Eric Norlin and Dick Hardt hold firm

Eric Norlin responds to the Ben Laurie post I addressed here:

Ben Laurie, an employee of Google who is quite clear about the fact that he does not represent Google itself, is responding to my earlier post contrasting Google and Microsoft. Ben's pushing back on my contrasting of Google's Account Authentication versus Microsoft's Live ID, and my treatment therein. Specifically:

1. Ben states that “everyone knows” that Google only announces what they've already done (as opposed to what he sees as Microsoft's urge to announce what it's going to do).

2. There is no “mature, reliable, secure identity federation mechanism” that's widely used (thus, implying that there's nothing for Google to use).

3. That the release of Google Account Authentication does NOT deepen the existing internet identity silo.

4. That I have (somehow) fallen into the “newspaper trend” of writing articles that are “critical regardless of facts.” (ouch)

Let me try to respond:

1. I guess that subconsciously I knew that Google only announced what it had already done, but that really wasn't the point of my piece. My piece was a contrast meant to highlight an observation that I was making — namely, that Microsoft had learned a lot of important lessons from Passport; lessons that companies like Google may not have learned. Now, at the end of the day, I'm dependent upon my ability to observe based upon my available information. Since Google's PR department is — shall we say — a little opaque, most of us journalist-blogger types are left to discern what we can from what Google has done or is doing (precisely as Ben says). Furthermore, since no one from Google contacted me to correct me about my observations regarding Google's Account Authentication (I'd be glad to be officially corrected), and since Google has not changed what they're doing in any significant way, then I have no new information to change my mind.

2. Ben's right that there is no “internet scale” identity federation mechanism. SAML has gained widespread adoption, but is not suited for “internet scale.” Same goes for Liberty. There are, of course, a TON of people working on this problem — OSIS, YADIS, Sxip, the identity gang, Microsoft, etc., but I won't argue with Ben on this — there isn't a mechanism that's widely used.

3. We disagree on point number 3 — and Dick Hardt presents why. In response to Ben's statement – “What kind of credential did you expect to present? Your Yahoo login?” – Dick responds, “Uh, actually, yes.” This points out the fundamental problem at the heart of all of this “identity 2.0” stuff that I've been talking about: the existing silos (Google, Yahoo!, eBay, etc.) have *no* immediate business reason for opening their identity silos (at least, not that they can see). Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport. At the end of the day, Google is reinforcing its identity silo. That was the ultimate point of my post – and the one that I wish Google would respond to openly and directly.

4. I actually don't think I have fallen into some “newspaper trend.” If anything I am (and Digital ID World is) a member of the larger identity community. My post relied solely on the facts that Google has given me. If they change the facts (i.e., correct me), then I'll change my observation. At the end of the day, this is a communal exercise, and if I somehow have a misperception of what's going on (from Google's or Ben's point of view), then I'd bet that *lots* of people in identity have the same misperception. And if that is true, then it's Google's PR department's job to change it.

Let me close with this: I'm not trying to start some “vendor war,” or make Google “evil,” or take shots at the big kid on the block, or anything. We started Digital ID World because we knew that identity was a huge problem that crossed all boundaries, and we wanted it to turn out okay. It could go badly. It could not turn out okay. It's quite possible that the silos only get deeper, the walled gardens return, identity never has its “browser moment” (where it explodes into common usage). Do I want to see identity succeed? You bet I do. I don't think I've ever hidden that. As such, I try to call things as I see them.

Bottom line: I'd love for someone who does represent Google publicly to correct my horrible misperception of what they're doing in identity. In fact, they can come be on the Digital ID World keynote panel — “What do the largest internet sites think about identity?” – and make sure the entire identity community understands them (that's an open invite). Google, will you join us and set us straight?

Meanwhile, Dick Hardt says:

Ben Laurie from Google responded to my post on Google Account Authentication: two steps forward, one step back. A few comments that I’d like to respond to:

Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?

Uh, actually, yes. That is the idea behind Identity 2.0, that I could use my Yahoo login to authenticate to Google and to access Google services.

How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

Yes, I did read with great interest what the services do. As for why this deepens the identity silo, these new identity APIs make it easy for non-Google applications to consume Google services, but it is tied to the user’s Google credential, increasing the value of that Google credential, but creating a bigger barrier to services similar to Google’s, and increasing the user’s reliance on the Google credentials. Good for Google, but starts to reduce users’ options.

As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used?

Ben is correct, there is no mature, reliable, secure identity federation mechanism that’s widely used. But that has not stopped Microsoft from working to create one and announcing that they will be using it in their products in the future. Google could participate in defining Identity 2.0 architectures and make them widely used because they are Google.

Published by

Kim Cameron

Work on identity.