OpenID and OAuth: As the URL Turns

In Phil Windley’s initial IIW wrap-up, he alluded to the soap-opera nature of the OpenID wrangling that went on last week. It’s an apt description.

In the spirit of real ones:

Margo wanted Parker to get an attorney before making a confession but he insisted on telling the truth anyway. Margo quickly called Jack with the latest development so he and Carly rushed to the station. Jack ordered his son to keep quiet but Parker said he was going through with his confession. Carly was brokenhearted that Parker couldn’t be silenced and Margo took Jack off the case. [ATWT]

…I present the soap-opera synopsis of the goings-on:

David showed up at the Mountain View party with OpenID Connect, which had been hanging around with OAuth in a way that seemed promiscuous. Having insisted last year that it was ready to change, OpenID quickly got busy. OpenID Artifact Binding was brokenhearted that its quiet yet effective nature wasn’t enough to get it noticed. UMA and CX couldn’t help putting in their two cents when they heard what the problem was.

The OpenID specs list discussion is now hopping, and so far it’s been relatively free of pique and getting more productive as people understand each other’s use cases and requirements better. Now we just need to come up with a list of in-scope ones…and realize that the best ideas for solving each one could come from anywhere.

So: Can we try and combine the grand vision and breadth of community of the OpenID.next process, the rigor and security of OpenID AB, and the speed and marketing savvy of OpenID Connect — rather than (ahem) the speed and rigor of the OpenID.next process, the grand vision and marketing savvy of OpenID AB, and the security and breadth of community of OpenID Connect?

UPDATE on 10 July 2010: This post has been translated into Belorussian by PC.

The Zen of Venn

“You will never be done with the Venn. That’s your destiny. Accept it.”

So said my colleague Ashish recently, as I agonized over some tweaks to the Venn of Identity diagram. The editing started out as a quick fix to the figure that appears in the IEEE Security and Privacy article of the same name; the diagram text was exactly what Drummond and I had specified — but the graphic emerged from the publication process visually “broken”, with no intersection lines.

But of course technologies and understandings and use cases evolve, and it began to seem like a good time to update the text too. What with the new U.S. federal government effort around Open Identity Solutions for Open Government (and PayPal’s involvement in same), I thought maybe I could do a better job of capturing the main strengths OpenID, InfoCard, and SAML bring to today’s table.

In that Zen-like and Concordic spirit, I hereby present a new — date-stamped — version of the Venn (click for the full-size .png):

I hope this new version can continue to support productive discussions that help solve real-world identity problems.

If you’re wondering whether it’s okay to pick up and reuse the diagram — go for it! Just please note the Creative Commons license below. I’ll keep VennOfIdentity.org pointed to the new Venn category on my blog so that people who see propagated copies can keep up with updates if they like.

The Venn of Identity – September 2009 by Eve Maler is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

p.s. Thanks to “W.” of the Tech and Law blog for our great email exchange this week on Venn-shaped matters, which sparked even more edits…