quite separate case, a judge in Denver ruled that an individual could not claim 5th Amendment protection from a law enforcement request to decrypt data on her laptop. (The 5th Amendment is the one establishing, among other things, an individual’s right to refuse to give information which might incriminate them).

In this instance, the suspect declined to decrypt the contents of her hard drive on the grounds that it might incriminate her. The judge held that, even if the police did not know the specific contents of a specific document, the fact of its existence was a foregone conclusion, and that therefore the 5th Amendment did not apply.

I have to admit, I don’t quite follow that chain of reasoning, but like I say,the law is having a job keeping pace with technological change. It has been an interesting week, then… and I dont see the pace of change slowing down any time soon.

Andreas Åkre Solberg - Feide/UNINETT: Identity Federations Status Report – January 2012

2012-01-25T09:55:23Z

GÉANT Identity Federations currently have a lot of ongoing activities. Here is a summary of what we are working on, and the current status.

Federation Lab › Test Federation

Goal:

allow new SPs and IdPs to easily connect to a set of available entities that are available with no contract neccessary. Self-maintained.

Activity expected to be done April 2012.

Miro: Nothing to update.

Federation Lab › Monitoring and statistics

Miro: As I promised we’ve done preparations for using f-ticks with SSP in production in our federation. I’ll be able to report on that next month.

Federation Lab › SAMLtracer

A significant patch reveiced from Mark Dubrovnic. Some of the patches incorporated, some left. Including UI updates, and support for import export.

Some planned features: Notifications of SAML artifacts, support for IdP Discovery protocol.

Federation Lab › OpenID Connect

We’re making progress. In Februrary we’ll be able to connect the front-end test run UI with the backend test tool, and present to visible results.

There is an interop event in San Fransisco, then a new OpenID Connect meeting in Paris next to IETF. Roland is attending to IETF + Kantara meeting. Andreas might as well. We will have some demo available before that.

The backend test tool is able to produce test results for the initial simple test cases, it is tested against several OpenID Connect Provider implementations.

We’re planning on preparing test fascility for OAuth 2.0 in addition to OpenID Connect. That tool might be very useful for the VOOT work.

RedIRIS will perform an implementation of OpenID Connect that will be coordinated with the test fascility. RedIRIS already have experience and a library for Oauth 2.0, and will make use of that. They will also make an simpleSAMLphp module to make it very easy for enabling OpenID Connect support in an existing IdP or SP running SSP.

VOOT

Leif: Setup http://openvoot.org and prepared a drafted IETF templated spec.

Foodle: no updates.

UNINETT has implemented OAuth 2.0, and tested against Leifs implementation. Some problems, but we made it work. OAuth 2.0 support will be integrated into Foodle, this spring.

SurfNet: Ready to exchange OAuth keys with Foodle, is ready to also consume groups from Foodle as a client. Will implement OAuth 2.0 in second half of 2012.

Renater: Has already completed sympa VOOT OAuth 1.0 based implementation. OAuth 1.0 based implementation is made publicly available. Prepared to test against Foodle and SurfNet. Working on OAuth 2.0. Exepcted to be ready March 2012.

SAML2int

The SAML2int profile is being transferred to Kantara Initiative: Federation Interoperability WG.

Scot is will apply some minimal changes contribued by Ian Young.

Federated Provisioning

Mads Freek have been hired by Wayf to work on – mostly – Stinus.

Stinus is the ‘Federated provisioning and de-provisioning’ project originally proposed by WAYF, SURFnet & JANET as per the enclosed pdf.

A description – one month old – of the architecture is available here: http://code.google.com/p/stinus/wiki/StinusOverview?show=content

I expect to have a pre-poc up an running in week 6 and expect to update the description to reflect some recent changes – mostly the use of Gearman both inside core and as the protocol between Stinus components.

Working prototype within 2 weeks.

Wayf will ensure comatibility with connectors used from the Sun provisioning Framework, that also used in Netherlands. Wayf and SurfNet is in dialogue.

Remco has already done some work on Federated Provisioning, will also do much work in the year to come, but it will be funded by another project. Remco will share a deliverable related to the work on the mailinglist.

DiscoJuice

No updates.

Moonshot

Technology is settling down, more mature, and spec.

Most activity on supporting customers on piloting activities.

Piloting activities around these areas:

Classic e-Science fascilities. SSH access, visitors with physical access to console.
UK National Grid Services.
Cancer Research UK: for microsoft exchange, file sharing, etc. Large organization, divded into 5 institutes.
UK National Health Services. Interested in starting piloting.

Likely initial most important use case: federated login to regular desktops (between different, unrelated MS Active Directory domains), not just applications

Planet Identity

Ben Laurie - Apache / The Bunker: Certificate Transparency Sites

Jackson Shaw - Quest: Multifactor Authentication for Dummies

Phil Windley - Kynetx: An Operating System for Your Personal Cloud

Ian Yip: F*** it, I'm lighting 100 candles - Entitlement Management 2012

Ian Yip: Book Review - Grouped

Blogging 'bout WAYF: Why is the configuration called metadata?

Kuppinger Cole: Back to the ROOTs

Courion: And the Answer is…Access Intelligence

Ashraf Motiwala - Identropy: Identropy Reviews Cutting Identity Management Operating Costs

Nat Sakimura: 単なる OAuth 2.0 を認証に使うと、車が通れるほどのどでかいセキュリティー・ホールができる

Identity Commons: NSTIC Moving Forward with Pilots and Steering Group

Ping Talk - Ping Identity: This Week in Identity - Take 2 at G+ for names and nyms

Identity Commons: ID Collaboration Day Will Happen in San Francisco the Monday before RSA !

Gerry Beuchelt - MITRE: Doing the Security Thing

Phil Windley - Kynetx: Place-Based Networks

George Fletcher - AOL: OpenID Foundation Elections in Progress

Phil Windley - Kynetx: In Class Exercise

Matt Pollicove - CTI: Calling all Dispatchers

Kuppinger Cole: Product Research Note: Blackbird Management Suite - 70402

Kuppinger Cole: LinkedIn – the next bad guy

Kuppinger Cole: Evil, or just different

Kuppinger Cole: 13.03.2012: Access Risks - from SAP to the Outer Space: an Identity & Access Governance Journey

Mike Jones - Microsoft: OAuth 2.0 Bearer Token Specification Draft -16

Kuppinger Cole: 28.02.2012: Access Governance richtig gemacht: Investitionsschutz und zielgerichtete Weiterentwicklung

CA on Security Management: Cloud IAM Services-Everyone’s New Punching Bag

Travis Spencer - Ping Identity: A Manageable System for Managing Passwords

Paul Madsen: New line of greeting cards

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 41

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 40

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 39

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 38

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 37

Rakesh Radhakrishnan - Sun: Thoughts on Token Technology Trends- No: 35

Kevin Marks: QR Codes: bad idea or terrible idea?

Paul Madsen: New line of greeting cards

Robin Wilton - Future Identity: Time for a rant...

Robin Wilton - Gartner: GPS tracking and the 4th Amendment (Part 2…)

Paul Madsen: New line of greeting cards #byod

Kuppinger Cole: Privacy by Design

Kuppinger Cole: Personal Data Vault – putting YOUR data in YOUR hands

Kuppinger Cole: Stopping a Clapper Over WikiLeaks

Phil Windley - Kynetx: Podcatchers for Smartphones

Identity Commons: Registration Now Open for 2012 NIST/NSTIC IDtrust Workshop

Johannes Ernst - NetMesh: What I Expect From Customer Support

Robin Wilton - Future Identity: EU cookie regulations and consent

Paul Madsen: New line of greeting cards #byod #mdm

Drummond Reed - Cordance: The Fundamental Flaw in SOPA and PIPPA

Drummond Reed - Cordance: AT&T Are You Reading Your Own Emails???

Kaliya Hamlin - Identity Woman: The new Google is Creepier then ever.

Ping Talk - Ping Identity: This Week in Identity - Another group of purpose maximizers

Kaliya Hamlin - Identity Woman: Getting Started with Identity

Kaliya Hamlin - Identity Woman: The Nymwars and what they mean: summary of my posts to date.

Google+ and my "real" name: Yes, I'm Identity Woman My first post on Google+ surprise to find my profile suspended.... I think this will all be over very soon.

Nymwars: IRL on Google Lawns. My idea to "occupy" the lawn of Google with a colourful range of folks who want the right to choose their names. I wrote this after I figured out a week into this that it wasn't going to end, and they hadn't just made a mistake.

Potential Future: Google-Zon

Kaliya Hamlin - Identity Woman: The new Google+ Names process

Robin Wilton - Gartner: Interesting times…

Andreas Åkre Solberg - Feide/UNINETT: Identity Federations Status Report – January 2012

Federation Lab › Test Federation

Federation Lab › Monitoring and statistics

Federation Lab › SAMLtracer

Federation Lab › OpenID Connect

VOOT

SAML2int

Federated Provisioning

DiscoJuice

Moonshot

Other topics