Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
SWXG 2010.6.9 v2
1. A few thoughts on the state of the art of identity W3C SWXG - 9 June 2010 Paul Trevithick v2
2. Why is identity a hard problem? Short answer: It is being worked on by many communities with differring perceptions of the requirements
3. Language varies by community Identity := globally unique identifier + attributes And a single user can have multiple GUIDs and differring sets of attributes Identity := a set of attributes [may include an identifier] One user can have multiple sets of attributes, some of which may include identifier attributes Communities that adhere to this perspective consider it a significant conceptual advance over the identity:=identifier framing Most of us avoid the word identity—too overloaded to be useful One of a hundred examples: “A fundamental requirement for enabling privacy on the Web is that publishers need to be able to control who as access to their information resources”1. What’s a publisher? Don’t you mean user? [1] http://esw.w3.org/PrivacyAwareWeb 3
4. Requirements vary by community Levels of assurance (LOA) (4 NIST levels, etc.) RPs need higher LOA >1 in some use cases Challenge is that this is considered a “long tail” requirement and thus considered out of scope by many who are focusing on social web (high transaction volume, low value transactions) Verfied third party vs. self-asserted attributes Most social Web use cases require only self-asserted attributes [WebID] Other use cases require verified attributes from third parties (e.g. payment use cases) Attribute aggregation Some use cases make a distinction between an identity provider and an attribute provider. RPs need attributes from N>1 sources 4
5. Requirements vary by community Linkability “Identifier has to be universal and linkable”1 “A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handle”2 Some uses cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens). Requires tech such as uProve (Microsoft) or Idemix (IBM) Levels of protection (for the user) Have user-agent/RP exchanges involve signed contracts Support accountability not just secrecy [1] http://esw.w3.org/PrivacyAwareWeb [2] http://www.identityblog.com/?p=352 - Cameron’s Laws of Identity 5
6. Proliferation of communities Identity Commons (2005) http://idcommons.net Best known for IIW unconference 2/yr. OpenID Foundation (2007) http://openid.net At a crossroads: strong internal competition: OpenID Connect (OAuth-based) and OpenID V.Next What problems are we trying to solve? Federated login from a centralized IdP (e.g. Facebook)? User-managed identity with a distributed architecture? DataPortability.org (2007) http://dataportability.org Has been an advocacy organization; now looking at data sharing policies Information Card Foundation (2008) http://informationcard.net Really should be called the active client foundation First generation: defined by Microsoft’s CardSpace and the OASIS IMI protocol Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)? 6
7. Proliferation of communities Kantara (2009) - http://kantarainitiative.org Strategically positioned to be the cross-protocol “center”; not fully realized Absorbed and replaced the Liberty Alliance Does work in areas of “trust frameworks” (IAF), certification, eGovernment, User-Managed-Access (UMA), cross protocol login user experience (ULX), VRM, etc. OpenIdentityExchange.org (2010) - http://openidentityexchange.org Foster trust framework (“rules”) layer above the tech (“tools”) Jointly formed by OpenID Foundation and the InfoCard Foundation initially to serve the US Federal government’s need for a trust framework, now broadening to other areas. RPs won’t pay money for attributes/identities without trust frameworks in place XAuth.org (2010) – http://xauth.org/info/ Attempts to solve the NASCAR (discovery) problem (without requiring an active client) Introduces a central server but cookies are stored on the browser’s [HTML5] local storage 7
8. OpenID roadmap is being debated Legacy OpenID 2.0 - http://openid.net/developers/specs/ Completed in 2007; supported by the OIDF (openid.net) Claim 50,000 RPs and growing Useful for low assurance use cases (e.g. LOA 1) OpenID-AB [Attribute Binding] - http://bitbucket.org/openid/ab/wiki/Home Proposed by Nat Sakamura and others in early 2009 Similarities with OpenID Connect, OAuth-like access token, etc. OpenID Connect - http://openidconnect.com New (May 2010) proposal by David Recordon and others Layers over and leverages OAuth 2.0 User’s identifier now decoupled from their “profile URL” Breaking change from OpenID 2.0 OpenID V.Next WG within OIDF chaired by Dick Hardt Assumption is that it will handle a wider set of use cases than 2.0 and Connect Breaking change from OpenID 2.0 8
9. Personal opinion Efforts continue to create the “one protocol to rule them all” SAML…Infocard/IMI…OpenID…OpenID-Connect…OpenID-V.Next…WebID… Meanwhile UN/PW isn’t going away anytime soon And neither are the previous attempts to overthrow it–each have their adherents We have learned that we need to make the tech easy to adopt by RPs E.g. cross-protocol libraries & services We have learned that users don’t care about protocols They need an easy to use, consistent user experience irrespective of protocol We have learned that we need a “better with” strategy for active clients Active clients (aka to some as “identity in the browser”) must be optional The reaction of the market to the current chaos of “open” identity tech is “wait and see” (although proprietary solutions (mostly Facebook) are being rapidly adopted) The open identity community is not organized to meet the above needs It may be time for some rethinking, consolidation and restructuring 9
11. Identifiers and UX In the beginning OpenID said: “type in your OpenID URI” Users didn’t get it Then OpenID said: “click on a button” (NASCAR popup) Better UX & conversion rates Tyranny of the mega-brands +… Recently some are saying “type in your email address” and we’ll use that to discover your IdP [e.g. see webfinger.info] Even better UX & conversion rates so far Tyranny of the mega-brand email providers Now XAuth says “click on a button from a personalized list” Probably the best UX possible (without an active client) 11
12. Attribute schemas RDF (FOAF, vCard…) Portable Contacts ActivityStrea.ms OpenID AX ICF Schemas WG SAML attributes Facebook OGP etc. Personal opinion: we need to make consuming attributes easy for RPs by providing them with schema mapping services that eliminate the need to commit to each IdP’s schema. 12