Category: OSIS

Identity at RSA

I’ll be at RSA Conference next week participating in the following events.

What: The current goal is to demonstrate that SAML, WS-Fed and Information Cards can co-exist, and some of the use cases where that makes sense. For instance, if you already have a federation setup (using SAML or WS-Fed), you can leverage Information Cards as an authentication mechanism and tighten the security. Similarly, if you are planning on authenticating using an Information Card, you can extend the reach (and hence get more value for your investment) by federating using SAML/WS-Fed.
Who: Fugen, Internet2, Microsoft, Oracle, Ping Identity, Sun, Symlabs.
When: April 7th, 9AM-12:30 PM
Where: Red Room 302, Moscone Center North/South, Esplanade level

What: This is an interop event where you will get to see most (if not all) of the Information Card as well as OpenID providers and consumers. What started off as an informal interop session at IIW now has 57 participants. A lot of credit for this goes to Mike, Dale and Pam for continuing to encourage (read: harass) the other participants.
Who: 33 Companies. 24 Projects. 57 Participants.
When: April 8th, 9th. Working session 11AM-4PM. Demos: 4-6PM.
Where: Mezzanine Level Room 220, Moscone Center.

What: This has now established itself as a standard event at the main identity conferences. This is where we leave the vendor, customer, big enterprise, small company hats behind and just have a good time. Most end up getting wasted and missing out on their next day appointments.
Who: All available.
When: April 8th. 6-8 PM (it’s not really going to end at 8).
Where: 111 Minna Gallery (Tel: 415.974.1719).

See you there.

IIW2007B – My Takeaways

I’m back from IIW2007B. As always, there was a lot of energy, a lot of discussions and a lot of networking.
OpenID 2.0 was announced. OAuth 1.0 was announced. There were quite a few sessions on VRM, and some good discussions on reputation around OPs, RPs and users. I also got to spend one afternoon in the OSIS session, where the discussions have moved beyond the “happy path” and the vendors (me included) are ready to tackle the edge use cases around Information Cards.

One of my favorite sessions was “What’s next for OpenID”, led by Dick (Sxip) and Josh (JanRain). Now that OpenID 2.0 is wrapped and shipped, what needs to be improved for the next version(s)?

Here are my notes from the session (if you were there and I have missed or misinterpreted anything, feel free to correct me):

  • Single Sign Out: OpenID allows the user to have a single identifier and get a single sign-on experience across multiple applications. RP applications have different session timeouts, and this results in an inconsistent user experience as well as security issues. The protocol should have a way to “single log out” from all the applications.
  • Phishing resistant: OpenID has a couple of security issues, phishing being the primary one. It’s very easy for a rogue RP to redirect the user to a fake IdP and steal his/her credentials. There are a few solutions, e.g. Firefox plugins, but it would be nice to have support for it in the protocol (or at least a best practice or recommendation for providers).
  • User experience less geeky: It may seem easy to some, but typing (and remembering) an identifier is confusing and cumbersome for non-geeky, non-identity people.
  • Performance: Too many redirects. Direct authentication to the site using username/password results in a faster experience.
  • CardSpace – OpenID integration: CardSpace and OpenID are both addressing one fundamental problem – “reducing password overload”. Both have their strengths and weaknesses. It would be nice to have some convergence.
  • Identifier control: This is the identifier recycling issue plus some additional concerns. E.g. I have my own domain name that I have redirected to my favorite OpenID provider. RPs may attach my identifier (i.e. my domain name) to my account at the RP. If I forget to renew my domain name (or I get hit by a bus), someone else may acquire my domain name and thus get access to my account at the RP.
  • Non-browser authentication – Ability to authenticate to non-browser applications.
  • Consolidation / Synonyms – If a user has multiple OpenIDs, then the RPs should allow attaching multiple OpenIDs to the same account.
  • Identifier management – The users may already have an OpenID identifier from AOL, Yahoo etc. but don’t know how to use it at the RP. This is a usability issue for the RP sites.
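The identifier control and consolidation items above come down to what an RP persists when it links an OpenID to a local account. The following is an added example, not code from this post or from any of the projects named on the page: it sketches a relying-party account store that binds an account to the full Claimed Identifier (fragment included, which is the recycling mechanism OpenID 2.0 lets an OP use to distinguish successive owners of the same URL) together with the OP endpoint that asserted it, allows several identifiers per account, and contrasts that with a weak host-only match that would hand a lapsed domain's account to its new registrant. All names, URLs and values are constructed for the illustration.

```python
"""Added example (hypothetical RP code): persist OpenID links in a way that
survives identifier recycling and supports several identifiers per account."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class OpenIDAssertion:
    """The two fields of a positive assertion an RP should persist together."""
    claimed_id: str     # openid.claimed_id, possibly carrying a recycling fragment
    op_endpoint: str    # openid.op_endpoint that vouched for it


def normalize_identifier(url: str) -> str:
    """Case-fold scheme and host, default the path, and keep the fragment.

    The fragment is deliberately preserved: an OP may append one to the Claimed
    Identifier so that a later owner of the same URL ends up with a different
    identifier. Stripping it would defeat that protection.
    """
    parts = urlsplit(url.strip())
    scheme = (parts.scheme or "http").lower()
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))


def account_key(a: OpenIDAssertion) -> tuple:
    # Bind the account to both the identifier and the OP that asserted it, so a
    # new domain owner who delegates the URL to a different OP cannot inherit it.
    return (normalize_identifier(a.claimed_id), a.op_endpoint.rstrip("/").lower())


class AccountStore:
    """Maps (claimed_id, op_endpoint) pairs to local accounts.

    Several pairs may map to one account, which is the consolidation / synonyms
    case: a user with OpenIDs from two providers links both to one login.
    """
    def __init__(self) -> None:
        self._links: dict[tuple, str] = {}

    def link(self, account: str, a: OpenIDAssertion) -> None:
        key = account_key(a)
        owner = self._links.get(key)
        if owner is not None and owner != account:
            raise ValueError("identifier already linked to another account")
        self._links[key] = account

    def lookup(self, a: OpenIDAssertion) -> Optional[str]:
        return self._links.get(account_key(a))


def weak_lookup(store: AccountStore, a: OpenIDAssertion) -> Optional[str]:
    """The mistake behind the identifier-control concern: matching on the bare
    host name, ignoring fragment and OP. Included only for contrast."""
    host = urlsplit(a.claimed_id).netloc.lower()
    for (cid, _op), account in store._links.items():
        if urlsplit(cid).netloc == host:
            return account
    return None


def demo() -> dict:
    store = AccountStore()
    # Constructed values: Alice's delegated domain, asserted by her chosen OP.
    alice = OpenIDAssertion("https://alice.example/#k1", "https://op-one.example/")
    store.link("alice", alice)
    # She also links a second OpenID from another provider (synonyms).
    second = OpenIDAssertion("https://op-two.example/alice", "https://op-two.example/")
    store.link("alice", second)
    # The domain lapses; a new registrant delegates it to a different OP, and the
    # recycling fragment differs from the one Alice's OP issued.
    squatter = OpenIDAssertion("https://alice.example/#k2", "https://op-three.example/")
    return {
        "alice_strict": store.lookup(alice),        # "alice"
        "synonym": store.lookup(second),            # "alice"
        "squatter_strict": store.lookup(squatter),  # None: no account handed over
        "squatter_weak": weak_lookup(store, squatter),  # "alice": the flaw
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The strict lookup treats a recycled identifier as a stranger, which is the desired outcome: the new registrant gets a fresh account rather than Alice's. Whether an OP actually appends a recycling fragment is the OP's choice, so binding to the OP endpoint as well gives the RP a second, independent distinction when the identifier alone does not change.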

In the past, if you raised issues like “phishing”, the standard response was “this is a problem with SAML too” or “this is out of scope for OpenID”. It was refreshing to be able to openly discuss the weaknesses and figure out ways to improve the protocol. I consider this a sign of maturity.

Identity Mashup

A while ago Paul and I had a conversation about how the neighborhood kid teases his daughter Ophelia Pauline Edna Nicki Irene Daphne for the lack of certification, and how I was concerned that my son, San Ashish Mator Lester, gets picked on since his friends think he is fat and difficult to understand.
It’s refreshing to read that, compared to Higgins, San…Lester is considered sexy. It’s about time our kids hook up. In case you are interested, Inspired by Intellectual Women in December is planning to have a speed dating event. There are a couple of other dating services, Open Source Invitation for Singles as well as Contrasting but Cordial, where San…Lester normally shows up.

However, the word on the street is that Ophelia…Daphne doesn’t believe in pairwise relationships or trust. Ours is a conventional family. It’s not like we are asking for exclusivity, but at least some kind of white list would be nice.
