Oddly, while nothing much is happening in federation in the mass market — I’m no nearer being able to log on to one bank with another bank’s credential than I was a decade ago — there has been some progress in government systems. An example of something that has actually been working in the U.S. is FiXs, the Federation for Identity Cross Credentialing Systems. FiXs is a network of government agencies and private sector institutions that has assembled the federally-mandated interoperable authentication between the Department of Defense and its contractors. It has created a bridge between government and the companies doing business with it, ensuring that trusted credentials are issued and granted appropriate access. Javelin points to this as a prime example of an effective public/private partnership, and I wonder whether we shouldn’t look at this more bottom-up approach as a way forward. If we can somehow facilitate the growth of interoperability in limited (but potentially large) domains and then look to interconnect those domains, we may begin to assemble the kind of digital identity infrastructure that was envisaged in the early days.
So what domains could we look at for evidence that this might, in fact, be the way the world is going? Well, so far the vast majority of real-world federation roll-outs have been internal or enterprise-type deployments: organisations authenticating their users to an outsourced service provider (such as a Fidelity 401K plan, or AOL’s Radio Service). Connor says in that piece that
the time has come for federation and Single-Sign-On to be adopted in a more general fashion.
I think this too, partly because, as a consumer and citizen, I am fed up with managing multiple passwords (the traditional SSO justification), but also because our clients want to do more online, want to move services online and want to deliver more efficiently online, yet can’t in the absence of an infrastructure. Now, that infrastructure isn’t just about managing passwords: it’s about managing identities, credentials and reputation. This is where things are getting bogged down, since no consensus is emerging about how any of these should be organised and managed in a mass market.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
I have a smart card “issued” by the United States Government (really Lockheed Martin and Senture), a Transportation Workers Identity Credential. It actually got accepted instead of my driver’s license at an airport (with some cajoling). It follows FIPS 201, has an identity certificate, PIN, finger biometric and digital photo (though the last is less useful for SSO), and it could be chained to the Federal Bridge (separate story), so why can’t I use this for logging onto web sites? (I know the technical reasons, but humor me.)
The problem is that each of the schemes I have run across really seems to be a case where someone is trying to own the Federation, aka “just trust me with your data, I’m the most benign, altruistic clearinghouse you will ever run into”.
Am I just too juiced on the kool-aid? But jeez, shouldn’t some Federation start looking at what’s out there instead of trying to reinvent the credential wheel?