Security/identity · 21 Jan 2008

Circles of trust: disaster? or really bad idea?

…or the greatest thing since long-lasting nasal spray (to quote the immortal Dave Barry)?

Given the announcements about OpenID providers (the latest notable ones being Yahoo and the Telegraph), it seems ordinary people have a multitude of OpenIDs to choose from, alongside all their regular “non-decentralized, non-user-centric, non-open” (to coin a phrase) identifiers. Put another way, every week I experience a net gain of about one new online identifier, and with the recent OpenID announcements I see the trend continuing.

It’s tantalizing that the Telegraph hints (without confirming anything yet as far as I know) that they’ll accept OpenIDs from other sources. But to the extent that OpenID providers don’t do that, or do it only by carefully vetting other partners and setting up special whitelist relationships with them wherever data of non-zero value might be exchanged, the situation will look an awful lot like it does now: circles of trust getting built through contractual negotiations, accounts being federated either one-by-one (when users request it) or in bulk (where users are okay with this sort of back-channel communication), and so on.

OpenID identifiers may be decentralized in that anyone can create and dereference them, but it’s a lot harder to “decentralize” the building of trust relationships; the world has been trying without a lot of success. So we may eventually be able to get to an ATM-network-of-networks scenario, or a roaming-telephony scenario, where all the parties have worked out all the relationships and you can use your “home” identity anywhere — but I foresee having to do it the hard way, the way the financials and the telcos (and, by the way, the InCommon Federation) have done it.

The question is, does OpenID provide other benefits that outweigh traditional (including SAML!) interfaces for making this happen? In the Identity Provider/Relying Party/User adoption triangle for OpenID, IdPs are extremely heavily weighted at the moment. This is no surprise whatsoever: opening up an OpenID interface to an existing set of accounts is relatively easy and exposes you to far less risk than accepting arbitrary “foreign” claims. The triangle needs to even out if we’re to see network effects, and for that to happen, OpenID may have to become more and more like the thing some say is antithetical to its design center: an enterprise-class framework that caters to many different trust and privacy needs.
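To make the whitelist point above concrete (both the “special whitelist relationships wherever data of non-zero value might be exchanged” and the risk of “accepting arbitrary foreign claims”), here is an added example of what a relying party's acceptance policy looks like once it stops treating every OpenID as equal. It is illustrative code written for this post, not code from any OpenID library or provider; the provider hostnames, the resource classes and the tier thresholds are all constructed. The one design point worth noticing is that the tier is keyed on the OP endpoint the RP discovered, not on the claimed identifier's own hostname: OpenID delegation lets any identifier URL point at any provider, so the host in the identifier says nothing about who actually vouched for the user.

```python
"""Relying-party trust tiers for OpenID assertions (constructed example)."""
from enum import IntEnum
from urllib.parse import urlsplit, urlunsplit


class Tier(IntEnum):
    """How much this RP trusts the provider that vouched for an identifier."""
    UNKNOWN = 0   # any OpenID that anyone on the internet can mint
    VETTED = 1    # provider on the contractual whitelist
    HOME = 2      # the RP's own accounts


# Hypothetical whitelist: OP endpoint hosts this RP has a contract with.
VETTED_OP_HOSTS = frozenset({
    "openid.example-news.test",
    "login.example-portal.test",
})
HOME_OP_HOST = "id.example-rp.test"

# Minimum tier per resource class; "comment" is the zero-value case where
# a bare OpenID is good enough, "billing" is where only home accounts will do.
REQUIRED_TIER = {
    "comment": Tier.UNKNOWN,
    "profile": Tier.VETTED,
    "billing": Tier.HOME,
}


def normalize(identifier: str) -> str:
    """Canonical form of a claimed identifier: default scheme, lowercase host,
    default path '/', fragment dropped. Used as the stable key for an account link."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def classify(op_endpoint: str) -> Tier:
    """Trust tier for an assertion, keyed on the OP endpoint the RP discovered
    for the claimed identifier (the endpoint it must also check the assertion
    against), never on the claimed identifier's own host."""
    op_host = (urlsplit(op_endpoint).hostname or "").lower()
    if op_host == HOME_OP_HOST:
        return Tier.HOME
    if op_host in VETTED_OP_HOSTS:
        return Tier.VETTED
    return Tier.UNKNOWN


def authorize(op_endpoint: str, resource: str) -> bool:
    """Accept the assertion for this resource class only if the vouching
    provider's tier meets the class's threshold; unknown classes fail closed."""
    required = REQUIRED_TIER.get(resource)
    if required is None:
        return False
    return classify(op_endpoint) >= required


def federation_key(claimed_id: str, op_endpoint: str) -> tuple:
    """What the RP should store when it links a foreign identifier to a local
    account: the normalized identifier together with the provider that vouched
    for it, so that re-pointing the identifier at a different provider later
    does not silently inherit the link."""
    op_host = (urlsplit(op_endpoint).hostname or "").lower()
    return (normalize(claimed_id), op_host)


if __name__ == "__main__":
    # Constructed assertion: a whitelisted provider vouching for a delegated identifier.
    cid, op = "https://alice.random.test/", "https://openid.example-news.test/server"
    for res in ("comment", "profile", "billing"):
        print(res, classify(op).name, authorize(op, res))
    print(federation_key(cid, op))
```

Note that the "billing" class is the only one that refuses every foreign provider; that is the post's point in miniature, since an RP that wants to accept foreign claims for anything of value has to promote a provider into the vetted set first, and that promotion is a contract, not a protocol message.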

(Jeff Hodges has just published draft 06 of his OpenID and SAML Technical Comparison — this link goes to whatever the latest draft is — and it provides food for thought on the two approaches, particularly if you know one well and want to learn more about the other.)