Running for IDESG Plenary Vice-Chair

Next step on the journey into the world of Online Identity – I’m running for Vice-Chair of the IDESG Plenary. For those of you who don’t know, IDESG is a newly-formed non-profit whose mission is to achieve part of the US National Strategy for Trusted Identity in Cyberspace (NSTIC). The working groups of the Plenary are hard at work characterizing the future online identity world and collecting bits and pieces that will be necessary to achieve the vision.

I’ve been very active in a couple of the core committees, committed to helping the organization make progress.

It’s a very complex problem space and organization with an incredible range of priorities, agendas, opinions and viewpoints. In other words, exactly the kind of challenge I like to take on.

Fingers crossed that folks voting agree.

Portable Identity Information and Interoperable Credentials: How will we shift the burden of complexity away from your mom’s keyboard?

Often-cited target states for federated identity and credential solutions include statements like: “Credentials must be interoperable”; “Identity Information must be portable”; “Users must have choice in number, type and source of credential”; “User must have control over disclosure and use of identifying information”; “Usage of credential must not be traceable back to the user, if the user requires it”.

It occurs to me (and I’m certainly not the first person to realize this) that there is a heavy burden of complexity and risk inherent in solution spaces for those kinds of requirements.

Let me explain:

Today’s nasty conglomeration of multiple username/password silos, 2-step authentication systems, 2-factor authentication systems, attribute verifiers (a.k.a. data brokers) and nascent federated credential solutions actually satisfies many of the requirements statements above.

We are witnessing the rise of the “mega-ID Provider”:  Google, Amazon Web Services, PayPal, Salesforce, Facebook, Twitter and other massive companies are turning up authentication interfaces for consumption by other eService Providers and Relying Parties. They are not particularly interoperable – the NASCAR user interface used to pick your Authentication Provider is proof of this. (Sidebar: I was just informed that the NASCAR is called the NASCAR because of the long line of logos streaming down the UX – I found this tragic and funny at the same time)

What solutions are being promoted to shift the burden of complexity and non-secure credentials away from your mom? (this list is not pure – I’ve shifted some definitions to suit my purposes)

Hubs: an interconnection point that does protocol and information format conversions between many Relying Parties and many ID Providers. This might possibly be IDaaS.

Brokers: a Hub that also offers anonymizing services – directed identifiers provided to RP and IDP in a way that makes it very difficult to capture a comprehensive picture of where a user credential has been used, even with some collusion.

Federated Credentials: IDP and RP using a commonly-agreed set of protocols, policies and trust rituals. Very Enterprise-y where a user is bound to an IDP but in return is able to authenticate anywhere in the Federation.

Active User Agents: User Centric solutions that keep the keys, authorization policies and other complex stuff close to the user. User Agents could collect up a bunch of different ‘identities’ and credentials for use in whatever pattern the user desires.

Personal Clouds: Bits of Personal Cloud functionality could be the Active User Agent role, but cloud based.

So what’s it going to be?

Is the price of convenience and security for you as an Online Consumer-Citizen going to be a transfer of the ‘hard parts’ and complexity over to big Broker/Hubs that promise to do no harm? This might address the harder problems of discovery and provisioning – centralizing integration points is easier to deploy.

Or, will the complexity simply be shifted just a little bit further away from your chair into a User Agent that is under your direction? This gives you more (apparent) control, but makes it harder to get seamless, simple services connected when and where you want them – and decentralized integration will be prone to the problems of today with provisioning, deprovisioning and broken linkages.

UMA and OpenID Connect plugins for Apache Server

The crowd-sourced funding campaign to create an UMA and OpenID Connect plugin for Apache server was successful. Mike from reports that progress on the OIDC plugin is good, and the UMA plugin will begin soon.

To commemorate the success of the campaign, Mike commissioned a local Austin artist JP Verdijo (JP’s Facebook page) to create paintings. I asked JP to create a smaller version that would fit in my office – so he made a photo transfer which is now hanging on my office wall.

It’s a great piece to commemorate an event that hopefully will transform information sharing on the internet. Fingers crossed.