OK! So being at a conference (Cloud Computing Expo in NYC, where Oracle is making big waves with announcements in the PaaS space) where I had no wi-fi or power meant that I was trying to follow the big xAuth announcement via Twitter on my iPhone over 3G – note exactly the easiest thing. And after participating in a flurry of twittersations yesterday, I spent time this morning catching up on all the first take blog posts on it. It’s clear that the other word that the ‘x’ could stand for would be “xtremely polarizing” (fine, that’s two words, but since when has that been an issue for Colbert on ‘The Word’!).

I like to think I am a realist, and my initial take on the xAuth idea was that it was a good idea necessary to solve the usability issues holding back the widespread adoption of federated consumer authentication. The usability issue in question is the old NASCAR issue (you can read a good overview of the issue here, but the image below speaks a thousand words) which either causes clutter and user headache, or favors the big players in the IdP space.

Faced with this, you can understand why application developers get all clingy about the old “username-password” form – it’s simple and well understood by users, no matter the security and identity management challenges it creates.

To me the solution is conceptually simple: when I land on a page that supports IdP based authentication, there should be a way for the UI to display just the icons for IdPs that I use. This could be based on (1) my previous usage history across the web, (2) an explicit list I have set up somewhere, or (3) preferences I set up on the RP site the first time I went there. Solution (1) obviously has huge privacy implications, and becomes a non-starter in most discussions for that reason. So I was intrigued when it seemed like xAuth might be tackling approach (2).

Since then my enthusiasm has been dampened a bit after digging a little deeper. And the take from folks I trust in such matters has been cautiously pessimistic. The idea of a central service that any RP can ping to find out what IdP choices to display to a user appeals to me, but the big thing missing from xAuth.org (the proposed central service) are the user protections and controls that I feel are necessary.

• First off, participation must be Opt-In, not Opt-Out (there seems to be universal agreement on this, except from the RPs – as Pamela points out).
• Secondly, the setup should be an explicit white list with layers: Here are the 4 IdPs I’d use by default across the web, but here are 2 more I will consider for specific RPs or classes of RPs (which I could select from a pre-defined list of participating RPs at xAuth.org), and so on.
• And finally, this needs to converge with the Identity in the Browser movement, so as to solve the shared computer as well as the privacy issues (pertinent to unintentional information sharing with the RP) that emerge from this model.

I don’t like dismissing any proposal right off the cuff because of flaws that may not have been worked out yet, so I am hopeful that the energy and discussion I am seeing on xAuth right now continues to push it (or a suitable alternative) in the right direction. At least it has the identity community abuzz, and given the hole that this weeks postponement of Catalyst Europe left in our schedules, that’s a good thing.

Tags: Authentication Services, Federated Consumer Authentication, Identity Services, User-Centric Identity, xAuth

I just got back home from the RSA Conference in San Francisco this week, where the topic of Trust was second only to all things Cloud. While sessions on Identity Management were few and far between, there was lots of interesting news coming out of the conference (like the U-Prove announcement). I tweeted about the announcements that concern Trust Frameworks, a way for one site (Relying Party) to trust the identity, security, and privacy assertions/claims from a different site (Identity Provider) acting on behalf of a user.

The first announcement was on the launch of the Open Identity Exchange (OIX), a (yet another) non-profit organization (coming out of the OpenID Foundation and Information Card Foundation) that is dedicated to building trust in the exchange of online identity credentials across public and private sectors. The second announcement was regarding the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) provisionally approving both OIX and Kantara Initiative as a Trust Framework Provider to certify online identity management providers to U.S. federal standards for identity assurance (read more here).

Trying to digest all of this was a little difficult, so as I was stuck in traffic on my way home from the airport, I found myself riveted by a twitter exchange that was flying fast and furious between Paul Madsen (everyone’s favorite source for biting identity musings) and Brett McDowell (till recently Executive Director of the Kantara Initiative, and now technology evangelist at Paypal, one of the first IdPs certified by OIX – so you can see he has unique insight). I have reproduced it here for everyone’s benefit (with their permission, of course).

paulmadsen ICAM is one federation willing to deal with multiple trust frameworks. Will others?

brettmcdowell @paulmadsen ICAM isn’t actually dealing with multiple trust frameworks. It’s all just NIST SP800-63 w/ various means to prove you comply.

paulmadsen @brettmcdowell ICAM is ‘accepting’ OIX, KI-IAF, InCommon . To me those are all trust frameworks (ie certification programs)

brettmcdowell @paulmadsen ah, but what is a “trust framework”? The criteria for trust itself (M04-04 & 800-63) or the method for demonstrating compliance?

brettmcdowell @paulmadsen P.S., in the Kantara case, IAF has criteria as well, but it’s been “mapped” to prove comparability to US Federal requirements.

paulmadsen Components of a trust framework – policies, accreditation, certification, admin, metadata infrastructure, keg parties….

paulmadsen @brettmcdowell if everybody agrees on 800 63 for the former, trust frameworks are distinguished by the latter

brettmcdowell @paulmadsen IAF/OITF (frameworks) differentiated by criteria, KI/OIX (.org’s who certify) differentiated by due diligence on applicant

paulmadsen @brettmcdowell thus KI (conditionally) approved for up to non-crypto LOA3 …

brettmcdowell @paulmadsen M04-04 & SP800-63 is like the “spec”, IAF is like the SCR, and OIX is a registry of those asserting compliance to the spec

brettmcdowell @paulmadsen “non-crypto” is another misleading term/issue. It rules out “pure PKI” but not “signed” assertions (SAML) or claims (IMI)

paulmadsen @brettmcdowell but IAF is more than an extra level of policy detail on top of 800 63 criteria. And OIX is more than a registry

brettmcdowell @paulmadsen for KI to be approved for AL3 PKI & AL4 in US Gov, it needs to cross-certify with the Federal Bridge

brettmcdowell @paulmadsen re: “but IAF is more than” and “OIX is more than” Paul, cut me some slack, this is Twitter, some nuances are going to be lost!

paulmadsen @brettmcdowell point was less about the ‘crypto’ part, and more that diff frameworks may target different parts of ‘assurance space’

paulmadsen @brettmcdowell that’s why I avoid all subtleties & nuances

brettmcdowell @paulmadsen I wouldn’t draw conclusions (or battle lines) regarding trust frameworks just yet. Remember the OIX RFI dialog w/KI is ongoing

paulmadsen @brettmcdowell as I complained to @ve7jtb , want to see matrix laying out components of a generic framework, specific instances mapped on

brettmcdowell @paulmadsen that sounded like a proposal not a complaint. I accept your matrix proposal. Looking forward to reading it when you finish

And of course, Paul had to have the last word, and it was typically Madsen-istic.

paulmadsen @brettmcdowell you know, my wife made that same interpretation 16 years ago. Must be more precise

Hopefully that exchange was illuminating, and gave you enough pointers to standards and topics that might help deepen your understanding of Trust Frameworks. It certainly has given me a lot to think about. While RSA may have been weak on identity related discussions, these announcements are likely to have a huge impact on the identity landscape going forward.

Tags: Brett McDowell, ICAM, Kantara Initiative, Open Identity Exchange, Paul Madsen, Trust Frameworks, User-Centric Identity

The Cloud Hanging Over Us

At Catalyst, Dan Blum stated that cloud computing is not ready to be a serious player in the enterprise when it comes to applications that handle sensitive data (some would argue that covers most enterprise apps). This reflects the biggest obstacle facing cloud computing acceptance – Trust. Enterprises need to be able to rely on cloud providers (read: have SLAs) for availability, security, performance, governance and privacy. But how can they do that when there are so many unanswered questions (as I pointed out in my previous post) and a lack of transparency on the part of the cloud providers? How can an Enterprise feel comfortable when Google says “The service is neither designed nor intended for high risk activities” or Amazons contract states “We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data…”

Looking at the Silver Lining

When people talk about the business drivers for cloud computing, it is often summed up as the following list: Cost, Flexibility, Simplicity, Availability. But why not Security? Cloud architecture actually lends itself to a far more robust and reliable security architecture than anything that has come before. Everything can be built right into the platform and the applications, and the need for vendors to support multiple customers in a dynamic environment means that all of it has to be standardized and easy to put up/take down.

So what are the major identity management pieces in this puzzle?

• Federated Authentication that spans the enterprise environment and the cloud environment
  • Alternatively (or additionally), consider supporting User-Centric Identity
• Strong User and Access Lifecycle Management (Provisioning/De-Provisioning Capabilities)
• A Claims-Based Authorization model, coupled with strong XACML-based Entitlement Management
• Enterprise Identity Providers protected by IGF-style policy controls
• DLP (Data Leakage Protection) tools that protect sensitive data moved to the cloud
• A standardized Audit Framework for creating, managing and analyzing audit trails across cloud services

In my follow-up posts (and in the talks I am giving), I will look at each of these in more detail. In the meantime, register for the KuppingerCole webinar I’ll be doing and lets exchange some thoughts.

Tags: Cloud Computing, Federated Identity, Identity Services, User-Centric Identity

Twitter Search will also get a “reputation” ranking system soon, Jayaram told me. When you do a search on a “trending” topic–a topic that is so big it gets its own link in the Twitter.com sidebar–Twitter will take into account the reputation of the person who wrote each tweet and rank the search results in part based on that.

The article does mention that the engineering team at Twitter is still trying to figure out how to do this. But no more than a day later, Stan Schroeder of Mashable pointed out one of the key aspects to making reputation work – it has to be context-sensitive with respect to the identity of the source and their authority on the subject.

Thinking about it, it seems that this reputation ranking system is far more complex than a simple combination of factors such as followers and retweets. The system needs to be contextual; it needs to recognize which tweeple are important for a certain keyword or phrase. For example, tweets from the White House, Barack Obama and politicians aren’t that useful in the context of a Gmail outage, but they’re crucial during some political event.

In other words, the reputation engine (if it is to be done right) can’t just look at the number of followers, the number of retweets and hashtags. It also can’t rely purely on the 140 character biography that all the tweeples have posted on their twitter profiles. No, to really do this thing justice, Twitter (or some other company that could step in) would need to navigate the semantic, social and identity web in a way that builds up an accurate picture of a persons authority regarding a particular subject. And it is not just based on what we put out there, but even more so on what others put out there in response.

If this feels like somebody is about to start building a credit score of our online lives, it isn’t too far off the mark. The implications in the area of personal identity management and privacy could be huge!

This highlights a change we are seeing in the personal identity space. Since there are no secrets any more (as Bob Blakley is wont to remind us every now and then), relationships and reputation are likely to become the primary variables in the identity equation. The question therefore is, what tools do we need to manage and control our online identity in light of this new perspective on identity? Is it simply about having an OpenID and clean living? What tools do the social networks like Facebook and LinkedIn need to incorporate that give us control over not just what we put out there, but what others put out there about us? It’s a tough nut to crack, and should make for some interesting discussions at IIW next week. Maybe I’ll throw it up there on the board as a topic.

Tags: Personal Identity Management, Relationship Management, Reputation Management, Twitter, Twitter Search, User-Centric Identity

The F.B.I. said that the younger Mr. Kernell allegedly hacked into the account in mid-September by resetting Gov. Palin’s password.

I obviously don’t know the specifics of how the F.B.I. says the password was reset. But for the sake of our discussion, let’s assume that the email system relied on a typical challenge response mechanism (currently the norm in most free email systems). The hacker obviously didn’t know the password, but was able to reset the password to something of his/her choosing by successfully answering the challenge questions. In the age of Google, how hard is it to find out the the first school, the first car, the mother’s maiden name or the pets name of a famous public personality like Sarah Palin?

As Bob Blakely likes to point out, there are no secrets any more therefore any system that relies on secrets is inherently flawed.

In a completely separate conversation, a colleague of mine sent me the following thought:

All the banks and merchants I do business with online have been increasing their level of security, especially with password complexity requirements.  Historically I have limited all my passwords down to 3 based on the type of site so I had no need to write them down.  Now because of all the different password complexity requirements, especially the password history requirement, I can no longer do that…. so I’m now forced to write them down

In some sick way, more security by merchants is now leading to worse security for me, the user.  I’m forced back to the sticky note.

From the Good News/Bad News Department

The bad news in all this is that we seem to be going through a phase where additional mechanisms introduced to secure the systems in a user-friendly manner have actually exacerbated the problem because they rely on flawed assumptions. The above issues are clear illustrations of this. The mechanisms deployed (challenge response, password complexity requirements) would have been fine on their own for the system they are meant to protect. But these solutions did not anticipate how they would be impacted by the reality of their users online environment. The aggregation of multiple such systems for a user actually ends up degrading the effectiveness of these solutions, to the point where they end up becoming liabilities instead.

The good news is that new technologies and solutions are emerging that (hopefully) will address these problems. OpenID and Information Cards aim to rid us of the multiple password problem by promising a world of reduced sign-on built on trust. Identity assurance technologies (like the ones in Oracle’s Identity Assurance Partner Alliance) provide safer, more reliable means to verify the interacting parties identity than traditional challenge response mechanisms, thus preventing the kind of attacks described above.

So better days are coming. The real challenge ahead of us is getting all involved parties (consumers, online enterprises, vendors) educated on how these solutions can be used to make our online lives more secure.

Tags: Identity Assurance, Password Management, User-Centric Identity

Dave postulates that the solution is based in the idea of Digital Personas. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). In this way, common identifiers are avoided (not sure about that, since the most common identifier – an email address – is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.

While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain multiple personas across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is exactly the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.

This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is comletely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It’s an interesting problem that I think needs to be addressed by the identity community, because if it isn’t, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just like it does in the matter of username-passwords).

Tags: Digital Persona, Enterprise Identity, Information Cards, Personal Identity Management, User-Centric Identity

Information Cards try to mirror the familiar, real-world experience of presenting cards to prove identity and provide information in the online world, and aims to do so in a safe, secure manner that is resistant to phishing, pharming and MITM attacks. Despite having been put into the wild a few years ago, and despite the tireless efforts of people like Kim Cameron and Pam Dingle to make it accessible, there are scant few web sites (of any note, anyway) that actually allow people to use information cards. The ICF (much like the OpenID foundation, which also kicked into high gear a few months ago) is looking to put some weight behind the effort to evangelize the technology and expand its adoption in the marketplace. As it states on the ICF Web site, the foundations purpose is to

Advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

It will be very interesting to see how the ICF goes about doing this, and when results will start to show. But this is undoubtedly the beginning of something big. For all of us.

Links:

• Press Release announcing the ICF
• New York Times article
• SC Magazine coverage

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Information Card Foundation, Information Cards, OpenID, Personal Identity Management, User-Centric Identity

But I couldn’t keep myself from commenting on the most recent wave of acquisitions in the identity space. Both have some interesting consequences for the identity management market.

IBM acquires Encentuate
First up is the acquisition of Encentuate, a provider of enterprise single sign-on (E-SSO) and strong authentication technology, by IBM (see the press release here). The big effect of this acquisition will be on customers who bought IBM’s current offering in the eSSO space – IBM ITAM ESSO (that mouthful stands for IBM Tivoli Access Manager for Enterprise Single Sign-On). That product was based on an OEM of Passlogix’s v-GO product suite. Obviously IBM cannot have two products in their stable doing the same thing, so the logical assumption is that over the next release or two, ITAM ESSO will shift from being based on the Passlogix technology to the Encentuate technology.

You can read the views of some folks on the acquisition here, here and here. I found Ian Yip’s reaction most interesting, especially since he used to work at IBM. He pulled no punches in telling customers of ITAM ESSO what to expect, saying that in the future they will be forced into an upgrade that isn’t really an upgrade:

“What marketing won’t say is that the “upgrade” from 6.0 (based on Passlogix) to 7.0 (based on Encentuate) is essentialy a rip and replace. There is no seamless upgrade. Sure, they’ll probably offer some tools to “help”, but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign on templates will be completely different between the Passlogix and Encentuate products.”

Ian thinks that IBM ITAM ESSO customers are the losers in the deal (along with Passlogix, who suddenly lost a revenue stream). However, it doesn’t really have to be that way. Passlogix is also the OEM component in Oracle’s E-SSO offering,
Oracle Enterprise Single Sign-On Suite (something that Ian believes raised IBM’s ire). So there is another option available to ITAM ESSO customers – instead of doing a rip and replace of ITAM ESSO with the next version of ITAM ESSO, do an upgrade of ITAM ESSO to Oracle eSSO Suite. Being based on the same product, the shift is sure to be so much smoother. And you get the added benefit of direct integration with Oracle Identity Manager, through the Oracle eSSO-Provisioning Gateway that Oracle ships.

Of course this sounds self-serving, and a bit simplistic, but it is also quite logical, and likely to be an approach that could save many an enterprise many a headache.

And IBM’s move certainly serves as validation of the maturity and viability of E-SSO as a technology.

Microsoft acquires Credentica
Next is the acquisition of Credentica by Microsoft. Credentica’s U-Prove technology attempts to tighten up the security of identity transactions by decoupling the parties involved in a manner that prevents transmission and use of extraneous data, without sacrificing authenticity of everything involved in the transaction. It uses PKI technology to secure the authentication and identity data flow between an Identity Provider (Issuer) and a Service Provider (Verifier) in a user-centric manner. The big claim of the technology is the ability to enforce minimal disclosure of identity data (also referred to as “zero-knowledge” proofs for privacy).

In layman’s terms, the U-Prove technology claims to provide people a way to disclose personal information in a manner that does not threaten their privacy, or expose them to identity theft. It also limits the disclosure of information to unintended parties, preventing accounts from being linked across different service providers. Kim Cameron does an excellent job of explaining (and making a case for) all this on his blog.

Everyone is talking about the ability of U-Prove to immediately provide a security layer to Microsoft CardSpace that it previously lacked. The way that managed cards work, the IdP can accumulate knowledge about the user by analysing the card requests it is fulfilling on behalf of the user. Minimal disclosure tokens make it possible to obfuscate the SP interaction, making it impossible for the IdP to understand how the issued cards are being used, thereby rendering it unable to aggregate any information.

To understand more, read this article in eWeek’s Microsoft Watch.

Tags: Access Control Management, Identity 2.0, Information Cards, Oracle Identity Management, Oracle Identity Manager, Personal Identity Management, User-Centric Identity

It’s a big achievement, and the first concrete step towards an identity layer for the internet. My congratulations to Paul, Mary and all the contributors to the Higgins project.

Tags: Identity Services, Project Higgins, User-Centric Identity

While some worry that the entry of such corporate entities could change the focus of what (till now) has been a community and consumer-oriented project, I weigh that against the fact that OpenID would not be relevant in consumer identity unless these players not only accepted it, but championed it. So I think this is a great thing for OpenID.

I am hoping the next step will be that these services start accepting 3rd party OpenIDs instead of just being providers. I look forward to using my Google OpenID at Yahoo.

Tags: OpenID, Personal Identity Management, User-Centric Identity