RSA Conference 2010 -- Day 1

This year, I'm attending my second consecutive RSA Conference. Just like last year's show, I will be blogging about each day's happenings.  Today, I started things off by attending the day-long Kantara workshop. As I mentioned last year, Kantara is a grassroots effort to bring together the OpenID, Information Card, and SAML communities to find a way to provide digital identity solutions in both the enterprise and consumer space.

During the workshop, various folks from CA, Google, PayPal, MEDecisions, NTT, Ping Identity, et al. spoke about what the group has been doing since its kickoff last year at RSA.  Trent Adams, of the Internet Society, started by explaining what Kantara is, ways to get involved, etc.  Four important things that he said were:

  • Any individual can become a participant for free and become a voting member for a nominal fee (~$100/year) -- more for companies
  • Kantara is not a standards body but an incubator for them
  • The User-Managed Access (UMA) working group, chaired by Eve Maler of PayPal, is the most active of all groups
  • Kantara has been granted provisional status by the US government as a Trust Framework Provider (or something) that basically means that Uncle Sam thinks they're doing pretty important stuff ;-)

Andrew Nash of PayPal spoke next about how we as an industry are a couple billionths of a second after the "big bang" of identity, meaning we are on the absolute forefront of creating an identity metasystem for the Internet.  Given its early days, it's helpful to use the framework presented by Matthew Gardiner of CA to see what initial identity-related capabilities are needed to enable cloud computing:

[Figure: cloud-glue.png, Gardiner's framework of identity capabilities for cloud computing]

By these labels, Gardiner means the following:

  • Enterprise to Cloud Providers - Needs of enterprises who are trying to leverage SaaS or cloud services
  • For Cloud Providers - Needs of cloud/SaaS providers themselves
  • Cloud Providers for Enterprise - Needs of cloud/SaaS providers who are targeting large enterprises

As a market researcher, I would be jazzed to know that this industry leader believes that what big businesses who are trying to adopt cloud computing need right now is data loss prevention, user authentication and federation, and log management services. Good time to be an aspiring entrepreneur who knows a bit about cloud computing, SAML, WS-Trust, and WS-Federation :-)

Paul Madsen (@paulmadsen), of NTT, then explained what's been happening in the identity space with regard to the various specs and protocols. He said that most of the work these days is on creating new profiles for the various protocols (e.g., the XSPA profiles for WS-Trust, SAML, etc.).  He also mentioned OAuth WRAP, which Eric Sachs of Google also talked about.  Not surprisingly, Sachs was very positive about it, but so was Madsen.  It was notable to me because I got the impression that the community was in a tizzy about WRAP, but those of the community that I heard from today weren't.  I caught up with Sachs on the exhibition floor and we chatted over a messy sandwich about how WRAP's purpose was to make OAuth simple to implement.  I've never tried, but Sachs said that OAuth is just too difficult for many developers to do right.

Also in the exhibitor hall, I met up with Sridhar Muppidi and Craig Forster of IBM. This architect and engineer told me about how their STS, which is a part of Tivoli Security Policy Manager (TSPM), has implemented the XSPA profile. Muppidi also said that their STS conforms to WS-Trust 1.3 but that 1.4 is on their road map.  He said that most of their customers are still using 1.2, so 1.3 is still relatively new and that customers aren't even thinking about 1.4 yet.  When they do implement the new versions though, he said that they intend to support not only ActAs but also the new challenge and response stuff.  Awesome!  They do challenge/response now in their STS in a proprietary way, Muppidi went on to say.  What they do is fault and include a subcode and info about the challenge that the user needs to answer to continue the token issuance process.
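To make the fault-driven challenge/response flow Muppidi described concrete, here is an added toy model of it in Python. It is not IBM's TSPM code and not the WS-Trust 1.4 challenge extension: the `demo:` namespace, the `ChallengeRequired`/`ChallengeFailed` subcodes, the `Subject`, `Challenge` and `ChallengeResponse` elements, and the HMAC-of-nonce answer are all assumptions constructed for this example. What it shows is the shape of the exchange: the STS answers the first RST with a SOAP fault whose subcode signals "challenge required" and whose detail carries the challenge; the client answers and resubmits; the STS checks the answer against a single-use pending challenge bound to the same subject before issuing a token.

```python
"""Toy model of an STS that drives a challenge/response step through SOAP faults.
Everything under the demo: namespace, the subcode names and the HMAC answer scheme
are constructed for this example; they are not TSPM's wire format."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3 namespace
DEMO = "urn:example:challenge"                              # assumed, example-only namespace
for prefix, uri in (("soap", SOAP), ("wst", WST), ("demo", DEMO)):
    ET.register_namespace(prefix, uri)


def build_rst(subject, challenge_id=None, answer=None):
    """Minimal RequestSecurityToken; demo:Subject/ChallengeResponse are made up here."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{DEMO}}}Subject").text = subject
    if challenge_id is not None:
        ET.SubElement(rst, f"{{{DEMO}}}ChallengeResponse", id=challenge_id).text = answer
    return ET.tostring(rst, encoding="unicode")


def expected_answer(secret, nonce):
    """Answer = HMAC-SHA256(shared secret, challenge id); stands in for an OTP or similar."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class DemoSTS:
    def __init__(self, user_secrets):
        self._secrets = user_secrets   # subject -> shared secret (constructed sample data)
        self._pending = {}             # challenge id -> (subject, expected answer)

    def request_token(self, rst_xml):
        """Return ("fault", envelope_xml) or ("token", rstr_xml)."""
        rst = ET.fromstring(rst_xml)
        subject = rst.findtext(f"{{{DEMO}}}Subject")
        resp = rst.find(f"{{{DEMO}}}ChallengeResponse")
        if subject not in self._secrets:
            return "fault", self._fault("ChallengeFailed", "unknown subject")
        if resp is None:
            return "fault", self._issue_challenge(subject)
        # Single use: pop the pending entry so a replayed answer cannot be accepted twice.
        pending = self._pending.pop(resp.get("id"), None)
        if (pending is None or pending[0] != subject
                or not hmac.compare_digest(pending[1], resp.text or "")):
            return "fault", self._fault("ChallengeFailed", "challenge not satisfied")
        return "token", self._issue(subject)

    def _issue_challenge(self, subject):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (subject, expected_answer(self._secrets[subject], nonce))
        challenge = ET.Element(f"{{{DEMO}}}Challenge", id=nonce)
        ET.SubElement(challenge, f"{{{DEMO}}}Prompt").text = "HMAC the challenge id with your secret"
        return self._fault("ChallengeRequired", "answer the challenge and resubmit", challenge)

    def _fault(self, subcode, reason, detail=None):
        """SOAP 1.2 fault: Code soap:Sender, Subcode demo:<subcode>, challenge in Detail."""
        env = ET.Element(f"{{{SOAP}}}Envelope")
        fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SOAP}}}Fault")
        code = ET.SubElement(fault, f"{{{SOAP}}}Code")
        ET.SubElement(code, f"{{{SOAP}}}Value").text = "soap:Sender"
        sub = ET.SubElement(code, f"{{{SOAP}}}Subcode")
        ET.SubElement(sub, f"{{{SOAP}}}Value").text = f"demo:{subcode}"
        reason_el = ET.SubElement(fault, f"{{{SOAP}}}Reason")
        lang = {"{http://www.w3.org/XML/1998/namespace}lang": "en"}
        ET.SubElement(reason_el, f"{{{SOAP}}}Text", lang).text = reason
        if detail is not None:
            ET.SubElement(fault, f"{{{SOAP}}}Detail").append(detail)
        return ET.tostring(env, encoding="unicode")

    def _issue(self, subject):
        rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
        tok = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
        ET.SubElement(tok, f"{{{DEMO}}}Token", subject=subject).text = secrets.token_urlsafe(24)
        return ET.tostring(rstr, encoding="unicode")


def fault_subcode(fault_xml):
    """Client side: read the Subcode value that tells it what the fault means."""
    return ET.fromstring(fault_xml).findtext(f".//{{{SOAP}}}Subcode/{{{SOAP}}}Value")


def answer_challenge(fault_xml, subject, secret):
    """Client side: pull the challenge out of the fault detail and resubmit with the answer."""
    challenge = ET.fromstring(fault_xml).find(f".//{{{SOAP}}}Detail/{{{DEMO}}}Challenge")
    cid = challenge.get("id")
    return build_rst(subject, cid, expected_answer(secret, cid))


def run_flow(sts, subject, secret):
    """Drive one issuance: first RST -> ChallengeRequired fault, answered RST -> token."""
    kind, first = sts.request_token(build_rst(subject))
    if kind != "fault" or fault_subcode(first) != "demo:ChallengeRequired":
        return kind, first
    return sts.request_token(answer_challenge(first, subject, secret))


if __name__ == "__main__":
    sts = DemoSTS({"alice": b"constructed-secret"})
    print(run_flow(sts, "alice", b"constructed-secret"))
```

The two checks worth noticing are that the pending challenge is removed when it is consumed (so an intercepted answer cannot be replayed for a second token) and that it is bound to the subject who triggered it, so an answer cannot be moved from one user's request to another's.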

There's more I could say.  Unfortunately, I left my time stopper and a person replicator at home though, so I have to leave it here for now.  You can get all the slides from all the presentations from my stash.  If you have questions about anything I've written, add a comment below or get in touch with me.  Also, if you're at RSA and want to hook up, call, text, or DM/mention me on Twitter.