Google's Ben Laurie continues with a post I'd call “Cogent with cloudy periods”:
On further reflection, comparing Live ID with Google's authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone's word other than their own? In particular, where do Microsoft say they're going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?
Interesting. Let me explain how I see it. The Windows Live ID whitepaper is about the technical architecture of Windows Live ID, and new capabilities allowing it to be part of a standardized, multi-centered, federated identity fabric. This includes support for Information Cards. Reading the paper, it's easy to see how enterprises or groups of users could gain access to Windows Live services using their native systems federating with Windows Live ID, rather than requiring separate accounts. The business model for this would be totally straightforward.
Now, in terms of how the protocols work, a similar federation relationship could be established between a Windows Live and a Yahoo or a Google. But the business models there are way harder to figure out. You need multiple players to buy in – it needs to be a win/win/win. I don't think anyone has figured this stuff out. Basically, it's a lot easier to change technologies than to change business models.
Still, to me, it makes sense to put a safer, more flexible technical infrastructure in place that offers advantages within current business models while simultaneously laying the groundwork for new approaches as they arise. But let's try to see the two as relatively autonomous.
Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can't get everyone to accept its credentials. So, what's the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that'll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft's work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.
This mish-mashes so many orthogonal ideas together that it gets a wee bit looney. If the following sounds disconnected, it's because the way Ben connected things doesn't make any sense to me:
It's true that a lot of us at Microsoft want to “open the silo”. That doesn't make it easy, or make it obvious what to do.
WS-Trust is not Microsoft Technology, unless IBM is now part of Microsoft – not to mention the hundred or so other companies who have worked on the WS specifications.
Information Cards are not Microsoft proprietary for two reasons: first, the protocols are in OASIS standardization and available royalty-free; and, second, because there is a consortium building real open-source implementations today (OSIS).
I don't understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.
I'm even more mystified at the implication that our Cardspace implementation of Information Cards is a plot. It doesn't offer special advantages to Windows Live ID. Services like those offered by Google get equal billing with services that might come from Microsoft. What is the sin here?
Given the difference between services and open cross platform technology, why call Cardspace “the-passport-nom-de-jour” – except to be naughty?
Anyway, I'm just going to assume Ben had a bad hair day, which everyone has a right to.
Perhaps the flurry of postings made it look like people were ganging up on Google – not at all my intention – I still think that on identity our interests converge and we're all in similar places.
At any rate, Ben concludes thus:
Fred asks: “could you explain why Google shouldn't allow their accounts system to be accessed by Yahoo credentials?”
All I can say is what I already said: there isn't a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can't. Such decisions have to wait for standardised mechanisms to emerge, in my view.
Dick is “surprised to see this post given conversations we had”. Well, Dick, if the fact that I don't always agree with you is surprising, then you'd better stock up on soothing music or something.
I think the situation calls for soothing music all around. How about Iggy Pop?