What's your online Identity?
We all encounter online identity issues fairly often in our daily lives – from phishing attempts to the frustration of forgetting your username/password for a particular site. The internet's underlying TCP/IP framework (now more than 20 years old) was never meant for things like secure financial transactions, where proof of identity is a necessity. ISO's OSI 7-layer model for networks does, in principle, provide for identity/security policies as part of the Presentation layer, but implementations never really caught on. So it's no wonder that a myriad of standards and frameworks to manage your "digital" or "online" identity have been proposed or are in the works. I keep an eye on this space as an end-user and also because part of my responsibilities at AOL concern our Identity and Name Space initiatives. With our 20 million+ subscribers in the US plus millions of visitors to the various AOL-owned web properties, identity solutions are a key part of AOL's strategy. At the same time, AOL continues to take aggressive action against known spammers and phishing rings.
I'll be able to talk more about specific releases in the near future, but suffice it to say that AOL is a Management Board Member of the Liberty Alliance Project along with IBM, Oracle, Intel, Sun and other key players. The SOA-based platform that AOL is building complies with the Liberty identity-based interaction model, and several architects from AOL participated in a Liberty interoperability testing session in the first week of February. The Liberty specs define Network Identity as "the global set of attributes that are contained in an individual's various accounts with different service providers. These attributes include such information as name, phone numbers, social security numbers, addresses, credit records, and payment information". Liberty's key concept is "Federation", which essentially means you can have single sign-on between "trusted" sites that are allowed to share your identity. Liberty proposes the use of SAML (Security Assertion Markup Language), an XML-based standard for exchanging security tokens between identity providers and services. There are other sub-committees within Liberty as well that focus on various identity-related issues, e.g. providing strong authentication guidelines in ID-SAFE (Identity Strong Authentication Framework). It is interesting to note that AOL already partners with RSA to provide two-factor authentication, called AOL Passcode, to members (as an additional service).
Microsoft is also working on an identity framework called InfoCard and an Identity Metasystem. The chief architect, Kim Cameron, explains the tenets of the metasystem as the "Laws of Identity" and its aim to be a "ubiquitous digital identity solution for the Internet" – the missing layer 6! Pretty ambitious, especially considering Microsoft's earlier shot at identity (Passport) never really took off, but they seem to have applied the lessons learned from that fiasco to InfoCard. For example, unlike Passport, InfoCard will not store your identity credentials on a Microsoft server somewhere. InfoCard will ship with Vista and IE 7. Kim keeps a blog with several whitepapers on InfoCard; he professes to be an admirer of Liberty but was ambiguous on SAML (though some of InfoCard's IE 7 integration code samples use SAML 1.0 assertions). I have yet to go through the InfoCard specs in detail, so I cannot really comment on how they compare with the Liberty specs, but from initial impressions, Liberty seems to be more focused on federated authentication than InfoCard. It is possible that Liberty and InfoCard end up complementing each other. There is, however, a direct open source competitor to InfoCard that IBM and Novell launched recently as part of the Eclipse project: the Higgins trust framework. Other smaller efforts are out there as well, such as I-Name, but it will be interesting to see how the two or three big proposals evolve over the next year or so and how well they are adopted in the industry.
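As an added example (not code from this post, from Liberty or from AOL), here is the kind of relying-party check a service provider performs before trusting a SAML 1.0 assertion received from a federated identity provider, the token format both Liberty and the InfoCard IE 7 samples above rely on: the issuer, the validity window and the audience restriction are verified against a constructed assertion. The issuer and audience URLs and the subject name are made-up values, and the XML signature check a real deployment requires is assumed to have already succeeded.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion for illustration; no real identity provider issued it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="0" AssertionID="_constructed-assertion-id"
    Issuer="https://idp.example.net" IssueInstant="2006-02-10T12:00:00Z">
  <saml:Conditions NotBefore="2006-02-10T12:00:00Z" NotOnOrAfter="2006-02-10T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-02-10T11:59:58Z">
    <saml:Subject><saml:NameIdentifier>alice@example.net</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def _parse_ts(value):
    """Parse the UTC timestamps SAML uses into timezone-aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_audience, trusted_issuers, now):
    """Return (ok, reason, subject); ok is True only when every check passes.
    Assumes the XML signature over the assertion has already been verified."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return False, "not a SAML 1.0 assertion", None
    # Only assertions from identity providers inside the federation are trusted.
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer", None
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or na is None:
        return False, "validity window not bounded", None  # fail closed
    if now < _parse_ts(nb) or now >= _parse_ts(na):
        return False, "outside validity window", None
    # The assertion must be addressed to this service provider, not one issued for another.
    audiences = {a.text for a in cond.iter(f"{{{SAML1_NS}}}Audience")}
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    name = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if name is None or not name.text:
        return False, "missing subject", None
    return True, "ok", name.text
```

Every rejection names the failing check, which is what you want logged at the service provider when federation partners disagree about clock skew or audience strings.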
armughanjavaid at 9:04:00 PM EST