Wednesday, February 07, 2007

Speak now or forever hold ...

My marriage counselor says that a good marriage is one in which the partners complement each other - where one is weak, the other is strong and so forth (she also said something else about listening closely and being attentive but I can't recall the specifics).

The same is true of identity systems. If you integrate them together, the 'marriage' is much stronger if their respective strengths address weaknesses and limitations of the other.

Consider the following table. It attempts to lay out (very coarsely) the relative scope of 4 key identity systems: SAML, ID-WSF, Cardspace, and OpenID. Each system is characterized by whether or not it has something to say regarding 3 different interactions:
  1. that between the user and the IDP (i.e. how the user authenticates to the IDP)
  2. that between the SP and the IDP (i.e. how identity attributes are communicated/requested from one to the other)
  3. that between the SP and some other AP (i.e. how the SP finds and invokes sources of identity information other than the IDP)

SAML and Liberty Alliance ID-WSF are in a marriage, and you can see why it's a strong one. The interactions that SAML covers (e.g. between IDP and SP) are those that ID-WSF doesn't, and vice versa. The two are like those old couples who are able to successfully ignore each other and stay together forever (SAML's drinking is admittedly a problem, but it is getting help).

Cardspace and OpenID got engaged yesterday and, based on the table above, it should be a beneficial arrangement for both. It was the first column that motivated getting hitched - namely that Cardspace authentication could serve to address OpenID's vulnerability to phishing. The third column might become relevant in the future as well: this would involve a Cardspace RP using OpenID Attribute Exchange to get attributes not available from the Cardspace IDP.

But, if I were an 'identity system therapist', it would be the second column that might give me concern and have me set aside some 2-hour sessions for serious counselling. Both Cardspace and OpenID define mechanisms by which the assertions an IDP makes with respect to a user can be communicated to the RP - essentially, they both 'do' SSO. So, when is it appropriate to use OpenID, and when to use Cardspace?

One way for the two newlyweds to reconcile this overlap would be 'Well honey, OpenID is the right choice for low value transactions, and Cardspace for more sensitive applications' (I think this is how Jessica and Nick lasted as long as they did).

Ignoring questions of who decides what is valuable etc., this model might work - until such time as OpenID sees a self-actualization episode on Oprah and decides that it needs to 'grow spiritually'.

In the meantime, SAML and ID-WSF have been known to 'swing' - if you catch my drift.