Tuesday, July 7, 2009

OAuth Access delegation Protocol

I have created a presentation on the OAuth access delegation protocol which I would like to share with viewers. As I cannot upload a presentation to my blog, I have uploaded it to SlideShare. Here is the link: OAuth Presentation


Saturday, September 13, 2008

Identity 2.0

Traditionally, identity has been limited to one source and one verification agent of the same source. Identity information stored at one web portal or site cannot be shared with another portal or site. Overcoming these limitations, Identity 2.0 resembles real-life identity systems, where a user has one driving license or passport which s/he can use as proof of identity as and when required. The term Identity 2.0 stems from the term Web 2.0 (the World Wide Web transition).

Identity 2.0, also called digital identity, is a revolution in identity verification over the Internet using technologies like Information Cards and OpenID. Every entity (user) can have different Information Cards, just as we have a driving license, passport, SSN, etc. in real life. The user can choose to present one of the available cards as proof of identity during verification.

Now, when a user registers with a new site, the user can present one of the Information Cards and need not give any other information. The site can communicate with the identity provider to validate the user's identity and get other information associated with the user from the identity provider. This helps the user, who does not need to remember many user profiles; at the same time, it helps the site reduce the cost associated with user management.

Having said this, the transition from Identity 1.0 (traditional identity) to Identity 2.0 is not as easy as it looks. There are many technologies which could be used for communication between the verification agent and the identity provider, like federation (SAML 1.1, SAML 2.0, Liberty) and web services, but there are no standards around this. At the same time, trust in the identity provider remains one of the major issues to be addressed. Uninterrupted availability of the identity provider is also a matter of concern. If a user's identity is compromised, the impact is much greater than it could have been with Identity 1.0, because the identity is shared across multiple sites.

What I would love to see happening with Identity 2.0 is that the user owns his identity data. The user has some sort of device, or maybe a web page, exposing the user's identity information in a standard format. All the sites that I authorize can fetch that information. With this, I become the owner of my identity information. It brings its own challenges of securing the data and making sure that only authorized sites can access the user's information.

The following technologies will make a difference to Identity 2.0:
Web 2.0
Information Cards
Higgins trust framework

Of all the technologies listed above, I think the Higgins framework will make the most difference, as there are many giants involved in its development, which will help bring in standards around it.


Saturday, May 3, 2008

Is SSL secure communication

Is SSL secure communication? Many people in the IT industry will reply Yes without any hesitation. So would I.

Today I came across one of the papers published by Chao-Yang Lu at China's University of Science and Technology. Using Shor's algorithm (a non-linear method of factoring composite numbers) and quantum computers, they could actually crack SSL communication.

So the time has come for the industry to think of a new, more secure encryption algorithm.
I have started brainstorming with myself in search of a more secure encryption algorithm. Have you?


Sunday, March 9, 2008

Identity Management in cyberspace

I came across a very nice article on Identity Management in cyberspace. Here is the link.


Monday, February 25, 2008

Why and Who of Identity Management

The one domain which is growing its business because of compliance and increased awareness of data security is identity. The word sounds quite technical and new, but if you actually look at it, we have been doing identity management for quite a long time. Look at election cards and ration cards in India, and the SSN in the US: all of this essentially falls under identity management. It's just that there are now systems in place to manage identity for you.

You may hear different definitions of identity, but the core idea is to associate information about an entity with one unique identifier and to represent the whole bunch of information as one unit, which is called an identity. Once you have the information or data, along comes information management, which in this case is identity management.

Identity management starts with the provisioning of an identity. It also involves managing all the information of an identity, automating all the processes associated with an identity, making sure that the identity has access to all the data it is authorized for, and making sure that identity information is secured and not misused.

With all the systems in place to manage identity, identity theft has become a major issue. This is not only a risk to an individual's identity as data; it also puts the individual's privacy, reputation and assets at risk. And that was the driving force behind the Data Protection Act.

Traditionally, Sun and IBM have dominated this market for a long time, and Oracle is now joining the race with its acquisitions of the last few years. There are also a few players jumping into the domain, making the IdM market competitive. Read the Gartner Magic Quadrant for User Provisioning and the Gartner Magic Quadrant for Web Access Management for more information about all the players in the IdM domain.