The global higher education IT community is doing something pretty amazing. They’re weaving together a trust fabric to allow shared services via robust federated authentication and attribute-based authorization (see: InCommon, UK Access Federation, GakuNin, EduGAIN, REFEDS, many others).
At any scale, it’s hard to extend trust from “my tribe” to “your tribe”, but once we’ve done it, the return on that trust is almost magical. With federation in higher education, services and projects a school would be hard pressed to support on its own suddenly become easy to leverage.
So how does this scale beyond higher education? Trust is the basis for lowering barriers to collaboration and lubricating the machinery of an effective economy (see Paul Zak’s fascinating TED talk on oxytocin). I think this suggests that higher education is once again leading the way in building a framework for increased global trust, global research collaboration and global wealth production.
Did Google Authenticator have a seed compromise or something? I just got kicked out of my 2FA session and forced to download a whole new app…
The archived session and slides of my IAM Online talk on securing Active Directory Domain Services for InCommon Silver are now available.
Adobe Connect Session
There are still frontiers out there, if you know where to look.
A friend of mine, who was doing fun pioneering work in computers and networks in the wild and wooly days of the 1980s and early 1990s lamented once, “I wish you had been around then, it was so different. It wasn’t like now, now it’s a business.”
Although enterprise computing is now run like a business, there are still frontiers, there’s still room to explore if you look in the recesses of the IETF / ISOC repositories, Google mailing lists and GitHub, interesting people’s YouTube channels and Twitter feeds.
Take for example Moxie Marlinspike – he’s trying to solve a real problem with the current state of SSL and Certificate Authorities, and he’s doing amazing things there.
There are the tens of thousands of active participants in international higher education identity and access management, figuring out how to federate access to campus resources like wireless networks, web applications and research cyberinfrastructure. They are paving the way for a future when we don’t have to remember more than one password, or even any at all.
There are still frontiers at the fuzzy edge of the network, and I’m excited to see them and be able to participate in them, even just a little.
For more than a year, I’ve been leading an effort within the Committee on Institutional Cooperation (CIC – the academic wing of the Big 10, plus The University of Chicago) and a number of other InCommon participants, to define an approach to mitigating risk within Active Directory Domain Services, with the goal of achieving InCommon Silver assurance. The work on that cookbook is now largely complete. You can take a look at it here: https://spaces.internet2.edu/x/w56KAQ
Whew. That took a while to do. I hope that at some point some school actually achieves Silver using it.
Here is a Windows PowerShell function I wrote to call a generic stored procedure that rebuilds all indexes in a database. (I found the stored procedure here: http://www.wisesoft.co.uk/scripts/t-sql_defrag_indexes_for_database.aspx) This turns out to be extremely useful for rebuilding indexes on a SQL Server-based connected directory at the end of each run of a Microsoft Forefront Identity Manager (FIM) MA that has processed a lot of changes.
function Run-RebuildIndexes($ma, $SQLServerName, $DBName, $log) {
    # Called after a FIM MA run; connects as the caller's Windows identity (Integrated Security).
    $log.Debug("Run-RebuildIndexes for MA=" + $ma.MAName + " DBName=" + $DBName)
    $SqlConnection = New-Object System.Data.SqlClient.SqlConnection
    $SqlConnection.ConnectionString = "Data Source=" + $SQLServerName + ";Initial Catalog=" + $DBName + ";Integrated Security=True"
    $SqlCommand = New-Object System.Data.SqlClient.SqlCommand("", $SqlConnection)
    $SqlCommand.CommandText = "DECLARE @return_value int EXEC @return_value = [dbo].[USP_REBUILD_ALL_IDX] SELECT 'Success' = @return_value"
    $SqlCommand.CommandType = [System.Data.CommandType]'Text'
    $DataSet = New-Object System.Data.DataSet
    $nRecs = (New-Object System.Data.SqlClient.SqlDataAdapter $SqlCommand).Fill($DataSet)  # Fill opens and closes the connection
    if ($nRecs -gt 0) { $rec = $DataSet.Tables[0].Rows[0]; $log.Debug("Index rebuild result code: " + $rec.Success) }
}
T-SQL stored procedure:
/****** Object: StoredProcedure [dbo].[USP_REBUILD_ALL_IDX] Script Date: 01/05/2012 14:14:21 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- Author: <Nicholas Roy>
-- Create date: <Jan 5, 2012>
-- Description: <Rebuild all indexes in database>
CREATE PROCEDURE [dbo].[USP_REBUILD_ALL_IDX]
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;
    DECLARE @SQL NVARCHAR(MAX);
    -- Build one ALTER INDEX ... REBUILD statement per user table. QUOTENAME brackets
    -- the schema and table names so unusual identifiers cannot break the generated SQL.
    SELECT @SQL = (
        SELECT N'ALTER INDEX ALL ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N' REBUILD; '
        FROM sys.tables t
        JOIN sys.schemas s ON t.schema_id = s.schema_id
        FOR XML PATH(''), TYPE).value('.', 'NVARCHAR(MAX)');
    -- Execute the concatenated batch; the return value is what the PowerShell caller reads.
    EXEC sp_executesql @SQL;
    RETURN 0;
END
GO
So in the course of my evening of NFC/ISO 14443 smartcard/platform/API “literature” review, I put Steve Yegge’s rant together with an analysis piece about what Google thinks about NFC, and came to an unfortunate conclusion. Google’s lack of NFC APIs, combined with them being the current best hope for getting NFC-enabled, ostensibly open smartphones into the mainstream, does not bode well. My project must be tempered with realism.
“The Golden Rule of Platforms, “Eat Your Own Dogfood”, can be rephrased as “Start with a Platform, and Then Use it for Everything.” You can’t just bolt it on later. Certainly not easily at any rate — ask anyone who worked on platformizing MS Office. Or anyone who worked on platformizing Amazon. If you delay it, it’ll be ten times as much work as just doing it correctly up front. You can’t cheat. You can’t have secret back doors for internal apps to get special priority access, not for ANY reason. You need to solve the hard problems up front.” -Steve Yegge, from his now famous accidentally public-facing Google+ rant on platforms
For some time, I have argued that spending the time to do a good service-oriented architecture is the right thing to do, especially in the identity management space. It takes a very long time to do this right, and the QA, health checks and iteration become more time-consuming than defining and writing the initial service. The monitoring for a good SOA becomes the unit tests, mocks, etc., and you end up doing right by your customers by eating your own dogfood. The problem is, in academic higher ed, a lot of the time there seems to be no extra time to spend. You have to do what you can with the time and resources you have. So you try to do the best job you can, you use existing service frameworks where you can, and you make your own where none exist, if you can find the time to do it. That’s one of the reasons I like working where I do: I think people get why services and platforms are good, which you might think is truly amazing to find in a state-funded higher ed institution. The more amazing thing is that I think a lot of state-funded R1 universities get this, and they are getting it more all the time. See: Shibboleth, Grouper and COmanage.
It’s interesting that Google, Facebook, Amazon, Apple and even Microsoft seem to be doing “sexy” things that get a lot of attention. But the academic research institutions are doing a ton of work here, too, and while it’s not glamorous, it’s changing the world for the better.
I’ve been wanting to get a Galaxy Nexus phone for a while, ever since I found out it was coming to Verizon. This summer I almost ditched Verizon for Sprint to get a Galaxy S 4G with an NFC chip in it, but held off because I knew this newer Nexus was just around the corner. I want to mess around with the NFC feature and see if I can make it store X.509 certs and act as an ISO 14443 smart card for things like workstation logon and door access. The secure element in the Galaxy Nexus is an NXP chip which supports a lot of different NFC protocols, but Google has been pretty open about their non-support for card emulation. This means there’s not a built-in way to handle this stuff yet. But then I found this: http://code.google.com/p/seek-for-android/
For a while I was hoping that InfoCard would be a champion for identity selection and user-centric identity. Now I hope it’s smartphones. We’ll see how well this turns out. I’ll be happy if my wallet can go away at some point. It would be great to have payment, drivers’ license, passport, work login/door credentials, etc, all on the phone. Some people probably think that’s a terrible idea and maybe slightly Orwellian (Dvorak: http://www.pcmag.com/article2/0,2817,2395071,00.asp) but I think it just makes sense. The secure elements in these phones truly are secure, until they aren’t any more. By that time we’ll have other things to replace them, and probably lots of other things to worry about.
In 2005, Kim Cameron published his Laws of Identity. I have a few ideas for some laws of identity management. Here’s the first one:
Given a defined IdM problem, the set of all good solutions will always be almost identical, varying only in the dialect of mutually incompatible XML-RPC that they speak.