Tuesday, July 24, 2007

Six degrees of assertion


The CardSpace/OpenID/User-centric identity model stands on three legs - the user (in the middle), the relying party (RP - the site which the user wishes to access) and the Identity/OpenID provider (IDP/OP - the site providing the authentication on behalf of the user). There are variations between the CardSpace model and the OpenID model, with OpenID being the much simpler one. This cartoon from stikis.com captures its essence.

In yesterday's post, I noted a quote from Robin Wilton: "In my view, one of [openid's] most interesting ideas has been to challenge the view that there needs to be an established (explicit, formalised) trust relationship between the IDP and the relying party. I happen to think that, for transactions of value, there does need to be such a relationship." I disagree.

It is necessary, I believe, for the RP to be able to trust the IDP, that is to assess the risk in accepting the IDP's assertion about the user's identity. But there doesn't need to be a formal, explicit, pre-defined and signed agreement between the RP and the IDP for this to happen. Consider an analogy to FOAF, the "friend of a friend" project. Or see it as a "web of trust," a de-centralized certificate verification scheme started by the PGP folks to counteract the strict, hierarchical certificate authority system of traditional PKI.

In the "six degrees" method for OpenID, any RP who wishes to do a risk assessment on a newly presented IDP/OP asks it for authentication data. That IDP/OP then becomes the user and points the RP to its own IDP/OP for authentication. If the RP knows of this IDP/OP, then it can make a risk determination. If not, the cycle begins again with the new IDP/OP becoming the user. This recycling could, in theory, go on indefinitely, so after n iterations the RP should call a halt and make a determination. Each RP would determine the exact number of iterations based on its own criteria (such as the value of the transaction).
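To make the bounded walk concrete, here is an added example (not from the original post, and not any OpenID library's code) of how an RP might implement the "six degrees" risk assessment. The IDP/OP names, the lookup table standing in for each IDP/OP "pointing the RP to its own IDP/OP", the risk scores and the per-hop penalty are all constructed for illustration. Two details go beyond the post: the walk stops on a cycle (two IDP/OPs vouching for each other would otherwise burn the whole iteration budget), and each hop of indirection adds to the risk score so that a long chain to a known IDP/OP is trusted less than a direct one.

```python
from dataclasses import dataclass, field

# Constructed directory: which IDP/OP each IDP/OP uses to authenticate itself.
# This is a hypothetical stand-in for the live protocol exchange described above.
UPSTREAM_IDP = {
    "idp.example-a.test": "idp.example-b.test",
    "idp.example-b.test": "idp.example-c.test",
    "idp.example-c.test": "idp.known.test",
    "idp.loop-1.test": "idp.loop-2.test",   # two IDP/OPs that vouch for each other
    "idp.loop-2.test": "idp.loop-1.test",
}

# IDP/OPs this RP has already assessed, with its own risk score (constructed;
# lower is better).
KNOWN_IDPS = {"idp.known.test": 0.1, "idp.trusted-partner.test": 0.05}

# Constructed penalty: every hop of indirection adds this much risk.
HOP_PENALTY = 0.1


@dataclass
class Assessment:
    decision: str               # "accept" or "reject"
    reason: str
    chain: list = field(default_factory=list)   # IDP/OPs visited, in order


def assess_idp(presented_idp, max_iterations, known=KNOWN_IDPS,
               upstream=UPSTREAM_IDP, risk_threshold=0.5):
    """Walk the chain of IDP/OP assertions, starting at the IDP/OP the user
    presented, until a known IDP/OP is reached, the iteration budget is spent,
    a cycle appears, or an IDP/OP names no upstream at all.

    max_iterations is the RP's own 'n'; risk_threshold expresses how much risk
    the RP will carry for this transaction (e.g. lower for higher value).
    """
    chain = [presented_idp]
    seen = {presented_idp}
    current = presented_idp
    # hop 0 is the presented IDP/OP itself; hops 1..max_iterations are delegations
    for hop in range(max_iterations + 1):
        if current in known:
            effective_risk = known[current] + HOP_PENALTY * hop
            if effective_risk <= risk_threshold:
                return Assessment("accept",
                                  f"known IDP/OP {current} reached after {hop} hop(s), "
                                  f"risk {effective_risk:.2f}", chain)
            return Assessment("reject",
                              f"risk {effective_risk:.2f} exceeds threshold "
                              f"{risk_threshold:.2f}", chain)
        nxt = upstream.get(current)
        if nxt is None:
            return Assessment("reject", f"chain ended at unknown IDP/OP {current}", chain)
        if nxt in seen:
            return Assessment("reject", "cycle detected", chain)
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return Assessment("reject",
                      f"no known IDP/OP within {max_iterations} iterations", chain)


if __name__ == "__main__":
    for idp, n in [("idp.example-a.test", 3), ("idp.example-a.test", 2),
                   ("idp.loop-1.test", 10), ("idp.unknown.test", 3)]:
        result = assess_idp(idp, n)
        print(f"{idp} (n={n}): {result.decision} - {result.reason}")
        print("   chain:", " -> ".join(result.chain))
```

With the constructed table, `idp.example-a.test` is accepted when the RP allows three iterations but rejected at two, and the same chain is rejected at three iterations once the threshold is tightened to 0.3, which is how "the value of the transaction" enters the decision in this sketch. The cycle and dead-end cases return distinct reasons so that an RP can log why an assertion was refused.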

In time, as enough IDP/OP sites come on-line, there could even develop a new category of service - a reputation service for IDP/OP sites. With a standardized protocol and transport, they could exchange information about the IDP/OP sites, and RPs could subscribe to their service.

No pre-requisite legalspeak necessary.


© 2003-2006 The Virtual Quill, All Rights Reserved
