Monday, December 04, 2006

Identity Triangle

Today, on the first day of the Internet Identity Workshop 2006B, Kaliya included a diagram of the identity landscape in her presentation. Later, Johannes wrote that this was an older diagram and posted his own updated image:

I have a number of issues with this diagram, including:

  • The diagram uses a fairly small feature of the different technologies to classify them: IdP Discovery. URL based Identities for OpenID is just the portion of OpenID where the Relying Party discovers the Identity Provider for the user. Card Based Identities for Cardspace does a similar thing (although MS also adds data in the card).
  • I have no clue what it means for SAML/Liberty to be "invisible" in this diagram. Having been involved in Liberty since its founding and in SAML during the 2.0 process, the discussions of IdP Discovery always revolved around 3 methods:
    • User specifies the IdP, either directly (like typing in a URL) or by selecting an Icon on the SP's login web-page. This is similar to the model used by OpenID.
    • The user's client has the capability of directing the request to the appropriate IdP following a local interaction with the user (the LECP profile in ID-FF and the ECP profile in SAML). This is similar to the model used in Cardspace.
    • A common-domain cookie is used to store the list of recently used IdPs and the RP uses this information as a hint for finding the IdP.

    ALL 3 of these are fully supported by both SAML and by Liberty ID-FF.

  • If "Primary Adoption Vector" is meant to indicate how the various technologies are being adopted, the statement that Liberty/SAML adoption is driven by "internal IT needs for the enterprise" is wrong. Yes, there has been a lot of IT adoption, but that has mostly been for identity federation to external providers rather than internal enterprise work. In addition, the vast majority of identities that have been rolled out (on the order of one billion) have been user-facing identities. Take a look at the Adoption pages at Liberty's web site for more detailed information.
  • The "user-centric" ellipse around OpenID and Cardspace is misleading. The protocols for OpenID, Cardspace and Liberty all support user-centric implementations equally well. If there really should be an ellipse at all, it should circle all 3 of them (which probably makes it useless for this diagram).
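As an added illustration of the third discovery method above (the common-domain cookie), here is example code that is not part of this post: it writes and reads a cookie in the shape the SAML 2.0 IdP Discovery Profile uses (`_saml_idp`, a space-separated list of base64-encoded IdP entityIDs, most recent last) and shows the RP treating it strictly as a hint, accepting only an IdP it already trusts. The entityIDs and the RP's trust list are constructed sample values.

```python
import base64
from typing import Iterable, List, Optional, Set

# Cookie name defined by the SAML 2.0 IdP Discovery Profile.
COOKIE_NAME = "_saml_idp"


def encode_common_domain_cookie(entity_ids: Iterable[str]) -> str:
    """Build the cookie value: base64(entityID) tokens, space-separated,
    in order of use so that the most recently used IdP comes last."""
    return " ".join(
        base64.b64encode(eid.encode("utf-8")).decode("ascii") for eid in entity_ids
    )


def parse_common_domain_cookie(value: str) -> List[str]:
    """Decode the cookie into a list of entityIDs, oldest first.
    Malformed tokens are dropped rather than failing the whole hint."""
    ids: List[str] = []
    for token in value.split():
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return ids


def choose_idp(cookie_value: str, trusted_idps: Set[str]) -> Optional[str]:
    """RP-side discovery: the cookie is only a hint, so walk it most-recent-first
    and return the first entityID the RP has a federation with. Returns None when
    nothing usable is present, so the RP falls back to asking the user."""
    for entity_id in reversed(parse_common_domain_cookie(cookie_value)):
        if entity_id in trusted_idps:
            return entity_id
    return None


if __name__ == "__main__":
    # Constructed sample: the user previously signed in at two IdPs.
    cookie = encode_common_domain_cookie(
        ["https://idp.example.org/saml", "https://idp.example.com/saml"]
    )
    print(COOKIE_NAME, "=", cookie)
    # Only the older IdP is federated with this RP, so it is the one selected.
    print(choose_idp(cookie, {"https://idp.example.org/saml"}))
```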

To me, a better set of vectors to examine should be along the lines of privacy, security, anonymity, etc. -- the real measures of how acceptable an identity system will be both to businesses and to consumers.
