November 21, 2007

More discussion of user centric identity

Blogger: Gerry Gebel

For an interesting discussion of identity provider business models, privacy, and user centric identity, please check out the transcript of an interview Bob Blakley did with Dave Witzel of Forum One Communications. He was also interviewed for the inaugural Bandit podcast. Check it out!

October 08, 2007

Limited Liability Persona in the New York Times

Blogger: Bob Blakley

Yesterday Denise Caruso took up the LLP torch in a New York Times technology section article entitled “Securing Very Important Data: Your Own”.  The article nailed the definition of the LLP, quoting Mike Neuenschwander thus:

To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing. Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. “My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online,” Mr. Neuenschwander said.

Melissa Lafsky, the Times’ Freakonomics blogger, has added Denise Caruso’s article to her “FREAK-est” links list under the title “Identity data: the newest hot commodity for businesses”.   

To go beyond self-congratulation for a moment, we’d like to call your attention to another quote in the Times’ article, because Denise Caruso has made a very important point.  She quotes Drummond Reed, who says “The myth is that companies have to know all this information about you in order to do business with you ... [b]ut from a liability perspective, the less I know about my customers the better.”  Drummond might as well be reciting the headlines himself here: it was just last Thursday that the National Retail Federation issued an open letter to the credit card industry asking them to stop putting retailers on the horns of a dilemma by requiring them to store personal data, but then turning around and penalizing them when the stored data is stolen.

LLPs can help protect individuals by giving them identities which contain only a limited amount of personal information.  But they can’t help protect relying parties like retailers who collect, store, and (to some degree) protect personal information.  What’s needed is a whole system of legal constructs and new entities geared toward reducing identity and privacy risk for all parties.  The LLP is part of this equation.  Other parts of the equation are Identity Oracles (which allow relying parties to reduce transaction risk without collecting identity information; we wrote about them here) and a Relational Continuity Sockets Layer (which allows multiple parties to bring only the information and resources which are actually required for a transaction into a controlled environment which is fair and safe for all parties; we wrote about the RCSL here). If you’ve read the Times article and you want to go into more depth, you can see our original LLP coverage here, and we’ll be writing and speaking more about LLPs, Identity Oracles, and the RCSL during the coming months.

August 06, 2007

Meta Madness

Blogger: Bob Blakley

Paul Madsen, commenting on my recent post regarding the Catalyst user-centric identity interop, argues that the event didn’t demonstrate the existence of a metasystem.  Robin Wilton agrees with him, as does Gerald Buechelt, who adds his criterion for what would constitute a metasystem:

“Even though there have been a number of different products and projects that successfully worked together, this technology is a far cry from being an identity meta-system. Multiple-protocol interop on the wire would be a true metasystem, and is a goal that various systems -- Liberty, OpenID, and Windows CardSpace included -- would need to work on together. Concordia is (probably more than) a first step towards this goal.”

Even if it were true that there was only one protocol demonstrated on the wire at the Catalyst interop event (which it is not; for example, a variety of different protocols were used to authenticate Identity Selectors to IDPs), I reject the assertion that you can’t have a metasystem without protocol diversity.

It was not a longing for different bitstreams on the wire which gave rise to the desire for an identity metasystem – it was a real honest-to-God human need: “I want to be able to visit different sites without having to create a new account at every site, and I want to do this in a way which doesn’t involve publishing everything about myself to everybody in the world”.

Meeting this need required the identity community to invent at least one set of protocols which enabled different identity systems (not “protocols”) to work together to allow users to carry their identity information around with them.

The fact that it ties multiple systems together is why it’s called a meta-system.  Notice that it’s not called a “meta-protocol”.

At the Catalyst interop event we saw users exporting managed cards from different Identity Provider systems into the same Identity Selector system.  We saw users using cards from the same Identity Provider system with different Relying Party systems.   We saw users authenticating to different Identity Provider Systems with the same (OpenID) credential.  We saw several configurations of these components working together with no Microsoft CardSpace components involved at all.

If the Liberty community and the WS-* community want to keep arguing with one another about whose protocols need to be in the mix before we call that mix a metasystem, I suppose there’s nothing that can stop them from doing that.  But the argument doesn’t help actual people or actual businesses get any interesting work done.

The participants in the Catalyst interop did help actual people and actual businesses get interesting work done.  That’s why OSIS is organizing more interops in the future; bringing Liberty-compliant components to these events and working with the other participants to make them interoperate with everyone else’s technologies would be much more useful than whining about how many protocols must dance on the head of a pin before we’re allowed to call it a meta-pin.

Incidentally, as both Gerald and Jeff Bohren note, the Catalyst interop was the second such event OSIS has organized.  I mentioned the first – held at IIW 2007a – in my initial posting.  I participated in the IIW interop and did not summarize it here only because Dale Olds has already posted an extensive and excellent writeup of the event.
