Well, I'm sitting next to Doc, one row back of Denise, and that looks like the back of Esther Dyson's head in front of me. I saw Eric and Andre on the way in. I'm here, all right.
[Coffee Break]
After the break, I'm drifting down to Phil Windley's DigID Primer. He's talking about certification (keys, scalability, and so on). He notes that some certificate providers will issue a certificate attesting to whatever you tell them, which is thus not worth much; on the other hand, some require actual physical verification (and are thus more durable). One catch with certificates arises when they expire (annually?), which requires ongoing attention in large enterprises. Another hitch involves revocability, which many enterprises don't want to bother implementing (it's trouble and cost that they figure they don't really need to attend to).
Next, he's turning to XML-based standards (good). First, XML Signature and XML Encryption, with examples of each. Then SAML (Security Assertion Markup Language), an XML way of exchanging requests and credentials; he's explaining how it works. (I'll link to his paper when he gives the URL, but he's talking faster than I can type (and IM).) SPML (Service Provisioning Markup Language) — an XML way of allotting privileges from providers who don't already have accounts for given identities (your online grocer arranging a new account at a particular florist, for instance). XACML (eXtensible Access Control Markup Language) — a standard for storing, sharing, representing, and processing access control policies. As Phil says, SAML is about credentials, and XACML is about processing credentials; it's a rule-based language for managing identities and entitlements. It covers a huge variety of variables: personal attributes, kinds of action, circumstances (time, place), authentication mechanism, protocols used, or connectors. You could write a policy in XACML to regulate access and actions for a whole server network. Jon Udell raises the question of the relation of SAML to XACML; Phil points out that there's some overlap, but that SAML is more container-based, while XACML is rule-based and emphasizes intra-network implementation.
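Phil's distinction (SAML carries the credentials, XACML decides what they entitle the holder to do) is easier to see with a toy policy decision point. What follows is an added example, not code from Phil's talk, his paper, or the OASIS specifications. Its policy vocabulary (Policy, Rule and Condition elements with attr, op and value attributes, plus a RuleCombiningAlg) is a deliberately simplified, hypothetical stand-in for real XACML, and the attribute names such as "subject:role" and "env:hour", the pharmacy policy, and the sample requests are all constructed for the illustration.

```python
"""Toy policy decision point (PDP) in the spirit of XACML.

Added example, not code from Phil Windley's talk or the OASIS specs.  The
Policy/Rule/Condition vocabulary and attribute names below are a simplified,
hypothetical stand-in for real XACML, invented for this illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy.  Rule 1 permits pharmacists to read or write
# prescriptions during working hours; Rule 2 denies any write performed under
# a plain-password login, whatever the other rules say.
POLICY_XML = """\
<Policy PolicyId="pharmacy-prescriptions" RuleCombiningAlg="deny-overrides">
  <Rule RuleId="working-hours-access" Effect="Permit">
    <Condition attr="subject:role"   op="equals"  value="pharmacist"/>
    <Condition attr="action"         op="in"      value="read,write"/>
    <Condition attr="resource:type"  op="equals"  value="prescription"/>
    <Condition attr="env:hour"       op="between" value="8,18"/>
  </Rule>
  <Rule RuleId="no-password-writes" Effect="Deny">
    <Condition attr="action"         op="equals"  value="write"/>
    <Condition attr="subject:authn"  op="equals"  value="password"/>
  </Rule>
</Policy>
"""


def _condition_holds(cond, request):
    """Evaluate one Condition against the request's attribute dictionary."""
    attr, op, value = cond.get("attr"), cond.get("op"), cond.get("value")
    actual = request.get(attr)
    if actual is None:
        # A missing attribute never satisfies a condition.  Real XACML would
        # yield Indeterminate here; failing closed is the safe simplification.
        return False
    if op == "equals":
        return str(actual) == value
    if op == "in":
        return str(actual) in [v.strip() for v in value.split(",")]
    if op == "between":
        lo, hi = (int(v) for v in value.split(","))
        return lo <= int(actual) <= hi
    raise ValueError(f"unsupported op {op!r}")


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' for a request.

    A rule fires only when every one of its conditions holds (a rule with no
    conditions matches everything).  The policy's combining algorithm then
    reconciles the effects of all rules that fired.
    """
    # Policies come from the trusted policy administration point; if they ever
    # arrive from untrusted parties, parse with defusedxml instead of stdlib.
    root = ET.fromstring(policy_xml)
    algorithm = root.get("RuleCombiningAlg", "deny-overrides")
    effects = [
        rule.get("Effect")
        for rule in root.findall("Rule")
        if all(_condition_holds(c, request) for c in rule.findall("Condition"))
    ]
    if not effects:
        return "NotApplicable"  # nothing matched: the enforcement point should deny
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unsupported combining algorithm {algorithm!r}")


def decide(request):
    """Evaluate a request against the constructed sample policy."""
    return evaluate(POLICY_XML, request)


if __name__ == "__main__":
    # Constructed requests: the attributes a SAML assertion plus the
    # resource/action context would hand to the PDP.
    base = {"subject:role": "pharmacist", "resource:type": "prescription",
            "subject:authn": "password", "env:hour": 10}
    for label, overrides in [
        ("read, password login, 10:00", {"action": "read"}),
        ("write, password login, 10:00", {"action": "write"}),
        ("write, smartcard login, 10:00", {"action": "write", "subject:authn": "smartcard"}),
        ("read, password login, 22:00", {"action": "read", "env:hour": 22}),
        ("read by a nurse, 10:00", {"action": "read", "subject:role": "nurse"}),
    ]:
        print(f"{label:32s} -> {decide({**base, **overrides})}")
```

The point to notice is the combining algorithm: with deny-overrides, the password-login write is refused even though the working-hours rule would have permitted it, which is exactly the kind of authentication-mechanism variable Phil lists. A request that no rule covers comes back NotApplicable rather than Permit, and the enforcement point in front of the resource must treat that as a refusal.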
Now, he's modulating to federation, interoperating identity systems (single sign-on): Liberty Alliance, Microsoft Passport, SourceID, PingID, and so on. Liberty is trying to implement kinda open-ended participatory standards where a user can choose the provider. Passport is an aspect of .NET, proprietary, and limited to Microsoft's system. SourceID is an open-source implementation of the Liberty specs. PingID functions as a broker for federated identity, in a way similar to the way that Visa and MasterCharge broker credit identity.
His analysis of the key steps for creating a DigID strategy would include adopting an enterprise architecture, an interoperability framework, an authentication and assertion policy consistent with your EA and IF, enterprise directory services and so on, and a privacy policy. Phil wants us to switch from a defensive posture to regarding DigID as an infrastructural enabler for process and growth.
Posted by AKMA at October 15, 2003 10:54 AM