
21-Aug-2017 12:05
2017-08-21#

Ran Across Today#

15-Aug-2017 07:59
2017-08-15#

Ran Across Today#

09-Aug-2017 08:08
2017-08-09#

Ran Across Today#

07-Aug-2017 11:24
2017-08-07#

Some Thoughts about Authentication and Authorization#

04-Aug-2017 08:31
2017-08-04#

Ran Across Today#

Which brings us to the second reason for this post: the difference between “Architecture” and “Design”. In a nutshell, architecture is a type of design whose focus is quality attributes and wider scope, whereas design focuses on functional requirements and more localized concerns.

Randy Shoup - Techniques for dealing with shared data, joins, and transactions in a microservices architecture#

https://www.infoq.com/presentations/microservices-data-centric

Scratch Notes...

Software combines #

Organizes
  • Small Teams directly defined within a particular function of the business.
  • Teams need other teams.

Processes - Test Driven Development#

  • Testing increases velocity
  • Tests make better code
  • Provides courage to try new things, knowing you can refactor something and find out whether it still works.
  • Tests allow fast failures

We do not have time to do it right? - Do you have time to do it more than once?

  • The tighter the time constraints, the more it pays to build it right (80/20 rule).
  • Better to build one thing right than two things half-right.

Continuous Delivery #

  • Release smaller sprints.
  • Allows rapid experiments

DevOps#

  • You build it, you run it.
  • End-to-end ownership of what you write - Full lifecycle of software.
  • No separate QA team
  • No separate Deployment team

Evolution to microservices#

  • eBay 5th generation
  • Perl
  • C++ 3.4 million lines of code
  • Java - Several different Java Apps
  • Polyglot of microservices.

Twitter similar.#

Amazon #

  • Monolith in Perl and C++ (Obidos)
  • Java Scala

No place started with microservices, and no place at this scale is NOT using microservices.

Microservices may not be the right choice for startups. Monoliths are OK.

Microservices #

  • Scope is single purpose
  • Modular and independent
  • SOA done properly (Bounded Context)

Isolated persistence

  • No sneaking in to look at the other guy's data.
  • The same team that writes the microservice owns the data store, OR use an external data store
  • Still ISOLATED
  • Only external access to data store is via public interface

Event-triggered should be a first-class object#

  • A thing happened - something I cared about
  • Asynchronous Operation - No care if someone is listening.
  • State changes or events must be used.
  • Why - Represents how the world works

Must be within an interface within microservices

  • interface is for any data into or out of a microservice
  • Stitch Fix is still a monolithic database with 175 tables
    • Single point of failure.

Solution is decoupling data - how to do it #

  • Write a service interface to isolate data access for the table.
  • Rinse and repeat
  • Simple discussion but a lot of code changes and joins etc.

Bounded context mentioned many times.

Managing data within microservices.

  • shared data
  • Joins work well in mono-data

One service OWNS the data (Customer)

  • Every other service is a RO non-authoritative service

Approach one just look it up? - Every other service looks it up

If too expensive to do ...Eventing from Customer service

Shared metadata - Much of it does not change often.#

  • colors, US States, Shoe Sizes zip codes ....

Joins in microservices #

  • Approach one - Joins in application
  • make two calls to different services.
  • Works well for one-to-many just as a Web page does.

Approach two

  • Maintain a cache of a join
  • Item feedback example many-to-many
  • Listens to items service and feedback service to make join ....
  • Materializing a view in realtime
  • NoSql does this

Transactions #

Easy in a relational DB (ACID, etc.).

  • SAGA Pattern -
  • Commit - Workflow that updates different data stores.
  • Rollback - reverse workflow
  • Serverless - Functions as a Service is a great way to do this.

Big believer in Lambda, Google Cloud Functions, Azure Functions - triggered by events and producing an event

Stitch Fix is hiring - 50% are remote

Event delivery failure modes: events that do not arrive, exactly-once delivery (like SLP), out of order, more than once.

Events should use at-least-once delivery.

  • More than once / multiple times - make the consumer idempotent
  • Out of order - do you care? The consumer must maintain state.
    • Create Customer / Delete Customer arriving out of order is problematic; use CRDTs (conflict-free replicated data types) or tombstones.

At most once - think of UDP
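To make the at-least-once, duplicate and out-of-order cases in the notes above concrete, here is an added example (not from the talk, and not Stitch Fix code): a read-only, non-authoritative Customer projection kept by a consuming service. It de-duplicates by event id, orders events by a per-customer sequence number that is assumed to be assigned by the owning Customer service, and keeps a tombstone so a late-arriving Create cannot resurrect a deleted customer. The event shape, field names and sample stream are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed event shape (constructed for this example): the owning Customer service
# assigns a monotonically increasing per-customer sequence number to every event.
@dataclass(frozen=True)
class CustomerEvent:
    event_id: str          # globally unique; used to drop re-deliveries
    customer_id: str
    seq: int               # per-customer order assigned by the owning service
    kind: str              # "created", "updated" or "deleted"
    payload: dict = field(default_factory=dict)


class CustomerProjection:
    """Read-only, non-authoritative copy of Customer kept by a consuming service."""

    def __init__(self) -> None:
        self.customers: Dict[str, dict] = {}
        self.last_seq: Dict[str, int] = {}     # highest seq applied per customer
        self.tombstones: Dict[str, int] = {}   # customer_id -> seq of the delete
        self.seen: Set[str] = set()            # event ids already processed

    def apply(self, ev: CustomerEvent) -> str:
        # At-least-once delivery: the broker may redeliver, so the handler is idempotent.
        if ev.event_id in self.seen:
            return "duplicate"
        self.seen.add(ev.event_id)

        # Out-of-order delivery: anything older than what we already hold is ignored.
        # The tombstone records that a delete happened, so a late Create for the same
        # customer cannot bring it back.
        if ev.customer_id in self.tombstones and ev.seq < self.tombstones[ev.customer_id]:
            return "tombstoned"
        if ev.seq <= self.last_seq.get(ev.customer_id, -1):
            return "stale"
        self.last_seq[ev.customer_id] = ev.seq

        if ev.kind == "deleted":
            self.customers.pop(ev.customer_id, None)
            self.tombstones[ev.customer_id] = ev.seq
            return "deleted"
        self.customers[ev.customer_id] = dict(ev.payload)
        return "applied"


def replay(events: List[CustomerEvent]) -> Tuple[List[str], Dict[str, dict]]:
    """Apply a delivered stream and return (per-event outcomes, final customer table)."""
    proj = CustomerProjection()
    outcomes = [proj.apply(ev) for ev in events]
    return outcomes, proj.customers


# Constructed delivery stream: the delete of c1 (seq 2) arrives BEFORE its create
# (seq 1), the create is then redelivered, and c2 is created normally.
SAMPLE_STREAM = [
    CustomerEvent("evt-2", "c1", 2, "deleted"),
    CustomerEvent("evt-1", "c1", 1, "created", {"name": "Ann"}),
    CustomerEvent("evt-1", "c1", 1, "created", {"name": "Ann"}),   # redelivery
    CustomerEvent("evt-3", "c2", 1, "created", {"name": "Bob"}),
]

if __name__ == "__main__":
    outcomes, table = replay(SAMPLE_STREAM)
    print(outcomes)   # ['deleted', 'tombstoned', 'duplicate', 'applied']
    print(table)      # {'c2': {'name': 'Bob'}}
```

Without the `seen` set the redelivered create would be processed twice, and without the tombstone the late create would re-insert a customer the owning service has already deleted; both checks are what "consumer must maintain state" means in practice. The `seen` set and tombstones grow without bound here; a real consumer would expire them after the broker's maximum redelivery window.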

03-Aug-2017 21:01
2017-08-03#

Ran Across Today#

"In 2016, over $80B was spent on cybersecurity, and yet the number of breaches skyrocketed to 4.2 billion incidents last year alone. Minimizing an organization’s attack surface while its network continues to expand requires a paradigm shift in security strategy. Security of the past is no match against today’s evolving threats." -Tom Kemp CEO Centrify

02-Aug-2017 13:51
2017-08-02#

01-Aug-2017 08:43
2017-08-01#

Ran Across Today#

Sovrin Foundation - Phil Windley (@phil), Chair of the Sovrin Foundation Board of Trustees, just posted this announcement that the Sovrin Provisional Network went live at 17:30 GMT today.

31-Jul-2017 07:49
2017-07-31#

Privacy#

People say they want privacy.

More people are using End-to-end Encryption apps than before.

But in real life, I think it is mostly what people say. People are unwilling or unable to do the work to be private.

Unable #

Privacy is hard. Encryption is hard and few people understand how to use it let alone how it works.

Un-Willing#

Because privacy is hard, it takes more time and effort. Just try to send an encrypted email to someone.

Try to get two people to agree to use an Instant Messaging application that offers End-to-end Encryption.

Government Entities and Privacy#

I want privacy to keep my information from people that I do not want to know what I am doing or saying. More than anyone else I want privacy from Government Entities.

30-Jul-2017 14:07
2017-07-30#

Access Control and OAuth 2.0#

An access_token does NOT contain a Resource Owner's claims, but it contains the subject of the delegation of privileges to the OAuth Client (application). "Subject" is a technical term and it means a unique identifier. Put simply, the "subject" is a user ID in your database.

At a Resource Server endpoint, you should:

  1. Extract an access_token from the request (RFC 6750).
  2. Get detailed information about the access_token from the Authorization Server (RFC 7662).
  3. Validate the access_token. The validation includes (a) whether the access token has expired or not, and (b) whether the access token covers the scopes (permissions) required by the protected resource endpoint.

The steps above from 1 to 3 are an Access Control against OAuth Client applications. OAuth 2.0 (RFC 6749) is used for this.

Using OpenID Connect, you can confirm that an id_token has been issued by the right party by verifying the JSON Web Signature (JWS) (RFC 7515) attached to the id_token. An id_token itself is not a technology to protect Web APIs, but you may be able to use it for that purpose if you use the at_hash claim in an id_token properly (see "3.1.3.6. ID Token" in OpenID Connect Core 1.0). However, at a protected resource endpoint.

After the steps above, then you will do:

The steps above from 4 to 6 are an Access Control against the Authenticated Resource Owner.
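Steps 1 to 3 of the Resource Server check above, as an added example that is not part of the original entry: the Bearer token is extracted from the Authorization header (RFC 6750), looked up through an introspection call (RFC 7662) and then checked for expiry and required scopes. The introspection endpoint is replaced by a constructed in-memory table of RFC 7662-shaped responses; the token strings, subjects, client ids and `exp` values are made up for the example.

```python
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed stand-in for the Authorization Server's token introspection endpoint
# (RFC 7662). A real Resource Server makes an authenticated HTTPS POST to the AS;
# here the responses are a dict keyed by token value. All values are made up.
_INTROSPECTION_RESPONSES: Dict[str, dict] = {
    "tok-good":    {"active": True,  "sub": "user-42", "client_id": "app-1",
                    "scope": "orders:read orders:write", "exp": 1_600_000_000},
    "tok-expired": {"active": True,  "sub": "user-42", "client_id": "app-1",
                    "scope": "orders:read orders:write", "exp": 1_400_000_000},
    "tok-narrow":  {"active": True,  "sub": "user-7",  "client_id": "app-2",
                    "scope": "orders:read", "exp": 1_600_000_000},
    "tok-revoked": {"active": False},
}


def introspect(token: str) -> dict:
    """Step 2: ask the Authorization Server about the token (RFC 7662 response shape)."""
    return dict(_INTROSPECTION_RESPONSES.get(token, {"active": False}))


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Step 1: pull the access_token out of the Authorization header (RFC 6750).
    The scheme name is case-insensitive; a missing, empty or non-Bearer header yields None."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        return None
    parts = auth.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def check_access(headers: Dict[str, str], required_scopes: Iterable[str],
                 now: Optional[float] = None,
                 introspect_fn: Callable[[str], dict] = introspect) -> Tuple[bool, str]:
    """Steps 1-3. Returns (allowed, detail): on success the detail is the subject
    ("sub") the privileges were delegated for; on failure it is the RFC 6750 error
    code the Resource Server should return in its WWW-Authenticate header."""
    now = time.time() if now is None else now
    token = extract_bearer_token(headers)
    if token is None:
        return False, "invalid_request"
    info = introspect_fn(token)
    if not info.get("active"):
        return False, "invalid_token"           # unknown, revoked or otherwise inactive
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return False, "invalid_token"           # step 3(a): expired
    granted = set(info.get("scope", "").split())
    if not set(required_scopes) <= granted:
        return False, "insufficient_scope"      # step 3(b): scopes do not cover the endpoint
    return True, info.get("sub", "")


if __name__ == "__main__":
    t = 1_500_000_000  # fixed "now" so the constructed exp values behave predictably
    for hdr in ({"Authorization": "Bearer tok-good"},
                {"Authorization": "bearer tok-expired"},
                {"Authorization": "Bearer tok-narrow"},
                {"Authorization": "Bearer tok-revoked"},
                {"Authorization": "Basic dXNlcjpwYXNz"},
                {}):
        print(hdr, "->", check_access(hdr, ["orders:write"], now=t))
```

Note that the subject comes back from the introspection response, not from the token string itself, which is exactly the point made above: the Resource Server learns who the delegation is for by asking the Authorization Server. The `exp` comparison uses the caller-supplied clock so the check is testable; in production it should also allow a small clock skew between the Resource Server and the Authorization Server.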

29-Jul-2017 07:39
2017-07-29#

Universal Inbox#

28-Jul-2017 10:03
2017-07-28#

There appears to be an increased interest in two divergent ideas in regards to privacy.

The Five-Eyes are exploring the back-door into Encryption while at the same time there appears to be an increased interest into privacy.

Ran Across Today#

  • LIGHTest
  • STORK - a platform which allows people to use their national electronic ID to establish new e-relations with foreign electronic services

STORK #

The STORK project is to establish a European Union eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their National Identity Card eID.

Cross-border user authentication for such e-relations will be applied and tested by the project by means of five pilot projects that will use existing government services in European Union Member States. In time however, additional service providers will also become connected to the platform thereby increasing the number of cross-border services available to European users.

Thus in the future, you should be able to start a company, get your tax refund, or obtain your university papers without physical presence; all you will need to access these services is to enter your personal data using your national eID, and the STORK platform will obtain the required guarantee (authentication) from your government.

User centric Approach = Privacy Guarantee

The role of the STORK platform is to identify a user who is in a session with a service provider, and to send his data to this service. Whilst the service provider may request various data items, the user always controls the data to be sent. The explicit consent of the owner of the data, the user, is always required before his data can be sent to the service provider.

"STORK project has been completed!" is stated on the website, which refers to a STORK 2, but that website is not found.

Zero Trust#

Zero Trust is a data-centric network design that puts micro-perimeters around specific data or resources so that more-granular rules can be enforced and implemented.

BeyondCorp is an implementation by Google for a Zero Trust Model.

The Zero Trust Model is simple: cybersecurity professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. The Zero Trust

Forrester’s Zero Trust Model has three key concepts:#

  • Ensure all resources are accessed securely regardless of location. Assume that all traffic is threat traffic until your team verifies that the traffic is authorized, inspected, and secured. In real-world situations, this will often necessitate using encrypted tunnels for accessing data on both internal and external networks. Cybercriminals can easily detect unencrypted data; thus, Zero Trust demands that security professionals protect internal data from insider abuse in the same manner as they protect external data on the public Internet.
  • Adopt a Principle of least privilege strategy and strictly enforce Access Control. When we properly implement and enforce Access Control, by default we help eliminate the human temptation for people to access Protected Resources. Today, Role Based Access Control (RBAC) is a standard technology supported by network Access Control and infrastructure software, Identity and Access Management systems, and many applications. Zero Trust does not explicitly define RBAC as the preferred access control methodology. Other technologies and methodologies will evolve over time. What is important is the Principle of least privilege and strict Access Control.
  • Inspect and log all traffic. In Zero Trust, someone will assert their identity and then we will allow them access to a particular resource based upon that assertion. We will restrict users only to the resources they need to perform their job, and instead of trusting users to do the right thing, we verify that they are doing the right thing.

In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust." Zero Trust advocates two methods of gaining network traffic visibility: monitoring and logging. Many security professionals do log internal network traffic, but that approach is passive and does not provide the real-time protection capabilities necessary in this new threat environment.

Zero Trust promotes the idea that you must inspect traffic as well as log it. In order to do so, network analysis and visibility (NAV) tools are required to provide scalable and non-disruptive situational awareness. NAV is not a single tool, but a collection of tools that have similar functionality. These NAV tools include network discovery tools for finding and tracking assets, flow data analysis tools to analyze traffic patterns and user behavior, packet capture and analysis tools that function like a network DVR, network metadata analysis tools to provide streamlined packet analysis, and network forensics tools to assist with incident response and criminal investigations.

There are only two Data Classifications that exist in your organization:

  • Data that Someone Wants to Steal
  • Everything Else
The first type is sensitive or toxic data, which can be easily identified with the equation 3P + IP = TD.

The three P's stand for Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry (PCI); IP is intellectual property; and TD is toxic data.

Forrester breaks the problem of securing and controlling data down into three areas:

  • Defining the data. This involves data discovery and data classification. Security and risk professionals, together with their counterparts in legal and privacy, should define data classification levels based on toxicity. This allows security to protect properly data based on its classification once it knows where that data is located in the enterprise.
  • Dissecting and analyzing the data. This involves data intelligence (extracting information about the data from the data, and using that information to protect the data) and data analytics (analyzing data in near real time to protect proactively toxic data). Look for security information management (SIM) and network analysis and visibility (NAV) solutions to intersect with big data to enhance security decision-making.
  • Defending and protecting the data. Data defense is the fundamental purpose of cybersecurity, and is the area where organizations focus most today. To defend your data, there are only four levers you can pull — controlling access, inspecting data usage patterns for abuse, disposing of data when the organization no longer needs it, or “killing” data via encryption to devalue it in the event that it is stolen.

Zero Trust is:

  • applicable across all industries and organizations – It is an easy-to-implement way to improve safety that any organization can implement.
  • not dependent on a specific technology or vendor – Zero Trust is a vendor-neutral design philosophy that allows maximum flexibility to create architectures that meet specific demands.
  • scalable – Vital information is protected while public-facing data travels freely.
  • focused on keeping internal data safe, and would not result in any foreseeable encroachment on Civil Liberties.

micro-perimeter around each resource

27-Jul-2017 20:18
2017-07-27#

Ran Across Today#

S&T is a novel, powerful, and Open Source research tool for keyboard acoustic eavesdropping. It allows users to perform keyboard acoustic eavesdropping Side-channel attacks: training a Machine Learning model on the different noise of each key of someone's keyboard, and then use this model to understand what he's typing from keystroke noise alone. https://github.com/SPRITZ-Research-Group/Skype-Type

24-Jul-2017 08:31
2017-07-24#

Ran Across Today#

23-Jul-2017 09:45
2017-07-23#

Biometric authentication runs afoul of religion in West Virginia#

An article Biometric authentication runs afoul of religion in West Virginia

Not For Identification Purposes#

Whenever you see someone talk about a new Identity item, remember: Not For Identification Purposes.

Ran Across Today#

It appears that most of the questions people encounter with OAuth 2.0 and OpenID Connect involve the Client-side application and how to perform the integration.

Either they are trying to "roll their own" and deal with too many details, or they have general implementation issues from an architecture point of view, such as Single Sign-On and use with multiple Applications or microservices.

What Auth0 and Microsoft get right is the simplicity.

In a traditional application, Access Control and Authentication are done at the beginning of the session. There was a "user repository" that the application would call to obtain the Digital Identity information.

When we move to microservices, this type of service would require each microservice to have the same ability to call the "user repository", which is not efficient or very scalable.

Many of the posts we see on OAuth 2.0 and OpenID Connect implementation issues revolve around:

Prompt Parameter #

Well really the challenge revolves around questions like: and there are several more.

Most of these can be solved by:

22-Jul-2017 08:53
2017-07-22#

No thinking today.

NGINX

17-Jul-2017 09:32
2017-07-17#
16-Jul-2017 09:29
2017-07-16#

Ran Across Today#

14-Jul-2017 19:36
2017-07-14#

Ran Across Today#

Well not today#

13-Jul-2017 08:12
2017-07-13#

Ran Across Today#

So end-users have continued to lap up messaging applications and tools at unprecedented rates, but they become ever-more siloed and fragmented as user bases. Over-the-top messaging apps have each developed their own dedicated communities, but they are still islands in a large connected sea.

Consumers may like their rich functionality but they remain limited and reliant on friend, family and work contacts all utilizing the same downloaded app. This also implies that only Mobile Network Operators with IP network coverage are able to give end-users full continuity of coverage and a seamless user experience across multiple networks.

WHAT IS Messaging as a Platform (MaaP)? To most users messaging is just an ‘app’ – a program on their phones they use to keep in touch. Advanced Messaging will change that though – messaging is now becoming a ‘platform’ on which applications will be built to deliver whole new levels of interaction and experience.

This is where SMS is headed.

End-users simply want all the services they need as quickly and conveniently as possible, and MaaP lets operators deliver that. If you want to book a taxi, a flight or look up train times for example, you will not need to download a specific new app – just hit your messenger. MaaP removes that barrier of another app to download and connects suppliers directly to consumers.

Messaging as a Platform will give operators all new possibilities for developing and implementing innovative services, and most importantly, for generating new revenues.

11-Jul-2017 00:50
2017-07-10#

Ran Across Today#

04-Jul-2017 09:32
2017-07-04#

Ran Across Today#

28-Jun-2017 09:18
2017-06-28#

Side-channel attacks #

26-Jun-2017 11:38
2017-06-26#

Ran Across Today#

25-Jun-2017 10:45
2017-06-25#

Ran Across Today#

23-Jun-2017 09:37
2017-06-23#

Biometric Authentication#

22-Jun-2017 16:34
2017-06-22#

Ran Across Today#

20-Jun-2017 09:27
2017-06-20#

Founding Member IDPro.

Next Things#

It has been said that Chatbots (Artificial Conversational Entity) will be how we will converse with the Internet.

No more HTML forms for filling in our information; we will use conversation with an Artificial Conversational Entity that will prompt us for answers.

19-Jun-2017 15:19
2017-06-19#

The Internet of Things Will Expand Connected Life Despite Concerns About Vulnerabilities, Risks and Infringements of Civil Liberties[1]#

Among the key themes emerging from 1,201 respondents' answers were:
  • People crave connection, it's human to connect; it is magical, even addictive.
  • As life increases in complexity, convenience is the default setting for most people.
  • The always-on younger generation can't imagine being anything but connected.
  • Resistance is futile: Businesses will punish those who disconnect and social processes reward those who connect.
  • Fully withdrawing is difficult; maybe impossible.
  • You can't avoid using something you can't discern; so much of the IoT operates out of sight that people will not be able to unplug completely.
  • Risk is part of life; the IoT will be accepted despite dangers because most people believe the worst-case scenario won't happen to them.
  • More people will be connected and more will withdraw or refuse to participate.
  • Some will opt out.
  • The IoT isn't that grand, so why worry either way?
  • Effective regulatory and technology-based remedies will emerge to reduce threats.
  • Governments should be doing more to regulate negligent companies, punish bad actors.
  • Lack of trust and safety and privacy issues will move those with fears to withdraw from the IoT.
  • "TMI" and less-than-stellar performance from complex technology systems will drive dropouts.
  • The dangers are real, whether or not people choose to disconnect; threats are likely to turn into attacks and other acts, possibly some violent.
  • Security and privacy issues are magnified by the rapid rise of the IoT.
  • IoT security concerns endanger civil liberties.

Doc Searls - "The only way to fully reduce vulnerability to surveillance and other forms of Bad Acting is to give individuals full control over the things in their lives. Today we are only beginning to evolve toward that end state; but the demand will be there, which is why there will be a business in it, and it will come to pass"

18-Jun-2017 09:05
2017-06-18#

Ran Across Today#

Two parts to the Certificate Request Process

17-Jun-2017 10:02
2017-06-17#

Gluu Server#

The Gluu Server includes a variety of components, each of which serves a different purpose. You can use any or all of the following:

Using oxd to support federation in an application provides both technical and business advantages:

oxd consolidates the OAuth2 code in one package. If new vulnerabilities are discovered in OAuth2/OpenID Connect, oxd is the only component that needs to be updated. The oxd APIs remain the same, so you don’t have to change and regression test your applications;

oxd is written, maintained, and supported by developers who specialize in application security. Because of the complexity of the standards–and the liability associated with poor implementations–it makes sense to rely on professionals who have read the specifications in their entirety and understand how to properly implement the protocols;

Centralization reduces costs. By using oxd across your IT infrastructure for application security (as opposed to a handful of homegrown and third party OAuth2 implementations), the surface area for vulnerabilities, issue resolution, and support is significantly reduced. Plus you have someone to call when something goes wrong!

OAuth 2.0 #

SAML vs OpenID Connect#

Metadata#

Both SAML and OpenID Connect have Discovery Mechanisms

Clients#

SAML has

15-Jun-2017 12:54
2017-06-15#

Best Practices OpenID Connect#

Minimal id_token verification#

OPTIONAL id_token verifications:

Read the OpenID Connect Implementer's Guides

Advanced OpenID Connect Clients#

OpenID Connect Client#

OpenID Connect DO THESE#

OpenID Connect DO NOT THESE#

12-Jun-2017 08:49
2017-06-12#

Ran Across Today#

30-May-2017 11:23
2017-05-30#

Ran Across Today#

  • Credential Stuffing is the process of using automated systems to brute-force a website with login information stolen from another site, hoping it will match with an existing account.
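The defining signature of credential stuffing, as described above, is one source trying many different usernames rather than many passwords for one username. The following added example (not part of the original entry) turns that into detection logic run over a few constructed authentication log lines: it parses them and flags any source IP that attempted at least five distinct usernames inside a sixty-second window, while a single user failing a few times from one address (an ordinary forgotten password, or a classic per-user brute force) is deliberately left alone. The log format, addresses, usernames and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed authentication log lines: "<epoch> <source_ip> <username> <OK|FAIL>".
# Addresses come from the RFC 5737 documentation ranges; users and times are made up.
SAMPLE_LOG = """\
1500000000 203.0.113.9 alice FAIL
1500000002 203.0.113.9 bob FAIL
1500000004 203.0.113.9 carol FAIL
1500000006 203.0.113.9 dave FAIL
1500000008 203.0.113.9 erin FAIL
1500000010 203.0.113.9 frank OK
1500000011 198.51.100.4 grace FAIL
1500000020 198.51.100.4 grace FAIL
1500000031 198.51.100.4 grace OK
1500000040 192.0.2.1 heidi OK
1500000900 203.0.113.9 ivan FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<ip>[\d.]+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")


def parse_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Parse the log into (ts, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events: List[Tuple[int, str, str, str]],
                               window_s: int = 60, min_users: int = 5) -> Dict[str, int]:
    """Flag source IPs that tried at least `min_users` DISTINCT usernames within any
    `window_s`-second window. Attempts are counted regardless of outcome, because a
    stuffing run that hits a valid reused password produces an OK line too.
    Returns {ip: max distinct usernames seen in one window} for flagged IPs only."""
    by_ip: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, ip, user, _result in events:
        by_ip[ip].append((ts, user))
    flagged: Dict[str, int] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = 0
        start = 0
        # Sliding window over this IP's attempts, ordered by time.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))  # {'203.0.113.9': 6}
```

Only 203.0.113.9 is flagged: six distinct accounts inside ten seconds, including the one that succeeded, which is the account a defender would want to force a password reset on. The one-user-many-failures pattern from 198.51.100.4 is not flagged by this rule and belongs to a separate per-account lockout or rate-limit check. Keying on source IP alone produces false positives behind carrier-grade NAT or corporate proxies, so a production rule would add per-ASN or per-device signals before acting automatically.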

27-May-2017 11:27
2017-05-27#

Ran Across Today#

25-May-2017 08:46
2017-05-25#

Golden Ticket#

24-May-2017 11:08
2017-05-24#

Ran Across Today#

It appears NetIQ changed all the XDAS Events with the latest eDirectory 9.0.3.0 (40005.12).

21-May-2017 09:56
2017-05-21#

Ran Across Today#

05-May-2017 11:28
2017-05-05#

Ran Across Today#

29-Apr-2017 08:20
2017-04-29#

Ran Across Today#

Personal Metadata[1]#

Personal Metadata – digital information about users' location, phone call logs, or web searches – is undoubtedly the oil of modern data-intensive science and of the online economy. This high-dimensional metadata is what allows apps to provide smart services and personalized experiences. From Google's search to Netflix's “movies you should really watch,” from Pandora to Amazon, metadata is used by commercial algorithms to help users become more connected, productive, and entertained. In science, this high-dimensional metadata is already used to quantify the impact of human mobility on malaria or to study the link between social isolation and economic development.

Metadata has however yet to realize its full potential. This data is currently collected and stored by hundreds of different services and companies. Such fragmentation makes the metadata inaccessible to innovative services, researchers, and often even to the individual who generated it in the first place. On the one hand, the lack of access and control of individuals over their metadata is fueling growing concerns. This makes it very hard, if not impossible, for an individual to understand and manage the associated risks. On the other hand, privacy and legal concerns are preventing metadata from being reconciled and made broadly accessible, mainly because of concerns over the risk of re-identification.

Data ownership and privacy[2]#

Perhaps the greatest challenge posed by this new ability to sense the pulse of humanity is creating a "new deal" around questions of privacy and Data Ownership. Many of the network data that are available today are freely offered because the entities that control the data have difficulty extracting value from them.

As we develop new analytical methods, however, this will change. Moreover, not all people who want access to the data do so for altruistic motives, and it is important to consider how to keep the individuals who generate this information safe. Advances in analysis of network data must be approached in tandem with understanding how to create value for the producers and owners of the data while at the same time protecting the public good. Clearly, our notions of privacy and ownership of data need to evolve in order to adapt to these new challenges.

This raises another important question: how do we design institutions to manage the new types of privacy issues that will emerge with these new reality mining capabilities? Digital traces of people are ubiquitously preserved within our private and public organizations— location patterns, financial transactions, public transportation, phone and Internet communications, and so on. Certainly new types of regulatory institutions are required to deal with this information, but what form should they take?

Companies will have a key role in this new deal for privacy and ownership. One suggestion is that there is an incentive system, one that gives added value to the users. Market mechanisms appear to be a particularly interesting avenue of exploration, since they may allow people to give up their data for monetary or service rewards. Ideally, this would be put into place in order to gain approval from the majority of the population to use data collected from their digital interactions.

Other important considerations revolve around data anonymity. The use of anonymous data should be enforced, and analysis at the group level should be preferred over that at the individual level. Robust models of collaboration and data sharing need to be developed; guarding both the privacy of consumers and corporations’ legitimate competitive interests is vital here.

What must be avoided is either the retreat into secrecy, so that these data become the exclusive domain of private companies and remain inaccessible to the Common Good, or the development of a “big brother” model, with government using the data but denying the public the ability to investigate or critique its conclusions.

Neither scenario will serve the long-term public interest in having a transparent and efficient government.

The new deal on data#

The first step toward open information markets is to give people ownership of their data. The simplest approach to defining what it means to "own your own data" is to go back to Old English Common Law for the three basic tenets of ownership, which are the rights of possession, use, and disposal:
  • possession: You have a right to possess your data. Companies should adopt the role of a Swiss bank account for your data. You open an account (anonymously, if possible), and you can remove your data whenever you’d like.
  • use: You, the data owner, must have full control over the use of your data. If you’re not happy with the way a company uses your data, you can remove it. All of it. Everything must be opt-in, and not only clearly explained in plain language, but with regular reminders that you have the option to opt out.
  • disposal: You have a right to dispose of or distribute your data. If you want to destroy it or remove it and redeploy it elsewhere, it is your call.

Ownership seems to be the minimal guideline for the "new deal on data". There needs to be one more principle, however—which is to adopt policies that encourage the combination of massive amounts of anonymous data to promote the Common Good. Aggregate and anonymous location data can dramatically improve society. Patterns of how people move around can be used for early identification of infectious disease outbreaks, protection of the environment, and public safety. It can also help us measure the effectiveness of various government programs, and improve the transparency and accountability of government and nonprofit organizations.

Web Blog_blogentry_290417_1 and IoT#

In this IoT scenario, billions of devices collect data out in the world and send it back to somebody's cloud for storage and/or processing. That data has value, not only to the company generating it, but to the technology companies that provide the data-crunching services. And as the whole notion of "big data" involves aggregating data from many sources, analyzing it, slicing and dicing it, the issue of data Provenance and Data Ownership becomes murkier.[3]

More Information#

http://fortune.com/2016/04/06/who-owns-the-data/
28-Apr-2017 08:44
2017-04-28#

Ran Across Today#

23-Apr-2017 08:26
2017-04-23#

Ran Across Today#

21-Apr-2017 09:53
2017-04-21#

Ran Across Today#

18-Apr-2017 08:30
2017-04-18#

API Chaining#

Object-oriented Programming#

16-Apr-2017 09:53
2017-04-16#

Advanced Key Processor (AKP)

14-Apr-2017 09:10
2017-04-14#

Verifiable Claims#

10-Apr-2017 04:09
2017-04-10#

Ran Across Today#

06-Apr-2017 09:18
2017-04-06#

Next Generation Identification#

04-Apr-2017 08:34
2017-04-04#

Nishant Kaushik [1]#

"What that means is that after sending her through a strong Identity Proofing process (like in the banking example above), part of what came out of it is a weak authentication credential. The strength and rigor of those credentials have nothing at all to do with the strength and rigor of the process that was used to establish them. In other words, there is absolutely no correlation between the assurance of the identity and the assurance of the authentication. We simply cannot solve our security woes without addressing this mismatch."

What I believe he is implying is that, regardless of the Identity Proofing performed during Credential Enrollment, a "weak" credential is issued and/or there is weak assurance between the credential and the Authenticator.
Or are those the same thing? They do have the same outcome: a weak credential, or a weak connection between the credential and the Authenticator.

I know that at a bank I use, the only Authentication Method available to me is password-based.

03-Apr-2017 09:13
2017-04-03#

Ran Across Today#

I always wonder why there are so many words. Saw this word today: proffer. Had to look it up.

24-Mar-2017 09:34
2017-03-24#

Enough is Enough[1]#

I am sick and tired when I see statements like: "When considering that users' inability to properly protect and manage passwords causes over 90% of cyber attacks, it is evident that our current IAM approach which mostly uses passwords for authentication cannot support the security of the future state where many devices will be interconnected," says Henry Bagdasarian, Founder of Identity Management Institute and cybersecurity thought leader."

Where I have an issue is with: "When considering that users' inability to properly protect and manage passwords".

First let's look at the "inability to properly protect and manage passwords".

So users are told to:

  • use strong passwords (generally this means passwords of more than 10 characters)
  • not use the same password on any other of the 200+ sites they visit
  • change their password every so many days (many sites still insist on this)

And we think anyone can do this and still remember their passwords?

The problem is not the users' "inability to properly protect and manage passwords"; it is that IAM professionals would even consider this an achievable feat.

The IAM professionals have failed to deliver or implement a reasonable alternative.

The article goes on to say "Identity Management Institute predicts that organizations will slowly move away from passwords". No kidding? That has been said for more than 10 years.

Perhaps a better question is why so many Service Providers are still asking for passwords and keeping PII data. We now have very strong Authentication capabilities through OpenID Connect and Social Identity Providers, many of which offer Multi-Factor Authentication, and with those the user's credentials are never revealed to the Service Provider.

18-Mar-2017 09:08
2017-03-18#

Typically#

Typically, when we access a Website we do so in an effort to access Data of some type. Perhaps we need to read the news, or we go to our Financial Institution to access our bank account. The "news" and our bank account are Protected Resources. The news may not require Authentication to read, but we probably cannot change the news without Authentication.

When we access the news, the website may not need to Authenticate the user (to read the news), even though the website may perform Identification using a cookie or some other method.

When we access our Financial Institution, Authentication will be performed on the user accessing the bank account, and we should probably insist on it.

Use case Copy Password#

We have all probably used these sites or applications. These "Client Applications" allow us to access some Protected Resource, like our bank account.

Some of these create a "Password Vault" in which you store your passwords to other sites. Hopefully they protect this "Password Vault" well. They then replay your password to the other sites to access the Protected Resources. (This is impersonation, not delegation.) The Protected Resource thinks it is you accessing the resource and has no idea it is the "Client Application".

This use case also exposes the user's credentials to the "Client Application".

One of the biggest violators I know of is Quicken.

Some other Client Applications may just ask for our credentials to access the bank account in real time and do not use a Password Vault.

In both of these use cases, the Protected Resource (our bank account) has no way to determine that it was the Client Application accessing the Protected Resource rather than us. This is impersonation. The Client Application is impersonating us, and the Protected Resource has no Auditing method that could say otherwise.

Use Case Enterprise LDAP Authentication #

Many enterprises use a central LDAP directory for authentication services. Interestingly, this pattern is similar to the Password Vault Authentication Method. When using LDAP for authentication, a Client Application collects credentials directly from the user (in Plaintext) and then replays these credentials to the LDAP server (typically as a bind) to determine if they are valid. The Client Application must have access to the plaintext password of the user during the transaction; otherwise, it has no way to perform LDAP Authentication.

In a very real sense, both of these Use Cases are a form of Man-In-The-Middle attack on the user, although one that is hopefully benevolent in nature.

In a typical Enterprise LDAP Authentication setup, the user's credentials may be exposed to several applications, and each of these applications is an additional exposure to an attacker: compromise any one of them and the attacker holds a password that is valid everywhere the directory is used.

In both of these approaches, the Client Application is impersonating the Resource Owner, and the Protected Resource has no way of distinguishing a call directly from the Resource Owner from a call being directed through a Client Application.

Both of these approaches are the Password Anti-Pattern of sharing your password.

The important differences: Delegation vs Impersonation#
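To make the audit difference concrete, here is an added example (my code, not code from this page or from any of the products named above): a mock Protected Resource that accepts either a replayed password, as the Password Vault and Enterprise LDAP use cases do, or an OAuth 2.0-style delegated token whose introspection data names both the user and the client. The user store, the token table, the client names and the scopes are all constructed for the example; the password-based path is identical whether the user or a vault types the password, which is exactly the problem.

```python
"""
Added example, not code from the original page: a mock Protected Resource
("our bank account") that accepts either a replayed password, as the
Password Vault and Enterprise LDAP use cases do, or an OAuth 2.0-style
delegated token.  With a replayed password the audit trail can only say
"alice", whoever actually called; with a token it can say "alice via <client>"
and refuse actions outside the granted scope.  All names, the user store and
the token table are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed credential store. The resource keeps a salted PBKDF2 hash; the
# plaintext password exists only where the user (or a vault) types it.
_SALT = b"example-salt-do-not-reuse"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse")}

# Constructed table standing in for what an Authorization Server's token
# introspection endpoint (RFC 7662) returns: subject, client and scope.
TOKENS = {
    "tok-vault":  {"active": True,  "sub": "alice", "client_id": "password-manager-app",
                   "scope": "account:read"},
    "tok-mobile": {"active": True,  "sub": "alice", "client_id": "mobile-banking-app",
                   "scope": "account:read account:transfer"},
    "tok-old":    {"active": False, "sub": "alice", "client_id": "password-manager-app",
                   "scope": "account:read"},
}


@dataclass
class AuditEntry:
    subject: str   # whose account was touched
    actor: str     # who the resource believes made the call
    action: str
    allowed: bool


@dataclass
class ProtectedResource:
    audit: List[AuditEntry] = field(default_factory=list)

    def _record(self, subject: str, actor: str, action: str, allowed: bool) -> bool:
        self.audit.append(AuditEntry(subject, actor, action, allowed))
        return allowed

    def login_with_password(self, username: str, password: str,
                            action: str = "account:read") -> bool:
        """Impersonation path. A vault or LDAP-style client that replays the
        user's password is indistinguishable from the user: the audit entry
        can only say 'alice', and the password grants every action."""
        stored = USERS.get(username)
        if stored is None:
            return self._record(username, "unknown", action, False)
        ok = hmac.compare_digest(stored, _hash(password))
        return self._record(username, username, action, ok)

    def call_with_token(self, token: str, action: str = "account:read") -> bool:
        """Delegation path. The token names the subject AND the client, so the
        resource can audit 'alice via password-manager-app' and enforce scope."""
        info = TOKENS.get(token)
        if info is None or not info["active"]:
            return self._record("?", "?", action, False)
        actor = f"{info['sub']} via {info['client_id']}"
        allowed = action in info["scope"].split()
        return self._record(info["sub"], actor, action, allowed)


def demo() -> List[Tuple[str, str, bool]]:
    rs = ProtectedResource()
    rs.login_with_password("alice", "correct horse")                      # vault replays Alice's password
    rs.login_with_password("alice", "correct horse", "account:transfer")  # ...and can do anything
    rs.call_with_token("tok-vault", "account:read")                       # delegated, client visible
    rs.call_with_token("tok-vault", "account:transfer")                   # outside granted scope
    rs.call_with_token("tok-old")                                         # revoked token
    return [(e.actor, e.action, e.allowed) for e in rs.audit]


if __name__ == "__main__":
    for actor, action, allowed in demo():
        print(f"{'PERMIT' if allowed else 'DENY':6} {action:17} by {actor}")
```

Run it and compare the audit lines: the two password entries both say "alice", so a replayed or stolen password is invisible and unlimited, while the token entries name the client and the out-of-scope transfer is refused. With a real Authorization Server the TOKENS lookup becomes a call to its introspection endpoint or local validation of a signed access token.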

08-Mar-2017 17:50
2017-03-08#

Anonymity#

07-Mar-2017 09:52
2017-03-07#

Ran Across Today#

OpenID Connect MODRNA Authentication Profile 1.0

OpenID Connect Account Porting defines mechanisms to support a user porting from one OpenID Connect Provider to another, such that Relying parties can automatically recognize and verify the change.

01-Mar-2017 11:34
2017-03-01#

Complexity and why OAuth 2.0 and OpenID Connect Help#

In a traditional WEB Access Management product there are three primary methods used:

How WEB Access Management product implemented#

In many, if not most, WEB Access Management product implementations only "coarse-grained" access is protected by the WEB Access Management product. "Fine-grained" access is typically done within the Application. (APIs and Microservices are of course excluded here.)

So when a new application comes on-board, the Access Management team must configure the protected URLs. The WEB team knows what needs to be protected but not how to configure the Access Management tool. The Access Management team knows how to configure the Access Management tool but not what to protect. This implies communication, often via a Change Control Process, where information can be lost or misunderstood.

When using OAuth 2.0 and OpenID Connect, once the OAuth Client is set up, the Web Team can control application access using the security-constraint within the Web container, a concept they are already familiar with.

Because the Application can obtain Identity State using OpenID Connect, the requirement for WAM Web Agents becomes less important.

Many WEB Access Management product implementations#

Many of the WEB Access Management products use OpenID Connect to communicate with their agents.

The advantage of WEB Access Management products#

The big advantage provided by these WEB Access Management products is the management of the Policy Information Point where the policies which determine access to Protected Resources are stored. In many Organizations, the Policy Information Point is not well utilized as many organizations have never classified applications or performed Data Classification sufficiently to be able to make proper use of this centralized Policy Information Point. The effective Policy Information Point and Policy Enforcement Point is within the Application.

There is also some advantage of the WEB Access Management products in the use of a formalized and centralized Policy Administration Point providing the organization has performed the proper Data Classification

OpenID Connect, where the rubber meets the road#

OpenID Connect allows the Applications Team, who typically are the ones really deciding the Access Control policy, to implement Access Control in the methodology they are most familiar with, without having to go through a change control process to have the desired actions implemented by another group.

OpenID Connect #

OpenID Connect also has an advantage in that the Application never even sees the Credentials of the user which provides an added security benefit.
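As an added illustration (my code, not from the page or from any WAM or OpenID Provider product), the following shows a Relying Party validating an ID Token itself and then applying the application team's own access rules to the verified claims. It uses HS256 with the client_secret as the MAC key, which OpenID Connect Core permits for a confidential client; most providers sign with RS256 and publish keys through JWKS, which changes only the signature step. The issuer, client_id, client_secret, the "groups" claim and the minted token are assumptions for the example, and mint_id_token stands in for the Provider so the code runs offline.

```python
"""
Added example, not code from the original page: a Relying Party validating an
OpenID Connect ID Token on its own and then applying application-local access
control to the verified claims, so the user's password never reaches the
application.  HS256 with the client_secret as key is used because it needs no
key distribution; RS256 + JWKS is the more common production choice.  The
issuer, client_id, client_secret, "groups" claim and token are all constructed
for the example; mint_id_token stands in for the Provider so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.com"   # assumed OpenID Provider
CLIENT_ID = "web-app-1"             # assumed Relying Party client_id
CLIENT_SECRET = b"example-client-secret-at-least-32-bytes!"   # assumed shared secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Provider stand-in: JWS compact serialization with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: float = None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """The checks from OpenID Connect Core 3.1.3.7 a Relying Party must do:
    algorithm, signature, iss, aud, exp and nonce.  Returns the verified
    claims or raises ValueError; no claim is read before the signature check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # pin the algorithm; never honour alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


# Application-local policy keyed on an (assumed) "groups" claim: the app team
# decides who may do what without a WAM agent in the path.
ROLE_ALLOWS = {"admin": {"read", "write"}, "viewer": {"read"}}


def can_access(claims: dict, action: str) -> bool:
    return any(action in ROLE_ALLOWS.get(g, set()) for g in claims.get("groups", []))


def demo(now: float = 1_700_000_000) -> dict:
    nonce = "n-8f3a"   # the value the RP put in its authorization request
    claims_in = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now,
                 "exp": now + 300, "nonce": nonce, "groups": ["viewer"]}
    token = mint_id_token(claims_in)
    claims = validate_id_token(token, nonce, now)
    result = {"read": can_access(claims, "read"), "write": can_access(claims, "write")}
    # Tamper with the payload (promote alice to admin) but keep the old signature
    h, _, s = token.split(".")
    tampered = _b64url(json.dumps({**claims_in, "groups": ["admin"]}).encode())
    forged = f"{h}.{tampered}.{s}"
    try:
        validate_id_token(forged, nonce, now)
        result["forged"] = "accepted"
    except ValueError as err:
        result["forged"] = str(err)
    return result


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token header, and the nonce ties the token to the authorization request the application itself issued. Nowhere in this flow does the application receive Alice's password.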

24-Feb-2017 09:44
2017-02-24#

Ran Across Today#

21-Feb-2017 14:48
Overview#
Web Blog_blogentry_210217_1

20-Feb-2017 17:27
2017-02-20#

Industry 4.0 #

Industry 4.0 encompasses a promise of a new industrial revolution.

One that marries advanced manufacturing techniques with the Internet of Things to create a digital manufacturing enterprise that is not only interconnected, but communicates, analyzes, and uses information to drive further intelligent action back in the physical world.

EMPTY THE REPOSITORY: WHY VIRTUAL TOKENS ARE BETTER FOR AuthZ#

If you’re using a business application, it is very likely to have a user repository attached. This is usually a simple database containing an ID and a list of authorized actions for each user. It’s a simple system, and as a 2014 survey showed, its downfall is that the average enterprise has over 500 applications in use. We know that the number is closer to 500,000 applications running per enterprise. With one repository per application, the challenge of managing these repositories cannot be overstated.

Several solutions have been tried, with LDAP (Lightweight Directory Access Protocol) as the most popular. This is, in effect, a single directory designed to share user and authorization information between many applications. Its advantage is that it is an industry standard, so every developer can freely integrate it into their product. The drawback, however, is that it doesn’t fit all AuthZ needs and so wasn’t universally adopted for authorization.

The Problems with Repositories Mimic those of Static AuthZ#

In addition to the problem of volume, repositories have drawbacks common with other traditional forms of AuthZ.
  • Administration: In order to change permissions for a given application, the repository needs to be updated. Either manually or by a provisioning system, in both cases it’s a complicated task that requires time and resources.
  • No Flexibility: Authorizations don’t change based on any variables. For example, a cyber security event, or a user login through a mobile device, won’t remove any assigned permissions. Repositories are static, and their users and permissions must be programmed in advance.
  • Inefficient Distribution: With over 500 repositories in the average enterprise, the problem isn’t just a matter of scale. It is difficult to apply AuthZ policy consistently over such a large volume of databases. If the AuthZ policy isn’t applied consistently – whether due to accident or indifference, then certain applications may become security risks.

Virtual Tokens Provide the Answer#

Virtual tokens take one of the traditional aspects of AuthZ and flip it on its head. What if, instead of storing AuthZ information in large repositories within each application, you reduce it to a small repository fitted to an individual user? This is what a virtual token represents. Upon access, this token is sent to the application, which responds accordingly.

This approach displays some marked advantages over the traditional repository approach. For one, it’s responsive: the data carried by the virtual token allows the application to respond dynamically based on conditions described by the AuthZ token. Secondly, virtual tokens can be small, containing only the information that’s necessary for the app to authenticate and authorize the user.

Say NO to Provisioning#

Lastly, virtual tokens reduce the need to maintain all those repositories, so no more unmanaged AuthZ, no more “ghost” IDs.

Oracle bets Java EE future on REST APIs#

REST Ahead

Oracle is banking on REST and JSON to modernize Java EE for microservices and the cloud. ... He cites features such as a new API to dynamically configure Java EE applications, native support for OAuth/OpenID Connect, health check services, and Java SE 9-based modularity.

20-Feb-2017 13:18
2017-02-20#

OAuth 2.0 Use Cases#

10-Feb-2017 09:20
2017-02-10#

Did some work on the ideal IAM Charter

09-Feb-2017 11:42
2017-02-09#

Passwords just Do Not Scale#

We have all heard the Common rules:
  • Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.
  • Avoid using the same password at multiple Web sites.
  • and several more..
So say you have 27 passwords, an average I saw; another statistic I saw was that 35% of people are not using strong enough passwords.

A strong password generated at passwordsgenerator.net (funny, the site itself is not secured with HTTPS) looks like:

,!V@G8z[-9D#hF.J
So no one will ever remember such a thing, and many "Secure Sites" may not allow some of the characters within the password, or may not allow 16 characters.

So we need 27 of these passwords for the average person. NOT GOING TO HAPPEN!

Generally sites would be better off requiring a password and Multi-Factor Authentication.

Mobile Device and Authentication in Financial Organizations#

Conclusion[1] Americans are spending a growing share of their digital time on mobile. According to recent data released by KPCB, adults in the United States spent 5.6 hours per day on their Mobile Devices in 2015, an amount of time that has grown at a compound annual growth rate of 10.98% since 2008. Financial institutions are scrambling to offer consumers mobile access to their products and services that is comparable to the access available via the Web on a desktop computer, since this is the experience consumers have come to expect. This shift to mobile has placed financial institutions’ security and authentication needs in a state of flux as the FIs experiment with new ways of delivering banking services securely through the mobile channel.

In addition, each financial institution has its own unique view of risk and requires solutions that can be customized to fit its risk management governance model and often individual product risk profiles.

Financial Institutions recognize that they need more sophisticated fraud management and identity verification processes than user IDs and passwords alone. Biometric identification through fingerprint, voice, and facial recognition is of growing interest as a way to balance security with improving the user experience. However, biometrics tend to come later in the fraud detection value chain. Early in the process, financial institutions need to balance the need for enhanced risk processes with the all-important customer experience. Creating too much friction in the account acquisition or on-boarding process is noncompetitive, as financial institutions know. What they need is thus multi-layered authentication workflows that allow them to apply rules in a logical manner that avoids unnecessary input or verification steps. Mobile is also opening up new tools to fight fraud, as these devices come with a range of sensors that allow a much deeper understanding of who the user is (i.e., the user’s identity and patterns of behavior). FIs are looking to build capabilities that address this aspect by investing in solutions that leverage geolocation, for example, and other relevant data.

The increased sophistication of cutting-edge software solutions to fight fraud gives financial institutions the opportunity to use these tools to build mobile identities with carrier data for their account holders. Creating a more nuanced and complex identity, one that incorporates personal, device-dependent data and location data into a comprehensive view, will allow financial institutions to provide a far more seamless experience for the “good” consumer and allow faster and more effective identification of fraudulent account activity.

Balancing Authentication Simplicity and Security[2]#

When it comes to verification/authentication, the key to keeping the process convenient for the mobile consumer is to ensure that the solution can do the following:
  • Keep the consumer in the mobile channel
  • Take place in near real-time with little lag
  • Require little to no manual data entry from the user
  • Run in the background and remain invisible to the user (as much as possible)
  • Pair with an additional layer of security (e.g. biometrics) for a second factor of authentication
Using these five guidelines for end-user convenience, most organizations can create a mobile authentication process that is both simple and secure.

By creating a secure mobile ID verification process that is also a convenient experience for customers, financial marketers enable customers to move through the buying process more quickly, while at the same time keeping fraudsters out. They are also able to reduce or eliminate costly manual reviews, which in turn, helps keep the overall cost of acquisition and managing customer relationships lower. Further, mobile ID verification/authentication meets Know Your Customer (KYC) and other compliance requirements.

Mobile ID verification can also make the digital account opening process easier on customers and improve the experience by allowing them to stay in the mobile channel for ID verification. This differs from other ID verification methods, in which users would typically need to leave the mobile channel to send a scanned copy of their ID documents to the business through insecure email or fax channels, or even visit the branch office.

It’s important to note that user experience is key for customer acquisition and mobile on-boarding. With a mobile ID verification user experience that is just as quick and easy as mobile users expect, digital marketers are able to improve the customer journey metrics for mobile self-service and boost customer satisfaction.

23-Jan-2017 17:09
2017-01-23#

Ran Across Today#

Mobile Moment: in her book, The Mobile Mind Shift, she speaks of a Mobile Moment as: ".. a point in time and space when someone pulls out a mobile device to get what he or she wants immediately, in Context"

10-Jan-2017 10:42
2017-01-10#

Ran Across Today#

03-Jan-2017 09:32
Identity Management has been around for a long time, even before we started automating Web Blog_blogentry_030117_1.

In a typical Identity Management installation, we create users in LDAP and apply some Access Control Models to control access to various Target Resources.

We may synchronize the Digital Identity from one repository to another. There are probably several methods in use in most Organizational Entities, from some perl scripts to sophisticated IDM Vendor Products.

Well, it is now 2017 and we have better, safer methods available.

Today an Organizational Entity must implement a dynamic IAM solution that serves employees, customers, partners and devices, regardless of location. This is the evolution of IAM to Identity Relationship Management (IRM).[1]

As customers look for and expect more ways to engage with businesses, companies are making the shift from the closed, protective world of IAM to the open, evolving, and confidently secure IRM universe. This is because identity and Access Control tools are a necessity for managing trust relationships with parties inside and outside of a company – relationships that are now tied directly to the business’ top line.

This shift in business emphasis has a direct technical impact on how we think about identity and Access Control. As a result, we need to take into account the following business-focused pillars when choosing an IRM solution:

  • CONSUMERS AND THINGS over employees
  • ADAPTABLE over predictable
  • TOP LINE REVENUE over operating expense
  • VELOCITY over process

Changing Business Values & A New Technical Approach to IAM#

IRM solutions that are able to satisfy the business needs of an organization and the new values of the CIO will shape the future of IAM. The shift to cloud, social, mobile, and SaaS is revolutionizing the Organizational Entity, and IAM needs to evolve to help businesses capture new opportunities without worrying about the associated complexities that result from this change.

This shift in business emphasis has a direct technical impact on how we think about Identity Management and Access Control. Through this shift we must come to value:

  • INTERNET SCALE over enterprise scale
  • DYNAMIC INTELLIGENCE over static intelligence
  • BORDERLESS over perimeter
  • MODULAR over monolithic

Where do We Go in 2017#

To address the need for Identity Management or more so Identity Relationship Management, we have to build on a solid base.

We need to establish our security infrastructure on protocols and standards that have been peer-reviewed and are seeing market adoption.

For a long time, lack of such standards has been the main impediment for large organizations wanting to adopt RESTful APIs in earnest. This is no longer the case since the advent of the Neo-Security Stack:

These protocols give us all the capabilities we need to build a secure and INTERNET SCALE API platform, using OAuth 2.0 and OpenID Connect as the base.

Ran Across Today#

02-Jan-2017 10:29
2017-01-02#

RBAC is not RBAC and RBAC on paper is difficult ( StackOverflow 2012)#

RBAC is not RBAC is not RBAC, and RBAC on paper is difficult, but it is nearly impossible to implement in real life.

Everyone has their own "idea" of RBAC and most everyone uses different terms for everything associated with RBAC. Generally from an LDAP implementation perspective you seldom have all the "pieces parts" to do a proper implementation within LDAP.

The "pieces parts" in simple terms are:

  • S = Subject = A person or automated agent or Users
  • P = Permissions = An approval of a mode of access to a Target Resource
  • T = Target Resources = The Object to which you want to assign permissions

The Role, at minimum, needs to associate a Permission and a User. The Target Resource could be outside of LDAP entirely. So it could be an Application on a Tomcat server or simply the right to read "other" entries within the LDAP Server.

So typically the best you will do within LDAP is to setup an object which has a list of users and if there are some resources that are within LDAP, assign the proper directory permissions for those target resources.

Then there is the little problem implementation.#

We now need a Policy for implementing our Role. Our role, which we will call USER-READ-ONLY, is not useful without a policy on how it is to be used.

In our case, we could just say the USER-READ-ONLY Role can read anything in our Organization.

So we now have a Policy. Where is this policy stored? The Digital representation of a Policy is stored in the "Policy Information Point" or PIP. (In XACML terminology the policy itself is authored and made available to the decision point through the Policy Administration Point, and the PIP is the source of the attribute values the policy refers to, such as group memberships; this page uses PIP loosely for both.)

How do we interpret the Policy supplied from the PIP? Policies are interpreted by the Policy Decision Point (PDP), which decides whether a Subject (user) can access a resource.

Who acts on that decision? The Policy Enforcement Point (PEP), which sits in front of the resource and permits or denies the access.

Putting all this policy stuff together: the digital representation of the Policy is provided by the Policy Information Point to the Policy Decision Point, which then passes the decision to the Policy Enforcement Point, where the access is permitted or denied.

So in our RBAC story, where are the PIP, the PDP, and the PEP? Well, if the Target Resource is in the LDAP directory, then the LDAP directory is the PIP (which we probably hard-coded and did not abstract), the PDP likewise, and the PEP too; that was easy.

But if it is our Tomcat Application, there MUST be a method within the Tomcat Application that can say "I have this Subject (user) and he wants access to this Target Resource (inventory) to perform this Permission (READ-ONLY)", and something that answers it.

Sure there are some standards for all this stuff. (Google XACML, RFC 3198, ISO 10181-3, NIST) but they are Standards with wide gaps for practical implementations.
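As an added example (my code, not from the page or from any vendor product) of how the pieces fit, here is the Subject / Permission / Target model and the USER-READ-ONLY role wired through a PIP, a PDP and a PEP, in the form the Tomcat Application above would have to expose. The USER-READ-ONLY role and its "read anything" policy come from the text; the second role, the subjects, the target resource names and the in-memory stores are constructed for the example, and the PIP is kept in the sense the page uses the term, as the store the PDP reads from.

```python
"""
Added example, not code from the original page: the S / P / T "pieces parts"
and the USER-READ-ONLY role from the text, wired through a Policy Information
Point, a Policy Decision Point and a Policy Enforcement Point.  The
USER-READ-ONLY role and its "read anything" policy are the page's; the second
role, the subjects, the target resources and the in-memory stores are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """P: an approved mode of access to a Target Resource (T).
    A target of "*" means every resource in the Organization."""
    action: str
    target: str


class PolicyInformationPoint:
    """Holds the digital representation of the policy: role membership
    (what an LDAP group gives us) and what each role permits."""
    def __init__(self) -> None:
        self.role_members: Dict[str, Set[str]] = {}
        self.role_perms: Dict[str, Set[Permission]] = {}

    def add_role(self, role: str, perms: Set[Permission]) -> None:
        self.role_perms[role] = set(perms)
        self.role_members.setdefault(role, set())

    def assign(self, subject: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.role_members[role].add(subject)

    def roles_of(self, subject: str) -> Set[str]:
        return {r for r, members in self.role_members.items() if subject in members}

    def perms_of(self, role: str) -> Set[Permission]:
        return self.role_perms.get(role, set())


class PolicyDecisionPoint:
    """Interprets the policy: PERMIT if any role of the Subject carries a
    Permission matching the action and target; otherwise default DENY."""
    def __init__(self, pip: PolicyInformationPoint) -> None:
        self.pip = pip

    def decide(self, subject: str, action: str, target: str) -> bool:
        for role in self.pip.roles_of(subject):
            for p in self.pip.perms_of(role):
                if p.action == action and p.target in ("*", target):
                    return True
        return False


class PolicyEnforcementPoint:
    """Sits in front of the application resource: asks the PDP, logs, then
    permits or denies.  This is the hook the Tomcat application must expose."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.log: List[Tuple[str, str, str, str]] = []

    def request(self, subject: str, action: str, target: str) -> bool:
        allowed = self.pdp.decide(subject, action, target)
        self.log.append((subject, action, target, "PERMIT" if allowed else "DENY"))
        return allowed


def build() -> PolicyEnforcementPoint:
    pip = PolicyInformationPoint()
    pip.add_role("USER-READ-ONLY", {Permission("read", "*")})          # the page's role and policy
    pip.add_role("INVENTORY-EDITOR", {Permission("read", "inventory"),  # assumed second role
                                      Permission("write", "inventory")})
    pip.assign("alice", "USER-READ-ONLY")
    pip.assign("bob", "INVENTORY-EDITOR")
    return PolicyEnforcementPoint(PolicyDecisionPoint(pip))


def demo() -> List[str]:
    pep = build()
    pep.request("alice", "read", "inventory")    # USER-READ-ONLY may read anything
    pep.request("alice", "write", "inventory")   # but not write
    pep.request("bob", "write", "inventory")     # editor may write inventory
    pep.request("bob", "read", "payroll")        # no role covers payroll
    pep.request("mallory", "read", "inventory")  # unknown subject: default deny
    return [entry[3] for entry in pep.log]


if __name__ == "__main__":
    print(demo())
```

Default deny falls out of the structure: an unknown subject has no roles, so the PDP never finds a matching Permission. Swapping the in-memory PIP for LDAP group lookups, or the PDP for an XACML engine, leaves the single PEP call in the application unchanged, which is the abstraction the text says is usually hard-coded instead.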

So keep in mind that REAL implementations of RBAC are hard.

Sure IMHO, we should know about RBAC, study the papers and make it a strategic direction, but the real life implementation across a broad base of vendors and applications, well we are just not there yet.

-jim

01-Jan-2017 09:37
2017-01-01#

Risk-Trust-Access Control#

In reviewing some papers on Authentication I was reminded that there must be some reason to perform Authentication before you start.

To perform Authentication and/or Authorization, you must start with Risk. If there is no Risk, then there should be no Authentication, and if there is no Authentication, there can be no Authorization.

To determine what Authentication is needed, you must first perform a Risk Assessment. Yet many, no, most, Organizational Entities I have worked for or observed have never "really" performed a Risk Assessment. And those who say they have have only placed generic terms on Risk Management and loosely classified data in some policy. Little attention or emphasis is placed on how and where Classified Data is stored or protected from an unfortunate event.

RAT#

Authentication Authorization and Accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted.

22-Dec-2016 14:20
2016-12-22#

RAT#

DevOps is a term used to refer to a set of practices that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes.[1][2] It aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.

05-Dec-2016 06:49
2016-12-04#

Key Performance Indicator (KPI) is a measurable value that demonstrates how effectively a company is achieving key business objectives. Organizations use KPIs to evaluate their success at reaching targets. Learn more: What is a key performance indicator (KPI)?#

01-Dec-2016 12:32
2016-12-01#

Ran Into Today#

Decentralized Identifier

23-Nov-2016 11:56
2016-11-23#

Ran-Across-Today#

  • Cloud Access Security Brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

17-Nov-2016 11:54
2016-11-17#

Identity Ecosystem Framework News#

Towards a Trusted Framework for Identity and Data Sharing#

Where he mentions several sources on Identity Ecosystem Frameworks

"The WEF Blueprint for Digital Identity argued that financial institutions are well positioned to drive the creation of such digital identity ecosystems because they already serve as intermediaries in many transactions, are generally trusted by consumers as safe repositories of information and assets, and their operations, - including the extensive use of customer data, - are already rigorously regulated."

"Finally, as was the case with the Internet, government needs to play a leadership role in the creation of such highly complex identity ecosystems by supporting the required R&D, experimental testbeds, and legal frameworks."

08-Nov-2016 13:29
2016-11-08#

Path to a Functional Certificate#

So you decide you need to add HTTPS to that Apache WEB server that you have been running for 5 years on plain HTTP.

How would you do that?#

You have a few options.

28-Oct-2016 11:20
2016-10-28#

Ran Across Today#

Well, not just today, but again: I revisit Identity Proofing.

13-Oct-2016 12:40
2016-10-13#

Ran Across Today#

21-Sep-2016 17:00
2016-09-21#

OAuth Scope Example#

We put together an OAuth Scope Example based on a real-life example.

10-Sep-2016 12:34
2016-09-10#

Ran Across Today#

05-Sep-2016 09:00
2016-09-05#

Ran Across Today#

29-Aug-2016 12:53
2016-08-29#

Ran Across Today#

28-Aug-2016 12:54
2016-08-28#

Ran Across Today#

27-Aug-2016 14:04
2016-08-27#

Ran across today#

26-Aug-2016 11:37
2016-08-26#

Contract of Adhesion#

Most EULA and Privacy Policies are a Contract of Adhesion

Today I wanted to file a complaint with the Federal Communications Commission about a phone scam that was directed at me. However, it is unconscionable to me that anyone would, if they read the Privacy Policy, which reads in part:

"Any comment that you submit through this website may be made public, including any personally identifiable information that you provide in your submission. We may share your comment with others, including the public, in aggregated form, in partial or edited form, or verbatim."

This is indeed so, almost comical, as elsewhere on their site they state:

"For this unique relationship to flourish, we endeavor to publish your comments whenever possible, but expect conversations to respect traditional conventions of polite discourse. The FCC will remove and/or decline to publish any comment that:

  • Contains obscene or vulgar language
  • personal attacks of any kind, or offensive terms that target a specific race, color, sex, sexual orientation, national origin, ethnicity, age, religion, or disability;
  • promote commercial services or products (relevant non-commercial links are not per se prohibited);
  • are off-topic; or
  • make unsupported accusations.
Comments will be accepted or rejected in whole – we do not edit comments to remove objectionable content."

So it is not that they do not read and moderate comments, it is just, I assume, that they do not care if your Personally Identifiable Information is disclosed to the public.

As far as I can tell this is a direct violation of the Federal Privacy Act.

25-Aug-2016 15:33
2016-08-25#

What's New#

In the past we needed to provide Authentication and Authorization at the application level, and that Digital Identity was verified, via various methods, back to LDAP. Using LDAP we typically only used password Authentication.

When we started using LDAP, most of the applications were traditional monolithic applications in which all of the application work was done within one large application, often with some back-end storage database.

This scenario allowed us to provide Consistent Sign-On so end users only had one username/password combination and, in general, all was well.

Then we wanted Single Sign-On, and so we added a WEB Access Management system in front of LDAP. These proprietary WEB Access Management systems did allow HTTP Single Sign-On in most cases. We often added GSSAPI to the mix so we could usually get the credentials from the Windows Client Operating System and use them to perform Authorization to the WEB Access Management system and provide an even broader range of Single Sign-On and, in general, all was well.

Then Security Assertion Markup Language (SAML) came along, and we could connect to outside monolithic applications and provide an even broader range of Single Sign-On and, in general, all was well.

Then the world started changing. The monolithic applications became too large and complex to handle, and their appetite for access to data not within their own databases became more and more desirable. We added more and more attributes to LDAP, which we synchronized from this data-store to that data-store, and the Identity And Access Management systems became too complex to handle.

The monolithic application projects became larger and more complex. Then the Identity And Access Management projects became more and more complex.

As tends to happen in the technology world, programmers started using Lean Product Development to simplify and prioritize what was really necessary. Lean Product Development caused the monolithic applications to be broken down into smaller "chunks" of applications that were loosely coupled. These loosely coupled applications have become smaller (and will become even smaller), which adds to the agility of Lean Product Development.

This continued Lean Product Development has led to the movement to Application Programming Interfaces, where nearly any application, monolithic or not, can have almost "instant" access to the data.

And in this API Economy, Application Programming Interfaces (APIs) act as the digital glue that links services, applications and systems. This allows businesses to make the most of their data to create compelling customer experiences and open new revenue channels.[1]

What does it mean to Identity And Access Management teams?#

More work and more learning. We used to only need to provide Authentication and Authorization services for users, and now we need to be able to determine if this Application is able to access some API or other application on behalf of this user.

The good news: we have help. OpenID Connect provides the tools to make all this happen, and there are a lot of Open Source projects that can help.

21-Aug-2016 12:22
2016-08-21#

Ran Across Today#

20-Aug-2016 12:42
2016-08-20#

Ran Across Today#

Parameters, Attributes, Claims#

In RFCs there are many terms without universally shared meanings.

Parameters, Attributes and Claims are often-used terms in RFCs, and they are often used interchangeably.

Look at RFC 7519, which uses "Parameters" within JOSE Headers (Section 5) and in "Header Parameter Names Registration" (Section 10.4), and then uses "Claims" in "JWT Claims" (Section 4) and "JSON Web Token Claims Registry" (Section 10.1).

Then, in "Replicating Claims as Header Parameters" (Section 5.3): "...allows claims present in the JWT Claims Set to be replicated as Header Parameters...". So what is the difference between "Claims" and "Parameters"?

And then, to make RFCs even harder to comprehend, in Security Event Token (SET) draft-hunt-idevent-token-03 we add "Attributes", where they state: "The following are attributes that are based on RFC 7519 claim definitions and are profiled for use in an event token".

So is there any difference between Parameters, Attributes and Claims?
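Whatever the RFCs call them, the split is easiest to see in a token itself. The following is an added example (not code from the original post, and not the API of any library): it mints one HS256 JWT whose JOSE Header Parameters describe the token and whose Claims Set makes statements about the Subject, and then performs the check a resource server makes before letting an Application act on behalf of a user, as the "What's New" entry of 2016-08-25 above describes. The secret, issuer, audience, key id and scope names are all constructed.

```python
"""Added example: one HS256 JWT showing Header Parameters versus Claims, plus the
resource-server check made before an API acts on the user's behalf.
The secret, issuer, audience, kid and scope names are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SECRET = b"constructed-shared-secret"   # constructed; in practice issued by the IdP / key store
ISSUED_AT = 1471708800                  # constructed reference time (Unix seconds)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: bytes, header_params: dict, claims: dict) -> str:
    """Header Parameters (alg, typ, kid) describe how to handle the token;
    the Claims Set (iss, sub, aud, exp, scope) carries statements about the Subject."""
    header_b64 = b64url_encode(json.dumps(header_params, separators=(",", ":")).encode())
    claims_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{claims_b64}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, expected_aud: str, now: int) -> Optional[Tuple[dict, dict]]:
    """Return (header_params, claims) if the token is acceptable for this audience now, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented_sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The verifier pins the algorithm; the token's own "alg" parameter never chooses the check.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Claims are only trusted after the signature check; aud binds the token to this API.
    if claims.get("aud") != expected_aud:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return header, claims


def api_permits(token: str, secret: bytes, audience: str, required_scope: str, now: int) -> bool:
    """The resource-server decision: valid token for this audience, and the scope the call needs."""
    verified = verify_jwt(token, secret, audience, now)
    if verified is None:
        return False
    _, claims = verified
    return required_scope in claims.get("scope", "").split()


def sample_token() -> str:
    """A constructed token: alice, via the constructed IdP, may read (not write) inventory."""
    return mint_jwt(
        SECRET,
        {"alg": "HS256", "typ": "JWT", "kid": "key-2016-08"},            # Header Parameters
        {"iss": "https://idp.example", "sub": "alice", "aud": "inventory-api",
         "iat": ISSUED_AT, "exp": ISSUED_AT + 300, "scope": "inventory:read"},  # Claims
    )


if __name__ == "__main__":
    token = sample_token()
    print(token)
    print("read  :", api_permits(token, SECRET, "inventory-api", "inventory:read", ISSUED_AT + 60))
    print("write :", api_permits(token, SECRET, "inventory-api", "inventory:write", ISSUED_AT + 60))
```

Note that `kid` is a Header Parameter because the verifier needs it before it can trust anything, whereas `sub` and `scope` are Claims because they are only meaningful once the signature has been checked; replicating a claim into the header (Section 5.3) does not change which of the two the verifier may rely on.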

17-Aug-2016 11:04
2016-08-17#

Internet Drafts#

Trusted Platform Module (TPM)#

Financial Industry Regulatory Authority Inc (FINRA) #

Financial Industry Regulatory Authority Inc (FINRA) is a private corporation that acts as a Self-regulatory Organization (SRO).

FINRA is the successor to the National Association of Securities Dealers, Inc. (NASD) and the member regulation, enforcement and arbitration operations of the New York Stock Exchange.

It is a non-governmental organization that regulates member brokerage firms and exchange markets. The government agency which acts as the ultimate regulator of the securities industry, including FINRA, is the Securities and Exchange Commission.

15-Aug-2016 17:54
2016-08-15#

Pros and cons of Authenticator App Code#

Pros#

  • SIM swapping won’t hijack your MFA codes if you’re using an Authenticator App. The codes depend on the app itself, not on your SIM card.
  • Authenticator apps work even when you don’t have mobile coverage.

Cons#

  • Authenticator Apps depend on a shared secret that both the app and the server need to store. This “seed” is combined with the time to generate the MFA code. If an Attacker can crack the app or the server and recover the secret, they can clone your MFA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.
  • When you access online services from your Mobile Device, you’ll usually be running the Authenticator App on the same device. This means the crooks have a common point of compromise for both factors of your MFA. A second, lightweight “feature phone” used for SMS codes makes it easier to keep the Authentication Factors apart.

09-Aug-2016 11:50
2016-08-09#

From today#

We constantly see people wanting to know where and how to perform Token Storage.

08-Aug-2016 23:10
2016-08-08#

Today we Found#

05-Aug-2016 12:33
2016-08-05#

Java Authentication Service Provider Interface for Containers#

02-Aug-2016 07:50
2016-08-02#

Things from today#

  • Credential Service Provider
  • Attribute Provider (AP) - Manages and provides assertions of identity attributes to other relying and federated parties.
  • Attribute Provider Statement (APS) - A document that captures the security, privacy, data protection, and attribute management practices of a given attribute provider or party acting as an attribute provider for a given set of transactions.
  • Attribute Value Metadata (AVM) - Data describing an asserted value for an associated attribute.
  • Authorization - The decision to permit or deny a subject access to resources (e.g., network, data, application, services) based on the evaluation of access control policies.
  • Credential Service Provider (CSP) - An entity that issues digital credentials to subjects and issues or registers authenticators for subjects’ use. A CSP may be an independent third party, or may issue credentials for its own use. A CSP may provide and verify attributes or may include attributes provided or verified by other entities.
  • Federation - A process that allows for the conveyance of identity attributes and authentication information across a set of networked systems.
  • Identity Provider (IDP) - A CSP in a federation that manages the subject’s primary authentication credentials and issues assertions derived from those credentials.
  • Metadata - Structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is often called data about information or information about information.
  • Relying Party (RP) - An entity that relies upon a subject’s authenticator(s) and credentials or an IDP’s assertion of a subject’s identity, typically to process a transaction or to grant access to information or a system.

31-Jul-2016 10:34
2016-07-31#

What I ran across today#

Phil Windley#

26-Jul-2016 14:43
2016-07-26#

What I ran Across today#

14-Jul-2016 10:34
2016-07-14#

A Schema for Logging the LDAP Protocol#

10-Jul-2016 12:02
2016-07-10#

General Data Protection Regulation (GDPR)#

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995. Perhaps confusingly for some, there is a new directive as well as a new regulation; it will apply to police procedures, which will continue to vary from one Member State to the other.[3]

The regulation was adopted on 27 April 2016. It enters into application 25 May 2018 after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by governments.[4]

06-Jul-2016 13:39
2016-07-06#

Mobile wallets: Where do I keep my receipts?#

Since Google released its first mobile wallet five years ago, a slew of companies have released their own mobile wallet products.

Among them are Apple Pay and Samsung Pay, retailers like Walmart and Kohl's, and even banking institutions including Chase Pay and Capital One. However, even though new Mobile-Digital Wallets continue to come to market with a frequent cadence, they have yet to be widely adopted by consumers. And, as the market continues getting more saturated, it begs the question: will they really ever get enough traction to take off?

Even though companies continue to heavily invest in the development of Mobile-Digital Wallets by increasing their compatibility with various point-of-sale systems and including more of what consumers want, none of the current options on the market have taken into account a fundamental part of the shopping experience: receipts.

This lack of forethought begs the question, if consumers are expected to carry out entire transactions using only their mobile device – because it's more convenient – why should they still be expected to keep track of paper receipts? Mobile wallets need to prioritize digital receipts and include them as a basic utility in their solution. Doing so will play a key role in increasing consumer adoption.

and more at: Mobile wallets: Where do I keep my receipts?

04-Jul-2016 22:04
2016-07-04#

Where to Store Photos#

I have accumulated more than 50k photos and more than 2 GB of video files.

Some of these media files will never be shared, but there have been times when I needed to share them with a select group of My Contacts and/or with one of the Social Network sites.

There are several constraints I have for any online storage:

  • Storage - the cost to store this amount of data online is usually prohibitive
  • Sharing - Some of these photos are not in the public domain, and so Copyright and Intellectual Property Rights must be retained by the Resource Owner
  • Must be able to detect that a Media File already exists and be able to make a copy or replace the file
    • Google is terrible at this. I have never been able to find a method to stop creating duplicates. Heck, I do not even know how it happens.

19-May-2016 16:55
2016-05-19#

What I learned today#

15-May-2016 16:25
2016-05-15#

The Moments Ahead for Identity#

At that moment we will have forged great relationships with our Chief Customer Officer, Chief Privacy Officer and Chief Information Security Officer. Identity professionals at this moment will have a strong voice at the decision-making table, but this is not possible if we continue to take a project-centric view of identity and not a program-centric one; this is not possible if we don't shift to this notion of outcomes-based identity. In the moment ahead there are really only two things that matter:
  • mitigating risk
  • customer delight
That's what we're going to be measured on: we're going to be measured on how well we mitigated risk for our enterprises, and we will be measured on how well we delight our customers.

28-Apr-2016 22:56
Overview#

Dogs vs Drones#

  • An estimated 4.7 million dog bites occur annually in the US.
  • An estimated 368,245 persons are treated in emergency departments for nonfatal dog bites annually.
  • Approximately 42% of dog bites occurred in children aged less than 14 years.
  • Dog bite rates were significantly higher for boys (293.2 per 100,000) than for girls (216.7 per 100,000).
  • Work-related dog bites are also a significant injury problem, 16,476 dog bites, or 7.9% of total dog bite injuries were work-related.
  • Children sustained 3.2 times higher bite rates that required medical attention than adults (6.4 per 1000 v. 2 per 1000).
  • Young children were more likely than adults to be bitten on the head, neck or face.
  • In 1986 there were 585,000 dog bite injuries that required medical attention.
  • By 1995 there were 800,000, a 36% increase from 1986 to 1995.

16-Apr-2016 14:25
2016-04-16#

HIPAA has failed!#

HIPAA includes a section, Title II, entitled Administrative Simplification, requiring:
  • Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
  • Protection of confidentiality and security of health data through setting and enforcing standards.

From a patient's perspective, HIPAA has failed on both items.

Anyone who has recently been to a Doctor's office can relate to my recent experiences.

I went to my primary Health Care Provider and was of course required (as in: if you do not sign, no service) to sign several pages of HIPAA forms that are complex and meaningless to the average patient. This was in addition to the fact that I had already been to this Health Care Provider's web site, filled out several forms and agreed to HIPAA items there.

I provided my primary Health Care Provider with printed records from my personal medical records: a history of related procedures and previous diagnoses. I also provided, by way of paper forms, answers to my medical history.

And as often happens, my primary Health Care Provider referred me to a "Specialist" Health Care Provider, where I again was required to sign several pages of HIPAA forms that are complex and meaningless to the average patient.

The "Specialist" Health Care Provider asked about the history of related procedures and previous diagnoses and, by way of paper forms, answers to my medical history.

BTW, they are both in the same building complex.

The "Specialist" Health Care Provider suggested we do a procedure, and I scheduled an appointment at the clinic where the procedure was to be performed. I was told to arrive 15 minutes earlier than the appointment, when I again was required to sign several pages of HIPAA forms that are complex and meaningless to the average patient AND was asked about the history of related procedures and previous diagnoses and, by way of paper forms, answers to my medical history.

BTW, they are both in the same building complex; in fact, the clinic used the same waiting room.

So how has HIPAA done on "Improved efficiency in healthcare delivery by standardizing electronic data interchange"?

My Personal Health Record (PHR)#

I have tried for years to find a method of obtaining my Personal Health Record as an Electronic Medical Record and have yet to find one; nothing out there is even close.

In this case, My primary Health Care Provider had a nice and pretty well thought out portal where I could:

  • schedule and cancel appointments
  • See and pay bills including Insurance results
  • see medical information that was performed by my primary Health Care Provider.

However, I could not:

  • Upload any data to the site.
  • Send email to my primary Health Care Provider (or use any other method of communication)

Whenever I have asked Health Care Providers why they do not have these capabilities, they cite either money or Federal Health Care Laws.

15-Apr-2016 17:59
2016-04-15#

Backend as a Service#

Backend as a Service allows developers to concentrate on the purpose of their applications without dealing with the common details of applications. Common details of applications include:
  • How they Authenticate
  • How they upload files
  • How Back-end communication is performed.
End-users do not typically care about the common details of applications but rather how well the application fits their needs.

A common user experience is more important than the wizardry or technical details that developers often think are important.

One of the keys to a good User Experience is to have the same feeling about the program regardless of device and use. Users expect a universal, and effective, User Experience.

As an example, security experts tell users things like:

Not dealing with common details of applications also allows developers to get more done faster.

06-Apr-2016 12:20
2016-04-06#

Web Linking#

Universal Links, Custom URI schemes, Mobile deep linking, #

In the context of mobile apps, deep linking consists of using a uniform resource identifier (URI) that links to a specific location within a mobile app rather than simply launching the app. Deferred Deep Linking allows users to deep link to content even if the app isn't already installed. Depending on the mobile device platform, the URI required to trigger the app may be different.

27-Mar-2016 12:45
Overview#

Managing Privileged Accounts#

Recently, when working with a client, there was a scenario where some "White-Hat" hackers who already had full administrative access to a machine and possessed many specialized tools were able to obtain the credentials of another administrator.

Now to be clear, the organization already was:

  • using separate administrative accounts for each user.
  • the administrative accounts were separate from the user's non-administrative account
  • administrative accounts had a password expiration policy that was enforced.

What was Done#

There was a decision to:
  • reduce the access of the Microsoft Active Directory team's accounts to less than "Domain Administrators"
  • place "all" "Domain Administrators" access within a check-out Privileged Account Management system.

The organization already had a Multi-Factor Authentication application in place and it was suggested that this be used instead.

Conclusion[1]#

Organizations can substantially benefit by having a process in place for the use and management of administrative privileges. A robust process for the management of administrative privileges includes:
  • Providing clarity on what administrative privileges are necessary
  • Minimizing the use of shared administrative accounts
  • Having a method of being able to verify the privileges associated with each account
  • Having a method of reliably controlling and monitoring the use of account privileges

Not only will having a robust process for the oversight of administrative privileges bring peace of mind to management, it will also provide organizations with better security. Developing a robust process for the management of administrative privileges involves first developing policies for administrative privilege use and then determining the appropriate mechanisms to enforce those policies.

18-Mar-2016 13:30
Overview#

OpenID Connect Use Cases#

15-Mar-2016 16:31
2016-03-15#

Portable Contacts#

Portable Contacts is an open protocol for developers to make it easier for developers to give their users a secure way to access the address books and friends lists they have built up all over the web. The goal of the project is to increase data portability by creating a common and open specification to bridge proprietary contacts Application programming interfaces (API) such as Google's GData Contacts API, Yahoo's Address Book API, and Microsoft's Live Contacts API. It combines OAuth, XRDS-Simple and a wire-format based on vCard harmonized with schema from OpenSocial.

The editor of Portable Contacts specification was Joseph Smarr of Plaxo and the project co-maintained by Chris Messina. Portable Contacts is used by services such as Google Contacts,[1] Windows Live Messenger Connect,[2] as well as other specification such as OStatus.

14-Mar-2016 12:25
2016-03-14#

Internet Of Things And the Numbers#

Speaking with a developer that had been working with a Manufacturing Company working with farm planters. He was saying that the company wanted to track:
  • When each seed that was planted
  • How much fertilizer was put on each seed

This then implies, that each seed might need a Digital Identity for each seed.

So I was wondering, in the world of Internet Of Things, just what numbers are we talking about?

If you use 30" rows and 5.5" spacing, there would be 30,700 seeds per acre. The US alone planted 90,000,000 acres of corn in 2015.

So when we do those calculations, we come up with 30,700 * 90,000,000 = 2,763,000,000,000, or two trillion seven hundred sixty-three billion identities in the US alone each year.

As there are currently only 7,408,433,000 people in the world (7.4 billion as of 2016-03-14), this gives some idea of the scale of the Internet Of Things.

John Deere collects and shares data collected by 200,000 telematically-enabled machines to provide growers with timely and accurate data for optimal growing conditions.

A tractor and a planter consist of:

  • Tractor: 20 CPUs and 6 million lines of code.
  • A 24-row planter: 77 CPUs, 7 million lines of code and

Each seed is placed 1.5 deep and 5" apart with 3.3 cm accuracy at 10 mph.

Each planter row plants 80 seeds per second (24 rows * 80 seeds/sec = 1,920 seeds/sec per planter).

Even if they are not all identities, it is a lot of data. And there will be identities at some level along the way:

  • Each tractor?
  • Each Application?
  • Each user that accesses the data?

11-Mar-2016 14:13
2016-03-11#

Cross-platform Authentication#

07-Mar-2016 16:15
Overview#
The IPFS Project

The InterPlanetary File System (IPFS) is a new hypermedia distribution protocol, addressed by content and identities. IPFS enables the creation of completely distributed applications. It aims to make the web faster, safer, and more open.

18-Feb-2016 14:58
2016-02-18#

Researchers find two flaws in OAuth 2.0[1]#

In a PDF submission to arXiv, the researchers said that in the first attack (known as the HTTP 307 Temporary Redirect attack), identity providers (IdPs) inadvertently forward user credentials (i.e., username and password) to the relying party (RP) or the attacker. In the second attack, a network attacker can impersonate any victim.

FIRST
"This severe attack is caused by a logical flaw in the OAuth 2.0 protocol and depends on the presence of a malicious identity provider," the researchers said.

"In this attack, the attacker (running a malicious RP) learns the user's credentials when the user logs in at an IdP that uses the wrong HTTP redirection status code."

The researchers said that in order to fix this problem, only HTTP 303 codes should be permitted in OAuth, since "the HTTP 303 redirect is defined unambiguously to drop the body of an HTTP POST request."

SECOND
The second flaw involves an attack on the RP website: "The attacker confuses an RP about which IdP the user chose at the beginning of the login/authorisation process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data." The Man-In-The-Middle (MitM) attack enables a hacker to change user data and fool the RP into treating it as the IdP the user wants.

"As a result, the RP sends the Authorization Code or the access token (depending on the OAuth mode) issued by the honest IdP to the attacker, who then can use these values to login at the RP under the user's identity (managed by the honest IdP) or access the user's protected resources at the honest IdP."

The researchers said to fix this, OAuth 2.0 should include the identity of the IdP in the redirect in some form. "More specifically, we propose that RPs provide a unique redirection endpoint for each IdP. Hence, the information which IdP redirected the browser to the RP is encoded in the request and the RP can detect a mismatch."

Using the "state" parameter within the Authorization Request or using the PK???? would stop this issue.
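The two mitigations the researchers propose, a 303 redirect after the credential POST at the IdP and one redirection endpoint per IdP at the RP, as an added example in Python (not code from the paper or from any OAuth library; the RelyingParty class, the /callback/<idp> path layout, the browser model and all URLs are assumptions of this example):

```python
"""Defensive checks for the two OAuth 2.0 flaws described above (added example)."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


class MixUpDetected(Exception):
    """The IdP named by the redirection endpoint is not the one the user chose."""


# ---- Fix 1: an IdP answers a credential POST with 303, never 307 ----
def redirect_after_login(location: str, status: int = 303) -> tuple:
    """Build the redirect an IdP sends after a successful POST of credentials.

    RFC 7231: 307 tells the browser to repeat the same method and body at the
    new Location, so the username/password form would be re-POSTed to the RP.
    303 is the one status defined to turn the follow-up into a body-less GET,
    so it is the only status this IdP allows here (as the researchers propose).
    """
    if status != 303:
        raise ValueError(f"status {status} may replay the POSTed credentials")
    return status, {"Location": location}


def browser_follow(status: int, method: str, body):
    """Constructed model of what a browser sends when it follows a redirect."""
    if status in (307, 308):
        return method, body          # method and body preserved: the leak
    return "GET", None               # 303: body dropped


# ---- Fix 2: one redirection endpoint per IdP at the RP ----
@dataclass
class RelyingParty:
    base_url: str
    client_id: str
    idps: dict                       # IdP name -> its authorization endpoint
    sessions: dict = field(default_factory=dict)

    def redirect_uri_for(self, idp: str) -> str:
        # The IdP's name is baked into the redirect_uri registered with that IdP.
        return f"{self.base_url}/callback/{idp}"

    def start_login(self, session_id: str, idp: str) -> str:
        """Remember which IdP the user chose, then send the browser there."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"idp": idp, "state": state}
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri_for(idp),
            "state": state,
        }
        return f"{self.idps[idp]}?{urlencode(params)}"

    def handle_callback(self, session_id: str, request_url: str) -> dict:
        """Accept the authorization response only at the endpoint of the IdP
        recorded in the session; anything else is the mix-up described above
        and the code must not be redeemed at any IdP."""
        parsed = urlparse(request_url)
        idp_from_path = parsed.path.rsplit("/", 1)[-1]
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("no login in progress for this session")
        if idp_from_path != session["idp"]:
            raise MixUpDetected(
                f"response arrived at the {idp_from_path!r} endpoint "
                f"but the user chose {session['idp']!r}")
        query = parse_qs(parsed.query)
        if query.get("state", [None])[0] != session["state"]:
            raise PermissionError("state mismatch")
        code = query.get("code", [None])[0]
        if code is None:
            raise PermissionError("no authorization code in response")
        del self.sessions[session_id]    # the login attempt is one-shot
        # Redeem the code only at the chosen IdP's token endpoint.
        return {"idp": idp_from_path, "code": code}
```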

14-Feb-2016 17:36
Overview#

OpenID Connect#

When a user signs in successfully on an Identity Toolkit-enabled site, Identity Toolkit's widgets set a cookie named "gtoken". It is a JSON Web Token (JWT), a cryptographically signed JSON object encoded in base64. The Identity Toolkit JWT is very similar to an OpenID Connect ID Token, and we will refer to it as the Identity Toolkit ID Token.

The Identity Toolkit ID Token does NOT conform to the OpenID Connect specification in one important way. The user_id field in an OIDC ID Token is the identifier of the user at the IdP. The user_id field in the Identity Toolkit ID Token is a global identifier, unique across all IdPs, for this user in the context of your site or app. It is not shared with other sites or apps that use Identity Toolkit. In other words, Identity Toolkit does not provide a global identifier across different developers (relying parties).

08-Feb-2016 15:44
2016-02-08#

Security "folks"#

I have found it very easy to make systems secure if you do not have to live with those decisions.

In many organizations I find the Security "folks" laying down rules.

However, those Security "folks" do not have to deal with:

  • working with the end-users
  • the "day-to-day" work of keeping the environment working.

04-Feb-2016 01:01
2016-02-03#

31-Jan-2016 04:55
Overview#

Ran into today#

Certification Authority Rating And Trust (CARAT) #

These Guidelines are intended to help organizations create closed, but interoperable Public Key Infrastructures (PKIs) that can be used to facilitate pilot projects employing public key technology.

Such organizations, called Policy Authorities in this document, can use the Guidelines to analyze their particular needs and to construct a PKI that will meet those needs. One important product of that analysis is likely to be a Certificate Policy, which may be thought of as a charter for a particular PKI.

A Certificate Policy defines who the parties are, the relationships and obligations of the parties to one another, and what uses are acceptable within the PKI. The last part of these Guidelines includes high-level drafting instructions for Certificate Policy writers. The Guidelines suggest that Policy Authorities use contracts to make the provisions of a Certificate Policy legally binding among the parties.

20-Jan-2016 14:29
2016-01-20#

Back-channel Communication#

08-Jan-2016 12:27
2016-01-08#

Minimum Viable Platform[1]#

Steffen Hedebrandt also talks about the idea of the Minimum Viable Platform. Hedebrandt defines this, in its most basic terms, as something that connects producers with consumers through value/interaction.

Here’s a little more on what Hedebrandt means when he talks about the idea of a business as a platform:

"Apple and Google have created these app stores where you can share whatever you build with people, rather than having this example of where you buy raw materials, create something, put it in a shop and hope that it sells."

Some other Examples:

  • airbnb
  • uber
  • youTube

Log Everything#

In a recent meeting we were asked to participate in a new Logging POC. The discussion went something like:
  • I asked what was being logged.
  • The response was "everything".
  • I elaborated: is this for Auditing or Metrics?
  • The response was "everything".

My conclusion: they have no idea what they want to accomplish. I seem to see more and more of this type of thing happening within large corporations. Apparently some area has a bunch of money and needs to make an impact, so they try everything instead of defining what the use cases are and then finding a solution.

Auditing Monitoring Metrics Logging#

Metrics#

What questions can Metrics answer?
  • How many users are on my Site?
  • How slow is the PayPal API?

Generally, metrics come in various categories:

  • Business Metrics - How many widgets we sold, were returned etc.
  • Application Metrics -
  • System Metrics - How much disk space is in use, what is the CPU load?

Measure->Collect & Sample->Store->Query & Graph

Metric Processes#

  • Dashboards
  • Complex Alert Processing (CEP)
  • Anomaly Detection
  • Alerting

Type of Metric Tools#

  • Gauges - Measures a value
  • Counters - Increment or Decrement integers
  • Meters - Measure the rate at which a set of events occur
  • Histograms - Measures the Distribution of values
  • Timers - A timer is a histogram over a duration

07-Jan-2016 15:15
2016-01-07#

Adaptive Directory Access Protocol (ADAP)#

05-Jan-2016 19:25
2016-01-05#

Consent Specifications#

We have already looked at Minimum Viable Consent Receipt, and today ran into the Health Level Seven Privacy Consent Directive (PCD) from Fast Healthcare Interoperability Resources.

01-Jan-2016 23:11
2016-01-01#

User-centric Identity vs System-centric Identity#

The term User-centric Identity is getting bandied about a lot these days. It's generally understood to be a different way of expressing the entire identity transaction as opposed to what might be called the "enterprise-centric" approach traditionally used within provisioning, federation and even simplified sign-on situations. There is still much confusion as to exactly what steps are necessary to make the transaction truly user-centric, though.

Unfortunately, when most people outside the identity field look at the two supposedly opposed organizational methods they simply don't understand what all the fuss is about as both methods revolve around the identity of people, the users. There's also nothing that mandates that either method is solely concerned with the identity of people; both can (and are) extended to the identity of things, concepts, protocols and more.[1]

Identity 2.0, also called digital identity, is a set of methods for identity verification on the internet using emerging user-centric technologies such as Information Cards or OpenID. Identity 2.0 stems from the Web 2.0 theory of the World Wide Web transition. Its emphasis is a simple and open method of identifying transactions similar to those in the physical world, such as a driver's license.[2]

Industry analyst firm the Burton Group described it as follows: "In Identity 2.0, usage of identity more closely resembles today's offline identity systems, but with the advantages of a digital medium. As with a driver's license, the issuer provides the user with a certified document containing claims. The user can then choose to show this information when the situation requires".

The current internet model makes taking one's identification difficult from site to site. This was described in the Burton Group report as, "today's identity systems—which represent a "1.0" architecture, feature strong support for domain management but exhibit scalability and flexibility limitations when faced with the broader identity requirements of Internet scenarios." In that light, user-centric proponents believe "federation protocols (from Liberty Alliance, the Organization for the Advancement of Structured Information Standards OASIS, and the Web Services working group) are bastions of a domain-centric model but do little to recast the architectural foundations of identity systems to support grander structures."[3]

27-Dec-2015 11:48
2015-12-27#

TLS is Broken#

"The Transport Layer Security (TLS) Protocol Version 1.2" (RFC 5246) clearly states "The TLS protocol provides communications security over the Internet".

Yet every day millions of people work behind TLS proxies that provide no security and no indication to the end-user that the connection is NOT secure. Some of these are "legal" TLS proxies operated by organizations where the end-user has provided consent for their employers to spy on them. There are of course MANY others where the typical Internet user has no idea that they are using a TLS proxy.

Many "free" Wi-Fi systems and most hotel and motel systems utilize TLS proxies, often operated by their chosen provider.

Many Internet providers utilize TLS proxies for all of their connections.

These TLS proxies typically decrypt the "supposedly" secure TLS communication and perform inspection and logging of data, all unknown to the end-user. These TLS proxies are of course subject to review by any number of government authorities, often without the end-user being notified.

Many of these TLS proxies generate certificates on the fly and present them to the user as a "valid" certificate signed by one of the hundreds of Certificate Authorities built into the browser or added by the employer.

Regardless of the technology used, the TLS proxy is by definition a Man-In-The-Middle attack, and TLS does not detect the attack. This clearly contradicts "The TLS protocol provides communications security over the Internet".

26-Dec-2015 12:39
2015-12-26#

Things for today#

  • custom URI scheme
  • reverse domain name notation
  • browser-view - A full page browser with limited navigation capabilities that is displayed inside a host app, but retains the full security properties and authentication state of the system browser. Goes by different names on different platforms, such as SFSafariViewController on iOS 9, and Chrome Custom Tab in Chrome for Android.

Most of this comes from: https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00

23-Dec-2015 12:20
2015-12-23#

Zero-knowledge proof#

OAuth 2.0 & XACML[1]#

Authorization has many different facets, and to describe OAuth solely as an ‘authorization standard’ begs confusion with the other authorization facets. For instance, the Extensible Access Control Markup Language (XACML) is manifestly focused on authorization, but there is effectively no overlap at all between XACML and OAuth 2.0 (in fact they are nicely composable).

In the case of obtaining the Resource Owner’s consent before the token is issued to the client, the OAuth 2.0 Authorization Server effectively plays the role of the XACML Policy Information Point, in which the policy is defined and subsequently stored as an XACML policy. In this case, the XACML policy might record the fact that the Resource Owner consented to the client being able to read their attributes held at the Resource Server, but not make any changes. Once it receives the token from the AS, the client can then use that token on its API calls to the RS. At the resource server, an XACML policy enforcement point (PEP) would intercept the API call (let’s assume it was an HTTP POST that attempted to add some new attribute to the resource owner’s store) and call out to the XACML policy decision point (PDP) to obtain an access control decision. In this case, as the resource owner has previously specified that the client could read but not write, the POST request would be denied and the PDP would respond accordingly to the PEP.

To be clear, OAuth does not presume or require an underlying XACML infrastructure. The point here is only that OAuth and XACML, while both authorization-centric, are compatible.
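The read-but-not-write consent scenario above, carried through as an added Python example (not code from any XACML or OAuth implementation): the AS's consent record is the policy, a PEP in front of the Resource Server maps the HTTP method to an action and asks the PDP, and the POST is denied. The ConsentPolicy and AccessToken classes, the decision strings and the /users/<owner>/attributes path layout are assumptions of this example.

```python
"""Consent recorded by the AS enforced at the RS through a PEP/PDP pair (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class ConsentPolicy:
    """What the AS stored when the Resource Owner consented to a client."""
    resource_owner: str
    client_id: str
    actions: FrozenSet[str]          # e.g. frozenset({"read"})


class PolicyDecisionPoint:
    """Evaluates the stored consent policies (a tiny stand-in for an XACML PDP)."""

    def __init__(self, policies):
        self.policies = list(policies)

    def decide(self, client_id: str, resource_owner: str, action: str) -> str:
        matching = [p for p in self.policies
                    if p.client_id == client_id and p.resource_owner == resource_owner]
        if not matching:
            return NOT_APPLICABLE      # no consent on record for this client/owner pair
        if any(action in p.actions for p in matching):
            return PERMIT
        return DENY                    # consent exists, but not for this action


@dataclass(frozen=True)
class AccessToken:
    """What the AS bound to the token it issued to the client."""
    client_id: str
    resource_owner: str


class PolicyEnforcementPoint:
    """Sits in front of the Resource Server API, intercepts each call and asks the PDP."""

    # HTTP method -> XACML-style action (an assumption of this example)
    METHOD_TO_ACTION = {"GET": "read", "HEAD": "read",
                        "POST": "write", "PUT": "write",
                        "PATCH": "write", "DELETE": "write"}

    def __init__(self, pdp: PolicyDecisionPoint, tokens: Dict[str, AccessToken]):
        self.pdp = pdp
        self.tokens = tokens          # bearer token value -> what the AS issued

    def handle(self, method: str, path: str, bearer: str) -> int:
        """Return the HTTP status the RS should answer with."""
        token = self.tokens.get(bearer)
        if token is None:
            return 401                 # unknown or missing token
        # Path layout /users/<owner>/attributes is an assumption of the example.
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "users" or parts[2] != "attributes":
            return 404
        owner = parts[1]
        if owner != token.resource_owner:
            return 403                 # token was not issued for this owner's data
        action = self.METHOD_TO_ACTION.get(method.upper())
        if action is None:
            return 405
        decision = self.pdp.decide(token.client_id, owner, action)
        return 200 if decision == PERMIT else 403   # Deny and NotApplicable both fail closed
```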

OAuth 2.0 & SAML[2]#

As you might expect for two general purpose security frameworks, there are a number of different integration points between OAuth 2.0 and the Security Assertion Markup Language (SAML), including:

We compare some of the various facets of Standards Based SSO.

17-Dec-2015 16:26
2015-12-17#

Why OAuth#

14-Dec-2015 12:19
Overview#

OWIN#

Kept hearing about OWIN and that it was some standard.

12-Dec-2015 11:56
2015-12-12#

Stumbled On#

PrivacyLens gives users fine grained control of what information is sent from an identity provider to a service provider. It derives from, and augments the capabilities of uApprove. It is installed by embedding it into an existing installation of the Shibboleth Identity Provider.

uApprove is a User Consent Module for Shibboleth Identity Providers v2.x to enforce acceptance of terms of use and user attribute release consent. It serves the following purposes:

  • The user is informed about the release of his data (attributes) to a Service Provider (SP) when he accesses the SP for the first time or if his data has changed.
  • The administrator of an Identity Provider (IdP)
    • can ask the user to accept an IdP's terms of use before accessing any services
    • gets a tool that implements data protection laws by enforcing user consent before personal user attributes are released to an SP
    • knows when a particular user gave consent to release which attribute and value to a particular SP

From the user's point of view, uApprove is an application that presents him with a web page, on which

  • he may have to accept or decline the Terms of Use of a Shibboleth Identity Provider upon first access to the system (this option can be disabled by configuration)
  • he can globally accept the release of all his/her attributes to any Service Provider
  • he has to accept the release of his/her attributes upon first access to a given Service Provider (if the global release has not been approved)

Shibboleth IdPv3 comes with built-in user consent that obsoletes uApprove!

07-Dec-2015 12:33
2015-12-07#

Galois-Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption.

29-Nov-2015 13:03
2015-11-29#

New entries#

26-Nov-2015 13:01
2015-11-26#

Privacy-Preserving Attribute-Based Credential Engine#

23-Nov-2015 15:38
2015-11-23#

JSON-LD#

Data is messy and disconnected. JSON-LD organizes and connects it, creating a better Web.

18-Nov-2015 11:13
2015-11-18#

Mutual SSL Authentication#

Found this nice article on Mutual SSL Authentication.

14-Nov-2015 13:10
2015-11-14#

CommonAccord#

04-Nov-2015 11:47
2015-11-04#

Blockchain Other Uses#

Along with bitcoin transactions, the blockchain can be used to store any digital data. While some view such uses as "bloating the blockchain", bitcoin's decentralized nature means that they cannot effectively be stopped. This led the developers of Bitcoin Core, the official bitcoin client, to introduce an official mechanism for adding arbitrary metadata to transactions in early 2014.[1]

This mechanism is used by services such as Proof of Existence and BlockSign to notarize the existence of a document by embedding a digital signature of that document inside a transaction.

Other Blockchains#

Sidechains[2]#

The distributed Bitcoin mining network performs quadrillions of calculations every second that maintain the integrity of its blockchain. Other blockchains are not remotely as secure, but they innovate much faster. Sidechains, an innovation proposed and developed by the startup Blockstream, allow for the best of both worlds; the creation of new blockchains "pegged" to Bitcoin, so that value can be transferred between them, which can conceivably be automatically secured by Bitcoin miners via “merged mining.”

The sidechains vision of the future is of a vast globe-spanning decentralized network of many blockchains, an intertwined cable rather than a single strand, each with its own protocol, rules, and features — but all of them backed by Bitcoin, and protected by the Bitcoin mining network, as the US dollar was once backed by gold. Sidechains can also be used to prototype changes to the fundamental Bitcoin blockchain. One catch, though: this will require a small tweak to the existing Bitcoin protocol.

03-Nov-2015 13:34
2015-11-03#

The definitive guide to form-based website authentication#

https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication?rq=1

Server Name Indication#

01-Nov-2015 12:57
2015-11-01#

Forget Firewalls - Enterprise Data is your New Perimeter[1]#

One of the biggest challenges modern enterprises are facing is the evolution toward connected businesses. To survive in this fiercely competitive environment, businesses strive to be as agile as possible, to continuously adopt new business models and to open up new communication channels with their partners and customers. Thanks to rapidly growing adoption of cloud and mobile computing, enterprises are becoming more and more interconnected, and the notion of a security perimeter has almost ceased to exist.

Since you can NOT protect your infrastructure, you must protect your data.

  • Information must be self describing and defending
  • Policies and controls must account for business context
  • Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business contexts
  • Policies must work consistently through the different layers of technologies we implement.

The process has been termed Information Rights Management and involves the following:

  • Data Discovery - You must know where your data exists; you cannot protect what you do not know about.
  • Data Classification - Not all data is created equal, and every organization has its own data taxonomy.
  • Data Visibility - You need to know who is using your data at any time, inside and outside of your network.
  • Data Protection - All sensitive data must be encrypted: Data At Rest, Data In Transit, Data In Process, In the Wild.
  • Data Security Analytics - You must be able to make data decisions in real time if a data breach is detected.

30-Oct-2015 11:57
2015-10-30#

Transaction Authentication Numbers#

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

TANs provide additional security because they act as a form of two-factor authentication. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.

29-Oct-2015 01:18
2015-10-28#

CyLab Usable Privacy and Security Laboratory#

From a Twitter entry we ran across the CyLab Usable Privacy and Security Laboratory.

25-Oct-2015 16:08
Overview#

API-Gateway#

The API-Gateway should have some ability to integrate Authentication Methods and some Access Control Models.

These are some of the players:

23-Oct-2015 14:12
2015-10-23#

NIST Privacy-Enhanced Identity Brokers#

The National Cybersecurity Center of Excellence (NCCoE) at NIST has released a Building Block White Paper, "Privacy-Enhanced Identity Brokers".

"An Identity Broker can provide business value to both RPs and IdPs since each RP and IdP only needs to integrate with the identity broker once. The value to the RP is quite simple connect once (to the identity broker) and accept many types of credentials. Yet the identity broker may raise risks to individual privacy; the broker, if deployed incorrectly, is in a significant position of power, as it creates the potential to track or profile an individual’s transactions. In addition, it could gain insight into user data it does not need in order to perform the operations desired by IdPs and RPs.

Privacy Enhancing Technologies (PETs) are tools, applications, or automated(?) mechanisms which—when built into software or hardware—reduces or eliminates adverse effects on individuals when their personal information is being collected and/or processed. PETs implemented by identity brokers can reduce the risk of superfluous exposure of individuals’ information to participant organizations that have no operational need for the information, as well as shrink the attack surface for unauthorized access.

This document describes the technical challenges unique to integrating Privacy Enhancing Technologies with Identity Brokers. It suggests scenarios suited for exploring the tradeoffs of mitigating or accepting specific privacy risks. Ultimately, this project will result in a publicly available NIST Cybersecurity Practice Guide—a description of the practical steps needed to implement a reference architecture that addresses existing challenges in the current identity broker marketplace."

The complete document can be found at: https://nccoe.nist.gov/sites/default/files/nccoe/Privacy_Enhanced_Identity_Brokers_Building_Block_WP.pdf

16-Oct-2015 11:06
Overview#

WebSEAL#

"WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy."

WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS requests from a Web browser and delivering content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Tivoli Access Manager authorization service to determine whether the user is authorized to access the requested resource.

WebSEAL provides the following features:

  • Supports multiple authentication methods - Both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
  • Accepts HTTP and HTTPS requests
  • Integrates and protects back-end server resources through WebSEAL junction technology
  • Manages fine-grained access control for the local and back-end server Web space - Supported resources include URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.
  • Performs as a reverse Web proxy - WebSEAL appears as a Web server to clients and appears as a Web browser to the junctioned back-end servers it is protecting.
  • Provides single sign-on capabilities

11-Oct-2015 12:52
2015-10-11#

Defining some parameter pages for Char#

29-Sep-2015 11:46
2015-09-29#

Principle of least privilege#

Secure by design#

18-Sep-2015 11:28
2015-09-18#

Password-Based Key Derivation Function#

03-Sep-2015 08:39
2015-09-03#

NIST uses three NIST Special Publication subseries to publish computer/cyber/information security guidance, recommendations and reference materials:

  • NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials.
  • A new subseries created to complement the SP 800s; it targets specific cybersecurity challenges in the public and private sectors with practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity.
  • A general IT subseries used more broadly by NIST's Information Technology Laboratory (ITL); this page lists selected SP 500s related to NIST's computer security efforts. (Prior to the SP 800 subseries, NIST used the SP 500 subseries for computer security publications; see Archived NIST SPs for a list.)

02-Sep-2015 16:29
2015-09-02#

Article 29 of Directive 95-46-EC#

29-Aug-2015 09:09
2015-08-29#

Common Domain for Identity Provider Discovery#

Service providers need a way to determine which identity provider in a circle of trust is used by a principal requesting authentication. Because Circles of Trust are configured without regard to their location, this function must work across DNS-defined domains. A common domain is configured, and a common domain cookie written, for this purpose.
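How the common domain cookie carries the discovery hint, as an added Python example (not code from any SAML implementation). It follows the SAML 2.0 Identity Provider Discovery Profile as I recall it, namely a cookie whose value is a list of base64-encoded IdP entity IDs separated by single spaces with the most recently used IdP last; treat the cookie name "_saml_idp", that encoding and the constructed entity IDs as assumptions to verify against the profile.

```python
"""Common domain cookie for IdP discovery: what the IdP writes, what the SP reads (added example)."""
import base64
from typing import Iterable, List, Optional
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"   # assumed cookie name, set on the shared common domain


def parse_common_domain_cookie(raw_value: str) -> List[str]:
    """Decode the cookie value into the ordered list of IdP entity IDs.

    Entries that are not valid base64/UTF-8 are skipped rather than allowed
    to crash the SP: the cookie comes from the browser and is only a hint.
    """
    idps = []
    for token in unquote(raw_value).split(" "):
        if not token:
            continue
        try:
            idps.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return idps


def encode_common_domain_cookie(idps: Iterable[str]) -> str:
    """Base64 each entity ID, join with single spaces, percent-encode for the header."""
    encoded = " ".join(base64.b64encode(i.encode("utf-8")).decode("ascii") for i in idps)
    return quote(encoded, safe="")


def record_idp(raw_value: str, entity_id: str) -> str:
    """What an IdP does after authenticating a user: move or append its own
    entity ID to the end of the list so it becomes the most recent one."""
    idps = [i for i in parse_common_domain_cookie(raw_value) if i != entity_id]
    idps.append(entity_id)
    return encode_common_domain_cookie(idps)


def preferred_idp(raw_value: str, circle_of_trust: Iterable[str]) -> Optional[str]:
    """What an SP does when it must route an authentication request: take the
    most recently used IdP that is also in its own circle of trust.  The hint
    only selects where to send the request; the assertion that comes back is
    still validated (signature, audience, trusted issuer) as usual."""
    trusted = set(circle_of_trust)
    for entity_id in reversed(parse_common_domain_cookie(raw_value)):
        if entity_id in trusted:
            return entity_id
    return None    # no usable hint: fall back to asking the user
```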

27-Aug-2015 08:56
2015-08-27#

#

A number of folks have been discussing liability topics in side-email, and I wanted to share some excerpted thoughts here in preparation for Friday’s subgroup call. (Unfortunately, I can’t be on the call myself; Dazza has graciously agreed to facilitate.)

The top liability/adoption conundrum I think we face is the one of whether a resource server (RS) can become comfortable with “outsourcing” protection to an authorization server (AS). An imperfect but apt analogy in the identity world is the relationship between relying parties (RPs) and identity providers (IdPs). Adrian has been describing this as wanting to define a “safe harbor” for the RS.

And looking at what use cases to start with, we’ve got a healthcare elephant in the room, so I suggest we tackle it and see how it goes. :-)

A pattern we’re seeing in the HEART Profile group use cases involves: Alice visiting a primary care provider (PCP) for the first time; we can imagine her offering for the PCP’s electronic health record (EHR) system to connect up to "her AS" (*more about this in a sec).

So we’re just talking about very initial UMA steps here, not even a whole flow, and there don't even have to be any Bobs in the picture yet (unless he’s needed for Third-Party off-screen extra purposes).

(I realize not every jurisdiction in the world has private-sector PCPs, but I believe that in some public-sector systems, private PCPs work under contract to the government — might they feel liability pressure?)

What do I mean by "her AS"?#

Adrian and I had a really interesting exchange about what the relationship should be between the RS, Alice, and "Alice’s AS".

Adrian's take:

  • The RS has no right to object to whatever AS Alice wants to tell it to use, because it has no stake in the matter — it just does what the AS tells it to, it gets safe-harbor protection by getting a list of assurances that either come built-in with UMA, or can be built on top of it (I’m not sure I understand the whole list...).

Eve's take:

  • I really want to believe this. Obviously, what I want us to be able to build is an ironclad case for this! But an RS in real life has to act as an OAuth client to a UMA AS, has to trust that the AS actually does the right thing in coughing up tokens, that it’s secure, etc. Without those “trust framework” types of assurances, it would be crazy — or, more to the point, the CEO, CFO, and CIO of the RS operator would be crazy — to allow Alice to just point to Zeke’s Nocturnal AS (motto: “We Fly By Night”).

In fact, if Alice built her own AS, it could be even shadier because she could collude with it to put lots of other people’s data at risk — the AS may end up seeing identifiers and claims of requesting parties, and maybe Alice is opening up the AS at home and looking at all the data. (Not that the RS may strictly care about these vulnerabilities, but *I* care…)

In case it turns out to matter for use case exercise purposes, here are some candidate variations on the chosen AS that I identified:

  • Alice-AS: Alice runs her own AS, whether on a home server or at her ISP or in AWS or whatever
  • Social-AS: Alice chooses her own AS, say, run by Google or Facebook or some similar service (a la social IdPs) through a “NASCAR” interface
  • Gov-AS: Alice uses a public-sector AS
  • Private-AS: Alice uses the AS offered by the same closed system in which the RS runs (a la the new Privacy Control Center in Google Apps)

Do the scenario, the goal, the roles, and the UMA flow give enough to work with in mapping to contractual parties?

===============================================================================

to wg-uma #

I just belatedly saw another note from Adrian that made a crucial clarification. He suggests that “when a resource has only one Resource Owner, there is a benefit in allowing that RO to specify the AS”. UMA only enables one (lowercase, technical) resource owner per resource, so I think what this really may mean is that "the data rights ownership inheres 100% in the individual RO" (or something like that).

Would examples of data like this include health data stored in an EHR system?... I get the feeling that the data rights are never 100% on the RO's side, because the service operator may have data retention rights/requirements and so on.

26-Aug-2015 11:48
2015-08-26#

IDENTITY, CREDENTIAL, & ACCESS MANAGEMENT#

24-Aug-2015 12:09
2015-08-24#

Trust Framework in Healthcare Technologies#

Keith Hazelton keith.hazelton@wisc.edu via kantarainitiative.org
This post to the UMA WG challenges our OTTO presumption that federations are an inescapable precondition for the solution. The specific challenge comes from what Adrian says about the health record domain. —k

From: <wg-uma-bounces@kantarainitiative.org> on behalf of Adrian Gropper
Date: Wednesday, August 19, 2015 at 14:39
To: Eve Maler
Cc: "wg-uma@kantarainitiative.org UMA"
Subject: Re: WG-UMA Legal Use Case - User Managed vs. Controlled Access

Eve,

I really don't see how to introduce UMA in healthcare or anywhere else if the use-case is as in the university e-transcript case study. That model is unrealistic, at least in healthcare:

  • Presumes adoption of shared data models and scopes (the HEAR in the demo) to a practical extent for authorization management. FHIR is moving in that direction and promises standardization for interchange purposes but authorization is a higher bar because it presumes that Alice's comprehension, state, and federal data protection mandates (42CFR) will align with the interchange standards. There is no reason to believe this alignment will happen. FHIR is governed by a group of industry peers for their interchange purposes. Authorization is not necessarily on their agenda. My example is healthcare specific, but I suspect it applies to most other verticals, probably even education.
  • Presumes adoption of identity and other federations. There are absolutely no ID federations in healthcare and none are even on the horizon. Healthcare may be a more extreme case but we see similar behavior in many other industries that serve consumers. In finance, consumer ID federation is limited to small transactions at ATMs. Education is a misleading outlier because the participants are peer higher education institutions. ID federation will happen sooner or later but the path is far from clear and UMA should not wait if we want real-world adoption for IoT and selected verticals.
  • The outsourced model for general purpose authorization management is currently the Apple App Store and they have no reason to adopt standards in the near term. We see the Apple authorization domain moving from the regular apps, to HealthKit apps, to payment, and now to HomeKit. UMA will enter the market as the standard for businesses that want to compete with Apple's strong privacy protections. Substitutability of the Authorization Server will be essential to competing with Apple and other walled gardens of authorization.

I'm not as close to other verticals as I am to healthcare but it seems to me that the evidence points in the direction of dynamic registration of the UMA Authorization Server first, followed by dynamic registration of the client second. Although I'd like to see every implementation of UMA include OIDC by default, like MITREid Connect does, the more we rely on federation of identity and standard authorization data models, the less likely we are to succeed.

Adrian

HEART Profile WG#

The HEART Working Group intends to harmonize and develop a set of privacy and security specifications that enable an individual to control the authorization of access to RESTful health-related data sharing APIs, and to facilitate the development of interoperable implementations of these specifications by others.

MVCR#

Demo of User-Managed Access (UMA); UMA where consent means Minimum Viable Consent Receipt (MVCR) needed; Value proposition and Real World use.

23-Aug-2015 10:31
2015-08-23#

Defining Trusted Infrastructure#

I am part of a group at EMC assigned with defining and developing our point-of-view on trusted infrastructure. We started by checking out what the industry was already saying. The most credible definition we came across is from the Trusted Computing Group (TCG), a well-respected nonprofit organization that defines security specifications.

A taxonomy for securely sharing information among others in a trust domain#

In any given collaboration, information needs to flow from one participant to another. While participants may be interested in sharing information with one another, it is often necessary for them to establish the impact of sharing certain kinds of information. This is because certain information could have detrimental effects when it ends up in the wrong hands. For this reason, any would-be participant in a collaboration may need to establish the guarantees that the collaboration provides, in terms of protecting sensitive information, before joining the collaboration, as well as evaluating the impact of sharing a given piece of information with a given set of entities. The concept of a trust domain aims at managing trust-related issues in information sharing. It is essential for enabling efficient collaborations. Therefore, this research attempts to develop a taxonomy for trust domains with measurable trust characteristics, which provides security-enhanced, distributed containers for the next generation of composite electronic services for supporting collaboration and data exchange within and across multiple organisations. Then the developed taxonomy is applied to a possible scenario, in which the concept of trust domains could be useful.

http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6750210&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6750210

Open Trust Taxonomy for OAuth2 References #

http://ilpubs.stanford.edu:8090/675/1/2005-11.pdf:

Gathering Information#

  • Identities
  • Information Integrity

Dealing with Strangers#

Strangers: peers that appear to be new to the system. They have not interacted with other peers and therefore no trust information is available.

Adversary: a general term applied to agents that wish to harm other peers or the system, or act in ways contrary to “acceptable” behavior.

Reputation Scoring and Ranking#

Inputs#

Regardless of how a peer’s final reputation rating is calculated, it may be based on various statistics collected from its history.

Output#

In the end, the computed reputation rating may be a binary value (trusted or untrusted), a scaled integer (e.g. 1 to 10), or a value on a continuous scale (e.g. [0,1]).

Peer Selection#

Once an agent has computed reputation ratings for the peers interested in transacting with it, it must decide which, if any, to choose. If there is only one peer, and the question is whether to trust it with the offered transaction, the agent may decide based on whether the peer’s reputation rating is above or below a set selection threshold.
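The Inputs, Output, Strangers and Peer Selection pieces of the taxonomy above, put together in one added example (my own code, not from the Stanford paper or the OTTO work group). The scoring formula (Laplace-smoothed success ratio with a fixed penalty per relayed complaint), the 0.1 penalty weight and the "probe" policy for strangers are assumptions chosen for illustration; the paper only says the rating "may be based on various statistics collected from its history".

```python
from dataclasses import dataclass


@dataclass
class PeerHistory:
    """Inputs: statistics an agent has collected about a peer. A stranger has an all-zero history."""
    successes: int = 0      # transactions the peer completed honestly
    failures: int = 0       # transactions the peer defaulted on or corrupted
    complaints: int = 0     # negative reports relayed by other peers (weighted less: they may lie)


def reputation(history):
    """Continuous rating in [0, 1], or None for a stranger (no information is not the same as zero trust)."""
    total = history.successes + history.failures
    if total == 0:
        return None
    # Laplace-smoothed success ratio: a single success does not jump straight to 1.0
    score = (history.successes + 1) / (total + 2)
    score -= 0.1 * history.complaints       # assumed penalty weight for second-hand complaints
    return max(0.0, min(1.0, score))


def as_binary(score, threshold):
    """Output form 1: trusted / untrusted. A stranger is never 'trusted' by default."""
    return score is not None and score >= threshold


def as_scaled(score, levels=10):
    """Output form 2: map a continuous rating onto an integer scale 1..levels."""
    return 1 + int(round(score * (levels - 1)))


def select_peers(candidates, threshold, stranger_policy="reject"):
    """Peer selection. candidates: {peer_id: PeerHistory}. Returns peer_ids at or above the
    threshold, best first. stranger_policy 'reject' drops unknown peers; 'probe' admits them at
    exactly the threshold so they can earn a history on low-value transactions."""
    ranked = []
    for peer_id, hist in candidates.items():
        score = reputation(hist)
        if score is None:
            if stranger_policy != "probe":
                continue
            score = threshold
        if score >= threshold:
            ranked.append((score, peer_id))
    ranked.sort(key=lambda pair: (-pair[0], pair[1]))
    return [peer_id for _, peer_id in ranked]
```

The one design point worth taking from this: a stranger's rating is None, not 0. Collapsing "no history" into "bad history" makes it impossible for new honest peers to ever enter the system, while treating it as 1.0 lets an adversary wash a bad reputation by rejoining under a fresh identity; the selection policy has to make that trade-off explicitly.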

Blockchain#

Although the Open Trust Taxonomy for OAuth2 Blockchain idea is appealing, the Blockchain is an unforgeable, append-only store: once entered, content cannot be removed.

22-Aug-2015 09:12
2015-08-22#

Identity Trust Framework#

A legal definition.[1] A Trust Framework is the governance structure for a specific identity system consisting of:
  • the Technical and Operational Specifications that have been developed –
    • to define requirements for the proper operation of the identity system (i.e., so that it works),
    • to define the roles and operational responsibilities of participants, and
    • to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and
  • the Legal Rules that govern the identity system and that --
    • regulate the content of the Technical and Operational Specifications,
    • make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
    • define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.

Examples of Identity Trust Framework#

These are examples of identity trust frameworks, listed without regard to their compliance with anything else:
  • FICAM: processes and controls for determining an identity provider’s compliance to OMB M-04-04 Levels of Assurance
  • ISO 29115 Draft: a set of requirements and enforcement mechanisms for parties exchanging identity information
  • Kantara: a complete set of contracts, regulations or commitments that enable participating actors to rely on certain assertions by other actors to fulfill their information security requirements
  • OIX: a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.
  • OITF Model: a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information
  • NATE
  • DirectTrust

NSTIC 4/15/2011 Final#

The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.

A Trust Framework is developed by a community whose members have similar goals and perspectives. It defines the rights and responsibilities of that community’s participants in the Identity Ecosystem; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. . . . In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.

Examples of complete Trust Frameworks might include

More Information#

  • [#1] - - based on data observed:2015-05-18
06-Aug-2015 07:24
2015-08-06#

WG-OTTO#

WG-OTTO -- This is the Open Trust Taxonomy for OAuth2 Work Group

Vectors of Trust#

NIST Special Publication 800-63 [SP-800-63] defines a linear-scale Level of Assurance (LoA) measure that combines multiple attributes about an identity transaction into a single measure of the level of trust a relying party should place in that transaction. Even though this definition was originally made for a specific government use case, the LoA scale appeared to be applicable to a wide variety of authentication use cases. This has led to a proliferation of incompatible interpretations of the same scale in different trust frameworks, preventing interoperability between these frameworks in spite of their common measurement.

Since, on the LoA scale, identity proofing strength increases in lockstep with credential strength, the scale is also too limited for describing many valid and useful forms of an identity transaction. For example, an anonymously assigned hardware token (strong credential, no proofing) can be used in cases where the real-world identity of the subject cannot be known or is verified through some out-of-band mechanism.

This work seeks to decompose the elements of the LoA values in a way that they can be independently communicated from an Identity Provider (IDP) to a Relying Party, making comparison between Trust Frameworks possible.
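How the decomposed values are consumed on the RP side, as an added example (not code from the Vectors of Trust draft or any IdP): the IdP asserts a vector string plus a trustmark URL, and the RP evaluates each component against its own policy instead of comparing a single LoA number. It follows the component letters and syntax of RFC 8485 (the published form of this draft): P for identity proofing (ordered digits), C/M/A for credential usage, credential management and assertion presentation (lettered, several values allowed). The trustmark URL, the policy dictionary shape and the example vectors are assumptions for this illustration; the meaning of each individual value is defined by the RFC and the trustmark, not here.

```python
import re

# Component letters from the Vectors of Trust work (RFC 8485 is its published form):
# P identity proofing, C primary credential usage, M credential management, A assertion presentation.
COMPONENTS = {"P": "identity proofing", "C": "credential usage",
              "M": "credential management", "A": "assertion presentation"}
_COMPONENT = re.compile(r"^([PCMA])([0-9a-z])$")


def parse_vot(vot):
    """Parse a dot-separated vector such as 'P1.Cc.Cd.Ab' into {'P': {'1'}, 'C': {'c', 'd'}, 'A': {'b'}}.
    Assumption taken from RFC 8485: P values are the ordered digits 0-3, the other components carry
    lettered values (possibly several at once), and a vector asserts at most one P value."""
    parsed = {}
    for piece in vot.split("."):
        match = _COMPONENT.match(piece)
        if not match:
            raise ValueError(f"malformed component {piece!r}")
        component, value = match.groups()
        if (component == "P") != value.isdigit():
            raise ValueError(f"{component} value {value!r} has the wrong form")
        parsed.setdefault(component, set()).add(value)
    if len(parsed.get("P", ())) > 1:
        raise ValueError("a vector may carry only one identity-proofing value")
    return parsed


def satisfies(vot, vtm, policy):
    """Evaluate an IdP's vector (vot) and trustmark URL (vtm) against an RP policy.
    policy keys (assumed shape for this example): 'trustmarks' (set of accepted vtm URLs),
    'min_P' (int), and optional 'C_any_of' / 'M_any_of' / 'A_any_of' (sets of acceptable values).
    Returns (accepted, reason). The trustmark is checked first: without it the letters have no
    agreed meaning, so a vector from an unknown trustmark is worthless however strong it looks."""
    if vtm not in policy["trustmarks"]:
        return False, "trustmark not accepted; the vector cannot be interpreted"
    vector = parse_vot(vot)
    p_level = int(next(iter(vector.get("P", {"0"}))))   # absent P means no proofing claimed
    if p_level < policy.get("min_P", 0):
        return False, f"proofing P{p_level} below required P{policy['min_P']}"
    for component in ("C", "M", "A"):
        acceptable = policy.get(f"{component}_any_of")
        if acceptable and not (vector.get(component, set()) & acceptable):
            return False, (f"{COMPONENTS[component]} values {sorted(vector.get(component, ()))} "
                           f"not in {sorted(acceptable)}")
    return True, "ok"
```

The point the example makes concrete: the RP can demand strong credential usage while accepting weak proofing (the anonymous hardware token case above), which a single LoA level cannot express.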

04-Aug-2015 16:56
2015-08-04#

Constrained Application Protocol#

The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things. The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.
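What a CoAP message looks like on the wire, as an added example (my own encoder/decoder, not from any CoAP implementation): the 4-byte header (version, type, token length, code, message ID), the token, delta-encoded options and the 0xFF payload marker, following RFC 7252. The decoder rejects the format errors the RFC tells a node to treat as such (reserved token lengths, the reserved option nibble 15, a payload marker with no payload, options running past the end of the datagram), which is exactly where a constrained-device parser tends to be sloppy. The message IDs, token and Uri-Path values used in the checks are made up.

```python
import struct

COAP_VERSION = 1
TYPE_CON, TYPE_NON, TYPE_ACK, TYPE_RST = 0, 1, 2, 3
OPT_URI_PATH = 11               # option number from RFC 7252 section 5.10
PAYLOAD_MARKER = 0xFF


def code(cls, detail):
    """Code byte: 3-bit class, 5-bit detail, written c.dd (0.01 = GET, 2.05 = Content)."""
    return (cls << 5) | detail


CODE_GET, CODE_CONTENT = code(0, 1), code(2, 5)


def _nibble(value):
    """Option delta/length encoding: 0-12 inline, 13 = one extra byte, 14 = two extra bytes."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def encode(msg_type, msg_code, msg_id, token=b"", options=(), payload=b""):
    if not 0 <= len(token) <= 8:
        raise ValueError("token length must be 0..8")
    header = (COAP_VERSION << 6) | (msg_type << 4) | len(token)
    out = bytearray(struct.pack("!BBH", header, msg_code, msg_id)) + token
    previous = 0
    # options are delta-encoded against the previous option number; the stable sort keeps
    # repeated Uri-Path segments in the order given
    for number, value in sorted(options, key=lambda opt: opt[0]):
        delta, delta_ext = _nibble(number - previous)
        length, length_ext = _nibble(len(value))
        out += bytes([(delta << 4) | length]) + delta_ext + length_ext + value
        previous = number
    if payload:
        out += bytes([PAYLOAD_MARKER]) + payload
    return bytes(out)


def _read_nibble(nibble, buf, pos):
    if nibble == 15:
        raise ValueError("option nibble 15 is reserved: message format error")
    if nibble < 13:
        return nibble, pos
    need = 1 if nibble == 13 else 2
    if pos + need > len(buf):
        raise ValueError("truncated option header")
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2


def decode(buf):
    """Parse one CoAP message. Raises ValueError on the format errors RFC 7252 says to reject."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    first, msg_code, msg_id = struct.unpack_from("!BBH", buf, 0)
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != COAP_VERSION:
        raise ValueError("unknown version: message must be ignored")
    if tkl > 8 or len(buf) < 4 + tkl:
        raise ValueError("bad token length (9-15 are reserved)")
    token, pos = bytes(buf[4:4 + tkl]), 4 + tkl
    options, number = [], 0
    while pos < len(buf) and buf[pos] != PAYLOAD_MARKER:
        first_byte, pos = buf[pos], pos + 1
        delta, pos = _read_nibble(first_byte >> 4, buf, pos)
        length, pos = _read_nibble(first_byte & 0xF, buf, pos)
        if pos + length > len(buf):
            raise ValueError("option value runs past end of message")
        number += delta
        options.append((number, bytes(buf[pos:pos + length])))
        pos += length
    payload = b""
    if pos < len(buf):
        payload = bytes(buf[pos + 1:])
        if not payload:
            raise ValueError("payload marker followed by no payload: message format error")
    return {"type": msg_type, "code": msg_code, "id": msg_id, "token": token,
            "options": options, "payload": payload}
```

A GET for /sensors/temp is two Uri-Path options with the same number (delta 0 for the second); the matching 2.05 Content response carries the same message ID (for the ACK) and the same token (to correlate the response).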

31-Jul-2015 08:55
2015-07-31#

How native applications can link[1]#

A separate (but complementary) feature coming to both Android M and iOS 9 is an improvement on how native applications can link between themselves, and their associated web servers. Both Android's App links and Apple's Universal Links allow application developers to claim an association with a particular web domain. Once claimed, any http(s) addresses to that domain will be interpreted by the OS as belonging to that application and not the default system browser. Similar to the previous custom URL schemes used for inter-app messaging, the new linking mechanism promises to close the security issue associated with custom URLs, namely how it was possible for other applications to squat on the URLs of a given app, and so gain access to the data shared by those URLs. By requiring that an app developer, in order to lay claim to a particular domain, be able to demonstrate ownership of that domain by placing a specific file on that domain, the new link mechanisms will shut out the hackers.

The Native Applications Working Group (NAPPS) WG in the OIDF is in the process of discussing the impact of these new mobile OS features on the emerging NAPPS spec. Apple's Universal Linking and Android's App Links both appear to provide a meaningful security enhancement and so it may make sense for NAPPS to stipulate their use. ... Again, in the context of a native application getting the user authenticated against an OAuth AS, the new linking mechanisms promise to provide additional assurance that the tokens are being issued to a valid application, and not some malicious application that was able to get itself installed and squatting on the valid custom scheme URLs. (The Proof Key for Code Exchange by OAuth Public Clients (PKCE) mechanism was motivated by the same risk, though PKCE allows the AS to ensure only that the tokens were returned to the particular application that requested them, which could be a bad app).
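The "specific file on that domain" that both mechanisms rely on, as an added example (my own check, not code from Google, Apple or the NAPPS WG): a verifier for the two association files, Android's /.well-known/assetlinks.json (Digital Asset Links) and Apple's /.well-known/apple-app-site-association. The file contents, package name, team ID, bundle ID and certificate fingerprint are constructed for the example; a real client fetches them over HTTPS from the claimed domain. The Android check shows why the squatting problem is closed: the statement names both the package and the SHA-256 fingerprint of its signing certificate, so an app reusing the package name under another key still fails.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample association files, as they would be fetched over HTTPS from the claimed domain.
# Package name, team ID, bundle ID and certificate fingerprint are made-up values for this example.
SAMPLE_CERT_SHA256 = ("00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                      "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF")

SAMPLE_ASSETLINKS = json.dumps([{                      # served at /.well-known/assetlinks.json
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {"namespace": "android_app",
               "package_name": "com.example.photos",
               "sha256_cert_fingerprints": [SAMPLE_CERT_SHA256]},
}])

SAMPLE_AASA = json.dumps({"applinks": {"apps": [], "details": [   # /.well-known/apple-app-site-association
    {"appID": "ABCDE12345.com.example.photos",
     "paths": ["NOT /share/admin/*", "/oauth/callback", "/share/*"]},
]}})


def android_app_may_handle(assetlinks_json, package_name, cert_sha256):
    """Android App Links: the domain must delegate handle_all_urls to this package AND this signing
    certificate, so a squatter with the same package name but a different key is still refused."""
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:
        return False
    wanted = cert_sha256.upper()
    for statement in statements:
        target = statement.get("target", {})
        if ("delegate_permission/common.handle_all_urls" in statement.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and wanted in (f.upper() for f in target.get("sha256_cert_fingerprints", []))):
            return True
    return False


def ios_app_may_handle(aasa_json, app_id, path):
    """iOS Universal Links: appID is <team ID>.<bundle ID>; path patterns are tried in order,
    first match wins, and a 'NOT ' prefix excludes the matched paths."""
    try:
        details = json.loads(aasa_json)["applinks"]["details"]
    except (ValueError, KeyError, TypeError):
        return False
    for detail in details:
        if detail.get("appID") != app_id:
            continue
        for pattern in detail.get("paths", []):
            negate = pattern.startswith("NOT ")
            if fnmatchcase(path, pattern[4:] if negate else pattern):
                return not negate
    return False
```

Note the ordering rule on the Apple side: the exclusion for /share/admin/* has to precede /share/*, or the broader pattern wins first and the exclusion never fires.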

29-Jul-2015 10:39
2015-07-29#

InComm's drive to bring open-loop prepaid to Mobile-Digital Wallets[1]#

In June, Pew Charitable Trusts estimated that some 23 million adults use general purpose reloadable prepaid cards in the U.S. on a regular basis.

InComm, one of the leading prepaid program providers worldwide, sees an opportunity in that number to entice more consumers — particularly the financially underserved and millennials — to use mobile payments at a time when more contactless terminals are present in U.S. storefronts thanks to the current EMV shift underway nationwide.

To accomplish this, InComm has partnered with Gemalto to use the digital security company's Allynis Trusted Services Hub to digitize its open-loop prepaid card offerings so that consumers can add them to select mobile wallets. Gemalto last year introduced Allynis as a way to help banks, transportation companies and other financial services providers make the right connections with mobile network operators and original equipment manufacturers to access the coveted secure element on NFC-enabled smartphones.

26-Jul-2015 18:03
2015-07-26#

OAuth, OpenID Connect and User Managed Access allow IDAM to become decentralized, which lets it scale and enables agile federation.#

https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA

OAuth 2.0 has three Entities #

- Is responsible to be or Authorization server to the PIP

In OAuth 2.0 there is no specification of how the Authorization Server and the Resource Server communicate. It is typically assumed that they are within the same security domain, often on the same server, and that the communication is proprietary.

In User Managed Access, the Resource Server may outsource protection to a centralized Control Console.

In User Managed Access, the Authorization Server implements standardized APIs for privacy and selective Sharing.

User Managed Access adds an additional Entity, the Requesting Party (Bob). The motivating use case: what if Alice wants to share with Bob?

The User Managed Access specification further defines relationships between the Entities:#

Resource Server and OAuth Client#

The Resource Server exposes whatever resources it wants and is protected by the Authorization Server, just as in OAuth 2.0. The Requesting Party Token (RPT) may be thought of as the OAuth 2.0 Access Token with a few extra properties that make it more flexible; the OAuth Client obtains it from the Authorization Server's Requesting Party Token Endpoint and presents it to the Resource Server.

Authorization Server and Resource Server#

In User Managed Access the Authorization Server has to Interact with the Resource Server perhaps over the Internet as they could be operated by different companies.

The Authorization Server exposes a Protection API, protected by the Protection API Token (PAT), through which the Resource Server tells the Authorization Server, via the Resource Set Registration Endpoint, which Resources need protection and which OAuth Scopes apply to each Resource. This communication is defined in the OAuth 2.0 Resource Set Registration specification.

The Authorization Server is the authoritative source for the Resource Owner (Alice), but the Resource Server is authoritative for what its API can do and for what the Resource Owner (Alice) has created there.

The Resource Server may have a one-to-many relationship(s) with Authorization Servers.

The Resource Owner (Alice) must consent to the Authorization Server and Resource Server working on her behalf; that consent is expressed through the issuance of the Protection API Token.

Authorization Server and OAuth Client#

User Managed Access exposes an Authorization API, protected by an Authorization API Token (AAT), for the OAuth Client. In User Managed Access the Authorization Server can consume User Managed Access, SAML or OpenID Connect based claims for authorization.

The Requesting Party (Bob) must consent to the OAuth Client working with the Authorization Server, since "claims" about him may need to be revealed to permit his access to the Resource Server; that consent is expressed through the Authorization API Token.

Authorization Server and Requesting Party (Bob)#

If the Requesting Party (Bob) can present

In User Managed Access

Key Use Cases for User Managed Access http://bigdata.csail.mit.edu/

Managing Personal Data Store Access#

Where Alice the owner of the Personal Data Store determines others Authorization.

Protected Resource Sharing#

Blue Button (http://www.healthit.gov/patients-families/blue-button/about-blue-button)#

Traditional WAM vs User Managed Access#

Traditional Web Access Management             | User Managed Access
Complex and feature-rich                      | RESTful and simpler
Usually proprietary                           | Standard interop baseline
Mobile/API ??                                 | Mobile/API-friendly
Brittle deployment architecture (agents)      | Just call endpoints
Not agnostic to authentication method         | Agnostic to authentication method and federation
Hard to source distributed policies           | Flexible in policy expression and sourcing
Usually coarse-grained                        | Leverages the API's scopes ("scope-grained" authorization)

Enterprise User Managed Access case study

Out-of-band actions that are not in the specifications: Alice decides which resources are protected (the specifications do not say how), and Alice sets the policies governing access to those resources.

xacmlinfo.org/2011/10/30/xacml-reference-architecture/

Some References for user Managed Access

21-Jul-2015 10:21
2015-07-21#

ShoCard[1]#

ShoCard certifies and stores ID documents into the Blockchain, so that you can securely retrieve them later and prove your identity whenever you need to. Its first use case is for bank and credit card identification processes.

Your ShoCard is basically a tiny file that only you can manipulate. When you create your ShoCard, you first scan your identity document and sign it. Then the mobile app will generate a private and public key to seal that record. It is encrypted, hashed and sent to the network of communicating nodes running bitcoin software for later use.

05-Jul-2015 13:13
Overview #

2015-07-05#

Edge-Node#

01-Jul-2015 10:13
2015-07-01#

Tap-to-pay#

1. "A Microsoft-sized opportunity: Payment processing" - The payments industry doesn't know much about Microsoft's plan for mobile payments, but Thomas Yohannan gives his take on the situation.

In March, Microsoft introduced a "tap-to-pay" feature that will be in its forthcoming Windows 10 for phones and small tablets (a.k.a. "Windows Mobile"), which would support Host Card Emulation.

Newer Android phones use HCE to transmit NFC signals to terminals, which means third-party developers can use this process to build NFC functions into their apps. Just as important, the elimination of the Secure Element makes the payment platform carrier independent, and hence carrier agnostic. These advances are sure to be greeted well in the marketplace, but what is more intriguing is where Microsoft is headed with the possible introduction of mobile payments into their ecosystem.

Based on a money transmitter license that was granted in Idaho, it appears as though the Redmond, Washington-based company is looking to go up against Android Pay, Apple Pay and the LoopPay system that helps form the base for Samsung Pay. Some may see this as a proactive approach by Microsoft to keep pace with competitors in the payments space. However, Microsoft may be trying to become a backend processor.

This move may put Microsoft in direct competition with PayPal, Square and Intuit. These companies have built the backend and have transaction engines to process payments, so they know how to send cash. However, unlike these backend processors, the advantage Microsoft would have is it would help establish potentially secure payment solutions not tied to hardware solutions. Creating a competitive product in this space would be advantageous for an enterprise software company like Microsoft.

Card Verification Method#

There is a fine line between Cardholder Verification Methods and Card Verification Methods.

29-Jun-2015 11:47
2015-06-29#

Encryption And Hashing#

25-Jun-2015 06:57
2015-06-25#

Locked Account Check#

21-Jun-2015 09:00
2015-06-21#

How to provide password authentication for an Application UserID?#

When an application connects to other services (LDAP, databases, OAuth 2.0, etc.), how can we store the application's password securely and still be able to obtain the cleartext password when it is needed to perform the required functions?

Basic Approaches #

These are Basic Approaches to Application password storage.
  • Store a password(s) behind a password - Require a passphrase to be typed in as the application starts in order to read the accounts.xml file and, to be truly secure, require it again whenever the file is written.
  • Obscure a password - Store the password in some format other than plain text, which the application automatically converts back to plaintext (in memory). This is security by obscurity, and is a Very Bad Thing in that it gives the application owner a false sense of security; we believe that is worse than letting informed users deal with the password issue themselves. Consider that a naive application owner might think it is safe to share the accounts information because the passwords are "encrypted".
  • Store the password in plain text and control access to the file - This is probably the best option. Store the password in plain text, but make the file itself readable only by the application owner.

References:
  • Mozilla - Let’s talk about password storage - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
  • Apache - EncryptedPasswordStorage- https://wiki.apache.org/subversion/EncryptedPasswordStorage
  • MonoWall - Why are some passwords stored in plaintext in config.xml? - http://doc.m0n0.ch/handbook/faq-plaintextpass.html
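The third approach (plain text, access controlled by the file system) is only as good as the check that the permissions are actually what you think they are. Added example, my own code rather than anything from the references above: the file is created with mode 0600 from the first instant (no window where a default umask leaves it world-readable), and the reader refuses to use a credential file that is not a regular file, is owned by someone else, or has any group/other permission bits set. Unix file modes are assumed; the file name and the credential in the self-check are made up.

```python
import os
import stat
import tempfile


def write_secret_file(path, secret):
    """Create the credential file with mode 0600 from the start: O_EXCL refuses to clobber an
    existing file, and the mode is applied at creation rather than by a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)


def read_secret_file(path):
    """Return the cleartext credential only if the file is still protected as intended."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the application user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {stat.filemode(st.st_mode)} is accessible to "
                              "group/others; expected 0600")
    with open(path) as f:
        return f.read().rstrip("\n")


def demo_round_trip():
    """Self-check: a 0600 file is readable; the same file loosened to 0644 is refused."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "accounts.txt")
    write_secret_file(path, "svc-ldap:S3cret-example\n")   # constructed sample credential
    first = read_secret_file(path)
    os.chmod(path, 0o644)                                  # what a careless admin might do
    try:
        read_secret_file(path)
        refused = False
    except PermissionError:
        refused = True
    os.remove(path)
    os.rmdir(directory)
    return first, refused
```

Refusing to start on a loosened file is the whole point: the application owner learns about the exposure immediately, instead of the secret quietly being readable by every local account for months.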

Persona#

What is Persona?

20-Jun-2015 07:33
2015-06-20#

10 Reasons Why OpenID Connect#

16-Jun-2015 16:02
2015-06-16#

redirect_uri#

Standards Based SSO#

OpenID Connect turns SSO into a standard OAuth-protected identity API

14-Jun-2015 23:05
2015-06-14#

OAuth 2.0 Authorization#

Here we show the Authorization Code Grant Type, which would typically be used by web server (confidential client) applications.

Some basic conditions must exist in advance:

1) The Resource Owner (user) accesses the OAuth Client (The Photo application).

2) The OAuth Client constructs the Authorization Request as a URI, adding the following parameters:

    • response_type - REQUIRED Value MUST be set to "code".
    • client_id - REQUIRED The client identifier
    • redirect_uri - OPTIONAL as it may be registered with Authorization Server in advance.
    • scope - OPTIONAL The "Desired" scope of the access request
    • state - RECOMMENDED An opaque value used by the client to maintain state between the request and callback.

3) The Resource Owner (user) is redirected by the OAuth Client (The Photo application) with the Authorization Request to the Authorization Endpoint on the Authorization Server.

4) The Resource Owner (user) authenticates to the Authorization Server and approves the OAuth Client's request.

5) The Resource Owner (user) is then redirected to the redirect_uri of the OAuth Client (The Photo application), with the authorization code and the echoed state as query parameters.

6) When the OAuth Client (The Photo application) redirect_uri is accessed, the OAuth Client (The Photo application) connects directly to the Authorization Server and creates an Access Token Request which includes:

7) If the Authorization Server can accept these values, the Authorization Server sends back an Access Token Response which includes:

8) The OAuth Client (The Photo application) can now use the Access Token to request resources from the Resource Server. The Access Token serves as both:

There is no OpenID Connect involved with this operation. This is all part of OAuth 2.0 Protocol
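The eight steps above run end to end, as an added example (my own code, not from the Photo application or any OAuth library): an in-memory stand-in for the Authorization Server issues a one-time code at the authorization endpoint and redeems it at the token endpoint, while the client builds the Authorization Request, checks the state on the callback and exchanges the code. The endpoint URLs, client_id and redirect_uri are assumptions. Beyond the listed parameters it also carries PKCE (code_challenge / code_verifier, RFC 7636), since that is what stops a code captured by another app from being redeemed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint and client registration (assumptions for this example)
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "photo-app"
REDIRECT_URI = "https://photos.example.com/callback"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def query_dict(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class PhotoClient:
    """The OAuth Client: builds the Authorization Request (step 2), validates the callback
    (steps 5-6) and exchanges the code at the token endpoint (steps 6-7)."""

    def __init__(self):
        self.pending = {}  # state -> PKCE code_verifier, one entry per outstanding request

    def authorization_request(self, scope="photos:read"):
        state = b64url(secrets.token_bytes(16))       # binds the callback to this request (CSRF)
        verifier = b64url(secrets.token_bytes(32))    # PKCE: binds the code to this client instance
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": scope, "state": state,
                  "code_challenge": b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
                  "code_challenge_method": "S256"}
        return AUTHZ_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url, token_endpoint):
        q = query_dict(callback_url)
        verifier = self.pending.pop(q.get("state", ""), None)   # unknown or reused state: reject
        if verifier is None:
            raise ValueError("callback state matches no pending request (possible CSRF)")
        if "error" in q:
            raise ValueError("authorization failed: " + q["error"])
        # A confidential client would also authenticate here (e.g. HTTP Basic with its client_secret).
        return token_endpoint({"grant_type": "authorization_code", "code": q["code"],
                               "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                               "code_verifier": verifier})


class AuthorizationServer:
    """In-memory stand-in for the AS: the authorization endpoint issues a one-time code
    (after the user has logged in and consented, steps 3-4), the token endpoint redeems it."""

    def __init__(self):
        self.codes = {}

    def authorize(self, request_url, user="alice"):
        q = query_dict(request_url)
        if (q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID
                or q.get("redirect_uri") != REDIRECT_URI):
            return REDIRECT_URI + "?" + urlencode({"error": "invalid_request", "state": q.get("state", "")})
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"user": user, "scope": q.get("scope", ""),
                            "challenge": q.get("code_challenge"), "redirect_uri": q["redirect_uri"]}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form):
        grant = self.codes.pop(form.get("code"), None)   # codes are single use
        if grant is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        if form.get("client_id") != CLIENT_ID or form.get("redirect_uri") != grant["redirect_uri"]:
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if grant["challenge"] and not secrets.compare_digest(expected, grant["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


def run_flow():
    client, server = PhotoClient(), AuthorizationServer()
    request_url = client.authorization_request()               # step 2
    callback_url = server.authorize(request_url)               # steps 3-5
    return client.handle_callback(callback_url, server.token)  # steps 6-7, returns the Access Token Response
```

Three checks in there are the ones that matter in review: the state is consumed on first use (a replayed or forged callback is rejected), the code is consumed on first use, and the token endpoint verifies redirect_uri and the PKCE verifier against what was bound at authorization time.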

09-Jun-2015 10:01
2015-06-09#

ProjectVRM#

08-Jun-2015 10:46
Overview#
Smart Home adoption will only gain momentum if the different devices can be connected into over-arching use cases, but currently the market for Home Automation and Internet Of Things gadgets is heavily fragmented.

Some of the Frameworks#

Eclipse SmartHome#

Eclipse SmartHome is designed as a set of OSGi bundles that can be run on any OSGi container, such as Eclipse Equinox or Apache Felix. All that is required underneath is a Java7-compliant Java Virtual Machine (JVM), which are available for all major platforms and architectures such as x86 or ARM.

Freedomotic#

Freedomotic is an open source, flexible, secure Internet of Things (IoT) development framework, useful to build and manage modern smart spaces. It is targeted to private individuals (home automation) as well as business users (smart retail environments, ambient aware marketing, monitoring and analytics, etc).

openHAB#

openHAB is vendor and technology agnostic open source automation software for your home. Build your smart home in no time!

pimatic#

pimatic is a home automation framework that runs on node.js. It provides a common extensible platform for home control and automation tasks. (Runs on the Raspberry Pi.)

HomeKit#

HomeKit is a framework in iOS 8 for communicating with and controlling connected accessories in a user’s home. You can enable users to discover HomeKit accessories in their home and configure them, or you can create actions to control those devices. Users can group actions together and trigger them using Siri.

Google's ??? Nest/Nearby/Android@home ???#

Google, as always, has a lot of things on the fire, but no product has shown up.

2lemetry#

2lemetry is an Internet of Things platform and technology company that powers the connected enterprise, tying people, processes, data and devices together—transforming raw data into real-time Actionable Intelligence.

03-Jun-2015 10:54
2015-06-03#

Some things ...#

I have been meaning to look into some of these things:

Identity Broker#

01-Jun-2015 10:37
Overview#

Google gets back into mobile payments with Android Pay#

Responsive Organizations#

We talk a lot about Agile and Lean, and a lot of this is written off as being ONLY for software developers.

27-May-2015 15:14
2015-05-27#

Neo-Security Stack#

OAuth Scopes#

26-May-2015 14:46
2015-05-26#

The Changing Device Mix#

By 2017, 87% of connected devices will be phones and tablets, according to IDC's connected device tracker.

19-May-2015 11:38
2015-05-19#

Social Login#

The term Social Login has come up more and more.

18-May-2015 16:24
Overview#

PicoContainer#

PicoContainer's most important feature is its ability to instantiate arbitrary objects. This is done through its API, which is similar to a hash table. You can put java.lang.Class objects in and get object instances back.

16-May-2015 09:45
2015-05-16#

Microservice#

Eric Evans, the founder of Domain-Driven Design (DDD)#

10-May-2015 09:59
Overview#

FreeIPA#

14-Apr-2015 16:13
2015-04-14#

Preventing eDirectory from Auto Adding Indexes#

We are getting lots of system indexes created because IDM adds lots of values to some attributes.

eDirectory indexes are created automatically when an attribute has more than 25 values or when a value of the attribute is larger than 2048 bytes.

Such attributes are moved to a separate attribute container and indexes are created for them. These auto-generated indexes are marked as system indexes.

eDirectory does not permit deleting system indexes, so any attempt to delete them gives an error.

To work around this, add the following value to the _ndsdb.ini file in the DIB directory and then restart ndsd:

  • disablemovetoattrcontainer=true

This prevents attributes from being moved to the attribute container. However, the setting does not affect attributes that are already in the container.

We have also seen conditions where a very large number of attribute values were in use on many entries. When one of the entries added the 25th value, the existing index was dropped and the system index was created. While this happens there is a period with no eDirectory index on the attribute at all, which causes very slow searches.

When there are many entries with several values each, creating the new index took a very long time.

06-Apr-2015 18:29
Overview#

Comment: Testing Note

02-Apr-2015 14:06
2015-04-02#

example.com#

example.com, example.net, and example.org are second-level domain names reserved by the Internet Engineering Task Force through RFC 2606, Section 3,[1] for use in documentation and examples. They are not available for registration.

31-Mar-2015 15:03
2015-03-31#

DirXML 4.0.2.0 SE#

24-Mar-2015 12:17
Overview#

Certificate Management Protocol#

Certificate Management over CMS#

10-Mar-2015 16:37
2015-03-03#

CITester#

03-Mar-2015 11:59
2015-03-03#

PayPal strengthens mobile plans with Paydiant acquisition[1]#

One of PayPal's biggest issues over the past few years is its inability to gain a strong foothold inside retailers' physical storefronts. But its announcement Monday to acquire mobile-wallet technology provider Paydiant helps the company address two problems at once as the mobile payments market continues to undergo a remarkable transformation.

"PayPal has done payments really well, but they've had issues on both the mobile and offline side of things," James Wester, research director of global payments for IDC Financial Insights, told Mobile Payments Today in an interview. "This shores up both areas in one acquisition. It gives PayPal a credible way of saying they have a different path to mobile payments compared with Apple and Google."

That path begins with Paydiant's white-label technology, which provides retailers with a mobile wallet and other value-added services such as loyalty. The company counts Capital One, Harris Teeter supermarkets, Orange Leaf, and Subway as its biggest partners. And Paydiant is the mobile-wallet technology provider behind the Merchant Customer Exchange's CurrentC app. Going forward, it will be business as usual for Paydiant and its current partners.

"There are no changes on that front," Paydiant Co-founder Chris Gardner told Mobile Payments Today in an interview. "We started having conversations with our customers recently to give them a heads up about PayPal and the reaction has been overwhelmingly positive.

"It's pretty hard to imagine we would get a negative reaction when we told them we're adding the might of PayPal while those merchants still get to use our white-label platform."

PayPal did not disclose the terms of the agreement, but re/code reported the purchase price at $280 million. Paydiant will stay at its current Newton, Mass. location for now, but PayPal has a rather large presence in downtown Boston despite its West Coast roots.

In keeping with the mobile payments theme, PayPal also announced it is adding contactless acceptance to its PayPal Here mobile card reader.

Paydiant's relationship with PayPal goes back almost a year; it integrated the company's payments platform about six months ago.

"Our approach has always been to support the payment mechanisms retailers want to use," Gardner said.

That mantra is at the center of this particular marriage.

Paydiant uses a technology-agnostic approach and tailors a merchant's mobile wallet to work with whatever a business thinks is best: Bluetooth, NFC, QR Codes or even a combination of methods. The end goal, Gardner said, is to help the merchant sell more goods regardless of the technology used to complete the transaction.

"People like to say it's NFC versus QR codes, but I think the reality is we're collectively solving a business problem here and the goal is to create great experiences for consumers, particularly how it pertains to retailers," Gardner said.

Paydiant's line of thinking jibes with the one-size-fits-all approach PayPal pursues with merchants. PayPal can now offer retailers payment acceptance options, business loans, and a way to break into mobile payments.

"We want to be a real partner to retailers because that is a key differentiator that we have on a global scale," Chris Morse, PayPal's director of communications, said in an interview. "It's us being much more aligned with the retailers, and this relationship helps us extend that."

Current market#

How this relationship eventually benefits MCX remains to be seen, but Wester believes the merchant consortium now has more credibility.

"Outside of the payments industry, are people going to recognize that PayPal now is a partner with a company that is partnered with MCX to make the CurrentC app?" Wester said. "That may be a long chain that PayPal will have to reinforce with consumers, but I think there is a credibility issue of having PayPal involved. It's a recognized payments option for consumers in the online space."

MCX might need to lean heavily on PayPal's recognition if and when CurrentC launches because it sits squarely behind the eight ball now thanks to recent developments in the last few weeks.

"MCX needs to get out there now," Wester said.

When it does, CurrentC will face competing systems, as the mobile wallet market now has a more defined landscape.

"I think at one point, we thought we would have one wallet to rule them all and everyone else would be picking up what's left," Wester said. "Now what we're seeing are wallets with similar user experiences and that benefits them all.

"We now have all of the sensible, viable mobile payment platforms out there and now it's going to be up to the consumer to decide what they want to pay with."

28-Feb-2015 09:52
2015-02-28#

Tim Cook Says Apple Watch Could Replace Your Car Keys#

Why does anything "said" by Apple get headlines? Does anyone think this is something innovative?

Many home automation systems have used Bluetooth or NFC to unlock doors for homes. The key here is trying to "Just Get Along" so that patent, ego and political barriers will allow companies to engage in coopetition to do what the customers desire.

Apple Car, Android Car and (I assume) Samsung Car are not the right way. We need a Car API that can be used by all.

25-Feb-2015 16:41
2015-02-25#

Mobile-Digital Wallets#

There are several Mobile-Digital Wallets and we think they are important to watch due to the generally strong Authentication used. Some of them are:

10-Dec-2014 11:48
2014-12-10#

Authentication Failures#

19-Nov-2014 12:25
2014-11-19#

ldapPermissiveModify #

The standard LDAP modify operation can be extended by setting the ldapPermissiveModify option to TRUE. If you then attempt to delete an attribute value that does not exist, or to add a value that an attribute already has, the operation goes through without any error instead of failing the whole modify.

Discarding transaction because of optimization#

When the engine examines a complete transaction and decides that the transaction results in no change, it throws the transaction away.

For example, if you have a client that removes an attribute value and then adds the same attribute value back, that transaction results in no change so the engine will discard it.
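Both behaviours above simulated in Python, as an added example and not eDirectory or IDM code: strict versus permissive modify on an in-memory entry, and the net-change check that lets the engine discard a transaction whose changes cancel out. The result codes 16 (noSuchAttribute) and 20 (attributeOrValueExists) are the standard LDAP values a strict server returns for the two conflicts.

```python
"""Added example: LDAP modify semantics in strict versus permissive mode, plus the
"no net change" test the engine applies before writing a transaction. In-memory only;
an entry is a dict mapping attribute name -> set of values."""
import copy

NO_SUCH_ATTRIBUTE = 16          # LDAP resultCode for deleting a value that is not there
ATTRIBUTE_OR_VALUE_EXISTS = 20  # LDAP resultCode for adding a value that is already there


class LdapError(Exception):
    def __init__(self, rc, name):
        super().__init__(f"rc={rc} ({name})")
        self.rc = rc


def apply_modify(entry, changes, permissive=False):
    """changes is a list of (op, attr, values) with op in {'add', 'delete', 'replace'};
    an empty values list on 'delete' removes the whole attribute. Returns the new entry.
    Strict mode raises LdapError like a normal server; permissive mode (the
    ldapPermissiveModify behaviour) turns the two conflicts into no-ops."""
    new = copy.deepcopy(entry)
    for op, attr, values in changes:
        values = set(values)
        current = new.setdefault(attr, set())
        if op == "add":
            if values & current and not permissive:
                raise LdapError(ATTRIBUTE_OR_VALUE_EXISTS, "attributeOrValueExists")
            current |= values
        elif op == "delete":
            missing = (values - current) if values else (not current)
            if missing and not permissive:
                raise LdapError(NO_SUCH_ATTRIBUTE, "noSuchAttribute")
            current -= values if values else set(current)
        elif op == "replace":
            new[attr] = values
        else:
            raise ValueError(f"unknown modify operation {op!r}")
        if not new[attr]:
            del new[attr]  # LDAP has no empty attributes
    return new


def net_change(entry, changes):
    """Apply the whole transaction permissively and report what actually differs, as
    (attr, before, after) tuples. An empty list means the engine would discard it."""
    after = apply_modify(entry, changes, permissive=True)
    return [(attr, sorted(entry.get(attr, ())), sorted(after.get(attr, ())))
            for attr in sorted(set(entry) | set(after))
            if entry.get(attr, set()) != after.get(attr, set())]
```

The remove-then-add of the same value from the text is the case to try: net_change returns an empty list, so nothing would be written, while replacing HOUSTON with CYPRESS reports exactly that one difference.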

04-Nov-2014 17:37
2014-11-04 #

Processes and Threads[1] #

In concurrent programming, there are two basic units of execution: processes and threads. In the Java programming language, concurrent programming is mostly concerned with threads. However, processes are also important.

A computer system normally has many active processes and threads. This is true even in systems that only have a single execution core, and thus only have one thread actually executing at any given moment. Processing time for a single core is shared among processes and threads through an OS feature called time slicing.

It's becoming more and more common for computer systems to have multiple processors or processors with multiple execution cores. This greatly enhances a system's capacity for concurrent execution of processes and threads — but concurrency is possible even on simple systems, without multiple processors or execution cores.

Processes #

A process has a self-contained execution environment. A process generally has a complete, private set of basic run-time resources; in particular, each process has its own memory space.

Processes are often seen as synonymous with programs or applications. However, what the user sees as a single application may in fact be a set of cooperating processes. To facilitate communication between processes, most operating systems support Inter Process Communication (IPC) resources, such as pipes and sockets. IPC is used not just for communication between processes on the same system, but processes on different systems.

Most implementations of the Java virtual machine run as a single process. A Java application can create additional processes using a ProcessBuilder object. Multiprocess applications are beyond the scope of this lesson.

Threads #

Threads are sometimes called lightweight processes. Both processes and threads provide an execution environment, but creating a new thread requires fewer resources than creating a new process.

Threads exist within a process — every process has at least one thread. Threads share the process's resources, including memory and open files. This makes for efficient, but potentially problematic, communication.

Multi-threaded execution is an essential feature of the Java platform. Every application has at least one thread — or several, if you count "system" threads that do things like memory management and signal handling. But from the application programmer's point of view, you start with just one thread, called the main thread. This thread has the ability to create additional threads.

01-Nov-2014 22:03
Overview#

Page Views#

26-Oct-2014 07:47
Overview#

U2F#

Working with U2F and Yubico#

Purchased a FIDO U2F Security Key
  • ASIN: B00NLKA0D8
  • Item model number: Y-123

The Yubico Demo Site requires a Chrome Extension to operate. The Extension allows the

Registered at the Yubico Demo Site, which allows testing of the device:

  • enter userID/Password
  • touch U2F device
  • Registration Successful

Login at Yubico Demo Site:

  • enter userID/Password
  • touch U2F device
  • Authentication Successful

The site will allow you to register the same userID as an existing userID, which overwrites the data. So if your password does not work, you will need to re-register your device.

Windows and OS X#

I tested on OS X and Windows:
  • OS X Yosemite running Chrome Version 40.0.2194.2 dev (64-bit)
  • Windows 7 Professional running Chrome Version 38.0.2125.104 m (64-bit)

Mobile#

Then went to try the mobile App. Downloaded App:
  • enter userID/Password
  • touch U2F device
  • Nothing happened

Turns out, if you want to use mobile devices, you need the Yubico NEO:

  • ASIN: B00LX8KZZ8
  • Item model number: Y-072

AND you need NFC

I ordered the Yubico NEO and will report back when I get it.

20-Oct-2014 18:38
Overview#

DirXML Engine Version#

How to determine the DirXML Engine Version.

15-Oct-2014 12:43
2014-10-15#

Discussion on Kanban#

23-Sep-2014 10:42
2014-09-23#

RFC 5805#


Forwarded message ---------- Michael Ströder asked:

Which LDAP servers support LDAP transactions as defined in RFC 5805?#

Some answers:

UnboundID #

The UnboundID Directory Server has full support for LDAP transactions as described in RFC 5805. These transactions are also supported through the UnboundID Directory Proxy Server in configurations in which all backend servers have identical sets of data, as well as in certain entry-balanced configurations (where the data may be split up into multiple non-identical sets).

In addition, the UnboundID LDAP SDK for Java includes a simple in-memory directory server that is primarily intended for application development and testing purposes rather than any kind of production use. This in-memory directory server also provides full support for LDAP transactions.

OpenLDAP#

Howard Chu: It's currently in OpenLDAP's git repo and support will be in release 2.5.

Is RFC 5805 used with any particular use cases?#

Howard Chu: The main driver this time around was supporting Samba 4. A lot of the Microsoft AD-related attributes require referential integrity to be maintained atomically.

OID#

OID (Oracle Internet Directory) claims support for RFC 5805: http://docs.oracle.com/cd/E28280_01/admin.1111/e10029/rfcs.htm
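Two added Python pieces that are not from the thread above or from any of the servers it names: the root DSE check a practitioner runs before relying on a server's transaction support, and the BER encoding of the three RFC 5805 messages (Start Transaction request, the Transaction Specification control that goes on each update, End Transaction request) so the bytes can be compared with a packet capture. The root DSE LDIF is a constructed sample.

```python
"""Added example: RFC 5805 on the wire and the root DSE check that tells you whether a server
advertises it. Standard library only; the root DSE LDIF is a constructed sample, not output
from any of the servers named above."""

START_TXN_REQUEST = "1.3.6.1.1.21.1"   # Start Transaction extended request (no requestValue)
TXN_SPEC_CONTROL = "1.3.6.1.1.21.2"    # Transaction Specification control on each update in the txn
END_TXN_REQUEST = "1.3.6.1.1.21.3"     # End Transaction extended request (commit or abort)
ABORTED_TXN_NOTICE = "1.3.6.1.1.21.4"  # Aborted Transaction unsolicited notification

ROOT_DSE_SAMPLE = """dn:
objectClass: top
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.1.21.1
supportedExtension: 1.3.6.1.1.21.3
supportedControl: 1.3.6.1.1.21.2
supportedControl: 2.16.840.1.113730.3.4.18
"""


def supports_transactions(root_dse_ldif):
    """Read the LDIF of a base-scope search on the root DSE and report the RFC 5805 pieces it
    advertises. A server needs both Start/End Transaction and the control to be usable."""
    advertised = {"supportedExtension": set(), "supportedControl": set()}
    for line in root_dse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr in advertised:
            advertised[attr].add(value.strip())
    return {
        "start_end_transaction": {START_TXN_REQUEST, END_TXN_REQUEST} <= advertised["supportedExtension"],
        "transaction_control": TXN_SPEC_CONTROL in advertised["supportedControl"],
    }


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ldap_message(msgid, protocol_op, controls=b""):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE, controls [0] Controls OPTIONAL }
    message_id = _tlv(0x02, msgid.to_bytes(msgid.bit_length() // 8 + 1, "big"))
    return _tlv(0x30, message_id + protocol_op + controls)


def start_transaction_request(msgid):
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }; tag 0x77, name tag 0x80
    return _ldap_message(msgid, _tlv(0x77, _tlv(0x80, START_TXN_REQUEST.encode())))


def transaction_control(txn_id):
    """Controls ::= [0] SEQUENCE OF Control (tag 0xA0). The control is critical and its value is
    the raw transaction identifier returned in the Start Transaction response."""
    control = _tlv(0x30, _tlv(0x04, TXN_SPEC_CONTROL.encode()) + _tlv(0x01, b"\xff") + _tlv(0x04, txn_id))
    return _tlv(0xA0, control)


def end_transaction_request(msgid, txn_id, commit=True):
    # txnEndReq ::= SEQUENCE { commit BOOLEAN DEFAULT TRUE, identifier OCTET STRING }:
    # the DEFAULT TRUE is omitted when committing and encoded as FALSE when aborting.
    body = (b"" if commit else _tlv(0x01, b"\x00")) + _tlv(0x04, txn_id)
    request = _tlv(0x77, _tlv(0x80, END_TXN_REQUEST.encode()) + _tlv(0x81, _tlv(0x30, body)))
    return _ldap_message(msgid, request)
```

The root DSE text is what a base-scope search returns, for example `ldapsearch -x -s base -b '' supportedExtension supportedControl` against the server in question; the transaction_control bytes are appended, as the controls element, to every ModifyRequest or AddRequest that belongs to the transaction.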

17-Sep-2014 16:56
2014-09-17#

from-reset="true"#

When an attribute in the DirXML Filter is set to Reset, the engine sends a document to the Subscriber Channel similar to:
  <input>
    <modify class-name="User" from-reset="true" qualified-src-dn="dc=com\dc=willeke\OU=people\OU=Int\uniqueID=molly1" src-dn="net\willeke\people\Int\molly1" src-entry-id="203791">
      <association>19e01092f77c1741914fd10fd4a5aa79</association>
      <modify-attr attr-name="L">
        <remove-all-values/>
        <add-value>
          <value timestamp="1375354879#36" type="string">HOUSTON</value>
          <value timestamp="1408446289#7" type="string">CYPRESS</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>

The key XML attribute to notice is that from-reset="true" is present on the <modify> element; the reset arrives as a <remove-all-values/> followed by an <add-value> carrying the complete value set.

26-Aug-2014 15:16
2014-08-26#

Flow of a Password Flow From Active Directory to eDirectory#

28-Jul-2014 13:43
2014-07-28#

DirXML Error in Microsoft Active Directory Driver#

Mapping:

  • L-l
  • S-st

Note that st on Microsoft Active Directory is defined as:

( 2.5.4.8 NAME 'st' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

and on eDirectory:

( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} X-NDS_NAME 'S' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )

And l on Microsoft Active Directory is defined as:

( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

and on eDirectory:

( 2.5.4.7 NAME ( 'l' 'localityname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} X-NDS_NAME 'L' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )

So the issue is that these attributes are single-valued on Microsoft Active Directory and multi-valued on eDirectory.

As the Filter's merge authority is left at Default, there is an attempt to merge the values on AD, which results in an error.

AFAIK, if the filter's merge authority were set to IDV (Identity Vault), the problem would be solved. (I did it, just did not save it.)

Or we could use the rule "Handle Multi-to-single valued conversions".

Input document:

    <modify cached-time="20140728110308.012Z" class-name="user" event-id="idv01#20140728110308#4#1:ff02b957-77d2-45a6-fe86-57b902ffd277" qualified-src-dn="dc=net\dc=willekedir\OU=people\OU=Int\uniqueID=tungals1" src-dn="\NWPROD\net\willekedir\people\Int\tungals1" src-entry-id="162887" timestamp="1406545375#9">
      <association state="associated">79fd787a59f8554a843804aa376de0c5</association>
      <modify-attr attr-name="st">
        <add-value>
          <value timestamp="1406545375#8" type="string">OH</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="l">
        <add-value>
          <value timestamp="1406545375#9" type="string">DUBLIN</value>
        </add-value>
      </modify-attr>
    </modify>

Produced this DirXML error with the LDAP error:

  <output>
    <status event-id="idv01#20140728110308#4#1:ff02b957-77d2-45a6-fe86-57b902ffd277" level="error" type="driver-general">
      <ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
        <client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
        <server-err>00002081: AtrErr: DSID-030F154F, #1:
        0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 8 (st)</server-err>
        <server-err-ex win32-rc="8321"/>
      </ldap-err>
    </status>
  </output>

LDAP_ATTRIBUTE_OR_VALUE_EXISTS (rc 20) implies there is already a value for Att 8 (st); because st is single-valued on AD, adding a second value is rejected rather than merged.
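An added example, not code from the driver or from this page, that covers both this entry and the from-reset entry above: it parses the quoted LDAP attributeType definitions to find SINGLE-VALUE attributes, walks an XDS <modify> document, and reports each <modify-attr> that a single-valued AD target will reject before the driver ever sees rc 20. It then applies the multi-to-single-valued conversion mentioned above, rewriting the modify as <remove-all-values/> plus the single most recent value. The schema lines and both documents are copied from the page; the L-to-l and S-to-st mapping is the one listed in this entry.

```python
"""Added example: predict the single-valued conflict above from the schema and the XDS
document, and apply the multi-to-single-valued conversion. Standard library only; the
schema text and documents are copied from this entry and the from-reset entry above."""
import re
import xml.etree.ElementTree as ET

# Schema mapping used by the driver in this entry: eDirectory name -> Active Directory name
SCHEMA_MAP = {"L": "l", "S": "st"}

# The two Active Directory definitions quoted above (AD quotes the SYNTAX OID, eDirectory does not)
AD_SCHEMA = """
( 2.5.4.8 NAME 'st' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
"""

# Subscriber documents: the from-reset entry (two values for L) and the one above (st and l)
RESET_DOC = r"""<input>
  <modify class-name="User" from-reset="true" src-dn="net\willeke\people\Int\molly1" src-entry-id="203791">
    <association>19e01092f77c1741914fd10fd4a5aa79</association>
    <modify-attr attr-name="L">
      <remove-all-values/>
      <add-value>
        <value timestamp="1375354879#36" type="string">HOUSTON</value>
        <value timestamp="1408446289#7" type="string">CYPRESS</value>
      </add-value>
    </modify-attr>
  </modify>
</input>"""

AD_DOC = r"""<modify class-name="user" src-dn="\NWPROD\net\willekedir\people\Int\tungals1" src-entry-id="162887">
  <association state="associated">79fd787a59f8554a843804aa376de0c5</association>
  <modify-attr attr-name="st"><add-value><value timestamp="1406545375#8" type="string">OH</value></add-value></modify-attr>
  <modify-attr attr-name="l"><add-value><value timestamp="1406545375#9" type="string">DUBLIN</value></add-value></modify-attr>
</modify>"""


def parse_single_valued(schema_text):
    """Return the lower-cased names of every attributeType whose definition says SINGLE-VALUE.
    Handles both NAME 'st' and NAME ( 'st' 'stateOrProvinceName' )."""
    single = set()
    for line in schema_text.splitlines():
        m = re.search(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))", line)
        if m and re.search(r"\bSINGLE-VALUE\b", line):
            names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
            single.update(n.lower() for n in names)
    return single


def _target(mod, attr_map):
    name = mod.get("attr-name")
    return attr_map.get(name, name).lower()


def check_modify(xds_xml, single_valued, attr_map=SCHEMA_MAP):
    """List (attr, reason) for each modify-attr that a single-valued target will reject:
    more than one value, or an add without <remove-all-values/>, which AD answers with
    LDAP_ATTRIBUTE_OR_VALUE_EXISTS (rc 20) whenever a value is already present."""
    problems = []
    for mod in ET.fromstring(xds_xml).iter("modify-attr"):
        target = _target(mod, attr_map)
        if target not in single_valued:
            continue
        values = mod.findall("./add-value/value")
        if len(values) > 1:
            problems.append((target, f"{len(values)} values for a single-valued attribute"))
        elif values and mod.find("remove-all-values") is None:
            problems.append((target, "add without remove-all-values; rc 20 if a value exists"))
    return problems


def to_single_valued(xds_xml, single_valued, attr_map=SCHEMA_MAP):
    """Rewrite offending modify-attrs as <remove-all-values/> plus the single most recent
    value (highest timestamp), the shape a single-valued AD attribute accepts."""
    root = ET.fromstring(xds_xml)
    for mod in list(root.iter("modify-attr")):
        values = mod.findall("./add-value/value")
        if _target(mod, attr_map) not in single_valued or not values:
            continue
        keep = max(values, key=lambda v: int(v.get("timestamp", "0").split("#")[0]))
        for child in list(mod):
            mod.remove(child)
        ET.SubElement(mod, "remove-all-values")
        ET.SubElement(mod, "add-value").append(keep)
    return ET.tostring(root, encoding="unicode")
```

On the from-reset document the check flags l with two values (HOUSTON and CYPRESS cannot both go into a single-valued attribute); on the document above it flags st and l as adds without a preceding remove-all-values, which is exactly the situation that produced the rc 20 status. After to_single_valued both documents pass the check, and the reset document keeps only CYPRESS, the value with the later timestamp.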

21-Apr-2013 08:58
Developing a Spring 3 Framework MVC application step by step tutorial#
I have spent hours and hours working on trying to understand and work with Spring.

I have figured out there are some advantages; but, I consider Spring "Fragile".

It was supposed to be, in the beginning, a simpler way than J2EE. I am not sure that is any longer true.

Tutorials#

I have done many of the Tutorials for Spring. At least half of them fail. Usually, they fail due to the complexities of the many dependencies required for Spring to operate.

Generally, Spring hides a lot of these dependencies by using Maven, which, when it works, is wonderful, but Maven too is still a complex implementation.

Simple Spring Tutorial#

I found this Simple Spring Tutorial that worked and it was helpful. I think the reason it worked is that it is simple. It gets the points of Spring across.

The Simple Spring Tutorial still asks you to go to: "Download the latest version of Spring framework binaries from http://www.springsource.org/download".

They mention they used spring-framework-3.1.0.M2.zip for the Tutorial. Of course, when you go there, the distribution is "spring-framework-3.2.2.RELEASE-dist.zip".

But, you can, if you hunt, find the "spring-framework-3.1.0.M2.zip" files.

This one worked, or at least, I could make it work with a little effort. The Simple Spring Tutorial was posted on July 15, 2012, which is only 9 months ago. I wonder if it will work in 12 months?

Developing a Spring 3 Framework MVC application step by step tutorial#

We got through the simple one, let us try something bigger.

You are instructed to: Download all Spring Framework JAR from here. The current release shown there is "spring-framework-3.2.2.RELEASE-dist.zip".

Then you are instructed these are the "Required Jars :"

  • commons-logging-1.1.1.jar - Well, this is not part of the "here" download, but I knew what he meant. Do you?
  • hsqldb.jar (Used for HSQLDB) - Well, this is not part of the "here" download either. I hunted it down.
  • org.springframework.aop-3.1.1.RELEASE.jar - I found: spring-aop-3.2.2.RELEASE.jar
  • org.springframework.asm-3.1.1.RELEASE.jar - Never did find this in the 3.2.2
  • org.springframework.beans-3.1.1.RELEASE.jar - I found spring-beans-3.2.2.RELEASE.jar
  • org.springframework.context-3.1.1.RELEASE.jar - Found: spring-context-3.2.2.RELEASE.jar
  • org.springframework.core-3.1.1.RELEASE.jar - Found: spring-core-3.2.2.RELEASE.jar
  • org.springframework.expression-3.1.1.RELEASE.jar - Found: spring-expression-3.2.2.RELEASE.jar
  • org.springframework.jdbc-3.1.1.RELEASE.jar - Found: spring-jdbc-3.2.2.RELEASE.jar
  • org.springframework.transaction-3.1.1.RELEASE.jar - Found: spring-tx-3.2.2.RELEASE.jar (Well, it was the only one that looked close)
  • org.springframework.web-3.1.1.RELEASE.jar - Found: spring-web-3.2.2.RELEASE.jar
  • org.springframework.web.servlet-3.1.1.RELEASE.jar - Never did find this in the 3.2.2

So what is a person learning Spring supposed to do? Well, I downloaded the "old" 3.1.1 release. All the jars are present.

Issues with Developing a Spring 3 Framework MVC application step by step tutorial#

I did find a couple of issues with the Developing a Spring 3 Framework MVC application step by step tutorial.

The application does not run. I requested the source code to see if there are typos or ???.

Created the SpringJdbcDao Interface as follows:

package com.dao;

public interface SpringJdbcDao
{
}
For some reason the author implied it was not required "because it doesn’t contain any special code". I guess newbies are supposed to know how to create the file.

In the "JBTJdbcController", the line:

 mfssService.insertMfssMemDts(vngmem);
Should be:
mfssService.insertMemDts(vngmem);

In the dispatcher-servlet.xml file:

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
Should be:
TBD

In the "SpringJdbcDaoImpl.java" file, the line:

return springJdbcDao.searchMemDts(vngmem);
Shows as an un-implemented method in 'SpringJdbcDaoImpl'.

The Problem#

The fact that an application written a year ago will not run on the current release implies to me there is a problem. With security issues being revealed all the time, there is a demand to upgrade to the "latest" versions. With Spring, this could cause a re-write of the application.

If my premise is true, then I know how this works in a large organization. Instead of being agile, the management of "Fragile" applications, due to fear, puts out the sentiment of "Do not touch it" unless we have to.

Am I missing Something?#

Let me qualify. I am not a fulltime developer. Though I have written a lot of applications, they are not complex enterprise applications that "Developers" work on everyday.

But it sure seems to me that Spring has become very complex and now has all the issues of J2EE that it was intended to solve.

Or am I missing something?

29-Jul-2012 08:01
OS X Mountain Lion#
The upgrade appeared to be painless. Well, except for the 4+ hours of download and installation time.

Things that Did Not Work#

  • Eclipse - See below
  • NeoOffice - Got warning on launching to upgrade. Upgraded to the 3.3 Beta 2 and it launched.
  • Java - REMOVED Java 1.6 from my machine!#@$()*(*@Y$%

Things that Are Still Broken#

  • Time Machine - Still wants to back up when I am using the machine. Still Just Plain Stupid!

Eclipse#

Launching Eclipse reveals "To open “Eclipse.app,” you need a Java SE 6 runtime. Would you like to install one now?" Checking Java reveals:
java -version
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b21)
Java HotSpot(TM) 64-Bit Server VM (build 23.0-b21, mixed mode)

Check Eclipse for new Downloads and see that Juno (version 4.2) is available. Download the package and launch Eclipse and get the same error.

Found a link which says to accept and install it. Not sure I really care about Java 1.6, but I may need it and I really do not want to mess with this any longer.

Well this worked, but now, as expected, my default Java is now 1.6.

15-Jul-2012 18:01
Jalbum and Server Mode#
I have been using Jalbum in normal and "server mode" for several years.

We keep our security camera JPGs organized using a combination of bash scripts and Jalbum.

Jalbum Reference#

http://jalbum.net/en/help/manuals/console-mode

You can find the parameters from the command:

java -jar JAlbum.jar -help
jAlbum v10.2.1 started in console mode

Options and their default values:
-characterEncoding 
-ftpForceUTF8 false
-skin Turtle
-excludeByDefault false
-imageLinking LinkScaled
-projectFile 
-directory 
-scalingMethod ScaleMedium
-metaData true
-thumbSize 124x124
-exifUserComment true
-updatedDirsOnly false
-classicReaders false
-cpuCores 8
-copyOriginals true
-thumbnailPrefix 
-urlEncode false
-customImageOrdering 
-ftpServer 
-webPassword 
-closeupPrefix 
-remoteDirectory album
-slides true
-writeUTF8 true
-showInRecentAlbumsList true
-visibleOnProfilePage true
-widgetInjection true
-closeupDirectory slides
-smartUpload 
-outputDirectory album
-skinsDirectory /usr/share/jalbum/skins
-ftpPort 21
-slideDirectory slides
-runTool 
-reverseOrder false
-uploadAll 
-remoteFS info.cqs.remotefs.RemoteFSBean@40110c31
-imageSize 640x480
-hiResDirectory hi-res
-internalVersion 10.2.1
-hardwareScaling false
-pageExtension .html
-subdirs true
-ftpUser 
-useThumbForFolderIcon true
-keepMetaData false
-iptcCaption true
-textEncoding UTF-8
-ignorePattern \..*
-style Black.css
-includeHiResImages true
-accountProfileName 
-includeDirectories true
-qualityPercent 85
-passiveMode true
-pageNamer 
-jpegComment false
-rows 4
-baseDirectory 
-displayVersion 10
-protocol ftp
-makeThumbs true
-albumWidth 560
-dateFormat 
-imageBackgroundColor #ffffff
-suppressIEWarnings true
-textFileComment true
-resourceDirectory res
-exifImageDescription false
-thumbnailDirectory thumbs
-readXmp true
-mediaRSS true
-albumHeight 420
-sharpenPercent 25
-highQualityThumbs true
-indexPageName index
-excludeBacklinks false
-connected false
-myjalbum false
-programDirectory /usr/share/jalbum
-highThumbnailCompressionQuality false
-superimposeFilmIcon true
-directoriesFirst true
-includePattern 
-skinProperties 
-imageOrdering OrderByDate
-titleSource IPTCObjectName
-cols 6
-notifyFollowers true
-ftpPassword 
-progressiveMode false
-user.<your variable> <value>
Required arguments are -directory and (-outputDirectory or -sameDirectory)
Elapsed time: 0.316s
15-Jul-2012 10:22
2012-07-15#
Just some notes on today.

« This page (revision-2) was last changed on 15-Jul-2012 10:21 by jim