Progress Report toward Independent Identity
Last September's cover story examined the Identity Metasystem, proposed by Kim Cameron and his team at Microsoft, in support of personal identities that are independent of any vendor's silo. Microsoft's inaugural member of the Identity Metasystem is an identity selector called InfoCard and is due for inclusion in Vista when that operating system arrives in 2007. (It will be back-implemented for XP as well.)
Since then, the Identity Gang has grown in number, and it has held a series of meetings and workshops where progress has been dramatic and encouraging. In a meeting at Harvard in December 2005, Paul Trevithick of Social Physics introduced Higgins, a framework for building user-centric identity-enabled services. At the Internet Identity Workshop in January 2006 in Berkeley, creators of OpenID, LID and XRI/XDI joined various pieces to create Yadis: a new and simple combined lightweight identity system. At the Mountain View IIW in May 2006, a large conference room was packed with participants from Red Hat, Higgins, Identity Commons, XRI/XDI, the IETF, LID, Novell/SUSE, VeriSign, Tucows, OpenID and other interested parties, to engage Kim Cameron and Mike Jones of Microsoft—and to talk about open-source implementations of InfoCard.
That conversation has since been formalized in a series of phone calls and a mailing list called OSIS (Open Source Identity Selector). A report on the first of the weekly OSIS conference calls began with this:
We reaffirmed that the initial goal of the project is to build InfoCard selector implementations for non-Windows platforms that are compatible with the Microsoft implementation, with targets possibly including GNOME, KDE, Mac and mobile devices.
We agreed that the goal is to move quickly, enabling deployment of interoperable implementations by the time that Windows Vista ships.
Since then, progress has been so rapid and varied (within and between different participants) that it's hard to follow exactly what's going on. When I asked Paul Trevithick to summarize it for Linux Journal readers, he wrote back:
The situation is extremely fluid. The Red Hats, Novells, independents and others are all bouncing around trying to understand what's really going on.
There are now at least three efforts afoot that as either a total or a partial goal include creating an open-source capability to interoperate fully with Microsoft's InfoCard system and especially the specific ways that it uses WS-Trust and related protocols:
1) OSIS: effort appears to be defined as a clone of Microsoft's InfoCard software but for Mac and Linux.
2) Higgins: one of the highest priorities is to provide full interoperability with Microsoft's InfoCard and thereby to provide equivalent functionality on non-Windows platforms. (Higgins also has goals that are beyond authentication and security, and it will support other protocols.)
3) The UNC Lab of Information Integration, Security and Privacy Project (www.sis.uncc.edu/LIISP) under Dr Gail-Joon Ahn, which was presented at IIW2006.
...and there may be others. Kim has stated that Microsoft will provide technical support to any and all groups to enable them to achieve interoperability.
Two additional points. First, Dr Ahn's implementation is ready in advance of Microsoft's own. (To an enthusiastic reception by Microsoft folks at the May 2006 IIW, where the system was demonstrated.) Second, I know of at least one commercial InfoCard-compatible implementation, which should be ready by the time this issue is published.
Phil Windley, author of Digital Identity (O'Reilly, 2005) and an organizer of the Internet Identity Workshops, said:
For us to have a metasystem, we need identity selectors for Linux desktops, Macs and other platforms. It's impressive that the identity community accepts Kim Cameron's vision—that there needs to be interoperability. It's Kim's political acumen that enables this. He just put out the Laws and said, “Here's a system that obeys these, and it's open.” It's important that InfoCard isn't Microsoft Kool-Aid. If Microsoft stopped, all this other stuff could keep working.
I've been impressed, all through this process, at how committed all these different development projects are to staying open toward each other, in the general directions where they might converge. For example, InfoCard and Yadis are solutions to different problems, yet there are design decisions both communities can make today that will be interoperable at some point in the future when their uses overlap.
As we know too well, being open source doesn't prevent market-halting incompatibilities and failures to interoperate. Why, other than adherence to principles of niceness, are all these projects working to keep things from breaking as they grow in converging directions?
Phil Windley says there may be a couple of subtle reasons. First, “Sometime early last year, the competing participants got to the point where they said, 'We don't have to be enemies. We can work together.'” Second:
Some of the developers realized that relying parties—say, any Web site that has to rely on an identity credential from an identity provider—don't have to support different systems. It's the identity provider—the Amazons and Googles and eBays of the world—that will have to play in all those systems, if they want to be in the game. They have the incentive, as well as the ability, to interoperate. If you're Amazon, and want your customers' identities to be useful across a lot of Web sites, you have an incentive to interoperate. Now look at it the other way around. If the relying parties needed this, and not the identity providers, interop would always be “someday”.
Instead, I think we're likely to see user-centric “independent” identity in widespread use sometime in the next two years.
Doc Searls is Senior Editor of Linux Journal.