An Overview of One Person’s IIW Experience

By: Alan Karp

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The opening plenary session had people gather in small groups and individually think of a cross-company, or at least cross-organization, collaboration that succeeded. The first surprise was how hard it was for most people to think of one. Having dredged one up, we were then asked to list five reasons it was successful. The universal answer was shared goals. Another one that came up was an agreed-upon governance model: would final decisions be made by fiat from one person, by majority rule, or something else? We were then asked what we could do in the identity community to make collaborations more likely to succeed.

There was a session on building a taxonomy for the Internet of Things. Was it a human or an automaton that initiated an action? To whom does the data belong? For example, data from the Nike FuelBand is for the wearer, but the data from a bathroom scale is for whoever is standing on it. On the other hand, my furnace might "own" the data from my thermostat.

One session discussed nyms, labels we use for ourselves or apply to others. These need not be pseudonyms. For example, a nickname that is widely understood to refer to a person (Kung Fu Panda for Pablo Sandoval of the SF Giants) is a nym. We discussed how nyms can be used to enhance collaboration. See nymrights.org for more info.

There was a good discussion in the session on OAuth, OpenID and FICAM (Federal Identity, Credential, and Access Management). The goal was to see if the community could come up with profiles that FICAM could accept.

I held a session on Redelegation with OAuth, a topic not covered by the current OAuth spec. The goal is to make it easier for our developers to move the current implementation to a fully OAuth-compliant one in a future release if that becomes an important requirement. Unfortunately, the current spec is silent on redelegation, which is using one access token to get another one for the same resource but with reduced rights. The most likely redelegation spec will involve passing something called authorization grants instead of delegated tokens, but that's not much of a change from what our developers are building into Release 1. In particular, the data flow will conform to the spec, but the data passed will be different. That's a good thing, because it's easier to change the data than it is to change the flow. We would have had to pay consultants $10,000 to get this info. Thanks IIW!

An interesting problem arises from a court requirement that divorcing parents take a court-mandated course. These have been done in person, but they are moving to a web model. The problem is knowing that the person sitting in front of the computer is the one who is supposed to be taking the course.

There is a requirement for something called anonymous authentication. Am I over 21? Am I a paid subscriber to this site? We want to answer those questions without the issuer of the credential knowing who used it at the verifier even if the issuer and verifier collude. A cryptographer described the problem and solution without mathematics and asked for and got a number of interesting use cases.

The session on a Healthcare Architecture discussed how the industry is moving from a heavyweight, SOAP-based design to one based on RESTful standards, such as OAuth and OpenID Connect.

A fun session was titled Email Sucks, which started out listing all the reasons we use and like email. We then separated email's failings into three categories: infrastructure, UI, and how it's used.

One guy described an idea for using identity proofing instead of username/password for identification. It's sort of like your security questions, but it takes into account your geographic location, the machine you're using, past patterns of access, etc.

Personal Clouds are a hot topic at IIW, and there was a session on Risks, Threats, and Countermeasures when personal clouds get networked to each other. We filled in a table and added some additional columns.

A company called SquareTag has created the concept of a PICO (persistent compute object), something that has a persistent presence in the cloud. The idea was demonstrated last year in a session titled "Whiteboards are People, Too," which showed how to give an inanimate object a presence in the cloud. This year's session showed how to develop apps for PICOs.

One guy has been working on something he calls the Collaborative Internet as a way to accelerate progress. The problem is knowing who to listen to. That was a topic for another day. The purpose of the session was to come up with a simple tag line that he could use as a rallying cry. We came up with trust.worthy.net and "Bringing the trust of the village to the Internet."

The final session I attended was on User Managed Access (UMA), a framework that lets people interact with a service to manage access to their resources. The UMAnitarians (yes, that's what they call themselves) showed a video of a nice demo.