James McGovern posted a number of questions and thoughts on Federated Identity and Authorization (the most recent installment is here), and challenged a bunch of us to respond. Well, here are some answers from my point of view:
Hopefully, Johannes and Kim can tell me if Cardspace as a user interface and open ID as a protocol will be extended in the future to support authorization or should some other standards body start a similar initiative. Of course being able to specify via Cardspace the relationship between me and my daughter and whether I can see her medical records would be cool. I would assume that OpenID would support carrying XACML?
I can’t answer for Microsoft, and leave it to Kim to answer that part of the question. The thing to keep in mind about OpenID is that OpenID is an open community that has no central planner who says "this is what is on the roadmap and this is what isn’t". So I can’t answer the question about what OpenID as a community will or won’t do — nobody can. That is a feature, not a bug, by the way ;-)
What is clear, however, is that authentication isn’t very useful if it can’t be connected to authorization, and all OpenID implementations (including ours at NetMesh) have some support for authorization. There aren’t any standard protocols, however, and authorization support is still baked into applications instead of being interchangeable. Looking ahead, I would consider it entirely possible though that somebody in the community builds another Yadis service type for XACML of some kind, demonstrates how useful it is in the context of OpenID, and it moves into the OpenID process. (James, would you like to do that? That’d be really cool … the nice thing about an open-source-style community like OpenID is that anybody can innovate within it, no permission required.)
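To make the "another Yadis service type" idea concrete, here is an added example (mine, not NetMesh's code or anything the OpenID community has standardised): a relying party parsing a Yadis XRDS document and picking endpoints by service type, with the real OpenID 1.1 signon type alongside a hypothetical, clearly placeholder authorization service type. The XRDS content is constructed; only https endpoints are accepted so an attacker-supplied discovery document cannot steer the relying party to a plaintext endpoint.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SIGNON = "http://openid.net/signon/1.1"          # real OpenID 1.1 type URI
XACML_PDP = "urn:example:xacml-pdp-placeholder"         # hypothetical, NOT a standard

# Constructed sample Yadis document (not from any real identity URL).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://backup-idp.example.net/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://idp.example.net/openid</URI>
    </Service>
    <Service>
      <Type>urn:example:xacml-pdp-placeholder</Type>
      <URI>https://pdp.example.net/xacml</URI>
      <URI>http://pdp.example.net/xacml</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_services(xrds_text, wanted_type):
    """Return the URIs of services of wanted_type, best priority first.

    Yadis: use the last XRD element; a lower priority number is preferred,
    and a Service without a priority attribute sorts after all that have one.
    Non-https URIs are dropped as a defensive measure.
    """
    root = ET.fromstring(xrds_text)
    xrd = root.findall(f"{{{XRD_NS}}}XRD")[-1]
    matches = []
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        if wanted_type not in types:
            continue
        uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
        uris = [u for u in uris if u.startswith("https://")]
        prio = svc.get("priority")
        matches.append((int(prio) if prio is not None else float("inf"), uris))
    matches.sort(key=lambda m: m[0])
    return [uri for _, uris in matches for uri in uris]
```

An OpenID relying party would call `discover_services(doc, OPENID_SIGNON)` for login and, if the community ever agreed on such a type, the same function with the authorization type to find where to send an XACML request.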
To date, the discussion and more importantly the reference implementations have all been done in either Java or .NET. Should Ruby on Rails and Smalltalk become second-class citizens in this regard?
That isn’t quite true for OpenID: Ruby has been supported as a first-class citizen for some time. I haven’t heard of Smalltalk support, however.
Anyone have thoughts on how federated identity should work against RACF?
It most certainly should work with it. I personally don’t have the expertise to say how, but I think we have a customer who has actually done that integration for URL-based identity, so it presents an OpenID user experience on the front and uses RACF on the back.
Enterprises nowadays have a preference to buy vs build. So this begs the question of who in the identity space is working with … software vendors …? Or are we hoping that they [enterprise software vendors] will take their own initiative to get it themselves and simply build it in?
That is already happening in some internal projects, for basic protocol support. I would fully expect, however, that a new range of products will show up on the market that employ user-centric identity in novel ways and that do not map onto product categories as they are known today. Those new products will likely not be developed by the incumbent vendors.
Is it possible for a NON-Sun employee to tell the world why anyone would want to join Liberty Alliance if your primary business model isn’t technology? It seems as if those whose primary business model isn’t technology are outnumbered by at least twenty to one. Even the industry analysts no longer talk about the Liberty Alliance, which hints that it is no longer relevant…
Admittedly, some Liberty folks got a bit blindsided by the newer stuff that is going on, like CardSpace, OpenID, OSIS, Higgins etc. However, many of the Liberty folks are engaging in the community, are trying hard to understand why some of those technologies have popped up and what they are trying to accomplish, and how to integrate with the many good things Liberty has created already. I think we should give them credit for working hard to stay relevant, and there is no reason to believe Liberty doesn’t have a continuing role to play.