Geoff Arnold added a comment to an earlier piece that helps tease out the issues around delegation:
In otherwords, there is no user-absent scenario. There is a user is present and delegates authority scenario. After all, how can a user delegate authority if she isnâ€™t present???
That's fine as long as one of the rights that can be delegated is ability to delegate further. And I'm guessing that that's what Eve is really talking about. Not delegating 100% of her rights to some agent, but delegating sufficient rights that the agent can act as a more-or-less first class entity, negotiating and delegating on her behalf.
In fact the only (obvious) right that I should not be able to delegate is the right of revocation….
OK. So delegation is recursive. If we accept the notion that services operate within their own identity when they do something a user has asked them to – then if they want to delegate further, they need to create a Delegation Token that:
- asserts they have the right to delegate in some particular regard; and
- defines exactly what they want to delegate further, and to whom.
They need to present this along with the user's authorization. One ends up with the whole delegation chain – all of which is auditable.
In this scenario, the user's identity remains under her control. That's one of the things we mean when we say, “user centric”. By issuing an authorization for some service to do something, she actually asserts her control over it. I think this would be true even if, given a suitable incentive, she delegated the right of revocation (there are limits here…)
Multiple tokens to capture these semantics
CardSpace is built on top of WS-Trust, though it also supports simple HTTP posts.
One of the main advantages of WS-Trust is that it allows multiple security tokens to be stapled together and exchanged for other tokens.
This multi-token design perfectly supports strong identification of a service combined with presentation of a separate delegation token from the user. It is a lot cleaner for this scenario than the single-token designs such as SAML, proposed by Liberty, or the consequent “disappearing” of the user.
I guess I find Eve's contention that, “By contrast, Libertyâ€™s ID-WSF was developed to support both the ‘human present’ and ‘human absent’ modes” a bit triumphalist and simplistic.
Going forward I'll write more about why I think WS-Trust is a step forward for these delegation scenarios. And about why I think getting them right is so very important.