Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Digital ID World keynote: Kim Cameron on claims (20070924)
Kim Cameron of Microsoft presents "Why Claims will Change Everything" at the DIDW conference (DIDW2007).
Traditionally, the enterprise identity management system has been a "single source of truth". This capability is limited, however, by the numerous silos: silos by operating system, by application, by enterprise, by services, by networks, and by access control subsystems. Other problems he mentions inherent in this silo/mesh model include:
- entities such as users want to obtain a service, not be defined by a service,
- end-to-end policy-based controls are incompatible with silos, and
- it is needlessly difficult to combine services from multiple systems.
Mr. Cameron proposes applying the "WS-* combinational pattern" to identity. As Dave Kearns wrote earlier on a "toy model",
So by creating a Legonic Identity System (LIS?) we have one which can put together identity data in various ways to fit the conditions of the moment. Relying Parties, Identity Providers and User Agents can work together to construct sets of Identity Claims from all of the available pieces of identity data.
with his goals being
- enabling claims-based application data to cross enterprise boundaries, in which assertions might be detached from the trust infrastructure,
- supporting cross-vendor architectures, and
- meeting requirements for user-centered systems to simplify mashups and transfer of control.
He describes "convertible claims" as assertions which are in doubt, since there may be multiple sources of claims being presented at a component; through the intervention of claims transformers, some of these claims are converted into "actionable claims", those claims that a component is willing to act upon after an evaluation step.
His taxonomy of claims includes:

| Claim type | Description |
|---|---|
| static claims | for traditional attribute types |
| relationship claims | indicating connections between entities |
| derived claims | less "leaky" than static claims |
| capability claims | claims for authorization |
| meta-claims | claims about the subject |
The claims vision suggests that claims transformers could perform transformations on the format of claims (e.g., changing a claim of one form to another, such as "24 years old" to "over 18"), on their contents, as well as on their trust points (e.g., changing a claim sourced by one authority into one sourced by another authority recognized by a relying party).
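To make the transformer roles concrete, here is an added illustrative model (not InfoCard or any Microsoft code) of a relying-party STS converting a convertible age claim into an actionable derived claim with a new trust point; the issuer URNs, trust lists and sample claims are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Claim:
    type: str    # claim type, e.g. "age"
    value: str   # claim content
    issuer: str  # trust point: the authority asserting the claim

# Constructed trust configuration. The RP only acts on claims its own STS issued;
# the RP-STS only converts claims from upstream authorities it recognizes.
RP_TRUSTED_ISSUERS = {"urn:example:rp-sts"}
STS_TRUSTED_ISSUERS = {"urn:example:dmv"}

def derive_over_18(claim: Claim) -> Optional[Claim]:
    """Content transformation: derive a less leaky claim from a static one.
    Only the boolean result leaves; the exact age is not forwarded."""
    if claim.type != "age":
        return None
    return Claim("over_18", str(int(claim.value) >= 18).lower(), claim.issuer)

def reissue(claim: Claim, new_issuer: str) -> Claim:
    """Trust-point transformation: the transformer vouches for the claim itself."""
    return replace(claim, issuer=new_issuer)

def rp_sts_transform(convertible: List[Claim]) -> List[Claim]:
    """Claims transformer acting for the relying party: converts convertible
    claims into claims the RP can act upon, vetoing sources it does not trust."""
    out = []
    for c in convertible:
        if c.issuer not in STS_TRUSTED_ISSUERS:
            continue  # veto: unknown source, nothing is derived from it
        derived = derive_over_18(c)
        if derived is not None:
            out.append(reissue(derived, "urn:example:rp-sts"))
    return out

def actionable(claims: List[Claim]) -> List[Claim]:
    """RP evaluation step: only claims from issuers the RP trusts are actionable."""
    return [c for c in claims if c.issuer in RP_TRUSTED_ISSUERS]

# Constructed sample: claims as presented to the RP-STS by an identity selector.
PRESENTED = [
    Claim("age", "24", "urn:example:dmv"),      # trusted upstream authority
    Claim("age", "16", "urn:example:unknown"),  # source the STS does not recognize
]

if __name__ == "__main__":
    print(actionable(PRESENTED))                    # [] : raw claims are not actionable
    print(actionable(rp_sts_transform(PRESENTED)))  # one over_18=true claim from rp-sts
```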
However, even though these tie into the InfoCard transaction model (in particular that the RP, IdP and Identity Selector components are jointly responsible for a transaction, as there are mutual vetoes for claims), this convertible claim model is somewhat beyond what is achievable with deployed InfoCard technology. While InfoCard protocols and guideline documents mention the use of Relying Party Security Token Services (RP-STS) agent services on the Internet, these services operate under the control of the Relying Party, and only transform claims on behalf of the Relying Party web server or web service. There is not yet a model in InfoCard for claims transformation on behalf of the identity selector or identity provider services, independent of the relying party.
Furthermore, the claims representation in InfoCard is still very limited as compared to a SAML assertion, in particular in that there are not yet standards for the metadata about claim types, or for the ability to describe the relationships between claims (e.g., that a claim "am over 18" is derived from a claim "is 24 years old" without needing to reveal the content of the source claim). I also observed that there wasn't a taxonomic category in their slides for dynamic and time-limited claims, so representing dynamic data in the claims format might still be problematic for some time to come.