Pete Rowley of RedHat has to win the Witty Title Award for “The umpire delegates back”:
Recently Kim Cameron has been defending CardSpace against various assertions that it won’t work offline. As I pointed out some while back, that is pure nonsense. I’ll let you read Kim’s blog for the details of how such a system might work with CardSpace, but I’ll just say it has to do with delegation. And that’s just a big word for access control, in this case user centric decentralized access control.
There really is no big secret to how this stuff is possible – at some point in time an offline user will be online, and during that time instead of ceding their credentials to the service in the sky (or worse, it happens without choice), they spend the time granting access specific to the service that needs access. That’ll be a statement along the lines of “Pete’s blog is allowed to view this flickr photoset.”, not “here’s my password dude, do as you will”, or indeed “hey, IdP, see that service? That’s me that is.” I have to agree with Kim on the notion of impersonation – at no time should anybody give the required access level for impersonation of themselves, on or offline.
There be dragons.
Pete has a fascinating blog and it's really worth following his People In The Policy series. This is good stuff.
I confess I'm puzzled by this “argument”, since in fact most of ID-WSF is about profiling WS-* and SAML to support, umm, delegation so that services authenticate as themselves but can act on my behalf if I grant them permission.
So, I guess you've succeeded in explaining very nicely why I think Liberty ID-WSF is fairly important and not “a step we've moved beyond”, or whatever the phrasing was.
If you want WS-* to work, you can use Windows on both ends, pay IBM consultants a fortune, or use ID-WSF. Or more likely just reinvent it again. But people should read it so they know what to reinvent.
I fully expect more convergence around profiles of WS-* specs and SAML assertions to come about, but in the meantime, these aren't competing efforts. We're just not willing to wait for the tidbits of interop some vendors are willing to let us have.