Interoperability, Open Identity and Identity Brokers


These are some notes from my session. I didn't capture it all and may have mischaracterized things. I didn't try to record who said what. If I've missed something or misstated something, feel free to leave a comment.

There's a problem with interop, namely the huge anthropological problem around identity that wasn't there with internetworking. There are too many deep, philosophical discussions that can happen when you start talking about identity. We need language and social interop--conceptual interop--to get technical interop.

Identity brokers play the role of interchange between protocols.

Common user experience is important in identity because people are involved, so it's more than protocols and interop.

How do Higgins, CardSpace (what has been known as InfoCard), and XDI relate to each other? Are they competitors, complementary services, etc.?

Higgins is a framework that supports multiple identity protocols. CardSpace should function in Higgins out of the box. The goal is functional equivalence. CardSpace is architected to accept different identity technologies without changing the code.

In an interaction between a relying party and an identity provider, what's the role of the identity broker?

Card-based identity is different than universal address identity (i-names, OpenID, LID, etc.). Physical cards typically have addresses on them. That's one of the claims. Addressable identity elevates that claim to the identity itself. Addressable identity requires that users have a service provider. The broker is that service provider.

Identity brokers can also help users store and manage identities. Drummond gives the example of dropping your wallet in the lake and the trouble you go through to recover those credentials. If your machine goes down you may be in the same situation with respect to your card-based identities. Identity brokers can help solve that problem.

What are some of the new businesses that might spring up because of interoperability in the identity space?

There are several kinds of new businesses. An identity provider (or issuer) is one, and the identity broker is another. Also there will be people creating businesses around verifying claims and even making assertions about identities.

Opinity is an example of a reputation business that is working now. Their business is making assertions about people based on publicly available information.

Will companies embrace this model or will their proclivities toward hoarding customer data keep user-centric identity from launching?

Companies are almost universally bad at managing customer data. They talk about it being a competitive advantage, but few of them put the money into it to make it really work. There's opportunity for other companies to put together good data, in a user-centric way, and then service other companies by providing good data.

We are all identity providers (Drummond holds up a business card). Whenever we create usernames and passwords at various sites, we are providing identity information. Relying parties who want to accept user-generated identities in an interoperable way can do so now with OpenID, LID, i-names, and so on.

What are the incentives for getting companies (both identity providers and relying parties) to adopt this?

This is disruptive technology. It won't likely be the big players (like Amazon) that adopt it first. It will be the smaller bookseller looking to compete.

How does all this affect enterprise identity and single sign-on?

Enterprises frequently manage identities across multiple systems. They are not as concerned with identity tokens as they are with identity attributes and being able to use them interoperably.