[PROGRAMMING] Microsoft on Identity

Found from this weekend's MSN Flash: yep, it's steam-engine time for identity. The latest is a pair of intriguing articles from Microsoft.

The first is the "Laws of Identity", an excellent analysis of what identity means in the online context and, more importantly, how identity is used in that context:


This analysis is a fine counterpoint to MS' old Passport-centric attitude, and indeed, explicitly rebuts Hailstorm in several respects. One of the major topics of the article is "Why have previous attempts at Internet-wide identity management failed?", and they don't exempt Passport from that question; indeed, one of the conclusions of the paper is that a single-source identity system can't work for all cases. This unusual openness is probably in part due to the article's close relationship to www.identityblog.com, which was apparently the source of many of the ideas -- indeed, all of the main points of the article link back to related discussions. So while there's a definite agenda, it's at least been subject to some debate.

They wind up enumerating seven Laws of Identity -- "Laws" in the sense of "it is experimentally demonstrable that breaking these laws will cause a system to fail as a global identity-management system". The analysis is subtle at times, but rings very true, hitting often-missed rules like Directed Identity: the fact that I may not want to expose the *same* identity to all viewers. It even calls out a specific "law" -- Human Integration -- that the identity system must be clear to the human users, a rule which might seem obvious but which most existing systems violate.
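To make the Directed Identity point concrete, here is an added example (not code from the paper or from Microsoft) of one way an identity provider can hand each site a different, stable identifier for the same user, so that two sites pooling what they hold cannot tell they share a user. The scheme is an assumption chosen for illustration: an HMAC-SHA256 over a normalized relying-party name and the provider's internal user id, keyed with a secret that never leaves the provider. The `IdentityProvider` class, its method names and the sample users are constructed here; the same idea appears in later standards as "pairwise" subject identifiers, but nothing below is taken from any specification.

```python
"""
Directed (per-relying-party) identifiers as one way to honour the
Directed Identity principle: each site gets a stable identifier for the
user, but no two sites get the same one.

Constructed example. The derivation (HMAC-SHA256 over
normalized_party || 0x00 || internal_user_id) is an assumption made
for illustration, not a scheme described in the paper.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def normalize_party(party: str) -> str:
    """Canonicalize a relying-party name so that 'Shop.Example ' and
    'shop.example' derive the same identifier; without this, trivial
    spelling differences would leak a fresh identifier per variant."""
    return party.strip().lower()


class IdentityProvider:
    """Hypothetical provider that issues directed identifiers."""

    def __init__(self, pairwise_secret: Optional[bytes] = None):
        # The secret stays with the provider. A site holding one
        # identifier cannot recompute the user's identifier at another
        # site without it.
        self._secret = pairwise_secret or secrets.token_bytes(32)
        self._users: Dict[str, dict] = {}
        # (normalized party, directed id) -> internal id, so the
        # provider can map an identifier back to its user at login.
        self._reverse: Dict[Tuple[str, str], str] = {}

    def register_user(self, internal_id: str, profile: dict) -> None:
        self._users[internal_id] = profile

    def directed_identifier(self, internal_id: str, party: str) -> str:
        """Return the identifier this user presents to `party`."""
        if internal_id not in self._users:
            raise KeyError(f"unknown user {internal_id!r}")
        party = normalize_party(party)
        # The separator keeps "ab"+"c" and "a"+"bc" from colliding.
        msg = party.encode("utf-8") + b"\x00" + internal_id.encode("utf-8")
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        self._reverse[(party, digest)] = internal_id
        return digest

    def resolve(self, party: str, directed_id: str) -> dict:
        """Provider-side lookup: which user does this identifier belong to?"""
        internal_id = self._reverse[(normalize_party(party), directed_id)]
        return self._users[internal_id]


def can_correlate(id_from_site_a: str, id_from_site_b: str) -> bool:
    """What two sites learn by comparing the identifiers they hold:
    True only if the provider gave both the same value."""
    return hmac.compare_digest(id_from_site_a, id_from_site_b)


if __name__ == "__main__":
    # Constructed sample data.
    idp = IdentityProvider(pairwise_secret=b"k" * 32)
    idp.register_user("u-1", {"name": "Alice"})
    shop = idp.directed_identifier("u-1", "shop.example")
    bank = idp.directed_identifier("u-1", "bank.example")
    print("same user, two sites, correlatable:", can_correlate(shop, bank))
    print("provider resolves:", idp.resolve("shop.example", shop)["name"])
```

The reverse map is what makes the identifier usable for login on the provider's side; the sites themselves only ever see the opaque digest. Note that the secret, not the hash function, is what prevents correlation: a plain hash of the party name and user id could be recomputed by anyone who guessed the inputs.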

I doubt that the analysis is comprehensive yet; it's still early days, and the subject is still subject to vigorous debate. And I'm sure that much of this is restating existing ideas. But it's a significant milestone, and well worth reading. I would bet good money that most of its main concepts will be commonplace within three years.

Towards that end, they have a second paper, outlining an "Identity Metasystem":


There are no real surprises here. About half of this is analysis, talking about the elements required to implement the Laws of Identity, and the rest describes their proposals. It's all Web Services-based; that's inefficient, but reasonably standard by now. Of course, Microsoft's agenda here is that they want everyone to buy into the general architecture so that they can race forward and implement it themselves. They're playing the standards game pretty transparently: having established the problem, they want to create a de facto standard. That seems reasonable in this case -- while it's clear that they want to play first-among-equals here, they're at least playing the game correctly this time.

I'm by no means sure how this is going to play out. But with OpenID coming in from one direction, and this Identity Metasystem from the other, it's clear that everyone is rapidly converging on agreement that *some* kind of standards need to exist for managing online identity in a decentralized way. I suspect that OpenID will be adopted much more quickly, but its intentionally limited scope will keep it from becoming any sort of universal solution. The underlying principles of the much more general Identity Metasystem seem about right, and I think they'll eventually wind up broadly implemented, whether it's through MS' WebService-centric proposal or some other...
