Musings on Digital Identity

Month: September 2007

The Popularity of OpenID and How It Relates To “Home Realm Discovery”

Andy Dale recently made a great post titled “Adopting Evolution” in which he asked the question:

Why has OpenID grabbed so much popularity while SAML, a much more mature, academically respected, ‘robust’ specification has been largely ignored by the cutting edge web 2.0 community?

I’ll encourage you to read his post for his insightful answer.

His question reminded me of another answer to the same question that I gave during the recent Concordia meeting at DIDW: OpenID solves the “Home Realm Discovery” problem that all Federation protocols face; that is, figuring out where the person’s authentication information should come from.

There are many ways this problem can be solved, many of which involve potential identity providers being pre-configured by system administrators as possible choices for specific services. Some systems have even dictated the use of a particular identity provider. OpenID’s solution to this is elegant in its simplicity: Let the user decide. When I type in an OpenID URL such as https://mbj.signon.com/ I’m telling the relying party where my identity provider for this interaction is — thus solving the “Home Realm Discovery” problem. As elegant as this is, of course, the potential downside of this solution is that it assumes that people will remember their OpenID identifiers and will faithfully type them in when a page prompts them for an OpenID.

OpenID 2.0 actually allows i-names such as =mbj or =Mike.Jones to be used as OpenIDs as well. I-names then use their own lookup protocol to discover the identity provider behind the i-name typed. This is arguably better (and is the kind of OpenID I personally use), but still relies on the user to reliably enter their OpenID identifier when prompted.
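To make the discovery step concrete, here is an added Python example (not code from this post or from any OpenID library) of what a relying party does with the identifier the user types: it normalizes the string, treats i-names and URLs differently, and, for a URL, reads the provider link from the identifier page to learn the "home realm". The hostnames, the constructed SAMPLE_HTML page and the https-only endpoint check are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def normalize_identifier(user_input: str) -> tuple[str, str]:
    # Normalize the typed identifier (simplified from OpenID 2.0 spec section 7.2).
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[6:]
    if s and s[0] in "=@+$!":  # XRI global context symbol: an i-name such as =mbj
        return "xri", s  # resolved through XRI resolution, not an HTTP fetch
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s  # a bare hostname is treated as an http URL
    p = urlparse(s)
    return "url", f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"

class _LinkRels(HTMLParser):
    # Collects <link rel="openid2.provider"> and <link rel="openid2.local_id">.
    def __init__(self):
        super().__init__()
        self.provider, self.local_id = None, None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "openid2.provider" in rels:
            self.provider = a.get("href")
        if "openid2.local_id" in rels:
            self.local_id = a.get("href")

def endpoint_is_acceptable(op_endpoint: str) -> bool:
    # Defensive check (assumed policy): an http identifier page is unauthenticated, so insist the OP is https.
    return urlparse(op_endpoint).scheme == "https"

def discover_from_html(claimed_id: str, html: str) -> dict:
    # HTML-based discovery: the page at the claimed URL names the OP, i.e. the "home realm".
    lp = _LinkRels()
    lp.feed(html)
    if not lp.provider or not endpoint_is_acceptable(lp.provider):
        raise ValueError("no acceptable openid2.provider link on identifier page")
    return {"claimed_id": claimed_id, "op_endpoint": lp.provider,
            "op_local_id": lp.local_id or claimed_id}

# Constructed sample identifier page; stands in for the RP's GET of the claimed URL.
SAMPLE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://op.example/u/mbj">
</head></html>"""
```

Calling `discover_from_html("http://mbj.example.org/", SAMPLE_HTML)` returns the OP endpoint and local identifier the relying party would then redirect the user to, which is exactly the information SAML deployments usually have to pre-configure.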

In this discussion at Concordia, others pointed out that using an Identity Selector (such as DigitalMe or CardSpace) is another means of solving the problem. Like OpenID, it also lets the user decide, but in this case, by clicking on a visual Information Card, rather than typing in a string. I personally believe that this will be an easier metaphor for many people to use once it’s commonly available than typing in an OpenID identifier.

I’ll also point out that it’s not a one-or-the-other choice between OpenIDs and Information Cards when letting the user decide. As was recently demonstrated, OpenID Information Cards can be used to deliver the OpenID identifier to the OpenID relying party, rather than having the user type it.

In conclusion, while it may seem esoteric, solving the “Home Realm Discovery” problem is essential to working digital identity deployments. And the usability of the solution chosen matters a lot. Using Andy’s terminology, I believe that OpenID’s solution to this problem both accounts for some of “the juju that OpenID has” and may result in usability problems for less technical audiences that will need to be addressed if it’s to break out beyond just us geeks.

New CardSpace Team Blog, New CardSpace Features

I’m pleased to announce two great developments. First, the CardSpace team just established a team blog. The blog will provide a direct voice for the team members to communicate about their work.

Second, on the blog they’ve started a series of posts about new features to come in the .Net Framework 3.5, which will ship with Windows Vista Service Pack 1 and be available as a free download for Windows XP and Windows Server 2003. The first post in the series describes the ability to use Information Cards at relying parties over http connections, without requiring an SSL certificate. This was a feature a number of you had asked for and the team responded.

Subscribe to the blog and read the series! Also, check out Vittorio Bertocci’s useful commentary on the no-SSL feature.

Seeing the LiveID Information Card Beta and DigitalMe in Action

Kim and I had fun with this video but we’re seriously pleased to be able to show you both using LiveID with Information Cards and DigitalMe in action together. Check it out!

DigitalMe Identity Selector for the Mac

Today Andy Hodgkinson announced a binary release of the DigitalMe Identity Selector for Mac OS X. Now Mac users can use Information Cards with just a drag-and-drop install! This release builds upon the earlier success of their binary release for SuSE Linux.

As Andy wrote: “I would encourage anyone interested in using information cards on the Mac to install DigitalMe and the Firefox plug-in.” I’ll second that. Go check it out!

Congratulations again to the Bandit team!

DigitalMe Mac screen shot
