We’ve just released a draft version of the “Secure sharing of Higher Education Achievement Reports (HEARs) at Newcastle University using SMART” document. Our goal is to propose improvements to existing processes at Newcastle University and integrate SMART with some of the applications, as discussed. Please feel free to send your feedback.
You can also check out the SMART white paper, a single page that describes the problems in Higher Education that SMART AM solves.
The end of 2010 was very intense and interesting for the SMART project. We attended three big events: Internet Identity Workshop 11, Devoxx and the Middleware 2010 Conference. It was a great opportunity to get feedback on our current work as well as hear news from the Internet identity and developer worlds.
At the beginning of November we went from windy and rainy Newcastle to Mountain View for the 11th Internet Identity Workshop (IIW). Even though it takes about 15 hours to get there, we never regret meeting great people and hearing what new things are happening at Facebook, Google, Yahoo and within the whole identity ecosystem. Among many interesting presentations, I personally really liked Janrain’s talk about social login and sharing for online retailers as well as Google’s presentation of the results of their research on OpenID usability. Of course there was Eve Maler presenting User Managed Access. I am very happy that with every IIW there are more people asking about UMA. We definitely need to speed up with our prototype implementation. Together with Maciej we did a session on our Java implementation of OAuth 2.0, the leeloo library. We discussed how to use leeloo to build OAuth clients, authorization servers and resource servers. Apart from that, there was a really great discussion with session attendees about good patterns for building OAuth-enabled applications.
We hardly had time to rest after IIW because just a week later we went to Antwerp. This Belgian city hosted Devoxx, the biggest conference for Java developers in Europe and the world’s second. With more than 100 speakers and 3000 attendees it is a great place to discuss technical issues and hear opinions on UMA from the developer community. The SMART project gave two presentations describing the UMA flow and showing a prototype of UMA/j, a Java framework for building UMA-compliant Web applications.
The UMA/j framework was also the topic of our paper, Implementation of User-Managed Access Framework for Web 2.0 Applications, which has been accepted for the Middleware for Service Oriented Computing (MW4SOC) Workshop in Bangalore, the Silicon Valley of India. Bangalore is a really crazy city, completely different from what I’ve seen in the US or Europe. I gave a presentation there and showed a poster explaining the design and main components of the UMA/j framework. There were many people interested in how UMA tries to solve the problem of authorization and data sharing in the cloud.
We’re looking forward to 2011, when we hope to have at least as many opportunities to present our work, get feedback and learn new things that will be beneficial for our research and the SMART project.
Last Friday, I presented the paper that I wrote with Prof. Aad van Moorsel on User-Controlled Access Management (aka User-Managed Access Control) at the ICDCS-SPCC 2010: The First Workshop On Security And Privacy In Cloud Computing. The workshop took place in the beautiful city of Genoa in Italy. I didn’t know what to expect from the event but it turned out to be very good! It started with a keynote by Prof. Pierangela Samarati (University of Milano) on “Protecting confidentiality in external data storage” followed by other really good presentations and the “New Research Directions of Security and Privacy in Cloud Computing” panel by Krishna Kant (Intel Research & NSF), Sabrina De Capitani di Vimercati (University of Milano) and Jack Brassil (HP Labs).
After the workshop I had a chance to talk to Prof. Samarati about her recent paper “”. We discussed the proposed approach to including credentials in access control policies. Most importantly, we talked about dialog management, for which support within XACML has been discussed extensively. User-Managed Access supports dialog management with claims (see the “Claims 2.0” specification). However, it leaves unspecified a few crucial things that we need to discuss and incorporate into the specification. What I like in the approach that Prof. Samarati describes in her paper is that anyone can specify required attributes within access control policies, but the types of these attributes may not necessarily be communicated to the Requester (and eventually the Requesting Party). For example, the policy may define that anyone who can prove themselves to be over 18 years old should be able to access a particular resource. However, this information may not be communicated to the Requester. Instead, the authorization server may ask “What’s your age?” and decide based on the provided information. It can even ask “Hey! Tell me about yourself.” and then make an access control decision. The SMART team is planning to look at these features closely and to contribute to the Claims 2.0 specification. And of course, we’ll implement that! :)
BTW, the slides from my presentation and the final draft of the paper are available here. Want to provide feedback? Let me know!
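The over-18 policy described above can be sketched as follows. This is an added example, not code from the post, from UMA/j or from the Claims 2.0 specification; `Policy`, `AuthorizationServer`, `over_18` and the resource name are hypothetical, and it assumes the supplied claims have already been verified.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Claims = Dict[str, object]

@dataclass(frozen=True)
class Policy:
    resource: str
    ask: Tuple[str, ...]                 # claim names sent to the Requester
    condition: Callable[[Claims], bool]  # evaluated server-side, never sent

class AuthorizationServer:
    def __init__(self, policies):
        self._policies = {p.resource: p for p in policies}

    def claims_request(self, resource: str) -> dict:
        """The only policy detail the Requester sees: which claims to supply."""
        return {"resource": resource, "provide": list(self._policies[resource].ask)}

    def decide(self, resource: str, claims: Claims) -> str:
        """Return 'permit' or 'deny' with no reason, so the condition stays hidden."""
        policy = self._policies.get(resource)
        if policy is None:
            return "deny"
        # Assumption: claims were already verified (proof of age is out of scope).
        try:
            ok = all(name in claims for name in policy.ask) and policy.condition(claims)
        except (TypeError, ValueError, KeyError):
            ok = False  # malformed claims fail closed
        return "permit" if ok else "deny"

def over_18(claims: Claims) -> bool:
    age = claims["age"]
    return isinstance(age, int) and not isinstance(age, bool) and age >= 18

# Constructed sample policy: asks broadly ("tell me about yourself"),
# but the decision depends only on age.
SERVER = AuthorizationServer([
    Policy("resource-1", ask=("age", "country"), condition=over_18),
])

if __name__ == "__main__":
    print(SERVER.claims_request("resource-1"))
    print(SERVER.decide("resource-1", {"age": 21, "country": "UK"}))
    print(SERVER.decide("resource-1", {"age": 17, "country": "UK"}))
```

Asking for more claims than the condition reads hides the condition better, but it also collects more personal data than the decision needs.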