Friday, July 29, 2011

Privacy Control for User-Managed Access

This post is about my recent work at Newcastle University as a contributor to the Smart project. The study explores visualization techniques to enhance the privacy-control user experience for the User-Managed Access (UMA) protocol, applied to the SmartAM system.
The goal is to mitigate the risk of loss of privacy and the exploitation of online personal data caused by users' difficulty in maintaining control, correlating web resources and assigning privileges for a specific scope in the data-sharing process.
The approach (see the slideshare presentation below) introduces the concepts of Connection, Control bridge and visualization tools for this purpose.

Monday, July 18, 2011

UMA & OpenID Connect

As part of my visit to Newcastle University, thanks to the Smart team and Prof. Aad van Moorsel, last Wednesday I had the opportunity to speak at the Computer Science Group Talk to a group of PhD students and researchers about the UMA protocol and its extension to support Trusted Claims using OpenID Connect. The integration scenario (see slideshare below) shows a user interaction to get access to a UMA-protected resource with access restrictions based on the requester's information/claims (i.e. email address, age and gender) using OpenID Connect.
Interestingly, a first OpenID Connect demo with Google was released yesterday. This is very useful for further investigation of the integration approach and the interfaces between UMA and OpenID Connect!
Smart team at Newcastle University
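The claim-gated access decision described above, written out as an added example that is not part of the original post or of SmartAM: a simplified authorization manager verifies an OpenID Connect ID token from a trusted issuer (HS256 with a constructed shared key here, standing in for an OP's real RSA signature) and then evaluates a resource policy over the email, age and gender claims. All issuer names, keys and policy values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: OpenID Connect issuer -> verification key. For this
# illustration tokens are HS256-signed with a demo key; real OPs sign with RSA keys.
TRUSTED_ISSUERS = {"https://op.example.test": b"constructed-demo-key"}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(issuer, key, claims):
    """Stand-in for the OpenID Provider: build a signed ID token carrying claims."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token, now=None):
    """Return the token's claims only if the issuer is trusted, the signature is
    valid and the token is unexpired; any failure yields None (claims untrusted)."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(b64url_decode(payload))
        key = TRUSTED_ISSUERS[claims["iss"]]   # unknown issuer -> KeyError -> None
        presented = b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

# Constructed policy for one UMA-protected resource: each required claim maps to
# the predicate it must satisfy (the three claim types named in the post).
POLICY = {
    "email": lambda v: isinstance(v, str) and v.endswith("@example.test"),
    "age": lambda v: isinstance(v, int) and v >= 18,
    "gender": lambda v: v in ("female", "male", "other"),
}

def authorize(policy, token, now=None):
    """AM decision: grant only when the presented ID token verifies and every
    required claim is present and satisfies its predicate; otherwise deny."""
    claims = verify_id_token(token, now)
    if claims is None:
        return False
    return all(name in claims and rule(claims[name]) for name, rule in policy.items())
```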

Sunday, July 10, 2011

User-Managed Access (UMA): Power to the people

As a contributor and member of the leadership team at the Kantara UMA WG, I'm very excited about the announced release of a first draft recommendation for UMA to the IETF for consideration.

This is a fundamental milestone in the creation of a new generation of authorization systems that give data-sharing power to the people.
The approach addresses the emerging issues of data sharing and identity in the cloud. From a security and privacy perspective, the UMA protocol, which is built on top of the IETF OAuth 2.0 effort, gives the user the ability to control what information will be revealed, for what purpose and to which party, independently of where the user's information is stored.

This announcement comes while I'm visiting Newcastle University, where I have joined the Smart team to contribute to the SmartAM project (another exciting challenge!!), which implements the UMA specification.

The Working Group will demonstrate UMA's benefits in a public webinar on Wednesday, July 13, at 9am Pacific time. Join us.
You can register here.

Monday, February 21, 2011

Microsoft won't ship CardSpace 2.0

Last week, at the RSA Conference, Microsoft announced that it will not ship Windows CardSpace 2.0. This decision is very significant because CardSpace was considered one of the most interesting user-centric technologies, along with OpenID.
The Windows CardSpace software enables people to maintain a set of personal digital identities that are shown to them as visual “Information Cards”. This approach mitigates phishing attacks and encourages a move away from passwords. The card approach combined with the claims-based approach also has some potential privacy benefits.

It seems that Microsoft is reconsidering the state of the art of the identity landscape and the evolution of tools and cloud services, and is trying to focus on claims-based identity using new approaches (see Kim Cameron's Identity Weblog: From CardSpace to Verified Claims).
On the other hand, claims-based identity remains one of the most vibrant concepts for addressing permissioned data-sharing scenarios in the cloud.
Claims-based identity is also one of the main interests and priorities of the Kantara UMA WG (Trusted Claims), where we are exploring some interesting user experiences and the relationship with OpenID Connect to provide a claims-based access control spec in order to restrict and personalize access to cloud services.