Stopping at interoperability has some unfortunate consequences for each of the parties in the identity transactions.
Identity Provider: Must implement multiple protocols. This isn't so bad for IdP's because there are relatively few of them and they can get a fair amount of value for their effort because it means more people will want to use their IdP (why Paul selected ProtectNetwork over AOL).
Relying Party: Must implement multiple protocols based on the services they provide. This is much more invasive because there are a lot more RPs than IdPs. Getting lots of RPs to support multiple protocols will be difficult unless it is made extremely easy through available toolkits. Developers (people?) are inherently lazy and spending time writing the equivalent of a TCP/IP stack by hand is not something they want to do. You can also apply these same consequences to web service providers.
Users: Must have multiple identities from different IdPs and know when to use them. This is the one that will kill the internet identity layer if we don't figure out a way toward better convergence. Here is my reasoning (corrections greatly appreciated)...
- Web site will need to implement multiple identity systems in order to take advantage of services available on the web
- Supporting multiple identity systems means that the bootstrap problem must be solved (how to exchange my OpenID authentication for a WS-Trust binary security token)
- Solving the bootstrapping problem is most easily done at the IdPs
- Not all IdPs will support all the necessary bootstrapping mechanisms
- Therefore, users will need to have identities at the "right" IdPs in order to use certain web sites
- Those web sites will have to figure out how to inform the user that their single-sign-on identifier doesn't work at their site.
As we work toward convergence, we need to be mindful of the impacts on users. If we don't make it easy for them, the coolness of the technology doesn't matter.
Tags: Identity, Convergence, Liberty Alliance, OpenID, Cardspace