Archive for March, 2007

The Venn of identity

My SAML parfait diagram experiment went pretty well. I heard from a number of people who found it helpful, and one fellow even asked for the source (OpenOffice.org, need you ask?) so he could try tweaking it to highlight one profile/protocol to which I’d given short shrift.

At around the same time, some people who came across the SAML (and Liberty)/OpenID/CardSpace Venn diagram that appears in the RSA talk I did with Liberty Alliance director Brett McDowell asked me to post it because they thought it was generally useful. I’m definitely not the artistic type, but I guess I can draw boxes and lines — and bubbles — well enough! The following version isn’t quite as pretty as the RSA one because that was done by a professional graphic artist for the occasion, but I’ve continued to fiddle with the wording a bit so I needed my own copy. (You really do need to click to enlarge this one, to read it properly.)

Identity Venn diagram

Giving credit where it’s due: The main author of this diagram is really Paul Madsen, who sketched an early version during the discussion of the identity triangle diagram that Johannes Ernst put together, so Johannes deserves a hat-tip for his original series. And the title of the post is stolen shamelessly from my former Sun colleague Gary Ellison, who used it for a presentation to the JA-SIG on federation, identity, and web services back in 2003.

In the spirit of some of Gary’s diagrams but at a higher level, I recently did another Venn diagram to flesh out my “convergence touchpoints” material in the RSA slides, providing a view that stretches across federated identity and web services. I can’t credit/blame anyone but myself for this one. Really, it’s slightly more than a Venn because the shapes of the bubbles hint at horizontal applicability. (Again, click to enlarge.)

Identity and web services Venn diagram

Let me know what you think…

Movin’ right along

I’ve been traveling a fair amount lately, constructing mini-vacations out of quick visits to various family members and pals. In Colorado I found myself…

Bowling shoes

…yes, bowling with my sister and her kids. Not that rock ‘n’ bowl stuff, just POBO. One of my nephews is now a giant of a young man; those are size 15 shoes he’s got on, and at 6’4″ he’s fond of patting his mother on the head and calling her a dwarf.

And in Los Angeles I got reacquainted with the Fairfax neighborhood where I spent the first few years of my life, only to find that…

Quaint old Farmer’s Market

…the quaint old Farmers Market I remember has been colonized by Starbucks and now features just-about-mandatory valet parking. Like, wow.

I also visited the Back Door Bakery and Cafe, whose proprietress is a lifelong family friend and very (make that extremely) good at what she does. If you’re in that part of the world, it’s a must-visit — even my London-based travel guide (also highly recommended) said so.

But now I’m home again and have turned my full attention back to more workaday matters…

Identity, Jim Kobielus, and coffee

Hmm, I wonder if I’d had too much coffee before getting on the phone with Jim yesterday. I have a habit, acquired from my dad, of pacing all over the place while talking on the phone, and I do have an awful lot of stuff going on all at once, so I’ll buy “rushed and frazzled”! (I always think of Worf saying, through gritted teeth, “I am calm.”) It was good to catch up with him. His skillful questioning about privacy did lead me to a new realization about two thoughts I’ve often had separately, which he captured well in his post.

Jim reported my saying that “OpenID 1.0 has a vulnerability in that it leaves users’ identities open to possible correlation by unauthorized third-parties.” To head people off at the pass who might incorrectly take “vulnerability” to mean something about “security” rather than something like “design consequence”, here’s more detail on what I meant.

OpenIDs are designed to be publicly known identifiers, which turns out to be a very handy property. However… While you can still have many of them, the “profile” capabilities of things like MyOpenID help you manage different subsets of information about you within a single one, and obviously having fewer logins is easier to deal with than having more. And while some new features in OpenID around “directed identity” may help you keep your real OpenID secret from the relying party, the architectural bias of OpenID’s design is public accessibility of the identifier. (This is something I commented on a bunch over the last few months, and the progression of “interesting identity problems” in my Moose Camp notes hints at it.) Also, despite the “pseudonymous” nature of an OpenID identifier, if you do own your own domain, there are ways of looking you up. And so on.
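To make the correlation point concrete, here is an added example (not from the original post, nor from any OpenID implementation) that joins two relying parties’ constructed login logs on the identifier they each saw. The `pairwise_id` function is a hypothetical provider-side pseudonym scheme used only to show what breaks the join; it is not OpenID’s actual directed-identity mechanism.

```python
import hmac
import hashlib

# Constructed sample login records from two relying parties (RPs).
# Each record is (RP realm, identifier presented at login, timestamp).
# With a public, global OpenID URL the same string shows up at both sites.
LOGINS = [
    ("https://blog.example", "https://alice.example/", "2007-03-20T09:00"),
    ("https://blog.example", "https://bob.example/", "2007-03-20T09:05"),
    ("https://shop.example", "https://alice.example/", "2007-03-21T14:30"),
    ("https://shop.example", "https://carol.example/", "2007-03-21T15:00"),
]


def correlate(records, realm_a, realm_b):
    """Identifiers seen at both RPs: the join two colluding sites can do.

    This is the "design consequence" of a public identifier: no secret is
    needed, only the two sites' ordinary login records.
    """
    seen_a = {ident for realm, ident, _ in records if realm == realm_a}
    seen_b = {ident for realm, ident, _ in records if realm == realm_b}
    return sorted(seen_a & seen_b)


def pairwise_id(secret, realm, ident):
    """Hypothetical provider-side pairwise pseudonym (illustrative only).

    The provider keeps `secret`; each RP receives HMAC(secret, realm || ident),
    so the value is stable per RP but differs between RPs.
    """
    msg = f"{realm}\x00{ident}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def pseudonymize(records, secret):
    """Rewrite the logs as they would look if RPs only ever saw pairwise IDs."""
    return [(realm, pairwise_id(secret, realm, ident), ts)
            for realm, ident, ts in records]


if __name__ == "__main__":
    print("public IDs  :", correlate(LOGINS, "https://blog.example", "https://shop.example"))
    hidden = pseudonymize(LOGINS, b"provider-secret (constructed)")
    print("pairwise IDs:", correlate(hidden, "https://blog.example", "https://shop.example"))
```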

And regarding the (only loosely and metaphorically) “opposite” problem in CardSpace, Jim points out a real question I have. Today, I’m used to logging in to (say) this blog by means of my laptop, my husband’s iMac, my Treo, random SunRays… Web authentication may not be hella secure a lot of the time, but it’s convenient. If I were to install a card in a CardSpace on my laptop for logging in here, how much trouble will it be to make it portable and/or install similar cards elsewhere? What are the consequences of developing client-bound context for each of these interactions? Is this issue being worked somewhere?

Having consumed my customary two cups (freshly ground beans in a Mr. Coffee) in the writing of this, I feel well fueled to tackle my day. Jim, if you come out this way, we can meet at the place I call the Lake Street office and the coffee will be my treat.