Friday, March 30, 2007

rfi User-Centric Identity and Da Ping Paper


Ping Identity has weighed in on the topic of Internet-scalable identity systems. It published a whitepaper in February right around the time of the RSA Security conference.

One of the most useful aspects of the Ping whitepaper is its heterogeneity-embracing “conversational model,” which outlines, for an identity metasystem, the key entities and relationships, including user/client, IdP, RP/SP, identifiers, attributes, authentication, identity flow, trust model, and discovery.

This isn’t an exhaustive model, but the good folks from Ping use it to crisply analyze the differences between SAML, Liberty ID-WSF, OpenID, and CardSpace, and to highlight their respective strengths. Then they present two convergence/coexistence use cases that tie together SAML, OpenID, and CardSpace (somehow, ID-WSF is left out of the hypothetical cases, though it could be inserted at the risk of adding even more heterogeneity).

What Ping’s scenarios have in common is the following, per my model:

  • Abstraction: assume card/browser/portal/REST as principal elements of user-experience abstraction
  • Heterogeneity: assume assertion-based identity/attribute interchange amongst users, IdPs, and RP/SPs with various IdP discovery approaches (URI-based authentication initiated at RP/SP vs. IdP-initiated authentication) as the principal domain-interaction impedance-matching mechanism for heterogeneity
  • Mutuality: assume cross-domain federation (a la SAML) and PKI (a la digitally signed SAML assertions exchanged cross-domain) as backbone of mutual recognition, assurance, risk, restitution, and responsibility across all users and domains

The paper ends on an ambiguous note: the authors aren’t quite clear on whether we should push for true convergence among these approaches (where, ostensibly, SAML, ID-WSF, OpenID, and CardSpace mash up into some grand unification standard) or settle for uneasy coexistence among persistently separate approaches over the long haul. Here’s their closing statement:

  • “The Identity Metasystem is the promise of a secure, privacy enabling Internet-scale identity system comprised of heterogeneous technologies operating together in a compatible and cohesive manner. Such coexistence implies determination of the areas in which current identity systems like SAML, OpenID, Windows CardSpace and ID-WSF are duplicative in functionality and scope – this is necessary to determine where and how these systems can be compatible. This white paper demonstrates that these systems have unique characteristics and strengths – and suggests some representative scenarios in which these strengths complement rather than compete. These identity systems will coexist and they all offer sufficiently unique capabilities that will allow them to flourish independently to some extent. Notwithstanding the unique capabilities, there is a significant degree of duplication of functionality between the various systems. Convergence between the systems would eliminate such duplication and result in a simpler identity landscape.”

Simpler, yes, but ipso facto better? If we converge the periodic table down to just hydrogen and helium, it would be a simpler universe, for sure, but not quite as scalable, or as rich with potential.