Wednesday, October 07, 2009

Nothing fishy in Denmark (except the herring)

The Danish National IT and Telecom Agency recently released profiles of a number of identity specs for enabling 'identity-based web services'.

The term 'identity-based web service' in this context means web services that act on behalf of a user or are personalized with the user's data, in contrast to normal web services, which do not execute in the context of a particular user.

Denmark took a buffet (dare I say smorgasbord?) approach - picking and choosing from available specs and profiling them as necessary, defining:
  • OIO WS-Trust Profile
  • OIO WS-Trust Deployment Profile
  • Liberty Basic SOAP Binding
  • OIO Bootstrap Token Profile
  • OIO SAML Profile for Identity Tokens 
The scenarios document makes for great reading on the different use cases currently targeted.

I do wonder why the discussion of the identity-based model (i.e. where the identity of the user is captured in a security token within the web services call) doesn't contrast this model with the so-called 'password anti-pattern'? Presumably it's not the scourge in eGovernment applications that it is in Web 2.0.

3 comments:

Gerald said...

Ah - you might want to take a look at the NSA/DISA NCES profiles then, also (released in 2008):

http://www.nsa.gov/ia/guidance/standards_profiles/index.shtml

Paul Madsen said...

Gerry, that's interesting and all but I'm not sure what it has to do with me and my family getting a holiday in Copenhagen?

Please try to stay focussed

Paul

Gerald said...

Darn - I thought you *were* talking about baking goods... I will have to read things more carefully.