After a decade in digital identity, one of my overwhelming takeaways is that the subjects at the very heart of the field — identities, attributes, tokens, credentials — are an order of magnitude (at least) more complex than they appear to the layman.

The closest analogy is the atom — what seems so simple at a conceptual level turns out to have oceans of complexity swirling beneath it when you ask the devil for the details.

So in this field I especially prize clear thinking and modeling (I would go so far as saying that XDI would be impossible without it.)

For a shining example, look no further than Anil John’s new blog entry, A Model for Separating Token and Attribute Manager Functions. I especially like how the model reveals key differences between four different real world identity systems, including the currently popular social login model.

[Update: for the ideas leading to his model, Anil credits Andrew Hughes, Ken Dagg, David Wasley and Colin Soutar from the Kantara Identity Assurance Working Group.]