Monthly Archives: January 2012

There is always my way out…

Google’s new privacy policy is generating a lot of discussion. The controversial part is that Google is going to cross reference the data it collects on different services for the purpose of tweaking the ads and search results you see.

This creeps a lot of people out. What creeps them out even more is that you can’t opt out.

Of course there is always my way out… (cue lightning flash and creepy James Earl Jones laugh).

Seriously though, don’t use Google services exclusively. Use Bing instead of Google for searching. Use Yahoo instead of GMail. Buy an iPhone, or if you want an Android phone, create a new email account just for phone use. Use Facebook instead of Google+.

If you give one company all your data what do you think they are going to do with it?

You ultimately have control over this in your choice of providers. You can opt out by switching.

Internet Protest Day

You may notice a lot of sites today have “blacked out” or are otherwise protesting the PIPA and SOPA acts being considered in the US Senate and House of Representatives.

If you are not familiar with the acts you really need to be. Please take time to visit the EFF pages on SOPA and PIPA here and in more detail here.

The job you save could be your own.

Thoughts on SCIM

Now that SCIM 1.0 is final and SCIM 2.0 is starting I wanted to share my thoughts. First here is what I like about SCIM:

  • SCIM defined a standard schema in 1.0. I wish SPML had done the same. Not doing so was one of the biggest mistakes we made.
  • SCIM supports filtered and paged searches. That’s a must have in my book.
  • SCIM supports multi-value attributes with the proper modification semantics. You’d be surprised how many Identity APIs I have seen that don’t get the modification semantics right.
  • SCIM only did what it needed to do, nothing more.

So what don’t I like about SCIM? I don’t really care about the REST vs SOAP aspect. It’s not going to be widely used unless it’s wrapped in an API or toolset. So that’s a moot point. So I can’t really think of anything I don’t like.

But will SCIM be accepted where SPML was not? I don’t know, but I think there is a decent chance. I think announcing the IETF SCIM 2.0 effort so soon may be a mistake, as it may convince people to just ignore it until 2.0 comes out.

But ultimately the proof of standards is in adoption. For it to succeed it has to be both adopted by the cloud providers as a service and by IT as a client. Each of them wants the other to go first.

My biggest question is will the backers of SCIM implement it in their main product lines. Will SalesForce.com stand up a SCIM provisioning service? Will PingIdentity then add SCIM support to their SalesForce.com offering? We shall see.

Jackson Shaw has some great points to make about it here, but I didn’t really get the parrot reference. He points to this article about SCIM which also makes some great points.

Open Source IdM platforms

Radovan Semančík has put together an interesting list of open source IdM platforms. There are not as many as I would have expected.

Security via obscurity failed… in 1903

This is a wonderful story about the hacking of Marconi’s wireless system in 1903. Marconi touted the security of his system based on a tight (and presumably not publicly disclosed) frequency bandwidth. Of course it was hacked in a public and humiliating fashion.

Security via obscurity, as effective in 1903 as it is today.

Hat tip to Bruce Schneier.

2011 in review

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 7,600 times in 2011. If it were a NYC subway train, it would take about 6 trips to carry that many people.

Click here to see the complete report.

Specs, Patterns, and Provisioning

One of the most puzzling complaints I have heard about SPML is the search filter. The complaint is that it requires the service to support search filters of arbitrary complexity. I have never considered it that hard and have posted sample code to demonstrate it.

Still, perception has a reality of its own and search filters are often given as a reason not to support SPML.

So now that SCIM has finalized the 1.0 version, the filter-phobes can breathe easy, right? Not so much, it seems. Like SPML, SCIM has a search filter mechanism that supports filters of arbitrary complexity. Which is a good thing, for without that capability a provisioning service would be severely limited.

But really this should not be a reason to avoid either SPML or SCIM. This class of problem comes up regularly and provisioning service developers should learn how to handle it (if they don’t already). One could argue that it would even be considered a pattern.

Actually it is: the Specification Pattern.
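An added example, not from the original post or the sample code it mentions: a small Specification Pattern evaluator in Python for a simplified subset of SCIM-style filters (eq, co, sw, pr, and, or, parentheses). The names `Spec`, `attr` and `parse`, the flat dictionary resource model and the grammar details are assumptions made for illustration.

```python
import re

class Spec:  # a specification: a predicate over a resource, composable with & and |
    def __init__(self, test): self.is_satisfied_by = test
    def __and__(self, o): return Spec(lambda r: self.is_satisfied_by(r) and o.is_satisfied_by(r))
    def __or__(self, o): return Spec(lambda r: self.is_satisfied_by(r) or o.is_satisfied_by(r))

# Closed operator set (illustrative subset); anything else is rejected at parse time.
TESTS = {"eq": str.__eq__, "co": str.__contains__, "sw": str.startswith}

def attr(name, op, value=""):
    """Leaf specification: one operator on one (possibly multi-valued) attribute."""
    def test(resource):  # assumption: a resource is a flat dict of str or list of str
        actual = resource.get(name)
        values = actual if isinstance(actual, list) else [actual]
        if op == "pr":
            return any(values)
        return any(isinstance(v, str) and TESTS[op](v, value) for v in values)
    return Spec(test)

TOKEN = re.compile(r'\s*(?:(\(|\)|"[^"]*"|[^\s()"]+)|(\S))')  # group 2 = stray quote

def parse(text):
    """Build a Spec from a filter string; 'and' binds tighter than 'or'."""
    tokens = [m.group(1) for m in TOKEN.finditer(text)]
    if None in tokens: raise ValueError("unterminated quote")
    def take():
        if not tokens: raise ValueError("unexpected end of filter")
        return tokens.pop(0)
    def peek(): return tokens[0].lower() if tokens else None
    def chain(keyword, operand, combine):  # operand (keyword operand)*
        spec = operand()
        while peek() == keyword:
            take()
            spec = combine(spec, operand())
        return spec
    def factor():  # "(" expr ")"  |  name op [value]
        if peek() == "(":
            take()
            spec = expr()
            if take() != ")": raise ValueError("expected ')'")
            return spec
        name, op = take(), take().lower()
        if op != "pr" and op not in TESTS: raise ValueError(f"unsupported operator {op!r}")
        return attr(name, op) if op == "pr" else attr(name, op, take().strip('"'))
    def expr(): return chain("or", lambda: chain("and", factor, Spec.__and__), Spec.__or__)
    spec = expr()
    if tokens: raise ValueError(f"unexpected token {tokens[0]!r}")
    return spec
```

Calling `parse('userName sw "b" and (emails co "@example.com" or title pr)').is_satisfied_by(user)` on a constructed dictionary such as `{"userName": "bjensen", "emails": ["bjensen@example.com"]}` returns `True`; nesting depth does not change the evaluation code, only the shape of the specification tree.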