Commentary by Mark Wahl
Organizing principles for identity systems:
Digital ID World 2005, day 2
(2005/5/12)
Heard a presentation from Chris Ceppi on the intersection between federation and web services.
With the "B2C" focus in current federation models, a certain traditional asymmetry appears in the protocol exchange:
+------+
| User |
+------+
    |
+---------+                         +--------+
|  Client |-------- Protocol ------>| Server |
+---------+        WS-* Svcs        +--------+
The client and server can mutually authenticate, and the client can provide the user's identity (as a set of claims) to the server, in the format that the server requests.
The server's identity can be validated by the client, but there did not appear to be a means for the client to specify what it wants to know about the 'user' of the server, as in a more peer-to-peer (C2C?) model:
+------+                            +------+
| User |                            | User |
+------+                            +------+
    |                                   |
+---------+                         +--------+
|  Client |-------- Protocol ------>| Server |
+---------+        WS-* Svcs        +--------+
A related question from the audience: currently there is no convenient way to query for and provide the claims requirements when a third party performs the authorization check. What is likely to occur is that the requestor will say "*": send me all information about the user and I'll decide what to use.
There was also mention of "claims transformation": the Microsoft white papers suggest that claims transformation could, for example, map "date of birth" to "age". However, most of the claim formats suggested in WS-* are for cryptographic and security tokens (passwords, keys, SAML, X.509, OTP, biometric information).
The open question is how to provide for claims flexibility, so that new formats can be interpreted: attributes such as "height" (you must be at least this tall to ride this carnival ride). Requiring code to be present on each desktop or phone just to be able to display a particular claim format carried in an "Info-Card" will not scale unless the "card" itself somehow travels with a microprogram.
Kim Cameron suggests that the Identity Provider will be the element that needs to perform the interpretation on behalf of the desktop.
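To make the claims-transformation point concrete, here is an added example (not code from the talk, the white papers or this post) of an identity provider answering a relying party's claim requirements with derived claims only, so "age" or "tall enough" can be released without the underlying date of birth or height. The user attributes, claim names and the 120 cm ride threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample: raw attributes the identity provider holds for one user.
USER_ATTRIBUTES = {
    "given_name": "Alice",
    "date_of_birth": date(1990, 6, 15),
    "height_cm": 162,
}

# Date of the conference post, used as "today" so the derived values are stable.
CONFERENCE_DATE = date(2005, 5, 12)


def age_on(dob: date, today: date) -> int:
    """Whole years from dob to today; a birthday not yet reached this year does not count."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def transform_claims(requested: list, attrs: dict, today: date) -> dict:
    """Return only the requested claims, each derived from raw attributes.

    The relying party never receives the source attribute (no date_of_birth,
    no height_cm), only the answer to the question it asked. A wildcard "*"
    request is refused instead of being answered with every attribute, and an
    unknown claim name raises so a missing transformation is noticed rather
    than silently dropped.
    """
    if "*" in requested:
        raise ValueError("wildcard claim request refused; name the claims you need")
    # Hypothetical transformations; a real provider would load these from policy.
    derived = {
        "given_name": lambda: attrs["given_name"],
        "age": lambda: age_on(attrs["date_of_birth"], today),
        "over_18": lambda: age_on(attrs["date_of_birth"], today) >= 18,
        "tall_enough_for_ride": lambda: attrs["height_cm"] >= 120,  # assumed threshold
    }
    result = {}
    for claim in requested:
        if claim not in derived:
            raise KeyError(f"no transformation for claim {claim!r}")
        result[claim] = derived[claim]()
    return result


if __name__ == "__main__":
    print(transform_claims(["age", "over_18", "tall_enough_for_ride"],
                           USER_ATTRIBUTES, CONFERENCE_DATE))
```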
Tags: kim-cameron