It seems that history is about to repeat itself: after Liberty formed, a lot of people either felt left out or did not understand what all this ‘identity stuff’ was good for. Granted, Liberty was in 2002 about 5 years ahead of the rest of the market. At the time, I thought that this perception problem could be attributed to some abysmally bad marketing – I guess that this was only partially correct.
Today, the same complete lack of understanding is about to hit the “user-centric” identity community as well: Take a look at a post by Brian Huff and compare that with this post from Tim Bass (via James McGovern).
It seems astounding to me that both authors (who claim to be working in ‘SOA’) have so little understanding of the problems, technologies, and solutions in the identity space. Granted, I am a geek working in this area, but both Tim and Bex claim to be architects and decorate themselves with shiny titles (CTO, CISSP, Oracle ACE Director). They should know better.
Both advocate (in so many words) ‘a simpler identity system’ (heard that one before) and ‘authentication – and that’s it’. Both paint existing standards in a very bad light, describing them as ‘immature, confusing and less-than-proven security standards’ or asking ‘Makes you wonder why people bother to call them “standard,” doesn’t it?’.
Ok, guys, you do not understand identity – get over it and hire someone who does. The good old days when everyone was getting ready for the global directory and its PKI are over. These days it is not only about authN and authZ, but about much bigger business and regulatory issues like trust or identity theft.
It seems that the larger identity community (Liberty, InfoCard, OpenID) is about to experience the same pushback that Liberty was facing initially. Let us hope that our joint communication efforts today will help to get over this ‘perception gap’.
Here are a few comments regarding Brian’s post:
1. CardSpace, OpenID, SXIP, (parts of) WS-*
These are not, even by the widest possible definition, standards, but rather a collection of protocol specifications. Some of these are even proprietary, IPR-protected technologies (e.g. SXIP) that are not even covered by a NAC. Also, why are you not including real identity protocols by industry consortia that are free to implement, like e.g. ID-WSF?
2. SPML, XDAS
These OASIS standards have – per se – nothing to do with identity. They *touch* upon identity and security, but are not core to it. Otherwise you should also include HTTP, IMAP, SOAP, and even TCP.
3. LDAP, SAML 2, (parts of) WS-*, XACML
They are (in a wider sense) identity and security related standards. But so are many, many others (Kerberos, X.509, WSPL, XML-Enc, etc.) that you chose to omit. And interestingly enough, most of these standards build on each other or are complementary. So where is the issue?
4. The API issue
There is no unified, standardized API to all these protocols? For starters, protocol organizations typically create protocols, not APIs (one notable exception is the GSS-API). If you want to create a ‘standard’ identity API, go to the JCP and suggest a JSR. That organization is probably the body with the biggest number of standardized APIs, and it is – by most standards – fairly open today. On the other hand, if you take the contract-first approach seriously, every WSDL or SOAP profile is reasonable API documentation. In fact, this approach allows you to select your platform of choice.
Regarding Tim’s post:
His list of immature protocols is simply ridiculous: SAML – well established since 2001: go ask the Shib folks, who are running the larger chunk of the academic environment on this protocol. XML Enc and Dsig – yes, there are a few problems (authenticated encryption or key exchange), but none of them is insurmountable, and they have been solved for a long time.
Apparently I wasn’t clear enough: that list of security standards and protocols was taken from Nishant’s presentation, it’s not my creation. You can call him a "neophyte" who doesn’t understand identity if you wish… but his experience in the field is comparable to yours.
Is that list exhaustive? No. Is everything there the same kind of standard? No. Did I ever claim either? No. Did I ever say I wanted ‘authentication – and that’s it’? No. Did I talk about ‘authentication and authorization services’? Yes.
The overall point was to think of the developers. GSS-API is great, but does it do everything? No. We need a new kind of loosely-coupled, services-based API that wraps existing, complementary, competing, and yet-to-be-invented standards.
Anyway… I like how Oracle’s plan digests a bunch of complex security rules from multiple systems, and spits out a simple list of "roles" after authentication. Lowest common denominator? Yes… but with a good naming convention you can do just about everything with a tokenized list of roles. And it’s VERY easy to develop against.
Agree or Disagree?
Hmm, maybe it’s just me, but when you were talking about the ‘at least nine identity "standards"’ it sounded like this was your point of view. And further down you expressed again some disdain for "standards".
Am I upset about this? Not really, but it gets a little tedious to do the "Why protocol standards matter" song and dance every few years. So when I saw your post and Tim Bass’ piece I had a nasty sense of deja vu: here we go again to explain why interoperability and interchangeability are impossible without properly documented protocol standards.
I saw Nishant’s slides, and it seems to me that he is elaborating on Bob Blakely’s of the Identity Oracle. I agree with you (and Nishant) that a grand API for all things identity would be nice. Pick your vendor, learn it once, and finally get over this silly identity thing. As much as I would like to see this too, it’s not going to happen:
Firstly, you’ll get vendor and/or technology lock-in (at least as long as the API is proprietary). You could take that API to a standardization organization, like the IETF or OASIS, or even the JCP. That would solve some issues, but it will probably take only about 2 internet years (4 real weeks) until someone feels left out and starts his own gig. This seems to be particularly true for the identity area. Back to the start. Also, it will take only a few real years after that until a new group of folks takes a look at security and identity, and they will certainly re-invent the wheel (network security folks, web people, now SOA guys).
So, I sympathize with your desire for the grand unified API, but that one cannot substitute for a solid foundation of open, interoperable (and complex) protocols. It’s the icing on the whole-grain pumpernickel bread.
PS: I found the reference to SXIP more entertaining than annoying.
I see this as a pendulum swing…
First came the open protocols of the web. Lots of them. All with their own way of handling logins.
Then, we need identity management! Enter proprietary APIs like SiteMinder. Nobody cares about vendor lock-in, because there aren’t enough vendors doing it to matter.
Then enough vendors do it, and people clamor for a standard. Enter LDAP. Rotten little protocol, but it works. Active Directory proliferates (with Kerberos+), other systems follow.
Well, LDAP doesn’t do enough, so people make SAML, OpenID, CardSpace, etc… confusion abounds.
The solution? Wrap all the "open protocols" in a universal connector. Be it proprietary, or open-source. I don’t really care, but what the world needs now is an easy-to-use connector; not another standard.