Friday, November 10, 2006

We need an IIW in Panama

Hypothesis - the level of promiscuity of an SP/RP (measured by its willingness to engage in identity transactions with IDPs) will demonstrate a strong negative correlation with the level of security that SP/RP expects for such transactions.

Highly promiscuous SPs/RPs will expect/require less security, selective SPs/RPS will require more (so, amongst other things, they can be sure they are dealing with the IDPs they think they are). What insight!

A consequence of the above is it's possible to combine 1) high security and promiscuous behaviour and 2) low security and discerning partner selection. Possible but not very logical. For the first combination, you are paying for security you don't need; for the second, you probably have insufficient security for your risk model.

I think OpenID and SAML have successfully found the right (but different) mixes of promiscuity and security. OpenID has focussed on promiscuous providers with an appropriate level of security, SAML on the opposite pairing. This is shown graphically below. Along the horizontal is SP selectivity (the opposite of promiscuity), along the vertical a measure of security.

So, both SAML and OpenID seem to have discovered distinct and valid islands. Nice. But, seems to me that both of late are exploring moving beyond these domains. OpenID is allowing for additional security options to OpenID 2.0, SAML to allowing for less security through the proposed SimpleSign binding.

Problem is, while OpenID is adding security, there is less evidence of that community defining mechanisms in support of less promiscuous partner selection (at least in the core spec and not deferred to extensions). Likewise, while SAML is allowing for security to be more a deployment decision, no mechanisms in support of more promiscuous SP/RP behaviour are being defined in the SSTC (like URI-based IDP discovery or something akin to OpenID's association mechanism). Consequently, OpenID appears to be expanding directly upwards into a zone of 'Pointless Overkill', and SAML straight down into a zone of 'Insufficient Security'.

We need an isthmus stretching from lower-left to upper-right - it's there that the "sweet spot" of convergence lays (and which keeps us well clear of the dangerous shoals threatening to tear a hole in the hulls of each ... blah blah blah).


Anonymous said...

Paul, you have OpenID straddling blacklists. Nothing specifies a blacklist, but I have suggested that RPs may actually make use of blacklists and whitelists for various reasons. However, you have whitelists a little too far to the right for OpenID to reach.

Shoulda used donuts.

Jason said...

Where do you think OAuth would fit in here?