(I’ll be at Forrester Security Forum November 9-10, in lovely Miami — you going?)

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

I hosted a session at IIW last week to start collecting data around this topic, impishly/illicitly called Two Legs Good? (since the OAuth community keeps trying to quit the “legs” habit but can’t seem to manage it). Session notes are at the link. IIW totally rocked this time; thanks to the organizers and all who contributed to making it great!

In order to encourage you to comment over on the other site, I’ve turned off comments here (boy, does that feel weird…). If you prefer to weigh in with 140 characters’ worth of wisdom, just be sure to use the hashtag #Forr2Legs so I’ll see it.

Newcastle University’s SMART project team will be in Mountain View again, discussing their UMA implementation and UX work. And vice-chair Maciej Machulak and I plan to convene a session to share our draft solution for loosely coupling an OAuth authorization server and resource server to solve for externalized authorization and interoperable scoped access in the UMA context.

Back in February, a bunch of us tried discussing this very subject in Twitter and got pretty far, but it took Paul Madsen to put the whole story together in his blog post Way more than 140. And loving it. Check it out.

Essentially, UMA is choosing to give the host (resource server) more autonomy than it would typically have in a tightly coupled environment, so that it’s not entirely accurate to say it’s a mere policy enforcement point (PEP) and the authorization manager (authz server) is a full policy decision point (PDP). This seems to make good sense in a totally open-Web environment. However, “the full PDP” is an optional feature we could probably add if there’s interest.

The really interesting thing is that, to make externalized authorization work, we’ve had to go “radically claims-based”. The model seems very powerful and generative — it gives the power to upgrade and downgrade granted scopes at will! But it does take a step or two back from pure OAuth 2.0 as a result. This is something I’m keen to discuss with folks in and around IIW; we’ll be presenting these slides to that end.

Later: Neat, it’s been cross-posted to the CSO Online blog as well.

My tenure at PayPal was a great learning experience; I’ll never forget my time there, nor the good friends I made. I also managed to learn a few things while “catching up on life” in the few weeks between gigs. Here are some questions folks have been asking me, with answers:

Q: Are you moving back to the east coast?

A: Nope, I’m still based in the Pacific Northwest, but I will likely be out Boston-way somewhat more often. As for other appearances, you’ll definitely be able to find me at Forrester’s IT Forum 2011 in May, and I’ll be figuring out the situation with other events shortly.

Q: Will you continue to blog here?

A: Yes, though the mix of topics will likely change, as I’ll be contributing industry-related posts to the Forrester blog. I’ll post pointers to those here, and my hope is to step up my writing activity on other topics of interest at Pushing String. And I hope you’ll continue to follow my doings at @xmlgrrl (where the #forrester tag will likely make lots of appearances).

Q: What about User-Managed Access and other innovation-oriented work?

A: The plan is for me to continue in my role as “chief UMAnitarian” and to participate in certain other tech leadership activities as time allows. In the last couple of months we’ve gotten a big influx of active UMA contributors, and we’ve had a burst of progress in the last few weeks on defining how to loosely couple “user-centric” policy enforcement points and policy decision points. So I think we’re well on our way to meeting the goals and timing stated in our charter.

Q: So what did you do on your winter vacation?

A: One of my goals was to “learn one big thing”, so I started learning how to play guitar, under the tutelage of my dear old friend Rich. My original use cases were around communicating better with my Mud Junket bandmates who are actual guitarists, but Rich doesn’t fool around: I have to learn good technique and not take any shortcuts. Luckily, the fret-hand callus crop has finally started to come in.

I also read a great book called The Talent Code, which describes what goes on neurologically in people who seem like once-in-a-lifetime geniuses, and discusses how any skill (like guitar-playing!) can be honed more rapidly through “deep practice” that stimulates myelin growth.

With all this plus a healthy dose of R&R, it feels like I’m learning how to learn all over again.

An awful lot rides on getting to the domain you think you’re getting to; it’s a basic ingredient in many web protocols. It lets you do things like treat unsigned metadata from a known-good domain as sufficient for lightweight use cases. And being clear about this assumption lets you compare solutions on their other merits.

UMAnitarian Joseph Holsten and I tried to cook up a pseudo-Latin equivalent for the economics phrase: ceteris nomina indubia, hoping to translate it roughly to “assuming non-doubtful names”.

But now I realize the first word isn’t right (ceteris is the “other things” part, like in et cetera), and we need something in the vindicatum or sumo category. Or we could just leave that part out, since “ceteris paribus” doesn’t have the “assume” part either. Any Latin scholars want to opine?

By the way, Pushing String has hit its sixth blogiversary. Thanks for sticking around!