Tuesday 26 November 2013

Postcard from IdentityNext 2013


IdentityNext is a unique conference that pulls aspects from several of the identity events I’ve attended over the years. As only a handful of Americans attend, it reminded me of Kuppinger’s EIC (European Identity Conference). There were delegates from many Western European countries, for example Sweden, Denmark, France, Germany, Austria, Spain, Belgium, the Netherlands (of course), England and probably a few more. The focus on privacy reminded me of PII (Privacy, Identity, Innovation), which is held several times around the US. And finally, it was the second conference I attended this year that had an “un-conference” portion, inspired by IIW (Internet Identity Workshop).

It was a great honor for me to deliver the opening keynote. I wanted to give a general interest talk about federations, an introduction to OAuth2, and describe how these two technologies could be combined to the net benefit of society. I was a little tense, especially as I’d never attended this conference. My slides are here. I was amused that Martin Wegdam quoted me on Twitter as apologizing for previous XML identity standards. I was not really serious… As Andre Durand says, “Identity” is a big and complex domain of knowledge. If we (as in the global community of identity architects) had figured “it” out on the first try, it would have been a miracle. Defining standards for identity has been an iterative process. And 13 years later, I think the work done on OpenID Connect puts us on the verge of a good technical standard for one aspect of Identity: authentication. “Connect” has achieved something even more elusive: consensus.

One of the best talks was given by author, journalist and teacher Pernilla Tranberg. She presented an up-to-date view of the current state of online privacy, and some pragmatic strategies we can consider to achieve more control of our personal data. For example, don’t use Google search… use “Start Page”, which strips out all the tracking cookies that sell to advertisers the interests implied by your Internet searches. Also, advise your kids to sign up for Facebook using a different name so they can start their adult life with a clean slate.

One of the most amusing talks was given by Mike Chung from KPMG on the topic of predictions. He recommended a number of books: Nate Silver’s The Signal and the Noise; two books by Nassim Nicholas Taleb, The Black Swan and Fooled by Randomness; Dan Ariely’s Predictably Irrational; Robert Kaplan’s Revenge of Geography; Daron Acemoglu’s Why Nations Fail; Robert McNamara’s In Retrospect; and Jim Paul’s What I Learned Losing a Million Dollars. Apparently none of these helped him very much, given his self-proclaimed abysmal record of making accurate forecasts in identity and access management. For example, he forecast in the mid-2000s that WS-* would be the predominant federation protocol, among other equally inaccurate claims. He totally missed the rise of mobile computing. And even more amazingly, companies paid him for his inaccurate advice. Hearing stuff like this makes me nervous about the big bets Gluu has placed on OAuth2, and reminded me that if Gluu is able to invest our scarce resources properly in one of the most dynamic technical markets, we’re probably more lucky than smart.

Most Americans are unaware of the identity card programs that have been undertaken by almost all European governments. The conference featured talks on the efforts of Sweden, Germany, and Belgium. All of these cards can be used to access government services. But many are expanding to B2B and B2C purposes. For example, in Belgium there are beer vending machines that read the birthday off of your national ID card to figure out if you’re old enough to be served. In Japan I video-taped a machine that automatically poured a glass of beer. It’s clear… our country is just so far behind, it’s ridiculous.

Given my keen interest in federation, the talk I got the most out of was Rainer Horbe’s talk on federation. Austrians clearly understand the value of federations, and also that these federations are hard to form. So the Austrian Chamber of Commerce formed the Wirtschaftsportalverbund (which, believe it or not, is an abbreviation for something like the Austrian Identity Federation Authority), which aims to establish B2B and B2C federations to lower the cost of identity management and SSO. This group is creating a framework to help businesses jumpstart federations, including the required technical and governance components.

One of the most interesting conversations I had at the conference was with Haydar Cimen from KPN and Steve Pannifer from Hyperion Consulting regarding Snowden. While a majority of Americans now regard him as a heroic whistleblower, his support in Europe is even higher. In fact, I seem to be the only one in my industry who thinks he needs to answer for his actions. My problem is that if more people follow his precedent, our government and businesses couldn’t operate. If he thinks the moral imperative to uncover this wrong was sufficient to justify his actions, he shouldn’t be hiding in Russia. If he had stayed in the US, I’d support him for standing up for his beliefs. Many people don’t think he would have gotten a fair trial if he had stayed. Or that maybe the government would have water-boarded him, or left him in solitary for years like they did to Manning. Whatever you think of Snowden, it’s clear that our allies view the US as little better than China, are hesitant to travel to the US for fear of being the victim of a big-data analysis snafu, and are resentful that their systems are being hacked in the pursuit of America’s enemies in a covert cyber war for which we apparently have a great talent (and an insane amount of budget).

I was happy to see many old friends, especially from Surfnet and Kinnesnet. I also got a chance to chat with Hans Zandbelt from Ping Identity. Apparently after working all day on helping companies implement federation, he can’t get enough, so he has been moonlighting to write his own OpenID Connect plugin for Apache. It’s much simpler than the one Gluu has undertaken in our crowd-sourcing project. The nice thing about it is that it is standalone. Gluu uses a local process, “oxd”, to handle the OAuth2 messaging. Some people don’t want this additional complexity. We used this approach because it enabled us to leverage our Java libraries for OpenID Connect and UMA, and it would have taken us too long to do all the messaging in C (as we already have Java libraries written). Hans’ plugin supports fewer features, but it’s a great example of how you can use a subset of the features if it suits your purpose. More options for developers are great, so I hope Hans has the energy to keep working on it, and to make it available to other developers. If you want to look at the code, it’s currently here.

Finally, one of the best uses of technology on display was in a video from the UK by a hipster known as the “Urban Wizard.” To express his identity he likes to dress up like a wizard when he walks around London. He melted his Oyster card (subway debit card), and attached the chip to his staff. As he walks into the subway, he touches his staff to the turnstiles, and magically, the doors swing open. Apparently the police were not amused, and won’t let him do this anymore. But it’s a reminder that technology is not a one-size-fits-all affair. People will use things in ways the developers never intended. Who knows what OX will be used for one day… open source and open standards are more embracing of this phenomenon than the metro police.

Article source: http://thegluuserver.tumblr.com/post/68143784696/postcard-from-identitynext-2013
