My friend Farhang Kassaei summarizes Ashish Jain's Paypal Identity Services talk. Farhang raises an important concern (emphasis added):
Too often people responsible for building an identity provider argue endlessly about the merits of protocols, compare OpenID to OAuth and talk about how complex SAML is. In the process they miss the much bigger point: what matters is the quality of identity provided, not the means by which it is provided.
Who cares how it's delivered if the payload is unreliable data?
The reality is that what's needed in computer security is not new standards but better integration and engineering. What matters about, say, SAML is not digital signatures, message encryption, and so on. Those have been around for decades. What matters about SAML is that it's better integrated with relying-party code like web apps and Web services, and with identity providers.
But even here the integration is the beginning, not the end. The integration itself needs to be to something with reliable qualities.
Take Kerberos: it was built in the 80s, but as anyone who tried to deploy it in Unix environments in the 90s knows, it took decades of incremental engineering improvements to get to where Active Directory can be operated by non-guru IT folks. As much as the industry chases the latest and greatest protocols and standards, without integration and engineering to authoritative IdPs and RPs, those dogs won't hunt.
Gunnar,
"What matters is the quality of identity presented"
In what terms?
The first thing security people need to remember is that "identity" is not of necessity what humans traditionally consider "identity" (i.e. of a person).
There are three broad aspects to identity:
1, Access.
2, Consistency.
3, Traceability.
The "access" aspect is to an object, service or role; it is what is actually being controlled with most identity systems. Thus I could (if the politicos allowed) have an anonymous bank account with a reasonable degree of security, I could anonymously get access to various services such as private health care, or I could be a person who is carrying out a role either individually or as one of a number of people trusted to carry out the role. In no case does my actual human identity as a person actually have a need to be known, and there may be good reason for this.
The "consistency" aspect is a little more subtle and it is used to ensure the linkage of "access" over time. For instance I might generate a self-signed public key that I link to an anonymous name "Fred3r1c" that I use for posting to a moderated blog. The blog moderator does not need to know who I am or even be able to get in contact with me; the anonymous public key just ensures that it is really the person who controls the anonymous name who is making the post. Thus the moderator may choose, because of my past good behaviour, to allow my postings through without moderation. It also ensures that as a poster no posts are falsely attributed to my anonymous name, thus readers can have faith in the consistency of what I might have to say.
The third aspect, "traceability", is where the real issues occur. As an individual I actually have many roles and sometimes different names, that is "husband", "father", "Club accountant", "Business director", "Contractor", "Employee", "tax payer", "insurance purchaser" etc.
All of these roles can and often should be separate, and there is no requirement (other than political) for them to be linked together. However the actions carried out should be auditable back to me as the role holder who carried out the action. But importantly it should not be possible to cross-link one role to another; they should be entirely separate in the majority of cases.
That is, as an employee of company X I should not be linked to the company's bad debts or other misfortunes if I was not (nor could be) responsible for them. Likewise any choice I make as the club accountant (if legal etc) should not be linkable to my employer or business partners etc.
Most identity systems fail miserably in this aspect as they often serve as "single sign on" and thus can be linked and made traceable by third parties over whom as an individual I have little or no control.
Likewise things like web browsers and Email client software have little concept of roles and the contexts pertaining to them.
Until humans learn to distinguish between the person and the role, most identity systems will have a myriad of hidden issues and failings.
For instance I should in a web browser be able to browse under a role, that is all cookies and other (known) identifying issues should be constrained to the context of that role and not visible in other roles or their contexts. Obviously I should be able to have several contexts open at the same time (different tabs or windows) with each context clearly identified via a colour or other easily identifiable heading etc.
Posted by: Clive Robinson | November 14, 2010 at 09:24 AM
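The "consistency" mechanism Clive describes above, a self-generated key bound to a pseudonym so a moderator can tell that a post really comes from whoever controls that name, as an added example that is not part of the post or the comment. It assumes Ed25519 (the comment names no algorithm), a toy in-memory registry that binds a name to the first key presented under it, and the pseudonym "Fred3r1c" from the comment; the moderator learns nothing about the person behind the name. The name is included in the signed bytes so a signature cannot be replayed under a different pseudonym, and a separate key pair per role is what keeps roles unlinkable in the registry, which is the "traceability" separation the comment asks for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry maps a pseudonym to the public key first presented under it
// (hypothetical toy registry). The moderator only ever sees the name and
// the key, never who holds the key.
type Registry map[string]ed25519.PublicKey

// Post is a submission under a pseudonym, signed by the key behind that name.
type Post struct {
	Name      string
	Body      []byte
	Signature []byte
}

var (
	ErrNameTaken    = errors.New("pseudonym already registered")
	ErrUnknownName  = errors.New("pseudonym not registered")
	ErrBadSignature = errors.New("signature does not verify under the key registered for this pseudonym")
)

// NewIdentity makes a fresh key pair for one pseudonym or role. Holding a
// separate pair per role is what keeps the roles unlinkable at the registry.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register binds a name to a key on first use (first come, first served).
func (r Registry) Register(name string, pub ed25519.PublicKey) error {
	if _, taken := r[name]; taken {
		return ErrNameTaken
	}
	r[name] = pub
	return nil
}

// signedBytes binds the pseudonym into the signed message behind a domain
// separator, so a signature cannot be replayed under a different name.
func signedBytes(name string, body []byte) []byte {
	prefix := fmt.Sprintf("blogpost-v1\x00%d\x00%s\x00", len(name), name)
	return append([]byte(prefix), body...)
}

// Sign produces a post under name using the poster's private key.
func Sign(name string, body []byte, priv ed25519.PrivateKey) Post {
	return Post{Name: name, Body: body, Signature: ed25519.Sign(priv, signedBytes(name, body))}
}

// Verify is the moderator-side check: the post is accepted only if it
// verifies under the key that was registered for the pseudonym.
func (r Registry) Verify(p Post) error {
	pub, ok := r[p.Name]
	if !ok {
		return ErrUnknownName
	}
	if !ed25519.Verify(pub, signedBytes(p.Name, p.Body), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := Registry{}
	pub, priv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	if err := reg.Register("Fred3r1c", pub); err != nil {
		panic(err)
	}
	good := Sign("Fred3r1c", []byte("first post"), priv)
	fmt.Println("genuine post:", reg.Verify(good))

	// Someone else tries to post under the same name with their own key.
	_, otherPriv, _ := NewIdentity()
	forged := Sign("Fred3r1c", []byte("not really Fred"), otherPriv)
	fmt.Println("forged post:", reg.Verify(forged))

	// Editing the body after signing also fails verification.
	tampered := good
	tampered.Body = []byte("first post (edited)")
	fmt.Println("tampered post:", reg.Verify(tampered))
}
```

The registry never asks who is behind "Fred3r1c", which is exactly the point: the moderator can grant the name a reputation (say, unmoderated posting) and readers can trust that posts under it come from one key holder, without anyone being able to connect that name to the holder's other roles unless the holder reuses the key.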