Tag Archives: UMAnitarian

Ch-ch-ch-ch-changes

I’ve just made a big change, joining Forrester Research as a Principal Analyst, and this new adventure is sure to be exciting. It’s an honor to join this stellar organization and work with so many talented folks. I’ll be serving security and risk professionals and will focus primarily on identity and access management, so this move feels like a natural outgrowth of work I’ve been involved in for more than ten years now.

My tenure at PayPal was a great learning experience; I’ll never forget my time there, nor the good friends I made. I also managed to learn a few things while “catching up on life” in the few weeks between gigs. Here are some questions folks have been asking me, with answers:

Q: Are you moving back to the east coast?

A: Nope, I’m still based in the Pacific Northwest, but I will likely be out Boston-way somewhat more often. As for other appearances, you’ll definitely be able to find me at Forrester’s IT Forum 2011 in May, and I’ll be figuring out the situation with other events shortly.

Q: Will you continue to blog here?

A: Yes, though the mix of topics will likely change, as I’ll be contributing industry-related posts to the Forrester blog. I’ll post pointers to those here, and my hope is to step up my writing activity on other topics of interest at Pushing String. And I hope you’ll continue to follow my doings at @xmlgrrl (where the #forrester tag will likely make lots of appearances).

Q: What about User-Managed Access and other innovation-oriented work?

A: The plan is for me to continue in my role as “chief UMAnitarian” and to participate in certain other tech leadership activities as time allows. In the last couple of months we’ve gotten a big influx of active UMA contributors, and we’ve had a burst of progress in the last few weeks on defining how to loosely couple “user-centric” policy enforcement points and policy decision points. So I think we’re well on our way to meeting the goals and timing stated in our charter.

Q: So what did you do on your winter vacation?

A: One of my goals was to “learn one big thing”, so I started learning how to play guitar, under the tutelage of my dear old friend Rich. My original use cases were around communicating better with my Mud Junket bandmates who are actual guitarists, but Rich doesn’t fool around: I have to learn good technique and not take any shortcuts. Luckily, the fret-hand callus crop has finally started to come in.

I also read a great book called The Talent Code, which describes what goes on neurologically in people who seem like once-in-a-lifetime geniuses, and discusses how any skill (like guitar-playing!) can be honed more rapidly through “deep practice” that stimulates myelin growth.

With all this plus a healthy dose of R&R, it feels like I’m learning how to learn all over again.

Talking about security that “assumes DNS holds”

In discussions of economics, a predictive statement is often accompanied by the qualifier ceteris paribus, or, roughly, “other things being equal”, in order to compare apples fairly to apples. In discussions of Internet security, more and more I hear, and have occasion to use, a qualifier like “assuming DNS holds”. For a while, I used a stock formulation that went like “assuming DNSSEC or no cache poisoning”.

An awful lot rides on getting to the domain you think you’re getting to; it’s a basic ingredient in many web protocols. It lets you do things like treat unsigned metadata from a known-good domain as sufficient for lightweight use cases. And being clear about this assumption lets you compare solutions on their other merits.

UMAnitarian Joseph Holsten and I tried to cook up a pseudo-Latin equivalent for the economics phrase: ceteris nomina indubia, hoping to translate it roughly to “assuming non-doubtful names”.

But now I realize the first word isn’t right (ceteris is the “other things” part, like in et cetera), and we need something in the vindicatum or sumo category. Or we could just leave that part out, since “ceteris paribus” doesn’t have the “assume” part either. Any Latin scholars want to opine?


By the way, Pushing String has hit its sixth blogiversary. Thanks for sticking around!

Wishing you a happy, healthy, user-managed new year

UMA Christmas tree 2010

Thanks to Domenico Catalano (@DomCat) for putting together this lovely and geeky holiday message! And thanks to all the UMAnitarians for their contributions of passion, business problem-solving, and technical know-how to the User-Managed Access work.

The end of 2010 has brought new progress on several fronts. The UMA-friendly Java-based OAuth leeloo implementation was released as open source; we’ve begun solving some hard problems in defining interoperable interfaces between OAuth authorization servers and resource servers; we’ve been teasing out the implications of trusted claims as the basis for user-centric access control; and we saw two significant submissions in response to the UMA validation bounty program. We’re grateful to submitters Cordny Nederkoorn, whose interest in UMA grew as a result of his explorations into cloud identity, and Project hData, a unique and important effort that seeks to make electronic health data amenable to RESTful web app treatment.

We’ve got lots more developments in store for the coming months, and we welcome your involvement. From our Kantara home page you can join the group (no membership fees!), subscribe to our mailing list, and check out the latest news, and don’t forget to follow us on Twitter.

Happy holidays!

UMA meeting co-located with IIW and other news

Thanks to Phil and Kaliya and the gang, I’m happy to say we’re holding an UMA face-to-face meeting at the Computer History Museum on the Monday just prior to IIW XI (pronounced “yewksie”?).

This follows close on the heels of a face-to-face in Paris at the Kantara conference, so I hope we’ll be able to crank through a lot of work in the next few weeks. What work, you ask? We’re shooting for draft completion of some key items in the upper box shown here (click to get to a full-size site-mapped version on our Working Drafts page):

I’ve already gotten several requests for more info about the IIW meeting. These will be working meetings, not public transfer-of-information workshops, and we always welcome new participation. You can become a participant (voting/frequently attending or non-voting/attend at will, totally up to you) by filling out this form. I’ve put up some very preliminary agendas (Paris, Mtn View); they tend to be responsive to work done in weeks prior, so check back.

(UPDATE: There’s no formal registration process for the IIW meeting as long as you’re already signed up as an UMA participant; just send me an RSVP. Contact info is under my Welcome section in the right sidebar.)


Did you know our Newcastle University UMAnitarians have begun open-sourcing their Java implementation? The first big piece from the SMART Project covers UMA-friendly OAuth 2.0 and has the lovely name leeloo. They promise more to come soon, and I bet we’ll see some swank demos at IIW. Check it out!

About Me

Welcome to XMLgrrl.com! I’m your host, Eve Maler. On my personal blog, Pushing String, you’ll find commentary on digital identity, data portability, meaningful privacy, online trust, and assorted other topics.

You can reach me at eve-at-xmlgrrl.com, emaler-at-forrester.com, and @xmlgrrl. Additional online homes are linked from the Welcome section in the right sidebar.

One way to get to know me is through the nicknames I’ve collected. I’ve had the pleasure of working on a crazy quilt of technologies, protocols, policies, and methodologies over the years, and various monikers related to them have stuck. The first was XMLgrrl, reflecting my part in the creation of the Extensible Markup Language (XML). The next was the SAML Lady, bestowed by a colleague based in Japan on the occasion of a trip to Tokyo to teach the Security Assertion Markup Language, the federated identity standard. Recently I have been serving as chief UMAnitarian, working on the User-Managed Access protocol and associated adoption.

Yes, that’s a cartoon, though based on a real photo of my head from, oh, 1998 or so. In the pre-blog era, I wrote a Web column on XML — sort of “advice for the parse-lorn”.

On January 14, 2011, I joined Forrester Research. You can find my official profile and blog on the Forrester site. (Yep, I’m up to two blogs now.) When I post to the Forrester blog, I’ll add a corresponding “citation entry” here. Following is a bio for me that’s less official but more wide-ranging:

Eve Maler is an analyst, strategist, and innovator around digital identity, security, and privacy, with particular interests in creating successful wide-scale ecosystems and fostering individual empowerment. She serves as a Principal Analyst at Forrester Research, serving security and risk professionals.

Eve was one of the inventors of XML; she also co-founded the SAML effort and has made major leadership, technical, and educational contributions to many other standards and technical communities. In 2009 she launched an open standards effort called User-Managed Access (UMA) to develop an OAuth-based solution that lets a person conveniently and centrally control the authorization of personal data sharing made between online services on his or her behalf.

Eve is a sought-after public speaker, and for several years served as a Web Services and Identity track chair for the annual XML Summer School held at University of Oxford.

Eve co-authored Developing SGML DTDs: From Text to Model to Markup, a book that provided a unique methodology for information analysis and SGML schema design. Eve’s blog, Pushing String at xmlgrrl.com, touches on topics both technical and whimsical.

Some of Eve’s other interests are knitting and singing bluesy-funky rock ‘n’ roll.

Some alter egos for portions of my blog are VennOfIdentity.org (corresponding to the “Venn” category) and carbgrrl.com (corresponding to the “carbgrrl” category).

Creative Commons License
This work is licensed under a Creative Commons License.