
How UMA deals with scopes and authorization

The UMA group has been quite busy of late. Like several other efforts (don’t miss John Bradley’s OpenID ABC post or anything Mike Jones has been blogging in the last few months), we’ve been gearing up for IIW 12 as a great place to try out our newest work, figure out the combinatorial possibilities with all the other new stuff going on, and get feedback.

Newcastle University’s SMART project team will be in Mountain View again, discussing their UMA implementation and UX work. And vice-chair Maciej Machulak and I plan to convene a session to share our draft solution for loosely coupling an OAuth authorization server and resource server to solve for externalized authorization and interoperable scoped access in the UMA context.

Back in February, a bunch of us tried discussing this very subject in Twitter and got pretty far, but it took Paul Madsen to put the whole story together in his blog post Way more than 140. And loving it. Check it out.

Essentially, UMA is choosing to give the host (resource server) more autonomy than it would typically have in a tightly coupled environment, so that it’s not entirely accurate to say it’s a mere policy enforcement point (PEP) and the authorization manager (authz server) is a full policy decision point (PDP). This seems to make good sense in a totally open-Web environment. However, “the full PDP” is an optional feature we could probably add if there’s interest.

The really interesting thing is that, to make externalized authorization work, we’ve had to go “radically claims-based”. The model seems very powerful and generative — it gives the power to upgrade and downgrade granted scopes at will! But it does take a step or two back from pure OAuth 2.0 as a result. This is something I’m keen to discuss with folks in and around IIW; we’ll be presenting these slides to that end.
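To make the "loosely coupled" split concrete, here is a small Python model of the idea in the two paragraphs above: the authorization manager derives granted scopes from the claims a requester presents (so scopes go up when claims are added and down when they are withdrawn), while the host keeps its own say over which scopes even exist for its resources instead of acting as a bare enforcement point. This is an added illustration written for this page, not code from the UMA group, the SMART project or any UMA implementation; the host name, resource id, claim names, policy and token are constructed assumptions.

```python
"""Toy model of the host / authorization manager (AM) split described above.
Added illustration, not code from the UMA group or any UMA implementation;
every name, claim and policy below is a constructed assumption."""

from dataclasses import dataclass, field


@dataclass
class ScopePolicy:
    """Constructed AM-side policy for one registered resource:
    each scope lists the claim name/value pairs that unlock it."""
    required_claims: dict = field(default_factory=dict)


class AuthorizationManager:
    """Claims-based decision side. Scopes are re-derived from whatever claims
    the requester currently presents, so they grow when claims are added and
    shrink when claims are withdrawn (the 'upgrade and downgrade' property)."""

    def __init__(self):
        self.policies = {}      # (host_id, resource_id) -> ScopePolicy
        self.permissions = {}   # token -> {(host_id, resource_id): frozenset(scopes)}

    def register_policy(self, host_id, resource_id, policy):
        self.policies[(host_id, resource_id)] = policy

    def evaluate(self, token, host_id, resource_id, claims):
        """Grant exactly the scopes whose required claims are all present."""
        policy = self.policies[(host_id, resource_id)]
        granted = frozenset(
            scope for scope, needed in policy.required_claims.items()
            if all(claims.get(name) == value for name, value in needed.items())
        )
        self.permissions.setdefault(token, {})[(host_id, resource_id)] = granted
        return granted

    def introspect(self, token, host_id, resource_id):
        """What the host asks the AM: which scopes this token currently carries."""
        return self.permissions.get(token, {}).get((host_id, resource_id), frozenset())


class Host:
    """Resource server side. It owns the scope vocabulary for its resources and
    refuses scopes it never defined before consulting the AM, so it is more
    than a pure policy enforcement point."""

    def __init__(self, host_id, am):
        self.host_id = host_id
        self.am = am
        self.resources = {}     # resource_id -> set of scopes the host defines

    def register_resource(self, resource_id, scopes):
        self.resources[resource_id] = set(scopes)

    def handle_request(self, token, resource_id, scope):
        if scope not in self.resources.get(resource_id, set()):
            return "unknown-scope"   # host-local decision, no AM round trip
        if scope in self.am.introspect(token, self.host_id, resource_id):
            return "allow"
        return "deny"


def walk_through():
    """Runs the constructed scenario and returns the host's decisions in order."""
    am = AuthorizationManager()
    host = Host("photos.example", am)            # constructed host id
    host.register_resource("album-1", {"view", "annotate"})
    am.register_policy("photos.example", "album-1", ScopePolicy({
        "view": {"email_verified": True},
        "annotate": {"email_verified": True, "group": "family"},
    }))
    token = "tok-constructed-1"
    decisions = []

    # 1. Requester presents a single claim: only 'view' is granted.
    am.evaluate(token, "photos.example", "album-1", {"email_verified": True})
    decisions.append(host.handle_request(token, "album-1", "view"))       # allow
    decisions.append(host.handle_request(token, "album-1", "annotate"))   # deny

    # 2. An additional claim upgrades the granted scopes.
    am.evaluate(token, "photos.example", "album-1",
                {"email_verified": True, "group": "family"})
    decisions.append(host.handle_request(token, "album-1", "annotate"))   # allow

    # 3. Claims withdrawn (expired or revoked): scopes downgrade to nothing.
    am.evaluate(token, "photos.example", "album-1", {})
    decisions.append(host.handle_request(token, "album-1", "view"))       # deny

    # 4. A scope the host never defined is refused locally.
    decisions.append(host.handle_request(token, "album-1", "delete"))     # unknown-scope
    return decisions


if __name__ == "__main__":
    print(walk_through())
```

The design point is in step 4 versus steps 1 to 3: the host answers "unknown-scope" on its own because it, not the AM, defines what "album-1" can be asked for, while the allow/deny outcomes come from the AM's claims evaluation. A host that was a pure PEP would forward every request to the AM; a "full PDP" AM would also have to know the host's whole scope vocabulary, which is the optional feature the post leaves open.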

New: “Identity Assurance Means Never Having To Say ‘Who Are You, Again?’”

Does having published my first Forrester research report and done my first quarterly teleconference mean I’ve made my analyst bones? Hmm. You can read about my identity assurance coverage here. (Regular readers may recall that I wrote about identity assurance on Pushing String last fall, batting around ideas with Paul Madsen and others.)

Baseline health and Paleo 2.0

With Gary Taubes blogging and the extended low-carb/paleo community hopping, I feel less of that ol’ carbgrrl blogging pull, but I follow all the goings-on with keen interest.

One recent post over on Hyperlipid analyzes fasting insulin and — get this — accidental weight loss among the obese. Here are some excerpts that may be mind-blowing to the nutritionally uninitiated:

[O]ut of only five subjects, one obese person became a food refusenick. Various studies have had similar compliance problems, with obese participants refusing food. … What is more interesting is the trend in accidental weight loss.

My take home message is that the lower the carbohydrate intake (and it is reasonable to assume the lower the fasting insulin) the harder it is to consume enough calories to maintain the obese state. It’s possible, but not easy.

I think this decrease in hunger probably only occurs in obesity. For those of us who have adopted a LC [low-carb] eating pattern without the need for weight loss (and still have little excess fat) there are clearly other factors coming into play, as there will be when a previously overweight person approaches target/ideal weight, whatever that might be.

The experience is actually quite familiar to those of us who have managed to lose serious weight by controlling our carb intake and thus our insulin production. Once you’re able to burn your own body fat for fuel, the uncomfortable hunger pangs of a lifetime of diets fade into memory. It’s remarkable.

What’s being suggested above is that this is a normalization process, back to some baseline of health and body weight. You know how the diet industry insists that you shouldn’t think of them as diets but rather lifestyle changes? It’s the right idea, but — if you’re doing low-fat and “chronic cardio” — the wrong lifestyle.

Gary Taubes relays Bob Kaplan’s downright poetic way of thinking about this in a recent post:

A restricted-carbohydrate diet doesn’t make you lose weight; it corrects your weight.

A restricted-carbohydrate diet doesn’t make you lose water weight; it corrects your water weight.

A restricted-carbohydrate diet doesn’t improve serum lipids; it corrects serum lipids.

A restricted-carbohydrate diet doesn’t improve health; it corrects unhealthiness.

I think we’re entering into a kind of Paleo 2.0 phase, where many of us are discovering that our “target/ideal” limits are something short of our personal wishlist due to accumulated damage over time. I’ve been trying for several years now to “get the last 20 pounds off” without success, and I’m not alone. (I do feel that I’m asymptotically approaching better health, and I’m strongly motivated by the idea of delaying the effects of aging by avoiding AGEs!) The good news is that the evidence is also starting to accumulate, and people are cottoning on to it earlier in life. Oh, to be able to do things all over again…

New: “CardSpace Is Dead. Long Live Back-Channel Access.”

I’ve got a new post up on my Forrester blog, commenting on CardSpace and the important trends to pay attention to at this juncture.

The most productive thing possible

With a schedule that’s suddenly become insane, I keep thinking about this poster I found a few years ago. Kidding — or serious?

I know. Maybe Kitty’s datebook could help!

New: “OpenID, Successful Failures And New Federated Identity Options”

Though there’s still a creepy fuzzy anonymous head where my picture is supposed to be, I’ve got my first post up on the Forrester Research Security & Risk blog. It discusses the recent 37signals decision to stop using OpenID and the larger “button-based login” environment in which OpenID can be considered a positive influence. As a bonus, it provides a new Venn diagram comparing features of OpenID + attribute exchange, the SAML web browser SSO profile, and OAuth + “connect”-style login.

Later: Neat, it’s been cross-posted to the CSO Online blog as well.

I’ve just made a big change, joining Forrester Research as a Principal Analyst, and this new adventure is sure to be exciting. It’s an honor to join this stellar organization and work with so many talented folks. I’ll be serving security and risk professionals and will focus primarily on identity and access management, so this move feels like a natural outgrowth of work I’ve been involved in for more than ten years now.

My tenure at PayPal was a great learning experience; I’ll never forget my time there, nor the good friends I made. I also managed to learn a few things while “catching up on life” in the few weeks between gigs. Here are some questions folks have been asking me, with answers:

Q: Are you moving back to the east coast?

A: Nope, I’m still based in the Pacific Northwest, but I will likely be out Boston-way somewhat more often. As for other appearances, you’ll definitely be able to find me at Forrester’s IT Forum 2011 in May, and I’ll be figuring out the situation with other events shortly.

Q: Will you continue to blog here?

A: Yes, though the mix of topics will likely change, as I’ll be contributing industry-related posts to the Forrester blog. I’ll post pointers to those here, and my hope is to step up my writing activity on other topics of interest at Pushing String. And I hope you’ll continue to follow my doings at @xmlgrrl (where the #forrester tag will likely make lots of appearances).

Q: What about User-Managed Access and other innovation-oriented work?

A: The plan is for me to continue in my role as “chief UMAnitarian” and to participate in certain other tech leadership activities as time allows. In the last couple of months we’ve gotten a big influx of active UMA contributors, and we’ve had a burst of progress in the last few weeks on defining how to loosely couple “user-centric” policy enforcement points and policy decision points. So I think we’re well on our way to meeting the goals and timing stated in our charter.

Q: So what did you do on your winter vacation?

A: One of my goals was to “learn one big thing”, so I started learning how to play guitar, under the tutelage of my dear old friend Rich. My original use cases were around communicating better with my Mud Junket bandmates who are actual guitarists, but Rich doesn’t fool around: I have to learn good technique and not take any shortcuts. Luckily, the fret-hand callus crop has finally started to come in.

I also read a great book called The Talent Code, which describes what goes on neurologically in people who seem like once-in-a-lifetime geniuses, and discusses how any skill (like guitar-playing!) can be honed more rapidly through “deep practice” that stimulates myelin growth.

With all this plus a healthy dose of R&R, it feels like I’m learning how to learn all over again.

Seeking escape velocity from nutritional Bizarro World

The new book from (The Great) Gary Taubes is finally out: Why We Get Fat: And What to Do About It.

Taubes is obviously a man on a mission, nearly bursting with frustration at the anti-scientific and near-religious wishful thinking that has been passing for diet, nutrition, and public health advice for the last few decades. Near-religious? Yes — really. Why else would we be told this by “experts” for so long, even though their theories can readily be falsified?

If we’re fat and we can prove that we eat in moderation — we don’t eat any more, say, than do our lean friends or siblings — the experts will confidently assume that we must be physically inactive. If we’re carrying excess fat but obviously get plenty of exercise, then the experts will assume with equal confidence that we eat too much. If we’re not gluttons, then we must be guilty of sloth. If we’re not slothful, then gluttony is our sin. [WWGF, p. 29]

But Taubes keeps his vexation in check, using his energy instead to boil down the evidence in his magnum opus Good Calories, Bad Calories to its essence for easier reading. (You may recall that I once called GCBC “a 50/50 split between ‘gripping’ and ‘a hard slog’”.)

Most of all, he uses plain logic and helpful metaphors, along with tinctures of hard science and hard data, to show how diet experts’ arguments and advice — like “Just eat less and exercise more” and “Low-carb is dangerous because our brains need glucose to function” — amount to little more than “Who are you gonna believe, me or your lying eyes?” The logic and the data are useful for applying appropriate skepticism when you face the latest scientific paper that goes awry in its very first sentence by asserting that access to “unlimited calories” and an “increasing sedentary lifestyle” are the problem. Here’s something useful to know (and not all that surprising to learn): we’re exercising harder than ever.

…[I]n the United States … the obesity epidemic has coincided with what we might call an epidemic of leisure-time physical activity, of health clubs and innovative means of expending energy (in-line skating, mountain biking, step and elliptical machines, spinning and aerobics, Brazilian martial-arts classes — the list goes on), virtually all of which were invented or radically redesigned since the obesity epidemic began.

There are many ways to quantify this epidemic of physical activity. Health-club industry revenues, for example, increased from an estimated $200 million in 1972 to $16 billion in 2005 — a seventeen-fold increase when adjusted for inflation. The first year that the Boston Marathon had more than 300 entrants was 1964; in 2009, more than 26,000 men and women ran. [WWGF, p. 42]

I suppose I’m no longer truly in the target audience for this book, since I can already recite many of the arguments in my sleep. And logic may have very little power over those with a vested interest in believing the opposite. But if you’ve struggled with weight (or — neologism alert — “diabesity”) and have been following along here but haven’t yet read GCBC, I recommend WWGF to you, either as a standalone work or as a gateway drug to the hard stuff.

Talking about security that “assumes DNS holds”

In discussions of economics, a predictive statement is often accompanied by the qualifier ceteris paribus, or, roughly, “other things being equal”, in order to compare apples fairly to apples. In discussions of Internet security, more and more I hear, and have occasion to use, a qualifier like “assuming DNS holds”. For a while, I used a stock formulation that went like “assuming DNSSEC or no cache poisoning”.

An awful lot rides on getting to the domain you think you’re getting to; it’s a basic ingredient in many web protocols. It lets you do things like treat unsigned metadata from a known-good domain as sufficient for lightweight use cases. And being clear about this assumption lets you compare solutions on their other merits.

UMAnitarian Joseph Holsten and I tried to cook up a pseudo-Latin equivalent for the economics phrase: ceteris nomina indubia, hoping to translate it roughly to “assuming non-doubtful names”.

But now I realize the first word isn’t right (ceteris is the “other things” part, like in et cetera), and we need something in the vindicatum or sumo category. Or we could just leave that part out, since “ceteris paribus” doesn’t have the “assume” part either. Any Latin scholars want to opine?

By the way, Pushing String has hit its sixth blogiversary. Thanks for sticking around!

Wishing you a happy, healthy, user-managed new year

UMA Christmas tree 2010

Thanks to Domenico Catalano (@DomCat) for putting together this lovely and geeky holiday message! And thanks to all the UMAnitarians for their contributions of passion, business problem-solving, and technical know-how to the User-Managed Access work.

The end of 2010 has brought new progress on several fronts. The UMA-friendly Java-based OAuth leeloo implementation was released as open source; we’ve begun solving some hard problems in defining interoperable interfaces between OAuth authorization servers and resource servers; we’ve been teasing out the implications of trusted claims as the basis for user-centric access control; and we saw two significant submissions in response to the UMA validation bounty program. We’re grateful to submitters Cordny Nederkoorn, whose interest in UMA grew as a result of his explorations into cloud identity, and Project hData, a unique and important effort that seeks to make electronic health data amenable to RESTful web app treatment.

We’ve got lots more developments in store for the coming months, and we welcome your involvement. From our Kantara home page you can join the group (no membership fees!), subscribe to our mailing list, and check out the latest news, and don’t forget to follow us on Twitter.

Happy holidays!