Monday, July 23, 2007

Who is in control?

Pat Patterson and Robin Wilton each weighed in over on Network World's web site in response to my recent newsletter, "Setting the record straight on Sxip and patents." Pat claimed: "this model was already well established by the time SAML 1.0 came along in 2001 with the asserting party (==IdP), user and relying party, more than 2 years before Sxip even existed." Robin chimed in with: "Pat's counterexample can also be significantly pre-dated if you consider that architectures such as Kerberos, RACF Passtickets and others all embody the same principle: a user applies to a trusted third party of some kind for a credential which can be presented to a relying party."

But all that their examples have in common with Sxip's (and OpenID's) tripartite system is that they could be said to stand on three legs!

Kerberos, RACF and their ilk resemble a movie theater scenario - a user gets a ticket from the booth, presents it to the doorman and gains entrance to the theater. The user stores no data with the ticket booth and has no control over the data that's exchanged nor what happens to it after it's presented. It's an authorization scheme, in fact, not an authentication one.

SAML 1.0, on the other hand, was a protocol to exchange federation messages between and among organizations with previously existing (i.e., before a message exchange or transaction) legal agreements. As the Burton Group's Gerry Gebel said: "Before we see a whole lot of federation through SAML ... you have to reexamine business agreements, contracts, and make sure language is right and who's going to accept reliability. How is the trust relationship going to be set up and managed. There's a little bit of uncertainty in what that's going to entail and what best practices will emerge as a template for people to use."

The Sxip/OpenID model (which may well be said to derive from the earlier works) resoundingly puts the user in charge and eliminates the need for previously executed agreements.

Robin went on to say:
"In my view, one of [Dick Hardt's] most interesting ideas has been to challenge the view that there needs to be an established (explicit, formalised) trust relationship between the IDP and the relying party. I happen to think that, for transactions of value, there does need to be such a relationship, but it was still valuable to have someone suggest that alternative approaches might be valid, particularly in other contexts."
I think both Dick & Robin are correct, and I'll elaborate on that in another entry.

In the article you said "It could be said, in fact, that Hardt 'invented' the three-part identity system of Identity Provider, User and Relying Party (RP, or Identity Consumer)." No qualification there to narrow the scope to user-centric or Sxip or OpenID. That was the problem I had. You were saying that Dick invented the whole concept of three legs!

© 2003-2006 The Virtual Quill, All Rights Reserved