October 20th, 2006
A tipping point?
Way back in the early mists of identity time, I was speaking with Bryan Field-Elliott (then CTO of Ping Identity) about the earliest drafts of the Liberty Alliance protocols, and whether or not they could be used for what we then called "internet identity." (Note: "internet identity" is now called "URL-based identity," or even more broadly and less accurately "user-centric identity.") Bryan told me that while SAML or Liberty *could* be used for "internet identity" (theoretically), they never would be. They never would be because web developers are their own breed — they don't gather at hotels, "spec out" requirements, and engage architects to build an elegant solution. Instead, web developers stumble upon something that excites them, pull in disparate pieces, kludge something together, get a big guy or two to buy in, and start using it.
Bryan was, of course, right. He also knew what he couldn't then predict — that something like OpenID would come from the grassroots in an attempt to solve the internet identity problem. Yesterday, Technorati announced that it would support OpenID — and in the blogosphere, compiling SixApart and Technorati and WordPress into the same boat gets you pretty close to critical mass.
So the question remains: Is this a "tipping point?" Have we solved the "internet identity" problem? I'd say that its far too early to say that. There's still a dizzying array of "user-centric" stuff coming down the pipe, but if you have to isolate the major players at this point, you'd say OpenID, CardSpace and Higgins (where Higgins is more development environment, than user-centric stuff).
Johannes Ernst, one of the primary drivers behind OpenID, is wagging his finger a bit at those that have argued that url-based identity systems are "toys" compared to "real" identity systems. While he's right to savor the current small victory, its still important to realize that SOAP-based systems of identity (SAML and WS-Federation) are still much more adept at maneuvering through high-risk transactions that take place online.
