Requirements and Expectations for Identity Systems

Yesterday, Kim Cameron picked up on a recent article by Bob Blakley. The central theme is Stefan Brands’ criticism of OpenID. While Bob sets out to ask the OpenID 2.0 folks some hard questions about what kind of problem they are actually trying to solve, Kim opines that some of the criticism brought forward by Stefan (and Bob) is unfair, since it lies outside the scope of what OpenID was originally intended for.

Instead, Kim suggests that there is a spectrum of identity systems which address different needs. Thus, all such systems including SAML 2, WS-Federation and – by extension – the WS-Trust based InfoCard identity system[1] should answer the questions posed by Bob to OpenID 2.0:

“[Bob] argues that the OpenID specification should include an articulation of the constraints on what it is attempting to achieve.

I agree, with the proviso that other protocols, like SAML 2.0 and WS-Federation, should do the same.”

A lofty goal, and who could not agree with it: it is crucial that software architects and designers spend time defining the boundaries of a given solution. However, before limiting and classifying solutions, it would also be worthwhile to actually identify (sic!) the problem or use case that the solution under examination is meant to address.

Although I try not to sound like a broken record, I do have to come back to a favorite theme of mine: Liberty Alliance has already done all these tedious and boring use-case evaluations, requirements and scope definitions, including privacy and trust evaluations. Interestingly enough, many of these often fairly generic assessments are indirectly offered to other identity systems through Project Concordia.

[1] Kim writes: “Popping up a level, we need a spectrum of solutions to identity problems.  Ergo, the identity metasystem.” This is – in my opinion – an obvious example of why the term identity meta-system is very misleading: here it does not necessarily refer to the ‘meta’-system defined by the InfoCard architecture, but rather to what I jokingly referred to as the “Aleph 0 Identity System” – a ‘true’ meta-system of protocols, deployments, etc.
But such a ‘true’ meta-system is not exclusively a WS-Trust based replacement for HTTP Redirect (WSTBRFHR), like the InfoCard identity system.