UMA and OpenID Connect plugins for Apache Server

The crowd-sourced funding campaign to create an UMA and OpenID Connect plugin for Apache server was successful. Mike from reports that progress on the OIDC plugin is good, and the UMA plugin will begin soon.

To commemorate the success of the campaign, Mike commissioned a local Austin artist JP Verdijo (JP’s Facebook page) to create paintings. I asked JP to create a smaller version that would fit in my office – so he made a photo transfer which is now hanging on my office wall.

It’s a great piece to commemorate an event that hopefully will transform information sharing on the internet. Fingers crossed.



NSTIC ID Ecosystem – A Conceptual Model v03

Thank you for your thoughtful comments and feedback. Here’s the 3rd version of the Conceptual Model slide deck.

Please feel free to contact me with comments, feedback and concerns.

And, if you feel that I have this all wrong or am repeating the path of initiatives past – I’d like to hear about it to learn more.


A Conceptual Model for the NSTIC ID Ecosystem v02

Thank you all for your feedback and comments about v01 of the ID Ecosystem Conceptual Model slides.

I’ve made some changes to the deck to make it more clear and focused.

One piece of future work will be to develop some high level ‘walkthrough’ scenarios that illustrate the experience of an individual trying to get online services. What barriers will they encounter? How can IDESG establish enablers and remove friction from the system?

Let me know what you think of the changes.

(This is actually now v03 of the presentation – thank you all for feedback to improve it)

A Conceptual Model for the NSTIC ID Ecosystem

Having spent the last year living and breathing federated identity and credentials, trust frameworks and the like, and the greater part of a decade consulting in the security, privacy and identity management fields, I think I have come up with a few ideas.

This slide deck is an attempt to start describing a Conceptual Model for the NSTIC ID Ecosystem.

The IDESG is working on articulating what the ID Ecosystem and ID Ecosystem Framework actually are – this deck is my opinion of what they are.

This is the first draft of the material – please comment [Ed. it’s the third version now]

I’m particularly keen to hear from those of you who think this is mostly wrong & a mischaracterization of what NSTIC’s Vision is. To me, this feels right – but that’s just me.

There’s a ton of further refinement needed to make this kind of concept model understandable – for example doing ‘user-centric’ walkthroughs to discover the kinds of interactions a person or service would see in a real implementation.

Also, it should be a mechanical exercise to take an existing online community, discover all the relevant structures and objects they use, and label them as ‘Term of Service’, ‘Fulfillment of Term’, ‘Community Rule’ and so on.

If real implementations cannot be broken down and explained using this model, then the model needs to be adjusted. In this way, it may be possible to use the concept model as a ‘Community Dowsing Rod’ – to discover hidden communities in unexpected places and enable us to recognize them and bring them into the wider ecosystem.

I look forward to the discussion.

The PowerPoint deck is here:
(This is actually now v03 of the presentation – thank you all for feedback to improve it)

Fear, Uncertainty and Liability Or: How I Learned To Stop Worrying And Love the Trust Framework

I read an excellent White Paper on The Vocabulary of Identity Systems Liability, published by OIX, The Open Identity Exchange. The lead authors are Thomas Smedinghoff, Mark Deem and Sam Eckland.

Liability is often named as the unknowable threat to the viability of federated identity arrangements. The uncertainty around liability is partially caused by a lack of understanding of the term and how it is applied in law.

This white paper uses accessible language to walk the reader through definitions, common concerns, methods to assess and contain, and how liability is handled in General Public Law, ID-Specific Public Law, and Contracts (Private Law).

It is a must-read for anyone involved in policy for trust frameworks, federations or other related structures.

For the ‘liability’ that many think of, the actual term may be “Fault-Based Liability” – where one party is ‘at fault’ for losses incurred by another party.

The four conditions that must be met (quoting from page 7 of the white paper):
1) The business had a legal duty to the other party to act (or to refrain from acting) in a certain way;
2) It breached that duty;
3) The other party suffered an injury or loss; and
4) The business’ breach of duty was the ‘proximate’ (i.e., legally recognized) cause of that other party’s loss.

The paper then goes on to elaborate and also discuss how damages are treated.

Excellent work and, I hope, widely circulated to help inform legal and identity practitioners.