Existing Identity Solutions (Getting to Where We Want to Be from Where We Are Today)

If you are a corporate developer, then likely you will be intimately familiar with the world of pain that is Single Sign-On. The amount of time spent getting applications to accept a corporate standard authentication mechanism is astounding. Although there seems to be a trend for enterprises to consolidate around Active Directory (the twin lures of Exchange Server and Group Policy proving too strong to resist), it will be many years, if ever, before one directory service becomes a de facto standard.

Regardless of which directory an organization standardizes on, the entries in that directory are best limited to the employees and resources of that organization. We really don't want to have to maintain a directory entry for every single employee of every business partner we deal with. The right way to do it is via identity federation.

Microsoft's Active Directory Federation Services (ADFS) uses WS-Trust and WS-Federation to build a bridge between two companies' Active Directories. In effect, Company A is set up to trust certain security tokens from company B and/or vice versa.

To give a concrete example, Microsoft has a company store where you can buy gorgeous Microsoft-branded merchandise such as mugs and umbrellas. Employees can order these collectors' items via a hosted website run by an outside company, with its own directory. In the past, Microsoft employees have had to be issued (and, worse, had to remember) a separate username and password for this site. By setting up a trust relationship between an account ADFS server on the Microsoft side and a resource ADFS server on the hosting company side, Microsoft employees can now authenticate using their habitual AD credentials, seamlessly gain access to the company store website, and buy 10 mugs and a cordless mouse to celebrate.

The separation of responsibilities here is entirely logical. Microsoft maintains its directory of employees and their spending limits. The hosting company concentrates on processing orders without the hassle of maintaining a shadow account for every Microsoft employee who buys a T-shirt. The employees, meanwhile, have the pleasure of a seamless experience and the untold joy of one fewer username and password to remember.
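To make that separation of responsibilities concrete, here is an added example (not code from the book, and not ADFS's own implementation) that models the account side issuing a signed claims token and the resource side checking it against its trust configuration. The issuer names, the audience, the `spending_limit` claim and the shared HMAC key that stands in for the signing certificate are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins: an HMAC key plays the role of the account-side signing
# certificate; a real ADFS trust would give the resource side only a public key.
ACCOUNT_ISSUER = "urn:constructed:companyA:adfs"
ACCOUNT_KEY = b"constructed-account-side-signing-key"
STORE_AUDIENCE = "urn:constructed:company-store"
# Trust configuration held by the resource (hosting company) side: issuer -> key.
RESOURCE_TRUST = {ACCOUNT_ISSUER: ACCOUNT_KEY}

def issue_token(issuer, key, subject, audience, claims, lifetime=300, now=None):
    """Account side: sign a short-lived claims token for one relying party."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token, trusted_issuers, expected_audience, now=None):
    """Resource side: accept only a token from a trusted issuer whose signature
    checks out, that is addressed to us, and that has not expired.
    Returns the claims dict on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        body = json.loads(payload)
        key = trusted_issuers.get(body.get("iss"))
    except (ValueError, AttributeError):  # bad split, base64, JSON or shape
        return None
    if key is None:  # unknown issuer: the trust relationship is the gate
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if body.get("aud") != expected_audience or body.get("exp", 0) <= now:
        return None
    return body["claims"]

def demo():
    """Issue a token for an employee at a fixed clock, then check it at the store."""
    tok = issue_token(ACCOUNT_ISSUER, ACCOUNT_KEY, "employee@companyA",
                      STORE_AUDIENCE, {"spending_limit": 250}, now=1000)
    return verify_token(tok, RESOURCE_TRUST, STORE_AUDIENCE, now=1100)
```

The store never stores a password for the employee; it only needs the account side's verification key, the audience it expects, and a clock.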

Federation is a powerful solution for cooperating businesses, but what about identity outside of corporate domains? What about identity for Internet users?

As I mentioned before, there is no identity infrastructure built into the Internet and thus no way to know who you're dealing with. Attempts at a solution have been ad hoc kludges, difficult to understand, hard to automate, and vulnerable from a security point of view. Furthermore, every new solution creates another identity silo we have to connect to.

Our digital identities end up locked into these silos. There is no way for me to move my Amazon book-purchasing history or my Netflix movie-viewing history to, say, Barnes & Noble or Blackwells. My excellent reputation with eBay is hard earned; I would like to be able to use it with other sites.

Obviously, what we really need is for everyone to agree on just one solution. Fat chance, I hear you say, but the industry has a history of moving away from proprietary siloed technologies such as X.400 and Token-Ring toward standardized, simple, open protocols like TCP/IP, HTML, and SMTP. The WS-* protocols have broad industry support; why can't we just devise an identity system for the Internet and have done with it?

Although this would be a great relief for everybody, it is important to realize that each of the technologies available today has its compelling use cases, its merits, and its faults. In short, it is an extremely difficult task to select a single identity technology that can satisfy all existing scenarios and, furthermore, anticipate every single future one.

There are two classic approaches to complex computing problems like this. One is to have a very simple system with an extensibility mechanism so that it can be adapted to each problem domain (for example, SOAP); the other is to add a level of indirection that provides a consistent experience and hides multiple underlying technology implementations (for example, TCP/IP over Ethernet and Token-Ring).

But before we decide on which fundamental approach to take (and each has its advocates), it would be wise to examine previous efforts at solving the identity problem. We can learn from their successes and their failures, both technological and sociological, in a range of contexts. From that analysis we hope to identify the characteristics that our identity system must possess in order to be successful.

Although there have been a number of efforts in this area, the two that spring to mind are Microsoft's (much-maligned) Passport and Public Key Infrastructure (PKI).

What prevented the Passport identity system from being successful? Well, that question's a bit harsh: There are currently more than 250 million Passport users and more than a billion Passport logons per day. So it is a success as an identity provider for MSN. However, as an identity provider for the Internet, it simply didn't cut the mustard.

The problem is that Microsoft is the identity provider for every transaction. Regardless of whether you trust the company (or believe it to be the very incarnation of evil), this arrangement is not always appropriate or desirable. When I disclose my digital identity, only those parties whose presence is truly justified should be involved. We can formalize this requirement as follows:

Digital identity systems must be designed so [that] the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

This is the law of justifiable parties and it is one of seven "laws of identity" published and refined online at www.identityblog.com. The ability of identity experts to directly influence the formation of these laws via the "blogosphere" has produced an industry-wide consensus that the laws are sound, accurate, and complete. These laws are the best tools available to us for evaluating new and existing identity systems.

I will uncover the rest of the laws in a moment, but first let's take a look at PKI.

PKI, as many of those immersed in it will tell you, is a wonderful technology that is set to take the world by storm. Unfortunately, PKI's advocates have been saying this for a long time! There is no doubt that it is an extremely powerful and useful technology, but it can be costly, it can be complex to manage, and it is overkill in simple contexts.

Despite its flaws, PKI is the nearest we have to a universal identity system today. It is PKI that provides us with the security backbone of the Internet. It is SSL certificates that allow us to conduct secure transactions over the Web. If we are to build an Internet identity layer and are not averse to a bit of reuse, it might be prudent to take advantage of this existing infrastructure, provided it doesn't cause us to fall afoul of the laws.

It is revealing that even a strong technology like PKI, with a choice of vendors and identity providers (namely, the certificate authorities), has not been universally deployed. Without being overly pessimistic, there probably isn't a "one size fits all" identity solution.

It is this point, combined with the reality of a large existing installed base of identity silos, that helps us decide whether the "simple and extensible" or the "level of indirection" approach is most likely to gain traction and succeed.

In short, the indirection method has the greater potential. What's more, it has the advantage of not precluding the simple/extensible approach. Nascent identity technologies can evolve naturally under the all-encompassing wing of indirection. Perhaps, over time, a simple/extensible solution will become dominant, but it will still be able to interoperate with legacy technologies.

Therefore, what we require is an identity metasystem, or system of systems, that provides that level of indirection, encompasses existing identity technologies, and obeys the laws of identity.

And now to the rest of the laws…

Microsoft Windows Communication Foundation: Hands-on
ISBN: 0672328771
Year: 2006
Pages: 132