"Loosely Coupled" reinvents Passport
The Loosely Coupled blog, authored by Phil Wainewright, published an entry on Identity as a service yesterday.
What Phil says here makes a lot of sense:
One of the things that's becoming evident as organizations deploy service-oriented architectures is that identity management (access control, user authorizations) has to be implemented as a service. Anything else rapidly becomes too unwieldy to maintain and manage as the number of discrete application services increases.
What's true within a single enterprise infrastructure surely holds true even more in the World Wide Web. But at the moment, each separate service provider (Google, Amazon.com, eBay, Yahoo!, etc.) either has its own identity management stack — if not several — or else it has none at all (e.g., every site that publishes an RSS feed).
It's true: there is a need for an open, interoperable, vendor-independent infrastructure for delivering identity which puts the user in control. This is the objective of Kim Cameron's 7 laws of identity and the identity metasystem - basically, to do for identity what TCP/IP did for networking.
But then he goes on:
That's why identity as a service is the killer app. Not as a service offered in its own right to individuals, but as a service to websites and providers that have no workable identity management infrastructure of their own to offer their users. Restricting access on a named-user basis to individual URLs — RSS feeds, screencasts, PDF files or web service URIs — is the key that would enable such sites to realize value from those assets. At present it's not a viable option because of the cost and/or hassle of maintaining their own secure identity management system. But if the site owner could sign up to a third-party identity service, and have an embedded sign-up process that meant the service provider would take care of allocating rights to the user profile and then authorizing access to the relevant URLs — perhaps with options to measure or limit usage over a certain period — it opens up a whole new world of possibilities. Make it cheap enough — no more than a dollar a month per ID — and at a stroke the fabled thousand flowers would bloom as businesses found new ways to monetize information flows and online services by restricting them to named users, whether they be employees, customers or even other websites and service aggregators.
Hmmm - Phil, haven't you just invented Passport? ;-)
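Stripped down to its mechanism, what Phil sketches is a site that owns no identity stack of its own and simply trusts signed assertions from an external identity service. The following is an added example, not code from Loosely Coupled, from Passport or from any real identity service: a hypothetical identity service enrols a user and allocates rights to URL prefixes, and a relying party verifies the assertion, checks the right, and enforces a monthly usage cap. The token format, the per-site shared secret, the class and method names (`IdentityService`, `RelyingParty`, `enrol`, `issue`, `authorize`), and the sample user, site and URLs are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed illustration of "identity as a service" (names and token
# format are assumptions, not any real provider's protocol): a third-party
# identity service enrols users and allocates rights; a content site only
# verifies signed assertions and counts usage per user per month.

MONTH = 30 * 24 * 3600  # crude month bucket for the usage cap


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityService:
    """Hypothetical identity service shared by many sites."""

    def __init__(self, site_keys):
        # One shared secret per site. A site can therefore mint tokens for
        # itself but not for other sites; an asymmetric signature would
        # remove even that ability.
        self._site_keys = dict(site_keys)
        self._rights = {}  # user_id -> set of URL prefixes the user may read

    def enrol(self, user_id, url_prefixes):
        self._rights.setdefault(user_id, set()).update(url_prefixes)

    def issue(self, site, user_id, now, ttl=300):
        """Sign a short-lived assertion of who the user is and what they may read."""
        payload = {
            "sub": user_id,
            "aud": site,                      # which site may accept this token
            "exp": int(now) + ttl,            # absolute expiry time
            "urls": sorted(self._rights.get(user_id, ())),
        }
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self._site_keys[site], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class RelyingParty:
    """A site with no identity stack of its own: it trusts the service's signature."""

    def __init__(self, site, key, monthly_limit):
        self.site = site
        self._key = key
        self.monthly_limit = monthly_limit
        self._usage = {}  # (user_id, month_index) -> requests served

    def verify(self, token, now):
        """Return the claims if the token is authentic, for us, and unexpired."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered; never look at the claims
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.site or claims.get("exp", 0) <= now:
            return None  # minted for another site, or stale
        return claims

    def authorize(self, token, url, now):
        """Decide a request for `url`; returns (granted, reason)."""
        claims = self.verify(token, now)
        if claims is None:
            return False, "invalid token"
        if not any(url.startswith(prefix) for prefix in claims["urls"]):
            return False, "no right to this URL"
        bucket = (claims["sub"], int(now) // MONTH)
        if self._usage.get(bucket, 0) >= self.monthly_limit:
            return False, "monthly limit reached"
        self._usage[bucket] = self._usage.get(bucket, 0) + 1
        return True, "ok"


def demo():
    """Enrolment, issuance and six access decisions on constructed data."""
    key = b"per-site-shared-secret"  # assumed secret, shared by service and site
    service = IdentityService({"example.org": key})
    site = RelyingParty("example.org", key, monthly_limit=2)
    service.enrol("alice", ["https://example.org/feeds/"])
    now = 1_700_000_000
    token = service.issue("example.org", "alice", now)
    # A forged assertion: attacker-chosen claims with alice's real signature.
    forged_body = _b64(b'{"sub":"mallory","aud":"example.org","exp":9999999999,'
                       b'"urls":["https://example.org/"]}')
    forged = forged_body + "." + token.split(".")[1]
    feed, report = "https://example.org/feeds/news.rss", "https://example.org/reports/q1.pdf"
    return [
        site.authorize(token, feed, now),          # granted
        site.authorize(token, report, now),        # no right to this URL
        site.authorize(token, feed, now),          # granted, second of two
        site.authorize(token, feed, now),          # monthly limit reached
        site.authorize(forged, feed, now),         # invalid token
        site.authorize(token, feed, now + 3600),   # expired, invalid token
    ]
```

Everything the site needs to know arrives in the assertion, so it never stores a password; what it does have to hold is the key, and whoever holds the key can mint tokens. That is where the shared-secret design leans entirely on trust in the issuer.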
The challenge isn't really about technology - it's about trust (which is something that Microsoft fell over with Passport and "Hailstorm"). Who is going to be trusted by the various stakeholders to actually manage identities? Government? (The UK identity card furore would suggest otherwise.) Financial services companies? (The identity theft furore around credit card data is not a good sign.) Lastly, any such solution would ultimately require co-operation between service providers, since no one organisation is big enough.