The nitty-gritty of information cards and OpenID interoperability

* A look at the paper 'Analysis of a User-Centric Interoperability Event'

Sometimes an idea occurs simply because it's time for it to occur. It occurs to multiple people in multiple places at, roughly, the same time. Often those ideas, brilliant though they may be in their own right, are simply the extension of the ideas of others - a synthesis of many thoughts to arrive at a new conclusion. That appears to be happening in identity right now. The last two issues have talked about the grand unified theory of so-called "enterprise-centric" and "user-centric" identity. Now comes a paper talking about the interoperability of the two major user-centric models: information cards and OpenID.

Pamela Dingle, from Nulli Secundis has just released a white paper called "Analysis of a User-Centric Interoperability Event". This is an objective look at the OSIS I3 Interop. Open Source Identity Systems (OSIS) is a meeting place/clearinghouse for those working on identity issues in the open source community. From late 2007 through the RSA conference in April 2008 OSIS conducted its third user-centric identity interoperability event (I3). Pam’s white paper is an analysis of that undertaking.

To paraphrase the introduction to the paper: I3 was a five-month “event” in which organizations, individuals, and projects working in the areas of information cards and OpenID collaborated to define and demonstrate their ability to transact successfully regardless of differences in hardware or software platform. Participants worked within each area to define and test acceptable behaviors for various situations that crop up when loosely coupled solutions communicate with each other via open protocols. Interop participants created results within two different matrices: feature test results which recorded adherence to acceptable behavior when explicitly tested, and cross-solution results which recorded overall interoperability between solutions with complementary roles. Combined, the participants recorded more than 1,200 mostly successful results.

The paper is very thorough – 30 pages of closely reasoned discussion including well documented looks at architecture, protocols and the “nitty gritty” of the two very different approaches to open source, user-centric identity. But Dingle’s own words say it better than mine:

“The true impact of this Interop, however, is not how exciting the result is. What has impressed the participants more are the discussions around lesser-known parts of the protocol; the initial failed tests, resulting code changes, and subsequent successes; and even the ongoing process of deciding what situations constitute the Interop.

In the Information Card world, the Interop illustrated that although the most common scenarios are consistently implemented by a great number of solutions, there are many areas that have not had widespread focus yet – areas such as auditing cards, rich client interaction, and authentication methods other than username/password.

In the OpenID space, a large number of Identity Provider/Relying Party combinations were not applicable due to the number of protocols that fall under the umbrella of OpenID and the variation in support by the participants. Where solutions combinations were applicable, however, results were extremely positive.”

Read this paper. It’s important.

Join the discussion
Be the first to comment on this article. Our Commenting Policies