Tag Archives: OpenID

New post: Venn of access control for the API economy

Up on the Forrester blogs, I present a new Venn diagram that compares OAuth, OpenID Connect, and UMA. A number of people contributed to the final form of this one, which we presented in a Google Tech Talk a couple of weeks back. Thanks to all of the following folks (listed in no particular order) for their feedback!

By the way, we’ve got another UMA Twitter chat coming up this Wednesday morning at 9am Pacific. For details, visit http://tinyurl.com/umachat. Spread the word, join us, and get all your questions answered…

New: “Participating In Markets For Portable Identities In The Cloud: What’s The Coin Of Your Realm?”

I’ve got a new post up on the Forrester blogs, discussing a “markets for portable identity” angle on my latest research report (which is full of Venn goodness!), and how SAML, OAuth, and OpenID are “hard currencies.”

You could take this theme pretty far. Does SAML-OAuth bridging have any elements of arbitrage about it? Is assurance leakage in protocol translation like the lousy currency exchange rates at those little van kiosks in airports? Maybe that’s far enough…

New: “OpenID, Successful Failures And New Federated Identity Options”

Though there’s still a creepy fuzzy anonymous head where my picture is supposed to be, I’ve got my first post up on the Forrester Research Security & Risk blog. It discusses the recent 37signals decision to stop using OpenID and the larger “button-based login” environment in which OpenID can be considered a positive influence. As a bonus, it provides a new Venn diagram comparing features of OpenID + attribute exchange, the SAML web browser SSO profile, and OAuth + “connect”-style login.

Later: Neat, it’s been cross-posted to the CSO Online blog as well.

PayPal X Innovate is around the corner

It’s nearly time for the second annual PayPal X Innovate conference — October 26 and 27 at Moscone Center in SF. The PayPal X developer network has not only the coolest domain known to humankind, but it also hosts the Innovate conference, which is all about making the future of money happen.

Praveen Alavilli has slipped me a great discount code for y’all to use: “LETSINNOVATE” will get you $100 off the registration fee.

Ashish Jain and I will be there talking about identity services progress and plans, and also listening intently: we’d love to talk with online retailers and e-commerce developers about how you see digital identity playing a role in your apps and your payment needs.

Folks from Janrain will also be there, discussing social sign-on trends in retail. They’ve posted an excellent roundup of everything you can hear and experience at Innovate, and they also share some news about the OpenID Foundation’s new Retail Advisory Committee.

See you there!

Making identity portable in the cloud

Yesterday I had the opportunity to contribute to BrightTALK’s day-long Cloud Security Summit with a webcast called Making Identity Portable in the Cloud.

Some 30 live attendees were very patient with my Internet connection problems, meaning that the slides (large PDF) didn’t advance when they were supposed to and I couldn’t answer questions live. However the good folks at BrightTALK fixed up the recording to match the slides to the audio, and I thought I’d offer thoughts here on the questions raised.

“Framework provider – sounds suspiciously like an old CA (certificate authority) in the PKI world! Why not just call it a PKI legal framework?” Yeah, there’s nothing new under the sun. The circles of trust, federations, and trust frameworks I discussed share a heritage with the way PKIs are managed. But the newer versions have the benefit of lessons learned (compare the Federal Bridge and the Open Identity Solutions for Open Government initiative) and are starting to avail themselves of technologies that fit modern Web-scale tooling better (like the MDX metadata exchange work, and my new favorite toy, hostmeta). PKI is still quite often part of the picture, just not the whole picture.

“How about a biometric binding of the individual to the process and the requirement of separation of roles?” I get nervous about biometric authentication for many purposes because it binds to the bag of protoplasm and not the digital identity (and because some of the mechanisms are actually rather weak). If different roles and identities could be separated out appropriately and then mapped, that helps. But with looser coupling come costs and risks that have to be managed.

“LDAP, AD, bespoke, or a combination?” Interestingly, this topic was hot at the recent Cloud Identity Summit (a F2F event, unlike the BrightTALK one). My belief is that some of today’s tiny companies are going to outsource all their corporate functions to SaaS applications; they will thrive on RESTfulness, NoSQL, and eventual consistency; and some will grow large, never having touched traditional directory technology. I suspect this idea is why Microsoft showed up and started talking about what’s coming after AD and touting OData as the answer. (Though in an OData/GData deathmatch, I’d probably bet on the latter…)

Thanks to all who attended, and keep those cards and letters coming.

OpenID and OAuth: As the URL Turns

In Phil Windley’s initial IIW wrap-up, he alluded to the soap-opera nature of the OpenID wrangling that went on last week. It’s an apt description.


In the spirit of real ones:

Margo wanted Parker to get an attorney before making a confession but he insisted on telling the truth anyway. Margo quickly called Jack with the latest development so he and Carly rushed to the station. Jack ordered his son to keep quiet but Parker said he was going through with his confession. Carly was brokenhearted that Parker couldn’t be silenced and Margo took Jack off the case. [ATWT]

…I present the soap-opera synopsis of the goings-on:

David showed up at the Mountain View party with OpenID Connect, which had been hanging around with OAuth in a way that seemed promiscuous. Having insisted last year that it was ready to change, OpenID quickly got busy. OpenID Artifact Binding was brokenhearted that its quiet yet effective nature wasn’t enough to get it noticed. UMA and CX couldn’t help putting in their two cents when they heard what the problem was.

The OpenID specs list discussion is now hopping, and so far it’s been relatively free of pique and getting more productive as people understand each other’s use cases and requirements better. Now we just need to come up with a list of in-scope ones…and realize that the best ideas for solving each one could come from anywhere.

So: Can we try and combine the grand vision and breadth of community of the OpenID.next process, the rigor and security of OpenID AB, and the speed and marketing savvy of OpenID Connect — rather than (ahem) the speed and rigor of the OpenID.next process, the grand vision and marketing savvy of OpenID AB, and the security and breadth of community of OpenID Connect?

UPDATE on 10 July 2010: This post has been translated into Belorussian by PC.

The Zen of Venn

“You will never be done with the Venn. That’s your destiny. Accept it.”

So said my colleague Ashish recently, as I agonized over some tweaks to the Venn of Identity diagram. The editing started out as a quick fix to the figure that appears in the IEEE Security and Privacy article of the same name; the diagram text was exactly what Drummond and I had specified — but the graphic emerged from the publication process visually “broken”, with no intersection lines.

But of course technologies and understandings and use cases evolve, and it began to seem like a good time to update the text too. What with the new U.S. federal government effort around Open Identity Solutions for Open Government (and PayPal’s involvement in same), I thought maybe I could do a better job of capturing the main strengths OpenID, InfoCard, and SAML bring to today’s table.

In that Zen-like and Concordic spirit, I hereby present a new — date-stamped — version of the Venn (click for the full-size .png):


I hope this new version can continue to support productive discussions that help solve real-world identity problems.

If you’re wondering whether it’s okay to pick up and reuse the diagram — go for it! Just please note the Creative Commons license below. I’ll keep VennOfIdentity.org pointed to the new Venn category on my blog so that people who see propagated copies can keep up with updates if they like.

Creative Commons License The Venn of Identity – September 2009 by Eve Maler is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

p.s. Thanks to “W.” of the Tech and Law blog for our great email exchange this week on Venn-shaped matters, which sparked even more edits…