Your SlideShare is downloading. ×
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SWXG 2010.6.9 v2


Published on

A few random thoughts on the state of the identity space. Missing mention of the oStatus stack among other things.

A few random thoughts on the state of the identity space. Missing mention of the oStatus stack among other things.

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. A few thoughts on the state of the art of identity
    W3C SWXG - 9 June 2010
    Paul Trevithick
  • 2. Why is identity a hard problem?
    Short answer: It is being worked on by many communities with differring perceptions of the requirements
  • 3. Language varies by community
    Identity := globally unique identifier + attributes
    And a single user can have multiple GUIDs and differring sets of attributes
    Identity := a set of attributes [may include an identifier]
    One user can have multiple sets of attributes, some of which may include identifier attributes
    Communities that adhere to this perspective consider it a significant conceptual advance over the identity:=identifier framing
    Most of us avoid the word identity—too overloaded to be useful
    One of a hundred examples: “A fundamental requirement for enabling privacy on the Web is that publishers need to be able to control who as access to their information resources”1.
    What’s a publisher? Don’t you mean user?
  • 4. Requirements vary by community
    Levels of assurance (LOA) (4 NIST levels, etc.)
    RPs need higher LOA >1 in some use cases
    Challenge is that this is considered a “long tail” requirement and thus considered out of scope by many who are focusing on social web (high transaction volume, low value transactions)
    Verfied third party vs. self-asserted attributes
    Most social Web use cases require only self-asserted attributes [WebID]
    Other use cases require verified attributes from third parties (e.g. payment use cases)
    Attribute aggregation
    Some use cases make a distinction between an identity provider and an attribute provider. RPs need attributes from N>1 sources
  • 5. Requirements vary by community
    “Identifier has to be universal and linkable”1
    “A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handle”2
    Some uses cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens). Requires tech such as uProve (Microsoft) or Idemix (IBM)
    Levels of protection (for the user)
    Have user-agent/RP exchanges involve signed contracts
    Support accountability not just secrecy
    [2] - Cameron’s Laws of Identity
  • 6. Proliferation of communities
    Identity Commons (2005)
    Best known for IIW unconference 2/yr.
    OpenID Foundation (2007)
    At a crossroads: strong internal competition: OpenID Connect (OAuth-based) and OpenID V.Next
    What problems are we trying to solve? Federated login from a centralized IdP (e.g. Facebook)? User-managed identity with a distributed architecture? (2007)
    Has been an advocacy organization; now looking at data sharing policies
    Information Card Foundation (2008)
    Really should be called the active client foundation
    First generation: defined by Microsoft’s CardSpace and the OASIS IMI protocol
    Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)?
  • 7. Proliferation of communities
    Kantara (2009) -
    Strategically positioned to be the cross-protocol “center”; not fully realized
    Absorbed and replaced the Liberty Alliance
    Does work in areas of “trust frameworks” (IAF), certification, eGovernment, User-Managed-Access (UMA), cross protocol login user experience (ULX), VRM, etc. (2010) -
    Foster trust framework (“rules”) layer above the tech (“tools”)
    Jointly formed by OpenID Foundation and the InfoCard Foundation initially to serve the US Federal government’s need for a trust framework, now broadening to other areas.
    RPs won’t pay money for attributes/identities without trust frameworks in place (2010) –
    Attempts to solve the NASCAR (discovery) problem (without requiring an active client)
    Introduces a central server but cookies are stored on the browser’s [HTML5] local storage
  • 8. OpenID roadmap is being debated
    Legacy OpenID 2.0 -
    Completed in 2007; supported by the OIDF (
    Claim 50,000 RPs and growing
    Useful for low assurance use cases (e.g. LOA 1)
    OpenID-AB [Attribute Binding] -
    Proposed by Nat Sakamura and others in early 2009
    Similarities with OpenID Connect, OAuth-like access token, etc.
    OpenID Connect -
    New (May 2010) proposal by David Recordon and others
    Layers over and leverages OAuth 2.0
    User’s identifier now decoupled from their “profile URL”
    Breaking change from OpenID 2.0
    OpenID V.Next
    WG within OIDF chaired by Dick Hardt
    Assumption is that it will handle a wider set of use cases than 2.0 and Connect
    Breaking change from OpenID 2.0
  • 9. Personal opinion
    Efforts continue to create the “one protocol to rule them all”
    UN/PW isn’t going away anytime soon
    And neither are the previous attempts to overthrow it–each have their adherents
    We have learned that we need to make the tech easy to adopt by RPs
    E.g. cross-protocol libraries & services
    We have learned that users don’t care about protocols
    They need an easy to use, consistent user experience irrespective of protocol
    We have learned that we need a “better with” strategy for active clients
    Active clients (aka to some as “identity in the browser”) must be optional
    The reaction of the market to the current chaos of “open” identity tech is “wait and see” (although proprietary solutions (mostly Facebook) are being rapidly adopted)
    The open identity community is not organized to meet the above needs
    It may be time for some rethinking, consolidation and restructuring
  • 10. Two Social Web Issues
  • 11. Identifiers and UX
    In the beginning OpenID said: “type in your OpenID URI”
    Users didn’t get it
    Then OpenID said: “click on a button” (NASCAR popup)
    Better UX & conversion rates
    Tyranny of the mega-brands +…
    Recently some are saying “type in your email address” and we’ll use that to discover your IdP [e.g. see]
    Even better UX & conversion rates so far
    Tyranny of the mega-brand email providers
    Now XAuth says “click on a button from a personalized list”
    Probably the best UX possible (without an active client)
  • 12. Attribute schemas
    RDF (FOAF, vCard…)
    Portable Contacts
    OpenID AX
    ICF Schemas WG
    SAML attributes
    Facebook OGP
    Personal opinion: we need to make consuming attributes easy for RPs by providing them with schema mapping services that eliminate the need to commit to each IdP’s schema.
  • 13. Questions & Comments