I like and greatly respect Intel's Conor Cahill.
That's why it is so &#*^%$@*& sweet to be able to point out whenever he makes a mistake.
Phil Windley describes an identity panel on which Conor (and other identifiable luminaries) sat.
Conor is quoted (loosely) as saying: “there’s no large eCommerce implementation of Liberty. SSO hasn’t been adopted outside the enterprise”
Au contraire my Irish friend.
I could give Conor the benefit of the doubt and choose to believe that his comments were misinterpreted. But that's not how friendship works, is it?
Conor responds as follows:
That wasn't an exact quote, but pretty close. The point I was trying to make was in response to a question along the lines of “why don't we see liberty everywhere since it's been around like forever (4 years)”. My answer was along the lines of “while you don't see Liberty implemented all over the place in an ecommerce type environment you do see it in a large number of enterprise environments, especially enterprise reaching out to relying parties” (again, not a direct quote as I can't remember exactly what I said minutes ago, much less hours ago).
I also went on to explain that in my opinion the reason that you don't see it (or any other SSO solution including MS's Passport or AOL's SNS) everywhere is that SPs didn't see a significant benefit from it and were afraid to let someone else (the IdP) potentially get in the middle of their relationship with the customer.
This is changing now because of the need for strong authentication and anti-phishing/IDentity Theft. SPs are much more interested in this stuff nowadays than they were 3 or 4 years ago.
It was the first time I had met a number of the people on the panel, including Conor, and though Phil Windley describes the event as being “tutorial in nature”, I thought it was more than that. Arnaud Sahuguet, formerly of Bell Research Labs and now at Google, laid the groundwork by posing a number of wickedly insightful questions to intensify the discussion. One of them asked why Liberty hasn't caught on more since it has been around for almost five years.
Not knowing Conor I might have imagined he would sidestep the issue with marketing gloop. I've seen more than one presentation equating deployment of a federation service somewhere on a network with delivery of the whole network, all of its resources and all of its users into the brave new world of federation… If only this were true! And my suspicion is that such claims engender false expectations which lead inevitably to the question Arnaud poses.
But Conor didn't go there. He spoke very thoughtfully about what the real issues are. He talked about the problem of intermediation – the reluctance of many relying parties to lose their “sticky” relationship to customers – an example of the Third Law of Identity rearing its club. He spoke also about concerns of liability on the part of identity providers. He called on us, without saying so explicitly, to look beyond our aspirations as technologists, to understanding that technological progress is driven by business decision points.
Conor and Arnaud also talked about the role in which Liberty has been prototyped or adopted – connecting a portal to its wholesalers and partners. Indeed, this is the “circle of trust” scenario – referring essentially to a circle in which the portal is at the center.
Meanwhile, I spoke about (surprise!) InfoCard – largely in a tutorial way since it was new to the audience. But I think it was fairly clear to all that the central problem addressed by InfoCard, of allowing users to manage their identities and connections with portals, and the problems addressed by federation, as discussed by Conor, are basically orthogonal. This is the nub of my thinking when I say InfoCard is not positioned against federation, but solves related but complementary problems.
I think if Paul had been present at the session he would actually have appreciated what Conor had to say. Objectivity and realism in sizing up deployment blockers, and transparency in setting expectations, is what will lead to success.