Incremental new technology is required

Kapil also asks a question about the relationship between Liberty and the Identity Metasystem I have been proposing. First he quotes from the Identity Metasystem whitepaper:

“Participants in the identity metasystem can include anyone or anything that uses, participates in, or relies upon identities in any way, including, but not limited to existing identity systems, corporate identities, government identities, Liberty federations, operating systems, mobile devices, online services, and smartcards. Again, the possibilities are only limited by innovators’ imaginations.”

Then he says,

If I have a Liberty ID-FF or SAML 2.0 enabled IDP which uses SAMLRequest and SAMLResponse for security tokens, [the WS-Trust] architecture does not help.

My understanding is that this identity metasystem is for service providers, identity providers and client machines (infocard system) which are based on WS-Trust, and so saying that other participants such as Liberty could participate in this metasystem may not be correct.

Perhaps I should have been clearer that Liberty or SAML products would need to add some technology to support the proposed identity metasystem (as would related Microsoft products, for example). I was really trying to point out that everything SAML users and vendors already had in place could continue to work just as it does now, while with a small incremental effort their systems could embrace the metasystem. Sure, it would mean supporting WS-Trust – a protocol designed for metasystem purposes: exchanging one security token for another different security token. But the people who've built SAML systems will have little difficulty going this extra step.
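To make the "exchanging one security token for another" step concrete, here is an added example of the exchange in miniature; it is not code from Kim Cameron or from any Liberty, SAML or Microsoft product. It uses the real WS-Trust 1.3, WS-Policy, WS-Addressing and SAML 2.0 namespaces, but the assertion is unsigned and SAML-shaped rather than a full SAML assertion, the issued token type (`urn:example:toy-token#v1`), the hostnames and the HMAC-based token are all constructed placeholders, and the whole thing runs offline with the Python standard library. A SAML-style IdP assertion is placed in `wst:OnBehalfOf` of a `wst:RequestSecurityToken`; a toy security token service checks the request type, the requested token type, the `wsp:AppliesTo` scope and the assertion's issuer against its trust list, then answers with a `wst:RequestSecurityTokenResponse` carrying a different token type; the relying party side verifies the issued token.

```python
"""Toy WS-Trust style token exchange (added example): a SAML-shaped assertion
goes in, a different token type comes out. Namespaces are the real ones; the
toy token type, hostnames and HMAC token are constructed placeholders."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
TOY = "urn:example:toy-token"                 # constructed namespace for the issued token
ISSUE = WST + "/Issue"                        # wst:RequestType value for a new token
TOY_TOKEN_TYPE = "urn:example:toy-token#v1"   # constructed TokenType URI

for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("saml", SAML2), ("toy", TOY)):
    ET.register_namespace(prefix, uri)


def q(ns, tag):
    """Clark-notation qualified name as ElementTree expects it."""
    return "{%s}%s" % (ns, tag)


def build_saml_assertion(issuer, subject):
    """Unsigned SAML 2.0-shaped assertion standing in for what a Liberty/SAML
    IdP would emit (a real one is signed and carries Conditions)."""
    a = ET.Element(q(SAML2, "Assertion"), {"ID": "_" + secrets.token_hex(8), "Version": "2.0"})
    ET.SubElement(a, q(SAML2, "Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q(SAML2, "Subject")), q(SAML2, "NameID")).text = subject
    return a


def build_rst(assertion, token_type, applies_to):
    """Requestor side: ask the STS to Issue token_type for the relying party in
    wsp:AppliesTo, presenting the assertion in wst:OnBehalfOf."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    ET.SubElement(rst, q(WST, "OnBehalfOf")).append(assertion)
    return ET.tostring(rst)


def _mac(key, subject, audience):
    # Toy integrity tag binding subject to audience; a real STS would sign the token.
    return hmac.new(key, f"{subject}|{audience}".encode(), hashlib.sha256).hexdigest()


class ToySTS:
    """STS side: validate the request and the presented assertion, then answer
    with a wst:RequestSecurityTokenResponse carrying a different token type."""

    def __init__(self, trusted_issuers, signing_key):
        self.trusted_issuers = set(trusted_issuers)
        self.signing_key = signing_key

    def issue(self, rst_xml):
        rst = ET.fromstring(rst_xml)
        if rst.tag != q(WST, "RequestSecurityToken"):
            raise ValueError("not a RequestSecurityToken")
        if rst.findtext(q(WST, "RequestType")) != ISSUE:
            raise ValueError("only the Issue request type is supported")
        if rst.findtext(q(WST, "TokenType")) != TOY_TOKEN_TYPE:
            raise ValueError("cannot issue the requested TokenType")
        audience = rst.findtext(f"{q(WSP, 'AppliesTo')}/{q(WSA, 'EndpointReference')}/{q(WSA, 'Address')}")
        if not audience:
            raise ValueError("AppliesTo is required so the token is scoped to one relying party")
        assertion = rst.find(f"{q(WST, 'OnBehalfOf')}/{q(SAML2, 'Assertion')}")
        if assertion is None:
            raise ValueError("OnBehalfOf must carry a SAML assertion")
        issuer = assertion.findtext(q(SAML2, "Issuer"))
        if issuer not in self.trusted_issuers:   # the federation trust decision
            raise ValueError(f"untrusted issuer: {issuer}")
        subject = assertion.findtext(f"{q(SAML2, 'Subject')}/{q(SAML2, 'NameID')}")
        if not subject:
            raise ValueError("assertion has no subject")
        rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
        ET.SubElement(rstr, q(WST, "TokenType")).text = TOY_TOKEN_TYPE
        tok = ET.SubElement(ET.SubElement(rstr, q(WST, "RequestedSecurityToken")), q(TOY, "Token"),
                            {"subject": subject, "audience": audience})
        tok.set("mac", _mac(self.signing_key, subject, audience))
        return ET.tostring(rstr)


def parse_rstr(rstr_xml, key):
    """Relying-party side: pull the issued token out of the RSTR and check its MAC."""
    rstr = ET.fromstring(rstr_xml)
    tok = rstr.find(f"{q(WST, 'RequestedSecurityToken')}/{q(TOY, 'Token')}")
    if tok is None:
        raise ValueError("no RequestedSecurityToken in response")
    subject, audience, mac = tok.get("subject"), tok.get("audience"), tok.get("mac")
    valid = hmac.compare_digest(mac or "", _mac(key, subject, audience))
    return {"token_type": rstr.findtext(q(WST, "TokenType")), "subject": subject,
            "audience": audience, "valid": valid}


def try_exchange(sts, key, issuer, subject, audience):
    """Run the whole exchange; returns (ok, parsed token) or (False, reason)."""
    rst = build_rst(build_saml_assertion(issuer, subject), TOY_TOKEN_TYPE, audience)
    try:
        return True, parse_rstr(sts.issue(rst), key)
    except ValueError as e:
        return False, str(e)
```

`try_exchange(ToySTS(["https://idp.example.org"], key), key, "https://idp.example.org", "alice@example.org", "https://app.example.net")` returns the issued token's fields, while the same call with an issuer outside the trust list is refused at the STS; the point is that the SAML side keeps emitting what it emits today and only the STS needs the incremental WS-Trust front end.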

The truth is, to get to a metasystem, it wouldn't only be Liberty or SAML implementors who would have to add the token exchange capability – changes would be required in all the systems asserting corporate and government identities; in operating systems, mobile devices, online services, smartcards; and in every other technology mentioned in our whitepaper. No one, including Microsoft, has WS-Trust rolled out at this point in time, so everyone would have to take the plunge.

From what I can see, most people interested in identity see WS-Trust as being a protocol that can really take us forward. But to commit to it, they need to see WS-Trust and its related specifications living in standards organizations. So now, the ball is in our court. We have to deliver.

Published by

Kim Cameron

Work on identity.