In Context

April 21, 2010

The end of the beginning

The open identity landscape today is semi-organized chaos. At an organizational level it is perceived as Kantara vs. ICF vs. OIDF vs. OIX vs. Identity Commons vs. …. At a tech level it is perceived as OpenID vs. I-Cards vs. SAML vs. passwords vs. OpenID vNext vs. OAuth vs. UMA vs…. Some have buzz. Some have security. Some have maturity. There’s been lots of great work, and lots of progress. But all the same, we’re at an inflection point.

What our experience with open tech has taught us is that no single approach can address all of the use cases, security levels, levels of convenience, etc. The fact that both OpenID and I-Cards are underway with next-generation efforts that will introduce at least some breaking changes speaks for itself. And username/password isn’t going away either. Heterogeneity is here to stay.

Let me illustrate. If you just look at authentication, ignore hardware-based solutions, and look at cost (where cost means the hard dollar cost per user that an organization will have to pay, including help desk, user education, systems integration, operating costs, fees, etc.) plotted against the level of security required, my intuition is that the tradeoffs look roughly like this:

Or here’s another way to frame the issue. Different tech is suitable for different “volume” vs. long tail use cases:

If you need a third perspective, consider certification and the need for trust frameworks. The OIDF and ICF both jointly created the OIX organization to meet this (clearly cross-protocol) need. Yet there is still confusion about how this relates to Kantara’s IAF. Clearly certification and trust frameworks cut across the existing lines. Every technology needs a certification listing service. Every technology needs interoperability testing.

Based on just these examples of cross-cutting realities, I contend that most of the non-profits as we know them have outlived their usefulness in their current form:

  • High overhead. Each spends money duplicating the resources, executive directors, infrastructure, etc. The result is that less work gets done promoting, say, OpenID, than it could otherwise.
  • Lack of coherent messaging. In the enterprise market, for example, the louder each non-profit shouts the more the buyers sit on the fence and say “let’s wait and see which cat emerges from the bag.”
  • Poor and inconsistent UX. The user experience of each isn’t great. Try putting two or three together and the result is nonsensical.
  • Not enough focus on relying parties. Relying parties are who adopt this stuff. We need clear messaging and we need great enabling libraries and services. After all, Janrain can only do so much!

The next step is consolidation

Creating a new consolidated non-profit for open identity that would combine existing groups and thereby create something quite different and new is an obvious and unoriginal idea. The question, as ever, is one of timing. Is now the moment? Kantara tried to pull this off a couple years ago, but that was too early. As my fellow board members on the ICF can attest, my sense of timing on this topic is too hurried. But all the same I can’t shake the feeling that now is the time to try to make some kind of progress. So I continue to have private conversations with friends and colleagues.

To protect the innocent I won’t name names, but I get generally supportive reactions. A recent plum was, “Good idea Paul, we’ll sit on the sidelines and watch you run around getting arrows in your back; we might even pull one out for you.”  For the moment and the record, I’m doing this without being duly authorized by Identity Commons, ICF, Kantara, or any other board I sit on.

Beyond reducing duplication and waste the most compelling argument for NewCo (what Bob Blakley might call IDTBD 2.0) is that we have no place to work on critical projects including:

  • Cross protocol analytic framework (and common messaging). We need an analytic framework that helps RPs decide what open technology is right for what use case, cost target, LOA, etc. For example, I think we need a project team put together that takes my sketch of cost vs. security and calibrates it to actual “all in” costs and security levels by studying real world deployments. Let’s move away from the religious wars over whose tech is better.
  • A consistent UX across technologies. The Kantara ULX group is doing good work but lives in a silo beside the OIDF’s efforts.
  • A set of cross-protocol RP libraries and enabling technologies.
  • R&D on active clients. A consensus has emerged. An active client has to build on, and work with, OpenID (and other protocols) and not compete with it (or them). I think an active client must also be a password manager. An active client must be optional; things should work without it and work “better with” it. The ICF is supposed to support active clients, yet work on OpenID v.Next goes on at the OIDF. This makes no sense to either organization.

Lastly, from a marketing point of view a startling amount of energy would be created by consolidating several websites into one. Of course true alignment will take years, but the perception of alignment even if we just start at the top would be powerful.

1 Comment

  1. I think that if you take account of http://esw.w3.org/Foaf+ssl you will be able to move your Client Certificate from the top right to the top left, probably to the left of icard. Creating a Web ID is as cheap as clicking a button. See the video on http://webid.myxwiki.org/


    Comment by Henry Story — June 9, 2010 @ 1:04 pm
