Friday, January 14, 2005

imho Identity service bus the key to universal federation


Identity self-empowerment is the central theme underpinning recent blog discussions by Cameron, Lewis, Ernst, Powers, Kearns, Windley, Burton, and others. How can individuals self-assert their identities, self-register their identities into federated communities of trust, self-host their identity information, self-publish their identities to authorized parties, and self-police disclosure to and use of their identity information by relying parties?

It seems to me that LID, Identity Commons, SxIP, FOAF, XRI/XDI, and other industry initiatives revolve around these core self-empowerment themes. There seems to be a general belief that identity/trust brokers of all sorts are a bad thing because they violate Cameron’s “law of fewest parties.” The fewest possible parties in a distributed IdM environment are two: 1) identity-asserting entity and 2) the identity-relying entity.

If we accept all that, then all this identity self-empowerment requires a conducive middleware fabric: one that deeply supports peer-to-peer identity interactions without need for any intermediary identity registrar, authority, or broker. Identity interactions are just one category of traffic traversing the increasingly peer-to-peer enterprise service bus. The minimal environment consists of the peer doing the asserting and the peer doing the relying.

Fundamentally, self-empowering federation depends on an “identity service bus” that implements the emerging stack of WS-* standards (the basis for the broader enterprise service bus) in peer-to-peer fashion. Why not define a peer-to-peer trust environment in which individual publish and subscribe to (hence control disclosure of) identity information via WS-Notification and WS-Eventing (or whatever consensus pub/sub standard emerges from current industry discussions)?

What is identity federation, at heart, if not a pub/sub and event notification environment? After all, an authentication assertion is simply a notification of (really, a voucher from a trusted party concerning) an event: that someone has successfully logged in. An attribute assertion vouches for the existence of another type of event: prior registration of various attributes, such as roles, with an authoritative attribute store (such as an LDAP directory). My autonomous identity domain (the IdP) vouches for the existence of these identity event(s), and your autonomous domain (the SP) relies on those vouchers (aka "assertions").

Where today's federated identity schemes go wrong is in re-inventing the wheel: defining their own request/response messaging protocols that don't leverage the emerging WS-* standards for pub/sub and event notification. Why should SAML or Liberty Alliance or any other federation protocol use a different event-notification messaging protocol from that used for other Web services interactions? As I said, identity is just another type of interaction over the enterprise service bus--it shouldn't require its own distinct robust app-to-app messaging protocol.

I get heartburn when I see new IdM initiatives—such as LID and SxIP—that don’t compose fully into the emerging stack of consensus WS-* specifications. Actually, why single them out? I'd like to see SAML, Liberty Alliance, and WS-Federation re-architected to support peer-to-peer identity self-assertion, -registration, -hosting, -pub/sub, and -policing. And also to support WS-Notification/Eventing natively. Obviously, it would take a few years for the industry to turn the SAML ship around in this direction, considering that SAML 2.0 is well-advanced toward ratification.

The only way to establish a universal identity service bus is to leverage the middleware standards that every peer endpoint implements everywhere. And, where universality is concerned, the growing WS-* stack is "it." Or, should I say, IT?

Assuming that the industry converges around a common vision of the identity service bus, I don't expect universal, peer-oriented self-federation over a universal WS-* middleware backplane to become a reality for another 10 years, at the earliest. It will take at least that long for the enabling middleware standards to mature and be adopted widely. It will take even longer--perhaps an eternity--before identity authorities everywhere are willing to cede control over the IdM backplane to their suddenly self-assertive serfs--er, subjects--ummmm.....people.