What is old is new

By Kenneth Graf (Intel) (6 posts) on June 26, 2008 at 5:47 am

In the last few days there have been a number of announcements related to the "latest" in digital identities. Is this just a rehash of the old SAML, Liberty Alliance, Identrus, Microsoft Passport conflict? Or something really new?

I wish I were smart enough to pick a winner or tell you when a dominant approach will emerge. What I can tell you is that the new efforts have learned from past mistakes. Vendor-centric, computationally heavy and policy-unaware solutions were not deployable.

What I know for sure is that the new approaches are XML-centric and rely heavily on WS-SecurityPolicy, WS-MetadataExchange and WS-Trust. For these "new" approaches to be successful they will require simple APIs to create client components and high-performance server components to allow large volumes of secure transactions.

Hmm, fast and easy XML processing! Where have I heard that before? ;-)

The recent announcements:

June 23rd, Liberty Alliance Releases Identity Assurance Framework. http://www.projectliberty.org/liberty/news_events/press_releases/liberty_alliance_releases_identity_assurance_framework

June 24th, Technology Community Forms Information Card Foundation to Simplify Secure On-Line Digital Identity. http://xml.coverpages.org/ICF-DigitalIdentity.html

June 25th, IETF released an updated vCard Format Specification. http://www.ietf.org/html.charters/vcarddav-charter.html

June 25th, Eclipse released Ganymede with its "Higgins" or user-centric identity framework. http://www.eclipse.org/

Categories: XML Software

Comments (4)

June 26, 2008 10:27 AM PDT

Josh Bancroft (Intel)
Interesting that in all this talk of digital identity, there's no mention of OpenID, which, in my perspective, not only seems like the best choice for managing your identity online, but is already well along the deployment process - thousands of people are using OpenID every day now - including myself. Big online companies, like Google, AOL, etc. can act as OpenID providers, or you can choose a different one (I use Vidoop). You can "federate" your identity using your own URL, so instead of me being "http://jabancroft.myvidoop.com", I'm "http://www.tinyscreenfuls.com".

What are your thoughts on OpenID, and how it fits into the needs and realities of managing our digital identities?
June 26, 2008 4:04 PM PDT

Kenneth Graf (Intel)
Josh, there are many others and OpenID is one of the more popular. OpenID does also use XML (yeah). I am not convinced about the security model yet. For me it is fine for sites where logins are just used for customizing my session. I am not so sure about using OpenID for my banking.

JISC is due to release a review of OpenID soon: http://www.jisc.ac.uk/whatwedo/programmes/programme_einfrastructure/reviewofopenid.aspx.
They are looking at "deployment of OpenID beyond the obvious minimal applications of blogs and wikis".

Thanks for the comment, OpenID does have a place.
June 26, 2008 6:24 PM PDT

Michael Shadle (Intel)
I read something and am fuzzy on the specifics but I believe IBM was named, and it could have been related to this:
http://news.zdnet.co.uk/itmanagement/0,1000000308,39236488,00.htm
They've got something they've been pushing for too, federated IAM (identity and access management) - maybe that was it.

I wish I would remember more details when I read things. :P
June 27, 2008 3:44 AM PDT

Kenneth Graf (Intel)
The article you referred to, IAM, is related. The "problem" (like there is only one) is that vendors often present their idea as "the solution" when the reality is that what they offer is part of the solution.

A good analogy is your use of electricity in your house. You need devices (e.g. TV, laptop), interfaces (outlets), protocols (wiring) and a provider (power company).

It seems there is an unlimited number of devices, and in our security context this is the application. We want a lot of freedom in application design, but the application must consider how it plugs in and consumes security. I started this thread talking about id protocols, which is the wiring component, helping to move the id bits around the house. The IAM piece is how the application "plugs in" to the id protocol bits coming off the wire.

So, who becomes the power company? Without this part we are all just sitting in the dark.

The IBM article wants a global authority. The OpenID creators believe in the power of people. And generally the protocol vendors believe some private enterprise will deliver.

All three approaches are valid. Determining what I want to do with my security device will determine which type of provider I need.
