Planet Identity

JISC Access Management Team: Lies, Damn Lies…

2010-02-09T00:58:22Z

This week, I’m getting excited about statistics! Well, I need something down to earth to balance out the amazing experience of being at APAN29 in Sydney.

Just before I started at JISC, we had some long and detailed conversations about statistics as part of the ANGEL project. Whilst usage statistic work has mumbled on in the background but there hasn’t been any significant work in this area….until now. Like buses, JISC usage statistic projects all come at once.

Something I am very happy to see funded, particularly as I saw the birth of the project idea whilst walking on a very hot day in San Antonio, is the RAPTOR project at Cardiff University. At the moment, Shibboleth Identity Providers can produce very useful access logs for institutions, but in a format that is not particularly friendly or helpful to the needs of librarians who need to be able to quickly review and assess resource usage. RAPTOR will produce a toolkit to not only provide this functionality but also to integrate these statistics with EZProxy logs - a joined up approach which I’m sure will be appreciated.

Hand in hand with this, the UK federation are planning on producing a portal to allow institutions to upload appropriately anonymised statistics….possible using the outputs from RAPTOR if we are smart about it. This will give us an interesting national view of resource usage, useful for both JISC and JISC Collections in focusing attention on the requirements of our community.

At the other end of the picture, it is equally important that we look at Service Provider statistics to provide the more detailed view of user behaviour beyond the authentication point. JISC Collections have been examining the potential of a usage statistics portal that will aggregate statistics from COUNTER compliant reports provided by publishers. Again, the point here is to reduce the amount of time librarians are forced to spend aggregating this information.

To complete the picture, the PIRUS project is looking at usage statistics right down at the article level across both publisher resources and repositories. More information is available in this post from Ben Wynne. PIRUS has produced a review of what information would be required to provide article level statistics. My only concern about this report is ‘who’ section and the options described for identifying unique users. eduPersonTargetedID and eduPersonPrincipleName seem obvious candidates for potential unique identifiers but are missing from the report. The challenge here will be any suggestion that looks at tracking the same user across multiple Service Providers. Obviously this is useful information for institutions, publishers and authors, but the privacy issues and management of Personally Identifiable Information (PII) will have to be carefully examined.

So that is your usage stats round-up - certainly lots of good stuff to keep an eye on.

Marc Canter - Broadband Mechanics: On-demand “Lost”

2010-02-08T21:15:54Z

Since I teach my class on Tuesday nights - I’ve been unnable to catch the new episodes of “Lost”. So I’m forced to go to ‘Hulu’ and go on-demand.

But what a pleasure!

Given “Lost’s” time travel motif, I can’t help but comment on and create a blog post on how coolio it is to be able to randomly jump throughout the five season mythology of “Lost”, pause, rewind, watch again - study - and then loop through the Lost storyline - again - but this time via episode #22 - instead of episode #4.

The other bonuses to watching “Lost” on Hulu are the web exclusive clips and an ‘enhanced’ set of episodes which actually explain what the hell is going on!

Collectively - watching “Lost” on-demand goes way beyond just watching TV. It’s navigating through a labyrinth of storyline mythology and time travel.

Highly recommended!

Identity 360 - Imprivata: Independent Community Bankers of America (ICBA) Convention & Techworld Booth # 547

2010-02-08T21:14:54Z

Join Imprivata at ICBA-s annual Convention & Techworld in Orlando, Florida from March 17th-21st. The event is the largest community banking convention in the country devoted solely to the needs of America-s independent community banks.

Anil Saldhana - Red Hat: Tip: Interpretation of missing EJB Method Permissions in JBoss

2010-02-08T20:41:56Z

The EJB 2.1 specs on this case says:

"It is possible that some methods are not assigned to any security roles nor contained in the exclude-list element. In this case, it is the responsibility of the Deployer to assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked."

What this basically means is that if you have not specifically assigned method permissions or made them "unchecked", then it is left to the vendor's interpretation.

Default interpretation of missing method permissions in JBoss is "excluded" mode.

Based on JBAS-2471, we have incorporated a jboss.xml setting that will provide the appropriate interpretation of missing method permissions - whether to interpret them as "exclude" or "unchecked".

=======================================


<!ELEMENT missing-method-permissions-excluded-mode (#PCDATA)&rt
===========================

First Case:
In the first case, if you specify:
<missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>

in your jboss.xml, then all methods that do not have an associated method-permission are excluded from the deployment.

Second Case:
In the second case, if you specify:
<missing-method-permissions-excluded-mode>false</missing-method-permissions-excluded-mode>
in your jboss.xml. then all methods that do not have an associated method-permission are operating in an unchecked mode.

Reference:
1. Discussion on ejb3 interpretation of this flag. (Under investigation)
2. Default setting in standardjboss.xml

Anil Saldhana - Red Hat: Tip: Role Mapping in JBoss Application Server v5.x

2010-02-08T20:25:25Z

If you are interested in mapping roles at the deployment level (such as EARs, WARs, EJB Jars) to the roles deduced at the security domain level, then you should read this article: http://community.jboss.org/wiki/MappingRolesinJBossApplicationServerv5x

Note the use of org.jboss.security.mapping.providers.DeploymentRolesMappingProvider

Note: This is an additional forced interpretation of role mapping for the containers when our normal regular interpretation is deployment roles for addition into a RunAs identity.

Phil Windley - Kynetx: Build 424: Functions and Array Operators

2010-02-08T17:02:02Z

The latest build of the Kynetx Rule Language (KRL) provides a significant upgrade in capability with the addition of functions. We've also added some new array operators that take advantage of functions to make using arrays easier.

KRL supports functions as first-class objects in the expression language. KRL supports only anonymous functions, but they can be given names by binding them to a variable in a declaration. Here's an example:

pre {
  add5 = function(x) {
           x + 5
         };
}

Functions are evaluated statically (e.g. the environment they are defined in, not the environment they are executed in determines the binding of free-variables) and can be recursive. Here's an example of a recursive function in KRL:

pre {
  fact = function(n) {
            (n <= 0) => 1
                      | n * fact(n-1)
         }
}

Functions are declared using the keyword function and contain optional declarations followed by a single expression that returns the result of the function when executed. To see this, consider the following example which uses Newton's method to calculate square roots (taken from Section 1.1.8 of Structure and Interpretation of Computer Programs):

sqrt = function(x) {
    average = function(x,y) { (x + y) / 2 };
    good_enough = function(guess, x) {
       v = (guess * guess) - x;
       v < 0.01 && v > -0.01
    };
    improve = function(guess, x) {
       average(guess, (x / guess))
    }
    sqrt_iter = function(guess, x) {
       good_enough(guess, x) => guess
                              | sqrt_iter(improve(guess,x), x)
    };
    sqrt_iter(1.0, x)
}

Functions can return functions as values and functions can be passed as the arguments to other functions and operators in KRL. The following example defined a generalized summation function that sums the numbers from a to b incrementing using inc and applying the function f to each term:

sum = function(f, a, next, b) {
  (a > b) => 0
           | f(a) + sum(f, next(a), inc, b)
};
inc = function(x) { x + 1 };
cube = function(x) { x * x * x };
sum_cubes = function(a, b) {
  sum(cube, a, inc, b)
}

We could define a function that creates incrementor functions. When given a number, it returns a function that increments by that value:

inc_generator = function(n) { function(x){ x + n } };
inc = inc_generator(1);
inc_by_2 = inc_generator(2);
inc_by_25 = inc_generator(25);

Being able to write functions adds significant power. More so with some of the other languages changes we have in mind for the next few months.

Weve also added several new array operators in recent builds. Most notably, array references now work as follows:

a = [1,4,3,6,5];
b = a[1]

This would bind the value 4 to the variable b. Note that array references only work for arrays of one-dimension, so c[1][2] is not allowed (presuming c is an array of arrays).

In addition, there are a number of new operators available for arrays. The following array operators are now available (in addition to length which has been previously available):

sort - sorts the array. With no argument, sorting is done in ascending order. The argument "reverse" causes sorting to happen in descending order. The argument can also be a function that takes two argument and returns a boolean value which will be used as the comparison function for the sort.
filter - filters an array, producing a new array. The operator takes a function argument that takes a single parameter and returns a boolean value. The return array contains elements for which the function returns true.
map - modfies an array from mapping a function to each member of the array. The operator takes a function argument that takes a single parameter and returns any value. The array returned from map is the result of applying the function to each member of the original array in turn, collecting the results into a new array.
head - returns the first element of an array without modifying the array.
tail - returns an array that is identical to the orginal array except without the first member.

You could use these like so:

pre {
  f = function(x) { x < 4 };
  g = function(y) { y * 2 };
  a = [1,4,3,6,5];

  b = a.sort(); // returns [1,3,4,5,6]
  c = a.filter(f); // returns [1,3]
  d = a.head(); // d has the value 1
  e = a.map(g); // e has the value [2,8,6,12,10]
}

Operators are fairly easy to add and handy to have, so if you have ideas for other operators, on arrays, strings, and so on, just let us know.

Jackson Shaw - Quest: Microsoft case study on Quest’s SaaS solutions

2010-02-08T16:38:35Z

We’ve been on the Microsoft Azure bandwagon since that parade started. Early last month Microsoft published a case study about our solution:

Quest Software wanted to enable its customers to share access with their partners and with Quest support staff, to manage user roles centrally, and to log in just once to use multiple Quest services. Using Windows Identity Foundation, Active Directory Federation Services 2.0, and Windows Azure, Quest can provide strong data security, centralized role management, and single sign on and direct access capabilities.

We have three Quest products that we have SaaS enabled so far. You can find them all at: http://www.quest.com/ondemand/...

Recovery Manager OnDemand for Active Directory provides backup and object-level recovery of Active Directory data. It is designed to enable flexible, scheduled backups without manual intervention, facilitating quick and scalable recovery of Active Directory data.

InTrust OnDemand securely collects, stores, reports, and alerts on event data from Windows systems, helping organizations comply with external regulations, internal policies and security best practices.

Site Administrator Reports OnDemand for SharePoint provides free overview reports for an unlimited number of SharePoint sites. The information in these reports allows you to assess the scope of the site you’re reviewing, understand how it is being used, and determine site storage metrics.

Technorati Tags: Quest,QSFT,SaaS,Microsoft,Windows Identity Foundation,ADFS,Windows Azure,Azure,Active Directory,Active Directory Federation Services,Geneva

Identity 360 - Imprivata: PRESS RELEASE - IMPRIVATA PROVIDES WAYNE MEMORIAL HOSPITAL A HEAD START IN THE RACE FOR ELECTRONIC MEDICAL RECORDS

2010-02-08T16:25:50Z

http://www.marketwire.com/press-release/Imprivata-Provides-Wayne-Memorial-Hospital-Head-Start-Race-Electronic-Medical-Records-1113617.htm

Paul Madsen: New line of greeting cards

2010-02-08T14:36:17Z

Posted via email from Paul's posterous

Rakesh Radhakrishnan - Sun: Agile Application Governance Across All Platforms

2010-02-08T14:30:01Z

Given the solid integration that's already in place as an ISV partner for Oracle Fusion Middleware, todays news on Oracle's Acquisition of Amberpoint should come in as very good news for our common Telco install base (such as BT, Orange and Telcom Italia). Amberpoint is standards based that includes XACML.

Identity 360 - Imprivata: Imprivata OneSign Provides Wayne Memorial Hospital a Head Start in the Race for Electronic Medical Records

2010-02-08T14:00:41Z

With Imprivata OneSign Single Sign-On, Wayne Memorial Hospital Improves Patient Care, Increases Data Security and Closes in on Federal Incentive Dollars at the Finish Line

Identropy: Identity Assurance, an everyday life issue (part 1 of 2)…

2010-02-08T12:45:00Z

In this 2-part article, I hope to explain the importance of identity assurance in everyday life. I will first level set on terms and definitions in part 1, and then illustrate with real-life examples in part 2.

The notion of identity assurance is to establish, with a level of certainty, that the human being represented by a credential in an electronic transaction is in fact the alleged person. Whether you realize it or not, whenever you perform an electronic transaction, you are making some kind identity assurance tradeoff.

Identity assurance does not only apply to scenarios in the extranet in which consumers or users from one organization interact with systems in another. It also applies within the enterprise where you need to view identity lifecycle management holistically, as opposed to fragmented steps, such as provisioning, authentication, single sign-on, etc.; and how they contribute to creating and maintaining identity assurance.

My Personal History

In late 2006, I was first introduced to the issue of identity assurance as a trend in identity management. It all started with the FFIEC's October 2005 guidance on Authentication in an Internet Banking Environment. It appeared on my radar as I was strategizing on the future of web access management and the product portfolio for which I was responsible. I was also wrestling with transaction assurance and access management 2.0. At the time I did not realize the profound impact that this concept would have on my career.

In late 2007, as I was managing a high-assurance digital identity service offering at a large global bank, I was introduced to Liberty Alliance Identity Assurance Expert Group. I joined the group as a co-chair which led to my current role as Chair of Kantara Initiative's Identity Assurance Work Group that is responsible for the Identity Assurance Framework. It works closely with the Kantara Initiative Identity Assurance Certification Program, which actually instantiates the framework in an actual program. So, I guess you can say I have become an identity assurance activist.

It's All About Risk

In any electronic transaction where a human is represented, an implicit identity assurance tradeoff is made. A human may be represented in a transaction by providing a user name, email address, or simply by checking off a box accepting certain terms and conditions. The question is whether we are aware of or comfortable with the tradeoff. In all instances, you and the party with whom you are transacting are agreeing that your identity can be representing in this way for this transaction, and accept the consequences of what might happen if something goes wrong (i.e. your credentials are spoofed or compromised, or you chose to share your credentials with somebody that acts on your behalf and does something wrong).

The higher the sensitivity of the transaction, the higher the confidence (i.e. assurance level) you would like to have. Therefore, an identity assurance level (AL) should map to the risk level in any given transaction.

All identity assurance documentation that I have read or been involved with converge on four basic levels of assurance:

Level 1: Little or no confidence
Level 2: Some confidence
Level 3: High confidence
Level 4: Very high confidence

OMB Memorandum M-04-04 illustrates this rationale from the perspective of the US Government. It effectively explains the application of identity assurance to transactions, considering the impact of something going wrong, and also the expected frequency of its occurrence. Below is a table I borrowed from this document that focuses on authentication.

Advice: Be aware of the sensitivity of a transaction. Think through the mechanism employed to mitigate risk and if it is sufficient enough to convey the appropriate level of confidence. Consider the intersection of identity assurance with your data and risk classification.

It's Not Just About Authentication

Another important realization, particuarly for me given my background as a product manager, was that identity assurance is not just how strongly you authenticate someone. A number of factors come into play. Moreover, identity assurance, like other facets of identity and access management (IAM), is a lifecycle process. An identity lifecycle includes stages ranging from registration (initial creation, identity verification, credentialing) to contextual access control (authentication, risk and activity monitoring, stronger authentication), renewal and termination.

An IAM solution must account for the fact that identity assurance decays over time and that lifecycle processes, such as renewal or termination, are necessary to either preserve the assurance level or eliminate the risk of a compromised identity.

Even though this concept may seem obvious, traditional IAM deployments do not incorporate identity assurance as a guideline, and thus rely on a static notion of identity.

This approach towards risk and identity assurance allows end users and organizations to gain trust in relying on online channels to conduct sensitive and higher-value transactions.

In my next blog post, I plan to illustrate these concepts with some real-life examples. In the meantime, I look forward to your comments...

Kuppinger Cole: Data Leakage Prevention – Something (not only) Swiss Banks Should have a Closer Look Into

2010-02-08T12:33:57Z

In Joerg Resch

It has been in the press and Martin already wrote something in his blog about it -German tax authorities have been approached by various individuals who want to sell information about Germans who hold bank accounts at some Swiss Banks, like Credit Suisse and UBS. I don´t want to go into the discussion, wether such a deal, where the government buys “stolen” data (I put it into brackets, because over here, data are not a thing and only things can be stolen) from somebody, is immoral or not. But it certainly is pushing the market for customer information, if it´s value becomes as visible as it is in this case. I´m pretty sure that some of those unknown individuals possessing sensitive customer information already learned that there are institutions out there who would pay significantly more than German tax authorities (for example the banks from where the data had leaked).

So, data leakage prevention, access governanve, privileged user management – these basic disciplines of information security are becoming more than ever part of the survival kit for institutions holding customer identity information. A much better (and cheaper) way to learn more on how such leakage can be avoided, would be to join us at the European Identity Conference 2010. We´ll have some best practices showing that it isn´t impossible at all to prevent such leakage.

Ludovic Poitou - Sun: The basics of Flash Memory

2010-02-08T11:45:12Z

These days, everybody get excited with Solid State Disks, flash memory and the performance improvements they have over other mass storage solutions.

We've been running some benchmarks of Sun Oracle Directory Server 7.0 leveraging new Sun flash based hardware modules. Before we go in details about their benefits, my colleague Brad Diggs posted a very educational article on the basics of Flash Memory to set a common understanding of the technology.

Read on and get ready for more data points on how ZFS and Flash Memory can improve Directory Server performances and scalability.

Technorati Tags: directory-server, dsee, ldap, performance, zfs

Rakesh Radhakrishnan - Sun: Reducing Risk and Revenue Losses

2010-02-08T02:47:09Z

Excellent paper that talks to the integration points between an Integrated Identity Infrastructure and Revenue Assurance. I will hopefully get to present on the topic of "Identity, Policy and Context for Revenue Assurance" at this upcoming local event on OSS/BSS.

Rakesh Radhakrishnan - Sun: Identity, Policy & Context Centric Convergence

2010-02-08T02:25:11Z

Excellent paper by SWIFT on "Identity as the Convergence Layer", which implies, Identity (authN authorities), Policy (authZ authorities) and Context (attribute authorities) as the layer that enables Customer or User Centric Convergence.

The 5 industry standards initiatives around Identity for Communications Convergence includes;

TMF Identity for NGOSS (IPSF also folded in)
ITU T work on Identity and Security for Telco
ETSI for Identity and Profile Management (GUP, SUP, DUP, etc.)
Kantara WG on Telco IDM (and historical work done by Liberty Alliance)
SWIFT's work on Use Cases around IDM for NGN including Policies and Context

Rakesh Radhakrishnan - Sun: Customer's Context Centric Convergence & Consolidation

2010-02-08T01:53:37Z

The more I learn around the value proposition that Oracle offers to the Telco Industry, the more I am excited to be working in the Communication Global Business Unit. Through its massive set of acquisitions for the Telco vertical and the Identity Infrastructure space Oracle offers a big piece of the solution sets that would be required by the Carriers in this industry who are essentially facing three large scale challenges (given the Convergence around IP - wireless+wireline convergence, Network+IT convergence, Voice+Data+Video convergence, Device Convergence, etc., and the massive transformation we see with a Global Broadband Wireless deployments), which include:

Enabling Next Generation Service and Content Delivery (converged and contextual - relevant to each and every unique subscriber/customer needs)
Improve Cost Control and Compliance (heavily leveraging an Identity Infrastructure and containing costs both on the IT and Network side)
Drive Customer Centric Information Architecture (based on SOA)

Other than the software infrastructure products (communications SDP) that heavily integrate with a common identity infrastructure, for the infrastructure services it has to offer; all three major Applications offered for this vertical also leverage this common identity infrastructure in a very big way:

Billing and Revenue Assurance heavily rely on an Identity Infrastructure as described in this paper (including Risk BAC, Logging, Auditing, etc.)
The OSS stack also leverages the Authentication and Authorization functions for Unified Operator Management (as elaborated by TMF)
The Oracle Customer Hub for a 360 degree view of a Customer, for compliance and better customer service and more (integration with Unified Profile, Virtual Directory, HSS and more)

The best part is now all this can be combined with Sun's Open Telecom Platform offerings that are ATCA, SAF and other industry standards compliant HW infrastructure and Expertise in integrating with NEP's network facing systems around IMS, WiMAX, LTE, CCSF, HSS, PSCF, etc., making it a phenomenal story - especially when Telco are geared up to deliver Managed Cloud offerings!!

Eve Maler - PayPal: Low-hanging fructose

2010-02-07T18:46:15Z

Simon Phipps often feeds me tidbits — intellectual rather than gustatory — having to do with nutrition. Recently he recommended I watch a lecture by Dr. Robert Lustig of UCSF in August of last year, called Sugar: The Bitter Truth.

This lecture is really better described as a call to action with biochemistry diagrams. Lustig argues that fructose is an evil that’s been behind the rise in obesity and metabolic syndrome of the last few decades; that soda, juice, and sports drinks loaded with sucrose or HFCS are the single biggest factor in childhood obesity (his specialty); and that we had better start treating fructose as the chronic hepatotoxin it is and stay the heck away from it. I agree.

The lecture series is called Current Controversies in Nutrition: Letting Science Be the Guide. Well, yeah — what other guide have they been using all this time, for goodness’ sake? You know, I started my carbgrrl.com series admitting a worry about looking like a loon…no more. Richard Nikoley, primal blogger extraordinaire, often talks about Modern Ignorance and the ways in which supposed experts tie themselves in knots because of broken preconceptions about stuff we used to understand instinctively. (Richard blogged this lecture, and also another I’ll touch on here sometime soon…) It sure looks like Lustig is emerging from a cave of institutional ignorance, blinking — and pissed off. Good.

Lustig’s obsession with fructose probably doesn’t give an accurate picture of all the factors in play. He seems to think glucose is just fine to consume in whatever quantity — it’s the “energy of life”, he says (around 1:26:00) — and so I suspect he’s misguided about the evils of spiking one’s insulin over and over, in addition to spiking one’s triglycerides. Remember that the glucose that feeds our brains and bodies can be made from practically any old thing lying around, as I’ve discussed before. And in GCBC, (The Great) Gary Taubes discusses the pernicious effects of eating fructose and glucose in combination:

Because sucrose and high-fructose corn syrup (HFCS-55) are both effectively half glucose and half fructose, they offer the worst of both sugars. The fructose will stimulate the liver to produce triglycerides, while the glucose will stimulate insulin secretion. And the glucose-induced insulin response in turn will prompt the liver to secrete even more triglycerides than it would from the fructose alone, while the insulin will also elevate blood pressure apart from the effect of fructose. [GCBC, Ch. 12, p. 201]

I have a couple of other quibbles (I’m not sure Lustig’s lust for fiber is entirely warranted), but it’s absolutely worth watching if you care about this stuff.

Ben Laurie - Apache / The Bunker: Perhaps Not So Stupid, After All?

2010-02-07T16:04:34Z

Stupid now generates correct (single-block, still) SHA-256 code in C. It has functions. We’re starting to wonder about adding structures, and the semantics of arrays – particularly whether an array passed for output can also be used for input (or vice versa). I’m inclining towards making that illegal – if you want a function that, say, fills in every second entry in an array, then you’d need to pass in the array to be filled in, and return a second array which would be the result. The function would have to copy the input array to the output before filling in the new values (or copy the parts it isn’t going to fill in). It seems to me this makes analysis simpler, but can easily be optimised by smart compilers, too.

I guess its time we started writing some of this down! I’d also like to add generators for some common scripting languages, like Perl, Python and PHP.

The thing I’m a little scared of is that eventually, if I’m going to take this seriously, we’re going to need a bignum implementation – not too hard to do if you don’t care about efficiency, I guess.

Drummond Reed - Cordance: Avatar – Ahhhhhhhh

2010-02-07T00:18:49Z

This may be the only blog post I ever write with no link in it. But, reading today that Avatar has finally knocked off Titanic as the #1 grossing movie of all time, one hardly needs to provide a link to either.

Given my passion for film, I just want to say: hats off to James Cameron. He may not be the most likeable character in the world. But twice now this man has taken me and countless others (a signficant percentage of the human population, in fact) to a place in film an ocean beyond (or a planet beyond) what we have ever experienced before.

Which really is a new place in consciousness, when you think about it.

I thank him for that, and everyone who helped him realize his vision.

Two pieces of advice:

See it in 3D. It doesn’t matter how long you wait to do it. Just see it in 3D.
Sit as close to the axis of the center of the screen as you can, i.e., both in the middle of the theatre and at the height of the center of the screen. It really helps with the 3D experience. Ironically in most 3D theaters this is usually the back row or very near it. In other words, the vast majority of the seats are way too close. Go figure.

Identicentric: Encrypted iPhone Applications

2010-02-06T23:53:50Z

It was just over four months ago when we set about learning the iPhone SDK and putting together our first application, a revamp of STRIP, the personal information manager that was so popular for the Palm platform.

Now that we’ve got a mostly-finished product (we’re still making a few tweaks and getting ready to start the beta), we took a step back to look at the code we built to keep the development DRY and enable quick development of future applications. Essentially, we’ve built ourselves a framework for building applications that have a fully-encrypted database layer using SQLCipher, with a robust data model, a login facility, random password generation and seeding, etc.

What took us four months to do at first, now only takes us a few days. Using the code we extracted from STRIP we were able to put together one of our other app ideas in less than four work days. Introducing Codebook, a secure notepad:

Codebook is a LOT like the built-in Notes application on the iPhone. They aren’t exactly the same, but the critical difference is that no one is getting in and reading your notes unless they have your password:

Drummond Reed - Cordance: The Incredible Internet Answer Machine

2010-02-06T19:41:57Z

I know reams have been written about “are we all getting dumber because the Internet is getting smarter?”

But still, it does take my breath away, almost every day.

In another one for the “new heights of irony” file: I was using Gmail this morning and once again wondered about the little orange dot that appears next to the names of some email senders.

I’d wondered at least a half dozen times before what this meant, because when you hover over it, there’s no balloon (there should be, Google).

So this morning I finally asked The Incredible Internet Answer Machine.

I just opened another tab and typed “Orange dot in Gmail” into my Google search bar.

The #1 hit (in .29 seconds) was the exact answer to my question…

…in Yahoo Answers!

(We’re going to have to rename it The Incredible Internet Irony Machine )

BTW, the answer is: Orange means the sender is using Gmail but is in “idle” status because they haven’t looked at their Gmail page in awhile – they are busy using some other browser tab or application. Green = active on Gmail now, Red = busy, Grey = offline.

Drummond Reed - Cordance: Fixing the Google Account problem

2010-02-06T19:21:51Z

Every so often you experience a technical problem you can’t find any information about and which takes you forever to solve. Then, after you finally solve it, you are left scratching your head saying, “I don’t get it—there must be millions of people with this problem—why is there so little information about it?”

Once before, back in 1991, I ran into such a problem with Windows 3.0. After finally solving it, I shared my solution with my friend Seattle Times tech columnist Paul Andrews. He published it in his column, and it turned out that thousands of people had the same problem but nobody understood quite what was happening. So that’s why there was so little information about it.

Now 20 years later, even though we’ve got the Internet and Google and all, I’ve just been through the same experience. And the irony? The problem is with none other than Google accounts—the very accounts that we need from this search giant to access many of the services it offers.

Over the holidays I finally bore down, worked the problem all the way through, and solved it. And throughout the process I was consistently stunned to find so little information available about it, either from Google or anywhere else.

So this time around I’m being proactive about it and publishing the solution right here so it will be easy for anyone to reference. (And, of course, for Google’s own search engine to find — the Internet brings new heights to irony.)

Warning: read this all the way through. The easy fixes are also the ones you may live to regret.

The Problem

A friend shares a Google doc with you.
You receive an email containing a link to this Google doc.
When you click on the link, you are prompted to log into your Google account, but once you do, you can’t get access to the doc because the email address that the friend used is not the same email address you used to originally create your Google account.

Arrggh! (That’s an exact quote from an email I just received from a friend for whom I’m solving this problem by writing this blog post!)

The Simple Solution That Will Get You In Trouble

There is a simple solution for which I thank George Fletcher of AOL, who first explained it to me and others on the OpenID mailing list who were having this problem a few years ago.

The solution is: register a new Google account under the email address that your friend used to share the Google doc with you.

It’s very easy…BUT…read the warning afterwards as to why it’s a red herring.

Go to http://google.com.
If you are signed in, sign out (top right corner).
On the next screen (the plain jane Google home screen), click the Sign in link in the top right corner.
On that screen, underneath the login box on the right, click the link “Don’t have a Google account? Create an account now”.
Even though you may already have a Google account, enter the email address you want to register for another Google account (the one your friend sent the Google doc too).
Confirm the email address via the standard process.
When you are done, log in using to this new Google account (using the email address you just registered, not the one for your other Google account).
Go to Google Docs (http://docs.google.com).
The Google Doc your friend shared with you will be on the list.

Yes, it’s that simple. BUT…

The New Problem This Creates

The reason NOT do solve the problem this way, to which I can attest by long and painful experience, is that while you will now have access to all the Google docs shared with you…you will also have to log in and log back out of each of your different Google accounts in order to access the different sets of Google docs shared with you under your different email addresses.

This might seem like a small pain at first, but believe me, after the 500^th time you will be wishing there was a better way.

There is.

The Better Solution…That Still Isn’t the Right Answer

The “better way” is a standard feature of almost any identity or directory system: aliases. (Disclaimer: I’m in the Internet identity business, so this is the kind of stuff I deal with all the time.) In an identity or directory context, an “alias” is just an alternate name for the same account. And in fact Google accounts supports aliases. What’s interesting, though, is that: a) they don’t call them “aliases”, and b) aliases for Google accounts are completely different than aliases for Gmail accounts.

Gmail accounts, you ask? What’s the difference between a Google account and a Gmail account?

Therein lies a whole ‘nother can of worms (and possibly the reason there is so little information about the Google account problem).

Let me start by explaining the difference (as best I understand it – this WHOLE BLOG POST is an open invitation for the good folks at Google to correct any of my misunderstandings and provide better explanations).

First, a Google account and a Gmail account are not exactly the same thing. The first rule is: every Gmail account is a Google account, but NOT every Google account is a Gmail account.

In other words, if you have a Google account that is NOT a Gmail address, then you have a Google account is NOT a Gmail account.

The second rule is: BOTH a Google account AND a Gmail address can have an alias. BUT THEY ARE NOT THE SAME THING, AND NEITHER CALLS THEM ALIASES.

I am not making this up. An alias on a Google account (and remember, every Gmail account IS also a Google account) is another name for the entire Google account. But for Gmail, an alias is ONLY an alternate email address that you can send or receive email from using your Gmail account. A GMAIL ALIAS IS NOT A GOOGLE ACCOUNT ALIAS. A GOOGLE ACCOUNT ALIAS IS NOT A GMAIL ALIAS.

Is that clear as mud?

Now, adding an alias to a Gmail account is quite easy, remarkably powerful (most people have no idea how much flexibility Gmail offers to manage your email for any number of email accounts), and surprisingly poorly documented. I just spent 10 minutes searching Gmail for help on this just to see if there was a Gmail help page I could just link to.

Nope.

So here’s how.

Instructions for Adding an Alias to Your Gmail Account (but NOT for your Google Account Even If It Is a Gmail Account!)

Login to your Gmail account.
Click the Settings link in the top right.
Click the Accounts and Import tab.
In the second section, Send mail as, click the button labelled, Send mail from another address.
Enter the email address as instructed.
Google will send you an email with a link you must click to verify you own the address.
Go to that mail account, find the mail, click the link (it all takes about 30 seconds).

You’re done. Go back to your Gmail Settings page, click the Accounts and Import tab, and the new email address will be listed in the Send mail as section. You can now send email from this email address by choosing it in the d“From” rop down box in Gmail. (See the help link for more info about the different ways you can send mail from a Gmail alias.)

You can add as many email adddresses as aliases to your Gmail account as you want (at least I couldn’t find documentation about a limit). But keep in mind that all of these will ONLY be Gmail account aliases, not Google account aliases — and having them as Gmail aliases does nothing to solve the Google account problem.

So you have to go through a different process — even with the same set of email addresses — to make them Google account aliases. (For example, I have the same four email addresses as BOTH Gmail aliases and Google account aliases.)

The following instructions apply for adding an alias to ANY Google account (whether or not it is a Gmail account), BUT—and this is a big BUT—if your Google account is NOT a Gmail account, keep reading afterwards about why this can come back to bite you.

Instructions for Adding an Alias to Any Google Account (Even If It Is a Gmail Account)

Go to www.google.com/accounts. That is the home page for configuring any Google account. If you’re currently logged into Google, Google figures out which Google account you are using via a cookie in your browser. If you’re not logged in, they’ll prompt you to login, and the Google account you will be configuring is based on the email address you use to login.
Once you are logged in, confirm it is the correct Google account by checking the email address in black text at the very top of the page (on the left side of the block of links in the top right corner). If this is the right account, proceed. If this is not the right account, meaning you want to add an alias to a different Google account, then sign out (upper right corner), then sign back in under the email address for that different Google account.
Under Personal Settings in the top center of the page, the entry at the bottom of the column will be Email addresses. If you have not yet added any aliases to this Google account, you will see only one email address—the same email address as at the top of the page. It will have the grey words (Primary email) next to it. This is the “primary key” for this Google account. You can’t change it! See the warning below.
To add an alias (do you see the word “alias” anywhere near here? Or anywhere on this screen? Does Google give you any clue that this is where you should go to access such a feature??), click the Edit link below this email address.
On the next screen (https://www.google.com/accounts/EditUserInfo), you will see two blocks: Edit personal information and Add an alternate email address to your account. You want this second block.
At the bottom of this second block is a text box labeled: Add an additional email address. Enter the email address you want to add as an alias (the one to which your friend shared the Google doc you can’t access) and click Save.
The next screen will tell you that you’ve been sent an email to verify that address.
When you receive the email, click the link in the email.

Congratulations, you have just set up that email address to be an alias for your existing Google account.

The benefits?

It no longer matters which of your two email addresses your friends share a Google doc with. Either way, the Google doc they shared will show up in your Google docs dashboard at http://docs.google.com. As far as I know, this is true for all the email addresses you add as an alias (again, I don’t know if there is a limit).
You no longer have to log in and out of two different Google accounts. All your Google docs will be there in your one master account. Hooray!

Now for the final gotcha. You can do all the above and still end out with a royal headache one day because of the following rule Google explains when you register an alias as described above:

You can use alternate email addresses to sign in to your Google Account, recover your password, and more. Alternate email addresses can only be associated with one Google Account at a time.

In other words, for good security reasons, you can only add an email address as an alias to one Google account at a time. On the surface that doesn’t appear to be an issue…until you circle back to what I explained above…that every Gmail address is also a Google account. By simple deductive logic, you arrive at this conclusion:

You cannot add a Gmail address as an alias to ANY Google account!

In other words, at Google, all email addresses can all serve as primary keys for Google accounts BUT only only non-Gmail accounts can serve as an alias (a secondary key).

So it boils down to this: if have a Gmail account, or ever plan to get one, then you are forcing yourself into the multiple-Google account problem for life UNLESS…

…you make your Gmail account your primary Google account.

Yup, that’s the secret. As long as you make your primary Google account a Gmail account, you’ll never have the problem of wanting to use Gmail but finding yourself forced into the multiple-Google account problem.

What To Do If You Already Have the Multiple Google Account Problem

Okay, say you’ve already fallen into this trap. You did what I did several years ago: created your own non-Gmail Google account using a non-Gmail email address so you could access Google docs under that email address. Then later you started using Gmail, and so now you have at least two Google accounts (and maybe more). And people are constantly sharing Google docs with you under one or the other of the two (or more) email addresses, and you are driving yourself nuts logging in and out of Google trying to remember which email address was used to share which Google doc.

But you CAN’T take your non-Gmail email address and make it an alias to your Gmail Google account (as I advise) because your non-Gmail address is already a Google account.

How do you fix it?

The answer is: a) completely undocumented (at least I couldn’t find it), and b) scary as hell.

That’s why I’m writing this blog post. There’s no reason Google needs to make this so hard. Why they haven’t written it up in one of their generally decent Help articles I have no clue. I even wrote one of my identity friends at Google to ask him. His answer was essentially, “This is just too hard for most users to understand.”

Well, that may be true, but IMHO it’s not a reason to withhold the documentation. The users who are experiencing the problem are highly motivated to understand it, and in fact the solution is pretty easy once you know what it is.

It’s just scary.

In brief, the way to make a non-Gmail Google account an alias for your Gmail account is to first delete the non-Gmail Google account.

Completely. Kaput. Gone. Which, as you might suspect, would ordinarily mean YOU LOSE EVERYTHING ASSOCIATED WITH THAT ACCOUNT.

How’s that for a scary thought? Honestly, that’s why I held off fixing this for so long. Who wants to bother with working around that?

Luckily, the workaround is not that hard once you know what it is and you are sure it is going to work. That’s the other reason I’m writing this blog post: I could not find anything posted anywhere – or even get it confirmed by those I knew at Google – that this procedure would work and everything would be okay in the end.

But I finally got so tired of the problem that I just did it, and I’m happy to say it works just fine.

So: please read and follow the instructions below carefully. I don’t want anyone coming back and telling me that they lost precious data because of my advice that they delete their Google account.

Part One: Share (or Otherwise Backup) All the Data in the Google Account

First, make sure you have at least one other Google account (preferably a Gmail account—see above—however this procedure should work with any other Google account. In these instructions I’ll assume this other account is a Gmail account.)
Go to the home page of the Google Account you want to delete at https://www.google.com/accounts/ManageAccount.
Make sure this is the account you want to delete by checking the correct email address in black text at left end of the links at the very top of the page.
Under Personal Settings, click on the Dashboard link (second one down) called “View data stored with this account”.
This helpful utility (created for personal privacy management) will show you all the data you have at Google associated with this account. Now comes the hard part. You need to go through every Google service on this list, then go through any associated documents or data files for each of those services, and share them with your Gmail account. Even more importantly, if you are the owner any document/file, then transfer ownership to your Gmail account. If you don’t own a document/file (someone else shared it with you), don’t worry, you can’t lose it when you delete this Google account. But, as long as you have Edit privileges on the document/file, share it with your Gmail account just so you don’t have to go back to the original owner and ask them to reshare it later. If whomever shared it with you DIDN’T give you Edit privileges, just contact them and have them share it again with your Gmail account.
Did I say do this for EVERY document/file in EVERY Google service you use? Go back to your Personal Dashboard and check it again.
IMPORTANT: as a final check, log into your Gmail account and VERIFY that all the docs are shared. If you own the document/file, VERIFY that your Gmail account is the new owner.
Check everything one more time. If you are unsure than anything has been shared and will not go “poof” when you delete this Google account, just download a copy to your local hard drive (or email it to your Gmail account). Like I said, never come back to me and say you lost any Google data because of this blog post.

Part Two: Delete the Google Account

Go back to the home page for the Google account you want to delete: https://www.google.com/accounts/ManageAccount.
MAKE SURE this is the right Google account by confirming the email address in black at left end of the links at the very top of the page.
Next to the My products header (the second horizontal section down the page), click the Edit link. This should take you to https://www.google.com/accounts/EditServices.
The second option on the page is to Delete Account. Choose that option and follow the instructions to confirm you want to permanently delete this account (and wipe that sweat off your brow). Seriously, if you’ve shared or backed up all the files associated with this account, you’ve nothing to fear. It’s just like reformatting a hard drive <ouch>.

Once you’re done, take a deep breath. Wait 15 minutes. (I don’t know if you actually have to wait this long, but I figured it’s long enough to wait for Google’s servers to go through all their account deletion machinations.)

Part Three: Add The Alias to Your Primary Google Account

Log back in to your Gmail account (or whichever Google account you want to make your primary).
Follow the instructions earlier in this blog post to add the email address (for the Google account you just deleted) as an alias to this Google account.
Once Google confirms it as an alias, you’re done.

Problem solved.

Why It’s Still Not Perfect: A Final Warning

It’s worth pointing out that privacy, not just security, can be an issue with account aliases. Sometimes you don’t want someone to know you are using Gmail address to do all this cool stuff. But if your Gmail account is your primary Google account (as I advise), then take note of the following warning:

Note: In some Google services, if you share your alternate email address with your contacts, they might be able to learn your primary email address.

In short, Google hasn’t fully figured out yet how to provide you with completely separate personas on the Web. In my personal opinion, they would be well-advised to do so. It’s not easy — acheiving this level of privacy can be as hard as acheiving corresponding levels of security. But Google has the talent and, I believe, the motivation to attain this goal. I hope they consider it soon.

Daniel Raskin - Sun: Bookmarks for February 6th

2010-02-06T19:03:32Z

These are my links for February 6th:

Phil Windley - Kynetx: Redirectionless OAuth Credentials Exchange

2010-02-06T18:15:26Z

Image via CrunchBase

Am I missing something here? Twitter is working with select partners to test what is variously being called OAuth delegation or browserless OAuth credentials exchange method (not sure why browserless since it's not about the browser, it's about the redirection).

The bottom line is that in an effort to be more user friendly, this removes the redirection to the Twitter site where you authoirize access by letting the third-party site (the site being delegated to) collect and then pass along the user's username and password to get the OAuth credentials. Abraham Williams captured the POST headers from Seesmic Look and they clearly contain the username and password.

I don't see how this can be a step forward in secure third-party access to APIs like Twitter. Once users start being allowed--even required--to (again) enter usernames and passwords into third-party sites, they'll be ripe for phishing attacks. Maybe I'm misunderstanding this based on the scetchy information available, but it looks phishy to me.

Marc Canter - Broadband Mechanics: I’m not passive in any way

2010-02-06T14:16:21Z

My wife just said it perfectly.

I’m going to pursue the answers. I’m not gonna sit still and accept the status quo.

Kismet has brought me here and I’m letting fate guide me.

My current class has us building the user experiences for the Case Connection Zone. Stay tuned on that one. It’s installing 1,000 megabit connections into 104 homes and apartments on Hessler St. - directly adjacent to the CWRU campus.

Watch the videos of the class - and enjoy me having a GREAT time teaching!

Phil Hunt - Oracle: First Open Source Reference Implementation of IGF 1.0

2010-02-06T05:00:36Z

Over the past few months, a good deal of progress has been made around IGF and the open source implementation around it. In particular, last fall, Liberty Alliance ratified the IGF 1.0 specification as final. In mid January we published ArisID 1.1, the first open source implementation of IGF 1.0. Finally in late January, we checked in the first implementation of an open source provider based on OpenDS 2.2 (more on that below).

ArisID is an API for accessing and managing personal or identity related information using CARML as an XML data model. In addition to being useful from a privacy perspective, CARML enables important new developer features:

The ability to automatically generate a data model in the form of Java beans.
The ability to use sophisticated data providers that can connect applications to personal information sources using multiple protocols and virtualization.

If the principles of using an XML data model sounds familiar, it should. ArisID follows very similar architecture to Java Persistence Architecture. The key difference is that use of the CARML data model does not assume the pre-existance of a particular database or LDAP schema. Instead, a developer is able to create an application specific data model and write code as if the data model were a straight forward database. Then, at runtime, the provider layers of the API can be configured to connect to many different types of data repositories and network configurations including multiple directories or databases. With little effort, developers are able to create sophisticated applications that have much greater deployment flexibility in the types of data sources and repositories they can support, including remote and third-party sources.

Starting with the Oracle Fusion Middleware 11gR1(PS2) release, Oracle began to integrating this technology into its own products, setting the stage for a new level of support for open protocols and scalable enterprise deployment scenarios. For more information on how Oracle is using IGF and ArisID in 11gR1, check out the whitepaper, "Oracle Identity Management 11gR1".

As mentioned earlier, ArisID depends on "provider" modules to do the work of implementing data model requirements as expressed in application specific CARML declarations. At present there are now 2 implementations available:

The Oracle OVD Provider for ArisID "Preview" is the first provider to support the ArisID 1.0 API. A developer preview is available here. Expect an update in the next quarter regarding ArisID 1.1.
A brand new OpenDS 2.2 provider for ArisID is now available in the openLiberty sourceforge project repository. The new OpenDS provider allows developers to use OpenDS instead of OVD as a repository for applications using ArisID 1.1. The OpenDS Provider for ArisiD the first fully open source ArisID Provider implementation. For more information consult the readme file contained in the OpenDS Provider for ArisID distribution zip.

Project Aristotle is now moving forward with efforts to support integration into popular IDEs. As always, new contributors are always welcome, please see the OpenLiberty.org web site for more information. Also, feel free to subscribe to the igf-dev mailing list.

Finally, thanks to the OpenDS team (Ludovic, Bo, Matthew) for their assistance in helping to get the first open source implementation of a provider for ArisID done. In some respects, the Oracle/Sun merger delayed a lot of this work, but now that it is done, we can get back to work and contribute more to our respective projects. As Nishant Kaushik says, Sun + Oracle = Exciting Days Ahead! By the way, click here for webcasts about Fusion Middleware and in particular Identity Management.

Identity 360 - Imprivata: E-HEALTH INSIDER (UK) - GEORGE ELIOT ROLLS OUT SINGLE SIGN-ON

2010-02-05T19:50:09Z

http://www.e-health-insider.com/news/5614/george_eliot_rolls_out_single_sign-on

Pamela Dingle - Bonsai Identity: Commercial Phishing

2010-02-05T16:43:15Z

Twitter broke a very interesting story this week about a hacker who bulk-harvested account details by installing backdoors in a popular torrent hosting solution. Users registered for a valid service, and received value in return, but all the while, their details were being stolen.

This would be a pretty boring phish, except for the part where users re-use passwords and account names ALL THE TIME. The current trend is upsell — harvest a low-value throwaway password at an insecure site and then see what high value matches can be made with the same username and password.

Identity Theft via phishing used to be a consumer identity problem, but Cloud services and extranets have changed that. There is now a new game in town: commercial phishing. If your enterprise users are uninformed enough to use their work email and a standard, muscle-memory-password at a site like a torrent site, attackers now have a growing list of possible commercial candidates for that account. Of course there is always the chance that the worst case scenario will happen and an attacker will harvest your entire Enterprise Directory. You may say, my company is obscure, what use would hacking my company be? Well, if you use outlook web access, and your AD password is phished, and your accountant uses his/her work email address for password recovery on your corporate banking site, there is a path for an attacker to get at your organization’s money from the internet.

I think it’s hysterical that a company will spend all sorts of money for education of their workforce around physical safety and nothing on account safety. Why is there not a brightly colored data safety reminder on every floor, something to idly inspect while you’re waiting for the elevator? As much as you scoff at the idea, the very prosaic advice that this fire poster offers DOES help in muscle-memory situations. The strategy of setting out simple rules and making them highly visible does work.

Not only does a sign like this not exist for account safety, I don’t even think that there is agreed-upon text to go on it. No wonder we’re in the state we’re in.

Ludovic Poitou - Sun: Oracle and Sun Directory Services...

2010-02-05T16:33:10Z

Mark Wilcox, principal product manager for Oracle Virtual Directory has posted an initial update with regards to Oracle and Sun directory services.
Nothing really detailed so far, but it's good place to post your comments on the Oracle + Sun Identity Management Strategy and more specifically regarding directory services.

To me and my coworkers, the most important messages are :

We are going to continue to offer both Oracle Internet DirectoryAND Sun Directory Server Enterprise Edition

and

OpenDS will remain an open-source project

Details are still being discussed and ironed out, but I hope to be able to share them soon. Stay tuned !

Technorati Tags: directory-server, dsee, identity, ldap, opends, oracle

Phil Windley - Kynetx: Subscription Models are Chic

2010-02-05T15:13:33Z

Image via CrunchBase

A recent blog post by Dave McClure, the investor in charge of the Founders Fund seed investment program makes the assertion that "subscription models are the new black" and we've lost a decade of innovation by people living off the table scraps of Google's $10B pay-per-click ad system. (Warning: the blog post is pretty raw.)

In a seeming non-sequiter, he moves on to talking about passwords. But pay attention, because what he's really doing is talking about friction in subscription models and the friction that they inpose. I think it's interesting that the iPhone app store, for example, still requires that I type a password when I purchase an app on my iPhone given that they have a good identification based on the device. Of course, what they're doing is using the password for authorization. Making sure it's me who's purchasing the app.

Paul Madsen: Search optimization

2010-02-05T14:07:56Z

Posted via email from Paul's posterous

Paul Madsen: New line of greeting cards

2010-02-05T14:06:56Z

Posted via email from Paul's posterous

Paul Madsen: Disengenuous

2010-02-05T13:53:13Z

A story in screen shots.

Seems innocuous enough

Hmm, they aren't actually asking me if want to install the app... I'll proceed until they do

So although I wasnt explicitly asked, the app was installed

Buh bye

Neil Wilson - UnboundID: LDAP Client now in Android Market

2010-02-05T07:06:52Z

Ever since I started looking at Android a little over a year ago, I've had a simple LDAP client in one form or another. Since the UnboundID LDAP SDK for Java works on Android, it wasn't too difficult to put a simple GUI on top of it that allows you to perform LDAP searches. However, until recently it wasn't in a state that I felt was suitable for publishing. Prompted by the Android Developer Labs (which I attended earlier tonight), I finally got around to making it presentable, and as of a few minutes ago, the app is now available for free in the Android Market. It's far from a masterpiece, but it can be pretty useful if you want to access LDAP content. Some of the features it has include:

It has support for multiple servers. Each server definition includes an address, port, security mechanism (none, SSL, or StartTLS), optional bind DN and password, and optional base DN.
You can customize the type of search to perform. It has a drop-down that allows you to select the type of search (last name, first name, full name, e-mail address, or user ID), or if you want you can enter your own LDAP search filter.
If multiple entries are returned, you can see a brief summary of each. Tapping on one of them will take you to a more complete view of the entry. Long-tapping will pop up a menu with options for the entry (view a formatted representation, view an LDIF representation, copy the DN to the clipboard, or copy the LDIF representation to the clipboard).
When viewing a single entry, clicking on the header for that entry will allow you to view the entry as LDIF, copy the DN to the clipboard, or copy the LDIF representation to the clipboard.
Clicking on a telephone number in an entry will allow you to dial or send an SMS message to that number, or copy the number to the clipboard.
Clicking on an e-mail address in an entry will allow you to send an e-mail to that address, or copy the address to the clipboard.
Clicking on a postal address or ZIP code in an entry will allow you to show a map of that location, navigate to that location, or copy the address to the clipboard.
Clicking on any other attribute in an entry will allow you to copy the value of that attribute to the clipboard.
A button at the bottom of the panel for a user entry will allow you to add information about that user to your local contacts.

If you have an Android device, then you can find this application in the market just by searching for "LDAP" (it's currently the only match). The full name is "LDAP Client" and the author is "Neil Wilson". I hope to improve it further in the future, but I at least wanted to get this reasonably-functional version out there for people that have a use for it.

Anil Saldhana - Red Hat: Growing Menace of Identity Theft

2010-02-05T02:06:26Z

The latest article in Washington Post titled "Identity thieves use sophisticated techniques to steal money" is a proof of the growing menace of Identity Theft that is plaguing the developed free world.

Once your identity is stolen, it is very very difficult for you to recover from the trauma. Based on victims' experiences (and other experiences in the comments section), we have to admit that Identity Theft is a menace and is a growing reality.

You have to know that your kids/toddlers are not safe either. Check this report on "Child Identity Theft".

Stay Safe.

Dave Kearns' IdM Newsletter: Another Way to Support Access Compliance

2010-02-04T21:37:18Z

Dave is absolutely right regarding these benefits, but there are a few other benefits he didn't discuss that are worth pointing out in more detail.

Dave Kearns' IdM Newsletter: How much security do we need?

2010-02-04T19:27:56Z

My colleague Jörg Resch blogged today about the ignorance regarding layered security approaches. Yes, there is no absolute security. Security is something which is tightly related to risk. Given that we can’t have the perfect security, especially not with people using systems, it’s always about the balance between the security-imposed risk and the cost of risk mitigation.

Mark Dixon - Sun: Users of Cloud-based Services

2010-02-04T16:54:19Z

The following chart may be helpful as we consider the different types of users that should be addressed by Identity and Access Management (IAM) technology and processes in cloud computing.

At the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) layers, the only users are administrators of the platform or infrastructure services, respectively. However, these administrative users may be either on the provider side or on the recipient or enterprise side. End users, whether within the enterprise (employees or contractors) or external to the enterprise (customers and partners), only exist at the application layer or Software as as Service (SaaS) layer.

This illustrates how cloud computing introduces increased complexity into IAM. Not only do the different layers (PaaS, IaaS and SaaS) have unique requirements, but multiple organizations (e.g. provider and enterprise) need to be considered.

For example, the nature of PaaS services will require provider administrators to have root access to the operating system, while enterprise administrators at the SaaS level may only need access to application configuration functions and external SaaS users only need to access to selected application functions.

Hopefully, this provides food for thought as we explore IAM in cloud computing. I’d be grateful to hear your comments.

Technorati Tags: CloudComputing, Identity, IdentityManagement

Courion: Another Way to Support Access Compliance

2010-02-04T15:55:00Z

Courion Access Assurance Blog

This week Dave Kearns wrote a column, User provisioning: right access to the right people, where he outlined some of the key benefits of provisioning, namely: improving productivity and reducing risk. Dave makes the point that productivity is improved by providing new employees with Day One access to various IT resources (email, laptop, enterprise applications, databases, etc.), while risk is reduced by reconfiguring or removing access rights when an employee changes roles or leaves the company.

Dave is absolutely right regarding these benefits, but there are a few other benefits he didn't discuss that are worth pointing out in more detail.

One benefit which we hear regularly from our customers is that automated provisioning significantly reduces the time and effort required to manage user access rights. The result is that they are able to drastically reduce the number of staff dedicated to the provisioning process. In one instance, a $2 billion provider of senior living services was able to reduce headcount from 5 FTEs to 0.5 FTEs, saving hundreds of thousands of dollars annually. In another, a large regional bank was able to double their provisioning coverage from 100 to more than 210 applications and justified the investment to their management through reduced headcount (see Creating Budget Where None Exists).

Another key benefit is in access compliance. Whether your company needs to comply with internal policies, audit findings, or industry and government regulations, you need to ensure that user access rights are being managed appropriately. While provisioning isn't required to be compliant, one of the benefits you can achieve is assuring that users are initially only granted access rights that are needed to do their jobs. This preventative control lowers risk, reduces the potential that you may fail a security audit, and helps streamline the access certification process.

blog.courion.com

Mark Wilcox - Oracle: My Own IPad Thoughts

2010-02-04T15:52:05Z

Jackson Shaw just posted his own thoughts on the upcoming iPad.

I thought I would comment on something he wrote and then toss in my own general thoughts.

Jackson wrote "Hint, if you aren’t working on a Kindle app for the iPad you’d better be!".

To which I would point out - worse case scenario - since the iPad supports existing iPhone apps - the existing Kindle app should work. Same as B&N Nook app and Stanza.

Though maybe the better question will be - will Amazon/B&N upgrade the app to be as slick as what the iBooks app looked like on the demo?

Personally I'm not sure if I really want that metaphor but I appreciate the marketing aspect of it.

And I'm not completely sure that iPad will kill Kindle or the Nook. After all - the iPod hasn't completely killed the MP3 or mobile phone alternatives either. In particular if a low-price (under $100) emerges because the battery life and easier on the eyes screen is good enough features to justify owning a dedicated eReader if you read lots of books. I know not many people read as voracious as I do - but there are still plenty of people who like to read.

But I am pretty sure I'll be buying my own IPad as soon as one comes out - with the goal of it at least being able to be used as my travel PC.

--

Posted via email from Virtual Identity Dialogue

Identity 360 - Imprivata: Doing "More with Less": Improved Security and Productivity Can Be Yours

2010-02-04T13:43:01Z

In this web presentation and discussion, James Hayes, VP and Network Operations Manager at Renasant Bank, will describe the challenges that his team faced and the solution that he implemented to provide his users with secure and fast access to data.

Jackson Shaw - Quest: Apple’s iPad

2010-02-04T13:01:00Z

Things have died down enough for another post on this topic by yours truly. Let me also point out a few really excellent posts on the iPad (both pro and con):

Doc Searls: “Up the creek without an iPaddle”
Rod Simmons: “Why was the Apple iPad announcement BORING”
Jason McC. Smith: “The Apple iPad, explained to geeks”

My view is pretty simple: I’m buying Apple stock while selling both Microsoft and Amazon (if I had any Amazon stock that is). The iPad is going to be a big seller. Maybe not on day 1 but just like the iPod and iPhone the long-term result will be huge for Apple, Steve Jobs, consumers and Apple shareholders (like me). Consumers are key. I wouldn’t buy my father or mother a PC but I’ll buy them an iPad. Explain a netbook to them? You’re kidding, right? Apple will win the consumer over and that’s where the money is. Once Apple wins over the consumers they’ll simply chip away at Amazon and the netbook manufacturers.

I’m a Kindle user. I’d rather travel with a dual-capable device like the iPad (and my netbook) rather than a Kindle (and my netbook). It will be interesting to see how Amazon reacts to this but I have a feeling they are in deep trouble. All the water is draining out of the ocean Amazon because an Apple tsunami is coming. You’d better head to higher ground - quickly! Hint, if you aren’t working on a Kindle app for the iPad you’d better be! (Is Amazon already starting to play defense? Check out this blog post: "Coming to the Kindle: A flexible color touch screen.")

Netbooks are in trouble. If I had one device that I could use I'd chose the iPad. I probably won't be able to toss everything out in favor of an iPad when they start shipping but I bet I might be able to in a few years. I loved reading Jason’s post (above) and this passage in particular:

Until now, the PC world has been differentiated by the cost of the hardware, which is a measure of the raw power possible. Pay more, get more power. But you have exactly the same experience on each machine, just slower or faster.

EXACTLY! My wife, father and mother don’t need a less expensive piece of hardware (netbook). They need a better EXPERIENCE! I expect the iPad will deliver that experience. Money is going to be diverted from netbook purchases to iPad purchases. All the water is draining out of the ocean netbooks because an Apple tsunami is coming. You’d better head to higher ground - quickly!

Many of us in this business travel a lot. Let’s start keeping count of how many iPads we see on planes after they release. I have been tracking Kindles and I will bet $100 right now that within 2 quarters after the iPad release you will see more iPads on your plane than Kindles.

Oh, and if you happen to be in corporate IT you’ll be supporting the iPad soon. It’s really hard to say “No, we don’t support those” to your CEO when he walks in the office with one. (And, it’ll be worse if he walks in and you say: “What’s that?”)

Technorati Tags: Apple,AAPL,iPad,AMZN,Kindle

Kim Cameron - Microsoft: More unintended consequences of browser leakage

2010-02-04T12:16:01Z

Joerg Resch at Kuppinger Cole points us to new research showing how social networks can be used in conjunction with browser leakage to provide accurate identification of users who think they are browsing anonymously.

Joerg writes:

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, adress, phone numbers and so on. What they do, is just exploiting the browser history to find out, which social networks the user is a member of and to which groups he or she has subscribed within that social network.

The Practical Attack to De-Anonymize Social Network Users begins with what is known as “history stealing”.

Browsers don’t allow web sites to access the user’s “history” of visited sites. But we all know that browsers render sites we have visited in a different color than sites we have not. This is available programmatically through javascript by examining the a:visited style. So malicious sites can play a list of URLs and examine the a:visited style to determine if they have been visited, and can do this without the user being aware of it.

This attack has been known for some time, but what is novel is its use. The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into “group membership stealing”. This brings us to the core of this new work. The authors have developed a model for the identification characteristics of group memberships – a model that will outlast this particular attack, as dramatic as it is.

The researchers have created a demonstration site that works with the European social network Xing. Joerg tried it out and, as you can see from the table at left, it identified him uniquely – although he had done nothing to authenticate himself. He says,

“Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I´m a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That´s weird!”

Since I’m not a user of Xing I can’t explore this first hand.

Joerg goes on to ask if history-stealing is a crime? If it’s not, how mainstream is this kind of analysis going to become? What is the right legal framework for considering these issues? One thing for sure: this kind of demonstration, as it becomes widely understood, risks profoundly changing the way people look at the Internet.

To return to the idea of minimal disclosure for the browser, why do sites we visit need to be able to read the a:visited attribute? This should again be thought of as “fingerprinting”, and before a site is able to retrieve the fingerprint, the user must be made aware that it opens the possibility of being uniquely identified without authentication.

Kuppinger Cole: “Our Systemes are Secure”

2010-02-04T08:08:54Z

In Joerg Resch

I love this kind of statement. It contains total ignorance of the fact, that security is not an absolute value and that it should take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DeHSt – Deutsche Emissionshandelsstelle), who said this, after a successful phishing attack had caused a damage of 3 Million Euros to some of the companies using this platform to trade their emission permits.

Imagine – a trading platform where “real” money is being moved – with just a simple password protection. Not even transactions are protected with TANs. Once you have access to one of the 2,000 accounts on this platform, you can do anything. And they did. The only thing the attackers did slightly better than in most other phishing cases – their mail did not contain too many spelling errors and looked pretty serious.

I hope that the companies now suffering the damage take a good lawyer, because it will be not very difficult to proof, that in the year of 2010 the technology market offers some better options to separate assets from threats than just a simple password.

What really strikes me is that again it is a German governmental institution showing this kind of willful ignorance, when it comes to technology.

Marc Canter - Broadband Mechanics: It’s George’s birthday - and I’m blogging

2010-02-03T22:20:48Z

Happy birthday to my best friend here in Cleveland - George Nemeth!

The Open Web doesn’t have a single vendor

I can’t think of a better person to run Google’s social efforts - than Joseph Smarr!

Subscriptions are the new black - I still think OPEN is the new black. Others agree.

It’s Time to Know

Regrets on being a Digital nation

Monetization and consolidation in the land of Second Life.

Microsoft Azure finally ships….

Werner Vogels and Amazon = rock!

Divest divest divest - is what Yahoo is all about.

Learning from your garden - is crucial

Gotta get me one of those Meebo bars!

Tee Hee Hee - I’ve had to explain to potential customers the difference between en entity page (Pages in Facebook parklance) and Groups - for years. Here’s the guide ot Facebook’s definitions.

Looks like they had a great birthday party for Doug Engelbart! Wish I was there.

the future of Jobs

If Cisco is making money - that’s a good thing! Akamai too! And News Corp s

Critical Mass still going strong in SF

Congrats to UStream - looks like they’re tied into Softbank, Asia and a solid base of future customers. Now where are their APIs?

Essex & Delancey St Juice bar - right near Sammy’s Romanian Steak House.

Strategic Doing, iChange, Quirky, Slideshare Custom channels,

Jackson Shaw - Quest: I want my XDrive!

2010-02-03T21:33:51Z

I caught Mary-Jo Foley’s post on this topic last week…

Microsoft is making available to testers a beta of Windows Azure Drive (formerly known as XDrive), which will allow them to create automatic backups of Windows applications that they may want to move to the Azure cloud.

I think this is a great thing for Microsoft to do. Basically, XDrive will enable Windows applications to be run against an Azure-based cloud “drive” that supports NTFS. Now wouldn’t that be nice to have your application work against your C: drive one day and then re-configure it the next to run against your XDrive? Voila, your data is in the cloud. This is certainly something that I would want as a configuration option for any new, green-field application – an out-of-the-box configuration option to use cloud storage.

Microsoft is clearly doing this to help migrations to the cloud and that’s awesome just in itself. As a consumer, I really want to point – for example – NTBackup at my XDrive.

Technorati Tags: Microsoft,MSFT,Azure,XDrive

Dave Kearns' IdM Newsletter: IAM can be used in many ways, claims expert

2010-02-03T20:14:54Z

The group suggested that a firm's web proxy can also act as a security awareness tool, by redirecting users to an internal page which explains why a certain website is blocked, rather than just denying their access.

Brad Tumy - Oracle: OVD 11g ForkJoin Plugin “FullOuterJoin” explanation #oracle #idm #ovd

2010-02-03T20:07:24Z

I tried to implement the ForkJoin plugin today, for the first time. The documentation is pretty good but not clear about one specific parameter (which happened to be the one that I needed). When you add the plugin and then select to add a parameter, screenshot, one of the options is FullOuterJoin. According to the documentation is a setting under the JoinPolicy. The implementation is a little different, as you can see if you click on the screenshot. I wasn’t sure what to put here, so I checked with Oracle and was told this:

“… that referenced Full Outer Join as being set to either true or false. ” and “… they believe that setting Full Outer Join to true would mean full outer join is performed, set to false would mean left outer join, and to have standard join we would simply not install the plug-in.”

I was able to confirm that by setting FullOuterJoin to true does indeed allow entries from both (in my case) adapters to be returned. The only caveat to this is that entries that should be joined … are no longer joining. So, still trying to figure that part out.

Update (02/05/2010):

I heard back from OVD Dev as follows:

The documentation for plug-in configuration parameters has to be read as:
Names mentioned in bold are parameters that a plug-in supports.
Under each parameter name, description and semantics of all possible values are explained.

First, for Fork Join plug-in, SecondaryOnlyAttributes, PrimaryAndSecondaryAttributes & JoinPolicy are the only parameters supported. ‘FullOuterJoin’ is not a parameter, but one of the possible values for ‘JoinPolicy’ parameter. The other values are ‘StandardJoin’ & ‘LeftOuterJoin’. Please note that there are no spaces in parameter values.

Second, ODSM displays the list of parameters supported by a plug-in from the plugin manifest file. Since ForkJoin plugin manifest file incorrectly has “FullOuterJoin” as the parameter name instead of “JoinPolicy”, the incorrect parameter name is displayed in ODSM.

As ODSM would not allow specifying any other parameter to the plug-in configuration than what is listed in the plug-in manifest, the workaround, for now, is to please make a backup copy and then edit the <$ORACLE_INSTANCE>/config/OVD/<ComponentName>/adapters.os_xml file as follows, then re-start OVD server:

Change following line from:
<param name=”FullOuterJoin” value=”true”/>

To:
<param name=”JoinPolicy” value=”FullOuterJoin”/>

Third, since the value for “JoinPolicy” is not specified in the plug-in configuration, ForkJoin plug-in assumes “LeftOuterJoin” as the default and hence users that are only in secondary adapter (AD2) were not returned.”

CA on Security Management: GRC: The Agile Market

2010-02-03T16:38:00Z

A recent blog post http://bit.ly/bVd2i1 from Forrester Research made some very useful points, in my opinion. The focus of the article was on flexibility, in two key respects. First, flexibility is a key requirement of any GRC program, primarily because the demands for risk and compliance are so fluid right now. There are clearly more regulations coming, but we don't know the...

Dave Kearns' IdM Newsletter: Lieberman Software and Heritage Global Solutions Partner to Deliver Privileged Identity Management Solutions

2010-02-03T16:36:44Z

Privileged identities are accounts such as administrator and root accounts that hold elevated permission to access files, install programs, and change configuration settings. These accounts exist on nearly every server and desktop operating system, business application, database, Web service, and network appliance in an enterprise.

Dave Kearns' IdM Newsletter: Gemalto buys mobile authentication firm Valimo

2010-02-03T16:35:13Z

French smart card maker Gemalto (GTO.PA) has acquired Finnish mobile authentication startup Valimo Wireless, tapping into the surging market for mobile financial services.

Identity 360 - Imprivata: SECURITY PARK (UK) - IMPRIVATA PROVIDES NHS CLINICAL STAFF WITH SECURE ACCESS TO MEDICAL APPLICATIONS VIA SSO TECHNOLOGY

2010-02-03T14:52:48Z

http://www.securitypark.co.uk/security_article264309.html

Paul Madsen: New line of greeting cards

2010-02-03T11:50:17Z

Posted via email from Paul's posterous

Paul Madsen: New line of greeting cards

2010-02-03T11:36:06Z

Posted via email from Paul's posterous

Gerry Beuchelt - MITRE: Links for 2010-02-02 [del.icio.us]

2010-02-03T08:00:00Z

Cross Domain Solutions
The Cross Domain Enterprise Service provides support to Combatant Commands, Services and Agencies (CC/S/A) by implementing, fielding and providing life cycle support for cross domain solution technologies that provide secure interoperable capabilities throughout the Department of Defense (DoD).

Kuppinger Cole: Is History-Stealing a Crime?

2010-02-03T07:52:57Z

In Joerg Resch

In my previous posts I described iSec Lab´s de-anonymizer, which combines a browser´s history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to exactly know who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, there we might soon see broad use.

Therefore the question: is it allowed to run such a de-anonymizer? Well, I´m not a lawyer, but in the German Criminal Law (§ 202a StGB, Ausspähen von Daten), data theft is a crime only if the stolen data had been protected against unauthorized use and if the attacker did crack that protection. Browser history is not protected against unauthorized use. So it is not a crime over here.

Hubert Le Van Gong - Sun: Oauth Library for Jersey – Percent Encoding Fix

2010-02-03T07:51:03Z

I’m happy to report that we’ve fixed an issue in the percent encoding step of our OAuth signature library for the Jersey framework. The issue reported was caused by the fact that we were using Java’s URLEncoder and URLDecoder classes to compute OAuth’s signature base string. Unfortunately those classes do not perform an RFC3986 compliant encoding which is required in OAuth. The main difference is that a space character will be encoded as a + when we need it to be escaped as a %20 (more info here).

To fix this, we’ve chosen to leverage Jersey’s UriComponent class. There is one notable difference though with how one would encode a URI (see here for a very detailed explanation of URIs): OAuth says that the signature base string is built by concatenating the request method, the request URL and the normalized parameters (with & to separate them) and that those elements must be encoded (prior to concatenation). In effect we are re-encoding elements that are already encoded. As Paul noted, it’s as if we wanted to pass the signature base string in a URI… I remember this possibility was mentioned in conversations about debugging OAuth deployment but that’s the only case I remember for this.

Anyway, to illustrate this, below is the piece of code where the bulk of the action happens:

StringBuffer buf = new StringBuffer(request.getRequestMethod().toUpperCase()); URI uri = constructRequestURL(request); String tp = uri.getScheme(); buf.append('&').append(UriComponent.encode(tp, UriComponent.Type.SCHEME)); tp = uri.getAuthority(); buf.append("%3A%2F%2F").append(UriComponent.encode(tp, UriComponent.Type.AUTHORITY)); tp = uri.getPath(); buf.append(UriComponent.encode(tp, UriComponent.Type.PATH_SEGMENT)); buf.append('&').append(UriComponent.encode(normalizeParameters(request, params), UriComponent.Type.QUERY_PARAM));

Our testing code now also includes elements with spaces to make sure we got it right (thanks to Michael Werle).

Kuppinger Cole: De-Anonymizer Self-Test

2010-02-03T07:13:50Z

In Joerg Resch

Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I´m a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That´s weird!

De-Anonymizer Test Result

Rakesh Radhakrishnan - Sun: Contextual Composition of Converged Services

2010-02-02T23:02:32Z

Its great to learn more about Oracle's Converged Communications products, this week. Starting with the SDP platform that include Converged Communications Server (JEE, SIP Container, IMS/NGIN/WS Server, etc), Communication Services Gatekeeper (parlayX gateway, SLA/QOS Policy enforcer, etc) and the new Communications Media and Advertising Server, OSS/BSS Servers (end to end from Service Activation to Service Retirement), Media and Entertainment Services, GRC for Telco and an ATCA+SAF compliant Carrier Grade Framework. An awesome product line!! No wonder Telco's worldwide choose Oracle. Now with the Sun acquisition, every Telco I've worked with in the past 10 years (from an ID Stack perspective) - Telstra in Australia to Telus in Canada, Telcel in Mexico to Verizon in US, Vodafone in Europe to Reliance in India, Vimplecom in Moscow to China Mobile in Beijing can leverage the Identity, Policy and Context layer to Deliver Revenue generating NG converged communication services and cloud services!

Rakesh Radhakrishnan - Sun: Secure SIM and SSO based Payment Services

2010-02-02T21:16:07Z

My Keynote with Hadi Nahari, Principal Architect at Paypal is confirmed for april 2010. The POC will continue with an Oracle+Sun ID Stack.. We will present on the requirements and key metrics around performance and scalability that resulted in a proposed Solution Architecture (300 mill+ subscribers, 1 mill policies, 1+ billion attributes, etc.).. This will be my first as an Oracle employee!!

Mark Wilcox - Oracle: The Initial Oracle and Sun Directory Services Update

2010-02-02T20:52:13Z

Nishant wrote a nice post summarizing the information we can share on the Oracle+Sun IDM strategy.

But I want to highlight the summary for Directory Services and have a reference post for people to use as comments.

First - Oracle Virtual Directory will be our virtual directory.

Second - We are going to continue to offer both Oracle Internet Directory AND Sun Directory Server Enterprise Edition.

Third - OpenDS will remain an open-source project

I welcome all of our new Sun colleagues to Oracle. And I look forward to talking to everyone to get feedback and discuss our future direction.

Posted via email from Virtual Identity Dialogue

Paul Madsen: New line of greeting cards

2010-02-02T19:34:10Z

Posted via email from Paul's posterous

Dave Kearns' IdM Newsletter: Some still don’t get it!

2010-02-02T19:19:40Z

Then they kind of messed up. For my convenience and to make sure I would be able to use their shiny new site to buy lots of international train tickets they included my password. Yes, you read that right, they mailed me my password. Without me asking for it.

Paul Madsen: New line of greeting cards

2010-02-02T19:02:42Z

Posted via email from Paul's posterous

Dave Kearns' IdM Newsletter: If you have the same problem for a long time, maybe it is a fact not a problem…

2010-02-02T18:13:41Z

A quick recap: Problem – weak passwords = hacking made easy Root cause – us, the (lazy) users Solution – replace us, the (lazy) users Problem solved, moving on!

Mark Wilcox - Oracle: Explaining Master Data Management Integration with Oracle Virtual Directory

2010-02-02T17:33:21Z

I got a couple of questions recently around OVD and Master Data Management (OVD).

MDM is an industry standard data solution that provides a single source of truth for customer information. It's particularly useful for large organizations who have customer data in lots of different repositories such as telco or higher education. It's complimentary to a provisioning solution - MDM provides a clean source of truth for a provisioning system. But MDM is not optimized for activities like password management or related account activities. Within Oracle we market our MDM solutions as Oracle Customer Hub.

There are two integration points:
1 - Authentication for MDM
2 - Use MDM as an OVD Data Source

The authentication use case is pretty simple - OVD can be used as the LDAP server for the Siebel MDM application. For example if you have 2 LDAP servers containing users who need access Siebel MDM, you can use OVD.

The more interesting use case is MDM as an OVD Data Source. For example lets say you want to build a web application that provides different level of features based upon customer status (e.g. basic vs premier customer). This data is managed in MDM and OVD can use this data to create an LDAP group without needing to copy the data into another LDAP store. Thus as soon as the MDM status changes, the access control permissions are changed automatically at the same time.

We refer to this capability as Identity Publisher.

There are two papers on this subject:
Integrating Oracle Virtual Directory with Siebel and Oracle Customer Hub
Configuration Instructions for Siebel, Oracle Customer Hub and Oracle Virtual Directory

Posted via email from Virtual Identity Dialogue

Jackson Shaw - Quest: Microsoft’s 'Cloud Computing Advancement Act'

2010-02-02T17:25:00Z

I took the time on my flight to New York City to review Microsoft’s call for a “Cloud Computing Advancement Act”. Microsoft’s senior vice-president and general counsel Brad Smith spoke about this at the Brookings Institute last week. You can read Mr. Smith’s speech (PDF) by clicking on the link in the previous sentence. Smith focuses on a number of key areas in this speech: privacy, security and international sovereignty.

While Smith focuses on the U.S. Bill of Rights and the Fourth Amendment to the Constitution he pretty much summarizes my concerns with this statement:

…one obvious attribute of the cloud is that information typically is stored on a server computer that is controlled by a third party. This makes it all the more important for service providers to be thoughtful and clear in deciding and communicating what they will do with this information.

How true! I think many of us take for granted that the information we store in the cloud is private. I use a cloud-based backup service that provides an offline (from my PC) backup of all information on my laptop. I never read their privacy policy. Maybe it's time for me to do that but wouldn't it be nice if we knew that there was a minimal privacy baseline imposed by the government? Is it time for a set of "Miranda Rights" for our cloud-based data?

Dave Kearns' IdM Newsletter: Identification through “Social Pattern Recognition”

2010-02-02T16:46:39Z

The combination of memberships to different groups seems to be nearly as unique as a fingerprint. According to a paper they published (their server is overloaded at the moment, you may need to try again later), this kind of identification through pattern recognition works with most large social networks, like Xing, Linkedin, Facebook etc.

Nat Sakimura: CX on OAuth WRAP

2010-02-02T08:53:26Z

Like there can be OpenID GET/POST and Artifact Binding for CX, there can be WRAP binding as well. It is fairly trivial, arguably more trivial than to define OpenID bindings.

Send CX proposal as an additional parameter on the Verification Code Request. Use wrap_client_id as the proposer’s identifier.
On the PoP verification page, display the terms and conditions included in the proposal.
Create the Verification code from the signature of the proposal and some nonce and random.
Web App Client sends the proposal again as an additional parameter on Access Token Request.
Sign the proposal to create the contract, serialize it with Base64 without line end, and return it as the access token on Access Token Response.

That’s all.

OpenLiberty: First Open Source Reference Implementation of IGF 1.0

2010-02-01T21:06:23Z

Cross-posted from independentidentity.blogspot.com

ArisID is an API for accessing and managing personal or identity related information using CARML as an XML data model. In addition to being useful from a privacy perspective, CARML enables important new developer features:

The ability to automatically generate a data model in the form of Java beans.
The ability to use sophisticated data providers that can connect applications to personal information sources using multiple protocols and virtualization.

Starting with the Oracle Fusion PS2 release, Oracle began to integrating this technology into its own products, setting the stage for a new level of support for open protocols and scalable enterprise deployment scenarios. For more information on how Oracle is using IGF and ArisID in 11gR1, check out the whitepaper, “Oracle Identity Management 11gR1“.

As mentioned earlier, ArisID depends on “provider” modules to do the work of implementing data model requirements as expressed in application specific CARML declarations. At present there are now 2 implementations available:

The Oracle OVD Provider for ArisID “Preview” is the first provider to support the ArisID 1.0 API. A developer preview is available here. Expect an update in the next quarter regarding ArisID 1.1.
A brand new OpenDS 2.2 provider for ArisID is now available in the openLiberty sourceforge project repository. The new OpenDS provider allows developers to use OpenDS instead of OVD as a repository for applications using ArisID 1.1. The OpenDS Provider for ArisiD the first fully open source ArisID Provider implementation. For more information consult the readme file contained in the OpenDS Provider for ArisID distribution zip.

Finally, thanks to the OpenDS team (Ludovic, Bo, Matthew) for their assistance in helping to get the first open source implementation of a provider for ArisID done. In some respects, the Oracle/Sun merger delayed a lot of this work, but now that it is done, we can get back to work and contribute more to our respective projects. As Nishant Kaushik says, Sun + Oracle = Exciting Days Ahead! By the way, click here for webcasts about Fusion Middleware and in particular Identity Management.

Cheers,

Phil Hunt, Oracle

Rakesh Radhakrishnan - Sun: Top Twenty Telco - Trust Oracle+Sun

2010-02-01T20:44:26Z

In the 10 years I was with Sun roughly 1/2 was on leading and consulting on Telco projects worldwide as a Lead Architect (including Telcel in Mexico, Vodafone in Europe, Cingular in US and more) that included integrated EBPP, mobileSOA, ID infrastructure and more, the reminder 1/2 was in SW Sales Org focusing on Identity Infrastructure (US, Canada and LA.). I am glad I will continue playing a LEAD role in Oracle Global Telco Unit reporting direct to a VP. My roles and responsibilities will include;

Acting as the GO TO GUY for Integrated ID Infra for Global Telco Deals.
Representing Oracle Comms at ITU, TMF, GSM, and other Industry Events, etc.
Integrating ID Infra for the Telco Vertical Solutions (Market Requirements, etc.).
Interfacing with different Product specific Product Managers for alignment.
Working closely with Sales/ISV/SI partner Teams focused on Telco a/c's.

Plus more... I already know the strengths that Sun brings to this Telco Industry, and combined with Oracle we will have solid momentum as Telco's roll out 4G & IMS worldwide and integrate Web 2.0 and Comms 2.0 services via a Common Identity, Policy and Context layer. Looking forward to the next 10 years at Oracle!! Its going to be AWESOME!!

Dave Kearns' IdM Newsletter: AuthenTec Inc. dismisses rival's merger bid; alleges patent infringement

2010-02-01T19:45:03Z

AuthenTec, which makes fingerprint-recognition systems for consumer electronics, called the overture by UPEK Inc. "a highly dilutive and speculative transaction" that is not in the best interests of its shareholders.

Identity 360 - Imprivata: RSA Conference Booth #2633

2010-02-01T19:42:36Z

Join Imprivata at the 19th annual U.S. RSA Conference. The event will take place from March 1st-5th at the Moscone Center in San Francisco, California.

Dave Kearns' IdM Newsletter: All NHIN identity management is local

2010-02-01T19:42:12Z

But while the NPI supports Medicare and Medicaid payments, it does not address broader provider identity management challenges that will become more critical as health information exchange (HIE) evolves and the nationwide health information network (NHIN) begins to spreads its roots.