While the post mortems of Cardspace and OpenID continue, surely the elephant in the room is the whole federated identity project. Empirically, federated identity has proven to be easier said than done. In Australia alone at least four well-funded projects foundered. Internationally there’s been a revolving door of industry groups and standards development, all well intended, but none of them yet cutting through. Like Simplified (née Single) Sign On, federated identity chronically over-promises and under-delivers.
Aren’t the woes of Cardspace and OpenID intimately connected to the federated identity paradigm? And don’t they bode ill for the National Strategy for Trusted Identities in Cyberspace? We need to make the connections if the grand plans for identity are to succeed.
I call for a more critical appraisal of federated identity. We’ve been mesmerised en masse by an easy intuition that if I am known by a certain identity in one circle, then I should be recognisable by more or less the same identity in other circles. Like many intuitions, it’s simply wrong.
In brief, this is how I see the state of play as it now stands:
OpenID provides an unverified nickname to log on to websites that don’t care who you are. The same trick is achieved by easier-to-use Twitter IDs or Facebook Connect, so these are proving more popular for blogs and the like. OpenID would be a mere curiosity except that it’s become the poster child of OIX and NSTIC. The White House extrapolates from the OpenID model to imagine that once you have an identity from a phone company or university you should be able to use it to log on to your bank.
The weird and wonderful Laws of Identity speak of deep truths about digital identity such as context, and they forcefully make the case for each of us exercising a plurality of identities, and never just one. The Laws expose the abstract roles of Identity Provider and Relying Party in what regular organisations like banks and governments do for their customers. Yet few if any of these institutions have been convinced by the Laws to openly embrace these roles, mainly because nobody has yet worked out a palatable way of allocating liability in multilateral brokered identity arrangements without rewriting the contracts that currently govern how we buy, bank and access government services.
Cardspace is by turns a wondrous graphical user interface, and an implementation of the Identity Metasystem.
The Identity Metasystem is a utopian vision aiming high to enable stranger-to-stranger e-business. Ironically it’s a lot like the Big PKI of old in that it seeks to establish “trust” online. It inserts new players into what were previously tightly managed bilateral transactions, and changes the roles and risk profiles of conservative businesses like banks. In short, the Identity Metasystem is a radical change to how parties transact.
And finally all these new players and sub-plots are supposed to be parts of an “Identity Ecosystem”, and not merely isolated products & services in the next generation of a growing information security marketplace. The trouble here is that real ecosystems evolve rather than being architected. Artificial ecosystems like tropical aquariums and botanical gardens need constant care, attention and intervention to save them from collapse. Time will tell how the identity ecosystem fares if it’s ever left to its own devices.
I have analysed different parts of the struggle for identity in greater detail elsewhere in my blog. To summarise:
And so in my view, the federated identity effort turns what really are straightforward technological problems — the password plague and identity theft — into intractable business and legal problems.
As the security marketplace absorbs the lessons of Cardspace and OpenID, for sure there will be fresh life breathed into digital identity.