Archive for the year 2008

SSO Summit session: OAuth and WS-Trust

Finally, here are the additional notes I took on the OAuth/WS-Trust session Ashish Jain moderated at the recent(ish) SSO Summit, to supplement his post.

In addition to the use cases already mentioned by Ashish, we discussed use cases for having a security token service in its most basic form. There are “syntactic” reasons to need to exchange tokens:

  • Going from a proprietary token format to a standard one (e.g., Kerberos to SAML)
  • Going from one standard token format to another (e.g., SAML1.1 to SAML2)
  • Going from one proprietary token format to another

The participants considered this pretty much a “necessary evil” for integration purposes — a tactical need that is likely to subside over time as standard token formats stabilize, converge, etc. We saw both internal and cross-domain uses for this, but identified today’s WS-Trust sweet spot as being within enterprises where multiple token formats are (still) in use.

Then there are semantic reasons to exchange tokens. For example, “identity oracle” use cases might have a need for this (handing out a cooked/computed assertion that someone’s “over 25” rather than sharing their actual date of birth).

There are as many unique use cases here as one can imagine. I noted that Liberty ID-WSF has a few of these baked into services that it has defined, but they don’t currently use WS-Trust. (As an aside, there’s a group taking the first steps in a rapprochement here, appropriately pronounced “sig-wish”! Check it out, and let me know if you’re interested in helping.)
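As an added illustration of the “identity oracle” flavour of semantic token exchange (not code from the session or from any product mentioned), here is a minimal Python sketch of a token service that consumes a claim set containing a date of birth and issues only the derived “over 25” predicate, signed. The inbound claim set, the key, and the field names are constructed assumptions; a real STS would be parsing SAML or Kerberos tokens and signing with a proper key.

```python
import hashlib
import hmac
import json
from datetime import date

AGE_THRESHOLD = 25  # the "over 25" predicate from the identity-oracle example

# Constructed inbound claim set, standing in for a parsed IdP token.
SAMPLE_INBOUND = {"subject": "alice@example.edu", "date_of_birth": "1984-02-29"}
SAMPLE_KEY = b"demo-key-not-for-real-use"


def years_old(dob_iso: str, today_iso: str) -> int:
    """Full years elapsed; a birthday later in the year (incl. Feb 29) does not count yet."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def derive_over_age_claim(inbound: dict, today_iso: str, threshold: int = AGE_THRESHOLD) -> dict:
    """Semantic exchange: emit the computed predicate and drop the date of birth entirely."""
    return {
        "subject": inbound["subject"],
        f"over_{threshold}": years_old(inbound["date_of_birth"], today_iso) >= threshold,
        "issued_on": today_iso,
    }


def _canonical(claims: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_claims(claims: dict, key: bytes) -> dict:
    """Wrap the derived claims with an HMAC-SHA256 tag (stand-in for an XML signature)."""
    return {"claims": claims, "sig": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}


def verify_claims(token: dict, key: bytes) -> bool:
    """Constant-time check that the claims were not altered after issuance."""
    expected = hmac.new(key, _canonical(token["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


if __name__ == "__main__":
    issued = sign_claims(derive_over_age_claim(SAMPLE_INBOUND, "2009-03-01"), SAMPLE_KEY)
    print(json.dumps(issued, indent=2))  # relying party sees over_25 but never the DOB
```

Note that the relying party receives only the boolean and the subject; the verifier never learns the birth date, which is the whole point of the oracle pattern.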

A (g)newbie at Gnomedex

Somehow I’d been missing out on the phenomenon of the Gnomedex tech-enthusiast conference, even though its location in recent years coincides perfectly with my new(ish) Northwest residency. (Hey, I haven’t gone to Bumbershoot yet either — bad, bad Eve!)

This year I’ve got a great chance to fix the situation. I met Chris Pirillo and his lovely wife Ponzi through Eli, and after a couple of fun evenings where I blabbed excitedly about Vendor Relationship Management and he blabbed excitedly about a project that was soon to become his WicketPixie social-media WordPress theme (it would be interesting to “VRM-enable” this theme, yes??), they were kind enough to invite me to speak this year. I’m looking forward to introducing VRM concepts to this audience and getting some discussion going on how to improve the customer-vendor nexus.

If you can be in Seattle August 21-23, I hope you’ll register and join the fun.

It’s a nice day for a Facebook wedding

In addition to our wedding anniversary and the anniversary of our first date, Eli and I now have another event to celebrate: July 27, 2008 was the day we confirmed our “married” relationship on Facebook. We immediately got two messages of congratulation, one facetious…and one seemingly sincere! For the record, we’ve been married for 18 years and together for 22 — but we love having another special occasion to add to the list.

OpenSSO Express and the smoking simian

Today Sun launched OpenSSO Express, a cool new way to get your hands on innovative features destined for its Access Manager commercial product over the long haul but freshly available every three months in a stable, tested, supported build of the OpenSSO open-source project.

Daniel Raskin (dubbed the Smoking Monkey by Coté and taking the moniker quite seriously…) has a great post linking to lots more info and even a podcast on the subject. Check it out!

Federation Soup: mmm, mmm good

Internet2 hosted an interesting gathering in early June, called Federation Soup, which I had the privilege of attending. These folks have had to face some of the hardest federation problems out there because of the higher education community’s unique mix of needs, and they take a relentlessly practical approach. Ken Klingenstein said it was okay to blog what I heard at the event, but it took me a little while! Here are some of the tidbits I collected.

Interfederation looks pretty different in Internet2-land and in places like the U.S. government. In the latter, the emphasis is on PKI bridges, while the education sector is looking for more loosely coupled solutions.

It’s not just about higher education; a fair number of people are working on what are called K-20 initiatives that span education at all levels and of all types. This brings in all the hard problems of gathering consent from the custodians of minor children.

The InCommon federation is pretty attractive. Some parties that come from outside traditional education, such as news organizations that want to distribute content in a controlled way and U.S. government agencies that don’t want to use a peered federation model, are joining this federation or at least considering it. At the same time, InCommon is not the only answer; smaller educational system federations will continue to coexist with it. And some federations need independent branding. Finally, some universities simply don’t feel the need for federation at this point.

A lot of the discussion was around how to increase federation adoption. A common theme was to find the killer app or anchor tenant that makes the whole exercise worthwhile all by itself. Some people felt that what sells is not “trust”, but collaboration services. Buyer’s clubs (such as subscriptions to journals) are also an attraction.

At a BOF on privacy, tricky jurisdiction problems were discussed. What if a U.S. student is studying temporarily in Paris? Do you go by their geolocation, or by the IdP’s jurisdiction, or the SP’s? Do you purge logs for privacy according to EU requirements, or retain them for homeland security according to U.S. requirements?

Finally, for the heck of it, some juicy quotes:

  • Scott Cantor: “As far as the software is concerned, there’s no such thing as a federation.”
  • Ken K. on identity proofing and levels of assurance: “It’s ratholes all the way down.”
  • Someone: “Where the duct tape is holding, people are very reluctant to let go.”

Biometric identification of penguins

Neat project. But is it penguin-centric?

The privacy imperative

Lately I’ve been discussing three human tendencies we should take into account in designing identity-enabled systems: new-relationship energy, the efficiency imperative, and the self-revelation imperative. I’ve put aside the privacy imperative (essentially the opposite of self-revelation) because it seems more interesting to discuss challenges to privacy by examining the forces working against it.

I just got a handy reminder that whatever privacy imperative we have is, at least in part, learned rather than innate. In going through a storage-roomful of boxes to stock some new bookcases, I came across a calligraphy instruction book that’s more than 20 years old. I’d gotten it second-hand, and its previous owner had claimed ownership of the book and practiced his italic in one swoop by writing his name and his social security number inside the front cover…

Relationships are complicated

In my talk at the Burton Catalyst conference earlier this week on The Care and Feeding of Online Relationships, I presented a brief argument for specific requirements on relationship management solutions.

My appreciation of these requirements has deepened through conversations with Bob Blakley (who kindly invited me to speak in his track — Bob, you should blog more!), people involved in Project VRM and Internet2, customers, Sun colleagues, and others.

I’ve noticed that when I present on “everyday identity”, usability folk come out of the woodwork, excited that someone is talking about Don Norman’s work, human-centered design, HCI, and the like. Luckily I have a real expert like Jen McGinn to keep me honest… I think we’d all benefit from listening to usability experts more closely.

(The title of this post is taken from the lovely Flickr photo that I borrowed for the first slide. Thanks, hojusaram!)

Namespace nausea and other XML maladies

Eric Wilde and Bob Glushko have produced a wonderful compendium of problems people have with XML due to overblown expectations or plain old misunderstandings: XML Fever. It’s funny because it’s true!

(And hey, don’t forget about authorial illnesses like Tag Abuse Syndrome [see Sec 4.1.2.3], for which markup models can be carriers…)

The Wordle of the Venn of Identity

Ooh, cool — Wordle can make word clouds out of anything.
This is the Venn of Identity article, Wordled (Wordlified? Wordlimicated?). Can you find the “SPs” in this picture?… At least the “user” is well represented!