Ben Laurie blathering

Identity 2.0 – Apples and Oranges

Not surprispingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “suprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.


  1. Given that SAML seems to be becoming widely deployed, and is seen as safe, secure and reliable (maybe even mature?) by many enterprises (including Google for its search appliances, and Microsoft for its Infocard technology) can you explain why you believe that SAML is /not/ “widely-used, mature, reliable or secure”?

    Comment by John Kemp — 23 Jul 2006 @ 16:57

  2. I said it wasn’t widely used, mature, reliable and secure.

    Comment by Ben — 23 Jul 2006 @ 18:25

  3. And to be clear, “seems to be becoming widely deployed” != “widely deployed”.

    Comment by Ben — 23 Jul 2006 @ 18:27

  4. […] Google’s Ben Laurie continues with a post I’d call “Cogent with cloudy periods”: […]

    Pingback by Kim Cameron’s Identity Weblog » Soothing music all around — 23 Jul 2006 @ 19:05

  5. Yes, these are Apples and Oranges. That is the point we are all making. Google and Microsoft did different things. Microsoft is making sure they don’t create an identity silo. Google is deepening the one they have. What Google did make it easier for users to consume Google services from other sites. An Identity 2.0 vision would be great to see.

    If there is not enough standardization, the Google could participate. Oddly enough, there is enough standardization for Microsoft to support Identity 2.0

    btw: I don’t expect you will always agree with me. I would expect you would tell me you disagree when we are discussing it!

    Comment by Dick Hardt — 23 Jul 2006 @ 21:24

  6. I’ve been trying to find a way to word this comment that doesn’t sound like somebody stole my coffee.

    Dick – it seems to me that you’re upset about what Google hasn’t done. I agree that having Google take the lead in implementing Identity 2.0 would drive deployment speed up dramatically. This doesn’t seem to be something that they’re interested in doing.

    What Google does seem to have done from what I can see is make life easier for themselves by providing a clean, rather more secure API for developers to use to access individual Google services. It’s something that most of us probably wouldn’t have noticed if it had been done by anybody other than Google – a convenience.

    Perhaps I’m misreading the service descriptions, but it seems to me that there’s confusion between an identity framework such as SXIP or Infocard, and an enterprise specific API like Google Account Authentication, which I’d expect to see manipulated by an identity framework – whatever that framework turns out to be, in the end.

    Is all of this fuss actually a concern about what Google may end up doing in the future, rather than what they’re doing currently?

    Comment by cat — 23 Jul 2006 @ 22:14

  7. I stole Cat’s coffee. It’s only fair, she got my tounge.

    Comment by Adam — 24 Jul 2006 @ 5:52

  8. Humans are way too sneaky to trust one another. Ultimately, we probably secretly don’t even trust ourselves … :O)

    Who said that? Shhhh …

    Comment by robin — 24 Jul 2006 @ 8:29

  9. Dick, I did tell you I disagreed when we were discussing it. At length.

    Comment by Ben — 24 Jul 2006 @ 10:40

  10. I think Adam got the better part of the deal 🙂

    Comment by cat — 24 Jul 2006 @ 16:33

  11. I know that Google choose SAML for their SPI(Service Provider Interface) in their enterpise solution. Then I wonder that Google *really* think SAML is not widely used, mature, reliable and secure.

    Comment by Seung-Hyun Kim — 25 Jul 2006 @ 10:13

  12. You can find ‘Google Authentication/Authorization for Enterprise SPI Guide’ in below url.

    Comment by Seung-Hyun Kim — 25 Jul 2006 @ 10:14

  13. Ben,

    I really see that you don’t believe SAML to be widely deployed, scalable and/or mature. I’m just asking you /why/ you believe that. Why is SAML not scalable (for example)?

    Comment by John Kemp — 25 Jul 2006 @ 12:28

  14. You can’t switch “and” for “or”. I didn’t say SAML wasn’t scaleable. Specifically, I am saying it isn’t widely deployed.

    Comment by Ben — 25 Jul 2006 @ 13:45

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress