Back in the mid 1990s, Fiber Distributed Data Interface (FDDI) was touted as the networking protocol of the future. It could handle traffic of 100 megabits per second (Mbps) and was considered far more reliable than Ethernet (which was only 10 Mbps, anyway) as it was a deterministic protocol based on the Token Bus architecture (similar to Token Ring). Standard Ethernet protocol was considered to be unable to provide more than 10 Mbps bandwidth and – due to its “collision detection” technology – was also considered unreliable. Yet here we are today with most networks tied together by 100 Mbps and even gigabit Ethernet! How is that possible?
Simple, really: what we call “Ethernet” today is vastly different from the protocol Bob Metcalfe invented and that we used in the early to mid 90’s.
Ten years ago we were all agog over what became known as “user-centric identity”, which was effectively launched at the first Internet Identity Workshop when a group of people merged their projects: OpenID, Lightweight Identity (LID), Sxip, and XRI. Microsoft’s CardSpace eventually associated with the group, but CardSpace was never subsumed into OpenID, preferring to define transaction points where the two protocols could interact.
Well, you know the rest of the story. Microsoft appears to have abandoned CardSpace. OpenID was co-opted by Google and Facebook who forked the open source protocol to create their own identity systems. Sxip disappeared into the hungry maw of Ping Identity, and XRI development has, essentially, ceased.
But there’s a new lightweight, user-oriented identity protocol rising, and it’s called “OpenID Connect”! And OpenID Connect bears a relationship to OpenID similar to Gigabit Ethernet’s relationship to Metcalfe’s Ethernet. That is, they share a name.
OpenID Connect goes a long way towards solving some of the problems of OpenID, especially security issues, as it includes a binding to the Security Assertion Markup Language (SAML) protocol and is built on top of OAuth, while maintaining a semblance of a system that is easy for developers to implement and easy for users to use. As a plus, Google is actively participating in its development while Facebook and Microsoft are looking on to see if the effort to join the party will pay dividends in terms of people’s usage.
And, since SAML is part and parcel of most enterprise identity federation schemes (including those that connect the enterprise to cloud-based platforms) the work on OpenID Connect could bridge the divide between Enterprise Identity and that which we called “User-centric”.
But it’s no longer called “User-centric” identity. Today’s term is “Consumer Identity” and it’s part of the movement called the “Consumerization of IT” (CoIT), which has evolved from the Bring Your Own Device (BYOD) movement.
Not only are enterprise users bringing their own device, they’re connecting to “x-as-a-service” (Software aaS, Platform aaS, etc.) entities on their own, which could compromise corporate data as well as the users’ own safety and security.
Business protocols in the consumer space, corporate consumers acting as their own IT dept., all thrown together by a few simple protocols. See how it’s all interconnected?
Next week at the European Identity & Cloud Conference (EIC) I’ll be moderating a half-day track on Consumer Identity, while BYOD will be the topic of a webinar we’ll be announcing for early May. More on BYOD in the next issue; today let’s set the table for Consumer Identity.
Joining me at EIC are a number of veterans of the User-centric Identity battles including Microsoft’s Kim Cameron, Tony Nadalin (formerly IBM) & Mike Jones, OpenID’s John Bradley & Don Thibeau, XRI’s Drummond Reed and Google’s Andrew Nash. We’ll be joined by a number of others involved in various aspects of consumer identity and CoIT as we discuss three distinct topics.
First off, we’ll do an overview of current trends in Consumer Identity Systems. Microsoft’s Cameron & OpenID’s Bradley will be joined by Colin Wallis (New Zealand Government), Susan Morrow (Avoco Secure Ltd) and Malcolm Crompton (Information Integrity Solutions) to look at trends in the face of consumer expectations concerning their online experience, which is becoming ever more sophisticated. At the same time, the negative aspects of online privacy are becoming better understood and more frequently questioned by those consumers. These issues are impacting the design and development of consumer identity systems, and the question is whether our current offerings, such as SAML with OpenID Connect, can provide the type of identity system that will perform to the expectations of this increasingly sophisticated audience in terms of user control, privacy and security.
The second session will be a review of the status of key internet identity protocols including OpenID Connect, OAuth 2.0 and Account Chooser. Here I’ll be joined by Axel Nennker (Telekom Innovation Laboratories) as well as Microsoft’s Jones, OpenID’s Bradley and Google’s Nash. This promises to be a high level overview of the protocols, and an explanation of why major technology companies have standardized on them. One topic we will surely discuss is how the functionality of the OpenID v2 protocol has been re-implemented on top of OAuth to create OpenID Connect. The session will also delve into the security problems of websites that run their own password based login systems, and what they can do to improve their security as well as their users’ experience.
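The column says twice that OpenID Connect is OpenID’s functionality rebuilt on top of OAuth. Concretely, the piece that OpenID Connect adds to an OAuth exchange is the ID token: a signed JWT carrying identity claims (issuer, subject, audience, expiry, nonce) that the relying party must verify before trusting who logged in. The following Python is an added example written for this column, not code from the OpenID Foundation or any of the products mentioned. It uses the HS256 option (the client secret as HMAC key) so it runs offline with no libraries; the issuer URL, client_id and secret are constructed placeholders, and a real provider would more commonly sign with an RSA key published at its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (not a real provider or client).
ISSUER = "https://op.example.com"          # hypothetical OpenID Provider
CLIENT_ID = "my-relying-party"             # hypothetical client_id
CLIENT_SECRET = b"example-client-secret-not-real"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(subject, nonce, now=None, lifetime=300,
                   issuer=ISSUER, audience=CLIENT_ID, key=CLIENT_SECRET):
    """Provider side: mint the ID token returned alongside the OAuth access token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    compact = {"separators": (",", ":")}
    signing_input = (_b64url(json.dumps(header, **compact).encode()) + "."
                     + _b64url(json.dumps(claims, **compact).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, expected_nonce, now=None):
    """Relying-party side: return verified claims or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token's own header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h_b64}.{c_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # The nonce binds this token to the session that started the login.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def check_id_token(token, expected_nonce, now=None):
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_id_token(token, expected_nonce, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    nonce = "session-nonce-123"            # constructed; normally random per login
    token = issue_id_token("alice", nonce)
    print(check_id_token(token, nonce))                       # ok
    print(check_id_token(token, "some-other-nonce"))          # nonce mismatch
    print(check_id_token(issue_id_token("alice", nonce, key=b"x"), nonce))  # bad signature
```

The point for a website that today runs its own password login: with OpenID Connect the relying party never sees a password, but it takes on the checks above (signature, issuer, audience, expiry, nonce) and skipping any one of them is how a borrowed or replayed token becomes a login.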
Finally, Microsoft’s Nadalin, OpenID’s Thibeau, & Google’s Nash along with Drummond Reed (Connect.Me), Scott David (K&L Gates LLP) & Jeff Stollman (Secure Identity Consulting) will gather to toss around the topic “Barn-Raising At Internet Scale: Trust Framework Development for Open Identity”.
This will be a fascinating look at how a group of people came together in response to the US Government’s call for development of a safe, secure identity framework for the internet. In April 2011, the US Department of Commerce released its National Strategy for Trusted Identities in Cyberspace (NSTIC), which called for a public-private partnership to create a secure commercial, social, and civic identity ecosystem. The Open Identity Exchange (OIX) has taken the lead in constructing both the rules and tools for the rapid, internet-scale creation of such an ecosystem: the Trust Framework. Other governments have now joined in the call for secure public protocols that protect citizen identities, and we’ll touch on those as we see how they relate to NSTIC. The question, then, is two-fold: can these systems be created and be effective, and can various national systems inter-relate and coexist?
As always, it promises to be a group of lively sessions with the occasional difference of opinion that can bring about greater understanding. If you’ll be at EIC, mark these sessions on your agenda. If not, we’ll be writing about the conclusions, at least, in future entries. Either way, this will touch on topics and reach conclusions important to each and every one of you.