The story circulating around the circles of the "identirati" (that is, those of us obsessed with identity) is about WS-Federation becoming an OASIS technical committee.
Actually, that's not quite right: the story is more about James McGovern predicting that (emphasis mine) "WS-Federation will become more important than SAML within the next two years and will invalidate all the hard work already done by the Liberty Alliance." This has the identity blogosphere all a-twitter (what can I say, we're a strange bunch).
To really grasp this, it is important to have some contextual history. However, the history is deep and storied, so I'm going to give you The History of Identity Protocols in a nutshell (and with some levity):
1. Early days: X.509; directories; things get unmanageable; meta-directories (via Kim Cameron); LDAP.
2. Customers demand a web SSO protocol that isn't proprietary. Two different vendor groups form to build this. Phil Schacter (of Burton Group) publicly slaps both groups around. SAML (the "security assertion markup language") is formed inside of OASIS.
3. Microsoft creates Passport. The internet FREAKS OUT. Some big companies call Sun demanding a protocol that allows them to *not* have to hand over their customers to Microsoft -- the Liberty Alliance is born.
4. Liberty creates a whole bucketload of protocols - most of which the normal human being can never grasp. It contributes one of its earliest pieces of work (IDFF -- that's the identity federation framework) to OASIS for inclusion in SAML 2.0.
5. In the meantime, the mad scientists at Microsoft, IBM and a host of other companies are busy creating the WS-* specs. Unbelievably, these protocols are even more numerous than what Liberty has done. Analysts actually become sick to their stomachs trying to understand the array of WS-* specifications.
6. One of those WS-thingies is WS-Federation. Another is WS-Trust. Remember WS-Trust, it'll become important later (if I remember to get around to it).
7. Burton Group's Catalyst and Digital ID World are busy holding identity conferences before the rest of the copycats - er - conference producers wake up and realize that's a good idea. In between those two shows, Kim Cameron (see Meta-directories) starts writing the "7 laws of identity." Nearly all of the identirati miss the whole "natural law" connotation and go along for the ride.
8. Out of the miasma that is the conversation around what became known as "the laws" is born the "identity gang." This group includes people like Dick Hardt, Johannes Ernst, Drummond Reed and Kaliya Hamlin. A bunch of meetings happen where seemingly nothing occurs, while in reality a LOT is occurring. The "user-centric" identity movement takes shape. Its purpose: to build an internet-scale identity protocol -- which is another way of saying, "something not secure enough for enterprises to adopt." OpenID is born.
9. OpenID gets traction. Kim's work inside of Microsoft (did I mention Kim works for Microsoft?) gets traction (it's called the metasystem, then InfoCards, then CardSpace -- and succeeds in confusing everyone even *more* than the dizzying array of WS-* specs). Higgins is born (don't ask). Bandit happens (again, try to stay focused).
10. OpenID realizes it needs to interact with the "enterprise protocols," which if you're keeping track, now include SAML 1.0, SAML 1.1, SAML 2.0, WS-Federation, WS-Trust AND about 30 different Liberty Alliance protocols. Meanwhile, Kim Cameron says some things about OpenID's security that get everyone's undies in a bundle. But that's okay, because they all have a few more meetings and voila (!) we now are sitting at the moment we're at today, where it appears that everyone is on the verge of maybe sorta coming close to inter-operating with everyone else.
Got all of that?
I didn't think so.
Here's the important part: SAML got great traction inside of the enterprise. Liberty got great traction with the telcos. OpenID is getting traction with the "blogosphere" crowd. And the work that Kim Cameron (and Mike Jones, and countless others) did around CardSpace is about to reap Microsoft huge benefits.
What should you pay attention to? That depends on who you are. But know this -- while it is always fun to make bold predictions like James McGovern did, identity's history shows us that things will most likely be messy.
And if you remind me someday, I'll try to explain why the idea of "claims transformation" (WS-Trust) is so - well - transformative.
--Eric Norlin





