
And so, to the yacht club

Aug 25, 2003
Access Control, Enterprise Applications

Flying the flag of your identity

It might seem like we’ve been going around and around for months about persona, identity, roles, credit cards and identifiers, but it has only been a couple of weeks, and identity management really is an important issue. Also, for the past couple of issues, I’ve been dangling the “yacht club scenario” in front of you as an enticement to come back for the next issue. Today we’ll look at the yacht club, and next issue we’ll cover the real reasons why I’ve been harping on these concepts.

A while back, I spoke with Roger Sullivan, president at Phaos Technology, about the work his company was doing to implement services that leverage the Liberty Alliance specification. I asked Roger to differentiate among the Liberty spec, the WS-Federation specification and the Shibboleth specification. It was in reference to Shibboleth that Sullivan used the phrase “yacht club scenario.”

The reference is to the arrangements made between and among yacht clubs to extend hospitality to each other’s members. If I belong to the Bay City club, for example, I can gain entry and most member services from affiliated clubs simply by flying the Bay City burgee (that’s a pennant or flag identifying your “home” yacht club).

In the Shibboleth system, you are authenticated by your “home” service (typically an institution of higher learning). Your home service then issues you credentials (in Shibboleth, signed assertions) that other participating institutions accept on the strength of the federation’s trust arrangements, not because they know you. Another analogy could be the Windows NT Domain system and its trust relationships. The major point, though, is that in the Shibboleth system you need to have an account with only one entity. The flip side, which the visited institutions have to accept, is that they are only as secure as the home institution’s authentication: whoever your home service vouches for, they let in.

This contrasts markedly with the Liberty Alliance “circle of trust” scheme, in which you need to establish a relationship with each member of the circle you wish to have contact with. The WS-Federation specification has less to say about trust, relying instead on a separate, but related, specification called, not surprisingly, “WS-Trust.” In essence, WS-Federation deals in security “tokens” that can be issued by various systems (security token services, in WS-Trust’s terms) and presented wherever access is sought. In practice, this resembles parts of Shibboleth melded with parts of the Liberty spec.

The yacht club scenario also resembles the American Express scenario I mentioned a few issues back in that it relies on a “home system” (your yacht club, your charge card issuer) to vouch for you, as it were, to a third party who, not knowing you, relies on agreements with the vouching organization to extend authorizations to you.
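To make the arrangement described in the last few paragraphs concrete, here is a small model of the yacht club scenario in Python. It is an added example, not code from this column or from Shibboleth, Liberty or any WS-* implementation. A home club authenticates its own member and signs a short-lived assertion (the burgee); an affiliated club that has never seen that member checks only that the burgee comes from a club in the federation, that it has not been altered, and that it was issued for this club and is still current, then applies its own local policy for what a vouched-for guest may use. The club names, member, password, roles and service policy are all constructed for the example. Real Shibboleth carries this as SAML assertions signed with the home institution’s key and verified against federation metadata; to keep this runnable with nothing but the standard library, each club’s signing key is modelled as an HMAC key held in a federation registry.

```python
"""Toy model of the yacht club scenario: the home club vouches for its member
to an affiliated club that has never seen them.  Constructed example, not
Shibboleth or Liberty code; an HMAC key per club stands in for the signed
SAML assertions and federation metadata Shibboleth actually uses."""
import hashlib
import hmac
import json
import secrets
import time


def _canonical(payload):
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Federation:
    """The reciprocal agreements: which issuers are recognised and how their signatures are checked."""

    def __init__(self):
        self.keys = {}  # club name -> signing key; a club absent here is a stranger

    def register(self, club_name):
        key = secrets.token_bytes(32)
        self.keys[club_name] = key
        return key


class HomeClub:
    """Identity provider: the only place the member holds an account."""

    def __init__(self, name, key, members):
        # members: name -> (sha256 hex of password, attribute dict); constructed data
        self.name, self._key, self._members = name, key, members

    def issue_assertion(self, member, password, audience, now=None, ttl=300):
        stored, attrs = self._members.get(member, (None, {}))
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            raise PermissionError("home authentication failed")
        now = time.time() if now is None else now
        payload = {
            "issuer": self.name,
            "audience": audience,  # usable at one relying party only
            # pseudonymous handle: the visited club gets attributes, not a name
            "subject": hashlib.sha256(f"{self.name}:{member}".encode()).hexdigest()[:16],
            "attributes": attrs,
            "issued_at": now,
            "expires": now + ttl,
        }
        sig = hmac.new(self._key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class AffiliatedClub:
    """Relying party: knows nothing about the visitor, only the federation
    and its own policy for what a vouched-for guest may use."""

    def __init__(self, name, federation, policy):
        # policy: home-club role -> set of local services it unlocks
        self.name, self._federation, self._policy = name, federation, policy

    def admit(self, assertion, now=None):
        """Return the set of services granted, or raise PermissionError."""
        payload, sig = assertion["payload"], assertion["signature"]
        key = self._federation.keys.get(payload.get("issuer"))
        if key is None:
            raise PermissionError("burgee from a club outside the federation")
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("forged or altered assertion")
        if payload["audience"] != self.name:
            raise PermissionError("assertion was issued for a different club")
        now = time.time() if now is None else now
        if not payload["issued_at"] <= now < payload["expires"]:
            raise PermissionError("assertion expired or not yet valid")
        granted = set()  # "most member services": local policy decides, not the home club
        for role in payload["attributes"].get("roles", []):
            granted |= self._policy.get(role, set())
        return granted


def build_scenario():
    """Constructed fixture: two federated clubs plus one outsider."""
    fed = Federation()
    pw = hashlib.sha256(b"s3cret").hexdigest()
    bay_city = HomeClub("Bay City", fed.register("Bay City"),
                        {"alice": (pw, {"roles": ["member", "skipper"]})})
    harbor = AffiliatedClub("Harbor Club", fed,
                            {"member": {"dock", "bar"}, "skipper": {"charter"}})
    rogue = HomeClub("Rogue Marina", secrets.token_bytes(32),
                     {"mallory": (pw, {"roles": ["member"]})})
    return bay_city, harbor, rogue
```

Note what the affiliated club never does: it never authenticates the visitor, and it never learns the visitor’s home username, only a pseudonymous handle and the roles the home club chose to release. A burgee from Rogue Marina, a tampered role list, an assertion issued for a different club or one past its expiry are all turned away at the gate; everything else rides on the federation agreement, which is exactly why the home club’s own authentication carries the whole arrangement.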

It sounds a bit anticlimactic after the big buildup, but it is a concept that will play a major role (gee, there’s THAT word again!) in the wider identity management arena. Come back next issue and we’ll go into why this is all so important.