Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Burton Group Catalyst survey of the state of the metasystem (20070627)
The Wednesday afternoon identity track at the 2007 NA Burton Group Catalyst conference started with a presentation by Bob Blakley on "New School Metasystems", with a presentation style somewhat inspired by the contract scene of the Marx Brothers' A Night at the Opera:
(Chico) "Ay...Look, why can't the first part of the second party be the second part of the first party? Thena you got something!"
After a comparison of the cross-organizational relationships and dependencies implicit in traditional (e.g., SAML) and emerging (e.g., OpenID, WS-Trust) architectures, the presentation enumerated some of his concerns with the OpenID deployment model, such as:
- the user does not (directly) provide the name of their identity provider to the relying party,
- (as I had mentioned in February) there's no practice statement from identity providers, so that a relying party can't tell what users are in the scope of an identity provider's service (what provider should be authoritative for a user?), and
- there's a possibility of overlap and potentially conflicting token statements about a user.
He then proposed addressing the asymmetry of the { user - identity provider - relying party } triangle by adding a relying party agent, with a resulting architecture more closely resembling the traditional 'four corners' model, and replacing the identity provider with an identity oracle.


Next, Dick Hardt of Sxip summarized the state of the "user-centric identity" ecosystem with a report card:
| | Current | Predicted for 2008 |
|---|---|---|
| Industry Support | A | A |
| Standardization | C | B |
| Interoperability | B | B |
| Deployments | C | B |
| End-user utilization | D | C |