It was an interesting few days of discussions at IIW this week in Mountain View. The event brought together individuals who have been passionate about driving user-centric identity for many years, as well as some of the newer players in the space who bring a more corporate perspective and are trying to balance business model with user control.
At a high level, there was much continued discussion of the concept of personal data stores (PDSs), which would be completely controlled by the End User and fully portable. Two key challenges remain with this vision: 1) the major identity providers who have the critical mass of users and data, such as Facebook, Twitter, Yahoo, Google, PayPal, etc., do not (yet) interoperate or provide the End User with a copy of their data, and 2) there is no obvious business model for PDSs that doesn’t include these providers.
At a more technical level, our team had the following key takeaways:
- Google is continuing to do great UX research in the authentication space, and they are toying with the idea of coding the identity selector concept directly into their login page to help users choose the identity they’d like to use to access Google properties.
- OAuth + Standards: There remains LOTS of discussion and opinion about the OAuth 2.0 specification. Some companies (most notably Facebook) have already implemented OAuth 2.0, while many people feel the OAuth 2.0 draft still needs work. Some discussions touched on using OAuth 2 together with SAML, and others on using OAuth 2 for native apps. But for all of these standards, one person noted, there is always a tension between ease of implementation and security.
- OpenID Connect and OpenID Artifact Binding (AB) may converge at some point, but not in the short term.
- The goal is for JSON Tokens to support integrity checking; integrity checking and confidentiality; non-repudiation; non-repudiation and confidentiality; and authenticated public key encryption.
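To make the first and third of those goals concrete, here is an added example (not code from this post, nor from any of the vendors or the JSON Token drafts discussed at IIW) of an integrity-checked JSON token in Python. It uses the compact header.claims.signature layout the later JWT drafts settled on, with an HMAC-SHA256 over the first two segments; the key, issuer name and claim values are constructed for the illustration. The verifier pins the algorithm and compares MACs in constant time, and the last function shows why an HMAC gives integrity but not non-repudiation: the relying party holding the shared key can mint a valid token itself.

```python
import base64
import hashlib
import hmac
import json

# Header for the integrity-only variant. "HS256" = HMAC with SHA-256 over the
# base64url(header) "." base64url(claims) string.
HEADER = {"typ": "JWT", "alg": "HS256"}


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as the JSON token drafts specify."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON, then base64url, as one dot-separated token segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_hmac_token(claims: dict, key: bytes) -> str:
    """Integrity-protected token: header.claims.mac. The claims are only
    encoded, not encrypted, so anyone can read them; the MAC only detects changes."""
    signing_input = _segment(HEADER) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def issue_unsigned_token(claims: dict) -> str:
    """Same layout with alg 'none' and an empty MAC: the kind of token a
    verifier that trusts the header's algorithm would wrongly accept."""
    return _segment({"typ": "JWT", "alg": "none"}) + "." + _segment(claims) + "."


def verify_hmac_token(token: str, key: bytes):
    """Return the claims if the token is well formed and its MAC verifies, else None."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm: the header is attacker-controlled until the MAC
        # checks out, so the verifier, not the token, decides what 'alg' is.
        if not isinstance(header, dict) or header.get("alg") != HEADER["alg"]:
            return None
        expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: an early-exit byte compare leaks the MAC via timing.
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(c))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None


def relying_party_can_forge(key: bytes) -> bool:
    """A verifier that holds the shared MAC key can mint valid tokens itself, so an
    HMAC token gives integrity but not non-repudiation; that needs a public-key
    signature the relying party can check but not produce."""
    forged = issue_hmac_token({"iss": "idp.example", "sub": "mallory"}, key)
    return verify_hmac_token(forged, key) is not None


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key, not a real one
    token = issue_hmac_token({"iss": "idp.example", "sub": "alice"}, key)
    print(token)
    print(verify_hmac_token(token, key))
    print(verify_hmac_token(issue_unsigned_token({"sub": "mallory"}), key))
    print(relying_party_can_forge(key))
```

The confidentiality goals in the list are a separate layer on top of this: the claims segment above is readable by anyone who sees the token, so a token that must hide its contents needs encryption of the claims, not just a MAC over them.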
Adding links to other posts as they emerge:
- Mike Jones’ notes from the #IIW session with Microsoft, Google, et al. on the JSON token standard that will inevitably affect OAuth 2
- IIW workshop official notes
- IIW Fascinates Me by Darius Dunlap, November 11th
- IIW OAuth Enterprise BOF: Session Management by Phil Hunt, November 10th
- Internet Identity Workshop #11 by Franco Travostino, November 8th
- Google, Dogs, ponies and relying parties by John Fontana, November 8th
- WS-Trust and SAML and OAuth, oh my! by Pat Patterson, November 4th
- Monica Wilkinson’s Activity Streams 101 session at IIW, as told by Kevin Marks, by Mark Krynsky, November 10th
- Internet Identity Workshop Wrap Up by Jan Rain, November 5th
- Essential Characteristics of a Personal Data Store by Phil Windley, November 2nd
- Activity Streams 101 Session at IIW by Monica, November 2nd
By Kevin White