There has been some confusion on what is meant when we talk about how user-centric identity provides “scale”. In order to easily operate at Internet Scale, an identity system ideally should allow:
- someone to setup an Service Provider without coordinating with third parties
- the user to use one Identity Agent today, and another tomorrow
- the user to acquire claims from many Identity Issuers and present them to any Service Provider
In order to do the above, the following follow from the above:
- separation of Identity Provider into Identity Agent and Identity Issuer
- the Service Provider and the Identity Agent don’t have a relationship prior to or post the transaction
- the Service Provider trusts the Identity Issuer that issued a claim, but the Identity Issuer may have no knowledge of the Service Provider
- the users identifiers are independent of Identity Agent
A big benefit that comes from this is:
- user has control over when identity data flows, and choice of Identity Agent
Let me know what you think!
As I have thought many times since experiencing Dick Hardt’s talk on the subject at OSCON 2005, it sounds almost too good to be true / possible.
The whole point is summarized in the benifit you list – the user has control and can choose the Identity Agent he trusts.
Should Google one day choose to go this way many would undoubtedly choose them as their Identity Agent. Just a thought.
It would be great if Google chose to be people’s identity agent. Many people have wanted to leverage the Google accounts on their sites. Another benifit of Identity 2.0 is that it is a useful tool in fighting phishing.
Sounds right. One question: Do you need to seperate the concept of Identity Provider and Identity Agent. I understand that Identity Provider/Agent and Identity Issuer need to be seperate concepts. Also, I’m new to this discussion and am curious if there are any implementations of sxip occuring in .Net?
BTW, my first impressions of sxore can be summed up as "It rocks hard, Dick".