
Identity is dead! Long live identity!

While the post mortems of Cardspace and OpenID continue, surely the elephant in the room is the whole federated identity project. Empirically, federated identity has proven to be easier said than done. In Australia alone at least four well-funded projects foundered. Internationally there’s been a revolving door of industry groups and standards development, all well intended, but none of them yet cutting through. Like Simplified (née Single) Sign On, federated identity chronically over-promises and under-delivers.

Aren't the woes of Cardspace and OpenID intimately connected to the federated identity paradigm? And don't they bode ill for the National Strategy for Trusted Identities in Cyberspace? We need to make the connections if the grand plans for identity are to succeed.

I call for a more critical appraisal of federated identity. We’ve been mesmerised en masse by an easy intuition that if I am known by a certain identity in one circle, then I should be recognisable by more or less the same identity in other circles. Like many intuitions, it’s simply wrong.

False intuitions

In brief, this is how I see the state of play as it now stands:

OpenID provides an unverified nickname to log on to websites that don’t care who you are. The same trick is achieved by easier-to-use Twitter ids or Facebook Connect, so these are proving more popular for blogs and the like. OpenID would be a mere curiosity except that it’s become the poster child of OIX and NSTIC. The White House extrapolates from the OpenID model to imagine that once you have an identity from a phone company or university you should be able to use it to log on to your bank.

The weird and wonderful Laws of Identity speak of deep truths about digital identity such as context, and they forcefully make the case for each of us exercising a plurality of identities, and never just one. The Laws expose the abstract roles of Identity Provider and Relying Party in what regular organisations like banks and governments do for their customers. Yet few if any of these institutions have been convinced by the Laws to openly embrace these roles, mainly because nobody has yet worked out a palatable way of allocating liability in multilateral brokered identity arrangements, without re-writing the contracts that currently govern how we buy, bank and access government services.

Cardspace is by turns a wondrous graphical user interface, and an implementation of the Identity Metasystem.

The Identity Metasystem is a utopian vision aiming high to enable stranger-to-stranger e-business. Ironically it’s a lot like the Big PKI of old in that it seeks to establish “trust” online. It inserts new players into what were previously tightly managed bilateral transactions, and changes the roles and risk profiles of conservative businesses like banks. In short, the Identity Metasystem is a radical change to how parties transact.

And finally all these new players and sub-plots are supposed to be parts of an “Identity Ecosystem”, and not merely isolated products & services in the next generation of a growing information security marketplace. The trouble here is that real ecosystems evolve rather than being architected. Artificial ecosystems like tropical aquariums and botanical gardens need constant care, attention and intervention to save them from collapse. Time will tell how the identity ecosystem fares if it's ever left to its own devices.

I have analysed different parts of the struggle for identity in greater detail elsewhere in my blog. To summarise:

  • 1. The evidence plainly shows that federation is harder than it looks; the reason is probably sheer legal novelty.
  • 5. The major problem in cyber space is prosaic and does not merit re-imagining how we conduct business; it is simply that the perfectly good identities we already have lose their pedigree when we take them casually from real world to digital.
  • 7. And we probably need a fresh frame for understanding how identities evolve in extant natural social ecosystems, so that we do a better job telling which identities are amenable to federation across contexts and which are best left alone in their current ecological niches.

And so in my view, the federated identity effort turns what really are straightforward technological problems -- the password plague and identity theft -- into intractable business and legal problems.

As the security marketplace absorbs the lessons of Cardspace and OpenID, for sure there will be fresh life breathed into digital identity.



Craig Burton, Thu 24 Feb 2011, 12:35pm

Steve, these are good observations but are misleading.

You clearly have collapsed the CardSpace implementation of the Identity Metasystem with the Identity Metasystem itself.

Whether CardSpace is "over engineered" or not is irrelevant. The selector abstraction makes the details of an implementation hidden. This architecture makes the amount of engineering involved a non-issue.

As usual, the apparent complexity of identity allows us to get all wound up in the beauty or ugliness of the algorithm instead of focusing on a design that lets us move ahead regardless of these details.

If you separate the details of the CardSpace implementation from the metasystem specification you can have just that. For example, the Higgins and Bandit selectors didn't use PKI or Web* services at all.

On top of that, why collapse the conversation of Federated Identity into this matter?

Stephen Wilson, Thu 24 Feb 2011, 1:06pm

Thanks Craig. You may be misreading me. I don't think Information Cards are over-engineered; on the contrary they are a very elegant GUI that gives exactly the right impression of my different guises and how those guises are relevant or not to my various counterparties. And I agree with you that Infocards very usefully hide the underlying authentication and authorization technologies.

What I said was that the Identity Metasystem is over-engineered, and I mean that relative to the higher priorities in e-commerce. To authenticate payments, e-health, e-government and most teleworking, we only need to take the perfectly good identities we already have in those different contexts (there aren't very many of them) and render them in a non-replayable digital form. The relevant identities are anticipated in each context. There are no strangers here. So we do not need to insert third party IdPs, and we do not need advanced new zero knowledge technologies to convey unanticipated assertions.

I deliberately fold federated identity into this debate -- and indeed urge everyone to take a step back and re-consider federation -- because my first hand experience of four failed metasystem-style schemes shows that the fatal problem is legal complexity. Usability, corporate support and company politics haven't helped the Cardspace cause (as Mike Jones, Doc Searls, Kim and you have all said) but I'm arguing that even if we solve these problems, we still won't have a good solution, because the very basis of federated identity and the identity metasystem is overwrought.

This is the nub of the take-up problem: If you convince a bank's CEO that the Laws of Identity show an exciting future for their business as IdP and/or RP, and if you then convince the CTO that the Identity Metasystem is the way to go (be it Higgins or Microsoft or anything), you still need to convince the CRO and the lawyers. I have seen this play out several times now. I have seen new schemes work out the new contracts and liability allocations that will transform transactions from bilateral RP-Subject arrangements to multi-lateral RP-IdP-Subject arrangements. But when these new contracts go to the lawyers for IdPs and RPs, they say "Wow, we've never seen this kinda contract before. Leave it with us; we'll call you back". These are not the words you ever want to hear from a commercial lawyer. The CEO finds out the lawyers don't just have misgivings but they don't really know how to proceed, and the CEO pulls the plug on the federation initiative.

Tom Biskupic, Thu 3 Mar 2011, 12:47pm

I agree with your assessment of the Identity Metasystem but I just wish I could have a smaller wallet.

Really OpenID gives you nothing more than an authentication service and not really an ID. Given it is password based and can't authenticate messages it isn't even a strong authentication service!

I agree your identity varies by context. During the rise of Attribute certificates somebody postulated that the lifetime of a digital certificate was inversely proportional to the number of fields in it. The argument being that the more identity attributes you stuff in there the more likely the certificate will need to be updated. Trying to bundle everything into a single uber identity is harder than maintaining multiple.

The utopia of a single card wallet could be attained by simply outsourcing authentication rather than outsourcing (or centralizing) the management of identities which as you say are tied to a context. It would then be up to the bank etc to associate their ID for you with your (otherwise meaningless) identifier provided by the authentication service.

This doesn't solve the tedium of the 100 point check however. Certainly I could see some common bits of identity information being provided by a TTP and linked to you via the authentication service identifier. I imagine this is where the liability discussion gets interesting. Also, while there is some attraction to streamlining customer registration by getting their name and address etc magically after authenticating them with a smart-card plus thumb-print (or whatever) why would the vendor want a system that makes customer churn easier?

B2B would benefit from a common authentication service rather than relying on the peer organisation for this. They would still need to tie the authenticated user identifier to the corporate identity of the peer entity however which comes back to our present federation challenges. That problem isn't made easier by centralizing the identity.
