Friday, January 19, 2007


OpenID, InfoCard and Web SSO Products

A while back, I declared publicly that I will be contributing to the OpenID specification. Figured I would provide a status update on my perceptions of some of the participants along with some other things I have been noodling...

Usually a discussion on standards starts with business requirements and use cases. I have contributed pages of this stuff on how identity needs to take relationship, authorization and attestation into consideration, with pretty much zero interest from many of the participants.

One take may be that I simply didn't do a good enough job of explaining in detail the scenarios provided. If this is the case, then I would hope others would step up and start asking more questions of me. The funny thing is that I got a sense that I am running into a very different problem, one that folks will not articulate.

My BS detectometer tells me that many folks are focused solely on identity because it is easier to develop, and the stuff I am talking about in order to use it in a business context is an order of magnitude harder. I can understand that folks are sometimes lazy. Likewise, there is also a camp that is essentially attempting to reuse whatever products their employer currently offers and only desires to put a thin veneer over it to support OpenID. If their product didn't support authorization, modeling of relationship or attestation constructs, then supporting the use cases would require them to kinda publicly acknowledge weaknesses in the products they hoped to have shimmed.

Lots of folks in the identity field are following the lead of Kim Cameron of Microsoft, who has been missing in action when it comes to OpenID. Sure, he can demonstrate integration with OpenID, but I think he will avoid demonstrating an implementation of OpenID, which would be more meaningful. Likewise, the need for incorporating relationship, authorization and attestation into the CardSpace UI would also need to be addressed for user-centric identity to be useful within a business context, but I suspect that this conversation will never occur in the blogosphere.

In terms of OpenID vs InfoCard, several of the questions I have been noodling are about figuring out not only who else should be paying attention but how they should contribute. For example, I would love to see the folks from Voltage figure out how to merge the OpenID specification with the notion of Identity Based Encryption. This is too obvious to not attempt. Besides, the discussion is somewhat PKI oriented and we need some new thinking. Within a business context, one may also need to consider some sort of consistent audit approach, especially since it is heavily distributed. I wonder if the folks over at LogLogic would consider sharing their insights?

Prateek and Mark over at Oracle have released the CARML and AAPML specifications, which could also add value to OpenID and make it better, but they haven't yet joined the conversation. Likewise, there are a variety of Web SSO products such as Oblix CoreID, Tivoli Web Access Manager, Netegrity SiteMinder and even OpenSSO. How difficult would it be for them to minimally support, out of the box, a login page where a card is requested? Are there any industry analysts out there that know if these companies have put OpenID support on their roadmap?

