The Other Path to Internet Identity
Editorial | Microsoft's recent demonstrations of WS-Federation and Liberty Alliance's responses show that their approaches to federated identity are very similar. In fact, as Digital Identity World editor Phil Becker comments: "It's a shame that the demos of WS-Federation being put forth don't really show why the protocol is different from Liberty Alliance in any significant way."
Mr. Becker goes on to explain the primary differentiation between them: "The battle shaping up between the WS-* protocol stack and the Liberty & SAML specifications is one primarily of a use-case driven specification vs. an architectural approach. One gets you out of the blocks fast to solve known problems (which is why you can buy SAML and Liberty-enabled software today.) The other intends to create a framework in which both known and as yet unknown problems can be solved to create a better, more flexible long term solution."
While the merits of these respective approaches can be argued, the larger picture is often lost in this debate. What does Internet-scale identity infrastructure actually require? Does the current "federated identity" paradigm, regardless of whether it is WS-* or Liberty Alliance, actually meet these requirements?
Internet-scale identity infrastructure has four key requirements that all remain outside the scope of either the WS-* or Liberty Alliance approach:
1) True user-controlled identity. In the WS/LA paradigm, personal identity only exists in the context of institutions. The very concept of "federation" is that two or more institutions link their identifiers for you in order to enable automatic data sharing. Liberty Alliance calls these institutions "Identity Providers", largely because they are responsible for the identifiers assigned in this process. Due to the obvious privacy concerns, both WS-Fed and LA are careful to support pseudonymous identifiers, and to provide the opportunity for users to control account linkages. But none of this addresses the core issue of users' control of their own identity.
What's missing in this worldview is the idea of individuals as their own first class "identity providers" with sovereignty and control of data equal to that of institutions. In an alternative approach, individuals would be able to choose their own digital identifiers, open their own data sharing accounts with "data brokers", choose the data sharing federations they wanted to join, and be directly in control of when, where, and how their data is shared.
This model of user-controlled data sharing has many parallels with banking. Data brokers are analogous to banks: they exist to serve the customer, and might make a profit by offering services to assist customers in data sharing and linking transactions (single sign-on, auto-fill, dynamic address books and calendars, filtering, etc.) Data sharing federations might be expected to operate like Visa and Mastercard: they exist to facilitate trusted data sharing between data brokers operating all over the world.
2) Portability. In the WS/LA paradigm, there is no such thing as identity portability. Users don't control their own identifiers, since the entire federation infrastructure is designed only to share data between institutions.
In a user-controlled identity paradigm, users control their own identifiers and data and can port them between brokers just as domain names can be ported among DNS registrars today. As with wireless phone number portability, such a change would not affect any existing data sharing relationships because the identifiers follow the customer, not the broker.
3) Peer-to-peer data sharing. In the WS/LA model, data sharing agreements are all made between institutions. These institutions can and do give users opt-in control over the sharing of their data. But the options for whom to share with and under what terms are all set only by the institutions, not by the users. It's like having a credit card that only works at one mall.
In a world of user-controlled identity, data sharing is done using an open peer-to-peer protocol just like the Internet (TCP/IP) or the Web (HTTP). Anyone can form data sharing relationships with anyone else under any terms they both agree to. Matters will get much simpler, of course, with the formation of data sharing federations that standardize common data sharing agreements, much as credit card associations did for the banking industry in the 1960s. The result will be more like Visa or Mastercard: automated user-controlled data sharing "everywhere you want to be."
4) Community-based data sharing dictionaries. The WS/LA protocols rely on published XML schemas to define all of the profile attributes that can be shared. These are "extensible" by federated identity service providers, but only at the level of classic XML schema extensions.
This will simply never work in the real world. We already live in a global world of peer-to-peer data sharing between individuals and institutions of all types. Imposing a limited set of data sharing schemas would be like a dictionary publisher trying to dictate the English language. Real-world dictionaries operate the other way around: they record the rich and varied vocabulary constantly evolving from the cultures that use it.
A dynamic peer-to-peer data sharing protocol enables the same approach. It can solve the n-to-n problem of mapping "what I call it to what you call it" by allowing everyone in the community to contribute to and map from a shared dictionary of "what the community calls it." Most importantly, being dynamic, the map can keep evolving as the community does.
The Third Path to Internet Identity
If these are truly the requirements for Internet-scale identity infrastructure, then a third approach is needed. Although much less visible than WS-* or Liberty Alliance, a group of companies and individuals have been working on this at OASIS. Starting with the problem of universal portable identifiers, they produced the XRI (Extensible Resource Identifier) specification in January. They are now working on the XDI (XRI Data Interchange) specification for dynamic, peer-to-peer data sharing, linking, and synchronization, expected to be ready in the fall.
XRI/XDI is already capturing the attention of non-profit communities and open source developers. The first public demonstration of XRI/XDI identity infrastructure will be shown at the Planetwork Conference June 5/6 in San Francisco. Sponsored by the Identity Commons federation, participating communities include Planetwork, Blue Oxen, GoLightly, and NeoSociety, with data brokering services provided by 2idi.
Although only an early alpha, it shows that a user-controlled identity infrastructure is possible and already in play. The next step is the opening of global registry services for personal XRIs, called "e-names", that will provide the first way to share an address on the Web with no fear of spam or other privacy violations.
Only time will tell which of these paths will be successful. WS-* is backed by the two largest software companies in the world, and Liberty Alliance by a coalition of the world's most powerful consumer brands. Compared to these, XRI/XDI is a pure grassroots effort. But if the Internet and the Web have taught us anything, it's that adoption prefers the level playing field of open, peer-to-peer protocols in which everyone is a first-class citizen. This is doubly true for identity and data sharing protocols, where the issue at hand is who gets to define who we are.