Monday, December 12, 2005
Thoughts on bloggers and Federated Identity
Figured the best way to make my point would be to ask these same bloggers to respond in their own blogs with answers to the following questions:
- The Liberty Alliance is a wonderful organization that is working towards interoperability but doesn't have as a charter the notion of community formation as this typically occurs within a specific industry vertical. Examples include the SAFE initiative in pharma and Securities.Hub on Wall Street. Do bloggers who work for software vendors have any duty to enable (or at least talk about) the notion of best practices around community formation at an industry vertical level? If so, do they strictly talk in terms of case studies of what has occurred in the past or provide guidance to verticals that haven't yet walked this path?
- Identity Bloggers pretend that notions such as Sarbanes-Oxley don't exist (or at least never mention them). Do they think that federations also need the notion of attestation? If so, don't you think this will become an impediment to corporate adoption of federated identity for many verticals?
- SAML 2.0 is a good move to increase interoperability and should be implemented in all security-oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?
- The Liberty Alliance can only point to a handful of Fortune 100 enterprises (non-software) that have joined. Its primary makeup is mostly software vendors. Maybe you could tell us why an Enterprise Architect that works for a Fortune 100 enterprise would request for next year's budget the annual dues for membership vs. spending it in other areas?
- Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML? If consolidation is a good thing, why wouldn't it be a good idea to consolidate identity within Active Directory?
- Should SXIP, LID and SAML exchange tokens from one system to those in another or should they continue to do their own thing with their own tokens? If the latter, could this really be considered an identity metasystem according to Kim Cameron's laws of identity?
- If you want corporations to embrace the notion of federated identity, wouldn't it require more than simple "look at me" interoperability demos and for all the vendors in this space to create some publicly available notion of "reference architecture" above and beyond what exists in Project Liberty?
- Acknowledgement that not all problems are technology related and consider asking the Liberty Alliance to take on social / governmental issues related to identity in the same way that Richard Stallman does for the Free Software Foundation. Examples include mechanisms that will allow an industry vertical to form communities without the appearance of collusion. What about certain countries such as Italy that create laws that violate current thinking on identity? Have you seen this article?
- More thinking on how identity changes based not on the person but their interaction? Examples may include the notion of "six degrees of separation" or minimally the practice of role affiliation?
- How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.
- Should we have a mechanism for discovery of capabilities for various identity systems? Should it be YADIS? Something else?
- Any thoughts on how federated identity can integrate with Digital Rights Management?
- Any thoughts on how Liberty Alliance can embrace the notion of a Virtual Personality?
- What if we decided to externalize identity and put it on a spacecraft headed to Pluto? Don't take this question seriously.
- How come pretty much all of the identity bloggers don't support trackback in their blogs? Is it because they haven't yet figured out how to protect their own identity or that of others?