Hi Melvin, 

On Oct 4, 2012, at 4:49 PM, Melvin Carvalho wrote:

> I think the aim is to have an identity system that is universal.  The web is 
> predicated on the principle that an identifier in one system (eg a browser) 
> will be portable to any other system (eg a search engine) and vice versa.  
> The same principle applied to identity would allow things to scale globally.  
> This has, for example, the benefit of allowing users to take their data, or 
> reputation footprint with them across the web.  I think there is a focus on 
> WebID because it is the only identity system to date (although yadis/openid 
> 1.0 came close) that easily allows this.  I think many would be happy to use 
> another system if it was global like WebID, rather than another limited 
> context silo.

I think there is a lot of confusion about the difference between identifier and 
identity. You also seem to confuse them. 

Here is the difference: 

   $ Identifier:   A data object that represents a specific identity of
      a protocol entity or individual.  See [RFC4949].

 Example: an NAI is an identifier 

   $ Identity:   Any subset of an individual's attributes that
      identifies the individual within a given context.  Individuals
      usually have multiple identities for use in different contexts.

 Example: the stuff you have at your Facebook account

To illustrate the impact for protocols let me try to explain this with OpenID 
Connect. 

OpenID Connect currently uses SWD (Simple Web Discovery) to use a number of 
identifiers to discover the identity provider, see 
http://openid.net/specs/openid-connect-discovery-1_0.html 

The identifier will also have a role when the resource owner authenticates to 
the identity provider. The identifier may also be shared with the relying party 
for authorization decisions. 

Then, there is the question of how you extract attributes from the identity 
provider and make them available to the relying party. There, very few 
standards exist (this is the step that follows OAuth). The reason for the lack 
of standards is not that it isn't possible to standardize these protocols but 
there are just too many applications. A social network is different from a 
system that uploads data from a smart meter. Facebook, for example, uses their 
social graph and other services use their own proprietary "APIs" as well. 

This is the identity issue. 

You are mixing all these topics together. This makes it quite difficult to 
figure out what currently deployed systems do not provide. 

Ciao
Hannes

