January 26, 2015

MythicsODA X5‐2: Just Plain More Everything! [Technorati links]

January 26, 2015 01:29 AM

Every time a major manufacturer announces a new system, we hear the same common messages from marketing. More CPU, more RAM, faster than before, more…

January 25, 2015

IS4UFIM 2010: SSPR with one-way trust [Technorati links]

January 25, 2015 02:05 PM


This article describes and documents an SSPR setup between two AD forests with a one-way trust. FIM is deployed in the internal domain is4u.be. Users from the domain dmz.be are being imported and managed by FIM. There is a one-way incoming trust on the dmz.be domain. All prerequisites from the password reset deployment guide are already satisfied.

DMZ connector configuration

SSPR requires that the DMZ connector service account has local logon rights on the FIM synchronization server. If the service account is from the DMZ domain, a two-way trust is required to allow this setting. Since this is not a valid option in this scenario, a service account from the IS4U domain needs to be delegated the proper rights on the DMZ domain. This includes at least the following:
  1. Replicating directory access
  2. Reset password

WMI verification

The configuration as described was tested and worked, but a week later the same scenario produced the following error:
An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Following up on the error, the event viewer gave the following information:
Password Reset Activity could not find Mv record for user
This is a very clear error message indicating a problem with the WMI permissions. Checking these showed that the permissions were set correctly. Lookups for accounts in the IS4U domain worked, but lookups for accounts in the DMZ domain failed.

Finding the PDC

Going back to the event viewer, we were given another clue:
DsGetDCName failed with 1355
A bit of research taught us that the SetPassword call of SSPR always calls DsGetDCName, because SSPR needs to find and target the PDC (the domain controller holding the PDC emulator role). This call seemed to fail. We tried to get more information by running this specific call via nltest (nltest /dsgetdc:dmz /netbios), but it failed with the following message:
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
However, resolving the FQDN using nltest /dsgetdc:dmz.be /netbios succeeded. And, stranger still, retrying the lookup with the NetBIOS name then worked! Some googling pointed to caching of certain information, which explained why the NetBIOS lookup works after the FQDN lookup, and why the initial configuration worked and then broke a week later.


NetBIOS recognizes domain controllers by the [1C] service record registration, but we could not find the correct WINS configuration, maybe because of the one-way trust.


The solution involved changing the advanced IP configuration settings. By adding the is4u.be and be suffixes, the DsGetDCName call is forced to always resolve the FQDN, searching for dmz.be instead of dmz.
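The following is an added diagnostic for the DsGetDCName failure described above; it is not code from the IS4U article. It automates the two nltest lookups the article ran, adds the nltest /force option so that a cached locator answer cannot hide the failure, and compares the machine's DNS suffix search list (assumed here to be read from the Tcpip\Parameters SearchList registry value) with the suffixes the article added. The domain names and suffixes are the article's placeholders; adjust them for your environment. Only the pure helpers run outside Windows.

```python
"""Diagnostic for the DC locator problem: NetBIOS vs FQDN lookup and suffix list."""
import platform
import subprocess

DOMAIN_NETBIOS = "dmz"                  # short name that failed in the article
DOMAIN_FQDN = "dmz.be"                  # FQDN lookup that succeeded
REQUIRED_SUFFIXES = ["is4u.be", "be"]   # suffixes the article adds to the search list


def classify_nltest_output(returncode, output):
    """Reduce nltest output to ('ok' | 'fail', detail).  Kept free of side
    effects so it can be exercised with constructed output on any platform."""
    if returncode == 0 and "ERROR_" not in output:
        dc_lines = [line.strip() for line in output.splitlines()
                    if line.strip().startswith("DC:")]
        return ("ok", dc_lines[0] if dc_lines else output.strip())
    for line in output.splitlines():
        if "Status =" in line:          # e.g. "Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"
            return ("fail", line.strip())
    return ("fail", output.strip())


def locate_dc(name, force=True):
    """Run the article's lookup: nltest /dsgetdc:<name> /netbios (plus /force)."""
    cmd = ["nltest", f"/dsgetdc:{name}", "/netbios"]
    if force:
        cmd.append("/force")            # ignore the cached DC locator result
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_nltest_output(proc.returncode, proc.stdout + proc.stderr)


def missing_suffixes(current, required=REQUIRED_SUFFIXES):
    """Required suffixes absent from the current search list (case-insensitive)."""
    have = {s.strip().lower() for s in current}
    return [s for s in required if s.lower() not in have]


def read_search_list():
    """DNS suffix search list from the Tcpip\\Parameters SearchList value (Windows only)."""
    import winreg
    path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "SearchList")
        except FileNotFoundError:       # value not set: empty search list
            return []
    return [s for s in value.split(",") if s]


def main():
    if platform.system() != "Windows":
        print("run this on the FIM synchronization server")
        return
    for name in (DOMAIN_NETBIOS, DOMAIN_FQDN):
        status, detail = locate_dc(name)
        print(f"{name:10} {status}: {detail}")
    gap = missing_suffixes(read_search_list())
    print("suffixes to add:", gap or "none")


if __name__ == "__main__":
    main()
```

Run it on the synchronization server before and after changing the suffix list: with /force, the short name should fail consistently until the suffixes are present, whereas without /force a recent FQDN lookup can make the short name appear to work, which is exactly the cache effect the article describes.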


January 24, 2015

Julian BondSo farewell then, Edgar Froese, [Technorati links]

January 24, 2015 07:30 AM
So farewell then, Edgar Froese,

I used to love your analogue synthesiser noodlings with Tangerine Dream and found them strangely hypnotic. But my Mother-in-law complained that the bleepy repetition gave her a headache.

It's Kosmische, Motherf*cker.
 interview with Edgar Froese (RIP) »
RIP Edgar Froese, who I interviewed eight years ago for this piece on the analogue synth epic genre.  THE FINAL FRONTIER: The Analogue Synth Gods of the 1970s Groove, 2007 by Simon Reynolds Ask people about synthesisers in ...

[from: Google+ Posts]
January 23, 2015

GluuGluu Server… So Fast! [Technorati links]

January 23, 2015 08:53 PM


One of the questions we get a lot here at Gluu is “How fast is the Gluu Server?” All of the Gluu Server components are horizontally scalable, so the short answer is… “as fast as you want.” Numbers-oriented left-brain engineers feel uncomfortable with this answer.

There is an inherent trade-off between speed and flexibility. If you want the fastest possible person identification, your authentication API needs to be very fast. And probably the fastest authentication API out there is performing an LDAP search or LDAP bind operation (i.e. check password). However, LDAP does not allow for a lot of flexibility in the business logic. For example, you can require a username / password to match, or even another attribute, for example, status=active. But if you want to call your intrusion detection system, LDAP doesn’t enable you to do this.

Fraud detection, asking for a second out-of-band authentication step, or other steps that make the person identification more reliable may delay an authentication. But preventing a breach can make the performance price worth paying: you're not going to make an API call to an external system without it taking a few milliseconds.

But assuming we're dealing with a low value person authentication, where throughput is the main concern… how does the Gluu Server do in that situation? Below are some considerations that favor the Gluu Server over monolithic access management platforms.

One of the most important performance advantages of oxAuth is its stateless REST design. Even in a two-step authentication, there is no assumption that the person is redirected to the same oxAuth server. This enables an enterprise to elastically grow the oxAuth authentication service to meet its needs at the moment. The previous generation of access management servers was not stateless, and required "sticky sessions" to be configured in the load balancer. This had serious negative implications for scale.

There is another important design consideration: whether oxAuth is keeping server side sessions. In really large deployments, server side sessions are bad. If Google had to keep a server side session for every web browser on the Internet logged into Gmail, they'd need a pretty big farm of servers to do it. For super large deployments, the IDP pushes a lot of the work of session management to the browser. However, in smaller enterprise deployments, server side sessions can be handy. For example, the Gluu Server offers custom logout interception scripts. These allow a Gluu Server admin to write some special code to be performed when a person logs out, like making sure that Siteminder session is closed, or that the portal session is terminated. Eliminating server sessions has a performance advantage because it reduces the amount of disk I/O at authentication time, and Gluu supports this configuration. But if you do want server side sessions, don't fret. We use LDAP to replicate the changes and make them available to all the oxAuth servers in the cluster. And scaling LDAP performance is a pretty well trodden technical problem.

There is a small benefit to the OpenID Connect protocol. As a JSON standard, it is smaller on the wire than XML based protocols. JSON also requires less compute and memory to process.

In large scale deployments, benchmarking is always advisable. If you want to do your own benchmarking, Gluu provides some guidance on how to use JMeter for this purpose. Ultimately, no one has the same servers, the same network, the same data profile, the same security requirements as your organization! You're unique! So remember, seeing is believing. Do your research, and you can get a very good understanding of how to deploy the Gluu Server to achieve any requirement from small to mega-huge!

Performance is really not a competitive differentiator for Gluu. Our performance is about the same as our competitors'. But this makes sense because we are using the same Java encryption libraries, the same protocols, and the same underlying persistence mechanism. For a few reasons, we think it's a little faster, and a little easier to scale. If you're really concerned about performance for a large deployment, please schedule a meeting with us, and we'd love to discuss some of the factors you should consider.

And if any of our competitors say the Gluu Server is slow, ask them if it's hearsay, or if they actually tested it!

January 22, 2015

Mike Jones - MicrosoftJWK Thumbprint -01 draft incorporating feedback from Jim Schaad [Technorati links]

January 22, 2015 10:27 PM

The JSON Web Key (JWK) Thumbprint draft has been updated to incorporate feedback received from Jim Schaad, including defining the JWK Thumbprint computation in a manner that allows different hash functions to be used over time. The specification is available at:

An HTML formatted version is also available at:
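As an added example (not code from this post or from the draft itself), here is a JWK thumbprint computed the way the JWK Thumbprint specification describes it: only the required members of the key type are kept, they are serialised as JSON with lexicographically ordered member names and no whitespace, and that UTF-8 string is hashed. The hash function is a parameter, which is what the -01 change described above allows. The EC and symmetric keys below are constructed placeholder values, not real keys, and thumbprint_matches is an assumed helper for pinning a key by its thumbprint.

```python
"""JWK thumbprint with a selectable hash function, plus a constant-time check."""
import base64
import hashlib
import hmac
import json

# Required members per key type; any other members (kid, use, alg, ...) are ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def canonical_jwk(jwk):
    """Return the exact string that gets hashed for this JWK."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    # sort_keys -> lexicographic member order; separators -> no whitespace at all
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def jwk_thumbprint(jwk, hash_name="sha256"):
    """base64url (no padding) of hash(canonical_jwk); hash_name is any hashlib name."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def thumbprint_matches(jwk, expected, hash_name="sha256"):
    """Constant-time comparison, e.g. when a client pins a key by its thumbprint."""
    return hmac.compare_digest(jwk_thumbprint(jwk, hash_name), expected)


EXAMPLE_EC_JWK = {   # constructed placeholder coordinates, not a real key
    "kty": "EC",
    "crv": "P-256",
    "x": "cOnStRuCtEd-x-coordinate-0123456789abcdef",
    "y": "cOnStRuCtEd-y-coordinate-0123456789abcdef",
    "kid": "2015-01-22",
    "use": "sig",
}

EXAMPLE_OCT_JWK = {   # constructed placeholder, not a real key
    "kty": "oct",
    "k": "cOnStRuCtEd-symmetric-key-bytes",
    "alg": "HS256",
}

if __name__ == "__main__":
    for name in ("sha256", "sha384"):
        print(name, jwk_thumbprint(EXAMPLE_EC_JWK, name))
    print("oct sha256", jwk_thumbprint(EXAMPLE_OCT_JWK))
```

Because optional members such as kid and use are dropped before hashing, the thumbprint identifies the key material itself and stays stable across metadata changes; because the hash name is part of the call, a deployment can move from SHA-256 to a stronger function later without changing the canonicalisation step.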

OpenID.netRegistration is Now Open for the OIDF Workshop on April 6, 2015 [Technorati links]

January 22, 2015 07:37 PM

Registration is now open for the OpenID Foundation Workshop on April 6 (the Monday before IIW) from 12:00 – 5:00 PM at Aol offices in Palo Alto, CA.

This OpenID Foundation Workshop will provide early insight and influence on important new online identity standards like OpenID Connect. We will provide a hands-on tutorial on the OpenID Connect Self Certification Test Suite led by its developer Roland Hedberg. We’ll review progress on the Mobile Profile of OpenID Connect as well as other protocols in the pipeline like HEART, Account Chooser and Native Applications. Leading technologists from Forgerock, Microsoft, Google, Ping Identity and others will update developments with these key protocols, review work group progress and discuss how they help meet enterprise business challenges. Thanks to OpenID Foundation Board Member George Fletcher and teamAol for hosting.

Planned Agenda:

Don Thibeau

Kuppinger ColeAdvisory Note: Software Defined Infrastructures - 71111 [Technorati links]

January 22, 2015 08:57 AM
In KuppingerCole

Enabling development speed and agility also brings heightened risk to the business. Risks can be greatly reduced by applying appropriate controls, and business benefits increased by leveraging SDI. 

January 21, 2015

Kuppinger ColeMinimal disclosure becoming reality [Technorati links]

January 21, 2015 10:35 AM
In Martin Kuppinger

This week, the EU-funded project ABC4Trust, led by Prof. Dr. Kai Rannenberg, Goethe University Frankfurt, announced that they successfully implemented two pilot projects. The target of the project has been what Kim Cameron in his Seven Laws of Identity has defined as law #2, “Minimal disclosure for a constrained use”. It also observes law #1, “User control and consent”.

Using Microsoft's U-Prove technology and IBM's Idemix technology, the project enables pseudonymity of users based on what they call ABC: Attribute-based credentials. Instead of expecting a broad range of information about users, ABC4Trust focuses on the minimum information required for a specific use case, e.g. the information that someone has successfully passed some exams instead of their full name and other personal information, or just the fact that someone is over 18 years of age instead of their full date of birth.

This aligns well with the upcoming UMA standard, which is close to finalization. I will publish a post on UMA soon.

So there are working solutions enabling privacy while still confirming the minimum information necessary for a transaction. The biggest question obviously is: Will they succeed? I see strong potential for UMA, however the use cases in reality might be different from the ones being focused on in the development of UMA. I am somewhat skeptical regarding ABC4Trust, unless regulations mandate such solutions. Too many companies are trying to build their business on collecting personal data. ABC4Trust stands in stark contrast to their business models.

Thus, it will need more than academic showcases to verify the real-world potential of these technologies. However, such use cases exist. The concept of Life Management Platforms and more advanced approaches to Personal Data Stores will massively benefit from such technologies – and from standards such as UMA. Both help leverage new business models that build on enforcing privacy.

Furthermore, ABC4Trust shows that privacy and pseudonymity can be achieved. This might be an important argument for future privacy regulations – that privacy is not just theoretical, but can be achieved in reality.

Julian BondAnother good reason to avoid Nuclear power. It's centralised, needs centralised control and centralised... [Technorati links]

January 21, 2015 08:48 AM
Another good reason to avoid Nuclear power. It's centralised, needs centralised control and centralised military protection.

 Paris Terror Spurs Plan for Military Zones Around Nuclear Plants »
Lawmakers in France want to create military zones around its 58 atomic reactors to boost security after this month’s Paris terror attacks and almost two dozen mystery drone flights over nuclear plants that have baffled authorities.

[from: Google+ Posts]

WAYF NewsNordic federations met at Trondheim [Technorati links]

January 21, 2015 08:43 AM

January 13-14, WAYF met in Trondheim, Norway with her Nordic sister organisations, to discuss operation and development of identity federations. FEIDE, Norway's federation, hosted the meeting, and Sweden was represented by SWAMID.

Kuppinger ColeAdvisory Note: Your Business is Moving to the Cloud - 71156 [Technorati links]

January 21, 2015 08:25 AM
In KuppingerCole

Take a pro-active rather than re-active approach to the adoption of Cloud services. Plan your move to the Cloud taking a strategic view of your requirements, processes and deployment options. Make the Cloud perform for you - not the other way around.

The question posed in the title of this Advisory Note is rhetorical. The move to the Cloud is inevitable and to be embraced, not only for the benefits touted by Cloud Service Providers, but as an opportunity to make significant changes...

January 20, 2015

Kuppinger ColeMastering the Digitalization of Business: Digital Identities and the Cloud [Technorati links]

January 20, 2015 11:00 AM
In KuppingerCole Podcasts

How to make use of cloud services and the digital identities of employees, partners, customers and things to take your business to the next level

It is the combination of identity services, mobility support, and cloud services that allows organizations not only to digitalize their business but also to keep it secure. It is about enabling business agility without ending up with unprecedented risks. Combining business innovation with IT innovation, particularly around identities and the cloud, is the foundation for successfully mastering the digital revolution.

Watch online
January 19, 2015

Kuppinger ColeExecutive View: BalaBit Shell Control Box - 71123 [Technorati links]

January 19, 2015 04:58 PM
In KuppingerCole

BalaBit IT Security was founded in Hungary in 2000. Its first product was an application layer firewall suite called Zorp. Since then, BalaBit has grown into an international holding company headquartered in Luxembourg, with sales offices in several European countries, the United States and Russia, as well as a large partner network. The company enjoys broad recognition in the open-source community, since it...

Julian BondThink Bigger! [Technorati links]

January 19, 2015 12:36 PM
Think Bigger!

in <134> "It seems to me that the Chinese are the ones who still get it about legitimating a government with concerted, focussed efforts of mega-engineering."

To add further substance to that point, here's two recent articles on Chinese megaprojects:

108 Chinese Infrastructure Projects That Are Reshaping The World

In China, Projects to Make Great Wall Feel Small

via http://www.well.com/conf/inkwell.vue/topics/478/Bruce-Sterling-Cory-Doctorow-Jon-page06.html#post150
 108 Giant Chinese Infrastructure Projects That Are Reshaping The World »
They do big things.

[from: Google+ Posts]
January 18, 2015

Drummond Reed - CordanceFounderDating Breaks the First Rule of Trust—I Will Never Use This Site [Technorati links]

January 18, 2015 10:15 PM

True story: two weeks ago I received an email from an entrepreneur I know and respect (who will remain unnamed). It read as follows:

Hi Drummond,

I’ve just joined FounderDating (no, it’s NOT romantic) – a handpicked network of entrepreneurs connecting with advisors and other talented entrepreneurs. Can you do me a quick favor by leaving a quick vouch (aka reference) for me as an advisor? Should take 2 minutes.

(To prove that you’re the real Drummond, you will be asked to use LinkedIn.)

Unlike with some systems, this will help me make much more meaningful connections with potential advisees.

Thank you,
[Name Withheld]

Knowing that this entrepreneur was a very discriminating person who chose his words carefully, I considered this a pretty ringing endorsement of this new site. So I went out of my way to provide a vouch for him.

The site subsequently contacted me with the following email with the subject line, “VIP Invite”:

Hi Drummond:

We noticed your background and wanted to invite you to be a part of a select group of current FounderDating members that are Advisors on FD:Advisors. It’s an expansion of the FounderDating platform that allows entrepreneurs and advisors to meaningfully connect. Others members on FD:Advisors include, Aaron Batalion (CTO/Cofounder, LivingSocial), Josh Handy (Lead Designer, Method Products), Katherine Woo (Chief Product Officer, Kiva) and Sean Byrnes (Cofounder, Flurry), just to name a few.

It’s an opportunity to showcase your expertise, help awesome entrepreneurs and streamline the advisor requests you already get even if you’re not open to others. There is no upfront time commitment. Just click on the button below and fill in your areas of expertise (the ones you want to advise on). We curate the network, but with this invite you are pre-approved.


Hope to see you online,


Cofounder/CEO, FounderDating

Again, given the enthusiasm of the original note I received from the original entrepreneur—and that I am a student of Internet reputation systems given my work on the Respect Trust Framework and Connect.Me—I decided to go ahead and take the plunge. I filled out a few forms, selected a few interest areas, and then did the obligatory selection of a few people who might vouch for me—chosen from a list of my LinkedIn contacts, of course.

FounderDating never asked me to write or customize a message to them. But this morning, one of them forwarded the email he received (again, I’m redacting his name to protect the innocent):

Hi [Name-Withheld],

I’ve just joined FounderDating (no, it’s NOT romantic) – a handpicked network of entrepreneurs connecting with advisors and other talented entrepreneurs. Can you do me a quick favor by leaving a quick vouch (aka reference) for me as an advisor? Should take 2 minutes.


(To prove that you’re the real [Name-Withheld], you will be asked to use LinkedIn.)

Unlike with some systems, this will help me make much more meaningful connections with potential advisees.

Thank you,

Ah-ha. I immediately realized that the email I first received was NOT written by the entrepreneur who I thought composed it, but rather forged on his behalf, just like this one was forged on my behalf.

Poof. There went all the trust I will ever have in FounderDating.com. I strongly urge that you do not patronize this site. I will not respond to any email or any vouch request from them again.

P.S. When I went to the site to delete my account (for which they had never given me a credential), I clicked the sign-in button and got this error message:

Julian BondA review of King Crimson live. In 2015! It makes me pleased that one of the greatest bands of the 20th... [Technorati links]

January 18, 2015 08:55 AM
A review of King Crimson live. In 2015! It makes me pleased that one of the greatest bands of the 20th century is still producing great performances. http://thequietus.com/articles/17026-king-crimson-live-at-the-orpheum-review

And then this in the comments:- For my own part, I think the really interesting part of this equation is the fact that there's clearly a compelling demand from music fans of all stripes for nostalgia as mainstream entertainment. Why do we seem to have developed a morbid inability to just let go of the past? It's like we're participating in the collective recital of a Really Important Dream, lest its details slip away...

"The collective recital of an important dream, lest its details slip away" This. I've recently been listening to FourTet/Floating points 6hr set and then dipping into Caribou's 1000 track playlist. And in both I was struck by their reverence for the late 60s and early 70s mainly in the form of barely remembered soul and funk. Do we have to keep deliberately remembering this to avoid forgetting it? Or is this turning into some tribal memory kept alive by the elders repeating it to each new generation.

btw. Go and listen to "Starless" and "One more red nightmare" again off King Crimson's album Red. And turn it all the way up to 11. Fair makes the hair stand up on the back of the neck. But this is the one that gets me every time. The Letters from the album Islands.
 The Quietus | Reviews | King Crimson »

[from: Google+ Posts]
January 17, 2015

Kevin MarksWe Like IndieWeb Software [Technorati links]

January 17, 2015 11:48 PM

a response to Anil Dash's I Like Blogging Software

Recently on Twitter Anil Dash and I had a bit of a back and forth:

Hi, it's been two years, will somebody go build this set of tools and go make millions of dollars please? http://t.co/jLX0Dp5DxI

— Anil Dash Dot Com (@anildash) January 14, 2015

@anildash all that's been shipped as #indieweb tools, except we use html instead of json because web. Try it.

— Kevin Marks (@kevinmarks) January 14, 2015
(told for tools there is an autocorrect failure)

@kevinmarks I want products, not toolkits. Cobbling stuff together is too time-consuming & this stuff isn't all in one place.

— Anil Dash Dot Com (@anildash) January 14, 2015

@anildash then use @withknown and send feature requests. Build tools, not specs.

— Kevin Marks (@kevinmarks) January 14, 2015
Marco Rogers chided me for being short with Anil:

@kevinmarks @anildash these are feature requests. From a potential customer. Listening is a good strategy. Berating, less so.

— Marco Rogers (@polotek) January 14, 2015
This is a fair point, and so here is a post going into more detail.

The quoted parts are from Anil's blog post - I'll respond inline:

So, my contribution is to collect some of the notes I've been gathering for the last few years about what I'd like to see in a blogging tool. I know there are apps with many, perhaps even all, of these features, but I'd like to see one emerge as a leading platform for doing innovative work.

(emphasis added)

Here Anil is explicitly calling out for a monoculture, rather than a set of interoperable tools and protocols. As Anil mentions, he used to work at Six Apart, which built several blogging tools in that way, each hoping to be the one. Indeed seeing the success of silos, their monolithic nature can be seen as contributing to this; their widespread adoption coming from focusing on innovating and improving user experience rather than interoperability with others.

With indieweb we are trying a different approach by working through our own wishlists, reusing common components, and making sure we interoperate along the way. This gives us a composable set of tools that do plug together - the toolkit Anil both is and isn't asking for.

My blogging features wishlist:

There are lots of indieweb tools that work in this kind of way; but Anil is very focused on the specifics of formats. Markdown is one popular way of writing text for posts; indeed many indieweb tools support it. JSON is handy as an interchange format between programming languages, but as Anil says, having a documented common format is useful. What we realised working on indieweb is that we already have a lingua franca for webpages and blogs, and that is HTML. Ultimately all sites publish in this format, so using that and adjusting it minimally to make interop easier is the approach we took.

Our documented format is Microformats 2, which for blog posts involves h-entry and h-feed as common structure, with additional microformats to label other reusable features. Generating HTML from Markdown is relatively straightforward, if not always deterministic, as that was its design goal. Generating JSON from HTML formatted with microformats 2 is also straightforward and more deterministic.

Storing source files in various cloud services is practical and indeed done by many indieweb tools, but requiring a specific cloud service's file system is less flexible and general than using HTML on the web itself, so that's what we do.

This is a lot of fragility - the default Blogger template switched to a JSON model like this and consequently fails to render a lot of the time. Twitter too used an all-JSON web app for a while, before reverting to HTML+json enhancements. The fragility comes from JSON being much less resilient to encoding or writing errors than HTML - HTML5 specifies how to consistently handle even invalid or poorly marked-up HTML pages, whereas with JSON you will get a parse error and lose the whole page, just like XML. By using HTML instead for your format, the page can be read on every platform by default. Now, behind the scenes JSON can be useful - indeed Known uses a JSON store for its posts database, but exposing this publicly will likely lead to incompatibility over time.

We are beginning to see indieweb reader apps that work by parsing the h-feed and h-entry markup published, and give the remixability that Anil mentions, but they are an augmentation to the basic page, not a required path along the way.

On the indieweb, this is handled by two protocols: Micropub and IndieAuth.

IndieAuth lets you prove that you are the owner of the site by logging in, so you can get editing privileges or other enhanced versions.

Micropub is a simple protocol, based on HTML forms, to let you edit and publish posts and notes. By using these two it is possible to have multiple different tools to create and edit posts, independent of the mechanics of their storage, as they also use HTML for interchange.

For comments we use the same documented HTML format, but add the idea of a webmention. This is a simple protocol that enables you to send a link to your post or comment that responds to (mentions) another post. The webmention receiver can parse this, check it does indeed link to it, and interpret it as a comment, a reply, a repost, a like or an RSVP depending on the microformats markup used.

Exactly! Webmention does this, but with verification and context, which means that it can be used for reposting, but also for threaded comments, per-paragraph annotations and other things we haven't thought of yet.

By using HTML as the source interchange format, styling can be done by CSS directly; also it is relatively easy to process and parse HTML and inject it into a site - see the webmentions on my website that are added by an indieweb service.

The webpage itself is the HTML representation of the content; you get the json version by parsing that, using existing parsers - for example:

A posting app can look for the micropub endpoint in the page and the indieauth endpoint and work with that, as tools like Quill, ownyourgram and Postly do now.
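The two receiving-side steps described above, as an added example that is not code from this post, from Known or from any other indieweb project: verify_webmention checks that a source page really links to the target and classifies the response from its microformats2 markup (the webmention verification described in the comments section), and discover_endpoints finds the micropub, IndieAuth and webmention endpoints a posting app looks for (the endpoint discovery just mentioned). Only the standard library is used; the HTML documents and URLs are constructed for this example. Real receivers also fetch the source over HTTP, honour Link headers during endpoint discovery and normalise URLs before comparing them; those steps are left out here.

```python
"""Webmention verification and endpoint discovery over microformats2 HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# microformats2 property -> response type, checked in this order
RESPONSE_PROPERTIES = (
    ("u-in-reply-to", "reply"),
    ("u-like-of", "like"),
    ("u-repost-of", "repost"),
)
RSVP_VALUES = ("yes", "no", "maybe", "interested")
ENDPOINT_RELS = ("micropub", "authorization_endpoint", "token_endpoint", "webmention")


class MF2LinkParser(HTMLParser):
    """Collect rel endpoints, every link with its classes, and a p-rsvp value."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.rels = {}          # rel name -> absolute href (first one wins)
        self.links = []         # (absolute href, set of class names)
        self.rsvp = None
        self._capture_rsvp = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        if a.get("href"):
            href = urljoin(self.base_url, a["href"])      # resolve relative hrefs
            for rel in (a.get("rel") or "").split():
                self.rels.setdefault(rel, href)
            self.links.append((href, classes))
        if "p-rsvp" in classes:
            if a.get("value"):                             # <data class="p-rsvp" value="yes">
                self.rsvp = a["value"].strip().lower()
            else:                                          # <span class="p-rsvp">yes</span>
                self._capture_rsvp = True

    def handle_data(self, data):
        if self._capture_rsvp and data.strip():
            self.rsvp = data.strip().lower()
            self._capture_rsvp = False


def parse(html, base_url):
    parser = MF2LinkParser(base_url)
    parser.feed(html)
    return parser


def verify_webmention(source_html, source_url, target_url):
    """Describe the mention, or return None if the source does not link to the target."""
    page = parse(source_html, source_url)
    matches = [cls for href, cls in page.links if href == target_url]
    if not matches:
        return None             # reject: the claimed source page does not link here
    classes = set().union(*matches)
    kind = "mention"
    for prop, name in RESPONSE_PROPERTIES:
        if prop in classes:
            kind = name
            break
    if kind == "reply" and page.rsvp in RSVP_VALUES:
        kind = "rsvp"           # an RSVP is a reply to the event post carrying p-rsvp
    return {"source": source_url, "target": target_url, "type": kind,
            "rsvp": page.rsvp if kind == "rsvp" else None}


def discover_endpoints(html, page_url):
    """Endpoints advertised with <link rel=...> (HTTP Link headers not handled here)."""
    page = parse(html, page_url)
    return {rel: page.rels.get(rel) for rel in ENDPOINT_RELS}


# Constructed sample documents and URLs for this example.
SOURCE_URL = "https://alice.example/notes/1"
TARGET_URL = "https://bob.example/events/meetup"
SOURCE_HTML = """<html><head>
<link rel="micropub" href="/micropub">
<link rel="authorization_endpoint" href="https://auth.example/auth">
<link rel="token_endpoint" href="https://auth.example/token">
<link rel="webmention" href="/webmention">
</head><body>
<article class="h-entry">
  <a class="p-author h-card" href="/">Alice</a>
  <p class="e-content">Count me in for
    <a class="u-in-reply-to" href="https://bob.example/events/meetup">the meetup</a>.</p>
  <data class="p-rsvp" value="yes"></data>
</article></body></html>"""
LIKE_HTML = ('<div class="h-entry">Liked <a class="u-like-of" '
             'href="https://bob.example/events/meetup">this</a></div>')

if __name__ == "__main__":
    print(verify_webmention(SOURCE_HTML, SOURCE_URL, TARGET_URL))
    print(verify_webmention(LIKE_HTML, "https://carol.example/likes/7", TARGET_URL))
    print(verify_webmention(SOURCE_HTML, SOURCE_URL, "https://dave.example/"))
    print(discover_endpoints(SOURCE_HTML, SOURCE_URL))
```

The link check is what turns a webmention from an unauthenticated notification into something a receiver can safely display: a source that does not contain the target link is dropped before any content is rendered, and the response type comes from the source's own markup rather than from the notification.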

I think that's it for now. Let me know if somebody's got all these boxes checked on their platform today, but I suspect the hardest part is the client app for readers, which works in a way analogous to an RSS reader or email client, but would have to support a new format and would be optimized for clean reading and subsequent discovery, rather than the three-pane model which has dominated those apps for the last decade or two.

Anil's assumption that the reader app is harder is shrewd, though it has also been less necessary as the browser enables reading of pages in any case. Indieweb readers are being built now with varying UI based on these underlying protocols, so we should have all the pieces soon.

The closest thing to a single platform that supports this is Known, an open source indieweb-friendly blogging tool that can be installed on your own site or hosted by Known for you.

There's even a Pro version of Known if you want to help make Anil's prediction come true.

If these indieweb ideas sound interesting, come along to the next Homebrew Website Club, or join us in IRC.

Originally on my own website
also on IndieNews

January 16, 2015

Mike Jones - MicrosoftThe JWT, JOSE, and OAuth Assertions drafts have all been sent to the RFC Editor [Technorati links]

January 16, 2015 08:53 PM

All of these 9 drafts have now been approved and sent to the RFC Editor:

  1. draft-ietf-jose-json-web-signature
  2. draft-ietf-jose-json-web-encryption
  3. draft-ietf-jose-json-web-key
  4. draft-ietf-jose-json-web-algorithms
  5. draft-ietf-oauth-json-web-token
  6. draft-ietf-jose-cookbook
  7. draft-ietf-oauth-assertions
  8. draft-ietf-oauth-saml2-bearer
  9. draft-ietf-oauth-jwt-bearer

That means that their content is now completely stable and they’ll soon become Internet standards – RFCs. Thanks for all of your contributions in creating, reviewing, and most importantly, using these specifications. Special thanks go to the other spec editors Nat Sakimura, John Bradley, Joe Hildebrand, Brian Campbell, Chuck Mortimore, Matt Miller, and Yaron Goland.

MythicsPractical Oracle WebCenter Content UI [Technorati links]

January 16, 2015 06:33 PM

This article focuses on practical aspects of Oracle's new WebCenter Content User Interface, frequently referred to as Content UI (aka ADF UI and Web…

Mike Jones - MicrosoftFinal pre-RFC JOSE drafts [Technorati links]

January 16, 2015 06:09 PM

New versions of the JSON Web Signature (JWS) and JSON Web Key (JWK) drafts have been submitted that address a few more IESG comments that were identified by our area director Kathleen Moriarty during her final review of the documents. Thanks to Richard Barnes for working on wording to address his comment on security considerations for binding attributes to JWKs. See the Document History sections for descriptions of the edits, none of which resulted in data structure changes.

The plan is for these documents to be forwarded to the RFC editor. The other related documents have already been approved.

The specifications are available at:

HTML formatted versions are available at:

CourionLeadership, and a Commitment to Your Success [Technorati links]

January 16, 2015 05:23 PM

Access Risk Management Blog | Courion

Gartner, a leading information technology research and advisory firm, issued the 2015 Gartner Magic Quadrant for Identity Governance and Administration (IGA) on January 12th.

Courion was recognized as a leader by Gartner for a remarkable 10th time.

Perhaps that recognition has something to do with the fact that the Access Assurance Suite™ performs superbly across a wide range of use case scenarios. Or maybe it has something to do with the fact that organizations that use Courion solutions are highly satisfied and give our support high marks, or that our customers would recommend the Access Assurance Suite to others.

Regardless of the factors that played a role in the analyst alchemy that resulted in Courion being recognized as a leader this year, and a total of 10 times since 2007, we are grateful.

It is external affirmation of our commitment to excellence in provisioning, governance and identity analytics solutions that have made our customers successful. And we can help you be successful, too.


Kuppinger ColeHow CSPs could and should help their EU customers in adopting the Cloud [Technorati links]

January 16, 2015 10:29 AM
In Martin Kuppinger

Many customers, especially in the EU (European Union) and particularly in Germany and some other countries, are reluctant regarding cloud adoption. There are other regions with comparable situations, such as the Middle East or some countries in the APAC region. Public cloud solutions provided by US companies in particular are viewed with skepticism.

While the legal aspect is not simple, as my colleague Karsten Kinast recently has pointed out, it can be solved. Microsoft, for instance, has contracts that take the specifics of EU data protection regulations into account and provide solutions. Microsoft provides information on this publicly on its website, such as here. This at least minimizes the grey area, even while some challenges, such as pending US court decisions, remain.

There are other challenges such as the traceability of where workloads and data are placed. Again, there are potential solutions for that, as my colleague Mike Small recently explained in his blog.

This raises a question: Why do CSPs struggle with the reluctance of many EU (and other) customers in adopting cloud services, instead of addressing the major challenges?

What the CSPs must do:

There is some technical work to do. There is more work to do on the legal side. And yes, that will cost a CSP money. Their lawyers might even say they will give up some advantages. However, if your advantage is based on a potential disruptiveness to the customer’s business or slow adoption of the cloud services by customers, then the disadvantages might by far outweigh the advantages.

Thus, the recommendation to CSPs is simple: Make this a business decision, not a lawyer decision. Unilateral, not to say unfair, agreements are a business inhibitor. That is a lesson some of the company lawyers of US CSPs still need to learn.

Kuppinger ColeAdvisory Note: Redefining Access Governance - 71185 [Technorati links]

January 16, 2015 10:21 AM
In KuppingerCole

Improve your level of compliance, gain up-to-date insight and reduce recertification workload. Add business risk scoring to your Access Governance Architecture, focus attention on high-risk access and extend your existing infrastructure to provide real-time access risk information. Re-think your existing Access Governance processes and understand upcoming IAM challenges and their impact on your infrastructure. 


Kuppinger Cole10.03.2015: Access Management and Federation for the Agile, Connected Enterprise [Technorati links]

January 16, 2015 09:32 AM
In KuppingerCole

Two things are for sure in IT today: The cloud is here to stay. And on-premise IT at least in medium-sized and large organizations will not disappear quickly. IT environments are increasingly becoming hybrid. This requires well thought-out solutions for connecting the on-premise and the Cloud environments. Furthermore, allowing access of mobile users, supporting cloud-based directories for consumers and business partners, or integrating with apps and things imposes new challenges.

OpenID.net2015 Election for the OpenID Foundation Individual Board Representatives [Technorati links]

January 16, 2015 01:00 AM

The OpenID Foundation plays an important role in the evolution of Internet identity technologies. The OpenID Foundation Individual community board member election 2015 is now underway. Those elected will help determine the role OIDF will play in facilitating faster and broader adoption of open identity standards and profiles such as OpenID Connect, Account Chooser, the Mobile Profile for OpenID Connect, Native Applications, and Health Relationship Trust (HEART). Per the bylaws approved by the OpenID Foundation (OIDF) board on May 8, 2013, Individual community Members will elect three (3) board members to represent them.

Currently, we have four Individual community board members whose terms are expiring (2014 was a ‘transition’ year): Nat Sakimura, Mike Jones, John Bradley, and George Fletcher. I want to thank them for their service to the OIDF. They are eligible to seek re-election, if they so choose.

The Individual community board member election is being conducted on the following schedule:

• Nominations opened: Monday, January 5, 2015
• Nominations close: Monday, January 19, 2015
• Election begins: Wednesday, January 21, 2015
• Election ends: Wednesday, February 4, 2015
• Results announced by: Wednesday, February 11, 2015
• New board terms start: Wednesday, February 25, 2015

Times for all dates are Noon, U.S. Pacific Time.

All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates. If you’re not already a member of the OpenID Foundation, we encourage you to join now at https://openid.net/foundation/members/registration.

Voting and nominations are conducted using the OpenID you registered when you joined the Foundation. If you are already a member, you have received an email from director@oidf.org advising you that the election is open and how to participate. Please log in with your OpenID membership credentials at https://openid.net/foundation/members/ to participate in the nomination and voting. If you experience problems participating in the election or joining the foundation, please send an email to help@oidf.org right away.

Board participation requires a substantial ongoing investment of time and energy. It is a volunteer effort that should not be undertaken lightly. Should you be elected, expect to be called upon to serve both on the board and on its committees where the work of the foundation is conducted. If you’re committed to OpenID and advancing open digital identity and are a person who works well with others, we encourage your candidacy. The OIDF’s Executive Committee has suggested a few questions candidates may want to publicly address in their candidate statements:
1. What are the key opportunities you see for the OpenID Foundation in 2015?
2. How will you demonstrate your commitment to the work of the foundation in terms of resources, focus and leadership?
3. What would you like to see accomplished over the next year, and how do you personally plan to make these things happen?
4. What resources can you bring to the foundation to help the foundation attain its goals?
5. What current or past experiences, skills, or interests will inform your contributions and views?

Candidates can address these questions in their election statements on various community mailing lists, especially openid-general@lists.openid.net. Please forward questions, comments and suggestions to me at don@oidf.org.


Don Thibeau

January 15, 2015

Vittorio Bertocci - MicrosoftADAL 2.X Servicing Release Introduces Support for Windows Phone 8.1 Silverlight Apps [Technorati links]

January 15, 2015 08:14 PM

If you head to the NuGet gallery you’ll find that we just released an update to our ADAL .NET package.

This servicing update (we go from v2.13.112191810 to v2.14.201151115) fixes various bugs. The one you’re most likely to have stumbled upon is an issue with Windows Store app publication, which is solved in this release.

This release also introduces a new feature: the ability to use ADAL in Windows Phone 8.1 Silverlight applications. Until now, ADAL only worked with Windows Phone 8.1 Store applications.

SL apps support was a feature you have been very vocal about: for example, see the twitter exchange I had with Ginny back in June.


In the last few months we heard more and more of that feedback, from internal and external customers. Although there are ways of getting tokens from those kinds of apps (the code delta is non-zero but pretty small; it’s more a matter of creating an assembly for it rather than a winmd), we found ourselves spending cycles helping people understand their options, and we realized that it would be more efficient for everybody if we simply bit the bullet and included Windows Phone 8.1 Silverlight apps as a new target platform in our official NuGet. So, that’s exactly what we did, and given that the programming surface did not change, we were able to do this in a servicing release.

Using ADAL in a Windows Phone 8.1 Silverlight app

Using ADAL in a winphone 8.1 SL app is not very different from doing so in a winphone Windows Store one, which is why we are not releasing a new sample for it at this time. If you think you need one please let us know, though!

The main difference lies in the way in which SL apps deal with the continuation model (behind the scenes we use the WebAuthenticationBroker, which is why this only works with 8.1 and we still need to handle continuation).
The application events cycle is slightly different, which influences where you need to inject the continuation handling code.

Here is a quick walkthrough showing how to see ADAL in action in your Windows Phone 8.1 SL app. First, add the package from the Package Manager Console:

Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.14.201151115

using System;
using System.Windows;
using System.Windows.Navigation;
using Microsoft.Phone.Controls;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Windows.ApplicationModel.Activation;

namespace WPSL_App1
{
    public partial class MainPage : PhoneApplicationPage, IWebAuthenticationContinuable
    {
        AuthenticationContext ac = null;
        // Client ID of the app as registered in Azure AD (the value is elided in the original post)
        const string clientId = "<your client id>";

        // Constructor
        public MainPage()
        {
            InitializeComponent();
        }

        protected override async void OnNavigatedTo(NavigationEventArgs e)
        {
            ac = await AuthenticationContext.CreateAsync("https://login.windows.net/common");
        }

        private async void btnCallGraph_Click(object sender, RoutedEventArgs e)
        {
            // Try the cache first; fall back to the WebAuthenticationBroker (and continuation) only if needed
            AuthenticationResult result =
                 await ac.AcquireTokenSilentAsync("https://graph.windows.net", clientId);
            if (result != null && result.Status == AuthenticationStatus.Success)
            {
                ShowGreeting(result);
            }
            else
            {
                ac.AcquireTokenAndContinue("https://graph.windows.net", clientId,
                                           new Uri("http://li"), ShowGreeting);
            }
        }

        public async void ShowGreeting(AuthenticationResult ar)
        {
            MessageBox.Show("hello, Mr/Ms " + ar.UserInfo.FamilyName);
        }

        public async void ContinueWebAuthentication(WebAuthenticationBrokerContinuationEventArgs args)
        {
            await ac.ContinueAcquireTokenAsync(args);
        }
    }
}


Same old, same old. Quick comments:

The slightly different part is in App.xaml.cs. Here there are the relevant parts:

namespace WPSL_App1
{
    interface IWebAuthenticationContinuable
    {
        /// <summary>
        /// This method is invoked when the web authentication broker returns
        /// with the authentication result
        /// </summary>
        /// <param name="args">Activated event args object that contains returned authentication token</param>
        void ContinueWebAuthentication(WebAuthenticationBrokerContinuationEventArgs args);
    }

    public partial class App : Application
    {
        /// ... stuff ...
        private void Application_ContractActivated(object sender, Windows.ApplicationModel.Activation.IActivatedEventArgs e)
        {
            // Only react to activations that come back from the WebAuthenticationBroker
            var webAuthenticationBrokerContinuationEventArgs = e as WebAuthenticationBrokerContinuationEventArgs;
            if (webAuthenticationBrokerContinuationEventArgs != null)
            {
                // Hand the continuation to the page that started the authentication
                var wabPage = RootFrame.Content as IWebAuthenticationContinuable;
                if (wabPage != null)
                {
                    wabPage.ContinueWebAuthentication(webAuthenticationBrokerContinuationEventArgs);
                }
            }
        }
        /// ... more stuff
    }
}


That’s really all you need! Let’s give it a spin: hit F5.


Click on the big button. You’ll see the familiar sign in experience from AAD.


Sign in.


You’ll get the usual consent page. Accept, and…


…voilà! I securely accessed my corporate data from my Windows Phone 8.1 Silverlight app, with just a few lines of code.

Giving Feedback Works!!!

As this new feature demonstrates, we do try to listen and act on your feedback to the best of our abilities. Silverlight support was not in the cards, but your relentless requests helped us to better understand the impact of not supporting it.

I hope this will inspire you to be vocal about our libraries and services, because well… it works!
In fact, if you want to be even more directly involved, I’ll take this opportunity to remind you that ADAL is open source and with it all of our libraries. Feel free to file issues, give us feedback and contribute… we *love* it when you do.

Happy coding!

Kuppinger ColeWhere is my Workload? [Technorati links]

January 15, 2015 02:46 PM
In Mike Small

One of the major challenges that faces organizations using a cloud or hosting service is to know where their data is held and processed. This may be to ensure that they remain in compliance with laws and regulations or simply because they have a mistrust of certain geo-political regions. The location of this data may be defined in the contract with the CSP (Cloud Service Provider) but how can the organization using the service be sure that the contract is being met? This question has led to many organizations being reluctant to use cloud.

Using the cloud is not the only reason for this concern – my colleague Martin Kuppinger has previously blogged on this subject. Once information is outside of the system it is out of control and potentially lost somewhere in an information heaven or hell.

One approach to this problem is to encrypt the data so that if it moves outside of your control it is protected against unauthorized access. This can be straightforward encryption for structured application data, or structured encryption using private and public keys as in some RMS systems for unstructured data like documents. However, as soon as the data is decrypted the risk re-emerges. One approach to this could be to make use of “sticky access policies”.

However, while these approaches may protect against leakage, they don’t let you ensure that your data is being processed in a trusted environment. What is needed is a way to enable you to control where your workload is being run in a secure and trusted way. This control needs to be achieved in a way that doesn’t add extra security concerns: for example, allowing you to control where your data is must not allow an attacker to find your data more easily.

Two years ago NIST published a draft report IR 7904 Trusted Geolocation in the Cloud: Proof of Concept Implementation. The report describes the challenges that this poses and sets out a proposed approach that meets these challenges and which could be implemented as a proof of concept.   The US based cloud service provider Virtustream recently announced that its service now supports this capability. They state “This capability allows our customers to specify what data centre locations that their data can be hosted at and what data centres cannot host their data. This is programmatically managed with our xStream cloud orchestration application.”

The NIST document describes three stages that are needed in the implementation of this approach:

  1. Platform Attestation and Safer Hypervisor Launch. This ensures that the cloud workloads are run on trusted server platforms. To achieve this you need to:
    1. Configure a cloud server platform as being trusted.
    2. Before each hypervisor launch, verify (measure) the trustworthiness of the cloud server platform.
    3. During hypervisor execution, periodically audit the trustworthiness of the cloud server platform.
  2. Trust-Based Homogeneous Secure Migration. This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud.
    1. Deploy workloads only to cloud servers with trusted platforms.
    2. Migrate workloads on trusted platforms to homogeneous cloud servers on trusted platforms; prohibit migration of workloads between trusted and untrusted servers
  3. Trust-Based and Geolocation-Based Homogeneous Secure Migration. This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud, taking into consideration geolocation restrictions.
    1. Have trusted geolocation information for each trusted platform instance
    2. Provide configuration management and policy enforcement mechanisms for trusted platforms that include enforcement of geolocation restrictions.
    3. During hypervisor execution, periodically audit the geolocation of the cloud server platform against geolocation policy restrictions.
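
The three stages above, as an added example that is not NIST's proof-of-concept or Virtustream's xStream code: a small Python policy model in which a host is trusted only if its launch measurement matches a whitelist (stage 1), workloads are placed and migrated only between trusted hosts (stage 2), geolocation tags are additionally enforced (stage 3), and a periodic audit re-checks running placements. Host names, measurements and region tags are constructed.

```python
"""Toy model of the three NIST IR 7904 stages (constructed illustration, not NIST's
proof-of-concept or Virtustream's xStream code). Hosts, launch measurements and
geolocation tags are made up; a real deployment takes them from TPM quotes."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

class PolicyViolation(Exception):
    """Raised when a placement or migration would break trust or geolocation policy."""

# Stage 1, step 1: the operator whitelists known-good launch measurements
# (constructed value standing in for a real hypervisor/BIOS measurement).
TRUSTED_MEASUREMENTS = frozenset({
    hashlib.sha256(b"approved hypervisor build 4.2 + approved BIOS").hexdigest(),
})

@dataclass
class Host:
    name: str
    measurement: str        # what the platform actually measured at launch
    geotag: Optional[str]   # provisioned geolocation tag; None = never provisioned

@dataclass
class Policy:
    allowed_regions: frozenset
    denied_regions: frozenset = frozenset()
    enforce_geolocation: bool = True   # False reproduces stage 2 (trust only)

@dataclass
class Placement:
    workload: str
    host: Host

def check_host(host: Host, policy: Policy) -> Optional[str]:
    """Return why the host is unacceptable under the policy, or None if it is acceptable."""
    if host.measurement not in TRUSTED_MEASUREMENTS:   # stage 1, step 2: verify (measure)
        return f"{host.name}: launch measurement not trusted"
    if policy.enforce_geolocation:                     # stage 3, steps 1-2: trusted geotag
        if host.geotag is None:
            return f"{host.name}: no trusted geolocation tag"
        if host.geotag in policy.denied_regions:
            return f"{host.name}: region {host.geotag} is explicitly denied"
        if host.geotag not in policy.allowed_regions:
            return f"{host.name}: region {host.geotag} is not on the allowed list"
    return None

def place(workload: str, host: Host, policy: Policy) -> Placement:
    """Stage 2, step 1: deploy only to hosts that pass the checks."""
    problem = check_host(host, policy)
    if problem:
        raise PolicyViolation(problem)
    return Placement(workload, host)

def migrate(placement: Placement, target: Host, policy: Policy) -> Placement:
    """Stage 2, step 2: both ends of a migration must be trusted (and in policy for stage 3)."""
    for host in (placement.host, target):
        problem = check_host(host, policy)
        if problem:
            raise PolicyViolation(f"migration of {placement.workload} refused: {problem}")
    return Placement(placement.workload, target)

def audit(placements: List[Placement], policy: Policy) -> List[str]:
    """Stage 1, step 3 and stage 3, step 3: periodically re-check every running placement."""
    findings = []
    for p in placements:
        problem = check_host(p.host, policy)
        if problem:
            findings.append(f"{p.workload} on {problem}")
    return findings

GOOD = next(iter(TRUSTED_MEASUREMENTS))
ROGUE = hashlib.sha256(b"unapproved hypervisor build").hexdigest()
# Constructed host inventory and an "EU only" policy for the walk-through below.
HOSTS = {
    "de-1": Host("de-1", GOOD, "DE"),
    "de-2": Host("de-2", GOOD, "DE"),
    "us-1": Host("us-1", GOOD, "US"),
    "de-rogue": Host("de-rogue", ROGUE, "DE"),
    "untagged": Host("untagged", GOOD, None),
}
EU_ONLY = Policy(allowed_regions=frozenset({"DE", "NL"}), denied_regions=frozenset({"US"}))

def scenario() -> List[str]:
    """Walk one workload through placement, migration and audit; return the event log."""
    log = []
    erp = place("erp-db", HOSTS["de-1"], EU_ONLY)
    log.append(f"placed {erp.workload} on {erp.host.name}")
    erp = migrate(erp, HOSTS["de-2"], EU_ONLY)
    log.append(f"migrated {erp.workload} to {erp.host.name}")
    for target in ("us-1", "de-rogue", "untagged"):
        try:
            migrate(erp, HOSTS[target], EU_ONLY)
        except PolicyViolation as exc:
            log.append(str(exc))
    # A later re-measurement of de-2 no longer matches (say, tampered firmware):
    # the periodic audit flags it even though the placement was valid when made.
    HOSTS["de-2"].measurement = ROGUE
    log.extend(audit([erp], EU_ONLY))
    HOSTS["de-2"].measurement = GOOD   # restore the constructed inventory
    return log
```

Calling scenario() returns the six log lines of the walk-through: one accepted placement, one accepted migration, three refused migrations (denied region, untrusted platform, missing tag) and one audit finding.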

This is an interesting initiative by Virtustream and, since it is implemented through their xStream software which is used by other CSPs, it is to be hoped that this kind of functionality will be more widely offered. When using a cloud service a cloud customer has to trust the CSP. KuppingerCole’s advice is trust but verify.  This approach has the potential to allow verification by the customer.

January 14, 2015

Radovan Semančík - nLight2015 [Technorati links]

January 14, 2015 11:47 AM

In 2010 we were happy when the project compiled.

In 2011 we were happy when most tests passed.

In 2012 we were happy when all tests passed.

In 2013 we were happy when we had a stable deployment.

In 2014 we were happy when our software surpassed most competing products.

... really I wonder what 2015 brings ...

(I'm talking about midPoint, of course)

Julian BondRe-visiting a theme that is much on my mind, this January. [Technorati links]

January 14, 2015 11:45 AM
Re-visiting a theme that is much on my mind, this January.
Here's William Gibson paraphrased:- In the 20th century, everyone spoke with reverence of the 21st, while here, deep into the 21st, the 22nd century never gets a look-in.

Where's the SciFi being produced now that describes short to medium term futures? Like say, 50-100 years hence. Because 2100 is only 85 years away or one (reasonably lucky) lifetime for somebody born today. It seems like there's a gap in the middle. Between 5 minutes in the future SciFi which is really about now and ages quickly getting overtaken by events. And far future space opera, which requires an alternate physics to make it work. The middle ground is about both imagining realistic futures but also creating narratives that help to explain where we're going. I'm convinced we need this to counter the endless dystopianism. How are we going to fix pervasive economic injustice, catastrophic climate change, rampant sexism (manifest by white guys holding forth etc.), media conglomeration, network interference, terrorism, etc.? Just describing all that is not enough. We need people to imagine some solutions. 

Bruce Sterling's call to arms. Write more about the 22nd Century #22C

Neal Stephenson's Call to arms. We need more optimistic SciFi to counter the dystopianism.

Kevin Kelly's Call to arms. A request for 100-word descriptions of a plausible technological future in 100 years that he would like to live in.

Stewart Brand's call to arms. Try and imagine a 10,000 year future for mankind.

Jem Finer's call to arms. A 1000 year long song to listen to while it plays out. Longplayer has now been playing for 15 years 013 days 20 hours 16 minutes and 27 seconds (as I write).

Meanwhile this is just so last century. King Crimson - 21st Century Schizoid Man (BBC Sessions - 1969)
Fripp & Sinfield (& the others) were talking about You, Now.

And here's a shallow look at how 2015 was perceived by historical SciFi
The WELL: Bruce Sterling, Cory Doctorow & Jon Lebkowsky: State Of The World 2015

[from: Google+ Posts]

Mike Jones - MicrosoftJOSE -40 drafts intended for the RFC Editor [Technorati links]

January 14, 2015 01:58 AM

The document shepherd Karen O’Donoghue and I completed a review of all the IESG comments in the IETF data tracker today in preparation for the drafts going to the RFC Editor. This set of drafts addresses all the remaining comments that we thought should be dealt with in the final documents. The only changes were:

Unless additional issues are identified soon, these should be the drafts that go to the RFC Editor.

The specifications are available at:

HTML formatted versions are available at:

January 13, 2015

Kuppinger ColeKuppingerCole Analysts' View on Compliance Risks for Multinationals [Technorati links]

January 13, 2015 10:59 PM
In KuppingerCole

Whether public, private or hybrid clouds, whether SaaS, IaaS or PaaS: all these cloud computing approaches differ in particular with respect to whether the processing sites and parties can be determined, and whether the user has influence on the geographical, qualitative and infrastructural conditions of the services provided.

Therefore, it is difficult to meet all compliance requirements, particularly within the fields of data protection and data security....

Julian BondAssorted music irritations [Technorati links]

January 13, 2015 01:12 PM
Assorted music irritations

Yet another music limit that's getting in the way. Google's Play Music has a 20k song restriction on uploaded music. This has a side effect on Chromebooks, tablets and phones. Since they don't really understand local storage and especially local network storage, you're expected to store everything in the cloud. Except the cloud isn't big enough! Even within the 20k limit, actually managing and dealing with a 20k track library is hard with the UI provided. For instance you can delete/remove tracks and albums but not artists. Meanwhile the upload "Music Manager" program is still fairly brain dead and still doesn't understand .pls or .m3u playlist files.

The next problem is that DLNA compatible media servers and clients are universally horrible. It's the kind of thing that gets built into "Smart" TVs and home NAS. So why does Buffalo's NAS fail to index all the files? VLC locks up when trying to display them. The "smart" TV just gives you a huge long list of tracks instead of any kind of Artist or Album display. MS Windows Media Player fails to actually provide any kind of list when acting as a server and is just as useless at working as a client as all the rest. Just about the only bit of "Smart" in the TV I actually liked was the YouTube app.

Another year has gone by and Winamp still survives but there's been no developments, bugfixes or updates while the new owners try and work out the various licensing issues. It still works pretty well but runs out of steam somewhere around 50k tracks. Several people I know have given up and just use VLC with a sensible directory structure. The remaining problem is searching on track metadata rather than just filenames and directories. For actual desktop programs with library management I've yet to find anything as good as or better than Winamp. 4 synced window panes for Artist, Album, Track, Playlist, just kind of works. And just kind of works better than tree or any of the other approaches like drilling down into a folder structure. VLC may be good for playing media, but it sucks for managing a library. As for iTunes, it's still horrible on Windows. Maybe it's better on OSX but I wonder.

One tip for using Youtube. Open one tab to play your "Watch Later" playlist. Then use other tabs to find and cue up more music. Click the "Watch Later" icon on each and they'll get added to the end of the main playlist. It kind of works. And see above about the Youtube TV App.
[from: Google+ Posts]

Kuppinger Cole05.03.2015: Industrial Control System Security: Getting a Grip on OT Cyber Security [Technorati links]

January 13, 2015 07:53 AM
In KuppingerCole

Are your operational technology (OT) networks hosting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems well secured? For many organizations, the answer is still “no”. Information security generally focuses on Information Technology (IT) networks and systems, not on the OT systems used in manufacturing, utilities and critical industrial infrastructures.

January 12, 2015

Kantara InitiativeUMA Public Review [Technorati links]

January 12, 2015 05:39 PM

Another milestone has been reached by the User Managed Access (UMA) WG to develop specs that let an individual control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate interoperable implementations of the specs. To learn more about UMA in general please see the WG homepage for helpful information.

We announce with pleasure that public review is open for two UMA documents. The UMA Participant IPR review and public comment period will close upon 45 days of initiation – February 20. We invite the public to review the documents and share comments for consideration of the UMA WG.

Options for Comment:

  1. Use the comment form available
  2. Use the pro forma and return to support (at) kantarainitiative.org with the subject COMMENT SUBMISSION
  3. IPR Claims may be sent to support (at) kantarainitiative.org with the subject IPR CLAIM

IPR Note:

UMA-WG Participants are required to review the documents and make any IPR claims regarding them by using the comment pro forma. Non-UMA-WG Participants have no IPR licensing obligation to these documents.

Kuppinger ColeExecutive View: Centrify Identity Service - 71186 [Technorati links]

January 12, 2015 07:35 AM
In KuppingerCole

Centrify is a US based Identity Management software vendor that was founded in 2004. Centrify has achieved recognition for its identity and access management solutions for web and cloud-based applications, as well as management for Mac and mobile devices and their apps. The company is VC funded and has raised significant funding from a number of leading investment companies. The company as of today has more than 5,000 customers. Centrify has...

January 11, 2015

Nat SakimuraOn the night candidate Hiwatashi lost the Saga gubernatorial election, I go right ahead and write about how good Seiya Ueno is. But what really matters is… [Technorati links]

January 11, 2015 08:38 PM

Paris march: Global leaders join ‘unprecedented’ rally in largest demonstration in history of France

[1] Well, I have been consistently dissing him, in a roundabout (?) way…

[2] I meant to record a practice take, review it, fix the bugs and then make the real recording, but I ran out of time for the real recording… So it is full of bugs…

[3] Because I own the sheet music of Ayako Takagi, whom I admire and once happened to sit next to at the counter of an okonomiyaki restaurant.

January 10, 2015

Anil JohnWill 2015 be the Year of Public Sector Digital Service Delivery? [Technorati links]

January 10, 2015 07:00 PM

With the acceleration of the implementation of public service delivery platforms in both the U.S and elsewhere, my mission "... to help technical leaders make digital services secure and trustworthy" continues to remain relevant and is not going to change.

However, based on lessons learned over the last two years I want to try some new ways of delivering that information, so expect some tweaks and changes going forward.

Click here to continue reading. Or, better yet, subscribe via email and get my full posts and other exclusive content delivered to your inbox. It’s fast, free, and more convenient.

The opinions expressed here are my own and do not represent my employer’s view in any way.

January 09, 2015

Julian BondPaul di Filippo short story. [Technorati links]

January 09, 2015 04:59 PM
This post got deleted by the mods in the SciFi community. Hard to tell exactly why. Anyway, it's quite a tasty little short story from one of my favourite authors.

One side effect of the nowt protocols is suppression of Saccadic Masking in the visual processing functions of the brain. This makes them more aware than the rest of us of the 50/60 Hz flicker of LED and energy saving fluorescent light bulbs. In extreme cases the simple act of walking through a new housing development at night can produce petit mal epilepsy unless the nowt is careful to avoid sliding their gaze across the typical fake tudorbethan door lights.

Julian Bond originally shared this post:
Paul di Filippo short story.

Faster Now »
Some decades ago, neuroscientists discovered that the moment of nowness is actually a composite of everything we've experienced in the past fifteen seconds. Naturally, somebody decided to hack this. T…

[from: Google+ Posts]

January 08, 2015

OpenID.netOpen Invitation to Join the First Meeting of the Health Relationship Trust (HEART) Working Group [Technorati links]

January 08, 2015 11:15 PM

A few months ago the OpenID Foundation Board of Directors welcomed Deb Bucci as a colleague and representative of the US Office of the National Coordinator for Health Information Technology (ONC). The Board noted the important coincidence of the growing adoption of the OpenID Connect standard and the commitment of public and private sector organizations to OpenID Connect profiles that can accelerate progress on identity-related health care challenges. That public and private collaboration is reflected in the leadership of a new working group. Eve Maler of ForgeRock, OpenID Foundation member and industry opinion leader, has joined Deb as co-chair of the new working group.

We are inviting interested parties in the public, private and academic sectors to join the first meeting of the Health Relationship Trust (HEART) Working Group (WG) on January 12. The HEART WG is a collaboration of the MIT-KIT Consortium and the OpenID Foundation. The HEART WG will be looking at ways to harmonize and develop a set of privacy and security specifications that will help an individual control the authorization of access to RESTful health-related data sharing APIs and facilitate the development of interoperable implementations of these specifications.

The US ONC’s Office of Standards and Technology is supporting this effort and joins the Foundation in encouraging the active participation of technical and policy subject matter experts from across the Health IT community. The initial work will focus on identifying, scoping and framing relevant use cases rather than delving into the technical details.

You can review the HEART Project Charter for more detailed information about the HEART WG. Additional Information about joining and registering for our mail list can be found here. Anyone can join the mailing list as a read-only recipient and attend the meetings.

Don Thibeau
The OpenID Foundation

Gluu2015 SXSW Interactive Session Recommendations [Technorati links]

January 08, 2015 04:18 PM


Another holiday season has come and passed. And you know what that means… it’s time to start preparing for SXSW 2015!

For those of you with cabin fever, or alternately for the super-organized who are already planning your agenda… roughly every work day until SXSW we will post a new SXSW Interactive session recommendation, with a bias towards privacy, security, IOT and automation.

Check the SXSW website for a constantly updated full list of sessions.

This year’s recommended SXSW Interactive Sessions (dates to come):

  1. NEW TODAY! Fingerprints are Usernames, not Passwords
    What are the implications of biometric sensors in consumer devices, and how might we want to change our thinking and approach to protect privacy and increase security?
    By: Dustin Kirkland, Canonical
  2. Biometrics & Identity: Beyond Wearable
    What are the implications of using personal biometric data as the virtual keys that unlock our very real lives? How should we feel about using such sensitive, personal data as a means of self-identification?
    By: Heather Schlegel, The Purple Tornado; John C. Havens, The H(app)athon Project; Leslie Saxon, USC Center for Body Computing
  3. Identities of Things Group: Paving the Way for IoT
    There’s a ton of promise in “smart everything.” But there’s also much confusion. Join this panel of experts to find out how to get involved in defining an IoT future where PEOPLE matter most!
    By: Christine Perey, Perey Consulting; Eve Maler, ForgeRock; Ingo Friese, Deutsche Telekom; Monique Morrow, Cisco Systems
  4. Prototyping Tools and Techniques for UX Designers
    UX design prototyping has come a long way in recent years. Learn about cutting-edge tools, techniques, and various ways to incorporate interactive design prototyping along with user testing into your overall process.
    By: John Goff, eBay
  5. Calling for a Nation of Makers
    Learn how the country is supporting the maker movement; how maker tools are becoming more accessible to consumers; and the effects of this widespread entrepreneurial spirit on the future.
    By: Mark Hatch, TechShop, and Thomas Kalil, The White House Office of Science and Technology Policy
  6. A Walk Through the Identity Ecosystem in 3D
    Take a 3D tour of the modern digital identity ecosystem and learn how persons, organizations, and devices provide the new foundation for defining and mitigating identity threats. Glasses included.
    By: Suzanne Barber, UT Center for Identity
  7. Screw Privacy, Just give me value for my data
    A discussion on the issue of data literacy and the data value exchange between shoppers and brands.
    By: Lisa Pearson, Bazaarvoice CMO, and Lee Maicon, Senior Vice President of Strategy at 360i
  8. Security of Things: Who will save us?
    IoT Security: how we got here, where we’re heading, why the hacking community plays a pivotal role, and how to protect yourself when the lines between public and private blur.
    By: Nicholas Percoco, Rapid7
  9. OAuth2 – The Swiss-Army Framework
    This session will focus on the myriad ways OAuth2 can be used to protect APIs, and how OpenID Connect is replacing SAML as the developer-friendly way to handle SSO and federated logins.
    By: Brent Shaffer, Adobe
  10. Rapid On-Boarding; Building Password-less Apps
    This session addresses the modern obstacles created by requiring passwords during on-boarding and during later service or app engagement.
    By: Derek Labian & Tom Langridge, MediaFire
  11. Secrets to Powerful APIs
    What’s new in API development from some of today’s most popular APIs including GitHub, SoundCloud, Stripe, and Dropbox. Topics will include designing RESTful APIs, user authentication, APIs for media, developing SDKs, and APIs for mobile.
    By: Leah Culver, Developer Advocate at Dropbox; Greg Brockman, CTO, Stripe; Erik Michaels-Ober, Developer, SoundCloud; Wynn Netherland, Developer at GitHub
  12. Death to passwords – mobile security done right
    What techniques exist to offer a more mobile-friendly person-identification flow? Highlighting authorization and authentication techniques like OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, this talk will be interesting for anyone facing a situation where creating and storing user accounts matters.
    By: Tim Messerschmidt, PayPal

About Gluu:
Gluu publishes free open source Internet security software that universities, government agencies and companies use to enable Web and mobile applications to securely identify a person and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.

Julian Bond: This is why I read Bruce Sterling. He points me at stuff like this. [Technorati links]

January 08, 2015 03:38 PM
This is why I read Bruce Sterling. He points me at stuff like this.

via http://www.well.com/conf/inkwell.vue/topics/478/Bruce-Sterling-Cory-Doctorow-Jon-page03.html

What is certain, though, is that Xiaomi isn’t going to the West anytime soon. Not only would the licensing fees be prohibitive, but the West already has fully furnished houses and powerhouse brands. The opportunity is simply so much greater elsewhere. It’s absolutely the truth that a company can be worth $45 billion - and, in the long run, probably a lot more - without ever targeting the United States or Western Europe.
Xiaomi's Ambition - stratechery by Ben Thompson »
Xiaomi is a hard company to understand if you only think of them as a smartphone maker. In fact, they want to own the entire house of their true fans.

[from: Google+ Posts]

Kuppinger Cole: 12.02.2015: Managing the Password Chaos [Technorati links]

January 08, 2015 03:29 PM
In KuppingerCole

More than 10 years ago, Bill Gates predicted the death of the password. A decade later, reality shows that passwords are still the most common authentication method. Security and costs of passwords are critical factors for enterprises and organizations.

Gluu: No Magic — Introducing the IAM Noble Quadrant [Technorati links]

January 08, 2015 03:15 PM


Have you ever looked at an expensive analyst report that positions vendors in a specific industry as leaders, challengers, etc., and wondered how exactly each company was evaluated?

For instance, how was it determined that one company’s “completeness of vision” is marginally or significantly “better” than another’s?

Maybe a better question though is how relevant are these criteria to a buyer? Completeness of vision sounds good. But isn’t completeness of solution more important? Or openness of solution?

More organizations than ever are using and publishing open source software, and consequently there’s less tolerance for vendor lock-in and expensive fees just for the right to use software. Free open source licensed software enables an effective crowd-sourced development methodology. In many cases–but especially where it comes to implementing Internet standards–free open source components have proven to be the best.

Crowd-sourcing development means:

  1. More eyes on the code
  2. More people contributing code, and
  3. Lower total cost of ownership (TCO)–larger community means more supply of engineers

Expensive enterprise software–even open source enterprise software–typically has very low supply of engineers, slow innovation, and higher cost devops.

Unfortunately the pay-to-play analyst model was built by large software vendors who specialized in locking customers in. They raked in the cash and then broke off a chunk for the analysts to say nice things about them publicly. It was a beautiful business while it lasted. But enough time has passed for open source software to catch up with its proprietary predecessors, and it’s clear that many businesses and developers now prefer to use open source when possible.

So in light of these ideas, here at Gluu we think the two most important factors are features and openness. As an organization that publishes and uses open source software in all of our mission critical environments, we felt that it was time to shed light on how Gluu stacks up against some of the other companies in the enterprise identity and access management market.

Security is a top concern for many organizations. A comprehensive assessment of the market is simply incomplete without evaluating open source solutions too. For these reasons we introduce to you Gluu’s 2015 Identity and Access Management Noble Quadrant:

[Image: Gluu’s 2015 Identity and Access Management Noble Quadrant]

For more information, schedule a meeting to find out how the Gluu Server can help your organization launch a modern authentication and API access management platform based on free open source components.

January 06, 2015

Nat Sakimura: They say the TEPPEN 2015 piano showdown was rigged, but… [Technorati links]

January 06, 2015 11:46 PM

I had no idea, but apparently a Fuji TV entertainment show called TEPPEN 2015 held a piano showdown between celebrities. The people now being talked about online are HKT48’s Madoka Moriyasu, AKB48’s Sakiko Matsui, and the comedian Sayuri. These three were the top three, but the claim is that Madoka Moriyasu was overwhelmingly the best and still placed third, so it must have been rigged.

(Also a celebrity) Nao Matsushita’s “Chopin Ballade No. 3 in A-flat major” [5]

[1] Rocket News24 http://rocketnews24.com/2015/01/06/530471/
[2] Moreover, when you change the balance of volume, the pitch actually changes subtly as well. If you strike hard, the string vibrates properly all the way to its ends and the pitch goes lower; if you play lightly, it goes higher.
[3] An Arab double-reed instrument.
[4] An Arab hammered string instrument. It travelled west along the Silk Road to become the Hungarian cimbalom, the German Hackbrett and the British hammered dulcimer, and east to become the Chinese yangqin.
[5] Well, among the three above plus Nao Matsushita, Nao Matsushita sounds like the best to me.
[6] Listening at the same volume, you may feel that the opening notes are quiet, but that is because the dynamic range is wide: the pianissimo is played very softly and the fortissimo very loudly. A wide dynamic range, nuance in every single note, wonderful phrasing; this is what music should be. Incidentally, I personally selected this performance from among the Horowitz, Kissin and various other performances uploaded to YouTube. I had always listened to Horowitz, but Zimerman is wonderful.

Kuppinger Cole: Impressions from the European Identity & Cloud Conference 2014 [Technorati links]

January 06, 2015 04:27 PM
In KuppingerCole Podcasts

What’s so special about EIC? This is what our attendees say!

See you in Munich in 2015!

Watch online

Nat Sakimura: The Cup Noodle commercial “NY/Samurai-K” apparently really does hit the ball with a wooden sword [Technorati links]

January 06, 2015 03:28 PM

[1] See http://www.cupnoodle.jp/cm/samurai-k/

[2] Worldwide consumption of instant noodles in one year is 95.39 billion servings, WIZBIZ, (2012/3/7)


Julian Bond: It's time for the +Bruce Sterling vs +Jon Lebkowsky vs +Cory Doctorow "State Of The World 2015". [Technorati links]

January 06, 2015 02:50 PM
It's time for the +Bruce Sterling  vs +Jon Lebkowsky  vs +Cory Doctorow  "State Of The World 2015".

It's on The Well so you can't really participate if you're not a Well subscriber except via moderated email. This seems curiously old fashioned in 2015. It may be good for moderation and noise control but feels like a conference with worthies up on the stage talking to themselves while a cast of thousands look on. You can't even heckle! So maybe we should start a reddit or a G+ community or something to have the meta discussion of just how full of bullshit or truthiness they are being.

This year I'm going to try really hard to bite my tongue as Bruce's usually insightful glocal comments about the world get diverted into yet another discussion about the USA. That lasted about as long as it took to get to Jon's opening paragraphs. Oh well. The view from Austin or Silicon Valley is interesting but we get to do that all the time. I was hoping for more of a global perspective. It being "State of the * World *", and all.


Bruce has a phrase he uses often about the near future as seen from 2015: "old people in big cities afraid of the sky." I'm curious about this. I suspect that the global average age of people in cities is nearer 20 than 70. Perhaps it should be "old people afraid of young people in big cities who are afraid of the sky". I'm picturing São Paulo, Shanghai, Mumbai here, not Tokyo, Prague, Chicago.


I think we need to marinate on this next bit for a while as well. It fits right in with thoughts about 2030 no longer being the far future; 2050 being on our doorstep; and as an antidote to Post-Millennial Tension. Seriously, let's look forward to 2100, not back to 1967.

But speaking of the influence of William Gibson, he said something very striking last year; that in the 20th century, everyone spoke with reverence of the 21st, while here, deep into the 21st, the 22nd century never gets a look-in.  Of course he's right, but this problem seems like honest work to me.  A child born in 2015 will be 85 in the Twenty-Second Century: it's within the reach of a normal, average human life span.

So, the 22nd Century: I'm determined to make it our friend.  I've resolved to talk more and more about it.  Let it be the buzzword, let it become the watchword. The 22nd Century, the #22C : whatever the hell it is, it's getting closer every day.


Bonus link: 2014, Hottest Year Evah! http://www.climatecentral.org/news/record-2014-hottest-year-18502
The WELL: Bruce Sterling, Cory Doctorow & Jon Lebkowsky: State Of The World 2015 »
The WELL: Bruce Sterling, Cory Doctorow & Jon Lebkowsky: State Of The World 2015

[from: Google+ Posts]

Kuppinger Cole: Executive View: Axway API Management for Dynamic Authorization Management (DAM) - 71184 [Technorati links]

January 06, 2015 10:16 AM
In KuppingerCole

There are three major trends driving the adoption of Gateway solutions:

Proliferation of inter-connected devices
We are at the beginning of an exponential increase in the number of devices and systems that we wish to connect together for data interchange purposes.

The need for...

January 05, 2015

Drummond Reed - Cordance: The Imitation Game: Alan Turing Unsung No More [Technorati links]

January 05, 2015 10:02 AM

As each year closes, I find myself thinking about the “high water mark film”—the movie that did the most in the past year to raise the bar for filmmaking as a whole. This doesn’t mean it will be the Best Picture winner (although it’s almost always at least a nominee). Rather, it’s an entirely subjective judgement in my own mind of how much a particular film did to push the cinematic envelope.

Last year that film was Gravity. This year, although Interstellar was spectacular in many ways, and will live long in my memory for the power of its message of survival, the high water mark film is The Imitation Game:

And at the center of it all is the sheer brilliance and moral power of Alan Turing. Almost no one alive can fully appreciate the impact he has had on the world we live in today. He’s been one of the great unsung intellectual heroes of modern times—and this, finally, is his song.

January 04, 2015

Drummond Reed - Cordance: The Google Flight Info Trick [Technorati links]

January 04, 2015 11:04 PM

When I first stumbled across this, I thought I was the only one who hadn’t heard about it. Now I find myself telling other travelers about it all the time and am consistently surprised that they don’t know it.

If you want to see the current departure and arrival time, terminal, and gate for any flight, just type the following into the Google search box:

flight info [airline] [flight-number]

where [airline] is the name of the airline and [flight-number] is the number of the flight. Example:


Here’s an example of what you get back:


It works from any browser on any device and for every airline and flight number I’ve ever tried. Good job, Google.

Nat Sakimura: Keisuke Kuwata’s “Soramimi Abbey Road” is being talked about as too good [Technorati links]

January 04, 2015 01:44 PM


From the episode of “Keisuke Kuwata’s Ongaku Tora-san” broadcast on May 4, 2009. The track list (mondegreen parody titles, with the Beatles originals in parentheses):

  1. Komeito BROTHER (Come Together)
  2. Lonely… (Something)
  3. Masuzoe’s data, unnoticed while he was away (Maxwell’s Silver Hammer)
  4. Who’s the parent!? (Oh! Darling)
  5. The vote farm that gets me elected (Octopus’s Garden)
  6. Inside the iPhone (I Want You (She’s So Heavy))
  7. Nail-biting old man (Here Comes The Sun)
  8. Democratic Party (Because)
  9. Oil fields invite a crisis (You Never Give Me Your Money)
  10. International alarm!! (Sun King)
  11. Ignored the public will and raised it…!! (Mean Mr. Mustard)
  12. I’m the referee!? (Polythene Pam)
  13. “Death penalty” or “punish”, both are inhumane!? (She Came In Through The Bathroom Window)
  14. Openly no idea (Bye)!? (Golden Slumbers)
  15. The debt keeps piling up!! (Carry That Weight)
  16. Next fiscal year (The End)

Julian Bond: So did you feel a little light headed and a little lighter on your feet at precisely 9:47 UTC[1] this... [Technorati links]

January 04, 2015 11:42 AM
So did you feel a little light headed and a little lighter on your feet at precisely 9:47 UTC[1] this morning? I know I did.


ps. There is no gravity; It's just that the Earth sucks. In your heart, you know it's flat.

[1] The tweet got it wrong. It's UTC, not PST.
Zero-G Day »

[from: Google+ Posts]

Julian Bond: When are China, Iran, Iraq, Saudi Arabia and the USA going to join the civilised world, stop doing State... [Technorati links]

January 04, 2015 11:28 AM
When are China, Iran, Iraq, Saudi Arabia and the USA going to join the civilised world, stop doing State-sanctioned, judicial executions and consign the death penalty to history? It's 2015 people, grow up!

Chief Executioner Officers: Mapping The Death Penalty World | Zero Hedge »
ISIS, it appears, does not have a monopoly on 'executions'. As Amnesty notes, while there were no executions reported in Europe and Central Asia last year, executions were recorded in 22 countries during 2013, and increased 15% over 2012 (excluding the thousands of people executed in China that go unreported). Common to almost all executing countries was again the justification of the use of death penalty as an alleged deterrent against crime; bu...

[from: Google+ Posts]

Katasoft: Trialfire: Next Gen Web Analytics, Backed By Stormpath [Technorati links]

January 04, 2015 08:00 AM

Trialfire’s new visual editor for marketing analytics allows anyone to “pin” parts of a web page, such as a signup button, and send the event data automatically to multiple marketing/analytics systems: Google Analytics, Mixpanel, Kissmetrics, and more.

“You don’t have to be technical. You just connect your site and place your pins,” explains Max Kremer, Co-founder of Trialfire. Trialfire takes development out of the equation when it comes to setting up detailed click-tracking or analytics. “You can just click through your site and magically track whatever you want.”

[Image: Trialfire Pin Mode]

With a long list of customer requirements, and some high-profile beta customers like the Discovery Channel, Trialfire needed a way to save some coding time, skip the tedious user management programming, and move on to more complex, and disruptive, software design. In this post, we explore their application stack and how they’re using Stormpath for user management and authentication.

The End of Custom Instrumentation

Trialfire was born out of Kremer’s first startup:

“My Co-founder Mike used to always bug me about getting data to measure how engaged users were. We have free trials, are they working or are they not working? How deep are users getting? It was hard to tell because it’s much more complex to get the right analytics out of a web app.”

It wasn’t just a problem for startups. Historically, if any company wanted better insight than just page views, a developer had to insert custom code, instrument each button and link, and connect them back to analytics systems like Google Analytics by hand. When the company was acquired by Autodesk, Kremer saw the same analytics problems amplified as Sales, Marketing, and Product teams worked on strategy. Assumptions had to be backed by real data that was a pain to get.

Weeks Of Development Time Saved

Built on a Java-based backend, with Solr for indexing, Akka for message processing and a very lightweight AngularJS frontend, Trialfire uses Stormpath to handle registration, login and password security and workflows.

“Initially the idea was to not do all of that boilerplate user stuff.”

Trialfire needed a quick, straightforward solution for user account handling. Integrating the Stormpath API for a hosted authentication service and user store saved Max several weeks of development time.

“We needed people to sign up. A user database or table or collection or however you happen to store your users. You need to do all the password stuff. You need to send verification emails. If I can use a service to do all that for me, then perfect. Especially if that service gives me other capabilities that I don’t have.”

[Image: Trialfire Registration]

Trialfire integrated Stormpath’s API for its simplicity, but also its extensibility. Adding Google+ or Facebook authentication is a quick change to the Stormpath Java SDK.

Stormpath’s advanced password security also saves the Trialfire team maintenance work.

“Having to manage security is a drain because it means that we have to write automated tests, perform manual testing and ensure we conform to various security standards. In addition to the above you have to worry about threats to security such as hackers. Offloading these concerns to Stormpath allows us to breathe easy AND frees up resources to work on core product.”

If you’re a startup interested in using Stormpath, you can start your development with a free account and apply for the Stormpath Sprint discount for Startups. And if you’re working in Java, you can check out our Java integrations, docs, tools, SDKs and sample apps.