Friday, July 08, 2005

Infocard surprise

In his latest posting about InfoCard, Johannes Ernst agrees that InfoCard itself isn't the "Identity Metasystem" that the popular press seems to think it is, but he raises an interesting question when he states:

"It is not a logical necessity that the identity metasystem will be built on the WS-* stack. Because taking the above to its logical conclusion, the InfoCard interfaces would thus only be a proposal for, rather than "define" the interfaces of the eventual identity metasystem."

I've got to agree. In particular, I don't think that WS-Trust has to be the glue which holds it all together. There are other protocols which, with the aid of an STS (Security Token Service - a WS-Trust entity, but analogs can be built for other protocols), can do the token transformations to and from WS-Trust. Microsoft needs to explore those also. The important take-away here is that there are no required protocols in the Identity Metasystem, simply an abstract notion of what services should be required.

Well, I thought that was how it would work (and still think it's how it should work) until I read this post on Kim Cameron's blog, where he states:

"everything SAML users and vendors already had in place could continue to work just as it does now, while with a small incremental effort their systems could embrace the metasystem. Sure, it would mean supporting WS-Trust"

And that's simply wrong. It's no more incumbent on, for example, Sun to support WS-Trust than it is for Microsoft to support Liberty's ID-FF! Saying that SAML/Liberty-enabled sites would need to add WS-Trust support because Microsoft would need to add it also is looking at the world through Redmond-designed glasses. Token Exchange Services, "Identity Routers" (e.g., a WS-Trust STS), are needed, but they should be provided by organizations and vendors who want to convert to/from their own protocols, or by independent organizations who can provide "hub and spoke" services for multiple protocols. That's the only way this will ever become a universal system.

That was exactly my concern expressed in a comment on your post :) --

© 2003-2006 The Virtual Quill, All Rights Reserved