Meet in real world, connect online – v2.0

12.11.2008 by Sebastian Rohr

One of the fancy things about conferences like IIW is that lots of entrepreneurs and start-up people mingle with each other, which is how I came to “poke around” a little. POKEN is a cute little way to make the traditional exchange of business cards and the following procedure of scanning/creating vCards a tad bit easier…

Dave Brown of POKEN had a little session on how to facilitate the exchange of contact information without the hassle of activating Bluetooth, entering data manually or other hurdles. One can get a small (and cute) token called poken (USB and wireless, sort of NFC) with an individual ID in it that “connects” to other poken owners just by bringing the two pokens together. Easy as a handshake – especially cute as the pokens look like 4-fingered hands ;-)

During this process, the pokens actually handshake and exchange their IDs, which are then stored in the flash part of the device. Once you hook the poken up to your computer, it reads the IDs recently learned and finds the corresponding contact information (in the InfoCard format) online. This InfoCard contains as much information as the related poken owner wants it to contain, enabling one to share a single website, email, phone number or other attribute, or offer full profile information if desired. Fun and useful fact: one can choose between up to three “profiles” depending on the context you meet a poken-person in.

I overheard that the poken could also be put to use as sort of a simple hardware credential, but I will need to investigate further… Meanwhile, if you are interested, check out www.doyoupoken.com. You can connect your personal poken to your profile there and start “pokin´around”.


Humans are visual beings, or at least: I am game for eye-candy!

29.09.2008 by admin

In spring this year I was accompanying a friend and business partner of mine to shadow him on a visit to one of the “Managed VoIP Service” vendors, as he (my friend) is also running a small System Integrator company. Technology-wise, this was quite interesting as the vendor had some decent developer resources working on their own “linux distro” as core of the VoIP service. After we had gone through all the security detail regarding this approach (which is why I was there, after all!), the discussion turned towards the client and their use of the tool. As with any “messaging” solution introduced lately, the client GUI consisted of a narrow side-panel, to be positioned at the right hand side of the screen. Why do I tell you all this? Bear with me…

Take Skype for an example (not the current beta though! If anybody from the dev group there reads this: wrong direction guys! The GUI is BAD), the original GUI is nice, it can float, you can resize, tweak, what you like. Better even: TRILLIAN, the multi-messenger tool. Transparency, skins, all available. Well, our friends from the VoIP service vendor were all good down to earth techies. But no “trekkies” for sure – as their GUI looked like it had been designed during the “Windows for Workgroups” design phase and never changed since. For me it is obvious that rock-solid technology is a MUST – but great UI design can be a unique selling point most vendors seem to underestimate.

Now that I came across PINoptic and they showed me what they had to offer (e.g. visual one-time-pads for mobiles) I was very much interested. Not that no one else before had the great idea of using icons and pictures to verify one's identity or to authenticate – tools like these have been available for the PALM III and PALM V as well as for Windows Mobile (almost) ever since! But these guys took a mathematical approach to it and extended the PIN-like scheme with a cryptographic back-office system. So, instead of putting in your 4-6 digit PIN at the ATM (Geldautomat, for our German readers :-) ) you touch the buttons representing your “story”: man – house – bird – key. The next time the icons might be mixed thoroughly, showing a totally new number-block, with the icons mapped to other buttons. Actually, a nice way to put in your PIN, and with the use of out-of-band back-channels (use your mobile phone to enter the “derived PIN”!) quite a secure way to authenticate. Hard to explain, with no visual, so go and check out their demo at http://www.pinoptic.com/ or help them with the “research data verification game” (clever way to do this, despite the fact that I am unsure if I would WANT to put in my details for the “lottery” here – anyone seen the “Mercury Puzzle”???).
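A minimal sketch of the shuffled-keypad idea described above, added here as an illustration and not PINoptic's code or algorithm. The icon set, the `Verifier` class and its single-use challenge handling are assumptions made for the example.

```python
import hmac
import secrets

# Constructed icon set: one icon per button of a ten-key number block.
ICONS = ["man", "house", "bird", "key", "tree",
         "car", "fish", "sun", "moon", "book"]

def new_challenge(rng=None):
    """Return a fresh icon -> digit layout, reshuffled for every login."""
    rng = rng or secrets.SystemRandom()
    digits = list("0123456789")
    rng.shuffle(digits)
    return dict(zip(ICONS, digits))

def derive_pin(story, layout):
    """What the user types: the digit shown under each icon of the story."""
    return "".join(layout[icon] for icon in story)

class Verifier:
    """Hypothetical back office: stores each story, issues one-shot layouts."""

    def __init__(self, stories):
        self._stories = stories
        self._pending = {}

    def challenge(self, user):
        layout = new_challenge()
        self._pending[user] = layout
        return layout

    def verify(self, user, typed):
        # pop() makes the layout single use, so a replayed PIN finds nothing.
        layout = self._pending.pop(user, None)
        if layout is None or user not in self._stories:
            return False
        expected = derive_pin(self._stories[user], layout)
        return hmac.compare_digest(expected.encode(), typed.encode())

if __name__ == "__main__":
    story = ["man", "house", "bird", "key"]
    v = Verifier({"alice": story})
    for _ in range(2):
        pin = derive_pin(story, v.challenge("alice"))
        print(pin, v.verify("alice", pin), v.verify("alice", pin))
```

Only the derived digits are submitted, and they change with every layout. Someone who sees both the layout and the typed digits can still map them back to the icons, which is why the layout and the entry travel over separate channels in the out-of-band variant.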

Anyway, have fun and procrastinate a bit at http://www.pinoptic-challenge.com/


CardSpace Business Cards – PKI 2.0?

29.06.2008 by Sebastian Rohr

As the Gurus of User-Centric ID Management have discussed here and here, the idea of using CardSpace and special “Managed Cards”, issued through the use of the Microsoft Active Directory, InfoCards could actually become sort of an authentication token not only for yourself, but for you being an employee of said issuer of the respective InfoCard. As managed InfoCards are designed to be used as sort of community/customer ID, why not use it to verify if somebody IS actually working for the company he claims to work for?

Impersonation still is a threat today. I experienced this during the Microsoft Security Tour that I recently attended in Hanau, Germany. One of the main reasons was that my successor in the position of Chief Security Advisor, Michael Kranawetter, was about to present CardSpace to the mainly developer-oriented audience. After sharing a coffee or two, Michael stepped up to the stage and prepared for his presentation.

The big surprise came without a single bit of a warning: Michael greeted the audience and said: “Welcome to this session, my name is Sebastian Rohr, and I am the Chief Security Advisor for Microsoft Germany!” Well, there was only one guy in the audience who got puzzled besides myself, my friend Stefan, sitting right next to me! Michael easily showed that in today's business you should not trust everybody who is wearing a “speaker” badge :-) one should ask for proof of the claims stated.

Anyway, back to the point: using a “Business InfoCard” issued by your employer does not only make it easier to access, say, the company online-store and authenticate yourself. It can also be used in B2B situations, where you hand over your card and your communication partner can easily check that your name, title and affiliation are, in fact, valid. In addition, corporate information such as tax ID, location of the company and the official (and pretty up-to-date!) info on board members and the Chairman could be included. Nice!

Sitting over a nice glass of wine, one could drift off and, as thoughts come and go, get creative. Be it the impact of the heavy Merlot or too much sunshine: IF we have an established technology that offers easy issuing and management of credentials, spiced with corporate information and used in an interoperable environment that supports easy “online check” if the information presented is still valid… and all this cross-company… with an extensible range of re-use… wouldn't THAT be the dream of all those PKI guys?

Let's face it: PKI has been struggling all these years to become and remain an important part of the IT infrastructure of all large organizations. Sometimes the struggling led to the “near-death”, sometimes PKI managers still hunt for the killer-app that will put their technology investment to use. Even IF the PKI was put to good internal use, leveraging it outside the company was rarely successful. Now, using the above mentioned managed Business Cards, we would really be able to do all the things we failed to achieve with using X.509 certificates – well, besides encrypted email maybe!

I am really looking forward to your replies, either to be sure that it WAS too much sun and Merlot, or to kick-off a new thread on mis-using user-centric ID management in the enterprise ID management space!


SAPPHIRE Berlin Day 2

20.05.2008 by Sebastian Rohr

Have you ever been to SAPPHIRE?

No?

You should!

Despite my young age, I guess here is where you find how the spirit of the IT industry might have been in “those days”, where multi-million dollar Mainframe deals were made. At least, that is the impression you get when you stroll around.
I have been to quite some trade fairs, special meetings and vendor events – all with a rather impressive set of “supporting events” and executive receptions. But recent years have shown a decrease in the investments vendors were willing to spend on these little extras. Looks like SAP still has got some budget to spend…

But let us get back to business – executive business, this is!
When it comes to providing strategic business perspective, coming here as manager or executive you get what you expect: visionary statements, large audience keynotes and a nice overall setup. From a technology perspective though, it is quite surprising that one can only get their hands on a small number of technically versed representatives who are able to show a little more than flashing slides and animated demo screen-shots. Well, one could argue that this is not TechEd, which will take place in autumn here in Berlin and where I will definitely attend also, and one must consider the “business oriented” approach of SAPPHIRE. Point taken, rest assured! But I was NOT talking about a nuts&bolts session on how to configure x and get y out of that interface. I was merely looking for people to tell me just a little bit more about what became of MaxWare, where GRC overall will be going and what the combined strategy for managing identities within (and beyond) SAP will be. I will take those questions home with me, unfortunately…

Given that, I made the best out of a session with one of the solution marketing guys, who assured me that the IP as well as the human resources of the MaxWare acquisition were secured and the now joint teams from Netweaver IdM and MaxWare are working hard to push the integration depth. Nice – and from my point of view obvious – information: SAP will not push their newly acquired IAM technology as an independent offering but will concentrate on delivering added value to existing SAP-centric customers. I will definitely catch up with him to extend our late-evening discussions at the Hamburger Bahnhof. Thanks again for the insights!

On a completely different note, the RIM partnership seems to kick-in pretty nicely with a “mobilized” SAP CRM and Blackberry integration, which the RIM representative dared to demonstrate live during the keynote (something which I would not have dared, given my recent experience with reliability of the 3G network connectivity – especially with a few thousand people around you all carrying a mobile phone!)

I will get back to you all with more gossip tomorrow, with news on the Zucchero live performance (see budget joking above!) and a special feedback from the Business Objects keynote of CEO, Mr. Schwartz!



© 2012 Sebastian Rohr, KuppingerCole