This discussion is going on and on and people are talking about it from all points of view (including Kim, Pete, Dave, Paul, and Eve, who apparently started it all in a conversation with Jim). The conversation seems to be arguing about technical issues, but in reality it is mostly a semantic argument rather than a technical one.
From what I can gather, I think all of the parties agree that:
- The user can give permission to an entity to do "something" for the user at some later point in time.
- When this "something" occurs, the entity initiating the "something" needs to be identified as well as the user for whom the "something" is taking place.
- When this "something" occurs the user does not need to be physically present, online, or otherwise directly involved.
The points of disagreement seem to be in the area of how to refer to this taking place and whether or not this is supported by one protocol or another. I'm not married to the terms "user-not-present" (which is, physically true, by the way) nor the term "on behalf of", although I do think that both apply to this case. I'm also OK with the term "delegation".
One thing that hasn't been clearly discussed here is the case of real impersonation. There are real world cases where impersonation takes place, such as when an administrative assistant performs some tasks in the name of his boss (like sending flowers to my wife :-) ). I certainly don't want those flowers to indicate that they came from my admin. However, I still think that case is rooted in my admin authenticating as himself to a provider where I have granted permission for him to act in my name (perhaps for a particular set of tasks), so this seems like the same ultimate use case (me defining permissions on some resource I control).
So the last part in the discussion is onto the protocols. I can state unequivocally that Liberty ID-WSF does in fact fully support this use case and has explicit definition of all the parties involved in a transaction. Liberty also provides for the means for collection of the permissions necessary for the transaction as well as a means for an entity to indicate to the service provider that they intend to invoke a particular request later in a context where the user will no longer be present (so that the service provider can prompt for any necessary permissions from the user). At Liberty, we painstakingly walked through the entire use case and all of its related messages to ensure that the system would work in that case.
I do not understand how this same (or similar) sequence would be done using the WS-* family of specifications. I am sure it could be done, but I believe anyone doing so would be doing a one-off solution that would not interoperably work with anyone else's one-off solution as the protocols don't dictate a standard way to do this (yet). I would like to be wrong here and call on the WS-* guys to stand up and point out how this could be accomplished in a standard way that is expected to be interoperable.