Updated: 1.8.2002; 23:10:41 GMT

Security Weblog

Good, bad and not so ugly DRM

EPIC produced a thoughtful analysis of current (bad) DRM systems and a proposal on what features future (hopefully good) variants should possess. 10:45:11 PM
Single Sign-On in Government
Phillip Windley blogs on single sign-on for his e-Government applications. Interestingly, I dipped my toes into something similar here in the UK and it is interesting to see the differences.

1. Phillip mentions the need to support Screenname and Passport alongside his own internal authentication. Passport is not terribly popular on this side of the ocean, which in e-government applications may have something to do with the fact that it has been investigated for potential data protection bugs by the European Commission. AOL is not as big here as in the US and on top of that it has not signed up for Safe Harbor and therefore - no Screenname support.

2. Instead of using outside authentication services with dubious security, the Government has pioneered a thing called Government Gateway, which, amongst other services, provides single sign-on for all e-government applications. Gateway is quite an innovative and unique service. The US administration is considering the development of such a service (I can't find the link from last week) a whole two years after it was launched here. Gateway developers and the security authority have gone to great lengths to provide appropriate security (username/password or certificate/password can be used). However, after two years of experimentation it has turned out that usability and adoption are bigger problems than security. What is a secure service good for when nobody uses it? So instead of security, government departments, which have target numbers of users to attract before 2005, are pondering over ways to make e-government applications easier to use and to provide them through non-traditional channels such as banks, accounting software packages, commercial portals etc. And into this world Passport fits much better. So it is quite possible that after MS corrects the data protection issues and connects it to the VISA payment authorisation network, citizens of both countries will meet at MSFT's doorstep.

3. The distinction between authentication and authorisation seems to be clear on both sides of the pond. You can use an external authentication service, but with the current state of technology authorisation details need to be held in-house. The funny thing is that it requires virtually the same infrastructure (i.e. a directory) as authentication, and so you don't save anything by using an external service. What's more, external authentication requires substantial integration effort with only a small outcome - single sign-on. 9:36:27 PM

Yes, it's good old pervasive computing. In this presentation Peter Burger defines pervasive computing as "numerous casually accessible, often invisible network access devices; user accessible anywhere; instant or casual access to network service delivered by smart network". He also outlines three successive stages of pervasive computing:
As soon as we want to move from stage 1 to stage 2 we need something to maintain context. For this we need to know the user's identity. Because the content is actually an aggregation of many services, we need to interface to many security namespaces. If the aggregated services are paid for, we may also, especially in non-flat-rate payment models, need to pass the user details back and forth for billing purposes. 8:31:05 PM
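The split described in point 3 of the single sign-on post (identity asserted by an outside service, authorisation held in the department's own directory) and the "many security namespaces" remark in the pervasive computing post can be shown in a few dozen lines. The following is an added illustration written for this page, not code from Government Gateway, Passport or any of the authors mentioned. The issuer names, shared secrets, the HMAC-signed token format, the local directory contents and the permission table are all constructed stand-ins for a real assertion format and a real directory.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: two external authentication services (two "security
# namespaces"), each trusted through its own shared secret.  Names and secrets
# are hypothetical, not anything from a real gateway or Passport deployment.
ISSUER_SECRETS = {
    "gateway.example": b"gateway-shared-secret",
    "passport.example": b"passport-shared-secret",
}

# In-house authorisation data: which external identity maps to which local
# account, and which roles that account holds.  This is the part the post says
# still has to live in the department's own directory.
LOCAL_DIRECTORY = {
    ("gateway.example", "alice"): {"account": "alice", "roles": {"taxpayer"}},
    ("passport.example", "bob@example.net"): {"account": "bob", "roles": {"taxpayer", "agent"}},
}
PERMISSIONS = {
    "file-return": {"taxpayer", "agent"},
    "view-client-returns": {"agent"},
}


def _sign(secret, body):
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def mint_assertion(issuer, subject, ttl=300, now=None):
    """Stand-in for the identity assertion an external service hands back after
    login.  It states only *who* the user is; it carries no roles."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": subject, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(ISSUER_SECRETS[issuer], body)}"


def authenticate(token, now=None):
    """Verify the assertion against the issuer's secret.  Returns the payload
    (issuer, subject, expiry) or None if the token is malformed, from an unknown
    issuer, forged or expired."""
    now = int(time.time()) if now is None else now
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    secret = ISSUER_SECRETS.get(payload.get("iss"))
    if secret is None:
        return None  # issuer we have no trust relationship with
    if not hmac.compare_digest(mac, _sign(secret, body)):
        return None  # signature mismatch: forged or tampered
    if payload.get("exp", 0) <= now:
        return None  # stale assertion
    return payload


def authorize(payload, action):
    """Authorisation is decided in-house: map the external identity to a local
    account and check its roles against the requested action."""
    entry = LOCAL_DIRECTORY.get((payload["iss"], payload["sub"]))
    if entry is None:
        return False  # authenticated by a trusted issuer, but unknown to this department
    return bool(entry["roles"] & PERMISSIONS.get(action, set()))


def access(token, action, now=None):
    """Full decision: external authentication first, local authorisation second."""
    payload = authenticate(token, now)
    if payload is None:
        return "denied: authentication failed"
    if not authorize(payload, action):
        return f"denied: {payload['sub']}@{payload['iss']} not permitted to {action}"
    account = LOCAL_DIRECTORY[(payload["iss"], payload["sub"])]["account"]
    return f"allowed: {account} may {action}"


if __name__ == "__main__":
    token = mint_assertion("gateway.example", "alice", now=1_000_000)
    print(access(token, "file-return", now=1_000_100))
    print(access(token, "view-client-returns", now=1_000_100))
```

Note that `LOCAL_DIRECTORY` is keyed by issuer as well as subject: the same subject string from two issuers is two different identities, which is the namespace problem the pervasive computing post points at. Nothing in the token grants a role, so an assertion from a compromised or merely unfamiliar issuer gets no further than `authenticate`, and a valid identity with no local entry is still refused.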