[pcf] Digital ID round table
Andre Durand of PingID says that there are three tiers of ID:
Tier 1: Personal identity: Me. Myself. Possibly I.
Tier 2: Corporate identity: An ID issued to let me into their space
Tier 3: My marketing identity: The buckets companies sort us into for marketing purposes, e.g., a Platinum Frequent Flyer.
We have lots of IDs. “Identity inflation.” Most of our identities are T2. Andre himself has over 100 identities. He’s given up on keeping track. The trajectory isn’t sustainable. Already we generally only have a few passwords. The idea behind federation is that identity in one domain should be transferable across domains. E.g., if I have an account at Company A and click through to Company B, my identity automatically gets transferred, with permission. I could have one place for my address book, I could make it my address authority and it would transfer data to other domains and apps.
There are three protocols: SAML (Security Assertion Markup Language), Liberty Alliance, WS Federation (IBM and Microsoft).
Nikolaj Nyholm has a problem with federation. People here are thinking about a perfectly engineered IT world. Federation is part of the equation but not the way it looks today. The way it stands, if federation were in place, if you put a new SMTP on the Net, it wouldn’t be able to send email to anyone.
Dick (Panelist): The web of trust won’t extend very far. It’ll work if it’s United talking to Hertz, but not more widely…
Eric Norlin: Liberty Alliance sits between authentication servers.
Dave Sifry: It’s software we run on our sites that says that we trust, say, LinkedIn, etc. From a business perspective, it means that there’s some subset of these companies that agree to trust one another’s authentication systems and will use the same middleware to accomplish this.
Andre: Why can’t I use the protocols to link to my social connections? We should be talking about this.
Nikolaj: I have no sense of “home” in the Liberty Alliance…
Ted: Nikolaj is right. The nerve Microsoft hit with Passport was: Who’s going to control my ID?
Andre: Here’s one possible outcome of federation. In large enterprises, they have created ways to handle the redundant IDs in multiple directories. They create a virtual directory. Now, if you add up all the account info with all the companies you interact with, that’s your useful digital ID today. Suppose I had a dashboard running on my PC, like the enterprise’s virtual directory. It’s likely a p2p client will exist on my PC or cellphone that gives me control. I don’t have to move all the information onto my own computer.
Doc (moderator): Do the protocols for enabling that exist today?
Andrew: Yes, I think they do. I’m describing an application layer on top of the protocols.
Steve Pelletier (Sun): The consumer vision is great, although it’s early. But the world is full of ID systems that will never merge. You need something that enables all those identity repositories to be integrated if only for business reasons. And you need protocols to extend this to customers. That’s what federation does: cross repositories and cross schemas.
Doc: I hate the word “consumer.” I’m a customer.
AOL guy: Before we can do federated ID for social networks, the social networks have to figure out what their business model is.
Isabel Walcott (The Research Board): We’ve discussed ID federation with F100 companies. The way I see it, this is about access control. Companies haven’t figured it out. If social networks could solve this problem, it could go into the corporations. There is no “god” at these big companies saying who can have access to this or that part of the DB. It happens on a peer-to-peer basis: Someone’s boss says which field or part of the DB you have access to. How do you manage access control at the object level? It has to be in some sort of p2p fashion.
Someone: There are legacy solutions that won’t be displaced. You have to layer on top of them, like PingID.
Jeremy: It’s not just the pain of sign-on. It’s also the pain of registering for a new service. A few cases: Company B allows customers of Company A to become registered customers, dynamically, moving my profile. The social networks could be a home base for relevant attributes about me. A federation of those in which my attributes could be relied upon by other online services would be appealing to me. I.e., I can dynamically become a cars.com user using my social network ID and profile. You could do that now with the existing standards.
Nikolaj: Today we have an ID where we can reach each other: email. But it has no other attributes. You can’t authenticate with it. Or, your credit card uniquely identifies you. You can even use it to exchange info through a proxy like PayPal. And that’s what we’re looking for.
Someone: Do we have a schema for the info that we think is useful? No, we don’t. The metadata around my demographics and psychographics. Will people create a common tool across social networks so I have a single user experience?
Andre: Jeremy’s comment may have uncovered a business model. If the social networks glommed onto these protocols and built a service for users that allowed them to store the info…
Brian Dear: How about FOAF?
Nikolaj: There’s no layer of authentication.
Jeremy: It’s an attribute.
Someone: We may not want to connect social networks. E.g., one’s for business and the other is personal.
Reid Hoffman of LinkedIn: I’d only do federation if I had a business case justifying it.