Sunday, April 01, 2007

rfi User-Centric Identity and Conor Cahill’s Take


Prepare for run-ons and re-runs.

Awakened in the middle of the night by a call from the Louvre….young girl in distress…lost, scared….quickly resolved with a few calls to others in and around Paris….not Audrey Tautou….nobody you’ve ever heard of….no colorless clerics….no conspiracies….no holy grail or anything remotely metaphysical….just me paternally PO’d pale and sleepless six time zones to the west…having completed all the household chores the day before, I had taken me a pleasant self-guided walking/driving/jamming tour of DC yesterday…new ballpark going up in no-mans-zone southeast….passed by my old waterfront haunt, now vacant and awaiting the eventual and much-needed wrecking ball…saw the startling neighborhood transformation going on near the Navy Yard…followed M Street to what I could see of the Anacostia…huge vacant fenced away abandoned 60s project….will these new 00s projects seem as forlorn in the 2040s?…then up through Capitol Hill…Mall….DeVotchKa, Shins, Peter Bjorn & John….call from the going-on-20 boy….Cherry Blossom Festival….tons of out-of-town tourists….parked in the West End….walked the C&O canal in mid-60s springtime solitude and serenity…tripped down that ancient red-brick Georgetown interior waterway….galleries….historical smokestack in/above the new Ritz-Carlton….empty office buildings….second-floor gallery overlooking a single alleyway blossom tree…then up to mainline M, along/above Rock Creek Park…quiet traffic…full of early spring potentialities…then stayed up late to catch the rerun of SNL with Arcade Fire….I bought “Neon Bible” last week….on SNL, they were great (wish the comedy had been up to par)….”Intervention” “Keep the Car Running”…live they came off just as intense and sprung as their recordings…Win smashed his acoustic guitar at the end….bravo bravissimo.…anyway, now, involuntarily adrenalized and semi-boggled I’m figuring I might as well rattle off the latest installment in this thread….good thing Starbucks opens early…belatedly writing up another phone chat from a week and a half ago with somebody just one county over here in northern Virginia.

Where was I? Oh, yes…Conor Cahill….identity architect with Intel, who’s been working with Liberty Alliance from the start. In March, it took us a few weeks to hook up, but I’m glad we did. He has an interesting perspective on user-centric identity. I used my interview questions as a rough track for our discussions, but primarily I asked Conor to deliver his take in whatever order he wished. According to Cahill (I’m putting these loosely paraphrased points in a slightly different order from my raw semi-illegible-even-by-my-own-lax-personal-standards notes):

  • User-centric identity is a great marketing term, referring to identity systems that give users control over their identity info
  • Most users don’t want to be in every identity transaction…once I federate with a relying party, it should implicitly set up an auto-sharing (identity, credentials, attributes) rule that executes upon each return visit
  • Most enterprise federated IdM implementations give users some control over the sharing of their identity info with service providers/relying parties, but not complete control
  • User-centric identity is central to SAML and Liberty Alliance initiatives, which have addressed permission-based attribute control from early on
  • User-centric identity is to some degree supported in most commercial SAML-enabled IdM products (in the sense that the IdP is allowed to ask users which of their attributes should be disclosed to federated relying parties), though this feature is not explicitly called out in the SAML standard protocol(s) and may not be implemented by users in many real-world SAML deployments
  • OpenID is great for low-value transactions, such as blog posting authentication, but not beyond that, due to the need for legal agreements between IdPs and relying parties, under which domains agree on risk and liability for inappropriate authentication etc.
  • OpenID is user-centric identity in the limited sense that the user directs the relying party to an IdP that the user explicitly selects, but 1.0 doesn’t implement permission-based attribute sharing (that’s in the attribute exchange service in 2.0)
  • OpenID assumes the user wants to know they’re using OpenID, and is willing to type in a long URI, hence enabling easy IdP discovery for the benefit of the relying party, whereas SAML does IdP discovery through the common cookie mechanism, and Liberty through the Discovery Service specified in the standard
  • OpenID is like SAML and Liberty in that it makes use of a dumb browser (though Liberty goes it one better by specifying a Liberty-enabled client)
  • OpenID lacks disconnected client support, a feature integral to Liberty’s advanced client
  • Possible future Liberty integration of Oracle-contributed IGF specs into ID-WSF is exciting, enabling users to exercise life-cycle control/expiration/shredding of attributes that they choose to disclose to relying parties
  • CardSpace is the first stage beyond the dumb browser, has a great user experience, and adds more value to SSO than to attribute sharing
  • Surprised that when CardSpace came out, with Vista availability, Microsoft didn’t announce any CardSpace relying parties right off the bat (Passport redux?)
  • The real driver will be strong authentication, which CardSpace has
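To make the "auto-sharing rule on return visits", the "IdP asks which attributes to disclose" and the "life-cycle control/expiration/shredding" points concrete, here is an added illustration of how an IdP-side consent store could behave. It is my own sketch, not code from Conor, Liberty, Intel, or any SAML product; the `ask_user` prompt callback, the `ConsentStore` class and the sample profile are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class ReleaseRule:
    """Per-(user, RP) consent: which attributes may be auto-released, and until when."""
    approved: frozenset
    expires_at: float   # constructed: epoch seconds; past this, consent is re-asked (life-cycle control)


class ConsentStore:
    """Hypothetical permission-based attribute release at an IdP (illustration only)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.rules = {}     # (user_id, rp_id) -> ReleaseRule

    def release(self, user_id, rp_id, requested, profile, ask_user, now=None):
        """Decide which of `requested` attributes the IdP sends to rp_id.

        ask_user(rp_id, attrs) stands in for the IdP's consent screen and returns the
        subset the user approves.  It runs only on the first federation with this RP,
        when the stored rule has expired, or when the RP asks for attributes not yet
        covered; otherwise the stored rule executes silently (the return-visit case).
        """
        now = time.time() if now is None else now
        requested = frozenset(requested)
        rule = self.rules.get((user_id, rp_id))
        if rule is None or now >= rule.expires_at:
            approved = frozenset(ask_user(rp_id, sorted(requested))) & requested
            rule = ReleaseRule(approved, now + self.ttl)
        else:
            new_attrs = requested - rule.approved   # includes attributes previously declined
            if new_attrs:                           # RP widened its request: ask only about those
                extra = frozenset(ask_user(rp_id, sorted(new_attrs))) & new_attrs
                rule = ReleaseRule(rule.approved | extra, rule.expires_at)
        self.rules[(user_id, rp_id)] = rule
        # Release only what is requested now, approved by the user, and present in the profile.
        return {a: profile[a] for a in requested & rule.approved if a in profile}

    def revoke(self, user_id, rp_id):
        """User-initiated shredding of the sharing rule for one RP; True if one existed."""
        return self.rules.pop((user_id, rp_id), None) is not None
```

The store keeps only the approved set, so an attribute the user declined is asked about again if the RP requests it later; a real deployment would also record denials and audit each release.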

Without much prompting from me, Conor tied together lots of themes/concerns that I’ve heard from others and also things I’ve posted to this thread from the top of my noggin. Still, I think his statement that most commercial SAML implementations support user-centric identity is provocative….and I’m not sure I agree with it….I mean, if a feature (e.g., permission-based attribute sharing) is purely implementation-specific and is not explicitly called out or defined in the underlying standard, can we legitimately attribute it to the standard?…or simply to the fact that this is an important requirement that necessitates that IdM vendors commercially color outside the SAML lines until the standard (inevitably) evolves (through mashup with ID-WSF, OpenID 2.0, IGF, etc.)?

Coffee's drained. Me too. Up against the wall of consciousness. Need a nap. And a PB&J. Baby went to Amsterdam….she put a little money into traveling….now it’s so slow…so slow…baby went to Amsterdam…four or five days by the big canal…now it’s so slow…so slow.