Wednesday, October 10, 2007

It seems that history is about to repeat itself: after Liberty formed, a lot of people either felt left out or did not understand what all this 'identity stuff' was good for. Granted, in 2002 Liberty was about five years ahead of the rest of the market. At the time, I thought that this perception problem could be attributed to some abysmally bad marketing - I guess that this was only partially correct.

Today, the same complete lack of understanding is about to hit the "user-centric" identity community as well: take a look at a post by Brian Huff and compare that with this post from Tim Bass (via James McGovern).

It seems astounding to me that both authors (who claim to be working in 'SOA') have so little understanding of the problems, technologies, and solutions in the identity space. Granted, I am a geek working in this area, but both Tim and Bex claim to be architects and decorate themselves with shiny titles (CTO, CISSP, Oracle ACE Director). They should know better.

Both advocate (in so many words) 'a simpler identity system' (heard that one before) and 'authentication - and that's it'. Both paint existing standards in a very bad light, describing them as 'immature, confusing and less-than-proven security standards' or asking 'Makes you wonder why people bother to call them "standard," doesn't it?'.

Ok, guys, you do not understand identity: get over it and hire someone who does. The good old days when everyone was getting ready for the global directory and its PKI are over. These days it is not only about authN and authZ, but about much bigger business and regulatory issues like trust or identity theft.

It seems that the larger identity community (Liberty, InfoCard, OpenID) is about to experience the same pushback that Liberty was facing initially. Let us hope that our joint communication efforts today will help to close this 'perception gap'.

--

Here are a few comments regarding Brian's post:

1. CardSpace, OpenID, SXIP, (parts of) WS-*
These are not, even by the widest possible definition, standards, but rather a collection of protocol specifications. Some of them are even proprietary, IPR-protected technologies (e.g. SXIP) that are not even covered by a NAC (non-assertion covenant). Also, why do you not include real identity protocols from industry consortia that are free to implement, e.g. ID-WSF?

2. SPML, XDAS
These standards (SPML from OASIS, XDAS from The Open Group) have, per se, nothing to do with identity. They *touch* upon identity and security, but are not core to it. Otherwise you should also include HTTP, IMAP, SOAP, and even TCP.

3. LDAP, SAML 2, (parts of) WS-*, XACML
These are, in a wider sense, identity and security related standards. But so are many, many others (Kerberos, X.509, WSPL, XML-Enc, etc.) that you chose to omit. And interestingly enough, most of these standards build on each other or are complementary. So where is the issue?

4. The API issue
There is no unified, standardized API for all these protocols? For starters, protocol organizations typically create protocols, not APIs (one notable exception is the GSS-API). If you want to create a 'standard' identity API, go to the JCP and propose a JSR. That organization is probably the body with the largest number of standardized APIs, and it is, by most standards, fairly open today. On the other hand, if you take the contract-first approach seriously, every WSDL or SOAP profile is reasonable API documentation. In fact, this approach allows you to select your platform of choice.

Regarding Tim's post:

His list of immature protocols is simply ridiculous. SAML has been well established since 2001: go ask the Shib folks, who are running the larger chunk of the academic environment on this protocol. XML Enc and DSig: yes, there are a few problems (authenticated encryption or key exchange), but none of these problems is insurmountable, and they have been solved for a long time.


Wednesday, October 10, 2007 9:36:42 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.