
New: Musings on SCIM after IIW

Over on the Forrester blogs, I talk about the latest progress on Simple Cloud Identity Management (SCIM), as seen and discussed at IIW.

(I’ll be at Forrester Security Forum November 9-10, in lovely Miami — you going?)

New: Report contemplating OAuth and “Zero Trust identity”

Is it possible for an enterprise to turn itself inside-out? Apparently so. I’ve got a new post up on the Forrester blogs that discusses the “Zero Trust” aspect of enterprise security that a number of companies are addressing with various clever uses of OAuth.

New: “Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?”

I’ve got a new post up on the Forrester blogs, discussing a “markets for portable identity” angle on my latest research report (which is full of Venn goodness!), and how SAML, OAuth, and OpenID are “hard currencies.”

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

New: “Protecting Internal APIs – Is OAuth Ready For Its Closeup?”

Check out my new post on the Forrester blog, looking to hear about your experience and opinions on the use of OAuth to secure your internal app landscape. You know you have stories. I know you have stories. So why not share them??

I hosted a session at IIW last week to start collecting data around this topic, impishly/illicitly called Two Legs Good? (since the OAuth community keeps trying to quit the “legs” habit but can’t seem to manage it). Session notes are at the link. IIW totally rocked this time; thanks to the organizers and all who contributed to making it great!

In order to encourage you to comment over on the other site, I’ve turned off comments here (boy, does that feel weird…). If you prefer to weigh in with 140 characters’ worth of wisdom, just be sure to use the hashtag #Forr2Legs so I’ll see it.

How UMA deals with scopes and authorization

The UMA group has been quite busy of late. Like several other efforts (don’t miss John Bradley’s OpenID ABC post or anything Mike Jones has been blogging in the last few months), we’ve been gearing up for IIW 12 as a great place to try out our newest work, figure out the combinatorial possibilities with all the other new stuff going on, and get feedback.

Newcastle University’s SMART project team will be in Mountain View again, discussing their UMA implementation and UX work. And vice-chair Maciej Machulak and I plan to convene a session to share our draft solution for loosely coupling an OAuth authorization server and resource server to solve for externalized authorization and interoperable scoped access in the UMA context.

Back in February, a bunch of us tried discussing this very subject on Twitter and got pretty far, but it took Paul Madsen to put the whole story together in his blog post Way more than 140. And loving it. Check it out.

Essentially, UMA is choosing to give the host (resource server) more autonomy than it would typically have in a tightly coupled environment, so that it’s not entirely accurate to say it’s a mere policy enforcement point (PEP) and the authorization manager (authz server) is a full policy decision point (PDP). This seems to make good sense in a totally open-Web environment. However, “the full PDP” is an optional feature we could probably add if there’s interest.

The really interesting thing is that, to make externalized authorization work, we’ve had to go “radically claims-based”. The model seems very powerful and generative — it gives the power to upgrade and downgrade granted scopes at will! But it does take a step or two back from pure OAuth 2.0 as a result. This is something I’m keen to discuss with folks in and around IIW; we’ll be presenting these slides to that end.

New: “Identity Assurance Means Never Having To Say ‘Who Are You, Again?’”

Does having published my first Forrester research report and done my first quarterly teleconference mean I’ve made my analyst bones? Hmm. You can read about my identity assurance coverage here. (Regular readers may recall that I wrote about identity assurance on Pushing String last fall, batting around ideas with Paul Madsen and others.)

Baseline health and Paleo 2.0

With Gary Taubes blogging and the extended low-carb/paleo community hopping, I feel less of that ol’ carbgrrl blogging pull, but I follow all the goings-on with keen interest.

One recent post over on Hyperlipid analyzes fasting insulin and — get this — accidental weight loss among the obese. Here are some excerpts that may be mind-blowing to the nutritionally uninitiated:

[O]ut of only five subjects, one obese person became a food refusenick. Various studies have had similar compliance problems, with obese participants refusing food. … What is more interesting is the trend in accidental weight loss.

My take home message is that the lower the carbohydrate intake (and it is reasonable to assume the lower the fasting insulin) the harder it is to consume enough calories to maintain the obese state. It’s possible, but not easy.

I think this decrease in hunger probably only occurs in obesity. For those of us who have adopted a LC [low-carb] eating pattern without the need for weight loss (and still have little excess fat) there are clearly other factors coming into play, as there will be when a previously overweight person approaches target/ideal weight, whatever that might be.

The experience is actually quite familiar to those of us who have managed to lose serious weight by controlling our carb intake and thus our insulin production. Once you’re able to burn your own body fat for fuel, the uncomfortable hunger pangs of a lifetime of diets fade into memory. It’s remarkable.

What’s being suggested above is that this is a normalization process, back to some baseline of health and body weight. You know how the diet industry insists that you shouldn’t think of them as diets but rather lifestyle changes? It’s the right idea, but — if you’re doing low-fat and “chronic cardio” — the wrong lifestyle.

Gary Taubes relays Bob Kaplan‘s downright poetic way of thinking about this in a recent post:

A restricted-carbohydrate diet doesn’t make you lose weight; it corrects your weight.

A restricted-carbohydrate diet doesn’t make you lose water weight; it corrects your water weight.

A restricted-carbohydrate diet doesn’t improve serum lipids; it corrects serum lipids.

A restricted-carbohydrate diet doesn’t improve health; it corrects unhealthiness.

I think we’re entering into a kind of Paleo 2.0 phase, where many of us are discovering that our “target/ideal” limits are something short of our personal wishlist due to accumulated damage over time. I’ve been trying for several years now to “get the last 20 pounds off” without success, and I’m not alone. (I do feel that I’m asymptotically approaching better health, and I’m strongly motivated by the idea of delaying the effects of aging by avoiding AGEs!) The good news is that the evidence is also starting to accumulate, and people are cottoning on to it earlier in life. Oh, to be able to do things all over again…

New: “CardSpace Is Dead. Long Live Back-Channel Access.”

I’ve got a new post up on my Forrester blog, commenting on CardSpace and the important trends to pay attention to at this juncture.

The most productive thing possible

With a schedule that’s suddenly become insane, I keep thinking about this poster I found a few years ago. Kidding — or serious?

I know. Maybe Kitty’s datebook could help!

New: “OpenID, Successful Failures And New Federated Identity Options”

Though there’s still a creepy fuzzy anonymous head where my picture is supposed to be, I’ve got my first post up on the Forrester Research Security & Risk blog. It discusses the recent 37signals decision to stop using OpenID and the larger “button-based login” environment in which OpenID can be considered a positive influence. As a bonus, it provides a new Venn diagram comparing features of OpenID + attribute exchange, the SAML web browser SSO profile, and OAuth + “connect”-style login.

Later: Neat, it’s been cross-posted to the CSO Online blog as well.