Identity Blogger

There is always my way out…

jbohren — Fri, 27 Jan 2012 13:31:29 +0000

Google’s new privacy policy is generating a lot of discussion. The controversial part is that Google is going to cross reference the data it collects on different services for the purpose of tweaking the ads and search results you see.

The creeps a lot of people out. What creeps them out even more is that you can’t opt out.

Of course there is always my way out… (cue lightning flash and creepy James Earl Jone laugh).

Seriously though, don’t use Google services exclusively. Use Bing instead of Google for searching. Use Yahoo instead of GMail. Buy an iPhone, or if you want an Android phone, create a new email account just for phone use. Use Facebook instead of Google+.

If you give one company all your data what do you think they are going to do with it?

You ultimately have control over this in your choice of providers. You can opt out by switching.

Internet Protest Day

jbohren — Wed, 18 Jan 2012 13:55:09 +0000

You may notice a lot of sites today have “blacked out” or are otherwise protesting the PIPA and SOPA acts being considered in the US Senate and House of Representatives.

If you are not familiar with the acts you really need to be. Please take time to visit the EFF pages on SOPA and PIPA here and in more detail here.

The job you save could be your own.

Thoughts on SCIM

jbohren — Fri, 13 Jan 2012 02:50:08 +0000

Now that SCIM 1.0 is final and SCIM 2.0 is starting I wanted to share my thoughts. First here is what I like about SCIM:

SCIM defined a standard schema in 1.0. I wish SPML had done the same. Not doing so was one of the biggest mistakes we made.
SCIM supports filtered and paged searches. That’s a must have in my book.
SCIM supports multi-value attributes with the proper modification semantics. You be surprised how many Identity APIs I have seen that don’t get the modification semantics right.
SCIM only did what it needed to do, nothing more.

So what don’t I like about SCIM? I don’t really care about the REST vs SOAP aspect. It’s not going to be widely used unless it’s wrapped in an API or toolset. So that’s a moot point. So I can’t really think of anything I don’t like.

But will SCIM be accepted where SPML was not? I don’t know, but I think there is a decent chance. I think announcing the IETF SCIM 2.0 effort so soon may be mistake as it may convince people to just ignore it until 2.0 comes out.

But ultimately the proof of standards is in adoption. For it to succeed it has to be both adopted by the cloud providers as a service and by IT as a client. Each of them wants the other to go first.

My biggest question is will the backers of SCIM implement it in their main product lines. Will SalesForce.com stand up a SCIM provisioning service? Will PingIdentity then add SCIM support to their SalesForce.com offering? We shall see.

Jackson Shaw has some great points to make about it here, but I didn’t really get the parrot reference. He points to this article about SCIM which also makes some great points.

Open Source IdM platforms

jbohren — Wed, 11 Jan 2012 03:03:23 +0000

Radovan Semančík has put together an interesting list of open source IdM platforms. There are not as many as I would have expected.

Security via obscurity failed… in 1903

jbohren — Mon, 09 Jan 2012 17:03:06 +0000

This is a wonderful story about the hacking of Marconi’s wireless system in 1903. Marconi touted the security of his system based on a tight (and presumably not publicly disclosed) frequency bandwidth. Of course it was hacked in a public and humiliating fashion.

Security via obscurity, as effective in 1903 as it is today.

Hat tip to Bruce Schneier.

2011 in review

jbohren — Sun, 01 Jan 2012 01:30:46 +0000

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 7,600 times in 2011. If it were a NYC subway train, it would take about 6 trips to carry that many people.

Click here to see the complete report.

Specs, Patterns, and Provisioning

jbohren — Sun, 01 Jan 2012 01:13:37 +0000

One of the most puzzling complaints I have heard about SPML is the search filter. The complaint is that it requires the service to support search filters of arbitrary complexity. I have never considered it that hard and have posted sample code to demonstrate it.

Still, perception has a reality of its own and search filters are often given as a reason not to support SPML.

So now that SCIM has finalized the 1.0 version, the filter-phobes can breathe easy, right? Not so much it seems. Like SPML, SCIM has a search filter mechanism that supports filters of arbitrary complexity. Which is a good thing for without that capability a provisioning service would be severely limited.

But really this should not be a reason to avoid either SPML or SCIM. This class of problem comes up regularly and provisioning service developers should learn how to handle it (if don’t already). One could argure that it would even be considered a pattern.

Actually it is: the Specification Pattern.

BYOD, but not on takeoff

jbohren — Tue, 27 Dec 2011 00:41:37 +0000

One of the more frustrating thing about flying is being asked to turn off your devices on takeoff and landing. You probably already suspect that your Kindle was not going to make the plane crater into the ground, but reading this will make you even more convinced that the whole thing is quite absurd.

Off course now we hear that pilots and navigators will start using iPads in the cockpit. iPad in the cockpit, perfectly safe. Kindle on seat 26f, safety hazard.

To paraphase Bruce Schneier, it’s Safety Theater, nothing more.

A tale of two standards

jbohren — Thu, 17 Nov 2011 02:55:19 +0000

The new RESTful provisioning standard, SCIM, is being discussed a lot recently in comparison to SPML. Dave Kearns has some interesting thoughts here.

While Dave makes some good points I think he is entirely missing the reason the SPML was never accepted. SPML never gained traction because enterprises and application vendors never adopted it. It didn’t matter whether the provisioning vendors supported it or not, and it won’t matter if provisioning vendors adopt SCIM or ignore it.

Enterprises and service providers drive adoption. The ISVs will meet their needs. If SPML or SCIM is demanded, it will be provided. That demand never materialized for SPML, partly because the provisioning vendors already had non-standard solutions for the problems SPML was intended to solve.

Will this demand materialize for SCIM? Time will tell the tale of these two standards.

The new chapter in which I return to identity management.

jbohren — Mon, 31 Oct 2011 02:51:25 +0000

The latest chapter of my career finds me back in the identity management business. I have joined OptimalIdM, a company founded by some great folks I worked with at OpenNetwork.

OptimalIdM’s main focus is their virtual directory product, VIS, but we also have federation products and other IdM plays.