Posts filed under ‘interop’
From the perspective of someone keen to see identity federation become the norm, a single federation protocol is the best thing. That allows a focus on the real challenges of federation- the business and process challenges. It relegates arcane discussions about SAML and WS-Federation to the few people who really want to talk about the nuts and bolts.
In reality, that’s probably unachievable. If nothing else, that was the biggest lesson from the ODF vs. OOXML saga.
The next best thing is true interoperability between protocols with standard products supporting multiple protocols out of the box. This doesn’t take away all the costs, complexity, and risks but is still an acceptable outcome.
The next best thing to the next best thing is a major vendor promising to move towards the next best thing. To that end, Microsoft’s announcement that the beta version of Geneva will not only support SAML 2.0 as a token format but also as a single sign-on protocol is very welcome. Geneva is Microsoft’s future identity platform, replacing ADFS (Active Directory Federation Services).
Specifically, Geneva will support the SAML 2.0 Lite/Web SSO profile. Happily enough, it will also support the US Government’s GSA profile which seems to be an attractive offering for US Government agencies.
So, come 2010 or whatever the usual announcement-to-real world deployment cycle takes, deployers of federation can increasingly focus on benefiting from identity portability rather than the underlying technical challenges.
I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.
Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflects a different approach and is very much a product of its time.
First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.
A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs (relying parties). It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.
It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.
Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.
The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon, but that also has the downside that all the current protocols must continue to be supported alongside it. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.
Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.
So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.
But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF, Liberty’s Identity Web Services Framework) capability in addition to the current browser re-direct (ID-FF, the Identity Federation Framework). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.
All in all, interesting times and much thinking…
As the last post for the year, there was a temptation to look back and reflect on the past year. All that changed after I heard a recording of Jon Udell interviewing Dick Hardt in IT Conversations. It made me realise how the real opportunities and challenges lie ahead of us, not behind.
In the interview, Dick talks about the work being done for the Government of British Columbia, Canada (BC) to develop a claims-based identity metasystem. Essentially, the work is an Identity 2.0 and Info Cards rendition of traditional government to people interactions.
New Zealand’s approach, GOAAMS delivered under the “igovt” banner, is perhaps best understood from the 2007 IDDY Award webcast. Both the slides and the webcast recording (needs WebEx Player) are now available.
The drivers that Dick articulated for BC are the same for NZ:
- better service delivery that requires information held across various government departmental and organisational silos to somehow be brought together in a secure and privacy-protective manner; and
- giving citizens better access to the information held about them by government.
However, the implementation paths are different. The BC project is based on Info Cards while the NZ one will probably go down the Liberty Alliance’s specs path but allowing Info Cards as an optional UI.
One thing everyone will agree with is that both implementation paths have their own pros and cons. Over time, hopefully differences will not matter too much but given the current state of interoperability, they do. And that translates into substantial differences in architecture, customer experience, the “mental model”, requirements on information providers, ability to join up service delivery, and the uptake strategy.
While the similarities in outcomes between the BC and NZ approaches are important, it is the differences in implementation that provide a great insight into the opportunities and challenges for both governments. Work on comparing and contrasting the two should throw up areas that both governments need to consider in their respective efforts.
To me, that is a very important piece of work to do next year.
In the meantime, it’s time to get the barbie (BBQ) going and break out the beer. I hope you have a great holiday and, like me, come back refreshed and ready for a cracker year ahead.
One of the two new projects that the Microsoft New Zealand Innovation Centre is funding involves integration of Windows CardSpace with SAML 2.0.
The project is to make the Authentication Programme’s all-of-government shared services, called “igovt”, accessible via CardSpace. According to Microsoft, “this technology will enable users to safely provide their digital identity to online services.”
Working on the project will be Microsoft’s Mark Rees together with Kiwi IT firm Datacom over the next four months. Igovt is based on SAML and the Microsoft-funded project will go some way in implementing CardSpace-SAML interoperability.
CardSpace and igovt make a great combination.
CardSpace provides an intuitive and natural user interface for people to manage their identity and authentication to online services. As CardSpace (and other identity selectors) progress towards the tipping point and CardSpace itself gets refined, a new paradigm for accessing secure online services is brewing.
On the other hand, igovt provides people with the option to verify their identity to NZ government agencies, online and in real-time, to a high level of confidence. In addition, igovt lets people use a single logon (password, token, etc.) to access all online government services. All of this with the highest levels of privacy protection.
When people verify their identity, one of the core design principles of igovt is for people to fully understand and view what identity information is being sent to the agency (Service Provider). In addition, active consent is a critical element of privacy protection. Currently this requires a browser re-direct to the igovt website, something that CardSpace would admirably eliminate without any reduction in user control or privacy protection, since the identity selector itself displays the claims about to be released and captures the user’s consent before the token is sent.
The areas that were identified as A-priority tasks represent some major issues facing deployers and are worth listing (details are available in the meeting notes):
- IdP discovery
- WS-Federation/SAML metadata lessons
- WS-Federation/SAML metadata distribution and lifecycle
- Interop endpoints
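Two of the items above (metadata lifecycle and interop endpoints) and the SAML 2.0 Web SSO profile mentioned in the Geneva post come together in the most basic SAML 2.0 deployment task: reading an IdP’s metadata, checking that it is still valid, picking the single sign-on endpoint, and sending an AuthnRequest to it over the HTTP-Redirect binding. The following Python is an added example, not code from the original posts or from Geneva, igovt or any other product mentioned here. The metadata document, entityIDs, endpoint URLs and certificate value are constructed and hypothetical. It deliberately omits two things a real deployment must do: verify the XML signature on the metadata itself, and sign the redirect (the SigAlg and Signature query parameters), both of which need key material.

```python
"""Added example: SAML 2.0 IdP metadata parsing, validUntil lifecycle check,
and an AuthnRequest for the Web Browser SSO profile over HTTP-Redirect."""
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
XSD_DT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample metadata. The entityID, endpoints and certificate value
# are hypothetical; the certificate is a placeholder, not a real X.509 blob.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.govt.nz/saml2" validUntil="2009-06-30T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQtU0FNUExFLUNFUlQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://idp.example.govt.nz/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://idp.example.govt.nz/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return entityID, validUntil, SSO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    certs = ["".join(c.text.split())
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
            "sso": sso, "signing_certs": certs}


def metadata_is_current(meta, now=None):
    """Lifecycle check: refuse metadata whose validUntil has passed.
    'now' is an xs:dateTime string like '2009-01-01T00:00:00Z' (default: UTC now).
    Metadata without validUntil is treated as current; a real deployment would
    also honour cacheDuration and re-fetch the document on schedule."""
    if meta["valid_until"] is None:
        return True
    now_dt = (dt.datetime.strptime(now, XSD_DT) if now
              else dt.datetime.now(dt.timezone.utc).replace(tzinfo=None))
    return now_dt < dt.datetime.strptime(meta["valid_until"], XSD_DT)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        request_id=None, issue_instant=None):
    """Minimal Web Browser SSO AuthnRequest. The SP must remember request_id so
    the Response's InResponseTo can be matched; Destination names the endpoint
    taken from metadata so the IdP can reject misdirected requests."""
    request_id = request_id or "_" + uuid.uuid4().hex  # xs:ID may not start with a digit
    issue_instant = issue_instant or dt.datetime.now(dt.timezone.utc).strftime(XSD_DT)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def redirect_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    A signed request would add SigAlg and Signature parameters computed over the
    encoded query string; that needs the SP's signing key and is omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits = raw deflate
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def parse_redirect_url(url):
    """IdP side: recover the AuthnRequest, its Issuer and Destination, and RelayState."""
    query = parse_qs(urlparse(url).query)
    xml_text = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")
    req = ET.fromstring(xml_text)
    return {"request": xml_text, "issuer": req.findtext(f"{{{SAML}}}Issuer"),
            "destination": req.get("Destination"),
            "relay_state": query.get("RelayState", [None])[0]}


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("metadata current on 2009-01-01:", metadata_is_current(meta, "2009-01-01T00:00:00Z"))
    sso = meta["sso"][REDIRECT_BINDING]
    url = redirect_url(sso, build_authn_request("https://sp.example.govt.nz/saml2",
                                                "https://sp.example.govt.nz/saml2/acs", sso),
                       relay_state="/dashboard")
    print(url)
    print("IdP sees issuer:", parse_redirect_url(url)["issuer"])
```

The IdP-side check that Destination equals its own endpoint, and the SP-side check that the Response’s InResponseTo matches a stored request ID, are where most “interop endpoint” mismatches surface in practice; both depend on the metadata being current, which is why the lifecycle check comes first.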
Already there has been some progress in the telecon of 9 October. So, for people interested in interoperability issues, it’s worth keeping an eye on the work.
A colleague presented a use case at the September workshop covering the work being done in New Zealand. One of the interesting things, from my perspective, was to see how the roadmap has evolved to cover a wider range of identity attributes with a parallel increase in use of the Liberty Alliance specs.
I thought the final slide was interesting as it examines the case for convergence over interoperability. Both Concordia and the industry in general have settled for interoperability but my colleague made some excellent points about why the goal of convergence still remains important to deployers:
- “Interoperability solves a business problem today, but…
  - Ongoing fight against divergence
  - Requires Interop elements (explicit or implicit)
  - Creates future work to manage
  - Difficult to manage across organisational boundaries
- Convergence prevents business problems tomorrow…”
Having said that, it’s probably fair to say that out-of-the-box interoperability between identity protocols is a difficult enough (but worthy) immediate objective.
Currently, every virtual world requires a player or user to go through the process of creating an avatar that will act as their proxy in that online environment. Typically, an avatar created for one world, be it a game or a system like Second Life, cannot move between these different virtual spaces.
A project started by IBM and Linden Lab aims to eventually create a universal character creation system so people only have to create a digital double once.
While the character’s appearance may change depending on where it is taken, its basic characteristics, such as looks and underlying personal data, would be retained. The hope is to boost interest in virtual worlds as well as make them easier to navigate.
The link between avatars and identity has been studied from many angles. One interesting presentation is from Dr Angela Thomas, including this lovely quote from Aimee Weber, “The avatar is a direct telephone line to the soul.”
If so, then the project by IBM and Linden Lab is akin to unbundling the local loop.
Two stories in Computerworld caught my eye today.
First, it seems that Kiwis are going to have to wait longer before the banks roll out smartcards. Blame it on the head start that New Zealand has on minimising credit card fraud by using PINs instead of signatures. Another reason is probably that credit card charges here are typically authorised against back-end systems in real time rather than by processing paper later.
All of this means that the business case for banks to introduce chip & PIN cards is much harder than in other countries.
It also means that interoperable authentication credentials of the sort I mentioned in a previous post are still far away. That’s not good for anyone.
Secondly, an article quoting Statistics NZ which towards the end mentions, “While only 7% of people completed the census online in 2006, up to 50% have indicated they will be willing to do so in 2011… Feedback from those who did complete online has been very positive.”
That’s quite an impressive prospect- half of the country’s population completing the census online. What a great win for e-government and the Internet that would make!
In my previous post about interoperable authentication credentials, I had referred to news from Australia in which ANZ Bank is piloting how its business customers can use their bank-issued smartcards with government.
In light of the FinancialTech Insider article, in retrospect I should have mentioned that the smartcards issued by ANZ use the IdenTrust certificate for authentication with the government. This re-emphasises the efforts being made by IdenTrust to breathe new life into banks’ PKI infrastructures.
The article makes a good point that, “IdenTrust is the only bank-developed identity authentication platform and unlike other digital ID solutions, it emphasizes the interoperability of its digital certificates and their ability to function cross-border.”
This might just be enough to give the banks an edge as a global-scale identity player.
Still, it is hard to overlook the troubled history of PKI. Much has been written about the problems with PKI. One of the good ones is by security guru Peter Gutmann called “Everything you Never Wanted to Know about PKI but were Forced to Find Out.”
With a title like that, it’s an insightful but very long read!
It’s hardly surprising that 61% of the 102 IRS employees tested improperly disclosed their usernames and passwords. I suspect they are people after all and therefore prone to social engineering. Sadly, it seems they didn’t even get a chocolate in exchange.
Passwords of course continue to have a role to play in online authentication. But, they need to be limited to transactions where the identity-related risk is truly low.
It would be so much easier if two-factor authentication was ubiquitous. One way to get there quicker is to have interoperable authentication credentials.
It was therefore good to see news coming out of Australia that ANZ Bank has struck a deal with a government department to pilot a way for bank-issued smartcards to also be used as authentication credentials with the government.
This is part of the VANguard program which “will provide validation, authentication and notary services to facilitate online business with government agencies.”
A downside of using a smartcard’s digital certificate online is the need for a smartcard reader of some sort. That doesn’t however seem to be a problem for ANZ’s business customers as they are already using them for a range of Internet-based banking services.
This is great- one interoperable authentication credential for banks and government, one step closer to ubiquitous two-factor authentication.