Hobsons CRM Supporting CAS

Posted December 7th, 2008 in Identity by jayshao
PR-GB.com… News from origin – Hobsons Debuts Full CAS Integration at CGS Annual Meeting

(Via Google.)

Another vendor serving higher-ed supporting CAS out of the box can only be a good thing, easing integration across the board.

JA-SIG Conference: Future of Identity Management in HigherEd

Posted June 26th, 2007 in Identity by jayshao

Jens’s talk is on Identity Management, focusing on the life-cycle of identity data. Looks like the talk is going to focus on moving towards user-centered identity. “Access to the right resources, to the right users, at the right time” — focused on providing, not preventing, access (e.g. from a security perspective).

Authentication vs. Authorization is an important distinction which as an industry we’ve definitely treated sloppily. The delegation scenario (e.g. Kim Cameron’s many writings on the topic) is also very interesting, as “acting on behalf of” really is such a core capability that we often lose when we move into the electronic realm.

Lessons:

  • Identity is about relationships – (especially) university ones change over time
  • Multiple authoritative sources – authorities for attributes, not people
  • Separating account names from stored account ids
  • Dynamic rules instead of static roles – interesting in how that pattern’s been modeled in the uPortal community via the adoption of PAGS groups over statically defined ones…

Interestingly, Jens (also in previous conversations) does believe that Federation has some low-hanging fruit and is worthwhile, at least in the short run. I’m still not sure — though he made a very good distinction in the amount of work necessary for IdP vs. SP participation. Shibboleth… one of the key distinctions that Jens is making for the federation case is that Shib may be more appropriate for federation requirements with generalized, lightweight access where you have similar rules across all members – e.g. all members can access protected library resources.

TurnItIn, iTunesU, JSTOR are on Jens’s list of Shibboleth providers and products, which is a pretty attractive list. Not sure what kind of federation agreements have to be in place for these various resources.

eduRoam is neat looking — ability to login to another institution’s wifi would be cool.

Identity 2.0: now we’re talking! Claims based — the comment Jens made about University-centric identity assuming that institutional relationships are the most important relationships people have, but that’s not how users are likely to see it seems quite apropos. Claims combined with self vs. 3rd-party verification in a mixed-model really is a neat model for thinking about identity data, and does seem to match the real-world situation well.

The privacy angle of not requiring the IdP to process the transactions, and hence possibly have access to what I’m doing, is something that doesn’t seem to get talked about in the US as much, but as more things move online does seem key.

OpenID — where we’re seeing convergence in the identity space. CardSpace is also a key player. OpenID support in CAS really seems to make it well positioned to participate in this space.

Conclusion: not sure I’m sold on Federation as the low-hanging fruit, but some of the Shib-enabled services do seem pretty compelling. User-centric definitely looks like it’s gaining steam though, which is definitely exciting. This definitely seems to be an area where Higher Education should be at the forefront, since it is one of the few areas where Higher Education does seem to have legitimately more complex needs and requirements.

JA-SIG Conference: Phil Windley Digital Identity Keynote

Posted June 25th, 2007 in Commentary, Identity by jayshao

Listening to Phil’s keynote. Will be trying to post video and audio at some point — in the meantime, there’s a good thread about reputation and privacy.

Update: Posted very rough audio recording of the keynote, also available as part of the podcast.

Phil Windley Keynote [58:40m]

ongoing · OpenID at Work

Posted May 9th, 2007 in Identity by jayshao

ongoing · OpenID at Work – This caused a GIGANTIC thread on the identity-gang list that got back to the question of implicit authorization off of an authentication source. I know when I was looking at Rutgers IdM infrastructure, assumptions about what having a credential meant were a serious barrier to then expanding issuing of credentials/access to a wide variety of useful groups (prospective students, alumni, parents…)

ACEGI supports OpenID

Posted May 2nd, 2007 in Identity by jayshao

Blogroll: Acegi OpenID, Wicket Roadmap – O’Reilly ONJava Blog

“On the ACEGI developer list this morning, Ray Krueger announces OpenID support in ACEGI thanks to the efforts of Robin Bramley. If you don’t know what OpenID is yet, learn more about it over at http://openid.net. Also, some analysis of OpenID from Tim Bray (from Feb).”

Sweet.

Map of Online Communities

Posted May 2nd, 2007 in Commentary, Identity by jayshao

Via Jesse – Map of online communities. I wonder if it’s missing the important Balkanized zones of all the institutional silos for Universities, company intranets, etc. Getting back into the whole identity track — how do you go about breaking down all the silos? OpenID seems like it could be part of it, building bridges across communities, kind of passport identity style. Seems like then you’ll have a few “identity superpowers” though and lots of little vassal states. It’d be an open environment, but not sure what the dynamic is. Maybe OpenID gets used by the DMV, and getting a driver’s license also gets you an online, vetted id?

eTel: The open source phone crowd talks to itself

Posted March 16th, 2007 in Identity by jayshao

eTel: The open source phone crowd talks to itself

“An example: An otherwise excellent speaker on identity, Kaliya Hamlin, tried to suggest some potential win-win strategies in identity management that would help users while still enabling the operators to make money. She suggested that the operators offer identity services and tie them to a commerce engine, so users could buy things and charge them through their wireless bills. It’s a great idea, and the Japanese operators are already doing it. But I know from personal experience that as soon as you mention ‘billing’ to most of the US and European operators they run screaming from the room. Their billing systems are already too complex, held together by chewing gum and spiderwebs, and the thought of making a big change to them is terrifying. Kaliya gets an A for effort, but in a forum that had a balanced representation her idea would have been discussed and debated rather than just tossed out there.”

I wonder if there’s enough of a market in pushing cell phones as a credit card replacement to justify starting up a new cell company or MVNO…

Tim Bray Not Sure About OpenID

Posted February 27th, 2007 in Identity by jayshao

ongoing · OpenID

The Real Problem · Of course, out there in the enterprise space where most of Sun’s customers live, they think about identity problems at an entirely different level. Single-sign-on seems like a little and not terribly interesting piece of the problem. They lose sleep at night over “Attribute Exchange”; once you have an identity, who is allowed to hold what pieces of information about you, and what are the right protocols by which they may be requested, authorized, and delivered? The technology is tough, but the policy issues are mind-boggling.

While it’s true that OpenID doesn’t really deal with attribute exchange (and usage, etc. — yet), I think what it really does is standardize a user-controlled request process. So… just like RESTful proponents seek to standardize the semantics of acquiring resources and interacting with them, OpenID provides a simple, standard authentication channel. An application could be locally configured to only accept OpenIDs from certain IdPs (e.g. a University’s OpenID server, federated partners, AOL) or have some kind of assurance checking mechanism, but that’s optional, whereas the common internet case is just wanting a persistent handle so people can come back to the same account again (low assurance).

In terms of attribute release – just like DRM, I have yet to really see a workable attribute usage and release scheme that doesn’t require you to trust receiving parties anyway. And the OpenID approach of having the user approve the IdP’s release of particular attributes seems just as reasonable as (and much more scalable than) an institution trying to build a policy with tiers or permissions as to who can get data. Requiring user release seems to solve lots of problems, actually.
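The "only accept OpenIDs from certain IdPs, or have some assurance check, or accept anyone for a low-assurance persistent handle" idea above is easy to get wrong in the host comparison. The following is an added example (not from this post or any OpenID library) of that local relying-party policy layer; it assumes the RP has already completed discovery and signature verification and now holds the OpenID Provider (OP) endpoint, and the allowlist hosts and assurance levels are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: normalized host of each trusted OP endpoint mapped to
# the assurance level this deployment assigns it. Anything not listed is
# level 0 (the "persistent handle" case: a stable identifier, nothing vetted).
TRUSTED_OPS = {
    "openid.example.edu": 2,      # hypothetical university-run OP, vetted users
    "openid.partner.example": 1,  # hypothetical federated partner OP
}


def op_host(endpoint: str) -> Optional[str]:
    """Normalized host of an OP endpoint, or None if the endpoint is unusable.

    Requires https and drops userinfo, port and a trailing dot, so
    'https://user@openid.example.edu:443/server' and
    'https://openid.example.edu./server' both compare equal to the allowlist key.
    """
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def assurance_level(endpoint: str, trusted=TRUSTED_OPS) -> int:
    """Assurance level of the OP behind an endpoint; 0 when it is not listed.

    The lookup is an exact match on the normalized host. A substring or suffix
    check would also match unrelated hosts that merely contain a trusted name.
    """
    host = op_host(endpoint)
    return trusted.get(host, 0) if host is not None else 0


def op_allowed(endpoint: str, required_level: int, trusted=TRUSTED_OPS) -> bool:
    """Accept the assertion when the OP meets the resource's required level.

    required_level=0 accepts any well-formed https OP (low assurance); higher
    levels restrict the resource to the locally configured IdPs.
    """
    if op_host(endpoint) is None:
        return False
    return assurance_level(endpoint, trusted) >= required_level
```

A resource that needs institution-vetted users calls `op_allowed(endpoint, 2)`; a comment form that only wants a returning handle calls `op_allowed(endpoint, 0)`.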

Strange love for passwords

Posted February 26th, 2007 in Identity by jayshao

Strange love for passwords

Now, I’m not going to speculate too far into the future, to a time when Visa displaces the DMV or passport agency as issuer of authoritative international credentials for every kind of identification and authentication. However, there are no other entities that have Visa and MasterCard’s topical ubiquity and influence.  They’ve picked their technology, and if it isn’t in your hands now, it will be soon. It might not fit corporate authentication or private transaction use cases perfectly, but as noted in RFC 1925, “given enough thrust, pigs fly just fine.”

Actually, in an end game, I could see credit card companies taking over as the issuer or vetter of id tokens. Of course, I’ve always thought it made more sense for a government-issued id to combine the token and attribute portions of a passport, driver’s license, all those annoying shopping loyalty programs, AAA card, and any credit accounts you may have. Sort of a universal card. If the tokens were appropriately encrypted and obscured, with some kind of user-controlled release, I think we could shift the convenience/privacy tradeoff far enough that people would go for it.

Although — if you really wanted to be ambitious with your identity system, once you had a smartcard based system — maybe an access control vendor, or discount program could get the mass deployment necessary, you could cut the credit card companies out of the middle. At least for debit-card like transactions it seems you could process for 1% or so and still make a tidy profit. Even credit lines have to be highly attractive given the number of parties who want to get in the game.

Rutgers IdM Assessment

Posted December 1st, 2006 in Identity by jayshao

We released the Rutgers Identity Management Assessment today. It ended up being 65+ pages, but I think we did a pretty good job of incorporating both the inventory side, as well as some observations in our needs and capabilities.

One thing that was interesting in the end was the timing and personalities. 2 months was just about right (would have loved to have an extra week… but you always want an extra week). In any event, shaving off any time would have made it much less effective in my mind, so the timing was likely good.

Personalities also mixed well. Dave’s experienced, laid back, and has a lot of history and knowledge of background and process. I can write, and was able to get a quick picture of the industry model side of things. Seems to have worked out well.