IdentityCube: Domenico Catalano's Blog on three dimensional digital Identity<br />
<h3>Italia Login as Citizen Life Management Platform (2015-04-14)</h3>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="-webkit-text-stroke-color: rgb(0, 0, 0);">
Italia Login promises to be the most innovative government platform for citizens, also called “the home for citizens”. This project is part of a set of accelerator initiatives to support Italy’s digital growth over the next 5 years.<br />Italia Login will provide an integrated API platform and supporting technologies which allow better joint participation of the public and private sectors in developing added-value services for citizens and enterprises.<br />The following diagram shows a high-level model of the planned Italia Login interactions (extracted from these <a href="http://www.governo.it/GovernoInforma/Dossier/crescita_digitale/banda_ultralarga_crescitadigitale_slide.pdf">governo.it slides</a>).</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYzWD3IAKhmdikOgOMlJAfP9hx7tTzOfskuXnlbJNb_qoQaYR_VAZd6-7wH6t7iJew09m5V6AMteGM1-HTW1yV-mJWMWmlQ_UdZ8WIFjqW3ZytxYWER1_cuUs7-T5uXfdmeTaW5L91NYo/s1600/ItaliaLogin_blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYzWD3IAKhmdikOgOMlJAfP9hx7tTzOfskuXnlbJNb_qoQaYR_VAZd6-7wH6t7iJew09m5V6AMteGM1-HTW1yV-mJWMWmlQ_UdZ8WIFjqW3ZytxYWER1_cuUs7-T5uXfdmeTaW5L91NYo/s1600/ItaliaLogin_blog.png" height="188" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Citizens will log in to Italia Login using their digital identity (managed by an Identity Provider that is compliant with SPID, the <a href="http://identitycube.blogspot.it/2014/12/the-italian-digital-identity-initiative.html">Public System for digital identity</a>), and will then be able to access any app, provided by the public or private sector, based on their profile.<div>
<br /></div>
<div>
From a design standpoint, Italia Login shows many similarities with the Life Management Platform concept introduced in Kuppinger-Cole's advisory note (see details <a href="http://www.kuppingercole.com/report/advisorylifemanagementplatforms7060813412">here</a>). A Life Management Platform aims to let individuals consolidate all relevant online data from their lives, and provides tools to manage the essential information of every person’s life and make it usable for other parties.<br /><div>
<br />
<b>Consider the following use case:</b><br />
A citizen needs to enroll his child, through an online service, in an elementary school that offers subsidized school meals to children whose parents are eligible for the subsidy.<br />The enrollment process requires the citizen's personal details and documents about the family's situation, which must be issued by another agency (in this case, the National Social Insurance Agency).<br />The document attesting to the parents’ economic situation is necessary to demonstrate eligibility for the subsidy.<br />The main requirements for this use case are the ability to centralize access to distributed resources (personal financial details) and to enable a data sharing mechanism between the producer of the details (the agency) and the service consumer (the school enrollment application).<br />Italia Login can provide the essential platform for sharing personal data among distributed online services, with the goal of supporting advanced online services for citizens.<br /><br /><b>Challenges to mitigate risks</b><br />Unlocking the value of personal data in a decentralized and distributed network requires new approaches to protection and security, accountability, and rights and responsibilities for managing user data, which can be summarized as follows:<br /><ul style="text-align: left;">
<li>Provide a new approach to protect and secure decentralized and distributed resources. </li>
<li>Provide the ability to know who has data about you, and where the data is located. </li>
<li>Provide a new approach that helps individuals understand how and when data is collected. </li>
<li>Empower individuals more effectively and efficiently. </li>
</ul>
<br /><b>Applying the User-Managed Access (UMA) model to the Italia Login Platform</b><br /><a href="https://docs.kantarainitiative.org/uma/draft-uma-core.html">User-Managed Access (UMA) is a profile of OAuth 2.0</a>. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies.<br /><br />UMA provides the functions that empower the individual to make choices about the control of, and access to, their data.</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYCzGsVV0TYpRkZC8sBgR8Sm4a9PzJhpA5-_qdlgMvCbZA322uPHs3RvX6C_93avG2SZt29TbZ-mW1j5BgGUYRf4GEDqNUCUX7x4j264iJ8wc053Inhs2F3f_YhAWpSVxxBqWfymD2c00/s1600/ItaliaLogin_UMA_model.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYCzGsVV0TYpRkZC8sBgR8Sm4a9PzJhpA5-_qdlgMvCbZA322uPHs3RvX6C_93avG2SZt29TbZ-mW1j5BgGUYRf4GEDqNUCUX7x4j264iJ8wc053Inhs2F3f_YhAWpSVxxBqWfymD2c00/s1600/ItaliaLogin_UMA_model.png" height="270" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The following scenario shows how UMA can be applied to address these challenges and enable a citizen life management platform:<br /><ol style="text-align: left;">
<li>The citizen logs in (using SPID credentials) at the resource server, which exposes the resource/API for accessing the “Financial Status”. </li>
<li>The citizen decides to share the resource with the Italia Login platform (using a dedicated button at the resource server), enabling delegated authorization for the resource. </li>
<li>The “Financial Status” resource is now under the citizen's control at the Italia Login platform as a “protected resource”: any attempt by an autonomous third-party app to access the resource must be authorized by the user, without the need to share any credentials. </li>
<li>Italia Login, providing an application and API ecosystem, allows a third party (e.g. the Elementary School App) to access a remote resource (e.g. “Financial Status”) through the protected API. </li>
<li>At this point the enrollment process can be initiated by the citizen, who launches the Elementary School App; the app starts by requesting consent to access the remote resource (Financial Status). </li>
<li>The Elementary School App acts as a Client for the remote resource and is able to access the information needed to apply for the subsidized condition, based on the citizen’s Financial Status. </li>
<li>In order to create a trust relationship between the Client and the Resource Server, the Client must be authorized by proving specific “trusted claims”, leveraging the SPID infrastructure (using OpenID Connect claims or SAML-based attributes), which are evaluated by the Italia Login platform acting as Authorization Server. </li>
</ol>
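The seven steps above, modelled end to end as an added example (this is not code from the original post, from Italia Login or from SPID): the agency is the Resource Server, Italia Login the Authorization Server and the school app the Client; the claim names, scope names and policy shape are assumptions.<br />

```python
"""Toy model of the UMA 1.0 flow in the seven steps above (added example; not code
from the original post, Italia Login or SPID). Role mapping: the National Social
Insurance Agency is the Resource Server (RS) holding "Financial Status", Italia Login
is the Authorization Server (AS), the Elementary School App is the Client and the
citizen is the Resource Owner. Claim names, scope names and policy shape are assumed."""
import secrets
import time


class AuthorizationServer:
    """Italia Login as UMA AS: resource registry, permission tickets, policy
    evaluation on trusted (SPID-verified) claims, RPT issuance and introspection."""

    def __init__(self):
        self.resources = {}  # resource_id -> {"owner", "name", "scopes"}
        self.tickets = {}    # permission ticket -> {"resource_id", "scopes"}
        self.policies = {}   # resource_id -> {"claims", "scopes"} set by the owner
        self.rpts = {}       # RPT -> {"permissions", "exp"}

    def register_resource(self, owner, name, scopes):
        # Steps 2-3: the RS registers the resource the citizen chose to share.
        rid = "res_" + secrets.token_hex(4)
        self.resources[rid] = {"owner": owner, "name": name, "scopes": set(scopes)}
        return rid

    def set_policy(self, owner, rid, required_claims, scopes):
        # The resource owner decides which claims a client must prove, for which scopes.
        if self.resources[rid]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies[rid] = {"claims": dict(required_claims), "scopes": set(scopes)}

    def request_permission(self, rid, scopes):
        # Step 5: the RS asks the AS for a permission ticket on the client's behalf.
        if not set(scopes) <= self.resources[rid]["scopes"]:
            raise ValueError("unknown scope for this resource")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource_id": rid, "scopes": set(scopes)}
        return ticket

    def issue_rpt(self, ticket, verified_claims):
        # Step 7: the client redeems the ticket with claims the AS trusts (in the
        # post: SPID-backed OpenID Connect claims or SAML attributes).
        perm = self.tickets.pop(ticket, None)  # tickets are single-use
        policy = self.policies.get(perm["resource_id"]) if perm else None
        if policy is None:
            return None  # unknown/replayed ticket, or no policy: access denied
        if any(verified_claims.get(k) != v for k, v in policy["claims"].items()):
            return None  # a required claim is missing or has the wrong value
        if not perm["scopes"] <= policy["scopes"]:
            return None  # more access requested than the owner allows
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"exp": time.time() + 300, "permissions": [
            {"resource_id": perm["resource_id"], "scopes": sorted(perm["scopes"])}]}
        return rpt

    def introspect(self, rpt):
        info = self.rpts.get(rpt)
        if info is None or info["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "permissions": info["permissions"]}


class ResourceServer:
    """The agency exposing the Financial Status API, protected by the AS."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.data = {}  # resource_id -> payload

    def share_with_platform(self, owner, payload):
        # Step 2: the citizen presses the "share" button at the RS.
        rid = self.auth.register_resource(owner, "Financial Status", ["read"])
        self.data[rid] = payload
        return rid

    def get_financial_status(self, rid, rpt=None):
        # Steps 4-6: returns (status, body). 403 carries a fresh permission ticket
        # plus the AS location; 200 carries the resource once the RPT proves "read".
        if rpt is not None:
            info = self.auth.introspect(rpt)
            if info["active"] and any(p["resource_id"] == rid and "read" in p["scopes"]
                                      for p in info["permissions"]):
                return 200, self.data[rid]
        ticket = self.auth.request_permission(rid, ["read"])
        return 403, {"ticket": ticket, "as_uri": "https://italialogin.example/as"}


def run_scenario():
    # Walks the scenario; returns (RPT outcome for an untrusted app, final access).
    italia_login = AuthorizationServer()
    agency = ResourceServer(italia_login)
    rid = agency.share_with_platform("alice", {"eligible_for_subsidy": True})
    school = {"client_type": "elementary_school", "accredited": True}
    italia_login.set_policy("alice", rid, school, ["read"])
    _, body = agency.get_financial_status(rid)  # an app without the trusted claims
    refused = italia_login.issue_rpt(body["ticket"], {"client_type": "ad_network"})
    _, body = agency.get_financial_status(rid)  # the accredited school app:
    rpt = italia_login.issue_rpt(body["ticket"], school)  # ticket -> claims -> RPT
    return refused, agency.get_financial_status(rid, rpt)
```

The point to notice is that the client never sees the citizen's credentials: it only ever holds a single-use ticket and an RPT whose scope the owner's policy bounds.<br />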
As the above diagram shows, UMA can play a fundamental role in protecting distributed resources with a centralized approach, leveraging the identity ecosystem (SPID), where the user is able to control personal information within an API ecosystem that enables new opportunities based on the <a href="http://en.wikipedia.org/wiki/Sharing_economy">sharing economy</a> paradigm.<br /><br /><b>About UMA</b><br />User-Managed Access Work Group at Kantara Initiative: <a href="http://kantarainitiative.org/confluence/display/uma/Home">wiki page</a>.<br />User-Managed Access (UMA) Version 1.0 has been approved with unanimous member support as a <a href="https://kantarainitiative.org/uma-approved-v1-0/">Kantara Initiative Recommendation</a>, the highest level of technical standardization Kantara Initiative can award.<br />User-Managed Access was <a href="https://kantarainitiative.org/uma-takes-home-award-from-eic-2014/">awarded the 2014 Best Innovation</a> in Information Security Award by the European Identity & Cloud Conference (EIC 2014, Munich).</div>
</div>
<h3>SPID and User Perspective about Privacy (2015-02-20)</h3>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYZbELTMTy9OETAu_wtPydc7a6f47IyyayxwtfVVg-O_dKa9CzyRJi607QWK4egTrxb0eBkSiD9ixXC1IAX_-PN0p9I2aimIcndXIjxNsSAC9gg_iDIv_W_3wMolI4QIUSj2lJTZ5pDjU/s1600/iStock_000034294674Small.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYZbELTMTy9OETAu_wtPydc7a6f47IyyayxwtfVVg-O_dKa9CzyRJi607QWK4egTrxb0eBkSiD9ixXC1IAX_-PN0p9I2aimIcndXIjxNsSAC9gg_iDIv_W_3wMolI4QIUSj2lJTZ5pDjU/s1600/iStock_000034294674Small.jpg" height="132" width="200" /></a>In the last <a href="http://identitycube.blogspot.it/2014/12/the-italian-digital-identity-initiative.html">blog</a> post, I introduced the Italian Digital Identity Initiative, called SPID (<a href="http://www.agid.gov.it/agenda-digitale/infrastrutture-architetture/spid">Sistema Pubblico Identità Digitali</a>).<br />
<br />
Technically, SPID will provide an identity ecosystem for trusted digital identities based on a federated Identity Management system, where citizens can access public administration (or private) online services using trusted credentials, with the goal of improving accessibility, trust and online security.<br />
<br />
With SPID, from a user experience standpoint, when a user attempts to access an online service (Service Provider or Relying Party), he/she is redirected to an Identity Provider (IdP) for the authentication process.<br />
<br />
The mechanism is based on the <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security">SAMLv2</a> protocol, where the Service Provider (SP) initiates the process (SP-initiated SSO) by requesting an authentication assertion, with a specific level of assurance, from the Identity Provider. Once the user has authenticated, the IdP issues an authentication assertion to the SP.<br />
<br />
This approach introduces a potential issue for the user’s privacy: the direct interaction between the SP and the IdP allows the IdP to trace the user's transactions with online services, that is, the IdP knows which government (or private) services they are accessing. Considering that the Identity Providers will mainly be private companies, this can be a real threat to the user's privacy, which needs to be addressed with appropriate regulations and technical solutions.<br />
<br />
A possible approach to this problem, aimed at mitigating the user's privacy issue, is the Identity Hub model, which is used in other digital identity initiatives around the world, such as <a href="http://connect.gov/">Connect.Gov</a> (US) and <a href="https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify">Gov.UK Verify</a> (UK).<br />
<br />
<a href="http://www.connect.gov/how-it-works/">Connect.Gov</a>, for example, acts as a hub and is in charge of managing the communication between customers, online agency applications and Identity Providers. "The service allows customers to establish their identity in a secure, privacy-enhancing manner, while also providing government agencies assurance of valid customer identification."<br />
<div style="font-family: 'Helvetica Neue'; font-size: 13px;">
<br /></div>
<h3>The Italian Digital Identity Initiative: SPID (2014-12-15)</h3>
Last week the Decree of the President of the Council of Ministers (DPCM 24 ottobre 2014), setting out the rules for implementing the Italian Digital Identity Initiative, called "<b>Sistema Pubblico di Identità Digitale</b>" (SPID), was published in the <a href="http://www.gazzettaufficiale.it/eli/id/2014/12/09/14A09376/">Gazzetta Ufficiale</a>.<br />
<br />
<b>SPID</b> is a set of credentials for accessing public administration online services, and also private-sector online services (e.g. e-commerce companies) if they adhere to the initiative.<br />
<br />
SPID defines a <b>Federated Identity Management</b> system, based on the <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security">SAMLv2</a> standard, which involves Citizens, Service Providers (SP), Identity Providers (IdP), Attribute Providers (AA) and the <a href="http://www.agid.gov.it/">Digital Agency for Italy</a>, acting as accreditation and registry authority.<br />
The following picture describes the high-level architecture and the flow of SPID-based access to an online service.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz2AX9ITuMrt_dHyVgKPgERGCr6lIbt_RquOwQlKDto4uovP1ncJpfsivEQaERvNbV8yQ16PS_Oiu0WeIsNvOrAWooUQJVK6EYhd8bH9PyadHC80p5VfHQvibX9R2UgA85DTdRmcHrXMA/s1600/SPID_highlevel_architecture.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz2AX9ITuMrt_dHyVgKPgERGCr6lIbt_RquOwQlKDto4uovP1ncJpfsivEQaERvNbV8yQ16PS_Oiu0WeIsNvOrAWooUQJVK6EYhd8bH9PyadHC80p5VfHQvibX9R2UgA85DTdRmcHrXMA/s1600/SPID_highlevel_architecture.jpg" height="292" width="320" /></a><br />
<ol style="text-align: left;">
<li style="text-align: left;">Access request.</li>
<li style="text-align: left;">Redirect to Identity Provider.</li>
<li style="text-align: left;">Credential request.</li>
<li style="text-align: left;">Authentication.</li>
<li style="text-align: left;">Redirect to the Service Provider with the Authentication Assertion (SAMLv2).</li>
<li style="text-align: left;">Attributes request.</li>
<li style="text-align: left;">Response with verified attributes.</li>
</ol>
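Steps 1 to 5 above, and the SP-initiated SSO exchange described in the privacy post earlier on this page, as an added example of the checks an SP should apply to the IdP's assertion (this is not code from the original posts or from the SPID specifications; signature verification is assumed to be done beforehand by a signing library, and the entity IDs and assurance-level URIs are placeholders, not SPID's real values).<br />

```python
"""SP-side checks for the SP-initiated SSO flow SPID is based on (steps 1-5 above).
Added example; not code from the original posts or the SPID specifications.
Assumptions: XML-Signature verification has already been done by a signing
library, and the entity IDs and level-of-assurance URIs are placeholders,
not SPID's real values."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
LEVELS = ["urn:example:loa:1", "urn:example:loa:2", "urn:example:loa:3"]  # placeholders, weakest first
NOW = datetime(2015, 2, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock for the example
LATER = NOW + timedelta(minutes=10)


def iso(dt):
    # Fixed-format UTC timestamps, so validity bounds can be compared as strings.
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class ServiceProvider:
    def __init__(self, entity_id, acs_url, idp_entity_id):
        self.entity_id, self.acs_url, self.idp_entity_id = entity_id, acs_url, idp_entity_id
        self.pending = {}  # outstanding request ID -> required assurance level

    def build_authn_request(self, required_level, now):
        # Step 2: the SP redirects the user to the IdP with an AuthnRequest
        # asking for at least `required_level`.
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = required_level
        root = ET.Element("{%s}AuthnRequest" % NS["samlp"], ID=req_id, Version="2.0",
                          IssueInstant=iso(now), AssertionConsumerServiceURL=self.acs_url)
        ET.SubElement(root, "{%s}Issuer" % NS["saml"]).text = self.entity_id
        rac = ET.SubElement(root, "{%s}RequestedAuthnContext" % NS["samlp"], Comparison="minimum")
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"]).text = required_level
        return req_id, ET.tostring(root, encoding="unicode")

    def validate_response(self, xml_text, now):
        # Step 5: accept the assertion only if every binding check holds.
        # Returns (True, NameID) or (False, reason).
        root = ET.fromstring(xml_text)
        in_resp = root.get("InResponseTo")
        required = self.pending.pop(in_resp, None)  # exactly one Response per request
        if required is None:
            return False, "unknown or replayed InResponseTo"
        if root.get("Destination") != self.acs_url:
            return False, "Response addressed to another endpoint"
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            return False, "status is not Success"
        a = root.find("saml:Assertion", NS)
        if a is None or a.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            return False, "assertion missing or not issued by the trusted IdP"
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != self.acs_url or scd.get("InResponseTo") != in_resp:
            return False, "subject confirmation does not bind to this SP and request"
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (cond.get("NotBefore", "") <= iso(now) < cond.get("NotOnOrAfter", "")):
            return False, "assertion outside its validity window"
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != self.entity_id:
            return False, "audience is another SP"
        level = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                           namespaces=NS)
        if level not in LEVELS or LEVELS.index(level) < LEVELS.index(required):
            return False, "authentication level below the requested one"
        return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def build_idp_response(idp_entity_id, sp, in_response_to, level, now, audience=None):
    # Constructed stand-in for the IdP's Response (steps 3-5); no real IdP, no signature.
    t, later = iso(now), iso(now + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{t}"
    InResponseTo="{in_response_to}" Destination="{sp.acs_url}">
  <saml:Issuer>{idp_entity_id}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{t}">
    <saml:Issuer>{idp_entity_id}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>citizen-123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{sp.acs_url}"
            InResponseTo="{in_response_to}" NotOnOrAfter="{later}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{iso(now - timedelta(minutes=1))}" NotOnOrAfter="{later}">
      <saml:AudienceRestriction><saml:Audience>{audience or sp.entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{t}">
      <saml:AuthnContext><saml:AuthnContextClassRef>{level}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Each rejection reason corresponds to a binding the IdP's assertion must carry before the SP may trust it: the outstanding request, this SP's endpoint and audience, the validity window, and the assurance level the SP asked for.<br />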
<br />
The draft technical specification and interface definitions are available <a href="http://www.agid.gov.it/sites/default/files/regole_tecniche/bozza_specifica_delle_interfacce_spid.pdf">here</a> (in Italian).<br />
<br />
<br />
<h3>Protecting Personal Data in an IoT Network with UMA (2014-11-26)</h3>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZxfr-jAm7xpdj6yuHfflK6bgIOQzi1QGInUPEeHePhwnom5uP88IB4aDF6nZHRIfb0xQbDqna-Kj3Ow2XyRTw_v73MgO6XyGs2WGGdouQhyw2jrSzFJBqqkl2HvZzliMhB333Ytn7PgY/s1600/Photo_dublin.tiff" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZxfr-jAm7xpdj6yuHfflK6bgIOQzi1QGInUPEeHePhwnom5uP88IB4aDF6nZHRIfb0xQbDqna-Kj3Ow2XyRTw_v73MgO6XyGs2WGGdouQhyw2jrSzFJBqqkl2HvZzliMhB333Ytn7PgY/s1600/Photo_dublin.tiff" height="238" width="320" /></a>Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable only a few years ago.<br />
<div>
Networked devices and sensors make up the fabric of the Internet of Things (IoT). Leveraging mobile devices, sensors, and wearables is the future of identity and personal data.<br />
The risk in the use of personal data is the <i>loss of trust</i> between individuals and organizations.<br />
<blockquote class="tr_bq">
<span style="font-size: large;">"Fully 78% of consumers think it is hard to trust companies when it comes to use of their personal data."</span><br /><span style="font-size: x-small;">Orange, The Future of Digital Trust, 2014</span></blockquote>
Balancing individuals' privacy against unlocking innovation through new digital technologies requires a new approach to protecting personal data.<br />
The World Economic Forum has published an interesting report, "<a href="http://www3.weforum.org/docs/WEF_RethinkingPersonalData_ANewLens_Report_2014.pdf">Rethinking Personal Data: A New Lens for Strengthening Trust</a>", that addresses this requirement.<br />
</div>
<div>
<br />
<h4>
IoT complexity</h4>
</div>
<div>
<div>
The nature and complexity of the IoT environment are opening an interesting discussion about how authorization and access control mechanisms can be applied in this context. </div>
<div>
Compared with the classic definition of authorization, a process for granting a system entity approval to access a system resource, in an IoT environment we have to consider additional aspects and complexities (a non-exhaustive list): limited resources, decentralized and distributed networks, relationships between objects, and ownership. </div>
</div>
<div>
In order to show how <a href="https://kantarainitiative.org/confluence/display/uma/Home">UMA (User-Managed Access)</a> is suitable for addressing specific IoT requirements, we propose a healthcare scenario, which by its nature is well known for the strong presence of Internet of Things devices (medical devices), and which combines interesting security and privacy aspects related to patients’ data.<br />
<br />
<h3>
Patient-Centric Use Case</h3>
The following diagram represents a healthcare scenario related to a patient-centric use case.<br />
The doctor (Bob) is a user of the Patient Monitor (Resource Server). The patient (Alice) uses the bedside remote as a Client to access the Patient Monitor. Bob’s electronic stethoscope is an intelligent thing owned by Bob that can be temporarily paired with the patient monitor with Alice’s authorization. For safety, Bob’s stethoscope also has an RFID chip as a proximity sensor (Dumb Thing). <br />
<div>
<span style="font-family: Arial; font-size: 15px; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEPRRGyv_q1DvS415LGzU-1SWcmbW1HPHvBntXLAvTgdspYy-qoXXQIg_YgAkUOAcptNyzKdWZWrbccAEKZxoVSz1xYhfYKNpuVd-TRSW9yG3l_eldpcvFS0Om8lQPVwJxP9HnUBl_wog/s1600/UMA_IoT_usecase.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEPRRGyv_q1DvS415LGzU-1SWcmbW1HPHvBntXLAvTgdspYy-qoXXQIg_YgAkUOAcptNyzKdWZWrbccAEKZxoVSz1xYhfYKNpuVd-TRSW9yG3l_eldpcvFS0Om8lQPVwJxP9HnUBl_wog/s1600/UMA_IoT_usecase.tiff" height="208" width="400" /></a></div>
<br /></div>
<br /></div>
<div>
<h4>
Security and Privacy Goals</h4>
</div>
The following diagram describes the security domains across the whole authorization process and the actors involved in each domain, including IoT.<br />
<br />
In the scenario, UMA provides the fundamental capabilities to prevent unauthorized things from connecting to the Resource Server (Patient Monitor), and allows the patient to control, and have visibility into, the authorization and sharing of healthcare data. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyXhyphenhyphenFYyE2bOkx5VvsSup234HZg_S9egT6e-o3wxgXwVYcUigcpHNxm0H3fRyZk7DxZ9tSPIUc-AS3XN90lYzunjQE_P2iBvcBWdgWnomU4HiAbDwrjbWVYtKAlyD8dytVfnkrr1y1S98/s1600/UMA_IoT_sec_goals.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyXhyphenhyphenFYyE2bOkx5VvsSup234HZg_S9egT6e-o3wxgXwVYcUigcpHNxm0H3fRyZk7DxZ9tSPIUc-AS3XN90lYzunjQE_P2iBvcBWdgWnomU4HiAbDwrjbWVYtKAlyD8dytVfnkrr1y1S98/s1600/UMA_IoT_sec_goals.jpg" height="190" width="400" /></a></div>
<div>
<br /></div>
<div>
For more details about the use case and the UMA approach, please see the slideshare presentation (below), given at the <a href="http://irmsummit.com/europe/presentations/#Kantara-Initiative-Workshop">Kantara Initiative Workshop in Dublin</a> on 3 November 2014.<br />
<div style="text-align: center;">
<br /></div>
</div>
<div>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/42038749" style="border-width: 1px; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="425"> </iframe> </div>
<div style="margin-bottom: 5px;">
<br /></div>
<br />
<br /></div>
<h3>Enterprise Mobility: Secure Containerization (2014-07-10)</h3>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrCf8f5ANnNRwoxfJzZQjRRY9x227RtVaByBIoVM4vz1zE206SVO5EUhaWzAdf8rPB96plbYQyZOXa9lvwQNauKBAwfz5_1-R2F_IMq29e4AQC0ALnbRHmztKiRPN9N5ry_9OxzJ5RRZc/s1600/LaSapienza_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrCf8f5ANnNRwoxfJzZQjRRY9x227RtVaByBIoVM4vz1zE206SVO5EUhaWzAdf8rPB96plbYQyZOXa9lvwQNauKBAwfz5_1-R2F_IMq29e4AQC0ALnbRHmztKiRPN9N5ry_9OxzJ5RRZc/s1600/LaSapienza_logo.jpg" /></a><br />
<div style="font-family: 'Helvetica Neue'; font-size: 13px;">
Last week I presented at the event “<a href="http://w3.uniroma1.it/mastersicurezza/index.php/eventi/235-big-data-small-devices-sicurezza-in-un-mondo-senza-fili">Small Device - Big Data: sicurezza in un mondo senza fili</a>”, organized by the <a href="http://www.di.uniroma1.it/">Department of Computer Science</a> of the Sapienza University of Rome in connection with the Master in Information Security.</div>
<div style="font-family: 'Helvetica Neue'; font-size: 13px;">
<br /></div>
<div style="font-family: 'Helvetica Neue'; font-size: 13px;">
<div style="text-align: left;">
My speech was about enterprise mobility and the Bring Your Own Device (BYOD) paradigm. I introduced the new challenges related to enterprise mobility, the risks associated with mobile devices and the new security requirements that the enterprise needs to address, including the main aspects of secure containerization: application wrapping, secure communication, encryption at rest and data leakage prevention (see the slideshare presentation below).</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe frameborder="0" height="400" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/36828132" width="476"></iframe>
</div>
</div>
<h3>User-Managed Access awarded 2014 Best Innovation in Information Security (2014-06-23)</h3>
I'm happy to announce that <a href="https://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA)</a> has won the 2014 Best Innovation/New Standard in Information Security award from the <a href="http://www.id-conf.com/events/eic2014">European Identity & Cloud Conference (EIC)</a>. More details about the award are available on the <a href="https://kantarainitiative.org/uma-takes-home-award-from-eic-2014/">Kantara press release page</a>.<br />
<div>
<div style="text-align: left;">
Almost a year after I published a <a href="http://identitycube.blogspot.it/2013/06/user-managed-access-for-life-management.html">blog</a> post about how UMA can be applied to the Life Management Platforms (LMPs) concept, last May I presented this approach, together with Maciej Machulak, Vice-chair of the UMA WG (on the right in the picture below), at the European Identity and Cloud Conference (EIC) 2014, in the track session "<i><a href="http://www.id-conf.com/sessions/1268">Standards for an Open Life Management Infrastructure</a></i>", with the title "<b>User-Managed Access: key to Life Management Platforms</b>".</div>
During the session we gave a complete vision and an architectural approach showing how UMA fits very well with the new emerging trends related to Personal Clouds, and in particular to LMPs, as the authorisation system for an online personal data sharing model (see the slideshare below).<br />
<br />
<div style="text-align: center;">
I'm very happy to have helped the UMA WG receive the award!</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrjKSirTUbSTajexNgzlQJ52TlBvDIjvkmvq5t677XK4j3W49sxzTbfsmYrMd13QsZTa0HRYx-E2UboyEpbiHYsWJiMXQBOzBvPpQ7kUyz3s-gqRjOOQ-y_U3NCYEL_DvGu_ObM4zMWM/s1600/IMG_2816.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrjKSirTUbSTajexNgzlQJ52TlBvDIjvkmvq5t677XK4j3W49sxzTbfsmYrMd13QsZTa0HRYx-E2UboyEpbiHYsWJiMXQBOzBvPpQ7kUyz3s-gqRjOOQ-y_U3NCYEL_DvGu_ObM4zMWM/s1600/IMG_2816.jpg" height="300" width="400" /></a></div>
<br />
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/34740450" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="427"> </iframe> </div>
<div style="margin-bottom: 5px;">
<br /></div>
<br /></div>
<h3>User-Managed Access for Life Management Platforms (2013-06-06)</h3>
The concept of Life Management Platform (LMP) was introduced last year in Kuppinger-Cole's advisory note "<a href="http://www.kuppingercole.com/report/advisorylifemanagementplatforms7060813412">Life Management Platforms: Control and Privacy for Personal Data</a>".<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYT2FMLHMmn_7wTLvKwtj-usWyVuIs_6JfZsDz392mZkX6XBb1ZmsVHmvviHf-7JpJFetj6Nm1QLaGhkBO_Rs0CodjhwAJyKkcJbGLOwA6vEkCaoAj6Fgs0t9j-2PpHFxT1lM_6eNh_Sk/s1600/iStock_000009445280XSmall.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYT2FMLHMmn_7wTLvKwtj-usWyVuIs_6JfZsDz392mZkX6XBb1ZmsVHmvviHf-7JpJFetj6Nm1QLaGhkBO_Rs0CodjhwAJyKkcJbGLOwA6vEkCaoAj6Fgs0t9j-2PpHFxT1lM_6eNh_Sk/s200/iStock_000009445280XSmall.jpg" width="194" /></a>The platform concept provides the tools to manage the essential information of every person’s life and make it usable for other parties through privacy-enhanced applications, thus meeting privacy and security requirements.<br />
LMP is about Personal Information Sharing, which is an emerging trend in online personal daily-life activities, including interactions with financial credit, insurance, healthcare, etc.<br />
Very similar to concepts like <a href="http://personal-clouds.org/wiki/Main_Page">Personal Cloud</a> or Personal Data Store (PDS), LMP encourages individuals to control their own data, and in some respects it is close to the <a href="http://cyber.law.harvard.edu/projectvrm/Main_Page">Vendor Relationship Management (VRM) vision</a>.<br />
<div>
<br />
<div>
The key features of this new concept include:</div>
<div>
<ul>
<li>Secure store of the information</li>
<li>Granular access control for data</li>
<li>Information control remains with individual</li>
<li>Informed Pull and Controlled Push mechanisms for sharing data (see details below)</li>
</ul>
</div>
In the "<a href="http://identitycube.blogspot.it/2012/03/take-control-of-your-personal-data-uma.html">Take Control of your Personal Data: An UMA perspective</a>" blog post, I explained how the <a href="http://kantarainitiative.org/confluence/display/uma/Home">UMA protocol</a> (also see the <a href="http://docs.kantarainitiative.org/uma/draft-uma-core.html">UMA spec</a>) addresses the individual's privacy requirements in today's data sharing challenges, which include social networks, personal data stores, personal clouds and emerging participatory data stores.<br />
<i>UMA defines how an individual can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on the individual's policy.</i><br />
<div>
Because of these features, I think that the UMA protocol, which is an <a href="http://oauth.net/2/">OAuth</a> profile, is well suited to be part of a Life Management Platform for managing privacy and security requirements. (Also see the UMA case study on “<a href="http://kantarainitiative.org/confluence/display/uma/Case+Study:+Subscribing+to+a+Friend">subscribing to a friend’s personal cloud</a>”.)</div>
<div>
<div>
To give you an idea of this approach, the following diagram shows a possible (high-level) LMP architecture integrated with the UMA protocol. </div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge7Aq_F3F4X1Cwd0H-vau2BuH7aAOI5PO0kHz3oesHLmANDXp1oMTCdzdqYcMiirIXYj9h-k6fyXVd0-ftXRTfKrdE0m5qV36T0x7XrhYb3pmOo3G-RNS49iWTGQbtsKaItby5Lgs4dBc/s1600/LMP_UMA_Architecture.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge7Aq_F3F4X1Cwd0H-vau2BuH7aAOI5PO0kHz3oesHLmANDXp1oMTCdzdqYcMiirIXYj9h-k6fyXVd0-ftXRTfKrdE0m5qV36T0x7XrhYb3pmOo3G-RNS49iWTGQbtsKaItby5Lgs4dBc/s400/LMP_UMA_Architecture.jpg" width="396" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<ul>
<li>The individual (the resource owner) interacts with the LMP to manage their own data.</li>
<li>The LMP acts as Resource Server for the individual's data, protected by the UMA Authorization Server (AS).</li>
<li>The UMA Authorization Server acts as the centralized policy decision point where the individual controls the authorization of data sharing and service access.</li>
<li>Clients act as data producers and data consumers, respectively, in the "Informed Pull" and "Controlled Push" scenarios.</li>
</ul>
<div>
Apart from the secure storage of information, which is a platform-specific feature, the other key features could be provided by UMA.</div>
<div>
In LMP scenarios, an individual shares life data with other parties in two specific ways:<br />
<div>
<ol>
<li><i>Informed Pull</i> - the LMP consumes information from other parties (e.g. an individual issues a request for information to a group of banks to obtain the best offer for a personal loan).</li>
<li><i>Controlled Push</i> - the LMP is a producer of individual data for other parties (e.g. an individual requests access to an online insurance service to buy car insurance, providing personal information and car details).</li>
</ol>
<div>
In the <i>Informed Pull</i> scenario, the UMA AS can protect the LMP Consumer API, forcing the client to be authorized before the LMP consumes the data published by the client on behalf of a subject (e.g. a loan offer provided by a bank).</div>
</div>
</div>
<div>
<br /></div>
<div>
In the <i>Controlled Push</i> scenario, the UMA AS provides control over how personal information is disseminated, and to which parties, in order to access an online service. </div>
<div>
In this case, the authorization process starts when the client, on behalf of the requesting party (e.g. the insurance company), requests access to individual data that is stored or produced by the LMP.</div>
<div>
<br /></div>
<div>
The authorization process is based on the UMA Connection concept (see details about UMA Connections <a href="http://identitycube.blogspot.co.uk/2011/07/privacy-control-for-user-managed-access.html">here</a>), by which the client must be identified and invited to negotiate the individual's access policies (they may include trusted claims, individual terms and constraints).<br />
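<div>The two scenarios above, worked through end to end as an added example (this is not code from the post or from any UMA implementation): the LMP acts as resource server, the AS holds the individual's policy, and a client that arrives without a requesting party token (RPT) gets a permission ticket, redeems it at the AS by presenting the requesting party's claims, and retries with the RPT. Client names, claim names and resource names are constructed for the example; the 403-plus-ticket, claims-to-AS, RPT-introspection pattern follows the UMA core flow.</div>

```python
"""UMA-style authorization flow for an LMP (added example, not project code).

Informed Pull: the protected resource is the LMP Consumer API a bank publishes
a loan offer to.  Controlled Push: it is the individual's car details an insurer
wants to read.  All identifiers, claims and payloads are constructed.
"""
import secrets


class AuthorizationServer:
    """Centralized policy decision point (UMA AS) operated for the individual."""

    def __init__(self):
        self.resource_sets = {}   # rs_id -> {"scopes": set, "policy": dict|None}
        self.tickets = {}         # permission ticket -> (rs_id, scope)
        self.rpts = {}            # requesting party token -> {(rs_id, scope)}

    def register_resource_set(self, name, scopes):
        rs_id = f"rs-{name}"
        self.resource_sets[rs_id] = {"scopes": set(scopes), "policy": None}
        return rs_id

    def set_policy(self, rs_id, allowed_clients, required_claims):
        # The individual's policy: which clients may ask, and which claims the
        # requesting party must present before access is granted.
        self.resource_sets[rs_id]["policy"] = {
            "clients": set(allowed_clients), "claims": dict(required_claims)}

    def register_permission(self, rs_id, scope):
        # Called by the resource server when a client arrives without an RPT.
        if scope not in self.resource_sets[rs_id]["scopes"]:
            raise ValueError("unknown scope")
        ticket = secrets.token_urlsafe(12)
        self.tickets[ticket] = (rs_id, scope)
        return ticket

    def authorize(self, ticket, client_id, claims):
        # The client redeems the ticket with the requesting party's claims;
        # the AS evaluates the policy and, if satisfied, issues an RPT.
        rs_id, scope = self.tickets.pop(ticket, (None, None))
        if rs_id is None:
            return None
        policy = self.resource_sets[rs_id]["policy"]
        if policy is None or client_id not in policy["clients"]:
            return None
        if any(claims.get(k) != v for k, v in policy["claims"].items()):
            return None
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {(rs_id, scope)}
        return rpt

    def introspect(self, rpt, rs_id, scope):
        return (rs_id, scope) in self.rpts.get(rpt, set())


class LifeManagementPlatform:
    """The LMP acts as UMA resource server for the individual's data and APIs."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.store = {}

    def protect(self, name, scopes, payload):
        rs_id = self.auth_server.register_resource_set(name, scopes)
        self.store[rs_id] = payload
        return rs_id

    def handle(self, rs_id, scope, rpt=None, body=None):
        """Without a valid RPT the answer is 403 plus a permission ticket."""
        if rpt is None or not self.auth_server.introspect(rpt, rs_id, scope):
            return 403, self.auth_server.register_permission(rs_id, scope)
        if scope == "publish":                 # Informed Pull: data flows in
            self.store[rs_id].append(body)
            return 201, body
        return 200, self.store[rs_id]          # Controlled Push: data flows out


def run_scenario(as_, lmp, rs_id, scope, client_id, claims, body=None):
    """Full exchange: first attempt -> ticket -> RPT -> authorized retry."""
    status, ticket = lmp.handle(rs_id, scope, body=body)
    assert status == 403
    rpt = as_.authorize(ticket, client_id, claims)
    if rpt is None:
        return 403, None
    return lmp.handle(rs_id, scope, rpt=rpt, body=body)


def demo():
    as_ = AuthorizationServer()
    lmp = LifeManagementPlatform(as_)
    inbox = lmp.protect("loan-offers", {"publish"}, payload=[])
    as_.set_policy(inbox, allowed_clients={"bank-app"},
                   required_claims={"bank_licence": "verified"})
    car = lmp.protect("car-details", {"read"},
                      payload={"plate": "AB123CD", "model": "constructed"})
    as_.set_policy(car, allowed_clients={"insurer-app"},
                   required_claims={"purpose": "car-insurance-quote"})
    return {
        "bank_ok": run_scenario(as_, lmp, inbox, "publish", "bank-app",
                                {"bank_licence": "verified"}, body={"rate": 4.2})[0],
        "bank_unverified": run_scenario(as_, lmp, inbox, "publish", "bank-app",
                                        {"bank_licence": "pending"})[0],
        "insurer_ok": run_scenario(as_, lmp, car, "read", "insurer-app",
                                   {"purpose": "car-insurance-quote"}),
        "insurer_wrong_purpose": run_scenario(as_, lmp, car, "read", "insurer-app",
                                              {"purpose": "marketing"})[0],
        "unknown_client": run_scenario(as_, lmp, car, "read", "data-broker",
                                       {"purpose": "car-insurance-quote"})[0],
    }
```

<div>Note that the resource server never evaluates policy itself: it only asks the AS whether the presented RPT covers this resource set and scope, which is what keeps the decision point centralized for the individual in both directions of data flow.</div>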
<br />
The following picture shows an example user interface where the two approaches for managing life connections and life events under the <i>Informed Pull</i> and <i>Controlled Push</i> models are visible.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHAlfwO9-8-5SYKz0ZTq0u5RFAawJTHiSHsGsEMoxoUXiP71t6pB7VvczuCMzyyPA8XXMKRSTsUy1ha_kHY9YAiCVbNs-zyCEyXNXXKW8XfeDXel-IkVGiEUSyiU4o1mXy2bVb4mspONo/s1600/UMA4LMP_UI.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHAlfwO9-8-5SYKz0ZTq0u5RFAawJTHiSHsGsEMoxoUXiP71t6pB7VvczuCMzyyPA8XXMKRSTsUy1ha_kHY9YAiCVbNs-zyCEyXNXXKW8XfeDXel-IkVGiEUSyiU4o1mXy2bVb4mspONo/s400/UMA4LMP_UI.jpg" width="392" /></a></div>
<br />
<b>Benefits of the UMA approach for LMPs:</b><br />
<ul>
<li>Inspired by <i><a href="http://www.privacybydesign.ca/">Privacy By Design</a></i> concept.</li>
<li>Built on top of OAuth v2 specification.</li>
<li>Provides a centralized and granular access control system.</li>
<li>Interoperable with trusted ecosystems.</li>
</ul>
<div>
<b>UMA Implementations </b></div>
<div>
There are several active UMA implementations in different areas of the data sharing space, including Personal Data Stores, Life Management Platforms and the enterprise. For more details refer to the <a href="http://kantarainitiative.org/confluence/display/uma/UMA+Implementations">UMA Implementations page</a>.</div>
<div>
<br /></div>
<br />
<br /></div>
</div>
</div>
Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com3tag:blogger.com,1999:blog-1096994277437474051.post-51889454270124901642013-03-07T13:41:00.000-08:002013-05-07T03:15:28.890-07:00A theoretical approach to the Right to be forgotten<div class="separator" style="clear: both; text-align: center;">
</div>
Imagine a world where individuals can share personal information online while controlling where the information is located, tracking all the copies derived from it, managing the right to request removal of data, and effecting the erasure of all exact or derived copies of the items. This is called the "right to be forgotten".<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghvpzExSZll0_w6-wN0iOnfdFynB3kM7QE1G6L5K3g4rPZzIk2AU97pRhjAg88pzFtSPPGRfZVd3Fk07G1__uFLdIknrk8Ilc95at8Tr1Faxdd7EcUFzUwRX0NrKj9cJ4R6UFucJbkV-A/s1600/delete.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghvpzExSZll0_w6-wN0iOnfdFynB3kM7QE1G6L5K3g4rPZzIk2AU97pRhjAg88pzFtSPPGRfZVd3Fk07G1__uFLdIknrk8Ilc95at8Tr1Faxdd7EcUFzUwRX0NrKj9cJ4R6UFucJbkV-A/s200/delete.jpg" width="200" /></a>The right to be forgotten is included in the proposed <a href="http://ec.europa.eu/justice/data-protection/index_en.htm">regulation on data protection</a> published by the European Commission in January 2012.<br />
<br />
Despite the debates about this topic, related to the fact that in an open system like the internet the right to be forgotten cannot be enforced by technical means alone (see the <a href="https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CDwQFjAB&url=https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten/at_download/fullReport&ei=pyc3UdmxGYy1PYOUgZgG&usg=AFQjCNFkdQKZwfV0NaVjg4GD-VCLsrDlzA&bvm=bv.43287494,d.ZWU">ENISA report about the Right to be forgotten</a>), I would like to demonstrate a theoretical model to address this regulation.<br />
The model is inspired by the "<a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2045818">Chain-link confidentiality approach</a>" which can realistically be applied to the <a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA)</a> protocol.<br />
<br />
<i>A chain-link confidentiality regime would contractually link the disclosure of personal information to obligations to protect that information as the information moves downstream. The system would focus on the relationships not only between the discloser of information and the initial recipient, but also between the initial recipient and subsequent recipients. </i><br />
<br />
UMA defines how resource owners (an individual) can control protected-resource (personal information) access by clients operated by arbitrary requesting parties (the recipients), where the resources reside on any number of resource servers (the provider of the personal information), and where a centralized authorization server governs access based on resource owner policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi988N8RPWbsv5TUCBUFqleSGn2Gn4SIrJkb_WigbC12bi_35iyXwVj7og_qpHR5ectlYQ14El62-wClw0Ac04CzYraqLvw7-TfnfqMHMLrenK3gm_4QFW7bL8s7dwfxUnZfTFrw3RVNIQ/s1600/chain.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi988N8RPWbsv5TUCBUFqleSGn2Gn4SIrJkb_WigbC12bi_35iyXwVj7og_qpHR5ectlYQ14El62-wClw0Ac04CzYraqLvw7-TfnfqMHMLrenK3gm_4QFW7bL8s7dwfxUnZfTFrw3RVNIQ/s200/chain.jpg" width="200" /></a></div>
Applying the chain-link confidentiality approach to UMA means requiring the requester (client) to itself be a protected resource. The result is that the client becomes a resource server for any personal information derived from the initial recipient (resource server), creating a chain of protection.<br />
The assumption here is that the personal information at each chain node is exposed as a web resource.<br />
<br />
As a result, an individual can control where information is stored at the initial recipient, and track all the copies derived from it by following the chain of protection.<br />
Through the UMA Authorization Server, an individual can exercise the right to remove data from the resource servers, and delete any relationship with them.<br />
<br />
The diagram below shows how the proposed model addresses the complexity of representing the relationships and the control over the individual’s personal information distributed among different initial recipients and subsequent recipients. The example shows (as a dotted line) a chain of protection, where the Bank (resource server) is the initial recipient for bank account information, and the Employer and the Loan Service are requesting parties as subsequent recipients which become protected resources.<br />
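<div>The chain of protection in that diagram, as an added example (not code from the post or from any UMA implementation): an authorization server that records every derived copy as a resource in its own right, so the owner can trace a copy back to the initial recipient, enumerate everything downstream, and withdraw the whole chain in one step. The holder names (Bank, Employer, LoanService, CreditBureau) and resource identifiers are constructed; the fourth node extends the diagram's chain by one more hop to show that propagation is not limited to direct recipients.</div>

```python
"""Chain of protection for derived personal data (added example, not project code).

Every recipient of a protected resource registers itself as a resource server
for the copy it derives, so the AS can trace lineage, list all copies and
propagate a removal request down the chain.  Names are constructed.
"""
from collections import deque


class ChainAuthorizationServer:
    """AS that records every derived copy so the owner can trace and withdraw them."""

    def __init__(self):
        self.resources = {}   # resource id -> {"holder", "derived_from", "revoked"}
        self.children = {}    # resource id -> ids of copies derived from it

    def register(self, holder, resource_id, derived_from=None):
        """A holder registers a resource it protects; a copy records its origin."""
        if resource_id in self.resources:
            raise ValueError(f"{resource_id} already registered")
        if derived_from is not None:
            if self.resources[derived_from]["revoked"]:
                raise PermissionError("origin resource has been withdrawn")
            self.children.setdefault(derived_from, []).append(resource_id)
        self.resources[resource_id] = {"holder": holder,
                                       "derived_from": derived_from,
                                       "revoked": False}
        return resource_id

    def share(self, resource_id, recipient, copy_id):
        """Chain-link rule: the recipient becomes a resource server for its copy,
        registered here before any data is released to it."""
        return self.register(recipient, copy_id, derived_from=resource_id)

    def lineage(self, resource_id):
        """Upstream trail from a copy back to the initial recipient."""
        trail = []
        while resource_id is not None:
            trail.append((self.resources[resource_id]["holder"], resource_id))
            resource_id = self.resources[resource_id]["derived_from"]
        return trail

    def copies(self, resource_id):
        """All downstream copies, breadth-first, as (holder, id) pairs."""
        found, queue = [], deque(self.children.get(resource_id, []))
        while queue:
            cid = queue.popleft()
            found.append((self.resources[cid]["holder"], cid))
            queue.extend(self.children.get(cid, []))
        return found

    def forget(self, resource_id):
        """Right to be forgotten: withdraw the resource and every derived copy.
        Returns the holders that must erase their data, in notification order."""
        targets = [(self.resources[resource_id]["holder"], resource_id)]
        targets += self.copies(resource_id)
        for _, cid in targets:
            self.resources[cid]["revoked"] = True
        return [holder for holder, _ in targets]

    def accessible(self, resource_id):
        return not self.resources[resource_id]["revoked"]


def demo():
    as_ = ChainAuthorizationServer()
    as_.register("Bank", "bank/account-123")                       # initial recipient
    as_.share("bank/account-123", "Employer", "employer/salary-check")
    as_.share("bank/account-123", "LoanService", "loan/affordability")
    as_.share("loan/affordability", "CreditBureau", "bureau/score-input")
    result = {"copies": as_.copies("bank/account-123"),
              "lineage": as_.lineage("bureau/score-input")}
    result["notified"] = as_.forget("bank/account-123")
    try:                                   # no new links can hang off a withdrawn node
        as_.share("loan/affordability", "Marketing", "marketing/lead")
        result["leak_after_forget"] = True
    except PermissionError:
        result["leak_after_forget"] = False
    result["bureau_accessible"] = as_.accessible("bureau/score-input")
    return result
```

<div>The model only tracks copies that were obtained through the chain; a recipient that copies data out of band is exactly the case the ENISA report says technical means cannot cover, which is why the post pairs this mechanism with contractual obligations.</div>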
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAGcgm4Wg5rermFHmeQZ7vEaGBJZiNuWiAZbcRbvOXGqvMnVqalEVO50q3rYiAHB2ew7rmxyzC_AqfMb4CafYn_PMFffZkYg8sk2RpJNrCBNZIXGnT-svbQFvKKHcmNLUsP3ZYkT7b1So/s1600/Right_to_be_forgotten.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="341" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAGcgm4Wg5rermFHmeQZ7vEaGBJZiNuWiAZbcRbvOXGqvMnVqalEVO50q3rYiAHB2ew7rmxyzC_AqfMb4CafYn_PMFffZkYg8sk2RpJNrCBNZIXGnT-svbQFvKKHcmNLUsP3ZYkT7b1So/s400/Right_to_be_forgotten.jpg" width="400" /></a></div>
<br />
<br />Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com2tag:blogger.com,1999:blog-1096994277437474051.post-70843900019715418312013-01-31T13:08:00.000-08:002013-02-06T05:34:06.162-08:00UMA Approach to Protect and Control Online Reputation<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPdu05N7-2nlVC-08qK4OzEbd8W-e5jCRKKXNOb72YCG9NfiD_PRljine4b9dzU_WuLqWql6l4Lvx4_qKW45QB33cYP57DN3r-i1qiac81_Mo17haiIowLbPYu1MqkZOdZKOl8kZ2XviI/s1600/iStock_000021522616_ExtraSmall.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPdu05N7-2nlVC-08qK4OzEbd8W-e5jCRKKXNOb72YCG9NfiD_PRljine4b9dzU_WuLqWql6l4Lvx4_qKW45QB33cYP57DN3r-i1qiac81_Mo17haiIowLbPYu1MqkZOdZKOl8kZ2XviI/s320/iStock_000021522616_ExtraSmall.jpg" width="320" /></a></div>
Reputation plays an important and crucial role in today's economy. According to the Wikipedia definition, the <a href="http://en.wikipedia.org/wiki/Reputation">reputation</a> of a social entity (a person, a group of people, an organization) is an opinion about that entity, typically the result of social evaluation on a set of criteria.</div>
<br />
<div>
<a href="http://www.rachelbotsman.com/">Rachel Botsman</a> delivered an interesting <a href="http://blog.ted.com/2012/06/28/trusting-in-strangers-rachel-botsman-at-tedglobal2012/">talk at TEDGlobal 2012,</a> where she stated that the concept of trust, across multiple platforms, would constitute the currency of a new collaborative economy, asserting that "<i>reputation capital creates a massive positive disruption in who has power, influence and trust.</i>"</div>
<div>
<br />
Nevertheless, Prof. <a href="http://www.eui.eu/DepartmentsAndCentres/Law/People/Professors/Sartor.aspx">Giovanni Sartor</a>, in his article "<a href="http://cadmus.eui.eu/bitstream/handle/1814/4202/WPLAW%202006.4%20Sartor.pd">Privacy, Reputation and Trust: Some Implication for Data Protection</a>", analyzes privacy versus reputation-based trust, where privacy, as self-determination over one's own personal data, seems to conflict with reliance based upon reputation.</div>
<div>
<br />
In order to mitigate and balance these privacy issues, providing better control over one's own personal data while encouraging a collaborative economy, it is possible to formalize a new approach based on the UMA protocol.<br />
<br />
This approach assumes the support of a legal framework for data sharing and data protection, harmonized with the legal requirements and obligations needed for the proposed model. More details about binding obligations on UMA participants are available <a href="http://docs.kantarainitiative.org/uma/draft-uma-trust.html">here</a>.<br />
<br /></div>
<h3>
UMA Approach</h3>
<div>
<a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA)</a> is a profile of <a href="http://oauth.net/2/">OAuth 2.0</a>. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA4HwScCTxyg5Iu2n3UlO2b14XfX5ttQsnPhUpIq7IZHgzzysHZk9k4J-n3JXtvQsIM41Npe0K6WxSlb150n-MM9ReKENC3OLO6e6exGIBmX5fJ3bZNsMcUX1OPMN7ZSkNbh8why2mTEg/s1600/UMA_terminologyV10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA4HwScCTxyg5Iu2n3UlO2b14XfX5ttQsnPhUpIq7IZHgzzysHZk9k4J-n3JXtvQsIM41Npe0K6WxSlb150n-MM9ReKENC3OLO6e6exGIBmX5fJ3bZNsMcUX1OPMN7ZSkNbh8why2mTEg/s400/UMA_terminologyV10.jpg" width="400" /></a></div>
<br /></div>
Consider the following scenario:<br />
<ul>
<li>Alice (<i>Resource Owner</i>) is an active user of two e-commerce sites: eBaj and e-Selling.</li>
<li>Both e-commerce sites (<i>Resource Servers</i>) provide a reputation ranking mechanism and the possibility to protect this information with a Global Reputation System (<i>Authorization Server</i>), through which Alice maintains control over her own data.</li>
<li>In her e-commerce experience Alice has had good and bad experiences, so she has an average reputation ranking of 3 out of 5 on both sites.</li>
<li>Bob is a buyer (<i>Requesting Party</i>) who wants to buy a camera on the eBaj site (<i>Client</i>), and he finds that Alice is selling that article.</li>
<li>Before adding the article to the shopping cart, Bob wants to be sure about the seller’s reputation.</li>
</ul>
The picture below shows an example e-commerce UI that allows Bob to request and view Alice's reputation ranking.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd-agJHoysDoD6QeaD3Zl7SJrFNhtRnZLOny5jL-nhw7-DQvXN2IcpFTlEMYqdPaYrwwDwmfZNgjmwYL6L4Coh2gtmxKUvjTr-Dz7iko4H4S-azA0mG4zo06nfkn_t5h1q6gaSKsg8XpI/s1600/UMA_reputation_UI1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd-agJHoysDoD6QeaD3Zl7SJrFNhtRnZLOny5jL-nhw7-DQvXN2IcpFTlEMYqdPaYrwwDwmfZNgjmwYL6L4Coh2gtmxKUvjTr-Dz7iko4H4S-azA0mG4zo06nfkn_t5h1q6gaSKsg8XpI/s320/UMA_reputation_UI1.jpg" width="320" /></a></div>
<br />
Bob adheres to Alice’s terms of authorization, showing he’s a registered user at the e-commerce site.<br />
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRfC33FKMSnBS6bGbwrq238K9u26QmX-r4ZykFKEokDTU28aWkBbS2vZF-XfPOMNKeTNLx1GCdMTOlMnwWsLg_iinULFFAQ3hUrSD_2gG2hJl5KlfazELGmJF4qJ5N5dT3s7u6WJgSyGc/s1600/UMA_reputation_UI2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRfC33FKMSnBS6bGbwrq238K9u26QmX-r4ZykFKEokDTU28aWkBbS2vZF-XfPOMNKeTNLx1GCdMTOlMnwWsLg_iinULFFAQ3hUrSD_2gG2hJl5KlfazELGmJF4qJ5N5dT3s7u6WJgSyGc/s320/UMA_reputation_UI2.jpg" width="320" /></a></div>
<br /></div>
Bob can view Alice’s global reputation ranking according to the Sharing Policy controlled by Alice.<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg6SnL7I2LentFW_hA-b-44-cETCmRFuZIAaLcM_pyMLJzpQttBK0fbSBjL25ekhdr3qj3ZbzgA_MScDxQgP7Ate1sUY056GQPVXhaNx6EDp7AZbboRSSaX5yM2igokZ8KBJaCnP_3VwY/s1600/UMA_reputation_UI3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg6SnL7I2LentFW_hA-b-44-cETCmRFuZIAaLcM_pyMLJzpQttBK0fbSBjL25ekhdr3qj3ZbzgA_MScDxQgP7Ate1sUY056GQPVXhaNx6EDp7AZbboRSSaX5yM2igokZ8KBJaCnP_3VwY/s320/UMA_reputation_UI3.jpg" width="320" /></a></div>
<br /></div>
<div>
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ6dvVEVHcfxDmkxrQi9o83XJFIdZDq2DeSm68Eaz-sMIePjMvQA2dsZy7hwIMF0LCWYoJcM2idheTspbdzVtfC-WowsxgXtWfrq1ePk_47RmZCN2dbDV9tFssG74Y_a8c2SGNrWm2K04/s1600/UMA_Connection04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ6dvVEVHcfxDmkxrQi9o83XJFIdZDq2DeSm68Eaz-sMIePjMvQA2dsZy7hwIMF0LCWYoJcM2idheTspbdzVtfC-WowsxgXtWfrq1ePk_47RmZCN2dbDV9tFssG74Y_a8c2SGNrWm2K04/s1600/UMA_Connection04.jpg" /></a>Based on the UMA approach, the Resource Owner (Alice) is able to control all online reputation info through a specific sharing policy or terms of authorization, called a <i>connection</i>.<br />
You can find more details about UMA Connections in the study which explores <a href="http://identitycube.blogspot.co.uk/2011/07/privacy-control-for-user-managed-access.html">visualization techniques to enhance privacy control</a> user experience for the UMA protocol, as part of my work at <a href="http://www.ncl.ac.uk/">Newcastle University</a>, contributing to the <a href="http://smartjisc.wordpress.com/">SMART Project</a>.<br />
<br />
The following diagram describes an example of the connection structure applied to protect reputation data.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyP7qC8-s30CKjLrhLqit5XGNC0I1crawZEFHMsGm_YRZptHXiHMKmE0vhA522UV8BhmBpjQZ_vPYihia7dmBYvIeZMiVUL9g52H-mfgkKVWY1ViigHB-dWzRWT6EUE8WqLQbwGQhCQo/s1600/UMA_connection_diagram.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyP7qC8-s30CKjLrhLqit5XGNC0I1crawZEFHMsGm_YRZptHXiHMKmE0vhA522UV8BhmBpjQZ_vPYihia7dmBYvIeZMiVUL9g52H-mfgkKVWY1ViigHB-dWzRWT6EUE8WqLQbwGQhCQo/s400/UMA_connection_diagram.jpg" width="400" /></a></div>
<br />
<div>
A Connection includes: <br />
<ul>
<li><i>Protected resource</i> - this is the ranking info endpoint, or an aggregation of them if they are available on multiple e-commerce sites (resource servers). </li>
<li><i>Requesting party</i> - the entity who is requesting to view the ranking. It's possible to define anonymous entities, registered users or users who provide specific trusted claims. </li>
<li><i>Client</i> or App which is allowed to request access to the reputation ranking data. </li>
<li><i>Constraints</i> can be used to limit access to the info, on a time basis or by scope (e.g. read reviews or see only the ranking points).</li>
</ul>
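<div>The connection structure above, evaluated for Bob's request, as an added example (not code from the post or from the SMART system): each of the four elements becomes one check, and the protected resource is an aggregation over both sites' ranking endpoints. Site names, endpoint URLs, client identifiers and the claim name <code>registered_user</code> are constructed; the rankings (3 on each site) are the ones from the scenario.</div>

```python
"""A UMA "connection" protecting reputation data (added example, not project code).

The connection binds the protected resource (ranking endpoints aggregated over
several e-commerce sites), the requesting party rule, the allowed client and the
constraints (expiry, scopes).  Endpoints, client ids and claims are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Connection:
    """Alice's sharing policy: every element of the connection is a check."""
    endpoints: dict                        # resource server -> ranking endpoint
    requesting_party: str                  # "anonymous", "registered" or "claims"
    required_claims: dict = field(default_factory=dict)
    allowed_clients: set = field(default_factory=set)
    scopes: set = field(default_factory=set)
    expires_at: Optional[datetime] = None

    def evaluate(self, client_id, scope, claims, now):
        """Return (permitted, reason) for one access request."""
        if self.expires_at is not None and now >= self.expires_at:
            return False, "connection expired"                  # temporal constraint
        if client_id not in self.allowed_clients:
            return False, f"client {client_id} not allowed"     # client/app element
        if scope not in self.scopes:
            return False, f"scope {scope} not granted"          # scope constraint
        if self.requesting_party == "registered" and not claims.get("registered_user"):
            return False, "requesting party must be a registered user"
        if self.requesting_party == "claims":
            missing = [k for k, v in self.required_claims.items() if claims.get(k) != v]
            if missing:
                return False, "missing trusted claims: " + ", ".join(missing)
        return True, "permitted"


def global_ranking(rankings):
    """Aggregate per-site rankings into one global score (mean, one decimal)."""
    if not rankings:
        raise ValueError("no rankings to aggregate")
    return round(sum(rankings.values()) / len(rankings), 1)


def fetch_rankings(endpoints):
    """Stand-in for calling each resource server's ranking endpoint (constructed data)."""
    sample = {"https://ebaj.example/users/alice/ranking": 3,
              "https://e-selling.example/sellers/alice/ranking": 3}
    return {site: sample[url] for site, url in endpoints.items()}


def serve_request(connection, client_id, scope, claims, now):
    """Authorization decision followed by the resource server's response."""
    ok, reason = connection.evaluate(client_id, scope, claims, now)
    if not ok:
        return {"status": 403, "reason": reason}
    rankings = fetch_rankings(connection.endpoints)
    if scope == "view_ranking":
        return {"status": 200, "global_ranking": global_ranking(rankings)}
    return {"status": 200, "per_site": rankings}     # wider scopes expose more detail


def demo():
    now = datetime(2013, 1, 31, 13, 8, tzinfo=timezone.utc)
    alice = Connection(
        endpoints={"eBaj": "https://ebaj.example/users/alice/ranking",
                   "e-Selling": "https://e-selling.example/sellers/alice/ranking"},
        requesting_party="registered",          # anonymous lookups are refused
        allowed_clients={"ebaj-app"},
        scopes={"view_ranking"},                # reviews stay private
        expires_at=now + timedelta(days=30),
    )
    bob = {"registered_user": True}
    return {
        "bob_registered": serve_request(alice, "ebaj-app", "view_ranking", bob, now),
        "bob_anonymous": serve_request(alice, "ebaj-app", "view_ranking", {}, now),
        "wider_scope": serve_request(alice, "ebaj-app", "read_reviews", bob, now),
        "other_client": serve_request(alice, "price-scraper", "view_ranking", bob, now),
        "after_expiry": serve_request(alice, "ebaj-app", "view_ranking", bob,
                                      now + timedelta(days=31)),
    }
```

<div>The order of the checks is deliberate: expiry and client are verified before any claim about the requesting party is examined, so a revoked or mis-addressed connection never causes claims to be collected in the first place.</div>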
<div>
<br /></div>
<h3>
Benefits</h3>
The UMA approach, and its mechanism for centralizing the policy decision for sharing reputation data, provides three main benefits:<br />
<br />
Firstly, it provides a fundamental <b>alignment with Privacy requirements</b> to determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be. More details about this aspect can be found <a href="http://identitycube.blogspot.co.uk/2012/03/take-control-of-your-personal-data-uma.html">here</a>.<br />
<br />
The second benefit, which can be considered an innovative driver for encouraging a collaborative economy, is the <b>capability to aggregate reputation data</b> from different service providers to provide more complete and consistent data.<br />
<br />
The third benefit is related to the <b>analytic capability</b> which provides the ability to create a graph of the trust relationship among the parties involved on reputation data for a better reputation management. For more details about this topic, please see The Role of Data visualization <a href="http://identitycube.blogspot.co.uk/2012/03/take-control-of-your-personal-data-uma.html">here</a>.<br />
<br />
<h4>
About UMA</h4>
<div>
Follow the links below for more info about UMA:</div>
<div>
<a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA) Working Group at Kantara Initiative</a> led by <a href="http://www.xmlgrrl.com/">Eve Maler</a>.</div>
<div>
<a href="http://tools.ietf.org/html/draft-hardjono-oauth-umacore-06">User-Managed Access (UMA) Core Spec.</a></div>
<div>
<a href="http://kantarainitiative.org/confluence/display/uma/UMA+Trust+Model">UMA Trust Model</a>.</div>
<div>
<a href="http://kantarainitiative.org/confluence/display/uma/UMA+Implementations">UMA Implementations</a>.</div>
<div>
<a href="http://kantarainitiative.org/confluence/display/uma/UMA+FAQ">UMA FAQ</a>.</div>
<br />
</div>
Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com2tag:blogger.com,1999:blog-1096994277437474051.post-89632927909024862002012-10-12T09:25:00.000-07:002012-10-12T09:25:34.842-07:00User-Managed Access for Higher EducationIf you are interested in data sharing challenges around security and privacy, don't miss the next <a href="http://kantarainitiative.org/confluence/display/uma/Home">UMA work group</a> webinar. <div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7xd_uI6qJZVuQx39MqAOmDTBm-kF8ACIzGg2Peu6JRxfSbI6P7EQjWSL_EOjki7BWqWdT59hFFRuLG1HQ8vm7n2ogfVQIHQC0Lf8zqo7M8Bq57p17SgWpkHQVWJsvWibEdeKeeaHQKnY/s1600/uma_webinar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7xd_uI6qJZVuQx39MqAOmDTBm-kF8ACIzGg2Peu6JRxfSbI6P7EQjWSL_EOjki7BWqWdT59hFFRuLG1HQ8vm7n2ogfVQIHQC0Lf8zqo7M8Bq57p17SgWpkHQVWJsvWibEdeKeeaHQKnY/s320/uma_webinar.jpg" width="320" /></a></div>
<div>
Next week, on the 17th of October (8am PT), the UMA Work Group will conduct a free public webinar to discuss and provide live demonstrations of UMA’s benefits for the higher education community and other communities where data sharing presents security and privacy challenges. </div>
<div>
<div>
<br /></div>
<div>
The webinar will show an extensive demo of how students can manage access by a variety of prospective employers to distributed, trusted information about their educational achievements.</div>
<div>
<br /></div>
One UMA implementation, the <a href="http://smartjisc.wordpress.com/">SMART</a> system developed at Newcastle University, is working to help students control the sharing of Transcripts of Records and other personal data hosted on University systems with future employers. Recently, the system was integrated with the UK Federation to provide these benefits to other British universities.<div>
<br /></div>
<div>
Join us!</div>
</div>
</div>
<div>
<br /></div>
Find webex information at http://tinyurl.com/umawg. <div>
Follow the group on Twitter at @UMAWG, hashtag <a href="https://twitter.com/i/#!/search/?q=%23UMAedu&src=typd">#UMAedu</a> for news.</div>
Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com0tag:blogger.com,1999:blog-1096994277437474051.post-6501741133881724492012-06-26T06:30:00.000-07:002012-06-27T08:08:32.631-07:00UMA at Oracle Community for Security<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">Last week I had the opportunity to spread the word about <a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA)</a> at the Oracle Community for Security in Italy.</span></span><br />
<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><a href="http://www.oracle.com/it/technologies/security/partner-171975-ita.html">Oracle Community for Security</a> is an Italian community of qualified Oracle partners whose goal is to provide technical and business awareness to enterprises and the market. </span></span><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; line-height: 16px;">In recent years they have contributed interesting studies (in Italian) on "<a href="http://rosi.clusit.it/">Return on Security Investments</a>", "<a href="http://fse.clusit.it/">Healthcare Record Management</a>", and "<a href="https://privacycloudmobile.clusit.it/">Privacy on Cloud and Mobile</a>".</span><br />
<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">Since the community has a convergence of interests in Privacy and Personal Data Protection, I explained UMA's concepts and benefits in this field, starting from today's challenges: </span></span><br />
<ul>
<li><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; line-height: 16px;">Privacy in social networks, </span></li>
<li><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">The emergence of the personal cloud and the Personal Data Store (PDS),</span></span></li>
<li><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">Participatory personal data.</span></span></li>
</ul>
<div>
<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">All these phenomena, along with mobile and pervasive computing, are the main drivers of personal data collection, processing and sharing, with a significant impact on the privacy of individuals.</span></span></div>
<div>
<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">This brief <a href="http://kantarainitiative.org/confluence/download/attachments/17760302/UMA_Sec_Council_June_22_v4.pdf">presentation</a> (see the slideshow below) describes these scenarios, and how UMA helps users manage their personal data and sharing decisions.</span></span></div>
<div>
<br />
<strong style="display: inline !important; margin-bottom: 4px; margin-left: 0px; margin-right: 0px; margin-top: 12px;">Take Control of your Personal Data</strong></div>
<div id="__ss_13472486" style="width: 425px;">
<iframe allowfullscreen="" frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/13472486" style="border-width: 1px 1px 0; border: 1px solid #CCC;" width="425"></iframe> <br />
<div style="padding: 5px 0 12px;">
View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/domcat" target="_blank">Domenico Catalano</a> </div>
</div>Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com0tag:blogger.com,1999:blog-1096994277437474051.post-18090108185542090782012-06-07T05:29:00.000-07:002012-06-07T05:38:46.779-07:00Securing Internet Payment SystemsRecently, the European Central Bank (ECB) released a <a href="http://www.ecb.int/pub/pdf/other/recommendationsforthesecurityofinternetpaymentsen.pdf?e716fd2a3404951b68f555745d6e7573">report</a> with a set of recommendations to improve the security of internet payments. The recommendations include:<br />
<ul>
<li>General control and security environment.</li>
<li>Specific control and security measures for Internet Payments.</li>
<li>Customer awareness, education and communication.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMA5rRyeOngGaEtyPfJY4sBTwEX1_r7T_DDcDzteRKZvFX8x6lZX_WBPspIp_UDYE0rDr5TFm3iAuwRWeDxUnNKb4vMSCeuujQBBuR6kBAopYi4VFU4OSImP4wie40hzQaZWpMqTIX1KE/s1600/Internet_Payment.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMA5rRyeOngGaEtyPfJY4sBTwEX1_r7T_DDcDzteRKZvFX8x6lZX_WBPspIp_UDYE0rDr5TFm3iAuwRWeDxUnNKb4vMSCeuujQBBuR6kBAopYi4VFU4OSImP4wie40hzQaZWpMqTIX1KE/s320/Internet_Payment.png" width="320" /></a></div>
<div>
The specific security measures for Internet Payments include:</div>
<div>
<ul>
<li>Customer identification</li>
<li>Strong Customer authentication </li>
<li>Enrollment for and provision of strong authentication </li>
<li>Log-in attempts, session time-out, validity of authentication</li>
<li>Transaction monitoring and authorization</li>
<li>Protection of sensitive payment data</li>
</ul>
<div>
The following presentation, which I gave at the <a href="https://www.securitysummit.it/eventi/view/6">Security Summit 2012 (Rome)</a>, shows the Oracle approach to securing Internet payment systems according to the ECB recommendations. In particular, it shows an intelligent model to prevent online fraud, based on <a href="http://www.oracle.com/technetwork/middleware/id-mgmt/oaam11gr1ps1-twp-398160.pdf?ssSourceSiteId=ocomen">Oracle Adaptive Access Manager (OAAM)</a>, a context-aware risk analysis system. Furthermore, it includes a brief introduction to the <a href="http://www.google.co.uk/url?sa=t&rct=j&q=british%20telecom%20mfr&source=web&cd=1&ved=0CG4QFjAA&url=http%3A%2F%2Fglobalservices.bt.com%2Fstatic%2Fassets%2Fpage%2Fbt_security_insights%2FBT%2520Managed%2520Fraud%2520Reduction%2520Overview.pdf&ei=VnvQT8awB4n4rQfWuYmlDA&usg=AFQjCNFwmSZzUCFp36Nlp5a48eS2hRa6KQ&sig2=wUmYehTxiC6srYHZhxYNEw&cad=rja">Managed Fraud Reduction (MFR)</a> solution based on Oracle and British Telecom experience. </div>
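<div>Three of the listed measures (log-in attempts, session time-out and validity of authentication, transaction monitoring) reduced to a minimal enforcement point, as an added example that is not code from the presentation, from OAAM or from the ECB report: failed log-ins lock the account for a cooling-off period, a session expires after idle time and again when the strong authentication ages out, and each payment is scored on simple context rules (amount, new payee, device change) to decide between approval, step-up authentication and refusal. All thresholds, user names and device labels are constructed for the example.</div>

```python
"""Minimal enforcement of three ECB internet-payment measures (added example).

Not OAAM and not the ECB's text: a small, rule-based guard whose thresholds
are constructed for illustration.
"""
from datetime import datetime, timedelta


class PaymentSessionGuard:
    """Login-attempt limiting, session time-out/authentication validity and
    context-aware transaction monitoring in one place."""

    MAX_FAILED_LOGINS = 5
    LOCKOUT = timedelta(minutes=30)
    IDLE_TIMEOUT = timedelta(minutes=10)
    AUTH_VALIDITY = timedelta(hours=1)   # strong authentication must be renewed
    STEP_UP_AMOUNT = 500.0

    def __init__(self):
        self.failed = {}         # user -> consecutive failed attempts
        self.locked_until = {}   # user -> end of lockout
        self.sessions = {}       # session id -> session record
        self._next_id = 0

    def login(self, user, credentials_ok, device, now):
        """Return a session id on success, None on failure or while locked out."""
        if now < self.locked_until.get(user, now):
            return None
        if not credentials_ok:
            count = self.failed.get(user, 0) + 1
            self.failed[user] = count
            if count >= self.MAX_FAILED_LOGINS:
                self.locked_until[user] = now + self.LOCKOUT
                self.failed[user] = 0
            return None
        self.failed.pop(user, None)
        self._next_id += 1
        sid = f"sess-{self._next_id}"
        self.sessions[sid] = {"user": user, "device": device, "authenticated_at": now,
                              "last_seen": now, "known_payees": set()}
        return sid

    def session_state(self, sid, now):
        """'active', 'idle_timeout', 'reauth_required' or 'unknown'."""
        s = self.sessions.get(sid)
        if s is None:
            return "unknown"
        if now - s["last_seen"] > self.IDLE_TIMEOUT:
            return "idle_timeout"
        if now - s["authenticated_at"] > self.AUTH_VALIDITY:
            return "reauth_required"
        s["last_seen"] = now
        return "active"

    def assess_transaction(self, sid, amount, payee, device, now):
        """Return 'approve', 'step_up' (re-authenticate first) or 'deny'."""
        if self.session_state(sid, now) != "active":
            return "deny"
        s = self.sessions[sid]
        risk = 0
        if amount >= self.STEP_UP_AMOUNT:
            risk += 2                      # large amount
        if payee not in s["known_payees"]:
            risk += 1                      # first payment to this payee
        if device != s["device"]:
            risk += 3                      # device changed mid-session: always step up
        if risk >= 3:
            return "step_up"
        s["known_payees"].add(payee)
        return "approve"


def demo():
    """Walks through lockout, re-login, monitoring and idle time-out."""
    t0 = datetime(2012, 6, 7, 12, 0)
    minute = lambda k: t0 + timedelta(minutes=k)
    guard = PaymentSessionGuard()
    out = {}
    for _ in range(PaymentSessionGuard.MAX_FAILED_LOGINS):
        guard.login("alice", False, "laptop", t0)
    out["locked_login"] = guard.login("alice", True, "laptop", minute(1))
    sid = guard.login("alice", True, "laptop", minute(31))
    out["session"] = sid
    out["small_new_payee"] = guard.assess_transaction(sid, 50.0, "shop-1", "laptop", minute(32))
    out["large_known_payee"] = guard.assess_transaction(sid, 900.0, "shop-1", "laptop", minute(33))
    out["large_new_payee"] = guard.assess_transaction(sid, 900.0, "new-payee", "laptop", minute(34))
    out["device_change"] = guard.assess_transaction(sid, 20.0, "shop-1", "phone", minute(35))
    out["after_idle"] = guard.assess_transaction(sid, 20.0, "shop-1", "laptop", minute(50))
    return out
```

<div>A real deployment would replace the additive score with a proper risk engine and persist the counters outside the process, but the shape is the same: the monitoring decision is tied to the session's authentication state, so a transaction is never scored against a session that has already timed out.</div>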
</div>
<div>
<br /></div>
<div id="__ss_13234758" style="width: 425px;">
<iframe allowfullscreen="" frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/13234758" width="425"></iframe> <br />
<div style="padding: 5px 0 12px;">
View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/domcat" target="_blank">Domenico Catalano</a> </div>
</div>
<div><b>Introduction to UMA. Part I</b> (15 April 2012)</div>
This is the first of a series of posts whose aim is to illustrate the <a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA) protocol</a> and the main needs it intends to address.<br />
<div>
<br /></div>
<div>
<b>What UMA is</b><br />
<a href="http://kantarainitiative.org/confluence/display/uma/Home">UMA</a> is a protocol designed to give a web user (the Authorizing User) a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos) and services (such as viewing and creating/updating a status), no matter where all this information resides on the web. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbyxNtkAcRrixnLVPoAJ9YwJ3tdjLONIRte2HEGgbY9Nr9lwtC_EErt5n9QpmM7nvPwauI_RI79de2StYyrUnAOQ0N6qHtMm5UVRGAEua4fiRohRjFP60vHocC4i3syXOtwCBWoNhEOac/s1600/UMA_Personal_data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbyxNtkAcRrixnLVPoAJ9YwJ3tdjLONIRte2HEGgbY9Nr9lwtC_EErt5n9QpmM7nvPwauI_RI79de2StYyrUnAOQ0N6qHtMm5UVRGAEua4fiRohRjFP60vHocC4i3syXOtwCBWoNhEOac/s320/UMA_Personal_data.png" width="320" /></a></div>
<br />
UMA allows the user to verify the suitability of the requesting party (Requesting Party) that receives authorization to access the personal data. The checks can include requests for information (for example "Who are you?" or "Are you over 18?") and promises (for example "Do you agree to the disclosure terms for this information?", or "Can you confirm that your privacy and data portability policies match my requirements?").<br />
<br />
The following figure illustrates the high-level architectural model and the main actors involved in the authorization process of the UMA protocol.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhNmZVo48z_iNRPwFifnyCgAT09uUegybFCAU-cIO7DrOedrUzA7qCQ-LPJLXyNv2azqun51O9yJbKPl-bXJM10_e7uv5wzwh268FyyqbCKzZXFnGAjBwgzpCk4WXnoD6mVd1thD3D_s/s1600/UMA_model.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhNmZVo48z_iNRPwFifnyCgAT09uUegybFCAU-cIO7DrOedrUzA7qCQ-LPJLXyNv2azqun51O9yJbKPl-bXJM10_e7uv5wzwh268FyyqbCKzZXFnGAjBwgzpCk4WXnoD6mVd1thD3D_s/s320/UMA_model.png" width="320" /></a></div>
<br />
<b>How does UMA address the user's requirements for privacy and control over data usage?</b><br />
The suitability checks that the user might want to perform on the requester cannot be resolved with cryptographic systems and web protocols alone; it is necessary to rely on agreements and on the accountability of the parties. <br />
<br />
UMA does not adopt techniques such as <a href="http://it.wikipedia.org/wiki/Digital_rights_management">DRM</a> (Digital Rights Management), through which it is possible, using cryptographic mechanisms, to restrict access to data before the data are sent. <br />
More simply, and more conveniently for the end user, UMA focuses (also for ease of adoption) on the user's visibility of, and control over, access to the data by third parties. <br />
<br />
UMA aims for a reasonable minimum level of enforcement of the authorization agreements, such that if the requesting party goes against the promises it accepted when it was granted access, the data subject can seek legal recourse.<br />
<br />
<br /></div>
<div><b>Take Control of your Personal Data: A UMA perspective</b> (8 March 2012)</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnpqqGWdDmyGPoD3AJJyqcETgH1gp-Uv9UDA3eCROS2fBMNPSL_kBmRf5WENXuVDiHnQUll2UKDGZwRLoVghEFsHVAHBfIHatXpS0yaMMmx9J5IttN5NMTPCOPNZdVtgPS7TlTpD3Sh3A/s1600/UMA_Privacy_protection.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnpqqGWdDmyGPoD3AJJyqcETgH1gp-Uv9UDA3eCROS2fBMNPSL_kBmRf5WENXuVDiHnQUll2UKDGZwRLoVghEFsHVAHBfIHatXpS0yaMMmx9J5IttN5NMTPCOPNZdVtgPS7TlTpD3Sh3A/s200/UMA_Privacy_protection.jpg" width="195" /></a></div>
Recently, the EU Commission reviewed the <a href="http://ec.europa.eu/justice/newsroom/data-protection/index_en.htm">Privacy Directive</a>, introducing new rules for the protection of personal data in a data sharing context. The reason is straightforward: the scale of data sharing and collection has increased spectacularly. Online services are multiplying and individuals are encouraged to make personal information available publicly and globally. <br />
<br />
Even though privacy is a complex problem with many facets (think about Google's new privacy policy, which provides for combining personal data across different services, and the <a href="http://www.cnil.fr/english/news-and-events/news/article/googles-new-privacy-policy-raises-deep-concerns-about-data-protection-and-the-respect-of-the-euro/">concern about compliance with European data protection legislation</a>), there isn't an easy way to address these problems without a legal framework and respect for the individual. <br />
<br />
Nevertheless, state-of-the-art technology can help individuals reduce the risk of losing control of their personal data, empowering the user to control personal data distributed among service providers through a centralized authorization service.<br />
<br />
At the <a href="http://kantarainitiative.org/confluence/display/uma/Home">Kantara User-Managed Access (UMA) Work Group</a>, headed by <a href="http://www.xmlgrrl.com/">Eve Maler</a>, we are developing specs that let an individual control the authorization of data sharing and service access made between online services on the individual's behalf.<br />
<div>
<br />
<div>
UMA is designed with privacy in mind, with the goal of addressing the concept of <a href="http://privacybydesign.ca/">Privacy by Design</a>. UMA is inspired by this paradigm:<br />
<blockquote class="tr_bq">
<span class="Apple-style-span" style="color: #999999; font-size: large;">"</span><span class="Apple-style-span" style="color: #666666;">The goal of a flexible, user-centric identity management infrastructure must be to allow the user to quickly determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be</span>" - <i><span class="Apple-style-span" style="color: #666666;">Ann Cavoukian, Information and Privacy Commissioner of Ontario</span> (<a href="http://www.ipc.on.ca/images/resources/privacyintheclouds.pdf">Privacy in the clouds</a>).</i> </blockquote>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibtY5FskGmRa0Hp6IP4xwnA3jn_w9TTy7H5khU8Uee-ERAKBDf7vAkRoQ66KdGn_eYI57t41WlYTljdt48OtMvLEqpZuOprOWd7k55veE-NTBci0XNMBgqsg-gSvCLrFocWg_0aDDk80M/s1600/UMA_Privacy_target.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibtY5FskGmRa0Hp6IP4xwnA3jn_w9TTy7H5khU8Uee-ERAKBDf7vAkRoQ66KdGn_eYI57t41WlYTljdt48OtMvLEqpZuOprOWd7k55veE-NTBci0XNMBgqsg-gSvCLrFocWg_0aDDk80M/s400/UMA_Privacy_target.jpg" width="400" /></a></div>
<br />
<div>
This approach helps to significantly reduce the difficulty individuals face in staying in control of their personal data.</div>
A typical scenario is online registration at a website so that an individual can access its online service. This scenario involves a host, where the individual stores the personal data; a requester, which is the website that provides the service; and the Authorization Manager, which makes the authorization decision on behalf of the individual.</div>
<div>
<br /></div>
Let me explain how this scenario matches the privacy paradigm from the UMA perspective: <br />
<br />
<b>What data will be revealed</b><br />
Individuals can control what data will be revealed because they are involved in the protocol. First, the Subject must register the resource which is collecting the personal data with a centralized Authorization Manager. This allows individuals to maintain a centralized view of what data is being collected. <br />
<br />
UMA goes beyond just informing people what will happen if something is shared; it lets them actively control sharing.<br />
<div>
<br /></div>
<b>For what purpose </b><br />
Individuals take an active part in defining how their personal information will be handled in the data sharing process. With UMA's centralized Authorization Manager, the Subject is able to define a sharing policy (a connection) stating for what purposes the personal data is shared (or collected), and to maintain control of it, including the possibility of cancelling or disabling the connection with a service provider (Requester) at any time.<br />
<div>
<br /></div>
<b>With which parties </b><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia2IwhqZnIVHX9AGkC5mOGmQHSsy_Bod2U9C4kNx7dh8_YBStSGjENHemg3SK7Px4-_sOQBVYCQ00jYwQCEKQEnnBVJrBNLguvugk_uQQIagSwiQR-qjqRGkJiA42XICYGlNKRC1tm-h0/s1600/UMA_Consent_mobile.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia2IwhqZnIVHX9AGkC5mOGmQHSsy_Bod2U9C4kNx7dh8_YBStSGjENHemg3SK7Px4-_sOQBVYCQ00jYwQCEKQEnnBVJrBNLguvugk_uQQIagSwiQR-qjqRGkJiA42XICYGlNKRC1tm-h0/s320/UMA_Consent_mobile.jpg" width="183" /></a>Any attempt to access personal data by any party (Requester) is intercepted by a policy enforcement point (at the local service provider), which alerts the Authorization Manager; the Authorization Manager is in charge of taking the authorization decision. In this specific scenario, the Authorization Manager interacts with the Subject to request consent before granting access to the Subject's own personal data. <br />
<br />
The following picture shows an individual online consent request based on the <a href="http://kantarainitiative.org/confluence/display/uma/User+Experience">UMA User Experience study</a>, applied to a mobile context.<br />
<div>
<br />
<br /></div>
<b>The Role of data Visualization </b><br />
Visualization plays a fundamental role in creating an abstraction layer for controlling distributed personal data. Last summer, I had the opportunity to visit Newcastle University for 4 weeks to work on the <a href="http://smartjisc.wordpress.com/2011/06/30/domenico-jacek-join-smart/">SmartAM project</a>, which is implementing the <a href="http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol">UMA spec</a>, with the goal of studying and contributing to the human interface aspects. <br />
<br />
As a <a href="http://identitycube.blogspot.com/2011/07/privacy-control-for-user-managed-access.html">result of this study</a>, we introduced two main concepts to enhance the level of control over personal data. The first is the connection, which defines the context of a data sharing policy. In other words, it's a visualization technique that helps the individual define and determine what data will be revealed for what purpose, so it defines an appropriate context. The second is an analytics feature which helps to maintain control over the information that is revealed. <br />
<br />
The picture below shows an example of how the individual would see all of the connections for their own personal data. In the middle of the example, "Personal Data" is shown in different contexts (e.g. Professional, University, Collab, etc.); each context includes Requesters (MySelf, Person, Groups, etc.), which have access to the data, and Applications, which have access on behalf of the requester.</div>
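The scenario described in this post (the Subject registers the resource with the Authorization Manager, defines a connection with a purpose, the Host's policy enforcement point defers every access to the AM, and the connection can be cancelled at any time) together with the claims and promises from the earlier post "Introduction to UMA. Part I" ("Are you over 18?", "Do you agree to the disclosure terms?"), as an added example that is not part of the original post and not the UMA spec's or SmartAM's code: a toy Python model of the flow. The host, resource and requester names, the claim fields, the sample data and the opaque token format are all constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Claims:
    """What a Requester asserts about itself (in UMA, possibly via a claims provider)."""
    requester_id: str
    age: int
    accepted_terms: FrozenSet[str]  # disclosure terms the Requester has promised to honour


@dataclass
class Connection:
    """Sharing policy set by the Subject: which Requester gets which scopes, for what purpose."""
    purpose: str
    requester_id: str
    scopes: FrozenSet[str]
    min_age: int = 0
    required_terms: FrozenSet[str] = frozenset()
    active: bool = True


class AuthorizationManager:
    """Centralized AM: registered resources, connections, issued tokens and an audit trail."""
    def __init__(self) -> None:
        self.resources: Dict[str, str] = {}                  # resource_id -> host_id
        self.connections: Dict[str, List[Connection]] = {}   # resource_id -> policies
        self.tokens: Dict[str, Tuple[str, str, FrozenSet[str]]] = {}  # token -> (res, req, scopes)
        self.audit: List[Tuple[str, str, str, str]] = []     # (requester, resource, scope, decision)

    def register_resource(self, host_id: str, resource_id: str) -> None:
        """Step 1: the Subject delegates protection of a Host resource to the AM."""
        self.resources[resource_id] = host_id
        self.connections.setdefault(resource_id, [])

    def add_connection(self, resource_id: str, conn: Connection) -> None:
        """Step 2: the Subject states what is shared, with whom and for what purpose."""
        if resource_id not in self.resources:
            raise KeyError(f"resource {resource_id!r} is not registered with the AM")
        self.connections[resource_id].append(conn)

    def revoke(self, resource_id: str, requester_id: str) -> None:
        """The Subject cancels a connection; issued tokens die at the next Host check."""
        for conn in self.connections.get(resource_id, []):
            if conn.requester_id == requester_id:
                conn.active = False
        self.tokens = {t: v for t, v in self.tokens.items() if v[:2] != (resource_id, requester_id)}

    def authorize(self, resource_id: str, scope: str, claims: Claims) -> Optional[str]:
        """Step 3: check the Requester's claims against the Subject's connections."""
        for conn in self.connections.get(resource_id, []):
            if (conn.active and conn.requester_id == claims.requester_id
                    and scope in conn.scopes and claims.age >= conn.min_age
                    and conn.required_terms <= claims.accepted_terms):
                token = secrets.token_urlsafe(16)  # opaque; its meaning lives only in the AM
                self.tokens[token] = (resource_id, claims.requester_id, conn.scopes)
                self.audit.append((claims.requester_id, resource_id, scope, "granted"))
                return token
        self.audit.append((claims.requester_id, resource_id, scope, "denied"))
        return None

    def introspect(self, token: str, host_id: str, resource_id: str, scope: str) -> bool:
        """Host-side question: is this token valid for this Host, resource and scope?"""
        entry = self.tokens.get(token)
        return (entry is not None and entry[0] == resource_id
                and self.resources.get(resource_id) == host_id and scope in entry[2])


class Host:
    """Stores the personal data; its policy enforcement point never decides locally."""
    def __init__(self, host_id: str, am: AuthorizationManager) -> None:
        self.host_id, self.am = host_id, am
        self.data: Dict[str, Dict[str, str]] = {}

    def access(self, resource_id: str, scope: str, token: Optional[str]) -> Optional[Dict[str, str]]:
        if token is None or not self.am.introspect(token, self.host_id, resource_id, scope):
            return None  # PEP blocks: the AM said no (or was never asked)
        return self.data[resource_id]


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk the scenario: register, connect, access, wrong scope, missing promise, revoke."""
    am = AuthorizationManager()
    host = Host("photos.example", am)
    host.data["album-42"] = {"owner": "alice", "content": "holiday photos"}  # constructed data
    am.register_resource("photos.example", "album-42")
    am.add_connection("album-42", Connection(
        purpose="Professional", requester_id="jobsite.example",
        scopes=frozenset({"view"}), min_age=18, required_terms=frozenset({"no-resale"})))
    good = Claims("jobsite.example", 30, frozenset({"no-resale"}))
    no_promise = Claims("jobsite.example", 30, frozenset())  # refused the disclosure terms
    token = am.authorize("album-42", "view", good)
    granted = host.access("album-42", "view", token) is not None
    scope_blocked = host.access("album-42", "edit", token) is None  # 'edit' not in the connection
    terms_blocked = am.authorize("album-42", "view", no_promise) is None
    am.revoke("album-42", "jobsite.example")
    revoked = host.access("album-42", "view", token) is None
    return granted, scope_blocked, terms_blocked, revoked
```

The AM's audit list is the raw material for the connections and analytics views the post describes: every decision, granted or denied, is recorded with the requester, resource and scope.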
<div>
<br />
<div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilJ8Dv0ydUnt-ujGx5FcHjxxpzIGCysXAy5cBWuTD23ff9TB6D8uFQKz4eDkJLl4Gb_K7TGfhnHS_k-cIh5rfkks_LrQii3C-Cf6z2JRX64BdaR9de89yanAlOqJuoRpZWOlzA6LAon8Q/s1600/NCL_UMA_SmartAM_Analytic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilJ8Dv0ydUnt-ujGx5FcHjxxpzIGCysXAy5cBWuTD23ff9TB6D8uFQKz4eDkJLl4Gb_K7TGfhnHS_k-cIh5rfkks_LrQii3C-Cf6z2JRX64BdaR9de89yanAlOqJuoRpZWOlzA6LAon8Q/s400/NCL_UMA_SmartAM_Analytic.jpg" width="400" /></a></div>
<br /></div>
<b>Building Trust </b><br />
One of the most important and complex aspects for economic development, and for encouraging individuals to adopt a distributed authorization system, is building a trusted ecosystem among Individuals, Service Providers and Requester services. The UMA WG is also defining a Trust Model in order to provide baselines for building technical and business trust. At this <a href="http://identitycube.blogspot.com/2012/01/uma-trust-in-distributed-authorization.html">link</a> you can read a blog post that gives a brief introduction to the model.</div>
</div>
<div><b>UMA Tweet Chat</b> (3 February 2012)</div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqc2escXdzNySg35qbsO4Ri3p14im4P2LiiGpFTA3VglPsFIApbNw_4po6Xz4tINxfA7l4mimSH6-l-SM889ZZCHDlBDkI-eCQA-bmyk4EeX2Pv7nB51uxLdyr5XseS5FtSqC6EKuJ8Ic/s1600/UMA_logo_tweet.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqc2escXdzNySg35qbsO4Ri3p14im4P2LiiGpFTA3VglPsFIApbNw_4po6Xz4tINxfA7l4mimSH6-l-SM889ZZCHDlBDkI-eCQA-bmyk4EeX2Pv7nB51uxLdyr5XseS5FtSqC6EKuJ8Ic/s200/UMA_logo_tweet.jpg" width="200" /></a>If you are interested in <a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA)</a> from a technical standpoint, including the UMA <a href="http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol">spec</a>, UMA <a href="http://kantarainitiative.org/confluence/display/uma/Implementations">implementations</a>, development advice, best practices and interoperability testing, don't miss the first-ever UMA Twitter chat on <i>Wednesday, February 8, 2012, at 9-10am Pacific time</i>.<br />
<br />
The hosts will be:<br />
Eve Maler, UMA group chair (<a href="https://twitter.com/#!/xmlgrrl">@xmlgrrl</a>) and<br />
Maciej Machulak, UMA group vice-chair (<a href="https://twitter.com/#!/mmachulak">@mmachulak</a>).<br />
<br />
The chat hashtag is <a href="https://twitter.com/#!/search/%23UMAchat">#umachat</a>. If you write in, be sure to use it! An easy way to follow along is to use <a href="http://TweetChat.com/">TweetChat.com</a>.<br />
<br />
Join us!<br />
<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6MTmJP8FY87p-B92hrgFULmoVW8Rf0D0hETgyCKihJ38YrDrX1dew2NQvWdFhs0ddEviEeEY2zLN5KDQAgRDqt0N7D01D70CdhEPlK_EB4IgT07xs-zAyEzssZ9ZgdwQY2j6cS7lvwMw/s400/DSC06889.jpg" width="400" /></div>
<br /></div>
<div>
<br /></div>
<div><b>UMA: Trust in a distributed authorization system</b> (3 January 2012)</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQswzFXb2vQFVzKEnLRH0HmHYekbaADScL1adXuGOmS18lmza0zTbq4z_EKZ02FLhT32efYH6gwJhQ4_NcCUTZ_51RGfEaXX4ar-iUvSjlkY55EXEVQhP_h9_WtxDRBCls5SJXTl3v7ME/s1600/iStock_000006980385Small.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQswzFXb2vQFVzKEnLRH0HmHYekbaADScL1adXuGOmS18lmza0zTbq4z_EKZ02FLhT32efYH6gwJhQ4_NcCUTZ_51RGfEaXX4ar-iUvSjlkY55EXEVQhP_h9_WtxDRBCls5SJXTl3v7ME/s200/iStock_000006980385Small.jpg" width="200" /></a>During the last <a href="http://kantarainitiative.org/confluence/display/uma/Home">UMA WG</a> webinar (<a href="http://kantarainitiative.org/confluence/download/attachments/37751312/Webinar-UMA-14Dec2011.pdf">slides</a>), which focused on multiple implementation demos and <a href="http://identitycube.blogspot.com/2011/07/uma-openid-connect.html">UMA's OpenID Connect relationship</a>, I had the opportunity to explain the current UMA trust model. Here are some descriptive details about this model.<br />
Much of the literature tries to define the concept of trust. According to ITU-T X.509, Section 3.3.54, trust is defined as follows: <i>“Generally an entity can be said to ‘trust’ a second entity when the first entity makes the assumption that the second entity will behave exactly as the first entity expects.”</i><br />
The UMA trust model is built on the following implications of UMA's features:<br />
<ul><li>The Host's authorization decision is externalized to the Authorization Manager (AM).</li>
<li>There is no relationship between a Requester and the Authorization manager prior to a request for access. </li>
</ul>Externalizing an authorization decision requires a formal registration process and, consequently, delegation of the protection of a resource.<br />
Furthermore, because the AM does not know the requester directly, it has to use information from third parties who know the requester better. Normally, the AM trusts these third parties only for certain things and only to certain degrees. <br />
These trust and delegation aspects make UMA's authorization system different from traditional access control.<br />
<div>The following diagram is a high-level representation of the UMA Trust Model, which describes the trust relationships. We use a representation with multiple triangles because it conveys this complex trust relationship well (two parties plus one authority).<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBu5aydSUBr775cIY-wuxbFo4cStzDB3bYiaeqB5SkLmOe1gJOySKvWUVmvY4HlbOgoan-9kLymCTHs32lpCasvytbyiyD4lMAe93IGRzDx7yRJ-PvKo8UN4CUOGmB24eyMf9ow81YwX0/s1600/UMA_TM-02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBu5aydSUBr775cIY-wuxbFo4cStzDB3bYiaeqB5SkLmOe1gJOySKvWUVmvY4HlbOgoan-9kLymCTHs32lpCasvytbyiyD4lMAe93IGRzDx7yRJ-PvKo8UN4CUOGmB24eyMf9ow81YwX0/s1600/UMA_TM-02.jpg" /></a></div>The diagram shows the three main aspects of the trust model, Registration, Trusted Claims and Delegation of Authority, each related to a step of the UMA functional model: Protect, Authorize and Access (shown in the central triangle). </div><div><br />
</div><div>The Registration aspect describes the Host-AM trust relationship; this includes technical procedures (such as private key exchange), legal agreements and policies. <br />
On the left side, the vertex called "Accreditation system" represents a third party (e.g. a Registration Authority) that we think could be involved to guarantee an adequate level of trustworthiness of the parties in the case of a specific business domain (e.g. healthcare, financial credit). It is not about identity exclusively.<br />
<br />
The Trusted Claims aspect describes the AM-Requester trust relationship. For this specific aspect we leverage the <a href="http://openid.net/connect/">OpenID Connect specification</a> and its levels of assurance to enable a claims-based authorization system (see the slideshare <a href="http://www.slideshare.net/domcat/uma-trusted-claims">here</a>). The SmartAM demo in the webinar showed a case of OpenID Connect-sourced trusted claims.<br />
<br />
Last is the Delegation of Authority aspect, which describes the Host-Requester trust relationship; it is based on a delegation process, specific to the UMA protocol sequence, which enables the propagation of trust.<br />
Examples of delegation are:<br />
<ul><li>The Authorizing User delegates rights of protecting its resource to the Authorization Manager.</li>
<li>The Host delegates rights of authorizing decision to the Authorization Manager. </li>
<li>The Authorization Manager delegates the right to verify the Requester’s proof of claims to a third-party Claims Provider.</li>
</ul>For more details about the expectations and responsibilities of the various parties interoperating in the User-Managed Access (UMA) context, please take a look at the <a href="http://kantarainitiative.org/confluence/display/uma/UMA+Trust+Model">UMA Trust Model document</a> and the approach for <a href="http://kantarainitiative.org/confluence/display/uma/Measuring+elements+of+Trust">Measuring Elements of Trust</a>.<br />
See also the UMA Trust and Security Implications <a href="http://kantarainitiative.org/confluence/display/uma/UMA+FAQ#UMAFAQ-TrustandSecurityImplications">FAQ</a>. </div>
<div><b>Privacy Control for User-Managed Access</b> (29 July 2011)</div>
This post is about my recent work at <a href="http://www.ncl.ac.uk/">Newcastle University</a> as a contributor to the <a href="http://smartjisc.wordpress.com/">Smart project</a>. The study explores visualization techniques to enhance the privacy control user experience for the <a href="http://kantarainitiative.org/confluence/display/uma/Home">User-Managed Access (UMA)</a> protocol, applied to the SmartAM system.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2RP_aRQK1YSooJL-DBreJbRaLWe_T2Dz8ju-9RcJBuNLeSBbXXPfW9-dZ1OfPiq5em6vIfCyUaWNmFqYhEt-wwc6B-B3CrGzW3by7MsV75ic0q5UxsEPDnxpG8-e5-WM7B4djdVBUpWk/s1600/UMA_Connection2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2RP_aRQK1YSooJL-DBreJbRaLWe_T2Dz8ju-9RcJBuNLeSBbXXPfW9-dZ1OfPiq5em6vIfCyUaWNmFqYhEt-wwc6B-B3CrGzW3by7MsV75ic0q5UxsEPDnxpG8-e5-WM7B4djdVBUpWk/s1600/UMA_Connection2.jpg" /></a>The goal is to mitigate the risks of loss of privacy and exploitation of online personal data caused by the user's difficulty in maintaining control, correlating web resources and assigning privileges for a specific scope in the data sharing process.<br />
The approach (see slideshare presentation below) introduces the concepts of Connection, Control bridge and visualization tools for this purpose.<br />
<br />
<div id="__ss_8673854" style="width: 425px;"><strong style="display: block; margin: 12px 0 4px;"><a href="http://www.slideshare.net/domcat/exploring-visualization-techniques-to-enhance-privacy-control-ux-for-usermanaged-access-8673854" target="_blank" title="Exploring Visualization Techniques to Enhance Privacy Control UX for User-Managed Access">Exploring Visualization Techniques to Enhance Privacy Control UX for User-Managed Access</a></strong> <iframe frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/8673854" width="425"></iframe> <br />
<div style="padding: 5px 0 12px;">View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/domcat" target="_blank">domcat</a> </div></div>
<div><b>UMA &amp; OpenID Connect</b> (18 July 2011)</div>
As part of my visit to <a href="http://www.ncl.ac.uk/">Newcastle University</a>, thanks to the <a href="http://smartjisc.wordpress.com/">Smart team</a> and Prof. Aad van Moorsel, last Wednesday I had the opportunity to speak at the Computer Science Group Talk to a group of PhD students and researchers about the <a href="http://kantarainitiative.org/confluence/display/uma/Home">UMA protocol</a> and its extension to support Trusted Claims using OpenID Connect. The integration scenario (see the slideshare below) shows a user interaction to get access to a UMA-protected resource with access restrictions based on the requester's information/claims (e.g. email address, age and gender) using OpenID Connect.<br />
Interestingly, a first <a href="http://oauthssodemo.appspot.com/step/1">OpenID Connect demo with Google</a> was released yesterday. This is very useful for further investigation of the integration approach and the interfaces between UMA and OpenID Connect!<br />
<div id="__ss_8585758" style="width: 425px;"><strong style="display: block; margin: 12px 0 4px;"><a href="http://www.slideshare.net/domcat/uma-trusted-claims" target="_blank" title="UMA Trusted Claims">UMA Trusted Claims</a></strong> <iframe frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/8585758" width="425"></iframe> <br />
<div style="padding: 5px 0 12px;">View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/domcat" target="_blank">domcat</a> </div></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJfxZwJTEBPhJHPgqZG3H4JgxDc3DBieCIViZmbzWdr-gS6kIuYlkvp84EdmSajEINkb1258y2naDULmhdJuGj3TioV0i9so7Lozj_LUo41bkhKia0eZgGBPMU060LeouAE8PInp5YnE/s1600/Smart+Team.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJfxZwJTEBPhJHPgqZG3H4JgxDc3DBieCIViZmbzWdr-gS6kIuYlkvp84EdmSajEINkb1258y2naDULmhdJuGj3TioV0i9so7Lozj_LUo41bkhKia0eZgGBPMU060LeouAE8PInp5YnE/s400/Smart+Team.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Smart team at Newcastle University</td></tr>
</tbody></table>
<div><b>User-Managed Access (UMA): Power to the people</b> (10 July 2011)</div>
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8NclBUB_O5IBKxODpn0tAsOv7YEsAeuTBN3aHORJtkA-FEWA6QvPnejfgMyYV55nO_O6ZJ7X5F_MWdqsCf8ZSlOLUOreBYWZEHZGpDsIdCf-vhYyVIr9i0EfG0Dk810-URjL4_8RsgCA/s1600/UMA_logo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8NclBUB_O5IBKxODpn0tAsOv7YEsAeuTBN3aHORJtkA-FEWA6QvPnejfgMyYV55nO_O6ZJ7X5F_MWdqsCf8ZSlOLUOreBYWZEHZGpDsIdCf-vhYyVIr9i0EfG0Dk810-URjL4_8RsgCA/s1600/UMA_logo.png" /></a><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">As a contributor and member of the leadership team at <a href="http://kantarainitiative.org/confluence/display/uma/Home">Kantara UMA WG</a>, I'm very excited about the <a href="http://kantarainitiative.org/wordpress/2011/07/announcing-user-managed-access-uma-gives-data-sharing-power-to-the-people/">announced release of a first draft recommendation for UMA to the IETF for consideration</a>.</span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">This is a fundamental milestone for the creation of a new generation of authorization systems which give data-sharing power to the people.</span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The approach addresses the emerging issues of data sharing and identity in the cloud. From a security and privacy perspective, the UMA protocol, which is built on top of the IETF <a href="http://en.wikipedia.org/wiki/OAuth#OAuth_2.0">OAuth 2.0</a> effort, gives the user the capability to control what information will be revealed, for what purpose and to which party, independently of where the user's information is stored. </span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br />
</span></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbcXyarDR2IJz1WZsy_aLyWRJSqoPeBDBUsDxqpIesONwiOJ_C1gvBWrVXQzPI8__ZDEfVKxtq_bjFpGRBrlkO3T-BxekDbaFXCmqBe6lKdBmQkGWSEy9AV0nPBCzje_1tc5ETFQrsHLo/s1600/Newcastle-University.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbcXyarDR2IJz1WZsy_aLyWRJSqoPeBDBUsDxqpIesONwiOJ_C1gvBWrVXQzPI8__ZDEfVKxtq_bjFpGRBrlkO3T-BxekDbaFXCmqBe6lKdBmQkGWSEy9AV0nPBCzje_1tc5ETFQrsHLo/s200/Newcastle-University.jpg" width="200" /></a><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">This announcement comes while I'm visiting Newcastle University, where I have joined the <a href="http://smartjisc.wordpress.com/">Smart team</a> to contribute to the SmartAM project (another exciting challenge!!), which implements the UMA specification.</span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The Working Group will demonstrate UMA's benefits in a public webinar on Wednesday, July 13, at 9am Pacific time. Join us. </span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">You can register <a href="https://ieee-isto.webex.com/mw0306ld/mywebex/default.do?service=1&siteurl=ieee-isto&nomenu=true&main_url=%2Fmc0805ld%2Fe.do%3Fsiteurl%3Dieee-isto%26AT%3DMI%26EventID%3D13129823%26UID%3D20430508%26Host%3D036f7a146b08002f031803%26RG%3D1%26FrameSet%3D2">here</a>.</span></div><div><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br />
</span></div>Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com0tag:blogger.com,1999:blog-1096994277437474051.post-57999046815611492102011-02-21T12:46:00.000-08:002011-02-21T12:46:41.533-08:00Microsoft won't ship CardSpace 2.0<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-size: small;"></span></div><div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwoLL8DgBGRYSbRlKIEMpvp7w8DWXhO8YeHIzsvVpDbzF_dIkZfTv9t2lwE212WcpL1B_KAl49F1n1dHBFeSu7i4oFRFWxZ4-uObmeVUfhv0l1umEsxvErOk58QTJMSVMM1Xk7NV5hv2Y/s1600/infocard_300x210.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwoLL8DgBGRYSbRlKIEMpvp7w8DWXhO8YeHIzsvVpDbzF_dIkZfTv9t2lwE212WcpL1B_KAl49F1n1dHBFeSu7i4oFRFWxZ4-uObmeVUfhv0l1umEsxvErOk58QTJMSVMM1Xk7NV5hv2Y/s200/infocard_300x210.png" width="200" /></a></div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Last week, at </span></span><a href="http://www.rsaconference.com/2011/usa/"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">RSA Conference</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">, Microsoft </span></span><a href="http://blogs.msdn.com/b/card/archive/2011/02/15/beyond-windows-cardspace.aspx"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">announced</span></span></a><span class="Apple-style-span" style="font-family: 
Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> that it will not ship Windows </span></span><a href="http://www.microsoft.com/windows/products/winfamily/cardspace/default.mspx"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">CardSpace</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> 2.0. This decision is very significant because CardSpace was considered one of the most interesting user-centric technologies, along with </span></span><a href="http://openid.net/"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">OpenID</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">. </span></span></div><div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">The Windows CardSpace software enables people to maintain a set of personal digital identities that are shown to them as visual “</span></span><a href="http://en.wikipedia.org/wiki/Information_Card"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Information Cards</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">”. This approach mitigates phishing attacks and encourages a move away from passwords. 
</span></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">The card approach combined with the claims-based approach also has some potential privacy benefits.</span></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;"><br />
</span></span><span class="Apple-style-span" style="font-size: small;"> </span></div><div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">It seems that Microsoft is reconsidering the state of the art of the identity landscape and the evolution of tools and cloud services, and is trying to focus on claims-based identity using new approaches (see </span></span><a href="http://www.identityblog.com/?p=1164"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Kim Cameron's Identity weblog: From CardSpace to Verified Claims</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">).</span></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">On the other hand, the claim-based Identity remains one of the vibrant concept to address permissioned data sharing scenarios in the cloud.</span></span></div><div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Claim-based Identity is also one of the main interest and priority of </span></span><a href="http://kantarainitiative.org/confluence/display/uma/Home"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">Kantara UMA WG</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> (Trusted Claims), where we are exploring some interesting </span></span><a href="http://kantarainitiative.org/confluence/download/attachments/19660903/UMA_Enterprise_tClaims_V3.pdf"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;">user experience</span></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: small;"> and the relationship with OpenID Connect to provide a claim-based access control spec in order to restrict and personalize access to cloud services.</span></span></div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-size: small;"><br />
</span></div><div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-size: small;"></span></div><div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><br />
</div><br />
<div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"><span class="Apple-style-span" style="font-size: small;"><br />
</span></div>Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com2tag:blogger.com,1999:blog-1096994277437474051.post-13745331543790599862010-12-01T04:23:00.000-08:002010-12-01T04:23:55.586-08:00OAuth, UMA and the Enterprise<div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-family: inherit;">As reported on </span></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="http://independentidentity.blogspot.com/"><span class="Apple-style-span" style="font-family: inherit;">Phil Hunt</span></a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-family: inherit;">'s blog, a lot of interest in OAuth applied to enterprise scenarios emerged at the last </span></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.internetidentityworkshop.com/iiwxi-11-in-mountain-view/"><span class="Apple-style-span" style="font-family: inherit;">IIW#11</span></a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-family: inherit;"> at Mountain View (</span></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="http://independentidentity.blogspot.com/2010/11/iiw-oauth-enterprise-bof-scenarios.html"><span class="Apple-style-span" style="font-family: inherit;">IIW OAuth Enterprise BOF</span></a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-family: inherit;">).</span></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcS59bxGMukjs1QYvmqzeuym0KxigmYoCSSgNV1sWVFIheFmYz6hhKmwpml0FnvEDUkdeFroNO3674c0mRIivoCWmUdX_BAj-CLj6xODkbQcFzFlmnfUjL5mqG3N_TUXI-J9fOB9Dcvx4/s1600/UMA_logo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcS59bxGMukjs1QYvmqzeuym0KxigmYoCSSgNV1sWVFIheFmYz6hhKmwpml0FnvEDUkdeFroNO3674c0mRIivoCWmUdX_BAj-CLj6xODkbQcFzFlmnfUjL5mqG3N_TUXI-J9fOB9Dcvx4/s1600/UMA_logo.png" /></a></div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Starting in 2008, I have worked on the Sun internal project led by </span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.xmlgrrl.com/">Eve Maler</a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> that formed the basis for User-Managed Access (UMA), based on OAuth, and later joined the Kantara UMA Work Group, now as Oracle employee, after Sun acquisition.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><div>I've noted with much interest that the discussed scenarios at IIW BOF are very similar to the scenario and use case that I've proposed and then accepted from <a href="http://kantarainitiative.org/confluence/display/uma/">Kantara UMA WG</a><u>,</u> where I'm contributing as leadership team member.</div><div>The scenario that I've proposed is about an <span class="Apple-style-span" style="line-height: 17px;"><a href="http://kantarainitiative.org/confluence/display/uma/loan_scenario">Online Personal loan</a> request that is a use case in which a user apply a request for a personal loan to a financial service.</span></div><div><span class="Apple-style-span" style="line-height: 17px;"><br />
</span></div><div><span class="Apple-style-span" style="line-height: 17px;">In brief, to approve or reject the loan request, the financial service must verify many pieces of the user's personal information held by different Service Providers/Hosts: for instance, the user's monthly salary (i.e. the last 3 monthly salaries) from the user's Employer, the user's bank account information (account number, net) from the user's Bank, and the user's credit information (credit history, score, etc.) from the Financial Risk central service.</span></div><div><span class="Apple-style-span" style="line-height: 17px;"><br />
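The loan request just described, worked as an added simulation that is not the UMA WG's or Kantara's code: the Authorization Manager applies the user's policy, accepts the "licensed lender" claim only when a trusted issuer asserts it (a self-asserted copy is refused), hands the Financial Service one token for the whole basket of resources held by the Employer, Bank and Financial Risk hosts, and audits each host's check. Resource names, the policy format and the "lender-registry" issuer are assumptions.

```python
# Added example, not the UMA WG's code: a toy simulation of the loan-request scenario.
# Resource names, the policy format and the "lender-registry" issuer are assumptions.
import secrets
from dataclasses import dataclass

@dataclass
class Policy:
    """Authorizing User's policy for one protected resource, stored at the AM."""
    resource: str          # "host:resource", e.g. "employer:salary"
    required_claims: dict  # claim name -> value the Requester must prove
    trusted_issuers: set   # issuers whose assertion of those claims the user accepts
class ClaimsRequired(Exception):
    """The AM demands claims the Requester has not acceptably supplied."""

class AuthorizationManager:
    """Centralized Policy Decision Point acting on the Authorizing User's policies."""
    def __init__(self):
        self.policies = {}  # (user, resource) -> Policy, set by the Authorizing User
        self.tokens = {}    # token -> (user, requester, frozenset(resources))
        self.audit = []     # (requester, resource, granted): feeds the privacy dashboard
    def _missing_claims(self, policy, claims):
        # Only claims asserted by an issuer the user trusts count; self-asserted ones do not.
        have = {(c["name"], c["value"]) for c in claims if c["issuer"] in policy.trusted_issuers}
        return {n for n, v in policy.required_claims.items() if (n, v) not in have}

    def request_token(self, user, requester, resources, claims):
        """Issue one token for a whole basket of resources (resource aggregation)."""
        missing = {}
        for res in resources:
            policy = self.policies[(user, res)]  # KeyError: the user never shared this resource
            if lacking := self._missing_claims(policy, claims):
                missing[res] = lacking
        if missing:
            raise ClaimsRequired(missing)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, requester, frozenset(resources))
        return token

    def introspect(self, token, resource):
        """Host-side check of a presented token; every decision is recorded for auditing."""
        entry = self.tokens.get(token)
        granted = entry is not None and resource in entry[2]
        self.audit.append((entry[1] if entry else None, resource, granted))
        return granted

class Host:
    """Service Provider holding the user's data; it enforces the AM's decision, not its own."""
    def __init__(self, name, am, data):
        self.name, self.am, self.data = name, am, data
    def get(self, token, resource):
        if not self.am.introspect(token, f"{self.name}:{resource}"):
            raise PermissionError(f"{self.name}:{resource} denied")
        return self.data[resource]

def run_loan_request(claims):
    """Financial Service (Requester) gathers salary, account and credit data with one token."""
    am = AuthorizationManager()
    needed = ["employer:salary", "bank:account", "risk:score"]
    for res in needed:  # user policy: only a lender vouched for by the trusted registry may read
        am.policies[("alice", res)] = Policy(res, {"licensed_lender": "yes"}, {"lender-registry"})
    hosts = {h: Host(h, am, d) for h, d in [("employer", {"salary": [3000, 3000, 3100]}),
             ("bank", {"account": "IT00-XXXX"}), ("risk", {"score": 710})]}  # constructed data
    token = am.request_token("alice", "loan-service", needed, claims)
    data = {res: hosts[res.split(":")[0]].get(token, res.split(":")[1]) for res in needed}
    return data, am.audit
```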
</span></div><div><span class="Apple-style-span" style="line-height: 17px;">The actors in UMA terminology:</span><br />
<br />
<ul><li>User as Authorizing User</li>
<li><span class="Apple-style-span" style="line-height: 17px;">Financial Service as Requester</span></li>
<li><span class="Apple-style-span" style="line-height: 17px;">User's Employer as Host (salary information)</span></li>
<li><span class="Apple-style-span" style="line-height: 17px;">User Bank as Host (user account information)</span></li>
<li><span class="Apple-style-span" style="line-height: 17px;">Financial Risk central service as Host (user credit information)</span></li>
<li><span class="Apple-style-span" style="line-height: 17px;">Authorization Manager</span></li>
</ul></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoax-mhbNk12SofXUBd1HOKP9rPSSL2vG4aY0ixsMft8d8NYfrilrd5Q_x2eluFvpJI_M9A888CO5gIRIcQE6S5dgM-2ZhsteWgB15BYTlazLZEcgb6rNUEXdGFYRw2LhrInpoJejNzW4/s1600/loan_request_scenario.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoax-mhbNk12SofXUBd1HOKP9rPSSL2vG4aY0ixsMft8d8NYfrilrd5Q_x2eluFvpJI_M9A888CO5gIRIcQE6S5dgM-2ZhsteWgB15BYTlazLZEcgb6rNUEXdGFYRw2LhrInpoJejNzW4/s400/loan_request_scenario.jpg" width="400" /></a></div><div><span class="Apple-style-span" style="line-height: 17px;">Distinctive aspects:</span></div></div><div style="font-family: Helvetica;"><ul><li><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The Authorizing User delegates authorization to a Requester to access Service Providers.</span></span></li>
<li><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">A Requester that needs a collection of information from multiple sources (resource aggregation).</span></span></li>
<li><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">A high-value, privacy-sensitive transaction.</span></span></li>
<li><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Ensuring that information about the user is third-party verified by using the third parties directly as SPs/Hosts.</span></span></li>
</ul><span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif;">Through this and other scenarios the UMA WG is developing the next-generation user-centric access management platform, based on the OAuth 2.0 specification, but with the following key differentiators and capabilities:</span><br />
<ul><li><span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif;">A centralized Policy Decision Point whose decisions are driven by end-user policy.</span></li>
<li><span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif;">The ability to aggregate protected resources in a single basket, so that a requester can collect data from multiple resources.</span></li>
<li><span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif;">Enhanced control of user privacy through an analytics dashboard and auditing of who accesses what.</span></li>
</ul><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Furthermore, in order to address specific trust management issues that matter in the enterprise scenario, at the Kantara UMA WG we are defining an approach to extend the UMA access control mechanism to support trusted claims. </span></div><div style="font-family: Helvetica;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The UMA protocol supports the policy-driven ability of an AM to demand claims from a requesting party before authorization is granted. The claims may be self-asserted or third-party-asserted. In this novel approach, UMA leverages the notion of a Trust Framework (defined by the </span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="http://openidentityexchange.org/sites/default/files/the-open-identity-trust-framework-model-2010-03.pdf">Open Identity Trust Framework</a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> (OITF) Model paper as </span><i><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">“a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information” </span></i><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">and sometimes called a federation).</span></div><div style="font-family: Helvetica;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">For more details see the latest </span><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a 
href="http://kantarainitiative.org/confluence/display/uma/User+Experience#UserExperience-UMATrustedClaims">set of wireframes</a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> developed to explore a person-to-person data sharing scenario in which the Authorizing User wants to restrict sharing to a specific Requesting Party identity.</span></span></div><div style="font-family: Helvetica;"><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"></span></span><span class="Apple-style-span" style="line-height: 17px;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">It is not complex extend the person-to-person data sharing scenario in a service-to-person scenario, where a Bank service, for instance, to grant access to specific resource to the customers could require specific user-managed trusted claims!!</span></span></div></span></div>Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com0tag:blogger.com,1999:blog-1096994277437474051.post-81245292841341829182010-12-01T00:44:00.000-08:002010-12-01T00:46:51.282-08:00A new blog siteThis is my new blog site at <a href="http://identitycube.blogspot.com/">identitycube.blogspot.com</a><br />
You can find my previous blogs at <a href="http://blogs.sun.com/domcat">blogs.sun.com/domcat</a>Anonymoushttp://www.blogger.com/profile/03828679426975865343noreply@blogger.com0