Friday, 20 June 2008

Identity Dialtone vs OpenID

Two recent posts of Mark Dixon about Identity Dialtone and eliminating gossipy cousin mabel metaphorically compare the Plain Old Telephone Service with Identity as a Service. Mark Dixon sais IaaS should follow the characteristics of POTS and that IaaS should be User-Centric.
I'm going a step further then Mark and I'm going to put the name OpenID on it an see if OpenID can match up with POTS and its characteristics.
  • Highly available :OpenID at ISPs will provide High availability
  • Highly reliable: The exisitng internet technologies (see further) are working reliable now, so will OpenID.
  • Highly standard: OpenID is an open, decentralized, free framework. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman).
  • Easily recognized: Everybody knows URLs. The OpenID-logo is easily recognizable.
  • Simple to use: Login to your Identity Provider once and start using your OpenID URL
  • Usable: It allows you to login easily. Just use your own URL.
  • Ubiqutous: Here we have a problem.
  • Critical to our daily activities: IaaS itself isn't critical yet, and this is the same for OpenID.
  • So commonplace we take it for granted: URLs are taken for granted.
The ISP could be a good replacement for the Telecom companies as it should only distribute the URLs. There is only one (pretty important) issue regarding this and that's privacy. Should your ISP be in control of all your Digital Identities?

Tuesday, 3 June 2008

Unity in multiple EU eIDs

On itprofessional.be [Dutch] I read an article about a European project to link the systems of all the member states of the EU. The result of this project will be that every citizin of a European country can use his/her eID for eGovernment solutions of a specific European country. The project is called Secure Identity Across Borders Linked and it's created by a consortium of 13 member states and Iceland.

Europe doens't want to force a unified system of eIDs but instead wants an extra layer for this to happen. The first thing that popped into my head was: Federation.

Federation can be the(and I think is the best) solution to this problem. This because it doesn't matter for the Service Provider how the authentication is done by the Identity Provider.
For example, if I would want to make use of and eGov application in the Netherlands, they could use Federation to find my Identity Provider. In my case this would be Belgium. The Netherlands redirects me to the login page of the Identity Provider Belgium. Here I can login with my eID. When the login is succesful I will be redirected back to the eGov application at the Netherlands with an assertion that I'm Stefan and I'm an authenticated Belgian :). Because of the trust relation between the member states of the EU (including Belgium and the Netherlands) the Netherlands will trust this assertion and threat me as an authenticated user.

If they choose for federation then only the eGov applications need to be aware of (some of the) federation protocols. Every member state can use it's own eID login mechanism for authentication and just redirect every other user to his corresponding country (identity provider).