Identity Gang at Catalyst


I spent yesterday afternoon in an identity BOF meeting in San Diego. (See pictures at Kaliya's Flickr site.) As you might expect, there's plenty of people with an interest in identity systems at Burton Group's Catalyst conference and so we took the opportunity to have a face-to-face discussion with about a dozen people who care about identity metasystems.

The topics today were far ranging and difficult to summarize, but there were some interesting issues.

There seems to be big disagreement (surprise) around whether HTTP, SMTP, and the like are completely broken from an identity standpoint or whether they can be salvaged. If not, then Microsoft's move to SOAP-based protocols for the identity metasystem is a necessary first step for any transactions where identity is important.

To put this in perspective, banks and other financial institutions have pretty much been forced to abandon email as a means of communicating with their customers because of phishing. This is a problem even with things like SSL that allows, but doesn't require that, users check the integrity of the sites that they visit.

Moving to different protocols requires different clients, or at least changes to existing clients to understand the new infrastructure. Of course, InfoCards (Microsoft's proposed digital identity system) includes such a client, buried deep in the OS.

Kim Cameron believes that we can't ask humans to manage multiple systems at the experiential level as well as manage the trust decisions, and everything else we need from them. This is a little bit of a "one client to rule them all" strategy, but there's some sense to it. The browser is a great example of how a UI standard provides a common UI experience (at least to some degree) regardless of the vendor.

Another issue I found interesting had to do with auditing and transparency. One critical requirement for enterprise identity systems is auditing in order to ensure compliance, etc. For an Internet wide infrastructure there are other auditing requirement. For example, the user may want to disable auditing for privacy reasons. Of course, you may not be obligated to provide service without auditing enabled. The policy negotiation requirements in such a system boggle the mind.

Related to that is the need to provide human readable equivalents of machine readable tokens and assertions and to ensure that they are confluent. The microformats discussion that's caught my eye lately seems suited to that requirement. I wonder if microformats can meet other requirements as well (and what they might be).

Fourth party auditing of actions provides checks and balances to protect entities from abuses by authenticating gatekeepers or asserting identifiers. Many times these fourth parties would be courts operating in widely varying jurisdictions. The metasystem can't enforce these actions, only provide for them with proper transparency and auditing.

Another point of contention seems to be the very name "identity metasystem" itself. I think it was coined by Microsoft innocently enough to describe an identity system that ties other identity systems together. I think some would prefer it was called a "network" or something else. The work "system" implies there's a there there, but in reality, it's more about protocols and interop.

I think that we need to get this group, along with others together for a more formal discussion where we can get to the heart of what we can all agree on, find out where we really disagree (that's not clear), and use that as an underpinning to understanding proposals. I'd like to see the various proposals laid out with philosophical beliefs, understand how those beliefs influence architectural choices, and then dive into whether we can agree that specific architectures support those various philosophies. I'm thinking of organizing a workshop in October (in the slot Digital ID World used to use) to do just that.