Monday, June 20, 2005

Identity metamagic

Johannes Ernst worries about Microsoft's use of the phrase "identity metasystem" as a descriptor for the InfoCard project.

He's quite right to worry about it.

The Microsoft document describes this as:
Given that universal adoption of a single digital identity system or technology is unlikely ever to occur, a successful and widely employed identity solution for the Internet requires a different approach—one with the capability to connect existing and future identity systems into an identity metasystem. This metasystem, or system of systems, would leverage the strengths of its constituent identity systems, provide interoperability between them, and enable creation of a consistent and straightforward user interface to them all.

The definitive reference on "meta," though, is Douglas R. Hofstadter's Gödel, Escher, Bach: An Eternal Golden Braid. This seminal work (published in 1979) correctly treats "meta" as meaning "about" rather than "containing." Thus if we have a system b, the metasystem B would be a system to talk about system b but would not (necessarily) include system b within itself. In his book, Hofstadter does then go on to create self-referential systems which can do things as well as talk about how they do things, but that's beyond what we need in this discussion.

The Microsoft language appears to be derived from one viewpoint of a metadirectory, such as Microsoft Identity Integration Server. Since the metadirectory engine is used to tie together different identity repositories, someone - in writing the Microsoft paper - thought to use "meta" to describe a container. But in the sense that Microsoft uses "meta directory" (inherited, along with the foundations of MIIS, from ZOOMIT Technology), the "metadirectory" consists of descriptions (i.e., "talking about") other identity silos and containers.

An identity metasystem, then, is not a superset of identity systems, but a self-referential description of identity systems. It appears Microsoft marketing had too much to do with this paper and tried to tie it to the MIIS product, much to the consternation and befuddlement of people who do understand identity systems.

I read several posts from Julian Bond highlighting his concern about interoperability between various now existing identity management systems and protocols (Liberty, SAML, LID, SXIP) in a metasystem domain, and I agree with him up to a large extent.

Microsoft talks about "Encapsulating Protocol" and "Claims Transformers" as conceptual components of an Identity Metasystem that they are proposing. I think Microsoft is missing some good points in this discussion, or at least we as readers are.

Liberty Alliance and SAML, for example, have their own set of protocols and bindings, but would it be possible for two systems in an Identity Metasystem to honor the complete protocol lifecycle (talk Liberty or SAML) sitting on top of a whole other stack of protocols called WS-*?

I understand that parties supporting Liberty or SAML have to perform a series of steps (that form the protocol) before they get hold of a token(s). How would this be possible in an identity metasystem domain if the parties in this domain have to talk to a claims transformer instead of the direct endpoints (IDP or SP in Liberty parlance)? Won't this kind of break the protocol?

Even if that is made possible, the encapsulating protocol as discussed in Microsoft's vision paper would then be responsible for carrying messages that form part or whole of another type of protocol. Isn't it?

SAML does support some bindings and profiles for WS-* interoperability, but that is not everything that SAML has to offer. I feel that an Identity Metasystem as proposed by Microsoft today would seriously hamper the nature of the other Identity Systems by limiting the number of use cases that they are now capable of supporting.

The "claims transformers", that is the STS engines, exist to do away with the need for any single point to speak to either endpoint of a transaction. Think of this as analogous to the way a packet traverses the internet or (even better) the way a UUCP packet used to get from point A to point B with transformations occurring all along the way. Transformation engines are used in Identity transactions all the time - think provisioning and synchronization.

It also helps if you consider that what Microsoft is preaching is A system, not the system.

© 2003-2006 The Virtual Quill, All Rights Reserved

