Slide transcript: SWXG 2010.6.9 v2 (13 slides). Uploaded by paul-trevithick, posted 29-Jan-2018, category Technology.

Page 1: SWXG 2010.6.9 v2

A few thoughts on the state of the art of identity

SWXG - 9 June 2010

Paul Trevithick

Page 2

Why identity is a hard problem

Short answer: it is being worked on by many communities with differing perceptions of the requirements.

Page 3

Language varies by community

• Identity := globally unique identifier + attributes

– And a single user can have multiple GUIDs and differing sets of attributes

• Identity := a set of attributes [may include an identifier]

– One user can have multiple sets of attributes, some of which may include identifier attributes

– Communities that adhere to this perspective consider it a significant conceptual advance over the identity:=identifier framing

• Most of us avoid the word identity—too overloaded to be useful

• One of a hundred examples: "A fundamental requirement for enabling privacy on the Web is that publishers need to be able to control who has access to their information resources" [1].

– What’s a publisher? Don’t you mean user?


[1] http://esw.w3.org/PrivacyAwareWeb

Page 4

Requirements vary by community

• Levels of assurance (LOA) (4 NIST levels, etc.)

– RPs need a higher LOA (>1) in some use cases

– Challenge is that this is considered a "long tail" requirement and thus considered out of scope by many who are focusing on the social web (high transaction volume, low value transactions)

• Verified third party vs. self-asserted attributes

– Most social Web use cases require only self-asserted attributes [WebID]

– Other use cases require verified attributes from third parties (e.g. payment use cases)

• Attribute aggregation

– Some use cases make a distinction between an identity provider and an attribute provider. RPs need attributes from N>1 sources

Page 5

Requirements vary by community

• Linkability

– "Identifier has to be universal and linkable" [1]

– "A universal identity system must support both 'omni-directional' identifiers for use by public entities and 'unidirectional' identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles" [2]

– Some use cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens). Requires tech such as U-Prove (Microsoft) or Idemix (IBM)

• Levels of protection (for the user)

– Have user-agent/RP exchanges involve signed contracts

– Support accountability not just secrecy


[1] http://esw.w3.org/PrivacyAwareWeb

[2] http://www.identityblog.com/?p=352 - Cameron’s Laws of Identity
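The omni-directional vs. unidirectional distinction quoted above, as an added illustration that is not part of the slides: a toy IdP issues either one public handle for every RP or an RP-specific handle derived with an HMAC under an IdP secret, and a join across two RPs' user tables shows which of the two is a correlation handle. The IdP, names and secret are constructed; note this only stops RPs linking each other's accounts, while the IdP still sees every login, which is why the slide points at U-Prove or Idemix for the stronger high-assurance unlinkability requirement.

```python
import hmac
import hashlib
from typing import Dict, Set

# Constructed toy IdP (not from the slides). It issues either an omni-directional
# handle (the same at every RP) or a unidirectional, RP-specific handle derived
# with an HMAC keyed by an IdP secret. Secret, hostnames and users are made up.

class ToyIdP:
    def __init__(self, pairwise_secret: bytes):
        self._secret = pairwise_secret

    def omni_id(self, local_user_id: str) -> str:
        # Public, discoverable handle: identical at every RP, hence a correlation handle.
        return f"https://idp.example/users/{local_user_id}"

    def pairwise_id(self, local_user_id: str, rp_domain: str) -> str:
        # Keyed hash binds the handle to one RP; without the secret an RP cannot
        # compute the handle the same user presents elsewhere.
        msg = f"{local_user_id}\x00{rp_domain.lower()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

def correlate(rp_a: Dict[str, str], rp_b: Dict[str, str]) -> Set[str]:
    """Handles present in both RPs' user tables: the join two colluding RPs would run."""
    return set(rp_a) & set(rp_b)

def demo() -> Dict[str, object]:
    idp = ToyIdP(pairwise_secret=b"constructed-demo-secret")
    users = ["alice", "bob"]
    # Each RP records handle -> local account after a login (constructed data).
    omni_shop = {idp.omni_id(u): f"shop:{u}" for u in users}
    omni_forum = {idp.omni_id(u): f"forum:{u}" for u in users}
    pair_shop = {idp.pairwise_id(u, "shop.example"): f"shop:{u}" for u in users}
    pair_forum = {idp.pairwise_id(u, "forum.example"): f"forum:{u}" for u in users}
    return {
        "omni_linked": len(correlate(omni_shop, omni_forum)),      # 2: every user linkable
        "pairwise_linked": len(correlate(pair_shop, pair_forum)),  # 0: no cross-RP join
        # Same user at the same RP gets a stable handle across sessions.
        "stable": idp.pairwise_id("alice", "shop.example")
                  == idp.pairwise_id("alice", "SHOP.EXAMPLE"),
    }

if __name__ == "__main__":
    print(demo())
```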

Page 6

Proliferation of communities

• Identity Commons (2005) http://idcommons.net

– Best known for IIW unconference 2/yr.

• OpenID Foundation (2007) http://openid.net

– At a crossroads: strong internal competition: OpenID Connect (OAuth-based) and OpenID V.Next

– What problems are we trying to solve? Federated login from a centralized IdP (e.g. Facebook)? User-managed identity with a distributed architecture?

• DataPortability.org (2007)

– Has been an advocacy organization; now looking at data sharing policies

• Information Card Foundation (2008) http://informationcard.net

– Really should be called the active client foundation

– First generation: defined by Microsoft’s CardSpace and the OASIS IMI protocol

– Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)?

Page 7

Proliferation of communities

• Kantara (2009) - http://kantarainitiative.org

– Strategically positioned to be the cross-protocol "center"; not fully realized

– Absorbed and replaced the Liberty Alliance

– Does work in areas of "trust frameworks" (IAF), certification, eGovernment, User-Managed Access (UMA), cross-protocol login user experience (ULX), VRM, etc.

• OpenIdentityExchange.org (2010)

– Fosters a trust framework ("rules") layer above the tech ("tools")

– Jointly formed by OpenID Foundation and the InfoCard Foundation initially to serve the US Federal government’s need for a trust framework, now broadening to other areas.

– RPs won’t pay money for attributes/identities without trust frameworks in place

• XAuth.org (2010)

– Attempts to solve the NASCAR (discovery) problem (without requiring an active client)

– Introduces a central server but cookies are stored on the browser’s [HTML5] local storage

Page 8

OpenID roadmap is being debated

• Legacy OpenID 2.0 - http://openid.net/developers/specs/

– Completed in 2007; supported by the OIDF (openid.net)

– Claim 50,000 RPs and growing

– Useful for low assurance use cases (e.g. LOA 1)

• OpenID-AB [Attribute Binding] - http://bitbucket.org/openid/ab/wiki/Home

– Proposed by Nat Sakimura and others in early 2009

– Similarities with OpenID Connect, OAuth-like access token, etc.

• OpenID Connect - http://openidconnect.com

– New (May 2010) proposal by David Recordon and others

– Layers over and leverages OAuth 2.0

– User’s identifier now decoupled from their ―profile URL‖

– Breaking change from OpenID 2.0

• OpenID V.Next

– WG within OIDF chaired by Dick Hardt

– Assumption is that it will handle a wider set of use cases than 2.0 and Connect

– Breaking change from OpenID 2.0

Page 9

Personal opinion

• Efforts continue to create the "one protocol to rule them all"

– SAML…Infocard/IMI…OpenID…OpenID-Connect…OpenID-V.Next…WebID…

Meanwhile

• UN/PW isn’t going away anytime soon

• And neither are the previous attempts to overthrow it; each has its adherents

• We have learned that we need to make the tech easy to adopt by RPs

– E.g. cross-protocol libraries & services

• We have learned that users don’t care about protocols

– They need an easy to use, consistent user experience irrespective of protocol

• We have learned that we need a "better with" strategy for active clients

– Active clients (known to some as "identity in the browser") must be optional

• The reaction of the market to the current chaos of "open" identity tech is "wait and see" (although proprietary solutions (mostly Facebook) are being rapidly adopted)

• The open identity community is not organized to meet the above needs

– It may be time for some rethinking, consolidation and restructuring

Page 10

Social Web Issues

Page 11

Identifiers and UX

• In the beginning OpenID said: "type in your OpenID URI"

– Users didn't get it

• Then OpenID said: "click on a button" (NASCAR popup)

– Better UX & conversion rates

– Tyranny of the mega-brands +…

• Recently some are saying "type in your email address" and we'll use that to discover your IdP [e.g. see webfinger.info]

– Even better UX & conversion rates so far

– Tyranny of the mega-brand email providers

• Now XAuth says "click on a button from a personalized list"

– Probably the best UX possible (without an active client)

Page 12

Attribute schemas

• RDF (FOAF, vCard…)

• Portable Contacts

• ActivityStrea.ms

• OpenID AX

• ICF Schemas WG

• SAML attributes

• Facebook OGP

• etc.

• Personal opinion: we need to make consuming attributes easy for RPs by providing them with schema mapping services that eliminate the need to commit to each IdP’s schema.
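The schema mapping service suggested above, as an added illustration that is not part of the slides: an RP-side mapper takes attribute payloads expressed in three of the listed vocabularies (OpenID AX type URIs, FOAF, Portable Contacts) and normalises them into one canonical profile, so the RP never commits to a particular IdP's schema. The canonical field names and the sample payloads are constructed; the schema keys themselves are the real ones.

```python
from typing import Any, Dict, List, Tuple

# Constructed RP-side mapper (not from the slides). Schema names and keys are
# the real OpenID AX / FOAF / Portable Contacts ones; canonical field names
# ("email", "full_name") and the sample payloads are made up for this example.

# canonical field -> (schema, source key) pairs known to carry it
MAPPINGS: Dict[str, List[Tuple[str, str]]] = {
    "email": [("ax", "http://axschema.org/contact/email"),
              ("foaf", "mbox"),
              ("poco", "emails")],
    "full_name": [("ax", "http://axschema.org/namePerson"),
                  ("foaf", "name"),
                  ("poco", "displayName")],
}

def _extract(schema: str, key: str, payload: Dict[str, Any]) -> Any:
    value = payload.get(key)
    if value is None:
        return None
    if schema == "foaf" and key == "mbox":
        # FOAF mbox is a mailto: URI; strip the scheme.
        return value[len("mailto:"):] if value.startswith("mailto:") else value
    if schema == "poco" and key == "emails":
        # Portable Contacts plural field: list of {value, type, primary}.
        preferred = [e for e in value if e.get("primary")] or value
        return preferred[0]["value"] if preferred else None
    return value

def normalise(schema: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Map one IdP payload onto the canonical profile; unmapped or unknown
    schemas simply yield fewer fields rather than an error."""
    profile: Dict[str, Any] = {}
    for field, sources in MAPPINGS.items():
        for src_schema, key in sources:
            if src_schema == schema:
                value = _extract(schema, key, payload)
                if value is not None:
                    profile[field] = value
    return profile

# Constructed sample payloads, one per vocabulary, all describing the same person.
SAMPLES: Dict[str, Dict[str, Any]] = {
    "ax": {"http://axschema.org/contact/email": "alice@example.org",
           "http://axschema.org/namePerson": "Alice Example"},
    "foaf": {"mbox": "mailto:alice@example.org", "name": "Alice Example"},
    "poco": {"displayName": "Alice Example",
             "emails": [{"value": "old@example.org", "type": "home"},
                        {"value": "alice@example.org", "primary": True}]},
}
```

Adding a new IdP then means adding rows to MAPPINGS (and, for odd encodings, a branch in _extract), not touching any RP code that consumes the canonical profile.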

Page 13

Questions & Comments
