
Some questions about the Identity Metasystem

I believe the Identity Metasystem is a barn-raising project, in the open public marketspace we call the Internet. Once raised, it becomes part of the Net's infrastructure, kinda like this diagram shows. Also this one.

We build the metasystem with Microsoft's leadership (Kim Cameron's especially) and participation — even using Microsoft's architectural drawings — but in a public space, for public use, in the open marketplace, without any ownership encumbrances. The result will be NEA: Nobody will own it, Everybody can use it, and Anybody can improve it. (Yes, there are exceptions to that principle, especially around ownership — even in the LAMP stack. But the virtues are clear, and it's those virtues that make LAMP components adoptable infrastructure.)

The main concerns, naturally, are around trusting Microsoft. (We all have our reasons. Also our reasons to look past them.)

Other questions are technical. Or political. Or combinations of those two (licensing is a good example).

I think we need to be able to talk about the technical questions without getting too bogged down in the politics or completely bogged down in distrust.

So I have some technical questions that I'd like to get answered, or at least approached. And I hope we can drop the distrust stuff while we try to answer them.

First, some reading material, in logical (if not always chronological) order.

Now, here's where we set up the question. Johannes says,

In order to accomplish this, InfoCard employs:

  • SOAP
  • WS-Addressing
  • WS-MetadataExchange
  • WS-Policy
  • WS-Security
  • WS-SecurityPolicy
  • WS-Transfer
  • WS-Trust
  • XML Signature
  • XML Encryption

Julian adds,

And So:

- User end requires Longhorn or an XP upgrade

- Depends on SOAP and the WS protocol stack

- Uses HTML OBJECT tag with DLL support

- Multiple commercial licensing but with probably no open, free, license.

So that counts out Apple and Linux clients. It may well count out Firefox and other browsers. It almost certainly counts out PHP-Apache websites. Java/Perl server environments probably won't work because interop between MS implementations of the WS stack with Java/Perl implementations is extremely patchy.

Under "Microsoft Implementation Plans" (from the very first link, above), Kim and Microsoft say,

Microsoft plans to build software filling all roles within the identity metasystem (while encouraging others to also build software filling these roles, including on non-Windows platforms). Microsoft is implementing the following software components for participation in the metasystem...

... and then lists four items, the first two of which have InfoCard in their titles. The paper continues,

The identity metasystem preserves and builds upon customers' investments in their existing identity solutions, including Active Directory and other identity solutions. Microsoft's implementation will be fully interoperable via WS-* protocols with other identity selector implementations, with other relying party implementations, and with other identity provider implementations.

Non-Microsoft applications will have the same ability to use "InfoCard" to manage their identities as Microsoft applications will. Non-Windows operating systems will be able to be full participants of the identity metasystem we are building in cooperation with the industry. Others can build an entire end-to-end implementation of the metasystem without any Microsoft software, payments to Microsoft, or usage of any Microsoft online identity service.

The boldfaces are mine, and meant to draw attention to both the literal meaning of the passages, and what is clearly Microsoft's intention for the metasystem to serve as an open environment and not a walled garden or a silo.

I think what we have here (looking at Johannes' and Julian's posts, which are representative of questions I hear quite often elsewhere) is an insufficient distinction between an open environment (Identity Metasystem) and one vendor's implementation inside that environment (InfoCard). Because both come from Microsoft, it's easy to conflate the two.

From the beginning of these conversations, Kim has made it clear to me that he (and Microsoft) want to see other implementations on other platforms, to demonstrate the open and inclusive nature of the metasystem, and to invite more implementations into the marketplace.

So, here's the first big question: Does the metasystem require adoption of SOAP and the whole WS-* suite of protocols (or whatever those are) — that whole bulleted list above — or something much less than that? I've gathered from Kim that WS-Trust is an essential component. But what about the rest of the list? Seems to me that Kim conceives the Identity Metasystem as a wide-open and inclusive architecture in which all kinds of current (LID, Sxip, XRI-XDI) and future identity systems can participate. Is this possible if the required protocols aren't really open or usable in a practical sense, as Julian contends? And, for that matter, is the WS-* suite a done deal, either? What, if anything, needs to be done there to make it (or parts of it) acceptable to those who are inclined to dismiss it?
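To make the "how much of that list is really needed" question concrete, here is an added illustration (my own, not code from the post, from Kim, or from Microsoft's InfoCard) of the smallest token-issuance exchange WS-Trust describes: an identity selector sends a RequestSecurityToken to an identity provider, and the provider answers with a RequestSecurityTokenResponse carrying the token. It is built and parsed with nothing but Python's standard library, and the last function reports which of the bulleted specs actually appear on the wire. The relying-party and STS URLs and the token body are constructed sample values; the WS-Security signing and encryption that a real deployment would wrap around this are deliberately left out, which is exactly the part Julian's interop worry is about.

```python
"""Minimal WS-Trust 'Issue' exchange (SOAP 1.2 + WS-Addressing + WS-Trust),
built and parsed with only the Python standard library.

Added illustration, not code from the post or from InfoCard. Message shape
follows the WS-Trust (Feb 2005) RequestSecurityToken / Response elements;
all URLs and the token body are constructed sample values.
"""
import xml.etree.ElementTree as ET

NS = {
    "s":   "http://www.w3.org/2003/05/soap-envelope",           # SOAP 1.2
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",  # WS-Addressing
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",       # WS-Trust
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",      # WS-Policy (AppliesTo)
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

ISSUE = NS["wst"] + "/Issue"  # wst:RequestType value meaning "issue me a token"


def q(prefix, local):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_rst(relying_party, token_type, sts):
    """Identity selector -> identity provider (STS): ask for a token scoped
    to one relying party. Returns the SOAP envelope as bytes."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = NS["wst"] + "/RST/Issue"
    ET.SubElement(hdr, q("wsa", "To")).text = sts
    body = ET.SubElement(env, q("s", "Body"))
    rst = ET.SubElement(body, q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    applies = ET.SubElement(rst, q("wsp", "AppliesTo"))
    epr = ET.SubElement(applies, q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = relying_party
    return ET.tostring(env, encoding="utf-8")


def parse_rst(xml_bytes):
    """Identity provider side: extract what it needs, refusing anything that
    is not an Issue request scoped to a named relying party (an unscoped
    token could be replayed at any site)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != q("s", "Envelope"):
        raise ValueError("not a SOAP 1.2 envelope")
    rst = root.find("s:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no wst:RequestSecurityToken in body")
    req_type = rst.findtext("wst:RequestType", namespaces=NS)
    if req_type != ISSUE:
        raise ValueError("unsupported RequestType: %r" % req_type)
    addr = rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address",
                        namespaces=NS)
    if not addr:
        raise ValueError("AppliesTo/Address is required to scope the token")
    return {"token_type": rst.findtext("wst:TokenType", namespaces=NS),
            "relying_party": addr}


def build_rstr(token_type, token_xml):
    """Identity provider -> identity selector: the issued token, wrapped."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = NS["wst"] + "/RSTR/Issue"
    body = ET.SubElement(env, q("s", "Body"))
    rstr = ET.SubElement(body, q("wst", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q("wst", "TokenType")).text = token_type
    holder = ET.SubElement(rstr, q("wst", "RequestedSecurityToken"))
    holder.append(ET.fromstring(token_xml))
    return ET.tostring(env, encoding="utf-8")


def parse_rstr(xml_bytes):
    """Selector side: pull the token element out of the response."""
    root = ET.fromstring(xml_bytes)
    rstr = root.find("s:Body/wst:RequestSecurityTokenResponse", NS)
    if rstr is None:
        raise ValueError("no wst:RequestSecurityTokenResponse in body")
    token = rstr.find("wst:RequestedSecurityToken/*", NS)
    if token is None:
        raise ValueError("response carries no token")
    return {"token_type": rstr.findtext("wst:TokenType", namespaces=NS),
            "token_tag": token.tag}


def namespaces_used(xml_bytes):
    """Which of the post's listed specs a message actually touches on the wire."""
    uris = {el.tag.split("}")[0].lstrip("{") for el in ET.fromstring(xml_bytes).iter()}
    return {p for p, uri in NS.items() if uri in uris}


if __name__ == "__main__":
    # Constructed sample values, not real endpoints.
    rst = build_rst("https://relying-party.example/", "urn:oasis:names:tc:SAML:1.0:assertion",
                    "https://idp.example/sts")
    req = parse_rst(rst)
    rstr = build_rstr(req["token_type"],
                      '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
                      'AssertionID="constructed-sample"/>')
    print(req, parse_rstr(rstr), sorted(namespaces_used(rst)))
```

Even this bare exchange already pulls in four of the ten listed specs (SOAP, WS-Addressing, WS-Policy's AppliesTo, WS-Trust); adding the signatures and encryption that make the token worth trusting brings in WS-Security, XML Signature and XML Encryption on top. That is the concrete shape of the question: which of those layers a non-Microsoft implementation must speak before it counts as "in" the metasystem.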

The second big question (especially for my constituency) is, What will it take to get open source developers, and the rest of the non-Microsoft world, to adopt and deploy stuff that works within the metasystem? Licensing is clearly an issue. What else?


Further comment

Here's the comment I added to Kim's post.



I put up the straw man, and deliberately painted a bleak picture. And rightly you're arguing back ;) I'm also extrapolating a bleak future from some current problems that may or may not resolve themselves. So let me re-state and provide a bit more reasoning.

The touchstone I have is whether Marc Canter's Ourmedia would be able to use Infocard where the end user is using Firefox. Now Ourmedia is based on Drupal and is pretty much a pure PHP implementation. It's representative of a very large number of small to medium sized websites running on pretty simple hosting. And the geek early adopters have switched from IE to Firefox wholesale. If you can't get them on board and evangelising, how will you get the great unwashed on board?

So one piece at a time.

- Firefox. (and Safari, and non Windows clients). Requiring a DLL/ActiveX to use Infocard doesn't completely preclude non-Intel, non-Windows, or non-IE browsers but it makes implementation a damn sight harder.

- PHP SOAP never really got traction. It almost works but the document model is essentially unfinished. Now how long have we been trying to get basic SOAP interop? I seem to have been following this for what feels like at least 4 years. And I'm still reading stories about how this or that toolkit doesn't really work with that or this toolkit in another language.

Now we're talking about building an Identity system on top of a large stack of unfinished protocols on top of a basic communications protocol that still has some interop problems on top of a very common web scripting environment where the bottom level of the stack is not going anywhere. Yup, that'll work.

I fully expect that if you're working with an MS only environment using MS only tools, then Infocard will work. But I can't see anything that says that you want to embrace those millions of Drupal, phpBB, Wordpress, Movable Type, php-Nuke, MediaWiki sites. Now that's a business decision that MS is free to make. So it precludes the whole of the long tail of web building. Including me.


Also from Phil

Doc Consolidates Questions about Microsoft Infocard

Doc has put together a good summary of the open questions on Microsoft InfoCard and the so-called "Identity Meta-System" so far.

Julian's question is a particularly important one, ... (more)