Tuesday, November 07, 2006

Nudge nudge wink wink

Lately, I've increasingly heard the OpenID trust model described as 'promiscuous' - this because the default assumption in OpenID (seemingly under examination as that community explores the relevance of blacklists and whitelists) is that IDPs and SPs are able to engage in OpenID authentication without necessarily 'knowing' each other beforehand (where 'knowledge' here means the two having some existing trust and/or business relationship).

This sort of SSO promiscuity is often contrasted with SAML's model - where typical use cases more often presume that the two providers will 'know' each other, if not through some direct legal relationship, at least through some shared trust framework by which some level of confidence in the other can be established.

Far be it from me to criticize promiscuity - some of my own key formative experiences were heavily dependent on that model of social interaction - but it only gets you so much. It's great for the bar scene, OK for a date to the prom, but isn't at all suited for marriage (attempts to the contrary notwithstanding).

That is of course just fine. There are many valid use-cases where promiscuity is appropriate (or where, at least, providers with more discerning rules for their partners aren't necessary). Providers should be able to choose partners based on whatever criteria they feel are appropriate (and of course under the guidance of their parents and religious advisors).

An 'easy' provider will empower its users with more choices for other providers as candidate SSO (or other identity application) partners. If the provider doesn't care with whom it partners, why not partner with any provider the user indicates is desirable? Sounds very user-centric - the user can effectively tell their providers with which others to engage in relations.

But of course, the user will have this power only until such time as the providers 'just say no'. As soon as the risks associated with such promiscuous activity outweigh the associated 'pleasures' (e.g. keeping users happy), providers will quickly see the attractiveness of a more guarded approach to personal relations. And if that means the provider losing the ability to call its system 'user-centric' because the user's wishes are no longer the sole criterion for partner acceptance - so be it.

Additionally, while SAML may not define mechanisms specifically in support of promiscuity, that's not to say that it couldn't be deployed in a promiscuous manner. After all, at the end of the day, it's up to the IDP to decide from which SPs it accepts AuthnRequests, and up to the SP to decide from which IDPs it will accept Assertions. SAML does not dictate a particular business model on either side.
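To make that last point concrete, here is an added illustration (my own sketch, not code from the original post or from any OpenID or SAML implementation) of the partner decision living outside the protocol: the same provider code runs in an 'open', a blacklist or a whitelist mode, and the IDP applies it to the SP named in an AuthnRequest's Issuer while the SP applies it to the IDP named in an Assertion's Issuer. The entity IDs and the minimal SAML messages are constructed for the example; signature checking, validity windows and the rest of message validation are assumed to happen separately and are not shown.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from enum import Enum

# SAML 2.0 namespaces (real values from the SAML specification)
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class TrustMode(Enum):
    OPEN = "open"            # any partner the user points at (the 'promiscuous' default)
    DENYLIST = "denylist"    # any partner except those explicitly blocked
    ALLOWLIST = "allowlist"  # only partners with an established relationship


@dataclass
class PartnerPolicy:
    """Deployment-time trust policy of one provider (an IDP or an SP).

    The protocol never sees this object; it is purely a business decision
    about which partners to engage with."""
    mode: TrustMode
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def accepts(self, partner_id: str) -> bool:
        if partner_id in self.deny:           # an explicit block applies in every mode
            return False
        if self.mode is TrustMode.ALLOWLIST:
            return partner_id in self.allow   # prior relationship required
        return True                           # OPEN or DENYLIST: not blocked, so accept

    def tighten(self, known_partners) -> None:
        """'Just say no': switch to an allowlist seeded with the partners already trusted."""
        self.mode = TrustMode.ALLOWLIST
        self.allow |= set(known_partners)


def issuer_of(xml_text: str) -> str:
    """Return the entityID carried in the <saml:Issuer> child of the message root."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        # a message with no Issuer cannot be matched against any partner policy
        raise ValueError("message carries no Issuer; refusing to apply partner policy")
    return issuer.text.strip()


def idp_accepts_request(policy: PartnerPolicy, authn_request_xml: str) -> bool:
    """IDP side: accept or refuse an AuthnRequest based on which SP issued it."""
    return policy.accepts(issuer_of(authn_request_xml))


def sp_accepts_assertion(policy: PartnerPolicy, assertion_xml: str) -> bool:
    """SP side: accept or refuse an Assertion based on which IDP issued it."""
    return policy.accepts(issuer_of(assertion_xml))


# Constructed sample messages (hypothetical entity IDs; minimal, unsigned fragments).
SP_ID = "https://sp.example.net/metadata"
IDP_ID = "https://idp.example.org/metadata"

AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2006-11-07T12:00:00Z">
  <saml:Issuer>{SP_ID}</saml:Issuer>
</samlp:AuthnRequest>"""

ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2006-11-07T12:00:01Z">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
</saml:Assertion>"""


if __name__ == "__main__":
    easy_idp = PartnerPolicy(TrustMode.OPEN)
    print("open IDP accepts unknown SP:", idp_accepts_request(easy_idp, AUTHN_REQUEST))
    strict_sp = PartnerPolicy(TrustMode.ALLOWLIST, allow={IDP_ID})
    print("allowlist SP accepts known IDP:", sp_accepts_assertion(strict_sp, ASSERTION))
    easy_idp.tighten([SP_ID])
    print("tightened IDP still accepts its known SP:", idp_accepts_request(easy_idp, AUTHN_REQUEST))
```

The same three functions serve an OpenID-style deployment (OPEN), a blacklisted one (DENYLIST) and a conventional SAML federation (ALLOWLIST); only the policy object changes, which is the point that the protocol and the trust model are separate things.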

I take the following from this essay:
  1. For providers, as for young adults, the trick is finding the right balance between promiscuity and the other extreme.
  2. Providers will allow users to drive the partners with which they engage in identity transactions until such time as they choose not to.
  3. An identity protocol, OpenID or SAML, should not be conflated with the trust model of systems in which that protocol gets deployed. Put another way, SAML, if appropriately liquored-up, could be as much a whore as Britney Spears before Kevin and the babies.

Austin Powers had this to say on the subject:

"As long as people are still having promiscuous sex with many anonymous partners without protection while at the same time experimenting with mind-expanding drugs in a consequence-free environment, I'll be sound as a pound!"
