Security/identity · 2007-01-15

Gathering up the claims

Conor already did a much better job than I would have, discussing Dave Kearns’s point in Putting ID all together about “in-the-net” services for storing identity data vs. coordinating local storage of same.

So I find myself with nothing much to add on that point, other than to note that the earliest demonstrations of real-live Liberty Alliance ID-WSF usage, like Radio@AOL, have allowed for personal devices that work as identity services that securely help you customize your online experience. John Kemp has been showing how this works on Nokia phones for the last couple of years (which has always been a big hit at the XML Summer School!).

What I was trying to get at originally was that if a human wants to get assistance in correlating identity information from different sources, she will have to expose information about herself to the “thing” assisting her — whether it’s a local device that has network access, or a service she logs into through some browser or other, or whatever. Otherwise she’s stuck mentally — or “Post-It Notely” — correlating everything herself. The nature of federation is that you have to inform one keeper-of-info that there’s another keeper-of-info in the picture. You can protect yourself from having to give your master list of usernames to all of them by having them exchange fake names (pseudonyms) for you.
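The pseudonym exchange described above, as an added example that is not from the post or from any Liberty specification: an identity provider hands each partner service a different, stable pseudonym for the same user, so two keepers-of-info that compare their tables find no common identifier, while the provider can still map a pseudonym back. The HMAC-based derivation and the partner names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative construction, not Liberty's specified one: pseudonyms are
# derived with a keyed hash so they are stable per partner but unlinkable
# across partners and unguessable without the provider's secret.

class IdentityProvider:
    def __init__(self):
        # Keying secret never leaves the provider.
        self._secret = secrets.token_bytes(32)
        # Reverse index: (partner, pseudonym) -> local username.
        self._lookup = {}

    def pseudonym_for(self, username, partner):
        msg = f"{partner}\x00{username}".encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        self._lookup[(partner, tag)] = username
        return tag

    def resolve(self, partner, pseudonym):
        return self._lookup.get((partner, pseudonym))


def shared_identifiers(records_a, records_b):
    # What two keepers-of-info can correlate by comparing their user tables.
    return set(records_a) & set(records_b)


def demo():
    idp = IdentityProvider()
    users = ["alice", "bob"]  # constructed sample users
    # Without pseudonyms every keeper holds the same master usernames.
    naive_bank = {u: "loan status" for u in users}
    naive_employer = {u: "employment status" for u in users}
    # With pseudonyms each keeper sees a partner-specific name only.
    bank = {idp.pseudonym_for(u, "bank.example"): "loan status" for u in users}
    employer = {idp.pseudonym_for(u, "employer.example"): "employment status"
                for u in users}
    return {
        "naive_overlap": shared_identifiers(naive_bank, naive_employer),
        "pseudonym_overlap": shared_identifiers(bank, employer),
        "stable": idp.pseudonym_for("alice", "bank.example") in bank,
        "resolved": idp.resolve("bank.example",
                                idp.pseudonym_for("alice", "bank.example")),
    }
```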

I recall Conor and Dick Hardt getting down to cases at IIW2006b on the differences between Dick’s approach vs. Liberty’s, surrounding how many keepers-of-info should be in the picture. Dick was assuming that the user, having chosen an identity provider (in that discussion, an OpenID Provider or OP), would happily entrust everything about themselves to that one OP and would want all relying parties to upload any interesting facts about the user back to the OP; his requirements flowed from this to make the upward provisioning happen. On the other hand, Liberty has a requirement to get attributes from varying master sources depending on where it makes most sense to be the supplier; this has attendant requirements about security, privacy, policy, etc. because there’s a whole transfer infrastructure you need to support this. (I’ll be reviewing some of the details of this at the Liberty 2.0 workshop on January 22.)

If all you’re storing is self-asserted info about you personally, then sure, it’s handy to consolidate all of it in one place over which you have direct control, whether that’s a traditional web app/service, a device you carry on your person, etc. But as soon as you get into information that someone else has the right to own (including mundane things like your employment status, which comes up a lot when you, say, apply for loans), I can’t see their being okay with giving you the “gold copy” to hold. That’s where multi-sourcing really shows its stuff.

(Pat just made a related point about how to manage minimal disclosure of your identity data when relying parties come calling… Don’t miss that.)