In Context

October 12, 2009

Attributes First

Filed under: — paul @ 12:00 pm

RPs are the most important actors. Open identity technologies (OpenID, Infocard, SAML, etc.) will only succeed as websites and apps (aka Relying Parties) adopt them. And since by definition the concept of open identity involves reuse of existing accounts from external identity providers, there will always be more RPs than providers.

RP developers aren’t identity experts, so we need to create libraries and web services that make it as easy as possible for them to implement all this stuff. This has been widely recognized. But another factor in making open identity tech RP-friendly is to make sure that these libraries, etc. support the semantics that are natural from the RP’s point of view.

What RPs want. An RP wants to rely on some attributes from an external source. Sometimes they only want a single identifier attribute (e.g. Google OpenID). Sometimes they want more (e.g. the institution that you are a student of, etc.).

Of course the authority asserting the attribute is also important. But this varies by attribute. For example, an RP site may be perfectly fine letting the user self-assert a “ship to” address, or self-assert an email address to send a confirmation to. Whereas they’d like a third party like the city fire department to be the provider of an attribute that states that this user is a registered fireman and thus should be allowed to have access to a federal first responder portal.

Attribute request semantics. If this is what RPs want, then they should be able to express their desires in a natural way. A list of attributes with some extra fields would seem to make sense. How about a list of attribute request tuples each of which holds:

  • Attribute – e.g. email, age > 21, GPS location, first name, employer…
  • Optional – whether the RP merely desires this attribute or requires it
  • Authorities – list of authorities that the RP trusts for this attribute (if nil, then self-asserted data by the user is fine). This is essentially the RP’s white list.
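To make the tuple concrete, here is an added example (not code from the original post) of an RP expressing its request list as data and checking a set of presented claims against it: each request names the attribute, whether it is optional, the authorities on the RP’s white list (empty meaning self-assertion is acceptable), and an optional value predicate such as “age > 21”. The issuer identifiers (urn:example:…) and the claims are constructed placeholders; the evaluation also shows a self-asserted “first responder” claim being rejected because the fire department is the only trusted authority for it.

```python
"""Attribute-first RP request evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional

SELF_ASSERTED = "self"  # constructed issuer label for claims the user asserts about themselves


@dataclass(frozen=True)
class AttributeRequest:
    """One tuple from the RP's request list."""
    name: str
    optional: bool = False
    # Authorities the RP trusts for this attribute (its white list).
    # Empty means any source, including the user's own assertion, is acceptable.
    authorities: tuple = ()
    # Optional check on the value, e.g. "age > 21".
    predicate: Optional[Callable[[object], bool]] = None


@dataclass(frozen=True)
class Claim:
    """One attribute as presented to the RP."""
    name: str
    value: object
    issuer: str


def claim_satisfies(req: AttributeRequest, claim: Claim) -> bool:
    """True if the claim fulfils the request: right attribute, trusted issuer, value passes the predicate."""
    if claim.name != req.name:
        return False
    if req.authorities and claim.issuer not in req.authorities:
        return False  # issuer is not on the RP's white list for this attribute
    if req.predicate is not None and not req.predicate(claim.value):
        return False
    return True


def evaluate(requests, claims):
    """Check presented claims against the RP's request list.

    Returns (accepted, satisfied, missing): accepted is True only when every
    non-optional request has a satisfying claim; satisfied maps attribute name
    to the claim that fulfilled it; missing lists required attributes that had
    no acceptable claim.
    """
    satisfied = {}
    missing = []
    for req in requests:
        match = next((c for c in claims if claim_satisfies(req, c)), None)
        if match is not None:
            satisfied[req.name] = match
        elif not req.optional:
            missing.append(req.name)
    return (not missing, satisfied, missing)


# Constructed RP request list; the issuer identifiers are placeholders.
GOV = "urn:example:state-dmv"
FIRE_DEPT = "urn:example:city-fire-department"

RP_REQUESTS = [
    AttributeRequest("email"),                                 # self-asserted is fine
    AttributeRequest("ship_to", optional=True),                # nice to have, any source
    AttributeRequest("age", authorities=(GOV,), predicate=lambda v: v > 21),
    AttributeRequest("first_responder", authorities=(FIRE_DEPT,)),
]

# Constructed claims: the user self-asserts "first_responder", which the RP does not trust.
CLAIMS_SELF_ASSERTED_BADGE = [
    Claim("email", "alice@example.com", SELF_ASSERTED),
    Claim("age", 34, GOV),
    Claim("first_responder", True, SELF_ASSERTED),
]

# Same user, but this time the fire department issued the badge claim.
CLAIMS_ISSUED_BADGE = CLAIMS_SELF_ASSERTED_BADGE[:-1] + [
    Claim("first_responder", True, FIRE_DEPT),
]

if __name__ == "__main__":
    scenarios = [
        ("self-asserted badge", CLAIMS_SELF_ASSERTED_BADGE),
        ("issued badge", CLAIMS_ISSUED_BADGE),
    ]
    for label, claims in scenarios:
        accepted, satisfied, missing = evaluate(RP_REQUESTS, claims)
        print(label, "->", "accepted" if accepted else "rejected", "missing:", missing)
```

Because the white list is attached to each attribute rather than to the request as a whole, a single request can ask for age from the government and a badge from the fire department, while still taking the email address from the user directly; the RP never has to trust one provider for everything.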

Mismatch. Do OpenID, Infocard etc. allow the above semantics to be expressed? The short answer is no. In essence, we can’t express things from the point of view of the RP.

Moving forward. The attributes first principle has grown out of a growing recognition of the critical role RPs play in the adoption of open identity technology. It now influences my thinking about RP identity infrastructure, and is being incorporated into our thinking about “next gen” selectors.

1 Comment »

  1. Paul, I agree with you.
    If you speak infocard, the current specification of how the RP asks for claims is not satisfying. In the use cases we work on, it makes sense to ask for the age coming from the government and the bank details coming from …your bank! And all this in one request, please. RPs don’t want identity selectors popping up two or three times to complete an online transaction.


    Comment by Olivier Maas — October 13, 2009 @ 9:54 am
