Tag Archives: SAML

New: “Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?”

I’ve got a new post up on the Forrester blogs, discussing a “markets for portable identity” angle on my latest research report (which is full of Venn goodness!), and how SAML, OAuth, and OpenID are “hard currencies.”

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

New: “OpenID, Successful Failures And New Federated Identity Options”

Though there’s still a creepy fuzzy anonymous head where my picture is supposed to be, I’ve got my first post up on the Forrester Research Security & Risk blog. It discusses the recent 37signals decision to stop using OpenID and the larger “button-based login” environment in which OpenID can be considered a positive influence. As a bonus, it provides a new Venn diagram comparing features of OpenID + attribute exchange, the SAML web browser SSO profile, and OAuth + “connect”-style login.

Later: Neat, it’s been cross-posted to the CSO Online blog as well.

Making identity portable in the cloud

Yesterday I had the opportunity to contribute to BrightTALK’s day-long Cloud Security Summit with a webcast called Making Identity Portable in the Cloud.

Some 30 live attendees were very patient with my Internet connection problems, meaning that the slides (large PDF) didn’t advance when they were supposed to and I couldn’t answer questions live. However the good folks at BrightTALK fixed up the recording to match the slides to the audio, and I thought I’d offer thoughts here on the questions raised.

“Framework provider – sounds suspiciously like an old CA (certificate authority) in the PKI world! Why not just call it a PKI legal framework?” Yeah, there’s nothing new under the sun. The circles of trust, federations, and trust frameworks I discussed share a heritage with the way PKIs are managed. But the newer versions have the benefit of lessons learned (compare the Federal Bridge and the Open Identity Solutions for Open Government initiative) and are starting to avail themselves of technologies that fit modern Web-scale tooling better (like the MDX metadata exchange work, and my new favorite toy, hostmeta). PKI is still quite often part of the picture, just not the whole picture.

“How about a biometric binding of the individual to the process and the requirement of separation of roles?” I get nervous about biometric authentication for many purposes because it binds to the bag of protoplasm and not the digital identity (and because some of the mechanisms are actually rather weak). If different roles and identities could be separated out appropriately and then mapped, that helps. But with looser coupling come costs and risks that have to be managed.

“LDAP, AD, bespoke, or a combination?” Interestingly, this topic was hot at the recent Cloud Identity Summit (an F2F event, unlike the BrightTALK one). My belief is that some of today’s tiny companies are going to outsource all their corporate functions to SaaS applications; they will thrive on RESTfulness, NoSQL, and eventual consistency; and some will grow large, never having touched traditional directory technology. I suspect this idea is why Microsoft showed up and started talking about what’s coming after AD and touting OData as the answer. (Though in an OData/GData deathmatch, I’d probably bet on the latter…)

Thanks to all who attended, and keep those cards and letters coming.

Quick thoughts on XAuth

It’s the “common domain cookie” trick from Liberty ID-FF and SAML2, except without the notion of a circle of trust. (Thanks to Praveen for forging the CDC connection in my brain.)

Heh.

It’s yet another thing you have to opt out of instead of into. (To disable it, visit XAuth.org from each browser you use.)

Pamela is wise.

I was already getting tired of the “social web” about the end of 2009. Does that make me anti-social?

Ugh — seepage.

The Zen of Venn

“You will never be done with the Venn. That’s your destiny. Accept it.”

So said my colleague Ashish recently, as I agonized over some tweaks to the Venn of Identity diagram. The editing started out as a quick fix to the figure that appears in the IEEE Security and Privacy article of the same name; the diagram text was exactly what Drummond and I had specified — but the graphic emerged from the publication process visually “broken”, with no intersection lines.

But of course technologies and understandings and use cases evolve, and it began to seem like a good time to update the text too. What with the new U.S. federal government effort around Open Identity Solutions for Open Government (and PayPal’s involvement in same), I thought maybe I could do a better job of capturing the main strengths OpenID, InfoCard, and SAML bring to today’s table.

In that Zen-like and Concordic spirit, I hereby present a new — date-stamped — version of the Venn (click for the full-size .png):

[Figure: VennOfIdentity-Sep2009, the Venn of Identity, September 2009 version]

I hope this new version can continue to support productive discussions that help solve real-world identity problems.

If you’re wondering whether it’s okay to pick up and reuse the diagram — go for it! Just please note the Creative Commons license below. I’ll keep VennOfIdentity.org pointed to the new Venn category on my blog so that people who see propagated copies can keep up with updates if they like.

The Venn of Identity – September 2009 by Eve Maler is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

p.s. Thanks to “W.” of the Tech and Law blog for our great email exchange this week on Venn-shaped matters, which sparked even more edits…

About Me

Welcome to XMLgrrl.com! I’m your host, Eve Maler. On my personal blog, Pushing String, you’ll find commentary on digital identity, data portability, meaningful privacy, online trust, and assorted other topics.

You can reach me at eve-at-xmlgrrl.com, emaler-at-forrester.com, and @xmlgrrl. Additional online homes are linked from the Welcome section in the right sidebar.

One way to get to know me is through the nicknames I’ve collected. I’ve had the pleasure of working on a crazy quilt of technologies, protocols, policies, and methodologies over the years, and various monikers related to them have stuck. The first was XMLgrrl, reflecting my part in the creation of the Extensible Markup Language (XML). The next was the SAML Lady, bestowed by a colleague based in Japan on the occasion of a trip to Tokyo to teach the Security Assertion Markup Language, the federated identity standard. Recently I have been serving as chief UMAnitarian, working on the User-Managed Access protocol and associated adoption.

Yes, that’s a cartoon, though based on a real photo of my head from, oh, 1998 or so. In the pre-blog era, I wrote a Web column on XML — sort of “advice for the parse-lorn”.

On January 14, 2011, I joined Forrester Research. You can find my official profile and blog on the Forrester site. (Yep, I’m up to two blogs now.) When I post to the Forrester blog, I’ll add a corresponding “citation entry” here. Following is a bio for me that’s less official but more wide-ranging:

Eve Maler is an analyst, strategist, and innovator around digital identity, security, and privacy, with particular interests in creating successful wide-scale ecosystems and fostering individual empowerment. She is a Principal Analyst at Forrester Research, serving security and risk professionals.

Eve was one of the inventors of XML; she also co-founded the SAML effort and has made major leadership, technical, and educational contributions to many other standards and technical communities. In 2009 she launched an open standards effort called User-Managed Access (UMA) to develop an OAuth-based solution that lets a person conveniently and centrally control the authorization of personal data sharing made between online services on his or her behalf.

Eve is a sought-after public speaker, and for several years served as a Web Services and Identity track chair for the annual XML Summer School held at University of Oxford.

Eve co-authored Developing SGML DTDs: From Text to Model to Markup, a book that provided a unique methodology for information analysis and SGML schema design. Eve’s blog, Pushing String at xmlgrrl.com, touches on topics both technical and whimsical.

Some of Eve’s other interests are knitting and singing bluesy-funky rock ‘n’ roll.

Some alter egos for portions of my blog are VennOfIdentity.org (corresponding to the “Venn” category) and carbgrrl.com (corresponding to the “carbgrrl” category).

This work is licensed under a Creative Commons License.