Identity in the Browser (IDIB) – More Complexity than Meets the Eye
A few days ago, I mentioned that Identity in the Browser (IDIB) was emerging as an interesting Identity Management topic. After following a somewhat spirited internal email thread on the subject, I compiled a list of twenty issues that should be addressed as this topic is explored:
- Can a general approach be defined that would work in all the commercial browsers?
- Impact on mobile web, not just desktop/laptop web
- Ease of use for broad range of Internet users
- Security of authentication process
- Phishing resistance
- Security of browsers as a focal point for Identiy
- How does this support cloud computing
- Use of or interaction with standards or emerging standards 9e.g. SAML, OpenID, OAuth)
- Hosted vs. client-based Identity selectors
- Support for multiple identities or personae
- Support for multiple identity providers
- Matching what service providers (SP) want with what Identity providers (IP) and attribute providers (AP) can deliver
- Accommodating self-registered and organization-registered identities and attributes
- Complexity issues with federation (e.g. multiple sessions, timesouts and logouts)
- Policy enforcement across multiple organizations and entities
- Audit/compliance/governance
- Applicability of certificate based authentication
- Impact on InfoCard/CardSpace approach
- Impact on Higgins approach
- Licensing fees for use of specific technologies
I’m sure this list isn’t exhaustive, nor is it even prioritized. It does illustrate, however, that any new approach must cover much ground if it is to be effective.
It will be interesting to monitor progress as these topics are discussed in more detail.
Technorati Tags: IDIB, Identity, Identity Management, Digital Identity, Browser
For an example of Identity in the browser see my post on doing this using foaf+ssl in the iPhone
http://blogs.sun.com/bblfish/entry/howto_get_a_foaf_ssl
You can’t get simpler user interface wise.
As it uses well established open standards, such as TLS and foaf, which have no licencing issues as far as I know, are widely implemented and implementable, a lot of your above problems are dealt with. It works well with OpenId as I mention in another post of mine
http://blogs.sun.com/bblfish/entry/join_the_foaf_ssl_community
It is very simple on the client side, though it requires more on the server (and even that can be serviced somewhat).
It also has the advantage over a number of other such services that it is fully distributed, making it therefore idea for cloud computing services.
Comment by Henry Story on April 7, 2009 at 2:40 amOops, the first link above is pointing to what is perhaps the more complex piece of what needs to be done – though this could be simplified by adding support for the <keygen> tag to the Safari browser on the iPhone. In any case that needs to be done only once.
The easy part I wanted to point to is this:
http://blogs.sun.com/bblfish/entry/one_click_global_sign_on
Comment by Henry Story on April 7, 2009 at 3:04 am