Authentication (User) Blog
Showing posts tagged with Trust
nicolas_popp | 06 Sep 2010 | 1 comment

It is clear that high assurance identity on the internet is going to require identity proofing. With more than 1 billion Web users, and 3 billion mobile users increasingly connected to the Internet, scalability is going to be essential. If high assurance identities become the norm, digital identity verification services that do not require in-person proofing could therefore turn into a significant market opportunity.

Most folks in the industry would tell you that credit bureaux and financial institutions ought to be primary beneficiaries as the new business emerges. However, the convergence of Internet, mobile and telecommunication driven by iPhone and Android could attract new market players. Mobile network operators (MNOs) have a wealth of identifiable data about us. They are also uniquely positioned to bring multi-channel solutions to market. In fact, an MNO-operated ID proofing service could easily support voice and web, for brick and mortar as well as online service...

nicolas_popp | 02 Jun 2010 | 0 comments

I have been involved with a couple of similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on the Open Identity stack. The second is more enterprise cloud focused; it is driven by the Cloud Security Alliance (CSA). The CSA is developing a more SAML-oriented technology blueprint within OASIS. The technology protocols are different but the risk controls are similar. Therefore, I am hopeful that both trust frameworks will converge (I will certainly try to help them converge).

But let us re-hash the motivation of the industry that sponsors these efforts. A trust framework is necessary to enable policy...

nicolas_popp | 10 May 2010 | 0 comments

When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother, who did not want her son to die, decided to dip Achilles' body into the water of a river that would make him immortal. Unfortunately, Thetis had held Achilles by the heel, which was not washed over by the magic water. Achilles grew up to be a great war hero, whose apparent invincibility had turned him into a legend. But one day, an arrow shot at him was lodged in his heel, killing him instantly.

When it comes to consumer identity, Facebook looks more and more like the Achilles of identity. Every day, it is growing more powerful and invincible. Yet, a growing stream of concerns is gradually exposing the social warrior's vulnerability to security and privacy. Nevertheless, as a website, Facebook...

nicolas_popp | 05 Apr 2010 | 0 comments

This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated identity more attractive. In fact, we are hearing new compelling use cases for federation. A first example is cloud access and identity management. As enterprises shift their IT infrastructure and information to the cloud (as in IaaS, PaaS and SaaS applications), CIOs need to federate corporate identities with cloud service providers. For cloud resources, the corporate directory becomes the identity provider and the cloud services are the relying parties (and if you don't have a directory or don't want to use it for federation, Google is in the pole position to be your OP). Another interesting vertical ripe for federation is healthcare. Now that the Obama bill for healthcare has passed, one should expect a revival of health information networks (remember the...

nicolas_popp | 16 Mar 2010 | 0 comments

I could not resist the temptation. Trust Seal, the Trilogy is now on YouTube.

The first act is strictly business, but you may not want to miss act II and act III with Snikko the hacker. Rest assured. I have already promised the marketing team that there would not be a sequel.

nicolas_popp | 03 Mar 2010 | 0 comments

The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the National Institutes of Health can now move out of pilot phase and support accredited OpenID providers.

So, what is the Open Identity Exchange (OIX)? The OIX aims at enabling specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all.

You can think of a trust framework as the policy sibling of technical...

nicolas_popp | 23 Feb 2010 | 1 comment

Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long term vision behind the initial release of a new Internet service.

Setting the standard for websites trust
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best-practices? Can we communicate trust in such a simple visual way that any consumer would understand? Can we promote trust between...

nicolas_popp | 16 Feb 2010 | 1 comment

As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were essential to the exploit.

For security folks, this was a meaningful event. The level of sophistication of the attacker was unprecedented. The attack was carefully crafted. The breach was severe. For tomorrow's cyber historians, however, the breach may prove to be a tipping point. In fact, it may even change the way the world approaches cyber security and cyber warfare. So, what makes the Google hack such a game-changer? Could it be the magnitude of the attack, the significance of the targets or even the...

nicolas_popp | 03 Nov 2009 | 0 comments

One of the key challenges in federated authentication networks is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer-to-peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).

The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into an open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance...

nicolas_popp | 08 Mar 2009 | 0 comments

There is no doubt that mashups will be an important construct of the next Internet. The ability to "compose" distributed Web services into one single aggregate service or view is a significant enabler. The lightweight nature of HTML and JavaScript speaks to the simplicity of a successful programming model. Add to this the emergence of open standards like OAuth, and the need to distribute functionality across screen boundaries (PC, mobile and IP TV), and the picture becomes very clear: mashups and widgets are likely to lead the componentization of the Web and become an important distribution mechanism.

For mashups to become ubiquitous, a trust infrastructure is needed. To establish trust between a widget aggregator (a consumer portal, the enterprise portal or your homepage or TV screen), and a widget provider, protocols like OAuth essentially rely on the exchange of shared secrets. This works well when there are only a few big portals serving as aggregators. However, because they...