Identity Matters: User Managed Access

Identity Matters PodcastIn this episode of the Identity Matters Podcast, Eve Maler presents an overview of the User Managed Access (UMA) Work Group. Eve, the UMA WG chair, starts off with background of the group working within the Kantara Initiative and defines the problem space. She then provides an overview of the process the group is taking as well as where they are in their roadmap toward delivering a specification to the IETF.

From the UMA charter: The purpose of the UMA work at Kantara is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.

Identity Matters: User Managed Access

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

Download MP3 | Episode Length: 0:27:41 | Filesize: 18.5 MB

NOTE: This podcast was produced in collaboration with the Kantara Initiative Identity Community Update Discussion Group.

  • Share/Bookmark
January 28th, 2010 | Projects | , , , | Leave a comment

Global Finance article looks to the future

It’s not a bad start to the new year (and decade) when a journal like Global Finance sees value in the work you’re doing. Their cover story on “A Wide Open World” just hit the stands and I’m pleased that some of my contributions made their way into the article. Specifically:

The ISOC’s Adams believes access to information will be a key driver of change. “Whereas today users generally manage data within the silo of single institutions—for example, individual bank, brokerage, or credit card companies—new capabilities will allow them to delegate access to and control authority over their data as it is shared across institutions,” he says.

While it wasn’t mentioned by name, I was referencing work being done by Eve Maler, Iain Henderson, Joe Andrieu and others in various Kantara Initiative working groups. Specifically in the User-Managed Access (UMA) and Information-Sharing groups. Too bad they weren’t included by name, but I hope this helps give them the recognition they (and their long list of collaborators) deserve.

They also reference my comments about “open trust frameworks” and the Kantara Identity Assurance Program, but reduced it to generalities. There’re a lot of amazingly dedicated folks working hard on open specifications in this area to help standardize a trusted model for information exchange. Even though they’re not named, this is a great example of their work starting to permeate the broader market.

Great job, folks. Keep it up!

(PS Many thanks to Greg and the ISOC communications team for facilitating my contribution to the article.)

  • Share/Bookmark
January 6th, 2010 | Pointers | , , , , , | Leave a comment

Kantara to Build a Trusted Bridge

Kantara Initiative At the ID Workshop leading into the RSA Conference, we announced the impending formation of the Kantara Initiative. To those following the Identity Community, this wasn’t really ground-breaking news as we’ve been working on this for the past year or so (under various monikers). What was worth mentioning in the workshop, however, was that we’d signed a number of founding member organizations (including the Information Card Foundation, Internet Society, DataPortability Project, XDI.org, Project Concordia) and put out a call for more to join before the launch in a few months.  Oh, and we settled on the name.

After much (much) debate, the founders settled on the name Kantara as it is a Swahili word for “bridge” and has Arabic roots meaning “harmony”. And yes, we know that some people believe it should be spelled “Qantara” (while others want to add a trailing “h” on the end, too). In the end, there was strong support for the name as it blends key points of the group’s mission to:

Foster identity community harmonization, interoperability, innovation, and broad adoption through the development of open identity specifications, operational frameworks, education programs, deployment and usage best practices for privacy-respecting, secure access to online services.

Beyond the announcement itself, the bridge-building we hope to facilitate already struck a positive chord throughout the RSA Conference. Of the meetings I attended, here are a list of them where Kantara was mentioned (either by the presenters or in audience questions):

  • Fostering Collaboration and Opportunities in Identity Management
  • Federate Access Policy, Not Identity
  • Building Authorization into the Enterprise Identity System
  • Cloud Computing and Identity Challenges
  • Identity Management for the Cloud: Challenges, Opportunities, and Best Practices
  • Identity and Privacy Models

In each case, the comments were positive and hopeful. Like opening a new birthday present, the IdM professionals were excited to play with the new group. Our goal, of course, is to make sure the Kantara Initiative lives up to our collectively high expectations. Taking a page out of the Concordia playbook, the initiative will provide neutral ground for all participants. There is no cost for participation, and all contributors are welcome. The playing field is level, and we’re excited to see what projects take advantage of the unique opportunity to have a truly open dialog.

Kantara Announcement Tweet RaceThe Tweet Race: As you can tell from the photo to the right, Eve Maler (a.k.a. @xmlgrrl) was apparently happy that her Kantara announcement Tweet beat mine. I’m relatively convinced, however, that she cheated by typing her’s in advance (only needing to hit “send” from the stage), while I had to type mine on the spot. In fact, her announcement blog post also won. Hmmph.

  • Share/Bookmark
April 24th, 2009 | Pointers | , , , , , , | Leave a comment

Reason to Choose an Identity Provider

Buried in a post about OpenID user experience by Chris Messina is a concise bit of advice for users:

picking an identity provider should be like picking a bank or credit card provider: as a fourth-party service provider that advocates for your interest, since you’re their customer!

The “fourth-party” reference is to an article titled “Get ready for ‘fourth party’ services” by Doc Searls in the Linux Journal.

Personally, I’m not a fan of the introduction of this term for the new party around the table. I like to think that a “third party” working on the user’s behalf fits the bill just fine. Following an object-oriented mindset, the third party can adopt the properties relating to it’s responsibility in a transaction without being locked between two others (necessitating a fourth).

What I do like, however, is the concept Chris clarifies later:

Instead of agreeing to terms of service that disclaim all responsibility to you, the customer, I hope that competition in the identity space will lead providers to actually take responsibility for their services — charging good money for doing so. If your account gets hacked — no problem! — your identity provider can put back the pieces and make things right again! You could even take out online identity insurance in case your identity is ever stolen — so you can always get back to your life and recover your data without the hassle and interruption when it happens today.

To unpack this a bit, I see a compelling use case for identity providers emerging, possibly piggy-backing on the PCI Security work. So far, the first quote about picking an IdP is falling on deaf ears as users don’t really think about their choice. They use what they use and that’s about as far as it goes. What users need is a compelling reason to think in terms of choice, and the model Chris suggests might be it.

I spent some time helping to build an affinity card system with MBNA a couple years ago, and that process was telling. As it relates to this discussion, I can easily see that they would jump on the opportunity to capture a market like this. All that needs to happen is for someone to write up a clear business plan around the concept. In fact, I’ll bet there’s an MBA student out there somewhere looking for their thesis.

In a nutshell, here’s what I think this looks like:

  1. Credit Card Company (C3) sets up a new product based on it’s current card-based account system.
  2. C3 stands up a full service identity provider (possibly built using the Higgins Identity Framework)
  3. For high value services, C3 executes federation agreements with key nodes.
  4. C3 contracts with an insurer to cover losses due to ID theft / masquerading (rates most likely locked to the NIST levels of assurance as codified by the Liberty Alliance Identity Assurance Framework).
  5. C3 then advertises the new product to it’s existing customers (ID validation fees waived as an incentive)
  6. Users now have a reason to choose C3 as their IdP for all high value applications (and might as well use them for everything else, too).

C3 still has to convince it’s customers (and attract new ones) to see value in paying for a secure IdP. I don’t believe this is too far away from happening organically, so now’s the time for a C3 to start working on the product line.

Further, it’s distinctly possible that Id end points are going to force the issue by requiring verified identity assurance and security beyond what your run-of-the-mill OP can provide. Hence services like MyID.is (which has it’s own issues, of course, but that’s the direction). If a C3 gets in the game, I have a feeling they’ll be able to build a more effective federation of trust, even when used in an anonymous context.

  • Share/Bookmark
April 8th, 2009 | Commentary | , , , , | Leave a comment

Time Warner Cable and Identity Management

Liberty Alliance ProjectMost people working in the identity field are generally resigned to living an invisible existence. Unlike when I was working for the New England Patriots (where I couldn’t walk ten feet without bumping into coverage of our every breath), toiling away on standards and specifications often receives little to no recognition. That’s why it was great to see the Liberty Alliance work getting props from Peter Stern, the executive vice president and chief strategy officer for Time Warner Cable.

In an article in Multichannel News, Stern talked about how its “TV Everywhere” initiative is ensuring their Internet video services can scale. Deep inside their strategy for the widest possible deployment is their embracing of Liberty Alliance identity management specifications:

Stern said Time Warner Cable has “embraced” the Liberty Alliance standards for creating and establishing users IDs. “We think we can create a scalable solution, without needing a common database across the MSOs,” he said. “The plan is to do this bilaterally, using open standards.”

While it’s not immediately clear which specific standards they’re adopting (it could be a mix of ID-WSF, ID-FF with SAML2.0), it’s clear they’ve evaluated them against their goals as quoted from the article:

  • “We’re looking to create a model that’s friendly to cable, works for consumers… so if you’re paying for it in your living room, you can also watch it online,” Schwartz said.
  • Stern emphasized that the authentication process for TV Everywhere must be very easy for customers and programmers. The user ID and password capabilities for TV Everywhere must be integrated so users can log in once, and access multiple programmers’ services.
  • The system must also “deliver authorizations quickly — consumers don’t want to have to wait for several seconds, let alone minutes, to watch the content so we need to be sure we can build scalable system… across millions of requests happening on a regular basis,” Stern said.

It’s not the popular press (meaning the average user won’t know, or care, about this), but it’s great to see the word spreading about LAP’s identity management tools. Of specific interest to me is that Time Warner Cable is obviously paying close attention to the need to deploy highly scalable and interoperable systems that service end users without locking them into a proprietary solution.

  • Share/Bookmark
April 2nd, 2009 | Pointers | , | Leave a comment

Authentication, Authorization, and Assurance

The deeper I dive into the various projects I’m working on the more I encounter the substantive differences between logging into a system and having the appropriate roles to access what they need. In my rough-n-ready approach to definitions as a way to discuss concepts:

  • Authentication: Identifying yourself using some type of credentialing system
  • Authorization: Having the rights to access and/or modify something.

In our daily lives, we’re familiar with the need to authenticate. Whipping out your ATM card and entering your PIN is a common example of telling the banking system who you are (or at least the identification of your account). In the expanding universe of online services, everyone’s inundated with the standard challenge/response prompting the entry of username and password.

What’s not as often visible is what happens post-authentication. Under the covers, systems generally track what you’re allowed to do once you’ve said who you are. This is where authentication enters the story. After entering your PIN, you can pull some cash from your bank account, but your access is often limited. For example, you are only authorized to access up to $N.

This is all very well and good, but oddly enough it glosses over a fundamental issue at the core of these transactions. Specifically, when the authentication credentials are assigned, it’s not always clear the issuer truly knows the identity of the credentialed party.

This is where “assurance” comes into play. I had a great dinner conversation with Peter Alterman of the GSA who was able to shine a light on the subject. Before entering a system requiring authentication (and associated authorization), you’ll need to assert your identity to a level the managers of the system find acceptable. There is, of course, a complete gamut of acceptable levels as not all systems require the same assurance of their users’ identities.

These days when we’re creating new social networking accounts every five minutes, it’s pretty clear little to no assurance is given to the site that the name you entered when registering is valid. It’s arguable whether or not that’s a problem, but it’s not very controversial that signing up for Facebook has different needs than being credentialed to access your medical records.

Then again, that’s only true insofar as you’re going to stay within that system (or largely similar ones). What happens when you start cross-linking systems in a frenzy of mash-ups and other data portability goodness? Unfortunately, the discussion with Peter really opened my eyes to the host of issues that arise when a user creates a self-credentialing account, then wants to link data from it to a system he perceives as being more secure. It was in the context of discussing a healthcare initiative I’m working on where this problem really became obvious.

Taking my personal experience here, I’ve got what I believe to be the mac-daddy of OpenID accounts. I have been using myOpenID.com (and I firmly recommend it to anyone who will listen), and was thrilled when they rolled out their two (and three) factor identification methods. Now if I want to log into an OpenID Relying Parties, I need to present not just a username / password combination, but also provide an SSL certificate and answer my cell phone, too. Now if you want to access my accounts, you need all three bits: un/pw, SSL cert, and my cell phone.

Now, here’s the ugly secret. I set up that account myself, and no one verified that I was who I said I am when I created my OpenID. Basically, you could call it “Assurance Level 0″ (i.e. no assurance of my identity whatsoever).

Who cares, you might ask rhetorically. Well, you should. While it’s fine-and-dandy for run-of-the-mill social networking systems, what happens when they start asking for your credit card number? We’re right back where we’ve been for decades. Yes, you logged into the system before entering your payment information, but when you roll back to how the account was created it’s not materially different than simply typing your credit card into a non-credentialed system.

So, basically, here’s where I am now. I’m working on a couple of projects that need to maintain a level of security throughout the process lifecycle. Apparently, I need to be much more careful how credentials are allocated, and it’s not enough to rely on self-credentialing. I’m looking into automated multi-factor identification assurance models now (akin to SSL certification methods used by VeriSign that use third-party triangulation).

If you’re curious about this assurance discussion, you might want to pop over to the Identity Assurance Framework released by the Liberty Alliance. You’ll also notice that Peter was a co-chair for some of the work that went into it. I guess I was talking to the right guy.

END NOTE: I wish I knew the origin of the saying, “to name something is to control it”. In my experience that’s nearly accurate in that once a (good) name is applied to something, it’s easier to discuss, and thus feel a sense that what’s been named is more effectively understood. That’s not necessarily true, of course, but at least agreeing on a common name is a good start. Now that I’ve got a handle on the term “assurance”, I have a sense I’ll be able to more effectively grapple with the concept.

  • Share/Bookmark
September 18th, 2008 | Commentary | , , | Leave a comment