[cap-talk] Any hope in RSA 2008?
Karp, Alan H
alan.karp at hp.com
Sat Apr 12 23:52:05 CDT 2008
I just returned from RSA 2008 and can answer that question with a resounding "Sort of".
There was still the usual nonsense. "User identity needs to flow freely between services" is only one example of many. On the plus side, there was an undercurrent running through most of the conference, managing fine-grained rights. It was in Art Coviello's keynote (http://www.rsaconference.com). Even Craig Mundie said some intelligent things about access control, but I think they were accidental. The same theme appeared on the show floor, with many of the booths at least mentioning the problem. Of course, nobody had a clue of how to do it, but at least they're aware it's a problem.
I made a point of talking to someone technical at every booth that mentioned Identity and Access Management or Single Sign On (SSO). Everyone understood me when I explained the dangers of SSO. One small company from Singapore actually knew of the problem and required a user click on the first use of a new authentication.
I attended the session on voting systems with David Wagner on the panel, which was fun. Ping's thesis got a plug, and not from David. I also attended the Groundhog Day panel session, which was a disappointment. Their proposed solution was to react faster and write better code. When I pointed out that's what we've been saying for 30 years and shouldn't we try something different, they looked at me like I was speaking in tongues.
I spent most of my time in the identity and SOA sessions. (Hey, masochists have rights, too.) There was surprisingly little nonsense, even in the Liberty Alliance session. That's probably because there was little about federating identities and more about provisioning them. For example, the session on Role Management was about roles as a management tool, not an access control mechanism.
Several of the talks included examples of service composition, variants of Alice invokes Bob who invokes Carol. In each case I asked whose rights got used on the call to Carol. The answer was always Alice's. I then asked what prevented Bob from abusing Alice's rights. The answer was always that there was nothing that could be done. I then put in a plug for my talk.
Speaking of my talk, it went well. They kept me around for 30+ minutes asking a bunch of questions. Some were skeptical. I ran into one guy the next day who said, "I left your talk thinking this is fecockteh (Yiddish for screwed up). Walking in this morning I stopped on the sidewalk, slapped my head, and realized that of course it's right." That's a typical reaction.
Of course, there were a couple of fun keynotes. Michael Chertoff, Malcolm Gladwell (Blink and Tipping Point), and Al Gore.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
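The Alice-invokes-Bob-invokes-Carol exchange in the post, as an added illustration that is not part of Karp's message or any system discussed at the conference. The toy code contrasts the model the speakers described (Bob calls Carol with Alice's identity, so Carol's ACL lets Bob do anything Alice can) with a capability model in which Alice hands Bob an attenuated capability carrying only the rights Bob's job needs. The classes, the ACL contents and the document value are constructed for the example.

```python
"""Toy illustration of the composition question raised in the post:
whose rights does Bob use when he calls Carol, and what stops him abusing them?
Hypothetical code; the ACL and the document value are constructed here."""

# --- Model 1: the caller's identity flows down the call chain ---

# Constructed ACL for Carol's document store: identity -> permitted operations.
CAROL_ACL = {"alice": {"read", "write"}, "bob": set()}


class CarolIdentityBased:
    """Carol authorizes each request by the identity it claims to act for."""

    def __init__(self):
        self.doc = "quarterly numbers"

    def handle(self, acting_as, op, payload=None):
        if op not in CAROL_ACL.get(acting_as, set()):
            raise PermissionError(f"{acting_as} may not {op}")
        if op == "read":
            return self.doc
        self.doc = payload
        return "ok"


def bob_identity_based(carol, acting_as):
    """Bob only needs to read, but nothing in this model stops him from
    writing under Alice's identity: the 'nothing can be done' answer."""
    summary = carol.handle(acting_as, "read")
    carol.handle(acting_as, "write", "defaced")  # succeeds, since Alice may write
    return summary


# --- Model 2: capabilities; Alice passes Bob exactly the rights Bob needs ---

class Capability:
    """A reference to Carol bundled with the operations it permits.
    attenuate() yields a capability with a subset of the rights; there is
    no operation that adds rights back."""

    def __init__(self, target, ops):
        self._target = target
        self._ops = frozenset(ops)

    def attenuate(self, ops):
        return Capability(self._target, self._ops & frozenset(ops))

    def invoke(self, op, payload=None):
        if op not in self._ops:
            raise PermissionError(f"capability lacks {op}")
        return self._target.do_op(op, payload)


class CarolCapabilityBased:
    """Carol performs whatever the capability authorizes; she never sees
    Alice's or Bob's identity and needs no ACL."""

    def __init__(self):
        self.doc = "quarterly numbers"

    def do_op(self, op, payload):
        if op == "read":
            return self.doc
        self.doc = payload
        return "ok"


def bob_capability_based(cap):
    """Bob holds only what Alice gave him; a write attempt is refused."""
    summary = cap.invoke("read")
    try:
        cap.invoke("write", "defaced")
        abused = True
    except PermissionError:
        abused = False
    return summary, abused


def run_scenarios():
    """Run both models and report the state of Carol's document afterwards."""
    carol1 = CarolIdentityBased()
    bob_identity_based(carol1, acting_as="alice")

    carol2 = CarolCapabilityBased()
    alice_cap = Capability(carol2, {"read", "write"})  # Alice's full rights
    _, abused = bob_capability_based(alice_cap.attenuate({"read"}))

    return {
        "identity_model_doc": carol1.doc,
        "capability_model_doc": carol2.doc,
        "capability_model_abused": abused,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the second model is that the question "what prevents Bob from abusing Alice's rights?" has an answer: Bob never received those rights, only a read-only capability derived from them, and Carol does not need to know who is asking.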