Identity Metasystem – Page 10 – Kim Cameron's Identity Weblog

Ensuring Privacy and Consent

I think many will benefit from Marco Casassa Mont's Research on Identity Management blog. He discusses business-driven identity management – and its foibles.

A recent post invites us to an upcoming Kable conference that I would attend if I possibly could:

An interesting conference is going to take place on July, 9^th in London, UK on â€œEnsuring Privacy and Consent in Identity Management Infrastructuresâ€. It is supported by DTI and free to attend to the private sector and academics. The conference program and online registration form are available here.

â€œThe Department of Trade and Industry (DTI), through the Technology Strategy Board's Network Security Innovation Platform, is working with the Identity and Passport Service (IPS), the Home Office, the Economic and Social Research Council (ESRC) and the Engineering and Physical Sciences Research Council (EPSRC) to develop a work package that will sponsor a £10m, 3-year, research and development programme into how to balance the potentially intrusive nature of identity services and network security with users’ expectations of privacy and consent. This research will be cross-disciplinary, combining social science with technological innovation. â€¦

The aim of this initial workshop on 9 July is to discuss and refine the areas of importance for research, as well as identifying where the research is needed and where the UK has potential to develop world-leading commercial services. The findings of the workshop will lead to the development of projects and proposals using the EPSRC's sand-pit concept at a further workshop to be held in early October.â€

You might want to consider attending if you work in the areas of identity and privacy management â€¦

Paul Madsen leaks internal photo

Despite my repeated requests not to go there, Paul Madsen of ConnectID has published a leaked, top secret, internal Microsoft Identity and Access photo. His post reads as follows:

An un-named source in Redmond sent me this never before seen picture of the first ever infocards assembly line.

In the front you can see a worker inserting secret keys obtained from the bins below (the punch-card calculating machines on which those keys were generated are in another room). Other workers further down the line can be seen inserting attributes before securing the top of the cards with wrenches.

My source tells me that another line is planned.

Luckily, the IP revealed by this photo is part of the Open Specification Promise (OSP). I checked with our operations people to see if the items in the bin really are the secret keys, but apparently they are silver bullets.

PHP managed card provider

Here's a new managed card provider from Patrick Patterson at Carillon Information Security Inc. With commendable understatement, Patrick writes:

I just thought that you'd like to know about a demonstration STS for issuing managed infocards that we've just finished.It's written in PHP, backends into either a database or LDAP, and is easily customizable to accommodate custom claims.

And, since it is written in PHP, it is easily deployable for those that want to experiment with a CardSpace STS, but who may not have either a JSP server to deploy one of the other Java based implementations, or an IIS .NET server to experiment with the one Microsoft has provided.

It is available here.

I'm a sucker for PHP and Ruby on Rails, so I love seeing this support. Beyond that, I'm interested in Carillon's support for certificates.

What is it?

The Carillon STS is a PHP-based Federated Identity Provider (IdP) which is capable of acting as a Secure Token Service (STS) compatible with Windows CardSpace and other “infocard” implementations. It has been successfully tested with CardSpace, as well as with Chuck Mortimore's Firefox identity selector plugin.

Once installed and configured, the Carillon STS allows a user to authenticate himself, either by password or by X.509 certificate, whereupon he is issued a digitally signed infocard containing some standard identity claims and optionally some customizable identity claims. When he presents this infocard to a Relying Party's (RP's) site, his browser's identity selector requests a SAML token from the Carillon STS. If the authentication information is still valid, a digitally signed token will be issued with the various claims asserted. The browser takes this token, checks the digital signature, encrypts it for the RP, and passes it along. It is the RP's responsibility to decrypt the SAML token, check the digital signature, check the asserted claims, and make an access decision based on this information.

Current Status:

This project has been tested with available releases of Windows CardSpace and the Firefox identity selector plugin. There are several Relying Party (RP) sites on the web to test against; in particular, the xmldap.org RP is able to consume Carillon STS infocards and display their contents.

Version 0.01 is the initial release of the Carillon STS. It is presently under active development.

License:

The Carillon Demo STS is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Carillon Demo STS is Copyright © 2007 Carillon Information Security Inc.

Download:

Note: Please hold down the SHIFT key while clicking on package you want to download to avoid file corruption.

Source: carillon-sts-0.01.tar.gz

I hope to meet Carillon at the next Interopathon. It's really awe-inspiring to see this level of Information Card expertise developing spontaneously in the security and identity communities. Congratulations, folks!

CardSpace and Smart Cards

Over the next few days I will write about some of the Information Card ideas and products I saw at the Burton Group's Catalyst Conference. The Interopathon demonstrated a whole slew of identity provider, identity selector and relying party products written by all kinds of competitors and collaborators. Pretty much all the big software companies were involved, as were a some smart identity industry startups. The next day, the party continued in the Microsoft hospitality suite – and probably other suites as well.

One of my favorite demonstrations was put together by Gemalto, one of the world's largest manufacturers of smart cards, cell phone SIMS and dongles. They collaborated closely with the CardSpace team on a prototype of CardSpace in which Information Cards and the associated metadata and secret keys are all kept on a smartcard or dongle.

Here's the user experience:

You arrive at a machine, and insert your smart card.

CardSpace asks for a password, and when you enter it, you see your CardSpace cards as usual – except they marterialize from the smart card. The system supports both self-issued and managed cards.

Then, when you remove your smart card, all the CardSpace cards go away.

In other words, the system completely solves the roaming and “kiosk” problem. You take your Information Cards with you, and use them wherever you go. A single smart card can transport a whole set of unrelated cards – the “Fist full of dongles” problem is solved.

The Gemalto folks have a demo that makes the ideas completely clear here. Much of the work was done by Kapil – great guy and I have my fingers crossed that he'll start blogging again.

Including the whole spectrum of use cases

Mathew Martin, who writes Mostly Mr. SQL, clearly detests PKI certificates more than almost any living person. He finds CardSpace guilty by association in a piece called GRRRR! CardSpace. What a useless steeming pile…

Ok. Cardspace/Infocard is like OpenId. Password-less access to websites (or password-fewer access).

BUT

1. You must use SSL. Even if you just want to secure your application against your clueless neighbor. That is a minimum of $40.

2. You must decrypt the response on an account with NTFS access to the private key. The NT Network Service account is not likely to have read access to the private key on a hosted account. Good luck explain how and getting co-operation from your hosting provider.

3. Decryption must be done under FULL TRUST. Many hosted accounts only let you run in medium trust and donâ€™t let you create COM+ dlls, put stuff in the GAC, etc.

[Items 2 and 3 might not even be a good idea. If the world at large manages to use your web application to maliciously download your SSL cert, I suppose they could do something evil, like pretend they are you]

4. To get rid of the â€œthe website isnâ€™t secure for banking or ecommerceâ€ you have to spend $1000 on an EV SLL cert. Oh, sure, pocket change.

5. And who is issuing managed cards? I can get an SSL based cert from Thawte that says I am the person that controls my email account, but I canâ€™t find anyone who issues managed infocards anywhere.

Iâ€™ve about realize that Iâ€“a computer profession and programmer, will not be able to implement InfoCard/Cardspace in any form, not for my blog, not for my hobby website, nothing. Either one has $1040 and ones own entire server or nothing.

If only the top 10 biggest websites can overcome the hurdles posed by infocard, what we are going to see is 5 websites accept infocard and everyone else (mom & pop websites) continue to use passwords and user IDâ€™s. InfoCard will have a minimal impact on how authentication is done.

This is going to drive small websites into using OpenId. Consumer will rapidly gain a few dozen OpenId cards. The rising ubiquity of OpenIdâ€“which doesnâ€™t try to be a waterproof authentication methodâ€“will take over the world, relegating InfoCard to â€œthat way you logon to Live.com servicesâ€.

Come on Microsoft, when are we going to be able to run CardSpace/Info card in â€œreal worldâ€ mode?

[Thanks to Self-issued.info for the logo] [Actually, I take that back, it is a Microsoft trademark. The purple box is has a substantial amount of IP self legislation that goes with it. According to MSâ€™s lawyers, I am currently in violation of usage guide lines for the icon. Letâ€™s see how Microsoft silences critics of InfoCard.]

Let's start with the CardSpace requirement that a relying party support SSL. I agree with Mathew that requiring use of SSL and PKI is overkill for the type of blogging and hobbyist use cases he describes. While my identityblog certificate is fairly inexpensive (thanks to godaddy.com), the extra cost associated with it at textdrive (which hosts my system) is around $100.00 per year because of the need to have a dedicated outward facing IP address. I don't mind the cost too much, since I know there are people who will hit on my site and I like the extra protection. But this really isn't appropriate for everyone.

This underlines the fact that identity and the identity metasystem involve a continuum of use cases and technologies – and we have to embrace the whole continuum. By making certificates mandatory, we cut the continuum in half. Luckily, we can fix that before we get into the wide deployment phase.

My conclusion is that rather than hard-wiring the requirements for identification of a relying party into the identity selector, we should have allowed each identity provider to decide what minimal requirements were appropriate.

This ends up having advantages both at the low value and high value ends of the spectrum.

For example, a bank's IP might decide to only release information to a relying party with an Extended Validation (EV) certificate. If so, CardSpace would not illuminate the associated information card if an EV certificate were not in use at the relying party site. [EV certificates are only granted to companies or other organizations after they follow an extensive procedure for proving their legitimacy.]

Meanwhile, a blogging reputation identity provider might be happy to release reputation to any site the user proposes, certificate or no certificate.

Of course, the relying party is always free to use a certificate and gain the extra protection that provides.

This change is actually part of CardSpace 1.1 – which people should be able to start experimenting with very soon now. When combined with the release of great toolkits for all the important languages, I think this will bring quite a bit of lift-off.

As for point 4), let's look at what the CardSpace advisory actually says:

I think there's a big difference between “a major internet business” and a site doing “ecommerce”. When I buy a tee-shirt from Mathew I don't expect him to be EV. If he were trying to sell thousand dollar cameras, I would feel differently. I'd want him to either be well identified, or to work through a site like eBay that would provide another way of establishing his reputation. And in this case, I want to make sure I'm really talking to eBay, so once again would like to see an EV cert.

I don't think any “major internet business” or bank will have any difficulty whatsoever covering the cost of an EV cert. The idea of using the superior certs came directly from them, since they're the ones whose users get phished. I don't understand why, given his earlier rant against the poor validation proceedures in conventional certificates, Mathew rails against our support for EV. Part of his earlier criticism of EV certs is that the browser doesn't show the meaning of the cert properly, a problem CardSpace has solved. Consider this recent Anti-Phishing Working Group report:

As for who is issuing managed cards, you'll be seeing many outfits doing it as we move toward the InfoCard tipping point. We're in the sockets and ecosystem phase of Information Cards, but I can tell you many players get the potential of the technology and are integrating it into product.

As for OpenID versus Information Cards, I don't see them as opposites. Go to signon.com today and you'll see it supports use of Information Cards for OpenID authentication. This is nice because it gets you InfoCard safety along with OpenID long-tail support. Going forward, I think you'll see most OpenID vendors supporting OpenID managed cards that work with OpenID sites.

As for the Information Card Icon, our intention is that it be available to everyone who supports the technology. There has been pushback on the language around the icon, and we'll be figuring out how we can get this thing right. In the meantime, I wouldn't be worried about using it on a teeshirt or to criticise us – but I would be worried about using it at a phishing site.

Catalyst Interopathon reveals sea change

Here are the logos of the projects participating in the Information Card Interopathon at the Burton Group's Catalyst Conference. Beyond that, people told me about at least half a dozen new open source projects (each with a unique mission) that are sitting in the wings getting ready to go public. I'll try to keep you posted on these.

We had a rehearsal for this a couple of months ago at Internet Identity Workshop, but something has changed since then: many of the players seem to have made strides in getting concrete about how the technology would be used in their products. That's the key.

According to the press release:

Participants include projects groups Eclipse Higgins Project, Internet2 Shibboleth Project, The Pamela Project, Ian Brown (OpenInfoCard), XMLDAP, and SocialPhysics and vendors BMC Software, CA, FuGen Solutions, IBM, Microsoft, NetMesh, Novell, Nulli Secundus, Oracle, Ping Identity, Sxip Identity, VeriSign, and WSO2.

The demonstration will be centered on a photo sharing application and will show the breadth and maturity of user-centric technologies by executing a variety of information card-based component capabilities including:

Protocol and wire format interoperability

Card format interoperability

Policy interoperability

Platform interoperability

The interop event was organized by OSIS and identity commons and hosted by The Burton Group. Thanks to all involved.

Dave's mother

During one of the hospitality parties at the Burton Group's Catalyst conference I came across the SXIP folks showing their cool new application service “outsourcing appliance” that lets enterprises outsource HR or mail and calendar to companies like Salesforce.com and Google. When employees are inside the firewall, they can just leverage Active Directory or some other LDAP server or authentication system to automatically create a SAML token that will log them into the service.

One of the requirements SXIP has encountered is for employees to be able to securely access these resources from their homes and hotel rooms without introducing the risk of password leaking.

After all, most companies don't want employees revealing their enterprise username and password to service suppliers – but also don't want to support a separate username/password outside the firewall… SXIP's solution: use Information Cards. It's a very simple and nice solution.

While looking at what they've done, I met David Huska, the incredibly fast and energetic engineering guy behind the project. He started telling me about CardSpace and his mother, and I could see he had a great potential CardSpace “elevator pitch” – meaning a way to explain a technology while riding an elevator up a few stories. So I cut him off, pulled out my phone, and asked him to start again. Here's what he said:

Kim: So you were talking about your mother…

Dave: What were you saying about my mother, Kim? Were you talking about my mother?

Kim: I love your mother.

Dave: Alright. CardSpace is an analogy my mother gets. She doesn't understand what I do in a million years, but CardSpace she gets. She sees the cards. Everything else stops. Everything goes away. She can't do anything else until she chooses a card.

When she pulls our her purse, she sees her cards. And with CardSpace, she sees her cards. She can see what card they want from her. She can see the information they're looking for from her. She can decide what she wants to use, or not – what she wants to approve or not.

It's like being in the supermarket. She can decide which card she wants to give – and if she wants to. It makes sense for her. It's simple. Its a clean UI. It's well done.

Kim: (Referring to SXIP's cool new system – that supports Information Cards.) So has your mother actually seen this?

Dave: Yes, she's seen it running on my test machine. She said, “Oh this is what you do. I finally get it.” And I had to say, “Well, this isn't exactly what I do – it's what another company does.” But you got her closer to understanding what I do than just about anything else I've ever shown her. So thank you.

Dave is great – and I love his mother too. Any thanks should be directed to all the people on the CardSpace team who did all the work and refinement and threat modelling and studies, and who are coming out with a nice update in the very near future.

Control, not nagging

In a piece called Pleading down the Charges, Jeff Bohren of talkBMC refers to the discussion I've had with Conor about invisible redirection as ‘inflammatory’, and adds:

“In subsequent exchanges Kim and Conor plead the charges down from a felony to a misdemeanor. Kim allows that the redirection is OK so long as the IdP is completely trusted, but he is concerned about the case where the IdP is not trustworthy…

It's probably true that my “hand in wallet” metaphor was a bit stark. But how can I put this? I'm doing a threat analysis. Saying everything is OK because people are trustworthy really doesn't get us very far. Even a trustworthy IdP can be attacked; threats remain real even in the light of mitigations.

When we put on our security hats, and look at the security of a system, we try as hard as we can to explore every possible thing that can go wrong, and develop a complete profile of the attack vectors. No one says, “Hey, don't talk about that attack, because we've done this or that to prevent it.” Instead, we list the attack, we list what we do to mitigate it, and we understand the vulnerability. We need to do the same thing around the privacy attack vectors. It is revealing that this doesn't seem to be our instinct at this point in time, and reminds me of the days, before the widespread vulnerability of computer systems became apparent, when people who brought up potential security vulnerabilities were sent to stand in the corner.

Jeff continues:

What is missing from this discussion is the point that “automatic redirection” is not mandated by SAML. Redirection, yes, but automatic redirection is not required. The SP could very well have presented at page to the user that says:

“Your browser is about to be redirected www.youridp.com for the purposes of establishing your identity. If you consent to this redirection, press Continue. If you do not consent, press Cancel….

Correct. This could be done. But information can also be made to fly around with zero visibility to the user. And that represents a risk.

Jeff concludes:

Nobody does this kind of warning because the average user doesnâ€™t want to be bothered and isnâ€™t concerned with it. Not as concerned as, for instance, having a stranger reach into their pocket.

Actually, thanks to “invisible system design”, the “average user” has no idea about how her personal information is being sent around, or that with redirection protocols, her own browser is the covert channel for sharing her identity information between sites. This might be all right inside an enterprise, when there is an implicit understanding that the enterprise shares all kinds of personal information. It might even be OK in a portal, where I go to a financial institution and expect it to share my information with its various departments and subsidiaries. But in the age of identity theft, I'm not so sure she would not be concerned with the invisible exchange of identity information between contextually unrelated sites. I think she would probably feel like a stranger were reaching into her wallet.

To be clear, my initial thinking about the “hand in wallet” came not from SAML, but from X.509, where the certificates described in Beyond maximal disclosure tokens are routinely and automatically released to any site that asks for them without any user approval. SAML can be better in this regard, since the IP is able to judge the identity of the RP before releasing anything to it. In this sense, not just any hand can reach into your wallet – just a hand approved by the “card issuer”… This is better for sure.

Do we need to nag users as Jeff suggests might be the alternative? No. Give the user a smart client, as is the case with CardSpace or Higgins, and whole new user experiences are possible that are “post nagging”. The invisibility threat is substantially reduced.

In my next post in this series I'm going to start looking at CardSpace and linkability.

No SAML bashing intended here

Conor Cahill (Conor's Web log of Esoterica) responds to my discussion about SAML protocol and linkability in a piece called SAML bashing – which is, by the way, absolutely NOT my intent. I'm simply trying to understand how SAML relates to linkability, as I am doing for all the other major identity technologies. I can't take up all the points he raises at this point in the flow, but encourage the reader to look at his piece…

Conor mentions the emerging ideas for a SAML 2.0 Enabled Client/Proxy. I want to make it clear I wasn't analysing these proposals. I was analysing SAML as everyone knows it today – using the “http redirect” and “post” modes that have been widely deployed in portals all over the world, and don't require changes to the browser.

Kim writes about SAML's use of redirection protocols.. To start with, he forgets to mention a few important facts as part of his discussion:

SAML defines a profile for an Enabled Client/Proxy (ECP) which is an evolution of the Liberty Alliance's LECP protocol. This protocol does *NOT* involve redirection, but instead supports an intelligent client directed by the user driving SSO transactions (a similar model to that adopted by Cardspace).
The Browser-Profile that Kim is referring to is one written based upon a use case requirement that the profile work out-of-the-box on unmodified browsers. There is NO other possible solution that will work in this scenario that will protect the users credentials at the IdP.

That said, there are still several statements in Kim's analysis that I feel obligated to respond to. These include:

Note that all of this can occur without the user being aware that anything has happened or having to take any action. For example, the user might have a cookie that identifies her to her identity provider. Then if she is sent through steps 2) to 4), she will likely see nothing but a little flicker in her status bar as different addresses flash by. (This is why I often compare redirection to a world where, when you enter a store to buy something, the sales clerk reaches into your pocket, pulls out your wallet and debits your credit card without you knowing what is going on – trust us.â€)

First off, the user only see's nothing if a) they are already authenticated by the IdP, b) they have previously established a federation with the relying party, and c) they have told the IdP that they don't want to be notified when an SSO with this party takes place. I, for one, want things to work this way for me with providers that I trust (and yes, I do trust some providers). The inability to do this type of automatic operation is one of the shortcomings in Cardspace's implementation that I think will eventually be fixed. There is no need to have repeated confirmations of operations that I say may occur without my unnecessary participation.

Secondly, the analogy is way off base, trying to make this seem like I'm bing pick-pocketed by someone I don't know which Kim knows is absolutely not the case. A more proper analogy would be something along the lines of “I give one of my providers permission to reach into my bank account and withdraw money to pay my bill”. I do this all the with providers I trust, such as my electric company, my telephone company (both wired and wireless) and may other companies.

[Much more here…]

I think Conor is misunderstanding my intentions. I agree that with a completely trustworthy Identity Provider following best practices for end user privacy, Conor's points b) and c) above would likely apply. But we are looking at linkability precisely to judge the threats in the case where parties to identity transactions are NOT completely trustworthy (or are attacked in ways that undermine their trustworthiness.) So arguing that the identity provider will behave properly has nothing to do with what I am exploring: risk. I'll try to build Conor's concerns into my ongoing discussion.

In terms of Conor's point about letting his telephone company deduct directly from his bank account, that's a use case that “rings true”, but there are few companies to which I would want to give this ability. That's my point. We need a spectrum of technologies to handle different use cases and risk profiles.

[Update: Conor later relents a bit in Perhaps not so much Bashing, bringing up a number of points I hope to make part of this exposition.]

Linkage in “redirect” protocols like SAML

Moving on from certificates in our examination of identity technology and linkability, we'll look next at the redirection protocols – SAML, WS-Federation and OpenID. These work as shown in the following diagram. Let's take SAML as our example.

In step 1, the user goes to a relying party and requests a resource using an http “GET”. Assuming the relying party wants proof of identity, it returns 2), an http “redirect” that contains a “Location” header. This header will necessarily include the URL of the identity provider (IP), and a bunch of goop in the URL query string that encodes the SAML request.

For example, the redirect might look something like this:

HTTP/1.1 302 Object Moved Date: 21 Jan 2004 07:00:49 GMT Location: https://ServiceProvider.com/SAML/SLO/Browser?SAMLRequest=fVFdS8MwFH0f7D% 2BUvGdNsq62oSsIQyhMESc%2B%2BJYlmRbWpObeyvz3puv2IMjyFM7HPedyK1DdsZdb%........2F% 50sl9lU6RV2Dp0vsLIy7NM7YU82r9B90PrvCf85W%2FwL8zSVQzAEAAA%3D% 3D&RelayState=0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F% 2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsasha1& Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE Content-Type: text/html; charset=iso-8859-1

The user's browser receives the redirect and then behaves as a good browser should, doing the GET at the URL represented by the Location header, as shown in 3).

The question of how the relying party knows which identity provider URL to use is open ended. In a portal scenario, the address might be hard wired, pointing to the portal's identity provider. Or in OpenID, the user manually enters information that can be used to figure out the URL of the identity provider (see the associated dangers).

The next question is, “How does the identity provider return the response to the relying party?” As you might guess, the same redirection mechanism is used again in 4), but this time the identity provider fills out the Location header with the URL of the relying party, and the goop is the identity information required by the RP. As shown in 5), the browser responds to this redirection information by obediently posting back to the relying party.

Since the identity provider is tasked with telling the browser where to send the response, it MUST know what relying party you are visiting. Because it fabricates the returned identity token, it MUST know all the contents of that token.

So, returning to the axes for linkability that we set up in Evolving Technology for Better Privacy, we see that from an identity point of view, the identity provider “sees all” – without the requirement for any collusion. Knowing each other's identity, the relying party and the identity provider can, in the absence of appropriate policy and suitable auditing, exchange any information they want, either through the redirection channel, or through a “back channel” that dispenses with the user and her browser altogether.

In fact all versions of SAML include an “artifact” binding intended to facilitate this. The intention of this mechanism is that only a “handle” need be exchanged through the browser redirection channel, with the assumption that the IP and RP can then hook up and use the handle to “collaborate” about the user without her participation.

In considering the use cases for which SAML was designed, it is important to remember that redirection was not originally designed to put the “user at the center”, but rather was “intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent… for example, if the communicating parties do not share a direct path of communication.” In other words, an IP/RP collaboration use case.

As Paul Masden reminded us in a recent comment, SAML 2.0 introduced a new element called RelayState that provides another means for synchronizing or exchanging information between the identity provider and the relying party; again, this demonstrates the great amount of trust a user must place in a SAML identity provider.

There are other SAML bindings that vary slightly from the redirect binding described above (for example, there is an HTTP POST binding that gets around the payload size limitations involved with the redirected GET, as Pat Paterson has pointed out). But nothing changes in terms of the big picture. In general, we can say that the redirection protocols promote much greater visibility of the IP on the RPs than was the case with X.509.

I certainly do not see this as all bad. It can be useful in many cases – for example when you would like your financial institution to verify the identity of a commercial site before you release funds to it. But the important point is this: the protocol pattern is only appropriate for a certain set of use cases, reminding us why we need to move towards a multi-technology metasystem.

It is possible to use the same SAML payloads in more privacy-protecting ways by using a different wire protocol and putting more intelligence and control on the client. This is the case for CardSpace in non-auditing mode, and Conor Cahor points out that SAML's Enhanced Client or Proxy (ECP) Profile has similar goals. Privacy is one of the important reasons why evolving towards an “active client” has advantages.

You might ask why, given the greater visibility of IP on RP, I didn't put the redirection protocols at the extreme left of my identity technology privacy spectrum. The reason is that the probability of RP/RP collusion CAN be greatly reduced when compared to X.509 certificates, as I will show next.