So much is happening in the identity discussion it's hard to keep up with it. Through the miracles of ping-back I came across The Undevelopment Blog by Dmitry Shechtman, and this posting on a new proposal called Identity Manager:
It seems like the OpenID community is currently bothered with the following two questions:
- OpenID facilitates phishing. What can be done about this?
- FireFox 3.0 will have CardSpace and OpenID support. What does that mean?
I addressed the OpenID phishing problem even before it became wildly discussed. Unfortunately, the method wasn’t foolproof, to say the least. Several other suggestions have been brought up, but none seemed to solve the problem without making OpenID unusable.
Kim Cameron of Microsoft has been repeatedly promising to elaborate on how CardSpace and OpenID could converge. Although he has yet to keep his promise, we can make an educated guess. We recently saw the FireFox extension Identity Selector act as an in-browser OpenID-to-InfoCard bridge. That is definitely something CardSpace folks would love to see as a standard browser feature, since it would effectively turn an OpenID into nothing more than a fairly insecure InfoCard.
Of course, OpenID could simply dismiss CardSpace (I was trying to get into the average kool-aid drinker’s shoes). Or it could very well learn from it. The CardSpace UI seems very intuitive:
- A Sign In button on a website
- An identity selection dialog
- Seamless secure login
This is exactly what OpenID needs in order to become both widely used and insusceptible to phishing. And since CardSpace planned support is now a reality, why shouldn’t OpenID be integrated? This is no trivial requirement, but one that can be met with some additions to the browser logic.
The combination of UI and business logic outlined in this proposal is dubbed Identity Manager. The proposal uses informal language (should, must, be and do are used interchangeably); handle with care.
Whenever a web page presents an OpenID sign in option, the OpenID field and the Sign In button are replaced by a single OpenID Sign In button. Moreover, separate OpenID Sign In and CardSpace Sign In buttons are replaced with a Secure Sign In button.
Once such a button is pushed, an Identity Manager window is presented with a list of the user’s identities — OpenIDs, InfoCards or both, depending on what the relying party accepts. The user must be able to decline; we treat this case as trivial. The user must be able to make a persistent selection (e.g. a checkbox with the text Always use this ID for example.com).
(Dmitry's piece continues here…)
I would never characterize OpenID as “nothing more than a fairly insecure infocard”. It is a system where the root of trust is defined to be control over the content at a URL. Folks, this is innovative. I like it as what I call an “underlying identity system” that should live within the identity metasystem. Given its theoretical starting point in terms of trust, OpenID has the security characteristics, good and bad, of the Internet which it harnesses in the name of identity. That makes it very exciting, especially for bottoms up use cases involving public personna.
But “exciting” doesn't mean “good for every purpose.” OpenID won't replace all other forms of digital identity!
Is it necessary to explain further?
I'm fine with blog comments being associated with my URL. But I don't want access to my bank account to be gated by nothing more than the ability to set the header in what a system thinks is https://www.identityblog.com (I'm thinking here about all the potential attacks on DNS as well as the ways in which third parties could gain unauthorized access to my page).
My site is hosted by the good people at http://www.textdrive.com. As administrators of the shared systems there, they could certainly, for example, gain access to my pages.
Are their employees bonded? Do they practice strict separation of duties for access to web pages? Do they have HR practices that will protect them from organized crime? I don't think so! And if they did, wouldn't they turn into the world's most bureaucratic mess as a web hosting service? Their flexibility and personal touch is what makes them so good. I like them just as they are, thank you very much.
So it all comes back to the Laws of Identity. There will be a pluralism of providers and technologies, optimal in different use cases. And, as the potential phishing attacks demonstrate, there remains the requirement of giving users a consistent and controlled experience across these multiple systems.
My conclusion?
Combine CardSpace (insert your favorite replacement identity selector here) with OpenID and you have the best of both worlds. You have the web-based identity system. You have a consistent anti-phishing user experience. And you have continuity between OpenID and other underlying systems in a metasystem. Wouldn't we all want this?
As Dmitry reports, I have promised to share my own technical ideas about how to move forward but haven't come through on my promise yet. So I'm going to do that now. One idea is very simple (and effective) – I'll start with that. The second is in many ways more interesting (at least to me) but I need to explain a bit more about managed cards before I get to it.