The OpenID community is still wrestling with how to deliver a first-time login experience that is acceptable to mainstream users. Research indicates we need something less open-ended than typing into a blank URL field, but neither is it desirable to push users to choose from a few (or worse, many) pre-selected identity provider logos. One approach for solving this problem is called (for lack of a better term) the Active Identity Client, or AIC (similar to what I previously called a Chamberlain). An AIC bootstraps the identity selection process at a new website (aka Relying Party, or RP) by storing some amount of identity information on the user's home computer. The AIC uses that identity to access a persistent record of the user's interaction with multiple sites and identity providers (IdPs) to negotiate and streamline future such interactions. This (in theory) allows the user, rather than the RP, to prioritize which providers to use.

A number of such AICs were demonstrated at last week's Internet Identity Workshop. Rather than attempting to standardize on a single AIC, a group of us discussed developing a common infrastructure that might enable a broad spectrum of AICs to innovate and compete. Specifically, we attempted to identify conventions, best practices, and extensions to existing standards that would support both "native" and "in-browser" AICs.

This article is my idiosyncratic attempt to synthesize what we discussed into a coherent vision for Active Identity Clients. It may not fully reflect the opinions of any given participant, and certainly does not represent the views of our respective employers. Rather, it is a subjective snapshot of a still-evolving problem space, and is intended to provide a concrete starting point for further discussion, critique, and clarification.
Chamberlain: A User-Serving Model for Identity Management
The following is a hypothesis I am exploring for the Nov 2009 Internet Identity Workshop. Most proposals for open identity management on the Internet use the 'wallet' metaphor, where the user is expected to choose from amongst a variety of disjoint identities when accessing a given website. Rather than thinking of identity as something manually managed by the user (like cards in a wallet), I believe the vast majority of users want identity to be something that is managed *for* them -- the way a chamberlain in a palace might keep keys to all the rooms, and control who was allowed to go where in accordance with royal policy. The potential payoff is an architecture that would work reasonably well with the web as it is today, and scale cleanly to support more elegant mechanisms in the future. While my initial proposal below is unlikely to achieve all those goals, hopefully it will at least provoke others to come up with something even better.
OpenID: The RESTful approach to Single Sign-On
Been spending a lot of time on regular work, but a friend recently suggested I check out OpenID -- the de facto distributed authentication standard for Web 2.0. I think of it as "Decentralized Kerberos for the Internet", in that it provides the ability to do Single Sign-On without the need for everyone to agree on...
