January, 2003 Archive
January 31, 2003
Liberty Continues to Deploy #
The march of the Liberty Alliance federation specification into the real world continues with the changeover of SecuritiesHub to Liberty. SecuritiesHub was the first federated identity system implemented by Communicator, Inc. and federates signon for Merrill Lynch, Morgan Stanley, Goldman Sachs, J.P.Morgan and other Wall Street firms. HubID, the Managed Service Identity Management offering (yes, that can sound confusing) from Communicator, Inc. was originally built with Communicator's proprietary Cooked URL (CURL) protocol back in 1999. Communicator committed more than a year ago to convert to Liberty and SAML, and the conversion of their oldest customers is a big milestone in that direction. On another note, Eric "crabbed" this morning about Cnet's inability to report Liberty as anything other than a "rival authentication system backed by Sun Microsystems." Maybe they heard him, as this time they added "In the earlier days of Liberty, Sun and Microsoft grappled for dominance over the single-sign-on idea, with Microsoft claiming more customers and Sun claiming more prestigious customers. As Liberty Alliance partners such as United Airlines have gradually gained some of the control Sun had over Liberty, the debate has cooled down somewhat." Along with Eric, I hope they can get over this, just admit they misunderstood the story, and reach credibility in their reporting on identity. pbecker at 04:34 PM MST
I3P Consortium Pushes for Cybersecurity R&D #
This article indicates that the I3P Consortium is pushing the government to fund cybersecurity R&D. The categories of research they ask for are:
1. Enterprise security management.
2. Trust among distributed autonomous parties.
3. Discovery and analysis of security properties and vulnerabilities.
4. Secure system and network response and recovery.
5. Traceback, identification and forensics.
6. Wireless security.
7. Metrics and models.
8. Law, policy and economics.
pbecker at 12:54 PM MST
January 30, 2003
SSN overuse #
Wired News: 9-Digit 'Social' Overused as ID "The Social Security number is so abused in today's world that it's a very, very poor way to identify anyone," Allen said. "They need to come up with some other way." ejnorlin at 08:16 AM MST
180k exposed to ID theft #
The Register ejnorlin at 07:56 AM MST
Forget TIA, now it's about the TTIC #
Bush proposes antiterror database plan - Tech News - CNET.com ejnorlin at 07:50 AM MST
Eric's New Thesis #
EU says Microsoft will alter Passport - Tech News - CNET.com PS: Can SOMEONE please tell CNET that Liberty is not a "rival authentication system backed by Sun Microsystems." That kind of reporting is so bad as to be shameful. ejnorlin at 07:46 AM MST
January 29, 2003
TCPA Indicates Linux API Support #
In the now accelerating "Trusted Computing" platform battles, the TCPA indicates that they will support Linux APIs. Now what was Microsoft's NSCB licensing again? pbecker at 02:42 PM MST
Just a hunch.... #
This is a GREAT whitepaper on ID MGMT from a government perspective (warning: it IS 68 pp long). So, I'm getting a hunch: if last year could be characterized as the year of Identity in the Enterprise, this year might well become Identity in the Government. Not that the other isn't happening, just that the main story seems to be changing....stay tuned. ejnorlin at 08:19 AM MST
January 28, 2003
SSO grows #
Web SSO, a technology that reduces the complexity of managing multiple accounts and passwords, will show compound growth of 33 per cent over the next four years fuelled by spending on identity management products, according to IDC. ejnorlin at 04:24 PM MST
January 27, 2003
Palladium Gets Name Change #
Late Friday, Microsoft announced they are officially dropping the use of the code name Palladium for their trusted computing project. The new name will be "Next-generation secure computing base." The various component names have also changed since last Summer's public introduction of this project - some more than once. The current, apparently stable, names and their previous AKAs are:
Next generation secure computing base - AKA Palladium project
Nexus - AKA Trusted Operating Root - AKA TOR - AKA nib
Nexus Computing Agent (NCA) - AKA Trusted Agent
Secure Computing Component (SCC) - AKA SCP, AKA Crypto Hardware
Palladium has suffered from a large amount of confusion and mis-information based on guesses. I am putting together a Palladium project (now Next-generation Secure Computing Base) update article for the web site which should be posted either late tonight or tomorrow. In it, I will re-visit how all this stuff is organized and what it does (as much as we can know from what has been made public) and try to make this as un-confusing as possible. pbecker at 12:05 PM MST
"Safeguarding credit cards in cyberspace" #
International losses from online fraud, which reached $1.64bn over the past 12 months, almost doubled in the past two years, Gartner Group research indicates. Last year, e-sales totalled about $91bn. ejnorlin at 07:19 AM MST
January 24, 2003
Network Management = Taking Control #
This interesting article talks about how enterprises are "taking control of their network" and it will have a major impact on the Internet. "High-speed Net access at the office has long outstripped its reach at home, tempting workers to enjoy the benefits of broadband for personal as well as business pursuits. Now a broad corporate crackdown on office Net use may be looming, driven by cost-cutting efforts and increased scrutiny of workers' online activities." I have long maintained that the first steps into identity will come from the enterprise "cleaning its house" on the infrastructure it built without a lot of thought in the late '90s. This article indicates that there will be many side effects of that activity on the Internet as a whole. "Nearly 87 percent of people accessing the Net from work are using a broadband connection compared with about 28 percent from home." The Internet has never been free, it only seems free because most of us have it paid for by someone else (usually an employer or school.) As those who pay for it start to "take control" of it and tailor it to be what they paid for, much more thought must be given to how it all really works to get the results we want. pbecker at 11:03 AM MST
TIA Enters Death Watch II #
As reported here yesterday the Total Information Awareness (TIA) project was put on hold pending Congressional Review. This is the first step in a slow political dance to kill the project. Fear can be a useful reflex, but fear of the wrong thing just wastes time and energy. If you read Digital ID World, and subscribe to my weekly newsletter (center of home page on our web site), you'll be well equipped to know what to really be concerned about and what not to. pbecker at 10:48 AM MST
Attacking a surgical problem with a sledge hammer #
Cisco to buy network security firm - Tech News - CNET.com ejnorlin at 10:36 AM MST
Cleaning House #
Following a year of decline, market revenue for software that integrates business applications is expected to increase by 8 percent to $3.9 billion this year, analysts the Aberdeen Group said Thursday. I was talking with Phil yesterday -- we were discussing how the first phase of identity adoption (which we're in) would be the enterprise "cleaning house" and re-organizing its IT around the principle of identity.... I think we'll begin to see more and more evidence of that phenomenon as the year goes on -- and stories like this are the beginning of it. ejnorlin at 07:21 AM MST
January 23, 2003
New Group Forms to Fight Copy Protection Laws #
A new Industry Group called the Alliance for Digital Progress (ADP) formed this morning to lobby the government to "vigorously oppose government-designed and mandated anti-copying technologies" in PCs and Consumer Electronics. In a statement today MPAA President Jack Valenti accused the tech coalition of warmongering. "The MPAA is trying to reach a mutually agreeable conclusion whose aim it is to stop the thievery of films so that a legitimate digital marketplace can thrive," Valenti said. "We are not the enemy. We are not at war with the IT community. We are hoping that (future) meetings will produce amiable results. Which is why I am shaking my head in wonderment at this million-dollar campaign to deride us." The alliance is led by Fred McClure of Winstead Sechrest & Minick who has served as Assistant to President George H.W. Bush for Legislative Affairs, Special Assistant to President Ronald Reagan for Legislative Affairs, Associate Deputy U.S. Attorney General and Legislative Director to U.S. Senator John Tower. The ADP has 27 initial members, including Microsoft, Dell Computer, Hewlett-Packard, Cisco, and Apple Computer; and consumer groups Consumer Alert, DigitalConsumer.org, and 60 Plus Association. pbecker at 05:21 PM MST
EU Decides Passport OK on Privacy #
A Reuters article indicates that the EU privacy watchdogs are set to say that Passport meets the EU privacy regulations. "This (Passport) is not a system the controllers see with horror," a source close to the issue told Reuters. The other interesting part of this report is that the EU is looking at adopting a document next week on these privacy issues which could potentially bring predictability to others planning such systems, and avoiding long proceedings in each individual case. pbecker at 04:58 PM MST
EFF Attorney Launches "IP Justice" #
Former EFF Attorney Robin Gross is launching IP Justice, to "promote balance in global intellectual property law" Another episode in the continuing saga of the adjustment of copyright law to technological reality... Q: Why did you found IP Justice? pbecker at 11:00 AM MST
TIA Enters Death Watch #
Another senator signs on to support legislation to limit funding and create a review for the Total Information Awareness project. A vote on the appropriations bill amendment may come as soon as Thursday. This is the beginning of the end for this politically inept project, as I have been predicting. What I still wonder about, is why this was all done so blatantly ineptly on a political level. The "all seeing eye" logo, the "in your face" name, putting Poindexter in charge just in case the press missed the rest of it. This all looks to me like a setup to make sure this project was seen and became a lightning rod for criticism of government data mining etc. Why? pbecker at 10:54 AM MST
Federation and Liability #
Ruling shields AOL on 'hostile code' - Tech News - CNET.com ejnorlin at 09:21 AM MST
TIA news redux #
Republican lawmaker slams database plan - Tech News - CNET.com ejnorlin at 07:51 AM MST
January 22, 2003
More on Identity Theft #
Identity-theft complaints double The number of identity theft complaints rose from about 86,000 in 2001 to about 162,000 last year, the FTC said. Of last year’s incidents, 42 percent involved credit card fraud. Other major categories involved fraudulent bank and cell phone accounts. ejnorlin at 01:18 PM MST
Why the Internet will NOT stay anonymous #
Identity theft complaints high and rising - Tech News - CNET.com "It's clear that the growth of the Internet has changed the kinds of fraud that appear," Beales said at a press conference. "There are kinds of frauds that were virtually dead that the Internet has brought back... ejnorlin at 12:24 PM MST
Court Says Verizon Must Cough Up Name #
The Recording industry won a victory when a court ruled that ISP Verizon must cough up the name of one of their users who downloaded more than 600 songs in a single day. Sarah B. Deutsch, vice president and associate general counsel for Verizon, said the company will appeal the decision. The ruling has "troubling ramifications" for computer users, service providers, and the Internet, she said in a statement. The ruling opens the door for anyone who makes a copyright infringement claim to gain access to private subscriber information, Deutsch added. Verizon lawyers argued that the DMCA's subpoena section doesn't address the Internet service provider, which didn't have the copyrighted songs stored on any of its computers. But this judge disagreed... pbecker at 09:18 AM MST
January 21, 2003
Mydentity #
RSA Security Inc. is developing an online identity management technology that, for the first time, puts the control of personal data in the hands of users. ejnorlin at 06:36 AM MST
Steppin' Up #
Gates preaches 'digital decade' vision The digital infrastructure also will need more reliability and better ways to verify identities than the use of passwords, he said. ejnorlin at 06:28 AM MST
January 20, 2003
SourceID Releases Open Source Liberty Alliance SSO Code #
SourceID today released the first Liberty v 1.1 compliant SSO Java code today. It may be downloaded from their site. The code is Java intended to run in any J2EE-compliant servlet container. Indication is given that a .NET version may be forthcoming. Bryan Field-Elliot, who headed up this effort, stated "This Beta release focuses primarily on the developer's API and mechanisms for integration. The developer's API is functional and documented enough for developers to begin productive development and testing, and for SourceID to receive community feedback towards the next iterative cycle." Jamie Lewis, CEO and Research Chair of Burton Group said, "Developers need tools that ease the implementation and use of standards before they can reach critical mass. By creating the SSO toolkit, SourceID is working to mask the complexity of the Liberty protocol from developers, making it easier for them to leverage the standard in their applications. And by choosing to provide the toolkit as open source software, SourceID is working to make the toolkit available to the largest possible audience of developers." pbecker at 02:17 PM MST
January 17, 2003
Big Brother #
American Civil Liberties Union : Privacy & Technology : General
ejnorlin at 06:49 AM MST
January 16, 2003
Sen. Wyden Moves to Block TIA Funding #
According to this DC.Internet article Sen. Ron Wyden (D.-OR) moved to amend a federal spending bill to remove funding for the Total Information Awareness (TIA) project. I've repeatedly said that this project will go nowhere, but if I were into conspiracy theories, I'd wonder if this one wasn't so obviously set up to fail politically that it might be a cover to draw attention away from something else. Hmmmm.... pbecker at 12:19 PM MST
More Big Brother Scare... #
An article on News.com today re-hashes most of the ways people get scared by identity technology. It is based on an ACLU report, which has a political agenda, but it gives a good overview of how these technologies get seen when they seem to "suddenly appear". pbecker at 12:10 PM MST
January 15, 2003
Liberty Releases 1.1 Specification #
The Liberty Alliance released their Version 1.1. specification today, on time as they had promised. This continues an amazing record of doing exactly what they say they will, exactly when they say they will. pbecker at 12:06 PM MST
Supreme Court OKs Copyright Extension #
The Supreme Court ruled that the 1998 law's 20 year copyright extension is constitutional. This is a clear victory for large media companies and song publishers looking to protect the guild-like status that the nearly permanent copyrights give to them. Apparently the words "for a limited time" in the constitution aren't violated as long as there is some limit, even if it is renewed and extended indefinitely into the future. pbecker at 10:26 AM MST
January 14, 2003
Music & tech Groups Agree on Copyright Plans #
According to a Washington Post article "leading trade associations for the music and technology industries, which have been at loggerheads over consumers downloading songs on the Internet, announced a compromise Tuesday they said will protect copyrights on movies and music without new government involvement." The agreement said that "How companies satisfy consumer expectations is a business decision that should be driven by the dynamics of the marketplace and should not be legislated or regulated." While this is a nice sentiment, the group also indicated they would oppose new legislation such as the Boucher bill that would soften the DMCA language on copying for personal use. As part of the agreement, Microsoft Corp., IBM, Intel Corp. and Dell Computer Corp., pledged support for aggressive enforcement against digital pirates. The groups do indicate they will oppose the re-introduction of the Hollings Bill (which requires hardware protection in all PCs and Consumer Electronics) or any variation on that theme. The goal - to "tone down the divisive rhetoric that has otherwise predominated many copyright and technology debates" - is laudable and necessary to progress in this area, but actions will speak much louder than words as these companies and industry groups try to avoid legislation they don't want. pbecker at 02:46 PM MST
January 13, 2003
RFID Faces Same Infrastructure Problem as Biometrics #
An article today in RFID Journal highlights the fact that RFID faces the same issue as Biometrics. This issue is dealing with the transition from developing sensors that work well and meet the price points required, to designing and implementing an infrastructure that can handle and integrate the information. This infrastructure must be robust, scalable, and have data located and handled properly to make privacy concerns minimal. Identity infrastructure has been a focus of Digital ID World for a reason - all identity technology needs such infrastructure before it can deploy beyond closed, relatively small applications. And the infrastructure needs for all identity technologies turn out to be far more similar than they are different. pbecker at 11:41 AM MST
Firearm Digital Identity? #
A system that identifies guns from gunshot characteristics in real time will be tested in Oklahoma City. Claims are that it will cost $25,000 per square mile to deploy and will "detect exact details of gunshots, including the type of gun used, the number of shots and the precise location from which they were fired." In an area covered by the device, dispatchers will know the type of gun, how many shots were fired, what direction they came from, etc. as they dispatch the police to the scene. So -- do guns have privacy rights? Do guns need to worry about big brother? pbecker at 11:16 AM MST
Let the releases begin... #
Sun releases Liberty-enabled software - Tech News - CNET.com ejnorlin at 07:03 AM MST
January 08, 2003
Privacy Meets Pork and Beans #
According to this News.com article WalMart and Tesco (U.K. Chain) are about to begin a test of special RFID sensing shelves to track products in the store. "The shelves can scan the contents of the shelves and, via computer, alert store employees when supplies are running low or when theft is detected." Procter & Gamble has a similar test lined up soon as well. RFID technology may not sound like you have to pay attention, but it is going to have a big year in 2003, breaking out into the mainstream in many ways. Retail "shrinkage" (a term which means product we lost and don't know why - likely it's been stolen) approaches 6%. This represents a significant cost center, and RFID promises to cut shrinkage dramatically, as well as make inventory management much better. Current RFID tags are about $0.30, but will likely be under $0.10 by year end. This cost lowering will speed adoption rapidly. But when everything is RFID identified, privacy issues rear their head and privacy advocates worry about the ramifications of embedding tiny digital ID chips in all kinds of personal items. Would corporations use the technology to keep consumer belongings under surveillance not only in stores, but also in their homes and on the street? Privacy issues have to be addressed directly and coherently in the next few years, or technology will create side effects no one has thought about until they happen. I keep coming back to the thoughts I expressed in my article proposing the concept of Identity Fair Use. No absolute position on identity property rights (which are what determines privacy) will allow society to function, and the longer we see this as an absolutist black and white issue, the more likely it becomes we make a mess first and have to live with it while we then try to clean it up... pbecker at 03:04 PM MST
OASIS Forms PKI Committee #
OASIS also announced a PKI Technical Committee today, tackling yet another area critical to identity infrastructure. The stated purpose of this TC is "to advance adoption of the Public-Key Infrastructure (PKI) for Web services and other applications." This committee was formed within the OASIS PKI Member section and indicates an awareness that PKI systems in their current form face some serious obstacles despite their critical role in identity infrastructure. Terry Leahy of Wells Fargo, chairman of the new committee, said, "The committee will address issues behind deploying digital certificates to meet business and security requirements, focusing on overcoming technical and integration challenges." That about says it all as to what PKI must deal with... pbecker at 02:47 PM MST
XNS/XRI OASIS Committee Now Official #
As a followup to our Dec 6 story, I see that OASIS has made it official that it has formed a Technical Committee to handle making the XNS protocol an OASIS standard. For reasons reflected in our December article, OASIS will call the standard committee XRI. A couple more companies are on the committee from those we could publish in December, namely Neustar and Datapower. As to what the members of the committee are seeking from this effort, Winston Bumpus, director of standards for Novell, said "Rationalizing the relationship between identity and directory services--whether in the context of users, applications, machines, or data--holds the key to eliminating many of the obstacles, such as adequate security, extensibility and effective management, that are hindering the adoption of Web services." Oh I get it, sort of like "Web Services can't work without identity" huh? pbecker at 11:05 AM MST
January 06, 2003
A useful scare #
George Orwell, here we come - Tech News - CNET.com ejnorlin at 01:19 PM MST
January 03, 2003
via Infoworld #
Worldwide IT spending to grow 4 percent in 2003
ejnorlin at 01:39 PM MST
Identity spreads #
The Nostradamus of Networks? ejnorlin at 01:38 PM MST
via Burton Group #
Burton Group - Featured Columnists -- Treat Identity Management Royally ejnorlin at 12:55 PM MST
January 02, 2003
Copyright Extremists? #
When someone like Phyllis Schlafly writes about copyright extremists in a conservative publication and says: The purpose of copyright law is to provide incentives and protection to authors to create and publish original works, not give corporations the power to control the flow of information. We should not permit copyright extremists to exploit current laws for that goal, and we should reject their demands that Congress give them even broader power to control and license information. You know that the RIAA has finally created a backlash in political circles. This article rehashes much of what has been covered over the past year, but what is new is the anger that is now showing up over the behavior of the RIAA in political circles where you would not normally see it. This is an important development... pbecker at 10:54 AM MST
January 01, 2003
Copyright © 2002 - 2005 Digital ID World, LLC - All Rights Reserved