Author: thomas

IDESG Membership, ROA and IPR

After over 6 weeks of the IDESG Governance subgroup drafting the IDESG Membership and ROA related docs, these are finally completed. (1) Proposed Membership Agreement (2) Proposed Intellectual Property Rights Policy (3) IDESG Rules of Association. Key Dates and Times: Ballot on the Membership Agreement & IPR Policy opened at 12:00 noon ET on

UMA Tutorial – High Level (Part 1)

Since I’m editing the User Managed Access (UMA) Core spec, I always seem to be getting questions about UMA. Also I’ve noticed that some folks in the IETF OAuth2.0 WG have not really understood the UMA flows (not surprising, since the UMA Core Rev 5C is now over 40 pages long). So I thought a very

On the survival of the NSTIC Privacy Standing Committee

Aaron Titus writes an interesting piece based on his analysis of the recent proposal from Trent Adams (PayPal) to modify the NSTIC governance rules. The abolition of the NSTIC Privacy Standing Committee may have unforeseen impact on the acceptance of the whole NSTIC Identity Ecosystem idea, notably from the privacy front. During the last decade —

NSTIC Identity Ecosystem Steering Group

Today NSTIC started its 2-day Ecosystem Steering Group meeting in Chicago. Never thought that dialing in all day would be so tiring. Glad that the group (of about 300 people, half in-person and half virtual) got over the initial confusion about voting for the candidates and dealing with proposed changes to the Charter and By

ZDnet interview

It's kinda late, but here is a link to the recent interview with Dana Gardner from ZDnet. On the panel were Jim Hietala (VP of Security, Open Group), Dazza Greenwood (Civics.com & MIT) and myself. This was in preparation for the Open Group conference in DC. More

Eran bails out of the OAuth2.0 Spec

So the news this week was that Eran has decided that OAuth2.0 is a bad specification and wants nothing to do with it. It's kinda a bit too late to complain about OAuth2.0. It's out there, it's being used as the basis for many other protocols, such as OpenID-Connect and UMA. It's going to stay

SAML2.X (Revising the SAML2.0 Specs)

For SAML2.0 developers, users and vendors, it is perhaps worthwhile noting that the OASIS Security Services TC (SSTC) has started the process of revising the SAML2.0 specs. Here is what the SSTC group has agreed to so far: All approved errata, along with any errata presented to the TC subsequent to the last approval, are

Technical Trust

So the topic of “trust” always generates a million emails on various lists. Rather than rolling up my own definition, I thought I’d borrow a good definition from the Trusted Computing Group community (courtesy of Graeme Proudler of HP Labs, UK). It is safe to trust something when: It can be unambiguously identified. It operates

UMA, OpenID-Connect & OAuth2.0

Eve Maler has devised a very useful diagram (for our Google techTalk presentation), comparing the features and intended purposes of OAuth2.0, OpenID-Connect and UMA. Interestingly, the diagram also shows what can be achieved using the Venn combinations of two out of three technologies.

A market for leakage in derived identities

At lunch today Sal summarized in one sentence what I have been trying to express for the last couple of years: There is a market out there for leakage in derived identities (in the Internet). What we had been talking about was the (inevitable) need for something similar to what the Jericho Forum folks call
