In my book Eve Maler’s about as cool as it gets. XMLGrrl was not only one of the inventors of XML, but deeply understands many of its richest applications from DocBook to SAML. And she’s been a pioneer in applying all of this to the challenge of Internet-scale digital identity.
Her latest blog entry on Pushing String (“The future’s so bright I gotta wear shades”) explores a number of recent developments by Jeff Hodges, Scott Cantor, and Peter Davis for lightening up SAML to make it easier for developers who are jazzed about OpenID. In it she asks about the new “directed identity” feature:
I tried figuring out if the OpenID V2.0 work includes this approach [directed identity] as a possibility for URL-based identifiers, and it appears to go part of the way, though the underlying purpose seems to be different. Revision 10’s Appendix C.1 says “Supports IdP-driven identifier selection. This new variation of the protocol flow is initiated by entering an Identifier for an IdP instead of an Identifier for an End User, and allows the IdP to assist the End User in selecting an Identifier.” But I’m having trouble finding where in the normative spec this is defined.
Although I’m not one of the editors, I have worked quite a bit on this feature in the 2.0 spec and I apologize if it’s not clear in Draft 10. However Eve is exactly right: starting with OpenID Authentication 2.0, a user will have two options for logging into an OpenID-enabled site: with their personal identifier, or with the identifier of their OpenID provider (IdP). If the user chooses the latter option, the IdP will let the user choose the identifier they want to share with the site — anything from a specific persona to a one-time URL/XRI generated by the IdP just for this relationship.
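To make the flow concrete, here is an added example (my own sketch, not code from Eve, the spec editors or any OpenID library) of the directed identity exchange in Python. It follows the parameter names of the final OpenID Authentication 2.0 specification: the relying party (RP) sends the request with openid.claimed_id and openid.identity set to the identifier_select URL, and the IdP (OP) fills in the identifier the user picked in its signed id_res response. Whether Draft 10 used exactly these names is an assumption. The OP endpoint, the discovery table, the association MAC key and every identifier are constructed stand-ins. The check worth noticing is on the RP side: because the RP never ran discovery on an identifier it did not type, it must run discovery on the returned claimed_id and confirm that the responding OP endpoint is authoritative for it, or any OP could assert any URL.

```python
import base64
import hashlib
import hmac
import os
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed example OP. A real RP learns the endpoint via Yadis/XRDS or
# HTML discovery on whatever identifier the user typed into the login box.
OP_IDENTIFIER = "https://op.example.net/"
OP_ENDPOINT = "https://op.example.net/server"
OP_ID_PREFIX = "https://op.example.net/id/"


def discover(identifier):
    """Simulated discovery: which OP endpoint is authoritative for identifier?"""
    if identifier == OP_IDENTIFIER or identifier.startswith(OP_ID_PREFIX):
        return OP_ENDPOINT
    return None  # nobody vouches for this identifier


def _sign(fields, signed_keys, mac_key):
    """HMAC-SHA256 over the key-value form ("key:value\\n") of the signed fields."""
    kv = "".join("%s:%s\n" % (k, fields[k]) for k in signed_keys)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def build_checkid_request(typed_identifier, return_to, realm):
    """RP side. Typing the OP's own identifier triggers directed identity:
    the RP sends identifier_select and lets the OP choose the identifier."""
    endpoint = discover(typed_identifier)
    if endpoint is None:
        raise ValueError("discovery failed for %s" % typed_identifier)
    ident = IDENTIFIER_SELECT if typed_identifier == OP_IDENTIFIER else typed_identifier
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": ident, "openid.identity": ident,
        "openid.return_to": return_to, "openid.realm": realm,
    }
    return endpoint, params


def op_directed_identifier(realm, op_secret):
    """OP side: a per-RP identifier, stable for this realm but unlinkable across RPs."""
    tag = hmac.new(op_secret, realm.encode(), hashlib.sha256).hexdigest()[:20]
    return OP_ID_PREFIX + tag


def op_respond(request, chosen_identifier, assoc_handle, mac_key):
    """OP side: the user authenticated and chose chosen_identifier (a persona or a
    directed identifier); return the signed positive assertion."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    nonce += base64.b64encode(os.urandom(6)).decode()
    fields = {
        "ns": OPENID_NS, "mode": "id_res", "op_endpoint": OP_ENDPOINT,
        "claimed_id": chosen_identifier, "identity": chosen_identifier,
        "return_to": request["openid.return_to"],
        "response_nonce": nonce, "assoc_handle": assoc_handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle", "signed"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = _sign(fields, signed, mac_key)
    return {"openid." + k: v for k, v in fields.items()}


_seen_nonces = set()  # (op_endpoint, response_nonce) pairs already accepted


def rp_verify(response, expected_endpoint, expected_return_to, mac_key):
    """RP side: return the verified claimed identifier or raise ValueError."""
    g = lambda k: response.get("openid." + k)
    if g("ns") != OPENID_NS or g("mode") != "id_res":
        raise ValueError("not a positive OpenID 2.0 assertion")
    if g("return_to") != expected_return_to or g("op_endpoint") != expected_endpoint:
        raise ValueError("return_to/op_endpoint do not match the request we sent")
    claimed = g("claimed_id")
    # Directed identity: the OP chose this identifier, so the RP has never run
    # discovery on it. Do it now and insist the same OP is authoritative for it.
    if claimed == IDENTIFIER_SELECT or discover(claimed) != g("op_endpoint"):
        raise ValueError("OP %s is not authoritative for %s" % (g("op_endpoint"), claimed))
    signed = (g("signed") or "").split(",")
    for must in ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity"):
        if must not in signed:
            raise ValueError("required field not covered by signature: " + must)
    fields = {k: g(k) for k in signed}
    if not hmac.compare_digest(_sign(fields, signed, mac_key), g("sig") or ""):
        raise ValueError("bad signature")
    key = (g("op_endpoint"), g("response_nonce"))
    if key in _seen_nonces:
        raise ValueError("replayed assertion")
    _seen_nonces.add(key)
    return claimed


if __name__ == "__main__":
    mac_key, op_secret = b"\x01" * 32, b"constructed-op-secret"
    endpoint, req = build_checkid_request(OP_IDENTIFIER, "https://rp.example.com/return",
                                          "https://rp.example.com/")
    chosen = op_directed_identifier("https://rp.example.com/", op_secret)
    resp = op_respond(req, chosen, "assoc-1", mac_key)
    print("RP accepted:", rp_verify(resp, endpoint, "https://rp.example.com/return", mac_key))
```

The association (assoc_handle and mac_key shared by OP and RP) is assumed to have been set up beforehand; the example only shows the checkid_setup request, the OP's choice, and the RP's verification of what came back.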
This will significantly increase the privacy options available under OpenID. Add this to the prospect of new ways to converge OpenID with SAML, and it’s no wonder Eve is singing this merry tune!