ian glazer's tuesdaynight

These are my raw notes put here for reference purposes. – Attendees

• Peter A
• Mary R
• Ian G
• Gerry B
• others

What is mean by identity oracle? * An oracle provides an answer to a question but not a specific attribute ** If you ask an Oracle, is Peter over 21 it says yes. It does not hand back an attribute - birthdate Peter: The Federal Govt is authoritative for very few attributes - State Dept - passport #, citizenship. State govt are authoritative for driver’s license number. SSA for SSN. eVerfify is an example of an oracle, says Gerry. Peter - what will drive this is the requirement for LOA3 credentials needed to access to medical records. P - “We do not have an attribute infrastructure.” A lot of attributes are simply issued via IdP’ I - our examples so far have shown organizations that are authoritative for identifiers but not attributes P - raises need for back end attribute exchange Gerry - Problem with authoritative attribute provides is that the PDP makes a decision as to what is truly authoritative for a given context. Authoritative data source must provide SLA or MOU so that relying party can establish trust. P - BAE is 1/2 of the equation and attribute provider (market?) is the other half A - is there a business model for attribute providers? G - have problems seeing attribute exchange at enterprise scale let alone government scale. Quality and availability are just some of the issues. Access decisions are fairly local and these decisions are not things that known often at the higher enterprise layer. Things are made authoritative by policy decision. P - Second model for authoritative - a local decision to assign authoritative-ness to something Nishant - should we get rid of the term authoritative? Peter for sees multiple attribute providers having say over the same attribute for the same person If I use an Oracle, do I have to know its sources? No, says Gerry, as you form an agreement with the Oracle ahead of time as to what happens when something goes wrong P- I am running validation services which services 400 back-end apps. I am standing up a BAE to help. I could build that infrastructure or I could can contract out to an Oracle. The Oracle has to tell me its sources so I can make a decision to use it or not. Gerry comments that you may not want to know the Oracle’s source of data. Returning to the eVerify system - is a person allowed to work? eVerify doesn’t disclose sources of info but DHS takes responsibility for its decisions. Pam asks about redundancy of providers. Redundancy allows same decision to be made via separate paths. Anil feels that there is a business case for multiple providers. Mary raises the point that there are organizations who have a lot of data on people. These are often highly regulated organizations because they are related to financial services. G - uses Health Vault and Google Health as an example of multiple providers of heath information data A - Talked to financial roundtable - these ors not interested in B2C but very interested in B2B situations. Having the govt offering services to help vet people would be of great service. Govt business for providing identity information? There are certainly companies that will aggregate public data for a fee. If a service provider helps get me as a business information I need to hire someone (citizenship for example), would I use it? Would I form a business to do this? N raises BT’s You Are You service as an example of this. Pam - talking about building cloud-services in this area. Definitely interest from small business for federation and using Google as authoritative source. Sees consumer-focused needs later down the road. I asks P about persisting “over 18” information if it is acquitted from Equifax. P says they’d have to issues SORN and protect as PII. I am curious about about Govt as Oracle and the implications with respect to the Privacy Act. Peter wants to facilitate market for Oracles. NIH had MOU with InCommon which included use of attributes and information. This included agreed upon protections for those attributes which was coherent with InCommons users’ requirements. Peter acknowledges this doesn’t scale but he offers as a counterpoint that NIH is doing this federation to federation. He asserts there wont be that many to federate to. I many not want to maintain a BAE with hundreds of connections to attribute providers. Likely outsource the work to an Oracle. “It is easier to affiliate with a hubs than it is affiliate with each provider,” says Peter A. Peter says that NIH sees need to to handle attributes and thus NIH is setting up BAE. He acknowledges that there needs to be policy and practice around this, which Peter is on the hook to build. FICAM roadmap says that if you are standing up an attribute service it must be a BAE if you want funding. G - If I am a BAE affiliate and I want to consume other affiliate’s data, what is the quality I can expect? Anil says that this is currently being discussed amongst architecture groups. G talked about the quality within his organization. There is no strong commitment to the data that internal data collectors collect. At the end of the day if something goes wrong, is it my fault or someone else’s. THis is part of the contractual relationship between data consumer and provider. Hold Harmless clause within MOUs used the by the PKI Bridge. So long as org is acting in accordance with their own policies then they are to be held harmless. G - in certain situations this works, but in others it does not. I might have to run my own infrastructure or shop for another provider who can back up their assertions. Pam asks if this is govt to govt discussion, would a private group come in an provide services for G2G? Anil says yes and that currently this is happening. Because there are so many million of high level of assurance credentials, one would think that someone would want to build an ecommerce infrastructure to consume these creds - says Peter. Peter asserts authentication is a solved problem and next up is authorization, claims, roles, etc. Every application owner want to maintain control over who comes into the app. But this a way that Peter gets people to plug into the federated SSO environment. Are people building services to consider risk-based authorization in transaction, asks Pam. Anil mentions the consideration of environmental attributes for initial authorization. G says this is a hot space now. Anil brings up how PayPal takes a low assurance cred and uses it for financial transactions.

My series of posts related to Facebook and The Washington Post has become very interesting today. Luke provided some insightful feedback on WaPo’s use of an iframe served up to provide a socially-connected experience, and in doing so he raised an interesting point. He said:

The opt-in question is interesting. Since no information is being transferred, it’s not clear that there’s anything to opt into. I think the social plugins work the same as myriad other plugins and ad networks around the internet, with the exception that it’s more obvious to the user what’s happening. If users needed to click a button in order to see personalized stories, then the vast majority wouldn’t get to experience the value that’s created.

I’ve been getting a lot of comments on my post about Facebook and The Washington Post. I wanted to just write a brief follow-up on it. I had Luke Shepard of Facebook present at the Gartner Catalyst conference last week and through a bit of serendipity he found Tuesdaynight and my recent post. He kindly provided this clarification on what was going on:

The Washington Post still has no idea what your Facebook account is – the blue box is an iframe onto facebook.com, and it’s served entirely by Facebook. No information is transferred to the Wapo, and none of the rest of your activity on Wapo is linked back to Facebook, unless you explicitly choose to (by clicking the “Like” plugin, for example).

Sorry to interrupt you attempting to set you Facebook privacy settings, but I have to tell you something. I’ve got me a new blog over at Gartner. You can get all my rambling goodness on identity management related stuff over there. As for the rants about privacy, they are likely going to stay here, but you never can tell.

Also, I am thinking of building a new version of Privacy Mirror to use the graph API. Any one have feature requests?

I was looking at some local news on Washington Post’s website. I happen to notice that there in the right gutter along with miscellaneous ads which my brain filters out of my awareness, was a blue box. In the blue box was a list of things my Facebook friends have “liked” on WaPo recently.

And this took me by surprise.

I opened a different browser and headed to Facebook. First, I checked my Application Settings to see if a Washington Post application had slipped into my profile. I had this happen - Gizmodo and some other sites appeared in my authorized application list without getting my authorization. See this article for more. There was no Washington Post application. Next up, I checked my Privacy Settings to verify once more that I disabled Instant Personalization. And yes, that was still the case.

With a case of the volcano blues, I found myself at the International Association of Privacy Professionals Privacy Summit 2010. As I sat in sessions and caught up with customers at this, the largest gathering of its kind, I noticed an undercurrent to the overall conversation. This undercurrent sounded, in some sense, very similar to conversations I have with my identity management customers regarding maturity and metrics. Privacy has moved beyond the compliance officer and is receiving better representation in business operations. Example of this include an increased presence of privacy practices in

A while back we recorded some of the Burton Group analysts and consultants talking about a wide variety of topics. I thought I’d share them with you. So in lush mono and 2D, here’s me talking about:

• Personal and workplace tools
• Privacy
• New behavioral norms
• Using analogies to convey ideas

I’ve been a bit quiet on Tuesdaynight lately… sorry - it has been a bit crazy around here lately. At any rate, we are 7 days away from Burton Group Catalyst EU! In the 7+ years that I’ve been involved in one way shape or form with Burton Group, I’ve never been to a Catalyst EU - so I am very excited. For those of you joining us, you are in for a treat - John Seely Brown will delivering the keynote for us. Besides Mr. Brown, the IdPS team has got some great content waiting for you:

So you’ve probably seen the news - Gartner is acquiring Burton Group. Looks like we’ll be kept whole in a variety of ways; see this note from Gene Hall. I’ll let you know more as I know. This does bring the number of analyst firms focused on identity, privacy, and relationships down to a very small number. It will be interesting to watch how the market responds. What is with Tuesdays in my life? 9/11 - a Tuesday. IBM buys Access360 on a Tuesday. Gartner buys Burton Group on a Tuesday. In keeping with this odd streak of Tuesdays, I think I’ll be at Toledo Lounge tonight - see you there?

Facebook’s recent changes to its privacy system has been garnering a lot of attention and not a lot of it is good. Both the EFF and Kaliya Hamlin (via ReadWriteWeb) have written up their takes on the matter and, all in all, I think they are decent assessments.

With all the supposed changes in Facebook’s privacy system, I decided to revisit my work with Privacy Mirror (you can catch the backstory: here and then here). Having retested PM with both friends and strangers, here’s what I’ve learned: Plus ça change, plus c’est la même chose.