The Problems With Identities

By John Taschek  |  Posted 2002-08-05 Print this article Print

The strength of a network is based on its weakest link—it's likely to be an identity.

The popularity of the Liberty Alliance and Microsofts Passport has as much to do with IT demand as it does with vendor neediness. Vendors need Web and enterprise identity management to succeed in creating the market and driving demand for a new set of products that sit at the core of the application stack. If vendors fail, they risk losing a strategic battle to develop the standards (de facto and real) for Web services integration—and probably a big chunk of change as well.

Enterprises, meanwhile, need some standards for federating identities; otherwise, single sign-on becomes a pie-in-the-sky concept made possible only by internally developed, client/server-based, proprietary solutions.

Passport is available, the Liberty Alliance specification was completed last month and OASIS has demonstrated SAML interoperability, but were not there yet. Heres whats missing:

Federated ID creation. Oblix CTO and co-founder Nand Mulchandani raises a good point: What happens when a user wants to federate an ID on a system that has no account for that user? There are no standards for how this can be done. That makes federation possible only if two organizations have agreements with each other and if users have accounts on each system.

Federated ID deletion. If a user is deleted from an account that is federated with another, theres no way to manage deletion of the second account. The Liberty Alliance spec has some verbiage on how users can be disconnected, but none about deletion.

Enterprise ID management. Passport has another problem—no enterprise will allow users to authenticate to the corporate network via a Passport account. Two accounts still have to be maintained and synchronized.

The master ID. Any identity management tool needs a master identity, whether its one account used to log in to a single-sign-on service or one based on the Liberty Alliance. Without a master identity, theres going to be a hodgepodge of individual identities that have to be managed at the corporate level. Guess what? Corporate IT isnt going to get into that business.

Weak ID. The weakest link in a network is likely to be an identity, probably one based on a user name and password. The Liberty Alliance can pass authentication strength to the authorization service, but this is only a first step. Oblix, Netegrity and a host of others are working on this problem.

Anything else missing? Write to me at

Related Stories:
  • Commentary: Liberty Is All About Identification Control
  • Liberty Alliance Spec Wont Cure Security Mess
  • Deal Links Visa, MasterCard Accounts to Passport
  • Liberty Alliance or Passport?
  • Averting Web Identity Crisis
    As the director of eWEEK Labs, John manages a staff that tests and analyzes a wide range of corporate technology products. He has been instrumental in expanding eWEEK Labs' analyses into actual user environments, and has continually engineered the Labs for accurate portrayal of true enterprise infrastructures. John also writes eWEEK's 'Wide Angle' column, which challenges readers interested in enterprise products and strategies to reconsider old assumptions and think about existing IT problems in new ways. Prior to his tenure at eWEEK, which started in 1994, Taschek headed up the performance testing lab at PC/Computing magazine (now called Smart Business). Taschek got his start in IT in Washington D.C., holding various technical positions at the National Alliance of Business and the Department of Housing and Urban Development. There, he and his colleagues assisted the government office with integrating the Windows desktop operating system with HUD's legacy mainframe and mid-range servers.

    Submit a Comment

    Loading Comments...
    Manage your Newsletters: Login   Register My Newsletters

    Rocket Fuel