Postcard from IdentityNext 2013 - PowerPoint PPT Presentation

About This Presentation
Title:

Postcard from IdentityNext 2013

Description:

Gluu’s unique hybrid cloud deployment and dedicated server architecture delivers guaranteed security and scalability for large organizations. – PowerPoint PPT presentation

Slides: 6
Provided by: gluu

Transcript and Presenter's Notes


1
Postcard from IdentityNext 2013
  • IdentityNext is a unique conference that pulls
    aspects from several of the identity events I've
    attended over the years. As only a handful of
    Americans attend, it reminded me of Kuppinger's
    EIC (European Identity Conference). There were
    delegates from many Western European countries,
    for example Sweden, Denmark, France, Germany,
    Austria, Spain, Belgium, the Netherlands (of
    course), England and probably a few more. The
    focus on privacy reminded me of the PII (Privacy,
    Identity, Innovation) which is held several times
    around the US. And finally, it was the second
    conference I attended this year that had an
    un-conference portion, inspired by IIW
    (Internet Identity Workshop).
  • It was a great honor for me to deliver the
    opening keynote. I wanted to give a general
    interest talk about federations, an introduction
    to OAuth2, and describe how these two
    technologies could be combined to the net benefit
    of society. I was a little tense, especially as
    I'd never attended this conference. My slides are
    here. I was amused that Martin Wegdam quoted me
    on Twitter as apologizing for previous XML
    identity standards. I was not really serious. As
    Andre Durand says, Identity is a big and
    complex domain of knowledge. If we (as in the
    global community of identity architects) had
    figured it out on the first try, it would have
    been a miracle. Defining standards for identity
    has been an iterative process. And 13 years
    later, I think the work done on OpenID Connect
    puts us on the verge of a good technical standard
    for one aspect of Identity: authentication.
    Connect has achieved something even more
    elusive: consensus.

2
One of the best talks was given by author,
journalist and teacher Pernilla Tranberg. She
presented an up-to-date view of the current state
of online privacy, and some pragmatic strategies
we can consider to achieve more control of our
personal data. For example, don't use Google
search, use Start Page, which strips out all
the tracking cookies that sell to advertisers the
interests implied by your Internet searches.
Also, advise your kids to sign up for Facebook
using a different name so they can start their
adult life with a clean slate.

One of the most
amusing talks was given by Mike Chung from KPMG
on the topic of predictions. He recommended a
number of books: Nate Silver's The Signal and the
Noise, two books by Nassim Nicholas Taleb, The
Black Swan and Fooled by Randomness. Dan Ariely's
book Predictably Irrational. Robert Kaplan's
Revenge of Geography and Daron Acemoglu's Why
Nations Fail. Robert McNamara's In Retrospect and
Jim Paul's What I Learned Losing a Million
Dollars. Apparently none of which helped him very
much given his self-proclaimed abysmal record
making accurate forecasts in identity and access
management. For example, he forecast in the mid
2000s that WS- would be the predominant
federation protocol among other equally
inaccurate claims. He totally missed the rise of
mobile computing. And even more amazingly,
companies paid him for his inaccurate advice. Hearing
stuff like this makes me nervous about the big
bets Gluu has placed on OAuth2, and reminded me
that if Gluu is able to invest our scarce
resources properly in one of the most dynamic
technical markets, we're probably more lucky than
smart.
3
Most Americans are unaware of the identity card
programs that have been undertaken by almost all
European governments. The conference featured
talks on the efforts of Sweden, Germany, and
Belgium. All of these cards can be used to access
government services. But many are expanding to
B2B and B2C purposes. For example, in Belgium
there are beer vending machines that read the
birthday off of your national ID cards to figure
out if you're old enough to be served. In Japan I
video-taped a machine that automatically poured a
glass of beer. It's clear our country is just so
far behind, it's ridiculous.

Given my keen
interest for federation, the talk I got the most
out of was Rainer Horbe's talk on federation.
Austrians clearly understand the value of
federations, and also that these federations are
hard to form. So the Austrian Chamber of Commerce
formed the Wirtschaftsportalverbund (which
believe it or not is an abbreviation for
something like the Austrian Identity Federation
Authority) which aims to establish B2B and B2C
federations the cost of identity management and
SSO. This group is creating a framework to help
businesses jumpstart federations, including the
required technical and governance
components.

One of the most interesting
conversations I had at the conference was with
Haydar Cimen from KPN and Steve Pannifer from
Hyperion Consulting regarding Snowden. While a
majority of Americans now regard him as a heroic
whistle blower, his support in Europe is even
higher. In fact, I seem to be the only one in my
industry who thinks he needs to answer for his
actions.
4
My problem is that if more people follow his
precedent, our government and businesses couldn't
operate. If he thinks the moral imperative to
uncover this wrong was sufficient to justify his
actions, he shouldn't be hiding in Russia. If he
had stayed in the US, I'd support him for
standing up for his beliefs. Many people don't
think he would have gotten a fair trial if he had
stayed. Or that maybe the government would have
water-boarded him, or left him in solitary for
years like they did to Manning. Whatever you
think of Snowden, it's clear that our allies view
the US as little better than China, are hesitant
to travel to the US for fear of being the victim
of a big-data analysis snafu, and are resentful
that their systems are being hacked in the
pursuit of America's enemies in a covert cyber
war for which we apparently have a great talent
(and an insane amount of budget).

I was happy to
see many old friends, especially from Surfnet and
Kinnesnet. I also got a chance to chat with Hans
Zandbelt from Ping Identity. Apparently after
working all day on helping companies implement
federation, he can't get enough, so he has been
moonlighting to write his own OpenID Connect
plugin for Apache. It's much simpler than the one
Gluu has undertaken in our crowd-sourcing
project. The nice thing about it is that it is
standalone. Gluu uses a local process, oxd, to
handle the OAuth2 messaging. Some people don't
want this additional complexity.
5
We used this approach because it enabled us to
leverage our Java libraries for OpenID Connect
and UMA, and it would have taken us too long to
do all the messaging in C (as we already have
Java libraries written). Hans' plugin supports
fewer features, but it's a great example of how you
can use a subset of the features if it suits your
purpose. More options for developers is great, so
I hope Hans has the energy to keep working on it,
and to make it available to other developers. If
you want to look at the code, it's currently here.

Finally, one of the best uses of technology was on
display in a video from the UK by hipster the
Urban Wizard. To express his identity he likes
to dress up like a wizard when he walks around
London. He melted his Oyster card (subway debit
card), and attached the chip to his staff. As he
walks into the subway, he touches his staff to
the turnstiles, and magically, the doors swing
open. Apparently the police were not amused, and
won't let him do this anymore. But it's a
reminder that technology is not a one-size-fits-all
affair. People will use things in ways the
developers never intended. Who knows what OX will
be used for one day. Open source and open
standards are more embracing of this phenomenon
than the metro police.

Article Resource: http://thegluuserver.tumblr.com/post/68143784696/postcard-from-identitynext-2013