
Commentary by Mark Wahl, CISA

Organizing principles for systems:
Unsolved problems in cross-organizational identity protocols (20070720)

After reflecting on the recent IIW, Concordia and Burton Group conferences, I noted several open issues that individuals and organizations deploying cross-organizational identity management had encountered with existing identity protocols. The issues included:


1. View of the past.

There are few proposals and no consensus on protocols for the exchange of historical information about identity-related operations (traces of logins, modifications, etc.) in support of auditing, undo, data analysis, or other services. Without such a protocol, each organization holds only its own fragment of the record, and a cross-organizational audit trail has to be stitched together by hand.


2. Notifications.

Suppose an application at one organization has authenticated to another organization and obtained a copy of an identity attribute from it. How does the provider implement callbacks across organizational boundaries so that the holder of that copy is notified when the attribute, or related data, changes? Until it is notified, the consuming application is making access decisions on stale data.


3. Idle timeouts and unified logouts.

Security rules for application developers often state that the application should log the user out after a "period of inactivity". But how does an application determine inactivity when the user's interaction with it is via a web browser communicating with a third-party web site, run entirely outside of the organization's firewall? The server sees only the requests it receives; whether a person is actually present at the browser is invisible to it. If a user has put the application's window in the background or minimized it to work on something else, is it still 'active'?
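As an added example of the ambiguity above (this code is not from the original commentary), the following JavaScript models a browser-side idle tracker as a pure state machine, so the "period of inactivity" policy can be exercised without a DOM, and pairs it with the server's independent rule. The names (IdleTracker, serverSessionValid, attachToBrowser) and the specific policy that a hidden tab is tolerated only for a grace period are assumptions made for the illustration, not a standard; all timestamps are milliseconds.

```javascript
// Added example, not from the original page: a client-side idle policy that
// treats a hidden (backgrounded or minimized) tab separately from plain lack
// of input. The grace period for hidden tabs is an assumed policy choice.

class IdleTracker {
  constructor({ idleMs, hiddenGraceMs }) {
    this.idleMs = idleMs;               // max time without user input
    this.hiddenGraceMs = hiddenGraceMs; // max time the tab may stay hidden
    this.lastActivity = null;
    this.hiddenSince = null;
  }

  start(now) {
    this.lastActivity = now;
    this.hiddenSince = null;
  }

  // Called on keyboard, mouse, touch or scroll events. Input arriving while
  // the tab is hidden is ignored; the visibility rule decides that case.
  activity(now) {
    if (this.hiddenSince === null) this.lastActivity = now;
  }

  // Called with the Page Visibility API result (document.visibilityState).
  visibility(now, hidden) {
    if (hidden) {
      if (this.hiddenSince === null) this.hiddenSince = now;
    } else {
      this.hiddenSince = null;
      this.lastActivity = now; // returning to the tab counts as activity
    }
  }

  // The client's own view of whether the user is still "active".
  isExpired(now) {
    if (this.lastActivity === null) return true;
    if (this.hiddenSince !== null && now - this.hiddenSince >= this.hiddenGraceMs) return true;
    return now - this.lastActivity >= this.idleMs;
  }
}

// The server never observes any of the above: a hijacked browser or a script
// can report "active" indefinitely. It therefore keeps its own rule based
// only on requests it actually received, plus an absolute lifetime that no
// amount of activity extends. `session` is a constructed record, not a real
// session store format.
function serverSessionValid(session, now, { idleMs, absoluteMs }) {
  if (now - session.createdAt >= absoluteMs) return false;
  if (now - session.lastRequestAt >= idleMs) return false;
  return true;
}

// Browser wiring for the tracker. Returns null outside a browser so the
// policy above can still be run under Node.
function attachToBrowser(tracker, onExpire, pollMs = 1000) {
  if (typeof document === 'undefined') return null;
  tracker.start(Date.now());
  for (const ev of ['keydown', 'mousemove', 'touchstart', 'scroll']) {
    document.addEventListener(ev, () => tracker.activity(Date.now()), { passive: true });
  }
  document.addEventListener('visibilitychange', () =>
    tracker.visibility(Date.now(), document.visibilityState === 'hidden'));
  const timer = setInterval(() => {
    if (tracker.isExpired(Date.now())) {
      clearInterval(timer);
      onExpire(); // e.g. redirect to the logout endpoint
    }
  }, pollMs);
  return timer;
}
```

The client-side timer answers only the usability question (when to warn or redirect); it must never be the sole control, because the third-party server cannot verify it. The server-side check is the enforceable one, and the two will legitimately disagree, which is exactly the gap the commentary points at.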


4. Account linking with records without credentials.

Some traditional federated provisioning protocols assume that a user will be linking their accounts in two systems together, and that this can be accomplished by the user 'logging in' to both systems with the names and credentials of those accounts, thereby demonstrating the ability to access each of them. Yet the majority of records about individuals, in corporate CRM systems or government databases, carry no authentication credentials at all, so there is nothing for the user to log in with. Knowledge-Based Authentication and similar methods, while limited in assurance, aren't well integrated into existing identity management authentication and assertion protocols.


5. Delegation to users outside of the organization.

How can one organization or individual delegate its access rights to another? In the Boeing case study, airlines wished to delegate their rights to read the Boeing maintenance web site to the independent maintenance organizations that work on the planes on behalf of the airlines. An employee or retiree might wish to give their spouse, or someone holding power of attorney, the right to access the identity attributes that control their direct deposit or retirement account. In each case the delegate is outside the organization that issued the rights, and the delegation should be narrower than, and revocable independently of, the delegator's own access.


6. Long-term user sessions and portfolios.

How does a user build a long-lived session, manage their history of activities and interactions with other users and services, and move that history between sites rather than leaving a separate fragment of it at each one?


7. Scaling assumptions.

There's a set of often unstated assumptions each protocol makes about the underlying environment in which it is deployed. For example, OpenID assumes domain names are stable, long-lived identifiers, whereas in ad hoc networks, domain names could change on a minute-by-minute basis. Directory replication protocols don't work well with high-rate-of-change data, such as a user's location or login history, since they were designed for attributes that change rarely relative to how often they are read.