Archive for May, 2010

Identity Abuzz: Notes from IIW10

I spent two days at the Internet Identity Workshop 10. IIW events are set in an open space, unconference style. True to its workshop designation, it’s a place to do work collegially. It’s not a place to give scholarly papers or some polished slide gesticulation.

I list below the topics I engaged with at IIW10, in a similarly frugal style. They complete the sweep of the Identosphere that I had started here.

OAuth 2.0 – The authors clarified several points in the specification (is the refresh token entirely optional? yes) and kindly requested help to turn the I-D into an RFC that can pass muster with the IETF security directorate (especially for the security considerations section);

UMA – User Managed Access provides a method for a user to control access to her resources, wherever they might be. For this, UMA defines an authorization manager. The authorization manager reacts to requests by online services acting on a user’s behalf and makes access decisions based on user policy. My colleague and identity extraordinaire Eve Maler is a leading force behind this effort. UMA is set to leverage OAuth 2.0 and various card and token technologies. I saw the demo of a UMA system built by the SMART team at Newcastle University;

Personal Data Stores (PDS) and an internetwork of PDS (PDX for Personal Data eXchange) using XDI-like protocols;

OpenID Connect – It combines OpenID federated login with OAuth 2.0 access authorization;

PingPong IdP Discovery 1.0 – We all advocate the freedom to register with one or more Identity Providers (IdP) among many available. As such, we need a protocol to assist in the IdP discovery and thus determine which IdP(s) can authenticate a given user;

Mozilla’s account manager – This work exemplifies identity in the browser. Unlike password managers, it includes ways for a site to advertise to the browser multiple styles of identity artifact (e.g. OpenID, InfoCards, or plain old passwords) and the current state (signed in or not);

A meta-point: These identity systems are distributed systems and, not surprisingly, pose the same challenges as any other distributed system: get the naming rules right, identify and manage all dependencies, spell out consistency requirements and the companion failure semantics, etc.


Living scale

Today is a white stone day for microbiologists, science, and all of us. Craig Venter and team have successfully created a new species “whose parent is the computer” (in Venter’s words). Their fabricated cells are capable of continuous self-replication and have already replicated several billion times. It is quite a new benchmark for a man-made scale out. This breakthrough ushers us in a new era much like the invention of steam engines and silicon chips did.

Around 2005 or 2006, I met some microbiologists at a Grid Computing meeting. In a chat over dinner, they told us that in five years or so we would be hearing of some folks playing jr. God in a lab. Were they right!

As the Manhattan Project scientists found out in their time, with power come responsibilities. Today’s breakthrough is bound to stir up some strong debate around bioethics.

NOTE: This week’s Economist issue has a great op-ed, a briefing article, and a cool cover too.


Identity Abuzz: OAuth

The community concerned with identity on the Web has had a very hectic month of April. Identity is the bedrock foundation of anything social – think 3rd-party value-add services rooted in the social graph that any one of Twitter, Facebook, LinkedIn, etc. exposes and promotes access to. Among various events, I single out Facebook’s F8 event as the catalyst for several announcements and specs that came out this month.

The emerging OAuth protocol is one of the most interesting sights in the Identosphere. OAuth enables 3rd party access to web resources without propagating or sharing passwords. It has been likened to a valet key, in that resource owners can delegate access along with an envelope of authorized actions.

I have been interested in OAuth for quite some time because it holds potential:

  • to stop the password sprawl and make it less likely that passwords will be mishandled, either in users’ hands or in the back-end of some poorly managed IT or Clouds (as I observed here in the case of smartphones)
  • to curb phishing vectors by way of branded sign-in pages that the user is redirected to in a seamless user experience
  • to bring devices that are data-entry impaired (like my beloved Roku box) back into the fold of dependable authentication

The OAuth chronology goes like this:

  • Dec ‘07, OAuth 1.0 debuts
  • Vulns documented
  • June ‘09, OAuth 1.0a is introduced addressing vulns
  • Shortly afterwards, OAuth 1.0a implementations become available, chiefly Twitter’s
  • OAuth 1.0a is demonstrated on the iPhone platform, with applications like Flickit
  • May 2009, IETF OAuth Working Group is chartered in the IETF
  • November 2009, folks from Microsoft, Google and Yahoo introduce the OAuth Web Resource Authorization Protocol (WRAP) and contribute it to the IETF. Chiefly, it standardizes on the creation and propagation of tokens over SSL (in lieu of signatures). Also, it codifies a number of use cases and roles. By far, I found this to be the best-written spec in the whole OAuth document series
  • April 2010, OAuth 1.1 becomes RFC 5849
  • April 2010, OAuth WRAP implementations are announced
  • April 2010, the first revision of the OAuth 2.0 Internet Draft is released; it builds upon both OAuth 1.0a and OAuth WRAP

I’m eager to see how OAuth will fare vis-à-vis these challenges:

  • What impact: Will the OAuth protocol be universally implemented to the letter of the emerging IETF standard? Or will there be dialects, each producing an island of interoperability around a specific social graph like Twitter’s, Facebook’s, LinkedIn’s, etc.
  • Set proper expectations: OAuth will not rid us of phishing. There will still be rogue clients and exploits of the client callback URL. However, the risks will provably be contained to losing the token in lieu of the password (the former being lower-grade security material than the latter)
  • Withstand cross currents: XAuth (also announced in April!) and browser-specific solutions like Mozilla’s Account Manager pitch radically different solution points to the web identity challenge
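To make the valet-key point and the callback-URL caveat above concrete, here is an added toy model of an OAuth 2.0 authorization-code grant (my own illustration, not code from any OAuth spec or implementation). Client ids, redirect URIs, scopes and the owner password are constructed values; the exact-match redirect check and the scope/expiry check are the two defensive controls that bound what a leaked token can do compared to a leaked password.

```python
import secrets
import time

# Constructed client registry (hypothetical values): the authorization server
# learns each client's exact redirect URI at registration time.
CLIENTS = {
    "photo-printer": {"redirect_uri": "https://printer.example/cb"},
}
RESOURCE_OWNER_PASSWORD = "owner-secret"  # stays at the authorization server

_codes = {}    # authorization code -> (client_id, granted scope)
_tokens = {}   # access token -> (granted scope, expiry timestamp)


def authorize(client_id, redirect_uri, scope):
    """Owner approves a scoped grant; returns a one-time code, or None.
    The redirect URI must equal the registered one exactly, which is the
    check that blunts tampering with the client callback URL."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, frozenset(scope))
    return code


def exchange_code(client_id, code, ttl=3600):
    """Client swaps the one-time code for a bearer access token bound to
    the scope the owner granted. The code cannot be replayed."""
    entry = _codes.pop(code, None)
    if entry is None or entry[0] != client_id:
        return None
    token = secrets.token_urlsafe(24)
    _tokens[token] = (entry[1], time.time() + ttl)
    return token


def access_resource(token, action, now=None):
    """Resource server: honor the token only for actions inside its scope
    and before expiry. A leaked token is worth at most this much, whereas
    a leaked password is worth everything the owner can do."""
    entry = _tokens.get(token)
    if entry is None:
        return "denied"
    scope, expiry = entry
    current = time.time() if now is None else now
    if current >= expiry:
        return "expired"
    return "ok" if action in scope else "out-of-scope"
```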

I look forward to being at the Internet Identity unConference, May 17-19th, in Mtn View.
