[WG-UMA] Carlos Trigoso: introduction

Eve Maler eve at xmlgrrl.com
Tue Oct 23 10:45:28 EDT 2012


Carlos, welcome to the group!

It certainly sounds as though the use case Susan describes (very glad to see you able to contribute on the list again!) is a great match for an AXN+UMA solution. I'm hoping that Maciej and others will have a lot of chances to work through the implications of this hybrid approach while at #IIW this week.

To add another data point to this thread, I gave a short talk (slides) to the XACML TC last week in which I compared UMA and XACML approaches, and we discussed ways in which they could borrow from and bridge with each other. It was suggested during the call that if UMA were used with a token profile that provides something less than hard authorization data, then the UMA host could turn around and become an XACML PEP, providing the input it did get from the UMA AM and asking for a decision from a PDP. I also learned about an effort to experiment with XACML+OAuth in the OpenAz open source project, which may give us food for thought.

	Eve

On 23 Oct 2012, at 6:32 AM, Dave Coxe ID <DCoxe at iddataweb.com> wrote:

> Keith, Susan,
>  
> We are one of the NSTIC Pilot awardees (see attached announcement), and our pilots will be operating on an Attribute Exchange Network (AXN) web services platform that uses UMA as part of the core transaction framework.  The AXN generates a federated User Managed Admin console that is only accessible to the user for managing which attributes have been (or can be) shared with participating RPs.  The AXN generates what we call a Personal Data Service (PDS) that is an encrypted token where the user attributes are stored with the user’s IDP or at another location of the user’s choosing.  The PDS is to be used by the user to manage their online account relationships via the User Managed Admin console and to simplify creating an account with another RP.
>  
> We’ve architected three types of PDS tokens in the AXN for user attributes, including user PII, RP-specific preference attributes, and enterprise attributes (some of these attributes may be controlled by the enterprise with which the user is affiliated).  We’ll be sharing results from the pilot implementation during Q1 2013.
>  
> Regards,
>  
> Dave
>  
> David Coxe, CEO
> ID/DataWeb, Inc.
> DCoxe at IDDataWeb.com
> 571-332-2740 cell
> 571-723-4310 office
>  
> From: wg-uma-bounces at kantarainitiative.org [mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Keith Hazelton
> Sent: Tuesday, October 23, 2012 8:29 AM
> To: wg-uma at kantarainitiative.org
> Cc: scalepriv-ad-hoc-tac at internet2.edu
> Subject: Re: [WG-UMA] Carlos Trigoso: introduction
>  
> Susan,
>  
> I'm very interested in this hybrid architecture as well.  I'm involved in the SAML-based US higher ed and research identity federation, InCommon.org, and am currently doing privacy work around the evolving NSTIC initiative in the US (http://www.idecosystem.org/).  If your paper is publicly released, I would very much appreciate receiving a copy.
>  
>        Thank you in advance,  --Keith Hazelton
> __________________
> On Oct 23, 2012, at 07:00:48, Susan Morrow Avoco Secure wrote:
> 
> 
> Absolutely couldn’t agree more – I see a ‘hybrid’ architecture emerging which offers both the consumer and the enterprise employee all of the features they need to perform the task at hand. And yes, UMA is needed to permission the parties in a nice user-controlled manner – have you read this paper on data privacy and what the consumer expects: http://www.dma.org.uk/toolkit/data-privacy-what-consumer-really-thinks
>  
> It's an interesting research point for thinking about the design of such systems and incorporating what people want in terms of control of data sharing.
>  
> And I guess this whole BYOD/BYOI will also dictate how enterprise directories, etc. are incorporated into the whole sphere
>  
> I’ll find out if the paper is allowed out to others, I think it must be and I’ll send you a copy once released.
>  
> Best
>  
> Susan
>  
> From: carlos.trigoso at accenture.com [mailto:carlos.trigoso at accenture.com] 
> Sent: 23 October 2012 12:10
> To: susan.morrow at avocosecure.com; wg-uma at kantarainitiative.org
> Subject: RE: [WG-UMA] Carlos Trigoso: introduction
>  
> Susan,
>  
> Thank you for your message. Yes, I remember the sessions with the DWP security architect :)
>  
> I like what you say regarding the value of UMA for any claims based system/protocol. Once you publish this paper I would like to comment on it if possible.
>  
> From my current work, I still see a gap between public and private solutions, but my prediction is that this will not be the case in the future. In my view, if anything, citizen authentication from the beginning was facing the challenge of the lack of a perimeter, a challenge that national and global organisations confront now.
>  
> For sure, major organisations have large customer bases, but important segments of users outside of the perimeter are not “consumers” and actually operate as close collaborators of the enterprise. UMA has a fantastic role in this space.
>  
> Regards,
>  
> Carlos Trigoso
> Accenture -  Security Practice
> 30 Fenchurch Street, London, EC3M 3BD, United Kingdom
> Mobile: +44.7824896060
> Email: carlos.trigoso at accenture.com
> Blog: http://carlos-trigoso.com
> This message is for the designated recipient only and may contain confidential, privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of this email by you is prohibited. Communications with Accenture or any of its group companies (“Accenture Group”) including telephone calls and emails (including content), may be monitored by us for the purposes of security and the assessment of internal compliance with company policy. Accenture Group does not accept service by e-mail of court proceedings, other processes or formal notices of any kind. Accenture means Accenture (UK) Limited (registered number 4757301), Accenture Services Limited (registered number 2633864), or Accenture HR Services Limited (registered number 3957974), all registered in England and Wales with registered addresses at 30 Fenchurch Street, London EC3M 3BD, as the case may be.
>  
> From: Susan Morrow [mailto:susan.morrow at avocosecure.com] 
> Sent: 23 October 2012 10:57
> To: Trigoso, Carlos; wg-uma at kantarainitiative.org
> Subject: Re: [WG-UMA] Carlos Trigoso: introduction
>  
> Hi Carlos,
>  
> We met at the DWP technology WG a while back.
>  
> I have been involved with UMA for a while, but have had to bow out due to ill health in recent months.
>  
> I agree entirely that UMA can be an important component of other protocol-based systems such as SAML. In fact I am writing a paper at present as a deliverable for a UK Gov, Technology Strategy Board project, that proffers UMA as a user-led policy engine component of a system that ties SAML-based identities (or in fact any claims-based ID system, including OpenID Connect) with personal data stores.
>  
> The current project is nearing its end so we don't have time to actually do an implementation, unfortunately, but this paper will suggest this is done as a possible future extension.
>  
> Best
>  
> Susan
>  
> Susan Morrow
> Head of R&D
> Avoco Secure Ltd
> @susiemorrow
>  
> E.  susan.morrow at avocosecure.com 
> W.  http://www.avocosecure.com 
>  
> Avoco Secure are providers of Cloud Identity, Security and Privacy solutions.
>  
> Registered Office: Avoco Secure Ltd., 16 St. Martin's-le-Grand, London EC1A 4EE. Company number : 04778206 - Registered in England and Wales.
>  
> This email including any attachments is confidential and may be legally privileged. This email is  intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error, please advise the sender IMMEDIATELY by return email and then DELETE it from your system. The unauthorised use, distribution, dissemination, copying or alteration of this email is strictly FORBIDDEN.
>  
>  
> From: <carlos.trigoso at accenture.com>
> Date: Tue, 23 Oct 2012 08:34:57 +0000
> To: <wg-uma at kantarainitiative.org>
> Subject: [WG-UMA] Carlos Trigoso: introduction
>  
> Hello,
>  
> I just joined the UMA initiative work group. As you will see from my affiliation (I work for Accenture), I come from the technology consulting industry. I discovered UMA through the work from Eve Maler.
>  
> A fundamental reason for approaching this Kantara work group is direct experience with evolving requirements in the industry, where we see the need to complement/extend the standard federation patterns with user-centric capabilities.
>  
> My reading of the UMA papers and specifications tells me that this is the way to go. I hope to adopt the UMA patterns, test them in my own projects and perhaps contribute to this initiative with some interesting implementations.
>  
> The goal is to investigate the viability of implementing the UMA protocol outside of the OAuth authorisation transfer model, and also independently of the OAuth technology itself. I know that this may sound strange, but my sense is that UMA can and should stand alongside and complete/complement “old” standards like SAML and XACML.
>  
> I hope that this makes some sense to the UMA team.
>  
> Thank you and congratulations for your excellent initiative.
>  
> Regards,
> Carlos Trigoso
> Senior Manager
> Accenture -  Security Practice
> 30 Fenchurch Street, London, EC3M 3BD, United Kingdom
> Mobile: +44.7824896060
> Email: carlos.trigoso at accenture.com
> Blog: http://carlos-trigoso.com
>  
>  
>  
>  
> This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
> 
> Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
> 
> ______________________________________________________________________________________
> 
> www.accenture.com
> _______________________________________________
> WG-UMA mailing list
> WG-UMA at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
>  
> <NSTIC Pilot Grant - 9-24-12.docx>


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
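The host-as-PEP bridge Eve describes in the top post (the UMA host takes whatever a "soft" token profile gives it from the AM, turns that into a XACML request and defers to a PDP), and Susan's point further down about UMA as a policy engine sitting over claims-based identities, shown as an added example. This is not code from the original thread, the UMA WG, the AXN pilot or OpenAz: the in-memory AM introspection table, the token strings, the attribute ids under the hypothetical prefix urn:example:uma:claim:, and the three-rule policy are all constructed for illustration, and the PDP is a toy first-applicable evaluator rather than a real XACML engine.

```python
"""Added example, not from the UMA WG or any product: a UMA host that, after
introspecting a token at the authorization manager (AM), acts as a XACML PEP
and defers the access decision to a PDP.  AM, tokens and policy are
constructed in-memory stand-ins."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CLAIM_PREFIX = "urn:example:uma:claim:"  # hypothetical attribute-id prefix for AM claims
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed stand-in for the AM's token introspection endpoint.  With a "soft"
# token profile the token carries claims about the requesting party but no
# ready-made permission, so the host cannot enforce from the token alone.
AM_TOKENS = {
    "rpt-alice":   {"active": True,  "claims": {"subject": "alice@example.test",   "role": "collaborator"}},
    "rpt-mallory": {"active": True,  "claims": {"subject": "mallory@example.test", "role": "visitor"}},
    "rpt-expired": {"active": False, "claims": {}},
}

# Constructed resource-owner policy, evaluated first-applicable:
# (effect, required subject claims, resource ids, actions)
POLICY = [
    ("Permit", {"role": "collaborator"},           {"calendar"}, {"read"}),
    ("Permit", {"subject": "alice@example.test"}, {"calendar"}, {"read", "write"}),
    ("Deny",   {"role": "visitor"},                {"calendar"}, {"read", "write"}),
]


def introspect(token):
    """Ask the (stand-in) AM what it knows about the token; unknown tokens are inactive."""
    return AM_TOKENS.get(token, {"active": False, "claims": {}})


def build_xacml_request(claims, resource_id, action):
    """Map the AM's claims plus the requested resource/action into a XACML 3.0 Request."""
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})

    def add(category, attr_id, value):
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": XS_STRING}).text = value

    for name, value in sorted(claims.items()):
        add(CAT_SUBJECT, CLAIM_PREFIX + name, value)  # claims become access-subject attributes
    add(CAT_RESOURCE, ATTR_RESOURCE_ID, resource_id)
    add(CAT_ACTION, ATTR_ACTION_ID, action)
    return ET.tostring(req, encoding="unicode")


def pdp_decide(request_xml):
    """Toy PDP: parse the request context and apply POLICY with first-applicable combining."""
    root = ET.fromstring(request_xml)
    ctx = {}
    for attrs in root.findall(f"{{{XACML_NS}}}Attributes"):
        bucket = ctx.setdefault(attrs.get("Category"), {})
        for attr in attrs.findall(f"{{{XACML_NS}}}Attribute"):
            bucket[attr.get("AttributeId")] = attr.find(f"{{{XACML_NS}}}AttributeValue").text
    subject = {k[len(CLAIM_PREFIX):]: v for k, v in ctx.get(CAT_SUBJECT, {}).items()
               if k.startswith(CLAIM_PREFIX)}
    resource = ctx.get(CAT_RESOURCE, {}).get(ATTR_RESOURCE_ID)
    action = ctx.get(CAT_ACTION, {}).get(ATTR_ACTION_ID)
    for effect, needed, resources, actions in POLICY:
        if resource in resources and action in actions \
                and all(subject.get(k) == v for k, v in needed.items()):
            return effect
    return "NotApplicable"


def pep_authorize(token, resource_id, action):
    """UMA host as PEP: introspect, build the request, ask the PDP, deny by default."""
    info = introspect(token)
    if not info["active"]:
        return "Deny"  # an invalid or expired token never reaches the PDP
    decision = pdp_decide(build_xacml_request(info["claims"], resource_id, action))
    return "Permit" if decision == "Permit" else "Deny"  # NotApplicable etc. -> Deny


if __name__ == "__main__":
    for tok, res, act in [("rpt-alice", "calendar", "read"), ("rpt-alice", "calendar", "write"),
                          ("rpt-mallory", "calendar", "read"), ("rpt-expired", "calendar", "read")]:
        print(tok, res, act, "->", pep_authorize(tok, res, act))
```

The point of the shape is the two deny-by-default checks in pep_authorize: an inactive token is rejected before any policy evaluation, and anything the PDP returns other than an explicit Permit (NotApplicable here; Indeterminate in a real engine) is treated as Deny, so a policy gap at the PDP cannot open up the resource.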

