Rainer Hörbe's blog

EU Data Protection Regulation: Data Minimization has been dropped?

When the Article 29 Working Party published its paper on profiling in May 2013, it was very clear that data controllers would have to have a higher degree of responsibility, including data minimization. Anonymization and pseudonymization were explicitly noted as safeguards.

Identity week in Vienna, 1.-4. Dec. 2014

The international research + education community assembles for meetings on Dec. 1.-2., and a cross-sector open space meeting will follow on Dec. 3.-4. Join this meeting to catch up on the latest trends, learn about challenges in identity federation and the data privacy ecosystem, and meet lawyers, management and engineers:

https://identityworkshop.eu

Does European Data Protection Law protect against obnoxious data brokers?

Last month Pam Dixon, director of the World Privacy Forum, drew attention in congressional testimony to data brokers offering sensitive social and health information such as mental health diseases, cancer, AIDS, poverty, rape and addiction. European law does prohibit such sad and unethical business practices. But are European consumers safe from those exploits? Not as much as we would like:

Sensitive user attributes in a federation

GPII is working on improved accessibility to the Internet and received an NSTIC grant for this work.

Concern with private information monetization

ISOC Federation across boundaries: Concern with private data monetization is not with abuse by a company, but the dependency on a dominating company. Klaas Wierenga gave the example that a dating service has quite sensitive data, but would be quickly out of business if reselling/using it outside the specified purpose. However, restricting the use of FB because of issues with data usage may have a serious impact on a user's social life.

SSL Arms Race: Talk @ RSA Conference

DigiCert's Ben Wilson moderated a panel on SSL security with very competent members from Comodo, Mozilla, PhoneFactor and Qualys.
Last year's threats are still there, although the share of servers vulnerable to the renegotiation bug dropped to 23%. There are no numbers on whether mixed content and weak CAs are decreasing. [The problem is that in many cases there are cheaper attack vectors available].

SAML 2.1: Join OASIS SSTC Webinar on Sep 25, 2012 17:00-18:00 CET

This webinar will give an overview of the achievements since the publication of SAML 2.0 in 2005, both in specification and deployments, and an outlook on the planned work on SAML 2.1.


The recording may be downloaded here.
 

Federation is not about 1:1 relationships

Craig said in Vail (see http://prezi.com/pys_d3ysqbmb/api-economy-update) that federation does not scale in the API economy because it deploys a 1:1 relationship, and that we need to move to a hybrid cloudy model. Then he jumps to the conclusion that SAML==Federation, hence SAML does not scale, and underpins this with an enterprise-type scenario.
Besides his unorthodox use of the term Federation, this ignores a number of facts:

Craig Burton: SAML is dead

(cross-post from eustic.net)

 

Craig (@craigburton) said at the Cloud Identity Summit (#CIS2012) that SAML is dead. He argues:

Proposal for a SAML-WebSSO profile with enhanced privacy

Identity federations with B2C-type, and sometimes other, use cases need to prevent the collection of user data across services for privacy and business-case reasons. This draft proposes a new SAML profile with improvements with respect to un-traceability, un-linkability and non-disclosure.
[Updated June 15]
