Tuesday, March 18, 2008

Share and share alike

Ashish lists different sharing models - and categorizes identity protocols accordingly.

What clashes for me in Ashish's post is that, as I see it, he conflates two different things: the sharing of attributes (the decision to share with a given requestor, or not, rightfully belongs to the user) and the trust models that the different identity systems typically get deployed into (those decisions belong to the providers).

The decisions providers make in selecting federation partners, determined by an assessment of risk, liability, and business realities, are not the same decisions that individual users make with regard to sharing their attributes - although they are related.

For example, in its infancy (things are changing), OpenID was deployed in a wide-open trust model: RPs and OPs were expected to be indiscriminate in the selection of their partners. This partner trust model (e.g. an open white list, or a null black list) consequently placed no constraints on the trust between user and RPs that would dictate the policy over attribute sharing. If a user wants to define policy over the sharing of their attributes, they have to consider all possible RPs, because the list is not cut down for them by their OP.

On the other hand, SAML, Shib, ID-WSF etc. are typically deployed in a trust model where providers exercise more care in selecting partners, either directly (e.g. whitelists, blacklists) or indirectly (e.g. assurance frameworks or reputation). If the providers themselves have made decisions about whom to do business with (effectively choosing some subset of all possible partners), then their constituent users will have a more constrained decision to make regarding sharing within that subset.
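To make the two-layer decision concrete, here is an added example (constructed for this post, not code from any OP, IdP or protocol implementation): the provider's partner trust model is evaluated first, and only RPs that survive it reach the user's own attribute-release policy. The RP URLs, attribute names and policy classes are all assumed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the two decision layers discussed above.

class TrustModel(Enum):
    OPEN = "open"            # early-OpenID style: any RP unless blacklisted
    WHITELIST = "whitelist"  # SAML/Shib style: only vetted partners

@dataclass(frozen=True)
class ProviderPolicy:
    model: TrustModel
    whitelist: frozenset = frozenset()  # consulted when model is WHITELIST
    blacklist: frozenset = frozenset()  # consulted when model is OPEN

@dataclass
class UserPolicy:
    per_rp: dict = field(default_factory=dict)  # rp -> attributes the user releases
    default_release: frozenset = frozenset()    # applies to RPs the user never chose

def provider_admits(provider: ProviderPolicy, rp: str) -> bool:
    """Layer 1: would the provider federate with this RP at all?"""
    if provider.model is TrustModel.WHITELIST:
        return rp in provider.whitelist
    return rp not in provider.blacklist

def decide_release(provider, user, rp, requested):
    """Return (reason, attributes released). Provider trust is applied before
    the user's policy, so a non-partner RP never reaches the user decision."""
    if not provider_admits(provider, rp):
        return "provider-blocked", frozenset()
    allowed = frozenset(user.per_rp.get(rp, user.default_release))
    return "user-policy", frozenset(requested) & allowed

def rps_user_must_consider(provider, candidate_rps):
    """The RPs a user's sharing policy actually has to cover: every RP under
    an open trust model, only the vetted subset under a whitelist."""
    return frozenset(rp for rp in candidate_rps if provider_admits(provider, rp))

if __name__ == "__main__":
    # constructed sample: one vetted partner RP, one RP nobody has vetted
    open_op = ProviderPolicy(TrustModel.OPEN)
    wl_idp = ProviderPolicy(TrustModel.WHITELIST, whitelist=frozenset({"https://rp.example/"}))
    user = UserPolicy(per_rp={"https://rp.example/": {"email", "name"}},
                      default_release=frozenset({"email"}))
    for p in (open_op, wl_idp):
        print(p.model.value, decide_release(p, user, "https://unknown.example/", {"email", "name"}))
```

Under the open model the user's default policy silently governs the unvetted RP; under the whitelist model that RP is refused before the user's policy is consulted.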

OpenID purists would reject the idea that an identity provider has any right to constrain the set of possible service providers that a user might choose to share their identity attributes with. It's user-centric after all.

A SAML purist (if they exist) would agree with the principle, and then make sure the spec supports whitelists.

1 comment:

ashish said...

I meant it from the providers' and not from the individual users' perspective. Hence I was implying metadata and not necessarily user attributes. And "trust" would have been a better choice of word (but I was having a too much trust day :-)).
Anyway, to your other point, SAML deployments are normally 1-1. Based on what I gather about Shib/InCommon, there is a common place/file that hosts the metadata for all participants. The various entities go through a validation process to be listed in the common file...and hence 'Shared with a selected few'.