Get the best cybersecurity science, research, resources and insights to help secure and safeguard the digital world.
No Charge. No Spam. Unsubscribe Anytime.

Walking the certification high wire

Certification of capabilities and services as a prelude to procurement, especially in the public sector, is an interesting high wire act.

It often pits two perspectives against each other:

  • The acquirer (business owner) seeks a minimum viable product that is certified against baseline criteria, and is focused on results and outcomes.
  • The certification authority, which relies on auditors and evaluators who, with very rare exceptions, focus not on outcomes but on a yes/no checkbox approach.

It is a minor miracle and an occasion for celebration when something useful actually comes out the end of a certification pipeline.

++ Kantara Initiative awards SUNET a CSP Trustmark Grant at Assurance Levels 1 and 2. I don't believe they used the FICAM extensions to their trustmark profile for this approval, but this is a great start toward cross-jurisdictional trust.

++ The User-Managed Access (UMA) Version 1.0 specifications, which define a profile of OAuth 2.0, have been finalized as Kantara Initiative Recommendations.

Financial pixie dust

GOV.UK Verify added 5 new companies as certified Credential Service Providers.

++ The financial sector is the most natural source of credentials for consumers, but financial institutions tend to be motivated by transaction volume in their primary business line and by minimizing account-opening risk, not by the pixie dust of public sector authentication payments.

++ The addition of Barclays and PayPal to GOV.UK Verify, which gives excellent reach into an established population, is probably motivated by some additional transaction volume opportunity or by access to the GOV.UK Verify document checking service.

cyberforge: random and relevant

++ Nice video introduction to, and demo of, the GOV.UK Verify service.

++ Identity libraries in .NET and ASP.NET, with updated OpenID Connect and OAuth 2.0 support.

++ OpenID Connect Certification OP Test Tool Configuration.

++ Google detected and blocked unauthorized digital certificates for several Google domains.

++ Privacy pilot funding opportunity from the NSTIC NPO.
