Saturday, May 22, 2010
Missing Conversations within the Identity Community: IdP Challenges
I was reading Patrick Harding's post on Browser-Based IdP Discovery and felt that while it solves some problems, it is suspect to OWASP-style attacks. Anyway, I am of the belief that a more important challenge exists within the identity community that no one is truly addressing...
Right now, much of the identity conversation is centered around consumerish usage where sites such as Yahoo, Facebook and other time-wasting sites are participants. Identity isn't up to snuff in order to conduct business over the Internet and no one seems to care.
So, let's say that you are CTO for an online stock trading platform where consumers are constantly struggling with their ID/passwords. You believe that modern approaches to identity are needed. Would IdP discovery be on the top of your list of problems to solve? As a CTO, wouldn't you care more about a way of determining the reputation of a particular IdP and discovering its policies?
The online trading platform could not possibly establish a business relationship with every IdP on the planet where they could ask for SAS-70 Type II documents or its equivalents. This however doesn't waive the need for the online trading platform to understand characteristics of the IdP such as their identity vetting process, policies around credential usage in terms of history, expiry and complexity and most importantly is their anyone else that will vouch for their practices.
Wouldn't it be cool to somehow start the conversation and borrow from the PKI community the notion of CP/CPS but only to get it out of document format into something XML schema based such that it can be consumed programatically? Sites such as StackOverflow have figured out how to capture the reputation of users on its platforms. Even email platform providers such as Cisco's IronPort have figured out how to use reputation in order to reduce spam traveling over the Internet. Why isn't the identity community noodling something similar?
A SAS-70 is another form of document that could be converted into an XML schema. Instead of a word document, why couldn't a certifying party somehow sign the identity provider such that this is consumed within either SAML or OpenID interchanges? So far we have gotten a working group on level of assurance which is fundamental to the problem-space but we need to figure out how to put a little bit of non-repudiation behind many of the attributes.
Anyway, for solving the IdP discovery challenge, I believe that Information Cards is the best model publicly available. We simply need to figure out how to create the tipping point so that B2B sites are also full participants in the identity conversation...
| | View blog reactionsRight now, much of the identity conversation is centered around consumerish usage where sites such as Yahoo, Facebook and other time-wasting sites are participants. Identity isn't up to snuff in order to conduct business over the Internet and no one seems to care.
So, let's say that you are CTO for an online stock trading platform where consumers are constantly struggling with their ID/passwords. You believe that modern approaches to identity are needed. Would IdP discovery be on the top of your list of problems to solve? As a CTO, wouldn't you care more about a way of determining the reputation of a particular IdP and discovering its policies?
The online trading platform could not possibly establish a business relationship with every IdP on the planet where they could ask for SAS-70 Type II documents or its equivalents. This however doesn't waive the need for the online trading platform to understand characteristics of the IdP such as their identity vetting process, policies around credential usage in terms of history, expiry and complexity and most importantly is their anyone else that will vouch for their practices.
Wouldn't it be cool to somehow start the conversation and borrow from the PKI community the notion of CP/CPS but only to get it out of document format into something XML schema based such that it can be consumed programatically? Sites such as StackOverflow have figured out how to capture the reputation of users on its platforms. Even email platform providers such as Cisco's IronPort have figured out how to use reputation in order to reduce spam traveling over the Internet. Why isn't the identity community noodling something similar?
A SAS-70 is another form of document that could be converted into an XML schema. Instead of a word document, why couldn't a certifying party somehow sign the identity provider such that this is consumed within either SAML or OpenID interchanges? So far we have gotten a working group on level of assurance which is fundamental to the problem-space but we need to figure out how to put a little bit of non-repudiation behind many of the attributes.
Anyway, for solving the IdP discovery challenge, I believe that Information Cards is the best model publicly available. We simply need to figure out how to create the tipping point so that B2B sites are also full participants in the identity conversation...
