Can the Concordia Project Bring Coherence to Federated Identity?

Robin Cover's XML Daily Newslink yesterday, one of my "must reads" (you can sign up for a free subscription at newsletter-subscribe@xml.coverpages.org), included a note on the formation of the Concordia Working Group by the Liberty Alliance Project (LAP). The story caught my eye for three reasons: it addresses a real problem, it's using an increasingly common approach to do so, and it's advancing the state of the art at the same time in a new and interesting way. I'd like to look at each of those reasons in greater detail.

 
 
First, let's review the real world problem: LAP is wrestling with a frustration that concerns us all: how can we take advantage of all that the Internet can offer without (a) having our privacy violated and our bank accounts emptied by the Bad Guys, while (b) not being driven crazy by endless user IDs, passwords, and other safeguards thrown up to deal with (a)? Or, as LAP more elegantly phrases it: 
The vision of Liberty Alliance is to enable a networked world based on open standards where consumers, citizens, businesses and governments can more easily conduct online transactions while protecting the privacy and security of identity information. This world, where devices and identities of all kinds are linked by federation and protected by universal strong authentication, is being built today with Liberty’s open identity standards, business and deployment guidelines and best practices for managing privacy.
 The second reason is also systemic, but in a different way, as this Working Group is the latest in a series of initiatives born of the realization that it's increasingly rare for single standards organizations to be able to solve real-world problems for end-users, as compared to point solutions for vendors. The reasons include that there are two many moving parts, too many different organizations involved in standardizing those parts, and too much that has to happen quickly in order to keep up with technical innovation and commercial exploitation of new technologies. 
 

Another problem is that vendors are constantly tempted to go their own way to create cool new tools that fragment the Web platform that end users would like to take for granted, rather than collaborating in standards organizations to develop common approaches that could be easily enabled (and therefore would be incorporated) into all browsers and Web sites without any action needed by the user. The result? Placing users in what Carl Howe yesterday called plug-in hell.
 
The third reason is that this standards-based particular initiative is being launched using a hybrid methodology that borrows as much from an open source project as from a standards development working group. And very appropriately so, as well.
 
So let’s take a closer look. The new PAL Working Group is taking the increasingly common approach of setting up shop downstream from the standards development procss, and creating what it calls “Metasystem Use Cases.” This approach works roughly as follows: 
1. Identify a high-level problem that needs solving (e.g, making e-commerce sites easier to use and more secure when you do)
 
2. Define specific situations that need to be addressed in order to achieve that goal. Call them “Use Cases” (example: log on to a new e-commerce site and call on existing data found elsewhere using the minimum number of clicks to be ready to do what you want to do, without worrying about possible security consequences)
 
3. Find existing standards, protocols and services that make this possible, and describe them clearly in a specification, which you may call a “profile” or “guideline”
 
4. Make the document freely available so that as many developers and users as possible take advantage of it, providing incentives for more and more to do so, thereby achieving the original goal
 In the case of the Concordia project, the high-level objective is described as follows:
 
The goal of this group is to help drive the development of use-case scenarios where multiple identity specifications, standards and/or other initiatives might co-exist, recognizing heterogeneous deployment environments of the marketplace.
 
More generally, the Project hopes to create a layer of easily implemented tools that will enable the use cases to be successfully achieved. More specifically, the Project hopes to:
  • Drive development of a ubiquitous, interoperable, privacy-respecting layer for identity in order to:
    • Help drive deployment costs down
    • Assure implementers and deployers of better success and greater productivity
    • Lead to more commercial products and open source offerings, in turn leading to a healthy market
    • Facilitate new service offerings
  • Assure interoperability across this layer
    • Deliver confidence to implementers and deployers in implementing today with successful interoperability tomorrow
  • Encourage strong, cross-sector, cross-geography participation through an open development process
Interestingly enough, the Concordia project is using a collaborative, Wiki-based approach that invites anyone, member or non-member alike, to participate in the effort. This stands in contrast to earlier, vendor-driven, member driven, and (substantial) dues-based efforts such as the Web Services Interoperability Initiative (WS-I), the Mobile Imaging and Printing Consortium, and the Network Centric Operations Industry Consortium (the last two are clients of mine). The Scope and Criteria for Success sections of the Concordia project Charter provide a cogent rationale for this approach:
2. Scope
The Concordia Working Group recognizes that deployers are working in a constantly shifting heterogeneous environment. In order to advance the identity marketplace, there needs to be a conscientious effort to develop systems, devices, applications and identities that will successfully and seamlessly interoperate. As such, this Group is chartered to:
 
·         Become an active public discussion forum for the development, contribution and analysis of cross-protocol use cases for systems in a wide variety of vertical and horizontal deployment models.
·         Drive virtual and public events that allow for discussion and development of use cases and corresponding solutions
·         Develop, publish, and maintain a detailed roadmap to drive focused output
 
 

3. Criteria for Success

·         Sufficient participation from interested community experts, including Liberty members and non-members
·         Strong information sharing on use cases and constructive next steps for protocol development, etc, across the group
·         Regular meetings (phone and/or physical) to facilitate group communication, experience sharing and guidance
 
This strikes me as a very sensible and wholesome approach to solving complex modern IT-based challenges. I’ll therefore be watching this project with interest, and hoping for its success. Clearly, we need to develop effective ways to address the increasing number of broad-based problems that only such downstream, metasystem projects can successfully address. The more creative experiments like this that are launched, the more likely it will be that some will strike the right balance between effort and reward, incentives and successes, that the open source model has so clearly achieved. 

For further blog entries on Open Source and Open Standards, click here

subscribe to the free Consortium Standards Bulletin