tag:blogger.com,1999:blog-32023330732787564222012-01-27T14:21:18.733-08:00Phil Hunt's blog on identity standards, privacy, and some other stuff...Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.comBlogger1051100tag:blogger.com,1999:blog-3202333073278756422.post-25529737083173458742012-01-17T21:58:00.000-08:002012-01-17T21:58:05.948-08:00

This blog will be going on strike January 18 from 8AM to 8PM in support of the SOPA/PIPA protest. This protest reflects my personal concerns about the upcoming US legislation and does not necessarily reflect those of my employer.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-58836555499036173282011-10-14T15:03:00.000-07:002011-10-14T15:03:50.213-07:00

The Java JCP has approved a new JSR relating to the use of Identity information within Java. The JSR351 charter is: To define application programming interfaces and identity interaction models that facilitate and control the use of identity by applications and in access control decisions. Ron Monzillo gave a talk (presentation available here) at JavaOne on JSR 351, I'll paraphrase his

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-77974086143372748492011-10-07T15:05:00.000-07:002011-10-10T11:11:05.850-07:00

IIW XII is coming up October 18-20, so I thought I'd share with you a couple of discussions I'd like to open at IIW. The first one is how best to add user identity or authentication information to OAuth2. The OAuth Identity Information Problem As many of you know, OAuth2 enables a process whereby a client application, as authorized by a user, is issued a "valet key" (a token) for accessing

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-46642417033745307222011-08-18T14:12:00.000-07:002011-08-19T09:36:11.358-07:00

I have become recently worried about the rising popularity of informal standards these days. Informality is something that has been rapidly emerging in the rush towards cloud computing. The rush to develop new protocols is often quite important and is being done out of critical and urgent need. Many of these groups have achieved early success. Yet they remain afraid that getting the legal aspects

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-42745926985791992802011-05-10T13:29:00.000-07:002011-05-10T13:36:57.639-07:00

I attended several sessions at IIW last week discussing the new Simple Cloud Identity Management (SCIM) proposal. Already, there have been several positive and negative blog posts on SCIM. I won't try to rehash them, but here are a list of a few: Martin Kuppinger, Kuppinger-Cole, April 23, SCIM – will SPML shortcomings be reinvented? Nishant Kaushik, Oracle, April 25, SCIMming the Surface of User

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-69506373947351531272011-04-15T22:25:00.000-07:002011-04-15T22:39:22.501-07:00

Today I received a question about OAuth and whether it replaces existing federation deployments. Would OAuth, WS-Trust, and SAML work together? The answer is no. In fact, OAuth is built to use any authentication system, local or federated. Note: Coincidentally, Paul Madsen, also posted an interesting graphic that gives a swim lane view of OAuth's flow with an IDP.  I discussed some of this in

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-48402837584322376282011-04-13T10:02:00.000-07:002011-04-13T11:38:08.295-07:00

My previous post asked the question "Does OAuth do authentication"? In this post, I explore OAuth2 and its support of authorization.When most people ask the question about whether OAuth2 supports authorization, you might be thinking in terms of today's authorization/access management/policy systems. But, as mentioned in my previous post, authorization here is within the terms of how HTTP defines

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-47384193584405741842011-04-08T11:00:00.000-07:002011-04-08T11:32:41.504-07:00

I'm not kidding. OAuth itself doesn't seemed to be defined. It's not an acronym just a name. In fact the specification draft simply says:The OAuth 2.0 Authorization Protocol"OAuth" itself isn't spelled out in most places. Wikipedia says its "Open Authorization". But who knows. I can't tell you how many times this question comes up. But if you ask me, it doesn't matter and that is a good thing.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-78547412250951839932011-03-23T10:39:00.000-07:002011-04-03T08:43:57.151-07:00

Updated: Revised flow to add javascript implicit flow.I received a lot of interesting comments on my previous post, "Does OAuth Have Legs". That post was about trying to understand what was meant by legs in OAuth. It included a useful diagram which I have since updated based on feedback. The revised diagram is available below (click to enlarge).A couple of notes:The flows depicted are from the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-11173281872903684782011-03-09T10:54:00.000-08:002011-03-09T14:21:17.021-08:00

There has been growing interest in a group of protocols, namely HTTP, REST, OAuth, and JSON, and how they can support web services. REST and JSON, have been around for a while, but one of the puzzling problems was how to handle authentication in REST especially for non-browser based clients using HTTP. So far the only options have been BASIC authentication or SSL/TLS mutual authentication. So

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-81739119074293797112011-03-01T10:12:00.000-08:002011-03-01T16:18:22.554-08:00

I posted a new Internet Draft, the "Chain" grant draft today for the consideration of the OAuth2 working group. The specification defines a new grant type that enables an OAuth protected service to in turn act as an OAuth client to another OAuth protected service. The grant type allows the first server to exchange the current oauth access token for a new token valid on the target service. This

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-57858695182756400062011-02-21T16:15:00.001-08:002011-02-21T17:28:56.713-08:00

Some folks have been asking, "what's all this stuff about legs in OAuth?" and "I don't understand the difference between 1, 2, and 3 legged OAuth?"I have put together a flow-chart to try and show, from a client app perspective, what constitutes a 1, 2, or 3 legged authorization (click on image to enlarge).Basically the rule of thumb is, each time you make a request response within the OAuth

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-12457809696536538862011-01-28T14:37:00.001-08:002011-01-28T15:06:13.719-08:00

It's privacy day, and it seems like a good time to re-introduce folks on the long-running Identity Governance Framework project. For a few years now, Oracle has been working hard on laying some privacy groundwork for developers. This project initially started with the development of a standard specification called the Identity Governance Framework. The objective of IGF was simple: define some

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-31086920922068020042010-12-03T10:37:00.000-08:002010-12-16T14:45:52.987-08:00

It seems many are still looking at OAuth as simply a delegation protocol. I think it is much more. Let's take a moment and highlight some features that go beyond simple delegation, and get at some of the real value behind OAuth.Authentication & The Password Anti-PatternOne way to look at OAuth is that it is a "Proxy Authentication" system. It allows applications acting on a user's behalf (as a

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com4tag:blogger.com,1999:blog-3202333073278756422.post-26839585269614632272010-11-24T16:54:00.000-08:002010-11-24T17:47:59.178-08:00

For 5 or more years now, there has been a push by many in the identity management industry to rally around the idea of user-centric identity. Why not give users complete control over information being shared between web sites? From a web service provider it should make sense. Why retain data if it could be provided easily by the user? It made a lot of sense. Thus user-centric identity was born.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-81901244840166816342010-11-10T09:49:00.000-08:002010-11-10T13:54:15.797-08:00

Continuing the summary of the OAuth Enterprise BOF, I want to call attention to a discussion on session management and OAuth. While we didn't start off talking about it, we soon came to realize a key potential benefit–session management. The group was looking at the issue of UI complexity and features like "Share" buttons–a user clicks on a "Share" button and passes a token on to friends and

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com2tag:blogger.com,1999:blog-3202333073278756422.post-60236865702371882602010-11-09T09:48:00.000-08:002010-11-09T11:00:46.716-08:00

As I blogged earlier, it seems like it is time explore the idea of enterprise use of OAuth. Many folks chimed in via email and blog comments that they were interested in a group discussion. So, at IIW 11, folks from Gartner, Google, HP, Paypal, PingIdentity, Salesforce.com, VMWare, Oracle, and others got together for a series of sessions on OAuth at IIW.Please note, the opinions here are my own

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-8185684404000320662010-11-06T12:07:00.000-07:002010-11-06T12:10:57.685-07:00

Via Kevin Moulton...The European Commission called on Thursday for stronger protection of Internet users’ personal information, after news of data leaks at companies like Facebook and Google highlighted concerns about digital privacy.New York Times article.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-18294679285925176702010-11-02T15:09:00.000-07:002010-11-02T15:12:44.176-07:00

For those interested, the following sessions have been proposed for Wednesday at IIW 11 (tomorrow):Introduction / level-set (Patrick Harding)Client App credentials discussion (Chuck Mortimore)Chaining, Can OAuth happend for Application access to directories/databases? (Phil Hunt)The case for OAuth for Enterprises who already have SAML Artifact support. Discussion (Prateek Mishra)Relationship

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-27349041689784451222010-10-14T12:14:00.000-07:002010-10-14T12:32:26.484-07:00

For those considering attending the Internet Identity Workshop 11 in Mountain View, California, here a couple of session proposals that may be of interest:Enterprise OAuth BOF - this is looking like it may be an all day session on Wednesday as lot of topics have already been proposed (email me or comment if you want the list). If you are interested in adding topics, please let me know by

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-49155471371887854082010-09-30T09:51:00.000-07:002010-09-30T10:11:30.232-07:00

As I mentioned yesterday, I've been doing a lot of thinking about OAuth and what it brings to "web" applications. Is delegation really a big deal? I think so. While social networking has developed this protocol and the enterprise community has considered its relevance, something else has been changing and will likely contribute to demand for OAuth. I'm talking about the re-emergence of the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com3tag:blogger.com,1999:blog-3202333073278756422.post-91904131139320354112010-09-29T17:10:00.000-07:002010-09-29T17:11:28.709-07:00

I've been spending some time lately on OAuth and exploring its applicability for enterprise software and the cloud. To date, OAuth's use cases have been focused primarily on social networking. Yet customers are asking, will OAuth be useful? The answer, I believe, is YES! But first, some background for those new to OAuth...What is OAuth?OAuth is an open authorization protocol used to allow

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com6tag:blogger.com,1999:blog-3202333073278756422.post-49775022024836444872010-08-24T12:28:00.000-07:002010-08-24T12:46:12.594-07:00

This past spring, several organizations began a discussion on the SAML TC about the possibility of adding subject and attribute management functions to SAML. The proposal was the subject of a some debate. Why was this an important requirement? Why not use SPML or other protocols? After considering several possibilities, a new concept emerged called "Change Notify" which suggests converting

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-13872579000437129272010-07-08T14:18:00.001-07:002010-07-12T10:02:47.132-07:00

I recently attended a briefing by Eve Maler, chair of the UMA Workgroup. As usual, Eve had lots of info to share, and I'd like to pass it on.First, for those of you who don't know, OAuth 2.0, is a protocol designed to allow people to authorize one web service to access the resources of another web service. For example, allowing a photo printing service to access photos on Flickr. UMA takes the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-84940968866732462272010-03-05T13:14:00.000-08:002010-03-05T13:23:50.682-08:00

"Not just write once, run anywhere, but delpoy and deliver anywhere too."That statement is a quote from Nandini Ramani, Director of Java Development at Oracle (formerly Sun), recently talking about the need for JavaFX in this video. Instead of dealing with the many types of display devices, mobile phones, etc, JavaFX provides a platform for abstracting away the complexities of the myriad of

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-78797439414537201542010-02-01T13:00:00.000-08:002010-02-05T21:00:36.553-08:00

Over the past few months, a good deal of progress has been made around IGF and the open source implementation around it. In particular, last fall, Liberty Alliance ratified the IGF 1.0 specification as final. In mid January we published ArisID 1.1, the first open source implementation of IGF 1.0. Finally in late January, we checked in the first implementation of an open source provider based on

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-77544322548185420572009-10-03T14:46:00.000-07:002009-10-03T15:19:18.867-07:00

I listened to a fascinating show on CBC Radio last Friday that discussed the case of Suaad Hagi Mohamud's detention in Kenya. In this case a woman from Toronto, Canada, who when asked by Canadian embassy officials in Kenya to answer some seemingly basic questions to confirm her identity, failed. So much so, that on May 28, Canada informed Kenya that she was believed to be an imposter and voided

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-31765089839543487442009-08-28T13:02:00.000-07:002009-08-28T14:55:59.219-07:00

Johannes Ernst blogs "If the Open Stack Is Mere Plumbing: The Plumbing Of What?". That question seems surprising from one of the proponents of OpenID. I thought it was all about simple identity for blog comments? Seriously though, he has a point.If we look beyond OpenID, I would have to say it is the plumbing of layer 7 of the network - Applications! So, while I was joking when I said that I

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-38647481736364307342009-08-04T13:25:00.000-07:002009-08-04T13:46:11.427-07:00

Felix Gaehtgens of Kuppinger-Cole writes about his conversation with Prateek Mishra of Oracle, who indicated that Cisco and Oracle have posted a new XACML API to the OASIS XACML TC.It was a “soft launch” that was announced at the Kantara meetings on Monday at Burton Catalyst (which very unfortunately, I missed). When Prateek mentioned it to me, it stopped me dead in my tracks, because I find it

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-573408891858282922009-07-24T08:55:00.001-07:002009-07-24T11:13:27.775-07:00

TechCrunch posted an article: "The Anatomy of the Twitter Attack" that details how an attacker leveraged use of search, social, and public email services to hack the Twitter corporate services....modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-49049177302344344212009-07-17T09:58:00.000-07:002009-07-17T10:32:17.439-07:00

The Canadian Privacy Commissioner recently completed an in-depth review of Facebook after receiving a wide-ranging complaint about the privacy practices and policies of Facebook.I won't go into the details here, I suggest you read the report yourself. It is a good read and has stirred discussion both here in Canada, the US, and around the world.Not discussed, but I think equally important is the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-6960374468141587772009-06-17T13:22:00.000-07:002009-06-17T13:49:22.065-07:00

Not sure why I had not seen this before. But there is an interesting post on the Oracle AppsLab showing how my colleague, Clayton Donley build an iPhone app in his spare time that takes advantage of secure access to enterprise identity sources (e.g. directory) and leverage social networking information found in Oracle Connect, our internal social network service.So, you can find people, and when

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-54184234901779223972009-05-08T13:07:00.001-07:002009-05-08T13:16:02.848-07:00

Felix Gaehtgens of Kuppinger Cole interviews Oracle's Dr. Prateek Mishra about IGF and its role in setting a foundation for privacy at this week's European Identity Conference.Check out more interviews, and comments about the EIC here.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-56345924721307069162009-05-07T10:17:00.000-07:002009-05-07T10:39:46.753-07:00

I am happy to announce that Project Aristotle won an award for "Best new or improved standard" at the European Identity Conference. The win is shared with the Open Authentication (OAuth) and the Information Card Foundation (ICF).The European Identity Award for the category “Best new or improved standard” went to the Aristotle Project for ArisID, an important enhancement of IGF (Identity

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-76444715660781516742009-04-24T08:30:00.000-07:002009-04-24T08:34:44.613-07:00

William Jackson of Government Computer News writes about the Kantara Initiative in the article "A more perfect union of ID management schemes."

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-49059861854218002552009-04-21T09:05:00.000-07:002009-04-21T16:43:23.763-07:00

Yesterday, my plan was to write a post announcing some changes at Project Liberty. I was distracted by the announcement that Oracle has entered into an agreement to acquire Sun Microsystems! Some other interesting coverage can be found here.Now, the other big news!The Liberty Alliance Project announced formation of a new organization known as the Kantara Initiative. Kantara is an organization

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-64199642203291121572009-04-03T14:11:00.000-07:002009-04-03T14:25:57.421-07:00

Todd Beets, Senior Enterprise Architect at Qualcomm is interviewed by Oracle's Hormazd Romer about Oracle Identity Management. See the video here:Todd talks about a new phase of their identity services offering where Qualcomm can offload the responsibility of managing identity from within applications and move identity management to a shares services infrastructure -- letting developers focus on

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-67177184505585681552009-03-14T12:01:00.000-07:002009-03-14T17:20:57.209-07:00

Last week, I responded to Dave Kearn's article "How a universal directory might work". I commented that there does not need to be some centralized service managed by one or a few vendors to unify directories or virtual directories. Rather, the solution needs to be akin to the kind of thing that created the Internet itself, TCP/IP's stack architecture.Project Aristotle is the beginning of one

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-28648122207265726112009-03-08T12:02:00.000-07:002009-03-08T12:13:59.267-07:00

In his most recent column, Dave Kearns comments on IGF and how it could be used with virtual directories to form a world wide directory service.This is a very interesting thought, but Mark Wilcox and I agree, a universal directory service operated or controlled by a single vendor isn't the right way to solve federated provisioning. For one thing, LDAP isn't the only requirement. Today's

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-83885669716201691492009-02-17T13:44:00.000-08:002009-02-17T13:44:20.143-08:00

During my last webcast about Project Aristotle at OpenLiberty Project, I introduced a new concept called Identity Modality. The idea occurred to me as I was trying to describe the different types of identity exchange protocols and methodologies and how they impact developers.I noticed there are several different ways and modes in which information is exchanged. There are times when the user is

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-32249431350077390952009-02-16T10:50:00.000-08:002009-02-16T10:50:05.374-08:00

Every now and then I see people putting forward the notion that they would like to physically control all their identity information and have it held in a single place of their choosing. But does that really solve the problem of privacy? It certainly seems like it does.The problem is that this idea ignores the nature of relationships we establish with service providers and agencies on the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-5973959924992738322009-01-27T22:31:00.000-08:002009-01-27T22:37:12.267-08:00

January 28, 2009 is the second annual Data Privacy Day in the United States, Canada, and 27 European countries. Oracle has worked with other major companies to help found, sponsor and participate in Data Privacy Day activities in the United States.Read more to find out what you can do today to become more knowledgeable about privacy and to protect your own personal information.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-36636303639655747812009-01-26T10:35:00.000-08:002009-01-26T10:57:18.545-08:00

An interesting post from the blog of the Privacy Commissioner of Canada:One Man’s Experiment With a Location-Aware LifestyleIn the scenario described, the services used all have configurable settings about how much information to share to the public. Yet by mashing together a couple of services (iPhone & Flickr), some unanticipated consequences occurred. In this case, a reporter was able to track

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-85260083913105500602008-12-18T14:49:00.000-08:002008-12-18T15:01:35.110-08:00

A tutorial explaining how to use Oracle Virtual Directory as a "provider" for the ArisID open source API is now available on Oracle Technology Network.As mentioned on the recent webcast, this is the first provider made available for ArisID.If anyone else would like to help with Project Aristotle, or begin writing a provider of their own, drop us a line, we'd love to help get more implementations

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-50555537124688929382008-12-15T16:19:00.000-08:002008-12-15T16:36:29.934-08:00

Felix Gaehtgens of Kuppinger Cole comments on the birth of ArisID...For one, Identity Governance is definitely a problem, but not one that is seen to be very urgent - there are typically many other open problems that have the focus and attention of IT professionals. This may be short-sighted however, because regulation is certain to become tighter and relate more directly how identity information

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-51486013550010568902008-12-11T14:49:00.000-08:002008-12-11T14:50:12.012-08:00

Thanks to all who attended the webcast on ArisID this morning! It’s always great to talk about this stuff and share ideas! A copy of the presentation can be obtained here. Also, as promised, here is a video of the Sonic Records ArisID demonstration. You can view it online here. Or, you can download the full-size video here (24MB). Phil

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-59079354519329990722008-12-05T09:55:00.000-08:002008-12-05T10:06:00.739-08:00

From Liberty Alliance: ArisID, the first open source software implementing Liberty Identity Governance Framework (IGF) components, provides enterprise developers and system architects with a library for building enterprise-grade identity-enabled applications using multiple identity protocols, and lays the groundwork for allowing enterprises to manage and audit the identity requirements of

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-33495403848145770712008-12-01T08:59:00.000-08:002008-12-01T11:09:40.406-08:00

The Globe and Mail posted an interesting article entitled "Canada backpedals on sharing ID database with U.S.".Here is a great example of the differences between sharing access to information and copying information between organizations. It seems the original plan was to let the U.S. "house a database of personal information about Canadians who hold special driver's licences aimed at better

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-81693633765761244102008-11-19T07:52:00.000-08:002008-11-19T09:52:25.356-08:00

Good news! For some time now, there has been a lot of work going on at OpenLiberty to design a new "declarative" API that enables application developers to write applications that consume, and manage identity information in a way that allows infrastructure components take care of all the nasty problems like* Which protocol to use* What data providers are appropriate for the current transaction*

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-61444438355418982462008-09-30T16:16:00.000-07:002008-09-30T16:27:34.060-07:00

The attempt to merge various identity standards appears to be on the rocks with Johannes and Kaliya commenting here about the withdrawl by the Identity Commons folks.Johannes is on the money about the culture clash. But in the end, the real loser is the customers as the the Identity version of HD-DVD vs Blu-Ray debate over competing standards and features will continue.Customers, it is your time

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-48511811786679045582008-09-02T20:19:00.000-07:002008-09-02T20:44:56.506-07:00

I've been an offshore sailing racer for some time. One of the great things about joining Oracle a few years ago was learning about our sponsorship of the BMW Oracle racing team.Early this year, after strong pressure from my brother, I bought a Hobie Tiger (catamaran) and started F18 racing. He said that I would get a kick out of the awesome speed that cats generate. Seems my boss had a similar

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-38166941002904580122008-08-28T07:31:00.000-07:002008-08-28T07:44:27.963-07:00

I will be doing a session on the Identity Governance Framework at Digital Id World on Wednesday September 10 at 3PM. In addition to a brief introduction to IGF, I will be spending time on the IGF open source project at www.openliberty.org. This will include a brief demo of our progress so far.Wondering about how the next generation of applications will handle all these new and old Identity

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-71786388006881948752008-08-22T11:32:00.000-07:002008-08-22T11:32:53.069-07:00

A few days ago, Microsoft's Kim Cameron re-issued his "Laws of Identity" in a "short version" that is easier to understand. Others, including Clayton Donley, and Dave Kearns have also commented.Here is my look at Kim's laws. You'll find my own thoughts about identity principles in bold italics below.People using computers should be in control of giving out information about themselves, just as

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-67349968213537173222008-08-12T10:11:00.000-07:002008-08-12T11:25:54.835-07:00

Kim Cameron comments today on a New York Times article on OpenID and Information Cards.In his blog post, Kim comments that if people just use InfoCards, than phishing attacks for passwords are no longer possible.When people authenticate to OpenID in a reliable way - for example, by using Information Cards - the phishing attacks are no longer possible, as I explain in this video. At that point,

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-37670696892932642332008-08-09T14:08:00.000-07:002008-08-09T14:09:40.103-07:00

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-21241118244204732622008-07-07T12:27:00.000-07:002008-07-07T12:38:28.238-07:00

University of Ottawa's Michael Geist talks about the "Triple Lock on Apple iPhone" that is coming to Canada.Wow! I was concerned about too much lock-in and protectionism on the Apple iPhone before, but Roger's new twist on protectionism, high-fees, combined with new legislation in Canada (bill C-61) makes this product a no-go for me. Until I see openness and value for me as a consumer, I'll stick

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-52407890397395580332008-07-07T11:01:00.000-07:002008-07-07T11:48:58.258-07:00

As many of you know, the Information Card Foundation was recently announced. Oracle is one of the founding members. Eric Leach, writing for the Oracle Access Management blog, interviews Uppili Srinivasan, Senior Director of IdM and Security Products, about Oracle's participation in the ICF:Eric: What can Oracle's Identity and Access Management customers expect from our participation with the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-34266353672360775192008-06-23T11:14:00.000-07:002008-06-26T10:47:22.032-07:00

Great news! Liberty Alliance announced the release the first drafts of the Identity Governance Framework and the Identity Assurance Framework.The current IGF draft has 3 major components:Privacy Constraints - This document describes a small set of atomic privacy constraints based on WS-Policy that can be used in other IGF specifications. Privacy constraints are atomic constraints on the use,

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-52729611664058237572008-06-17T12:31:00.000-07:002008-06-20T10:58:55.948-07:00

Burton Group's Catalyst Conference is coming up.If you are coming to Catalyst, remember to stop by the Oracle hospitality suite on Wednesday and look for the OpenLiberty IGF demonstration. I'm excited to say that we are getting to the point where we can show how IGF will work in practice. I'll be there talking about the open source openLiberty IGF project and demoing how the IGF Attribute Service

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-2444343817551164532008-05-29T22:44:00.000-07:002008-05-30T09:23:20.162-07:00

I've been meaning to create a demo showing what it might be like for a developer to write applications that access identity information using the new CARML-enabled Attribute Services API. Accordingly I've put together this brief 10 minute video that demos how easy it is to write a JSP script to access identity information through a declarative API without having to worry about protocols, vendors,

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-31047058694286529542008-05-05T18:29:00.000-07:002008-05-05T18:34:11.609-07:00

Felix Gaehtgens leads an interesting round-table discussion on the "Identity Bus" and the need for a higher-level interface to identity with Dave Kearns, Kim Cameron, Jackson Shaw, and Dale Olds.Felix...sorry I couldn't make it. I wish I could have been there!

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-32289178062335630592008-04-28T19:00:00.000-07:002008-04-28T19:05:56.581-07:00

Techdirt comments that "If you're going to put up fake grassroots videos on youtube, shouldn't you at least pretend to be real people?"I absolutely love this! I always here from people about how our right to privacy should be tied to our ability to fake an identity. However this article shows how not even trying to make it believable can backfire! Excuse me, is that Mr. or Ms. Asdfjkl?

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-57651319369834611782008-04-23T10:27:00.000-07:002008-04-23T10:31:30.011-07:00

Thanks to all who attended the webcast today!The slide-deck for the IGF presentation and the others in the "Privacy in Perspective" series are available at: http://www.projectliberty.org/liberty/resource_center/presentations_webcasts

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-5716138620773807442008-04-21T15:26:00.000-07:002008-04-21T15:38:54.429-07:00

In case you have not seen the press release, I will be doing another webcast on IGF this Wednesday at 8 Pacific. This is part of a series, called "Privacy in Perspective" that Liberty is presenting.The series began with a presentation by Robin Wilton of Sun Microsystems on April 16, and ends with a webcast on May 7, when Byron Acohido and Jon Swartz, technology editors of USA Today, who will be

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-6164096953836846262008-04-18T23:27:00.001-07:002008-04-18T23:28:25.070-07:00

IMG_2184.JPG Originally uploaded by Phil Hunt Tonight there was a forecast for flurries and thunderstorms. Look at the size of those snowflakes! This is Vancouver...we almost never get snow. This is half way through April!

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-9441110294421663212008-04-16T16:55:00.000-07:002008-04-17T11:02:56.293-07:00

While Jeff Bohren's previous post points out having to justify the business need (which I responded to here), yesterday afternoon, Jeff pointed out developers need to be convinced.As I said, I wasn’t suggesting that IGF replaces AD. But if you expect developers to migrate to a new way for developing client applications you need to give them a compelling business case.Well that's actually easily

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com2tag:blogger.com,1999:blog-3202333073278756422.post-48354997322468629332008-04-16T10:08:00.000-07:002008-04-16T11:18:17.043-07:00

Jeff Bohren responds in his latest blog post to a post from Clayton Donley. The gist of Jeff's post is the suggestion that IGF replaces or changes AD. That is not the case.But the hardest thing is getting adoption of these standards. The point of my post was not to suggest that standards for identity services other than LDAP aren’t a good thing. The point was that to drive adoption you have to

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-66341119039157963992008-04-13T11:20:00.000-07:002008-04-15T08:39:18.022-07:00

Last week, members of the OASIS consortium participated in a interoperability demonstration of XACML. My co-worker, Rich Levinson, was there leading Oracle's participation, along with participants from BEA, IBM, Sun, Axiomatics, Cisco, and the US Department of Veteran Affairs, [correction: and Redhat/JBoss too!].For me the cool thing was the scenario put forth by Veteran Affairs. It was a

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com3tag:blogger.com,1999:blog-3202333073278756422.post-29411383612520867742008-04-10T17:37:00.000-07:002008-04-10T18:15:22.359-07:00

Kim Cameron posted a response today to my post yesterday about requirements for his next generation Meta-directory and how IGF aims to do just that. It seems Kim and I are in total agreement on these points and developer appeal is definitely key. I do want to clarify one paragraph from his response:I haven’t seen CARML - perhaps it is still a private proposal? [UPDATE: I’ve been advised that

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-86607851138955804292008-04-08T22:36:00.000-07:002008-04-09T00:05:05.533-07:00

As you may know, there has been an ongoing discussion on what does the next generation of meta-directory look like. Kim Cameron's latest post elaborates on what he thinks is needed for the next generation of "metadirectory".By “next generation application” I mean applications based on web service protocols. Our directories need to integrate completely into the web services fabric, and

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-16942362419487159792008-04-07T10:07:00.000-07:002008-04-08T15:34:39.169-07:00

In a post today, Dave Kearns quotes Kim Cameron on the original definitions of meta-directory.This quote from Kim caught my eye:"In my world, a metadirectory is one that holds metadata - not actual objects, but descriptions of objects and their locations in other physical directories."LOL! This is *EXACTLY* the definition of a Virtual Directory. The virtual directory normally does not (with the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-20988354929999201622008-04-02T12:24:00.000-07:002008-04-02T12:46:42.591-07:00

Pamela Dingle writes an appeal to Enterprise Application Vendors in her recent post. From my perspective she hit's the nail on the head for enterprise vendors:I believe we’ve hit a crossroads, my friends. Here’s what’s happening. We have a groundswell of support and interest in technologies that reduce the need for passwords in the Enterprise. Some of these technologies have been around awhile.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-74587442677896543042008-04-02T09:13:00.000-07:002008-04-02T09:43:00.922-07:00

For those of you who don't know, Vikram Kumar of the New Zealand State Services Commission has an excellent blog on Identity and Privacy.Vikram's latest post, "When is government a Justifiable Party?" is a must read on the issues of government participating in a transaction.Vikram talks about the natural and cultural resistance people have to having a government run services and in particular

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-62583735849418704982008-04-02T08:54:00.000-07:002008-04-02T09:01:14.191-07:00

As some of you know, I have a degree in Electrical Engineering. Apparently we engineers have a slightly different way of looking at things. Let's just say there is something about engineers that gives us our own identity. I'm just not sure what it is. Can someone explain it to me?Check out this video.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-59400865249626199962008-03-30T21:30:00.000-07:002008-03-31T21:12:48.591-07:00

A big welcome to Clayton Donley who has just decided to join the blogosphere! Of course, Clayton and I go way back to OctetString days. Clayton now is top dog for directory services at Oracle and you can expect some interesting posts from now on!His first post responds to Dave Kearn's recent article about the two-billion user benchmark achieved with Oracle Internet Directory.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-18629997559724627722008-03-28T14:00:00.000-07:002008-03-28T17:09:51.290-07:00

It seems that as time passes, there are going to be more and more web services that can provide information about ourselves such as who we are, and what our reputation is. We've moved from relatively simple enterprise identity systems where data was held in a corporate directory towards multiple networks of identity information networks where we provide information about ourselves with the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-47491743555149021282008-03-02T23:26:00.000-08:002008-03-02T23:40:09.905-08:00

You may recall last week I blogged about volunteering for the weasel workers at the World Cup in Whistler. I forgot about this picture showing the correct posture for doing world-cup-alpine-push-ups.This photo and more from the Whistler Alpine Volunteer's photo gallery.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-21402332815775802682008-02-29T14:06:00.000-08:002008-02-29T14:17:43.880-08:00

For those following IGF, the first major check-in for the Attribute Services API is now complete. For more details check out the blog post on the openLiberty blog.The IGF Wiki has also been updated to reflect the recent check-in.The next step is to build a "stack" adapter to enable the recently released Higgins IdAS system to act as a stack for the new high-level CARML Attribute Services API.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-41808103425882063322008-02-27T13:46:00.000-08:002008-02-27T14:13:17.623-08:00

In the last couple of days, 2 blogs posts came to my attention that may be of interest.The first is from Felix Gaehtgens of Kuppinger Cole. Felix talks about why IGF is becoming more important in today's increasingly global society...[...] For a starter, many enterprises still have private identity data stored in many different data stores. Even though the trend is to minimise the number of “data

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-34830326162094229092008-02-27T08:51:00.001-08:002008-03-02T23:40:47.275-08:00

My employer, Oracle, has a great program called "Oracle Volunteers" to encourage employees to volunteer time in their communities. With this inspiration in mind, my wife and I decided to volunteer to work for the Whistler Weasel Workers (named after the most technical and steep piece of the men's downhill course known as "The Weasel") and the Whistler Alpine Volunteers to help put on the Telus

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-26716652231533581432008-02-07T13:41:00.000-08:002008-02-07T15:51:13.599-08:00

Last week, I had an interesting week at the Higgins F2F in Provo, Utah.Higgins is really starting to evolve in a nice way to be not only an excellent identity selector, but also an open source implementation of a multi-protocol Identity Provider.Higgins also has an growing role as an incredibly useful code library for both applications developers and Identity service provider developers. This

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-44682720203945007222008-01-29T22:54:00.000-08:002008-01-29T22:59:25.028-08:00

I was sitting in a meeting today in which several folks were wearing Bandit t-shirts complete with the new Bandit logo. I recalled Dale Olds blogged about it a few days ago.Then I remembered a quote from The Incredibles by Edna E Mode...Do you remember Thunderhead? Tall, storm powers? Nice man, good with kids....November 15th of '58! All was well, another day saved, when... his cape snagged on a

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-59605668085793936442008-01-24T11:50:00.000-08:002008-01-24T11:52:35.339-08:00

An article written by myself and Marco Casassa Mont of HP on Liberty Alliance's IGF initiative addressing privacy and SOX is featured in Sarbanes-Oxley Compliance Journal.This article is a good introduction to the problems of privacy and compliance as it relates to personal information and how IGF is intended to make the compliance of applications and the businesses that deploy them much easier

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-71236686724993940972007-12-10T15:03:00.001-08:002007-12-10T15:17:11.675-08:00

TUAW, The Unofficial Apple Weblog reports that iTunes has limited the number of accounts you can use to sync purchases on your iPod to 5.Now, that may seem reasonable until you also find out that Apple has no way to allow you to consolidate purchases from many accounts into one. I found this out when I wanted to transfer purchases from my 2nd generation ipod to my new ipod touch and called Apple

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-76726943793536477372007-12-06T10:41:00.000-08:002009-02-16T16:02:17.699-08:00

I read an article by Rosie Lombardi in InterGovWorld that turned out not to be what I thought it was about on first reading the title "Secret identity: Solving the privacy puzzle in a federated model".The article turned out to be a discussion not of classic web federation, but one of different approaches to using LDAP in a federated government setting. In the article, Rosie lays out the case for

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-36769332591065638862007-12-01T12:42:00.000-08:002007-12-01T13:39:20.028-08:00

Inspired by Paul's dare, I decided to take some pictures of my home office.Unlike Paul's digs, I've decided to be tortured by comfort.That's the view north from my deck of Yaletown and the north shore mountains. Yaletown has seemingly doubled the number of high rises in the past 5 years. 5 years ago, somebody told me it was the highest density neighborhood in North America. I haven't been able to

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com1tag:blogger.com,1999:blog-3202333073278756422.post-34360648187696561862007-11-26T10:29:00.000-08:002007-11-26T10:52:19.411-08:00

Because of Canadian copyright law and backward thinking of traditional distributors of content in Canada, Canadians are being increasingly locked out of access to new services and content.See "Canada locked out of tech fun" by Raju Mudhar, of the Toronto Star on November 25, to see what I mean.If I am not able to buy any of these goods or services at any price, who is benefiting? How are artists

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-60979004681188167912007-11-19T10:40:00.000-08:002007-11-19T11:55:32.969-08:00

Last Saturday I posted some screen shots showing some help text included in the Microsoft Cardspace client that indicate that what is displayed (display tokens) is not necessarily what is transmitted to a web site, and further that there are no guarantees that Cardspace has no control over what the web site does with the information once submitted.Interestingly, Kim wrote a response to a thread

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-8600431069349979962007-11-17T21:55:00.000-08:002007-11-17T22:33:49.588-08:00

A colleague of mine noticed something interesting in the Cardspace help text (click to enlarge)...Important: The data that is retrieved and viewed may or may not be the same as the data that is being sent to the requesting site. A managed card is encrypted so that it can only be opened only by the requesting site. When you retrieve a version of the requested data, it is the responsibility of the

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com2tag:blogger.com,1999:blog-3202333073278756422.post-1741836769519583662007-11-13T10:53:00.000-08:002007-11-13T17:12:41.047-08:00

I recently blogged about a couple of use-cases of organizations and why they might become attribute authorities and their general motivations. What are some more of the general motivations and for that matter de-motivators?Yvonne Wilson of Sun writes... I think the attribute provider concept makes a lot more sense when there is an entity that already has information about a person and which would

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-58021603845576542212007-11-12T12:04:00.000-08:002007-11-12T13:08:46.587-08:00

Marco Casassa Mont was wondering a while back about Bob Blakley's piece on the Identity Oracle in which he states that in the Identity Oracle concept, providers of information will charge other relying-party customers for its services.Marco comments thatI guess that to be a viable business, the Identity Oracle needs to have relationships with many Relying Parties – which themselves might have

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-46297956874928719692007-11-11T12:13:00.000-08:002007-11-11T13:20:10.455-08:00

Paul Madsen comments on Dale Old's comment that "user-centric" should just mean the user participates in the flow of personal information.Hmmm. In my mind, I prefer to interpret user-centric to mean the user has control. Control is what users care about. Conflating the idea of user-control with specific implementation or architecture is a mistake.I mention this because a desktop-centric model

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-39479201362169055372007-11-10T13:04:00.001-08:002007-11-10T13:28:01.780-08:00

My colleague at Oracle, Nishant Kaushik, was asking me about whether I knew if something was going on to develop a high-level API for Identity Services in the open source community. I realized that in a way, my work at Open Liberty on the implementation of the CARML API for the Identity Governance Framework was in fact turning out to be the startings of that exact API. From the developer's

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com2tag:blogger.com,1999:blog-3202333073278756422.post-75618978781340969952007-11-07T10:03:00.000-08:002007-11-07T10:25:21.448-08:00

Jeff Bohren jumped on my post yesterday on self-issued cards not being more secure. I think this quote underlines a point he may be missing... Let me give you a chilling example. Suppose a potential employer asks an Identity Oracle if Jeff can purchase firearms in the state of FL. If the Identity Oracle says no, then since Jeff would have already disclosed his age and lack of criminal

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-81332278798490362922007-11-06T13:38:00.000-08:002007-11-06T13:47:52.261-08:00

This is a little off-topic for this blog, but after seeing this video by Gwyneth Cravens, I think many will be interested in learning more about Nuclear power and the possibilities the technology holds in reducing carbon emissions. But don't listen to me...watch the video.

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-78820588718134630912007-11-05T14:54:00.001-08:002007-11-05T22:01:16.024-08:00

Ben Laurie responds to Pam Dingle's post on the issue of self-issued cards vs managed cards. I have to say I disagree!Self-asserted cards are no more user-centric than plain old web forms. There's nothing user-centric about them. There's nothing giving users more control here at all. The only difference is the convenience factor offered by streamlining the form-filling process and another might

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-12970028419302809652007-10-29T06:49:00.000-07:002007-10-29T17:01:30.808-07:00

I just wanted to thank the US Department of Homeland Security for promoting Canada in its latest marketing video which includes the Canadian side of Niagara Falls.I only have a couple of questions:1. Would it be impolite for the Canadian Gov't not to return the favour?2. What is US DHS doing in the tourism marketing business anyway?3. Is this just another case of Canada crowding the skyline and

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-86135614705489240032007-10-25T23:34:00.001-07:002007-10-26T00:52:03.771-07:00

Today, I was honored to attend the Liberty Alliance 2007 Tokyo meeting hosted by the Liberty Alliance Japan SIG.As usual, it was great to hear Roger talk about the great progress being made. I continue to be surprised at the amount of important work going on at Liberty. Paul Madsen blogs about it here.For me, it was a special honor as next month marks the first year anniversary of the Identity

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-8991375267889402832007-10-23T15:36:00.000-07:002007-10-23T15:48:52.705-07:00

A hilareous speech, entitled "ALL YOUR TEXT ARE BELONG TO US" at the PodTech conference by Dictionary Evangelist, Erin McKean.Hmmm..are we technologists prone to using neologisms or what?

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0tag:blogger.com,1999:blog-3202333073278756422.post-56462632443400289692007-10-22T21:55:00.000-07:002007-10-22T22:35:36.266-07:00

The Liberty Alliance meeting got off to a great start today here in Tokyo. After some great discussions and hard work this morning, Paul Madsen, our outgoing Technical Expert Group chair got things going by arranging for a beach football (soccer)  match...Have some ill-feeling towards a TEG colleague? Didn't appreciate their constantly changing feedback on a spec you edited? Resent travelling to

Phil Hunthttp://www.blogger.com/profile/08974996068290136413noreply@blogger.com0