
Identity and Authentication

Where is it going?

Various organisations are working on the problem and its solutions. They produce draft specifications and use-case studies, and they try to attract members who are waiting for a solution to emerge.

Main players: OpenID & OAuth

OpenID comes in two flavours: OpenID 2.0 and OpenID Connect. It may be a real plus when linked with WebID, but that is still experimental. The decentralised aspect is nice, but I am not sure people are really concerned about it: depending entirely on Facebook doesn't seem to bother anyone. So OAuth, or even a proprietary Facebook protocol, may seriously reduce OpenID's success.

OpenID is supported by Google, Microsoft (LiveID = OpenID) and the US Government (http://www.idmanagement.gov/).

OAuth 2.0 (IETF) looks like the most successful protocol. It can be used to log in, even though that was not its original goal.

OpenID and OAuth both have good adoption, which is critical for staying relevant in the identity space.

The US "Federal Identity, Credential, and Access Management" (ICAM) programme validated OpenID 2.0 and SAML 2.0 as Trust Frameworks. They provide some good documents.

Experiments: WebID & BrowserID

WebID (W3C)

  • takes some ideas from Microsoft's abandoned InfoCard attempt (which followed the failed Passport attempt)
  • avoids the hierarchical trust model used to authenticate servers
  • could move toward a Web of Trust, but does not even mention it
  • looks like it uses RDF to express trust relationships?

BrowserID (https://browserid.org/) is a Mozilla Labs experiment with a simplified version of the "Verified Email Protocol". It is very simple and web-oriented. It doesn't seem to be very successful so far.

Others?

Usages

Identity in the Cloud (OASIS) is "just" a long and frightening list of use cases. For those who don't see the problem, it is a good read!

JSR 351 is a work in progress "to define API ... that facilitate the use of identity by applications ...". It will bring a standard Java API to well-established standards (OAuth, OpenID ...) and also annotations to avoid lookups.
