OAuth enables a very simple type of delegation, a user can delegate permissions between two services that they have accounts on. In other words, OAuth lets a user delegate permission to themself. But full delegation allows arbitrary users of arbitrary services to give permissions to each other. In this article I summarize the two key extensions to OAuth needed to enable it to do full delegation. The first is ’on behalf of’ (e.g. a service saying ”I am making this request on behalf of user X”) and the second is a very simple directory service. The rest of the article tries to use something like plain English to explain how these features could work in OAuth. Continue reading Building full delegation in OAuth – This time in English
Author: Administrator
Thoughts on updating finger services
Having a finger service as a directory to find information about users and services appears to be absolutely necessary if ad-hoc information sharing between people and services is to be possible. But just having a way to finger a person or service is less than 1/2 the battle. The real challenge is making it possible for services to update their user’s finger information in an ad-hoc manner. I explore the issues around dynamic finger update in this article. Continue reading Thoughts on updating finger services
Using OAuth WRAP and Finger for ad-hoc user authentication
The OpenID community has worked long and hard to make ad-hoc logins possible on the web. Part of that process has been experiments with a number of different technologies and approaches. Below I make my own proposal for how to handle ad-hoc logins on the Internet using OAuth WRAP and my own spin on Finger. I offer this up as food for thought. Continue reading Using OAuth WRAP and Finger for ad-hoc user authentication
Thoughts on building a finger service
Those folks of a certain age will remember the finger command/protocol which allowed one to look up information about a person based just on their login identifier. This command was extremely useful even if it had some troubling security and privacy implications. Efforts are underway to create a Web Finger but for reasons I’ve previously discussed I think the underlying technologies for those efforts are sub-optimal. So in this article I propose what I think is a much simpler approach. My motivation for caring is that I think having a finger service will make permissioning systems much more useful (see here and here). Continue reading Thoughts on building a finger service
The outline of a profile for granting permissions using OAuth WRAP
In a previous article I talked about adding a profile to OAuth WRAP that would enable users to ask for or grant permissions to each other. In this article I show that an OAuth WRAP profile to handle granting permissions only needs two request/response pairs. I then show that an OAuth WRAP profile to handle asking for permissions only needs one additional exchange. Continue reading The outline of a profile for granting permissions using OAuth WRAP
Open permissions matter for an open web
The key to an open social web is permissions. There is data we don’t want to share and data we do want to share, permissions let us create the appropriate barriers. Closed networks like Facebook have reasonably rich permission infrastructures but what about open networks? How should Google and Microsoft enable document sharing across Google Docs and Sharepoint Online? Sure WebDAV can handle the actual mechanics of listing out documents, editing, etc. But how do the permissions get put into place in an open manner directly between users of the two services? This is a hole in the standards infrastructure and it’s time to fill it. Continue reading Open permissions matter for an open web
FirstTechPrivacyFailure
For more years than I care to count I have been a happy customer of First Tech credit union. Their website has always been top notch and the service I received from them was the best. But now I find myself looking for a new bank and would welcome any suggestions.
My unhappiness started when First Tech's website was down for 5 days, worse yet, a scheduled 5 days, so they could upgrade their online banking. In this day and age to have a 5 day downtime for an upgrade is unacceptable. This is not the 1990s. This isn't even the 2000s.
Things only got worse when, according to their own notice the upgrade failed because after 5 days of being down they got three times their normal traffic and couldn't handle the load. Huh? You were down for 5 days, what the heck did you think was going to happen? Of course you're going to get a load spike! Their solution was to roll all of their website back to the old website so they could get back up and running while they figured out what to do about the extra load. The planning screw ups this situation called for are, well, concerning.
All of this was irritating but then there was the final straw. Their new on-line bill pay system wouldn't work for me. It kept saying my login failed. I sent mail to their help desk and they quickly responded (still good customer service). Their instructions were for me to reset my browser's security settings to accept third party cookies. What? I have to commit one of the most basic privacy mistakes and let everybody on the Internet trivially track me just so I can use your bill pay service?
This is a bank we're talking about. An institution which is supposed to be all about privacy. And they are so clueless that they think it's o.k. to require third party cookies? Their previous behavior already gave me good reason to question their technical competence but this is just over the top.
So does anyone have a recommendation for a bank with a solid web banking system that has a clue about privacy?
Asset Location for College Savings
Asset location is not so much about what investment to buy as where to locate it. A typical asset location problem is - do I put money in a taxable account or a tax exempt account? In the case of saving for college there are at least four different ways to save money for college that have some kind of tax exemption. Below I explore the five options (taxable and various tax exempt ones) that I could find and explain why we settled on using a 529 savings plan. Continue reading Asset Location for College Savings
The CAP theorem and modern data centers – for now, choose consistency!
The dominance of the commodity machine model for data centers is so complete that one forgets that there was ever any other viable choice. But IBM, for one, is still selling lots of mainframes. Nevertheless the world I live in is built on top of data centers that contain a lot of commodity class machines. These machines have a nasty habit of failing on a fairly regular basis. So when I think about the CAP theorem I think about it in the context of a data center filled with a bunch of not completely reliable boxes.
In that case partition tolerance (which, as I explain below, ends up meaning tolerance of machine failure) is a requirement. So in designing frameworks for the data centers I work with the CAP theorem makes me choose between exactly two choices - do I want consistency or availability?
My belief is that for the vast majority of developers, at least for the immediate future, they need to choose consistency.
Continue reading The CAP theorem and modern data centers – for now, choose consistency!A mac fail? Please Help me with remote desktop
I want to get a mac laptop for my wife but I want to be able to use it as a remote terminal for my iMac upstairs.
There doesn’t appear to be a decent solution for this problem on the mac. VNC is a joke. It will just take my 24 inch iMac screen and shrink it down to the laptop’s screen size. And yes I have played around with smart zoom but it’s really painful.
Isn’t there an equivalent for the mac to Microsoft’s outstanding Remote Desktop Connection application and RDP protocol?
For what it’s worth I signed up to be notified when AquaConnect releases their mac remote desktop product which is based on RDP but they aren’t even announcing dates.
Any ideas or am I just out of luck?