SWXG 2010.6.9 v2

A few thoughts on the state of the art of identity
W3C SWXG - 9 June 2010
Paul Trevithick
v2

Why is identity a hard problem?
Short answer: It is being worked on by many communities with differring perceptions of the requirements

Language varies by community
Identity := globally unique identifier + attributes
And a single user can have multiple GUIDs and differring sets of attributes
Identity := a set of attributes [may include an identifier]
One user can have multiple sets of attributes, some of which may include identifier attributes
Communities that adhere to this perspective consider it a significant conceptual advance over the identity:=identifier framing
Most of us avoid the word identity—too overloaded to be useful
One of a hundred examples: “A fundamental requirement for enabling privacy on the Web is that publishers need to be able to control who as access to their information resources”1.
What’s a publisher? Don’t you mean user?
[1] http://esw.w3.org/PrivacyAwareWeb
3

Requirements vary by community
Levels of assurance (LOA) (4 NIST levels, etc.)
RPs need higher LOA >1 in some use cases
Challenge is that this is considered a “long tail” requirement and thus considered out of scope by many who are focusing on social web (high transaction volume, low value transactions)
Verfied third party vs. self-asserted attributes
Most social Web use cases require only self-asserted attributes [WebID]
Other use cases require verified attributes from third parties (e.g. payment use cases)
Attribute aggregation
Some use cases make a distinction between an identity provider and an attribute provider. RPs need attributes from N>1 sources
4

Requirements vary by community
Linkability
“Identifier has to be universal and linkable”1
“A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handle”2
Some uses cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens). Requires tech such as uProve (Microsoft) or Idemix (IBM)
Levels of protection (for the user)
Have user-agent/RP exchanges involve signed contracts
Support accountability not just secrecy
[1] http://esw.w3.org/PrivacyAwareWeb
[2] http://www.identityblog.com/?p=352 - Cameron’s Laws of Identity
5

Proliferation of communities
Identity Commons (2005) http://idcommons.net
Best known for IIW unconference 2/yr.
OpenID Foundation (2007) http://openid.net
At a crossroads: strong internal competition: OpenID Connect (OAuth-based) and OpenID V.Next
What problems are we trying to solve? Federated login from a centralized IdP (e.g. Facebook)? User-managed identity with a distributed architecture?
DataPortability.org (2007) http://dataportability.org
Has been an advocacy organization; now looking at data sharing policies
Information Card Foundation (2008) http://informationcard.net
Really should be called the active client foundation
First generation: defined by Microsoft’s CardSpace and the OASIS IMI protocol
Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)?
6

Proliferation of communities
Kantara (2009) - http://kantarainitiative.org
Strategically positioned to be the cross-protocol “center”; not fully realized
Absorbed and replaced the Liberty Alliance
Does work in areas of “trust frameworks” (IAF), certification, eGovernment, User-Managed-Access (UMA), cross protocol login user experience (ULX), VRM, etc.
OpenIdentityExchange.org (2010) - http://openidentityexchange.org
Foster trust framework (“rules”) layer above the tech (“tools”)
Jointly formed by OpenID Foundation and the InfoCard Foundation initially to serve the US Federal government’s need for a trust framework, now broadening to other areas.
RPs won’t pay money for attributes/identities without trust frameworks in place
XAuth.org (2010) – http://xauth.org/info/
Attempts to solve the NASCAR (discovery) problem (without requiring an active client)
Introduces a central server but cookies are stored on the browser’s [HTML5] local storage
7

OpenID roadmap is being debated
Legacy OpenID 2.0 - http://openid.net/developers/specs/
Completed in 2007; supported by the OIDF (openid.net)
Claim 50,000 RPs and growing
Useful for low assurance use cases (e.g. LOA 1)
OpenID-AB [Attribute Binding] - http://bitbucket.org/openid/ab/wiki/Home
Proposed by Nat Sakamura and others in early 2009
Similarities with OpenID Connect, OAuth-like access token, etc.
OpenID Connect - http://openidconnect.com
New (May 2010) proposal by David Recordon and others
Layers over and leverages OAuth 2.0
User’s identifier now decoupled from their “profile URL”
Breaking change from OpenID 2.0
OpenID V.Next
WG within OIDF chaired by Dick Hardt
Assumption is that it will handle a wider set of use cases than 2.0 and Connect
Breaking change from OpenID 2.0
8

Personal opinion
Efforts continue to create the “one protocol to rule them all”
SAML…Infocard/IMI…OpenID…OpenID-Connect…OpenID-V.Next…WebID…
Meanwhile
UN/PW isn’t going away anytime soon
And neither are the previous attempts to overthrow it–each have their adherents
We have learned that we need to make the tech easy to adopt by RPs
E.g. cross-protocol libraries & services
We have learned that users don’t care about protocols
They need an easy to use, consistent user experience irrespective of protocol
We have learned that we need a “better with” strategy for active clients
Active clients (aka to some as “identity in the browser”) must be optional
The reaction of the market to the current chaos of “open” identity tech is “wait and see” (although proprietary solutions (mostly Facebook) are being rapidly adopted)
The open identity community is not organized to meet the above needs
It may be time for some rethinking, consolidation and restructuring
9

Two Social Web Issues

Identifiers and UX
In the beginning OpenID said: “type in your OpenID URI”
Users didn’t get it
Then OpenID said: “click on a button” (NASCAR popup)
Better UX & conversion rates
Tyranny of the mega-brands +…
Recently some are saying “type in your email address” and we’ll use that to discover your IdP [e.g. see webfinger.info]
Even better UX & conversion rates so far
Tyranny of the mega-brand email providers
Now XAuth says “click on a button from a personalized list”
Probably the best UX possible (without an active client)
11

Attribute schemas
RDF (FOAF, vCard…)
Portable Contacts
ActivityStrea.ms
OpenID AX
ICF Schemas WG
SAML attributes
Facebook OGP
etc.
Personal opinion: we need to make consuming attributes easy for RPs by providing them with schema mapping services that eliminate the need to commit to each IdP’s schema.
12

Questions & Comments

http://www.incontextblog.com	599
http://www.slideshare.net	100
http://facebook.slideshare.com	1
http://static.slidesharecdn.com	1
https://www.incontextblog.com	1
http://translate.googleusercontent.com	1
http://dashboard.bloglines.com	1

SWXG 2010.6.9 v2

by Paul Trevithick

Accessibility

Categories

Upload Details

Usage Rights

7 Embeds 704

Statistics

SWXG 2010.6.9 v2 Presentation Transcript