Saturday, February 10, 2007

rfi User-Centric Identity and the Convergence of Paradigms


Carrying forward this request for interaction (thanks, Bob... I'll contact you shortly; and thanks, Andre, for yesterday, and for that couple of days in early December 2004... and Craig Burton, wherever you are... ironic to finally meet you at that particular point in my life...).

One thought that's occurred to me is that this new focus on "user-centric identity" is a bit of 2001-2002 redux. Early in this decade, when the topic of identity management (IdM) was just heating up, the industry was grappling with the issue of Microsoft-uber-alles (Passport, i.e., identity aggregation) versus uber-our-dead-bodies (SAML, Liberty Alliance, etc., i.e., identity federation). Now, here in 2006-2007, it's once again Microsoft versus the rest of the industry (e.g., Higgins, Bandit, OpenID, Yadis, OSIS, LID, i-names, mIDm, SXIP, etc.). Microsoft is taking the lead, implementation-wise, in this new twist, user-centric identity, with another bold initiative, CardSpace, that's a bit ahead of the eventual standards, and may or may not be the ultimate approach that Microsoft and others settle on when the industry dust clears in, let's say, 2013.

But, of course, the "versus" is a softer, more collegial thing this time around, considering that Microsoft has just declared (through Bill Gates, who is still somehow in the game though he sorta said he was retiring) that it will implement OpenID 2.0 in CardSpace... and considering that Kim Cameron is just about the most hyper-collegial human on the planet. Close to two years after they were more or less finalized, Kim's "identity laws" and "identity metasystem" are still the most concise definition of what's come to be known as "user-centric identity." And they are a seminal statement of the core principles that have driven the work that many people are doing around the world in this very exciting new branch of the IdM space.

Trying to get my own head around the rapid evolution that's taking place in the IdM space, it appears that three paradigms are jostling for dominance, or at least harmonious convergence, in the emergence of user-centric identity:
  • URL-based identity: This is founded on the notion that users have the ability to provision their identity as a URL/URI construct. Drummond Reed, Cordance, and the XRI community kickstarted this notion with their i-numbers/i-names; people such as Johannes Ernst of NetMesh pushed it forward with LID; and now we have OpenID, Yadis, and other projects that are developing it into a potentially universal infrastructure.
  • iCard-based identity: This is founded on the notion that users have the ability to present the identity (and user-selected credentials/attributes thereof) that works best for them in the context of an interaction, to a relying party, in the form of a standard structure known as an iCard. The primary example of this is CardSpace.
  • Assertion/claims-based identity: This is founded on the notion that users have the ability to request, upon successful authentication, that their identity provider (authentication authority and attribute authority) present their identity (and IdP and/or user-selected credentials/attributes thereof), in standards-based assertion/claim structures, to relying parties under established trust relationships (IdP-to-RP). The primary example of this is Liberty Alliance ID-WSF 2.0 (if memory serves).

From what I can see, Liberty ID-WSF's primary use case--"permission-based attribute sharing"--is also the primary use case for the new "user-centric identity" space. That, plus "privacy protection," "anti-phishing protection," "IdP discovery," and "identity self-provisioning." In other words, the agenda items that the SAML and Liberty spec developers discussed to varying degrees but, quite rightly, decided to defer to a later date (and to latter-day developers) rather than bog down their core 2001-2002-2003-2004 agenda.
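As an added illustration (not the author's code, and not taken from any of the projects named above), here is what "provisioning identity as a URL" looks like on the relying-party side in the Yadis/OpenID 2.0 model: the identifier the user typed is normalized into a URL, and the XRDS document published at that URL is parsed to find the provider endpoint (the "IdP discovery" use case). The XRDS document, the host names and the non-http `javascript:` entry are constructed for this example.

```python
# Added example (not the author's code): Yadis/XRDS discovery for a URL-based
# identifier, the step an OpenID 2.0 relying party performs before it can talk
# to the user's provider. The XRDS document below is constructed; a real relying
# party fetches it from the (normalized) identifier URL.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"                      # XRD 2.0 element namespace
OPENID_TYPES = {"http://specs.openid.net/auth/2.0/server",   # OP identifier
                "http://specs.openid.net/auth/2.0/signon"}   # claimed identifier

SAMPLE_XRDS = b"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/openid</URI>
      <LocalID>https://op.example.net/users/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>javascript:alert(1)</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def normalize_identifier(user_input):
    """Turn what the user typed ('alice.example.org') into a claimed identifier URL."""
    p = urlsplit(user_input.strip())
    if not p.scheme:                      # no scheme given: OpenID 2.0 says assume http
        p = urlsplit("http://" + user_input.strip())
    if p.scheme not in ("http", "https"):
        raise ValueError("claimed identifier must be an http(s) URL")
    return p._replace(path=p.path or "/", fragment="").geturl()

def discover(xrds_bytes):
    """Return (OP endpoint, LocalID) of the usable OpenID service with the lowest
    priority value; non-http(s) endpoints are dropped so a tampered XRDS cannot
    steer the relying party to an arbitrary scheme."""
    found = []
    for svc in ET.fromstring(xrds_bytes).iter(XRD + "Service"):
        if not OPENID_TYPES & {t.text.strip() for t in svc.findall(XRD + "Type")}:
            continue
        prio = int(svc.get("priority", 1 << 30))  # missing priority sorts last
        local = svc.findtext(XRD + "LocalID")
        found += [(prio, u.text.strip(), local) for u in svc.findall(XRD + "URI")
                  if urlsplit(u.text.strip()).scheme in ("http", "https")]
    if not found:
        raise ValueError("no usable OpenID service in XRDS")
    return min(found, key=lambda f: f[0])[1:]
```

Note that the priority-10 service is skipped entirely because its URI is not an http(s) URL, so the relying party ends up at the priority-20 endpoint.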

That's a huge, cool, new, exhausting, exhaustive scope. All of it is quite orthogonal to the core, mainstream federated identity use case that has driven SAML/Liberty to pre-eminence: "cross-domain single sign-on." Also, from what I can see, the new URL-based and iCard-based approaches are orthogonal to SAML in that they rely on REST approaches (URLs, HTTP, etc.), whereas SAML, Liberty, and WS-Federation rely on SOA approaches (XML, WSDL, SOAP, etc.).

Or perhaps those are overstatements. Or wrongheaded generalizations. The tendentious ramblings of an old guy who has far too much memory, and perhaps needs to unlearn various things in order to stay fresh.

You tell me: