Archive for June, 2008

RSC Eastern Technical Managers Forum Meeting

Thursday, June 12th, 2008

I was fortunate enough to be invited to the above by Thomas Rochford and it was great to see how much interest there is amongst FE colleges on the subject of identity management.  We had a lively debate on the findings of the Identity Project and specific identity challenges within FE.  There were certainly intakes of breath over some of the findings and particularly those that related to how much money and how many staff there were estimated to be to deal with identity in HE institutions.  All in all, I think we have a good deal more work to do in FE on identity but it’s also potentially an area where we could quickly learn lessons that have more general applicability to other areas.  As I said at the event I would welcome comments on this blog about topics that would be of interest to explore and my colleague Nicole Harris’s blog entry on the future of access and identity management is also now open ahead of the event on 30th June that will look at future development areas.

Key topics from the conversations were:

- Outsourced identity management and how that could work with existing institutional processes and systems;

- OpenID – what could it be used for?

- Guidance on best practice;

- How you determine and prove that a member of an institution is that member;

- The balance of risk and reward in identity management – how do I determine whether the risk I take on releasing additional functionality is worth the reward that my users get?

Slides from the event are due to be published soon so I’ll link through to those or pop them up on Slideshare.

Posted in Access Management, Identity Management, JISC | No Comments »

Too OpenID?

Tuesday, June 3rd, 2008

I had a recent conversation with David Chadwick from Kent, who got an OpenID from a major provider of OpenIDs that also provides services. Now that he’s withdrawn from using their services he can no longer use his OpenID and he thinks it will probably be recycled (as per the OpenID 2.0 spec), raising a few issues over security. Others are equally concerned. All of this raises the very good question of what happens when you get a set of identity credentials from a provider and what your contract with them is not to use those credentials when you finish using their services. OpenID’s response to this problem is to now have a globally unique ID that you can have that is separate to your OpenID but how secure are you in the knowledge that that won’t be recycled too? Personally, I use MyOpenID and I’ve had no problems but all they do is provide OpenIDs and I have fairly limited use of it anyway.

This also raised the question of what you would use OpenID for if you knew that your OpenID could be recycled. I suspect each person would have their own answer for that.

From the JISC perspective, OpenID is a topic of interest as we start exploring user-centric identity and try to get to the bottom of the eternal question of what people in education would use OpenID for (see here for the review, which will be out early next month). It seems to be one that is coming to a head overall as the identity community start asking who is going to provide services and not just IDs. Some of this is being resolved as sites such as SourceForge quietly sign up and I’ve seen that you can now add comments on Blogger blogs with an OpenID. Let’s hope that there is sufficient trust in OpenID to ensure that as we’re starting to get useful services, users have the confidence in their OpenID to use them.

Posted in Identity Management, JISC | No Comments »