1.MEDIA – Bank Technology News – 7/30
United Nations of Identity Management

2.MEDIA – Network World – 7/30
Catalyst Conference tackles terminology

3.MEDIA – Computer Weekly – 6/27
UK firms sign up to identity credential scheme

4.MEDIA – IT Pro Japan – 7/29
Kantara Initiative

5.MEDIA – RedOrbit (press release) – 7/22
Kantara Initiative Announces Judging Panel for the 2009 IDDY Awards, Call for Nominations Ends August 3

6.BLOG – J.Trent Adams – Blank (Media) Slate – 7/22
User-Managed Identity Starts at Home
This focus helps solve the root problems: privacy protection starts at home, and it’s not a simple matter of more/better cyber-security and encryption. For more information, and to become involved, I highly recommend following the open standards development relating to user-managed identity: Kantara Initiative,
OpenID Foundation, Information Card Foundation, OAuth / IETF Working Group
And, of course, the Internet Society Trust & Identity Initiative. Tell them I sent you.

7.BLOG – Eve Maler – 7/20
ProtectServe news: User-Managed Access group
After a few weeks’ worth of charter wrangling, I’m delighted to announce the launch of a new Kantara Initiative work group called User-Managed Access (UMA). Quoting some text from the charter that may sound familiar if you’ve been following the ProtectServe story.

8.BLOG – Kantara Initiative Blog – 7/27
Winners of the 2009 IDDY Award will be in good company…
IDDY winners have showcased applications that increase security and privacy for people, help organizations better meet a variety of interoperability and compliance goals, and provide new conveniences to deployers and users. Since 2006, IDDY winners have been at the forefront of addressing some of the most challenging technology and policy issues in the global identity sector.

9.BLOG – Kantara Initiative Blog – 7/20
Blogs and Tweets from the 2009 IDDY Awards Judging Panel
Kantara Initiative announced the judging panel for the 2009 Identity Deployment of the Year Awards yesterday. This year’s judging panel consists of an impressive group of respected identity experts from around the world, each with deep experience in the technology, business and policy aspects of digital identity management.

10.BLOG – Bare Identity – 7/22
Home – WG – User Managed Access – Kantara Initiative
“The purpose of this Work Group is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.”

11.BLOG/SOCIAL MEDIA – Kantara Initiative @ Twitter – W/E 7/31
Kantara Initiative Tweets via the comm team

12.BLOG/SOCIAL MEDIA – Kantara Initiative Mentions @ Twitter – W/E 7/31
Kantara Initiative Community Tweets
Kantara Initiative #Kantara

The IDDY Award was designed to shine a spotlight on the individuals and organizations responsible for developing identity-enabled applications and services that deliver real benefits to enterprises, governments, organizations and people.  Previous recipients of the IDDY represent a wide range of vertical sectors such as government, telecom, healthcare and financial services, with each winner delivering unique benefits to the marketplace.

IDDY winners have showcased applications that increase security and privacy for people, help organizations better meet a variety of interoperability and compliance goals, and provide new conveniences to deployers and users. Since 2006, IDDY winners have been at the forefront of addressing some of the most challenging technology and policy issues in the global identity sector – a few examples:

Aetna – Aetna received an IDDY in 2008 for an externally hosted online provider portal used for linking healthcare providers with health plans. The application has allowed Aetna to increase its offerings of tools and features that help providers conduct simplified administrative transactions, reduce paper-based communications, and access clinical decision support tools.

Citi – Citi’s Global Transaction Services also received an IDDY in 2008 for providing managed identity services that help institutional clients utilize digital credentials and signature technologies in a comprehensive and legally binding manner. Citi is both a Credential Service Provider and a Relying Party as defined in the Identity Assurance Framework (IAF).

Deutsche Telekom AG – Deutsche Telekom is a two-time winner of the IDDY, having won the award in 2006 and 2008. In 2008 Deutsche Telekom won a Multi-Protocol IDDY Award for its identity application designed to lower implementation barriers when it comes to the delivery of Online/IP-based services to consumers.

Other recipients of the IDDY include eBIZ.mobility; EduTech; NTT Labs; Rearden Commerce; the UK Government Authentication Gateway; UNINETT and the New Zealand Government. Now that the IDDY Awards program has been expanded within Kantara Initiative, there are even more opportunities for all individuals and organizations to nominate an identity-enabled application. And with only one week to go before the call for nominations for the 2009 IDDY Award comes to a close, there can be no doubt that recipients of this year’s award will be in good company as the list of IDDY Award winners continues to grow.  The list and descriptions of all of the applications that have won IDDY Awards to-date is available here http://tinyurl.com/6dekb8

Nominate your favorite Deployment or Proof-of-Concept application — by Monday, August 3 –  here http://kantarainitiative.org/confluence/display/GI/IDDY+Awards+2009

Kantara Initiative announced the judging panel for the 2009 Identity Deployment of the Year Awards yesterday. This year’s judging panel consists of an impressive group of respected identity experts from around the world, each with deep experience in the technology, business and policy aspects of digital identity management. These are important industry credentials as the IDDY program expands within Kantara Initiative to include nominations that can be based on any open identity technology and as the identity industry moves to embrace a “multi-protocol world” where harmonization and interoperability play a critical role.

The call for nominations for the 2009 IDDY Award ends on Monday August 3. Judges will begin reviewing deployment and proof-of-concept submissions on August 4, with winners receiving the IDDY on stage at DIDW in Las Vegas on September 15. Check out blog posts and tweets by the judging panel to see some of the insight this team is bringing to the 2009 IDDY Awards program. With new categories, more options for submissions and some of the best-of-the-best in the identity industry on the judging panel, this year’s IDDY Awards program promises to uncover some of the most exciting identity-enabled applications in the global marketplace today.

J. Trent Adams, trust & identity outreach specialist, Internet Society and chair of the Kantara Initiative Leadership Council — Twitter: @jtrentadams

Mike Beach, CISSP, chief security designer, information security, The Boeing Company

Bob Bragdon, Publisher, CSO Magazine

John Fontana, senior editor, Network World — Twitter: @JohnFontana

Gerry Gebel, VP & service director, identity and privacy strategies, Burton Group —Twitter: @ggebel

Paul Madsen, chair of the Kantara Initiative ID-WSF Evolution Work Group and identity standards researcher, NTT — Twitter: @paulmadsen

RL Bob Morgan, senior technology architect, University of Washington

Nat Sakimura, senior researcher, Nomura Research Institute (NRI) — Twitter: @_nat

Toby Stevens, director, Enterprise Privacy Group — Twitter: @tobystevens

Roger Sullivan, president of the Kantara Initiative Board of Trustees, president of Liberty Alliance and vice president Oracle Identity Management

Phil Windley, founder and chief technology officer, Kynetx —Twitter: @windley

More information about the 2009 IDDY Awards – including nomination forms and a picture of the IDDY is available at: http://kantarainitiative.org/confluence/display/GI/IDDY+Awards+2009

Identity experts to evaluate nominations for the Identity Deployment of the Year Award

 July 22, 2009 – Kantara Initiative, the global identity community working to solve harmonization and interoperability challenges among identity-enabled enterprise, Web 2.0 and Web-based applications and services, today announced the judging panel for the 2009 IDDY (Identity Deployment of the Year) Awards. The program features Deployment and Proof-of-Concept categories and has been expanded within Kantara Initiative to recognize applications built using any open identity technology. The call for IDDY nominations ends August 3, with awards presented on September 15 at CSO magazine’s Digital ID World 2009 in Las Vegas, NV.

 Judges are: J. Trent Adams, trust & identity outreach specialist, Internet Society and chair of the Kantara Initiative Leadership Council; Mike Beach, CISSP, chief security designer, information security, The Boeing Company; Bob Bragdon, Publisher, CSO Magazine; John Fontana, senior editor, Network World; Gerry Gebel, VP & service director, identity and privacy strategies, Burton Group; Paul Madsen, chair of the Kantara Initiative ID-WSF Evolution Work Group and identity standards researcher, NTT; RL Bob Morgan, senior technology architect, University of Washington; Nat Sakimura, senior researcher, Nomura Research Institute (NRI); Toby Stevens, director, Enterprise Privacy Group; Roger Sullivan, president of the Kantara Initiative Board of Trustees, president of Liberty Alliance and vice president Oracle Identity Management; and Phil Windley, founder and chief technology officer, Kynetx.

“With the 2009 IDDY Awards program growing to reflect the Kantara Initiative mission of fostering cross-protocol harmonization and interoperability, we’re excited to have a panel of judges consisting of some of the world’s most respected identity experts, each with deep experience in the technology, business and privacy aspects of digital identity management,” said Brett McDowell, executive director, Kantara Initiative.

About the IDDY Awards

The IDDYs were launched by Liberty Alliance in 2006 to recognize excellence in digital identity management. Now within Kantara Initiative, nominations can be based on any identity technology such as Activity Streams, APML, CX. IGF, ID-WSF, iNames, Information Cards, MicroFormats, OATH, OAuth, OpenID, OpenSocial, OPML, PKI , Portable Contacts, RDF, RSS, SAML, WS*, XACML, XDI, XRD, XRI, XMPP extensions, etc. Previous winners include Aetna; Citi; Deutsche Telekom AG; eBIZ.mobility; EduTech; NTT Labs; Rearden Commerce; the UK Government Authentication Gateway; UNINETT and the New Zealand Government. Nomination forms are available at http://kantarainitiative.org/confluence/display/GI/IDDY+Awards+2009

Over the weekend, prompted by a message from @wendyg, I had another go at checking whether my details are on 118800, the UK online directory of mobile phone numbers which has excited so much comment over the past few months. Their website was down, though, and according to this article in today’s Guardian, it had been laid low by the number of people trying to unsubscribe.

Well, I think that tells us what we need to know.

1 – if the sheer weight of “negative demand” is enough to crash the site, it should seriously call into question whether the subscribers (who are, after all, the data subjects here) want this service to exist;

2 – it should certainly raise serious doubts – not least with the Information Commissioner’s Office (ICO) – about whether it’s acceptable for a service like this to be established on an “opt-out” basis, rather than making it the default that people should have to opt in if they want to be included in the directory.

To me, this suggests that 118800′s operating model is broken, not just their website.

In their defence, I expect that 118800 will make two points: first, that they don’t disclose the data subject’s phone number: they only offer to connect the caller, and that only if the data subject consents to receive the call. Fair enough, but I’m afraid my reaction the first time I receive one of those requests will be to decline it and request that they take me off the system.

Second, they will probably repeat that the numbers they hold are inthe public domain alreday, having been obtained from (among others) market research companies and list brokers. The issue here, to my mind, is one of informed consent. I can honestly claim that I have never knowingly disclosed my mobile number for the purpose of having it listed in a directory enquiries service.

That, if nothing else, should give the ICO some basis on which to look at the legality of the system, under the second Data Protection Principle:

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

I think mobile subscribers could also expect the ICO to give a view on whether the proposed 118800 service represents good practice, whether or not they consider it to be legal.

I blogged back in February about Chris Paget’s successful attempts to read US-issued RFID credentials while simply driving past their owners… so I was a little surprised to see the same “news” cropping up in this article from Saturday’s LA Times. However, by the fourth paragraph they did acknowledge the date of Paget’s experiment, so I read on – and there’s plenty in the rest of the article to make that worthwhile.

I owe @haroonalrasheed, by the way, for the link to the LA Times article, and I regret that, like him, I am quite unable to come up with a sensible interpretation of this quotation from the CPO of the Dept of Homeland Security:

The purpose of using RFID is not to identify people, says Mary Ellen Callahan, the chief privacy officer at Homeland Security, but rather “to verify that the identification document holds valid information about you.”

There I was thinking that the clue was in the acronym.

The article is particularly interesting on the subject of read distance. It seems that each time the implementing departments publish a figure, researchers have consistently succeeded in reading the cards from much further away – whether that’s a yard instead of 4 inches, or 30 feet instead of a yard (1 metre, 10 cms, 10 metres respectively, if you are decimalised).

Those are just the numbers for trying to read the chip directly. In another experiment, the researcher went for the communications link between the chip and the reader instead, and is reported as having intercepted that traffic successfully from 160 feet away (50 metres). I haven’t tracked down the research paper in question, so can’t check, for instance, whether that was direct interception or whether, as proposed in this 2005 paper by Hancke and Kuhn, it makes use of ‘relays’ to extend the distance between the eavesdropper and the chip. Bear in mind, though, that in the most common places you would expect to show your passport – that is, at an airline check-in counter or at an airport security check, there is generally somewhere within 160 feet where it is perfectly legitimate for someone to be using a laptop…

(If anyone has a link to the “160 foot intercept” paper, perhaps you could include it in a comment).

Apart from the continuing bickering over read distance, then, what conclusion can one draw? Principally, I think, that any form of remote reading raises significant and legitimate concerns over user awareness and therefore consent. It’s clear that the confidentiality of embedded RFID chips has to reside in factors other than distance – and equally clear, from the article cited, that different implementations are being designed with different levels of protection against interception. I have yet to see one, though, which offers the user any information about or control over when the chip is read, and I think that is a fundamental design flaw.

[This is a syndicated post from the Future Identity blog - hence the reference to an earlier post in that blog - RW]

Just a quick post to confirm that the Privacy and Public Policy Work Group (P3WG) has had its charter approved, and will hold its first conf. call next week (I will post precise details as soon as the participants have voted for their preferred time).

Here are some links to help anyone who is interested in getting involved:

1 – P3WG home page: http://kantarainitiative.org/confluence/display/p3wg/Home

2 – Where to go to register for the Work Group: http://signup.kantarainitiative.org/?selectedGroup=8

3 – Where to go to subscribe to the mailing list for P3WG: http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org

This is the address for the P3WG mail list: wg dash p3 at kantarainitiative dot org

Please note that registering for the WG does not automatically subscribe you to the mailing list… you need to do that.

Also, please bear in mind the Home Page is still very “raw” – I’m hoping we will quickly and collectively populate it with compelling material, and it’s also possible we will tweak the layout to suit the content. Please bear with me as the WG’s Home Page takes shape and evolves.

I look forward to having you participate and contribute!

http://www.xmlgrrl.com/blog/archives/2009/07/14/consumerizing-it-at-catalyst/

The Burton Catalyst conference being held in San Diego in a couple of weeks is one of those don’t-miss events. If you’re going (I said it was don’t-miss, didn’t I?), you’ll want to get into town in time for the free Project Concordia workshop being held on the Monday. Our theme is Use Cases Driving Identity in Enterprise 2.0: The Consumerization of IT. This link gives you the agenda and instructions on how to register — it’s not too late.

We Concordians are excited to have Mike Gotta and Alice Wang of Burton Group on hand on Monday to present Relationships and Identity: Two Sides of the Social Networking Coin. We’ll also deep-dive on authorization standards progress and the evergreen “levels of assurance” topic (see the Concordia mailing list for huge volumes of discussion on it). And we’ll even review some potential ProtectServe use cases.

The workshop also makes a great companion to the Cloud SSO Interop Demo being run later in the week, in which Sun is participating. And and come visit me and my colleagues at the Sun hospitality suite on Wednesday night! I hear our own Smoking Monkey might be decked out in special attire…

1. MEDIA – CSI Security – 7/10
Kantara Initiative: Another Effort to Get Identity 2.0 Out of the Starting Blocks

2. MEDIA – Dark Reading – 7/6
Kantara Initiative: Another Effort To Get Identity 2.0 Out Of The Gate

3. MEDIA – Help Net Security – 6/30
Q&A: The Kantara Initiative and the global identity landscape

4. MEDIA – Network World – 7/7
Five datasets of the personal data store

5. MEDIA – Window’s IT Pro (France) – 7/3
Kantara : une alternative à l’interopérabilité des gestions d’identités

6. MEDIA – Econtent Magazine – 6/28
Kantara Initiative Launched

7. MEDIA – IT Media (Japan) – 6/28
ライバルも協調！ クラウド時代のID管理

8. MEDIA – RedOrbit – 6/30
Call for Nominations for the 2009 IDDY Awards Now Open

9. MEDIA – FreePressRelease.com – 6/25
Gluu joins Kantara Initiative

10.BLOG – RSA Kantara Initiative Blog – 6/26
Iain Henderson – The Personal Data Eco-System
This post is a short(ish) summary of a working session led by Drummond Reed and me at the recent West Coast VRM Workshop, and also an introduction to the Kantara workgroup in which we are going to move this debate forward. It is also part of the thinking that will short emerge in a Mydex white paper.

11.BLOG – Roger Sullivan – 6/30
Bridging the Identity Divide (Roger Sullivan Blog)
Another new and fresh approach to the traditional way of doing thing is taking place in the identity management space. A group of companies and organizations representing public and private deployers, implementers, government agencies from around the world have recently come together to create a new initiative. This alliance is called the Kantara Initiative.

12.BLOG – IdM Network Blog NL – 7/9
OpenID-plus and Kantara
I do not twitter much, but my last tweet: “[Jaap] works on Levels of Assurance for the Dutch OpenID-plus initiative. https://www.surfgroepen.nl/…” got me an instant reaction from Brett McDowell. I guess this is what networks are for. We had a brief discussion on the “OpenID-plus” initiative in The Netherlands.

13.BLOG – Stephen.Wilson, IdTrust XML.org – 7/8
The challenge for Kantara — It’s not for nothing we call ‘em “silos“!
I hope Kantara will be different but I have yet to see an “identity interoperabiity” initiative that properly articulates the real probelm it’s trying to solve. A wise person once said something along the lines that the question is sometimes more important than the answer. So we need to start with a precise framing of what it means to have “interoperability” of identities.

14.BLOG – Datonomy – 6/30
The Personal Data Eco-system
This group plans to develop and deploy open technical standards around the concept of the personal data store – a VRM concept designed to build information management capabilities on the side of the individual.

15.BLOG – Kantara Initiative Blog, Robin Wilton – 7/9
Kantara Initiative » An accurate (non-biometric) picture
At last, there’s an article which thoroughly exposes some of the nonsense which has been talked about ICAO (International Civil Aviation Organisation) ‘requirements’ and biometric passports. It’s by John Lettice, writing in The Register, and was rightly tagged as “UK ID article of the week” by the folks at Privacy International.

16.BLOG – Kantara Initiative Blog – 6/30
Call for Nominations for the 2009 IDDY Awards Now Open
This year’s IDDY Award (IDentity Deployment of the Year) program features deployment and proof-of-concept categories and has been expanded within Kantara Initiative to recognize identity-enabled applications and services built using any open identity technology.

17.BLOG – Kantara Initiative Blog – 6/27
Iain Henderson – The Personal Data Eco-System
This post is a short(ish) summary of a working session led by Drummond Reed and me at the recent West Coast VRM Workshop, and also an introduction to the Kantara workgroup in which we are going to move this debate forward. It is also part of the thinking that will short emerge in a Mydex white paper.

18.BLOG – HitachiSystems – 7/9
カンターラ・イニシアティブ(Kantara Initiative)とは
カンターラ・イニシアティブ(Kantara Initiative)は、これまで複数の業界が個別に標準化を進めてきたアイデンティティ管理について、業界横断的に規格策定、相互運用を推進するための団体。

19.BLOG – RSA Kantara Initaitive Blog – 6/26
The Personal Data Eco-System
This post is a short(ish) summary of a working session led by Drummond Reed and me at the recent West Coast VRM Workshop, and also an introduction to the Kantara workgroup in which we are going to move this debate forward. It is also part of the thinking that will short emerge in a Mydex white paper.

20.BLOG/SOCIAL MEDIA – Kantara Initiative @ Twitter – W/E 7/10
Kantara Initiative Tweets via the comm team

21.BLOG/SOCIAL MEDIA – Kantara Initiative on YouTube – W/E 7/10
http://www.youtube.com/user/KantaraInitiative

Posted on 10th July 2009

At last, there’s an article which thoroughly exposes some of the nonsense which has been talked about ICAO (International Civil Aviation Organisation) ‘requirements’ and biometric passports. It’s by John Lettice, writing in The Register, and was rightly tagged as “UK ID article of the week” by the folks at Privacy International.

While John’s primary purpose was to compare the stated policies of the 3 main UK political parties on ID cards and the National Identity Register, in doing so he offers a lucid and compelling analysis of the difference between what ICAO requirements for travel documents are intended to achieve, what they actually mean for the UK, and what we have been being told about them.

The reason this is worth drawing attention to (and the reason it exercises me so much) is that for several years now, UK policy statements have been made which go roughly like this:

“We understand (but don’t necessarily care) that proposals for the capture and storage of citizen biometrics excite distrust and concern, but our hands are tied… we’re just doing what ICAO requires”.

Rather than try to re-hash John’s excellent analysis, I will simply recommend that you read the article.