Friday May 15, 2009

Weave Identity - Synergistic Creativity

A week ago, I blogged about the Mozilla Labs Weave project enabling automatic website login.  A couple of days ago, thanks to Pat Patterson, I read Dan Mills' blog about the effort and watched his video again.  I thought Dan's pragmatic vision about the role the browser could play in simplifying the authentication process was quite perceptive:
"Part of the guiding force here is that we think that regardless of the inner mechanism (a federated identity, a simple username and password, or something else), in the end the action of logging in is essentially the same. Therefore, as the browser we should try to provide a similar experience, regardless of the method being used. As the user’s agent we should also strive to act on the user’s behalf when possible, and we believe this is one of those cases."
The comments to Dan's post were also thought-provoking.  They ranged from
"This is just super-cool and something that \*everyone\* has been waiting for unknowingly. I don’t know why it hasn’t already been done!"
to
"I’m sorry guys, but I have to strongly disagree with your entire approach here."
What excites me about what happened here is more than just another cool experiment and demo.  Rather than just talk about it, some enterprising folks tackled a real-life problem, formulated an interesting idea, made a quick prototype, put it out for everyone to see, and invited discussion around this visible strawman.   The next prototypes will get better and better.  Real progress has been made and will continue. This is a bright example of what I like to call "synergistic creativity."

Way to go, guys!

P.S. I used to think I coined the term "synergistic creativity," but found that Dean Patrick R. Dugan of Ohio State University beat me to the punch.  I still like the concept!


Friday May 08, 2009

Weaving OpenID into the Browser

A few minutes ago, a tweet by @sofiaviolet led me to an interesting blog post by Scott Gilbertson.  Scott discussed an experimental Firefox plugin from the folks at Mozilla Labs that uses the Mozilla Weave service to enable automatic website login using either username/password or OpenID.  A short video by Labs developer Dan Mills shows how easily it works.

I still have several questions about security, but this certainly begins to address the ease of use issues I mentioned in my earlier post about Identity in the Browser (IDIB).


Wednesday Apr 29, 2009

Security Certificates on Cell Phones

A few weeks ago, Henry Story posted an excellent comment to my blog about Identity in the Browser, linking to his blog post Global Identity in the iPhone browser, which described the use of foaf+ssl certificates to authenticate access to a website.

Yesterday, I participated in a somewhat spirited discussion with colleagues about the pros and cons of using certificates in mobile devices to provide better security than common username/password techniques.  Getting away from typing passwords on a cell phone would be very helpful.  The main thing I really like about the method Henry described is the ease in selecting different certificates, which may represent different personas for a user.  Being able to increase security and ease-of-use at the same time is encouraging.

However, I think we need to overcome some other key hurdles to bring this method into the mainstream.  Some issues include:
  • How will certificates be distributed and installed, particularly to people who are not particularly technology savvy?
  • What methods will be used to verify that certificates match a person's real Identity?
  • What will it take to get a critical mass of online sites to adopt this method of authentication?
  • What happens if the phone is lost or stolen?

It will be interesting to see how these and other relevant issues are resolved.


Wednesday Apr 01, 2009

Identity in the Browser (IDIB) - More Complexity than Meets the Eye

A few days ago, I mentioned that Identity in the Browser (IDIB) was emerging as an interesting Identity Management topic.  After following a somewhat spirited internal email thread on the subject, I compiled a list of twenty issues that should be addressed as this topic is explored:
  1. Can a general approach be defined that would work in all the commercial browsers?
  2. Impact on mobile web, not just desktop/laptop web
  3. Ease of use for broad range of Internet users
  4. Security of authentication process
  5. Phishing resistance
  6. Security of browsers as a focal point for Identity
  7. How does this support cloud computing
  8. Use of or interaction with standards or emerging standards (e.g. SAML, OpenID, OAuth)
  9. Hosted vs. client-based Identity selectors
  10. Support for multiple identities or personae
  11. Support for multiple identity providers
  12. Matching what service providers (SP) want with what Identity providers (IP) and attribute providers (AP) can deliver
  13. Accommodating self-registered and organization-registered identities and attributes
  14. Complexity issues with federation (e.g. multiple sessions, timeouts and logouts)
  15. Policy enforcement across multiple organizations and entities
  16. Audit/compliance/governance
  17. Applicability of certificate based authentication
  18. Impact on InfoCard/CardSpace approach
  19. Impact on Higgins approach
  20. Licensing fees for use of specific technologies
I'm sure this list isn't exhaustive, nor is it even prioritized.  It does illustrate, however, that any new approach must cover much ground if it is to be effective.

It will be interesting to monitor progress as these topics are discussed in more detail.



Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.
