
Lightweight Authentication Protocol Resolution

  1. Introduction
  2. Background
  3. Proposed Resolution
  4. Discussion
  5. Resolution as Passed

1. Introduction

This page is for discussion of an XDI.ORG trustee motion to encourage convergence of the open source community on a lightweight HTTP SSO (single sign-on) protocol.

2. Background

As illustrated by the presentation agenda for the Internet Identity Workshop, there are currently at least five open source protocols that have been developed for doing “lightweight” distributed HTTP-based authentication. None of these currently uses the OASIS SAML protocol because it is considered “heavyweight”.

XDI.ORG has already developed an ISSO (I-Name Single Sign-On) specification based on SAML 2.0 (see IservicesSpecs) that is part of a proposed package of services all accredited i-brokers will need to support.

In recent discussions the XDI.ORG board has considered adopting and requiring a lighter-weight HTTP authentication protocol as a secondary ISSO implementation (in addition to SAML 2.0) to help facilitate broader adoption of ISSO. Initial discussions were quite favorable to this idea and the board agreed (informally) to work on a draft resolution supporting the adoption of a lightweight protocol.

NOTE: we use 'lightweight' and 'heavyweight' as terms relative to the difficulty of implementing and adopting a protocol; neither term is intended to be negative. We (the XDI.ORG board) are working to adopt both, as this gives users and implementers more choice.

3. Proposed Resolution

Following is a first draft of a proposed resolution by the XDI.ORG board of trustees:

BE IT RESOLVED that the trustees of XDI.ORG encourage convergence of the open source community on a lightweight, royalty-free, interoperable HTTP-based single sign-on protocol. The trustees are prepared to incorporate such a protocol into the I-Name Single Sign-On (ISSO) I-Service Specification as a lightweight alternative to the currently defined SAML 2.0 authentication protocol (which will still be an option). These specifications determine the interoperability requirements for all XDI.ORG-Accredited I-Brokers, so this will add momentum to broad adoption of such a protocol.

4. Discussion

Please use this space for discussion, alternate wordings, etc.

Another take: a commitment to adopt and require a lightweight protocol, with a bit more process description, including a timeline for global launch.

BE IT RESOLVED that the trustees of XDI.ORG have agreed to adopt and require support of a lightweight, royalty-free, interoperable HTTP-based single sign-on protocol as part of XDI.ORG i-broker accreditation. The trustees will choose a single lightweight protocol for the global launch timeframe and encourage the open source development community to either converge the various protocols or develop a simple approach to interoperability, so that the adoption requirements for i-brokers are kept "lightweight" while the greatest number of sites and users are able to benefit from the work. The trustees will consider and choose from candidate protocols submitted by (some date) based on the following criteria:

  1. ubiquity of protocol

  2. ability to implement within timeframe

  3. availability of open source implementations in multiple programming languages

  4. ability to utilize and leverage on XRI

  5. ability to deal with multi-byte languages

  6. availability of interoperable process with SAML

  7. (other criteria?).

The chosen protocol will be a part of the I-Services interoperability requirements for all XDI.ORG-Accredited I-Brokers, thus gaining additional momentum for adoption.

5. Resolution as Passed

The motion below was developed and approved by private email conversation among the XDI.ORG board members. It passed unanimously.

In the spirit of supporting the 'entire community' - of which Johannes Ernst et al. have written regarding the YADIS effort - the XDI.ORG board of trustees seeks to affirm the value, worth, and importance of identity interoperability. We believe the YADIS effort comes not a moment too soon and we wish to support it publicly and enthusiastically as representatives of the XDI.ORG community.

THEREFORE, BE IT RESOLVED that the trustees of XDI.ORG have agreed to adopt and require support of the YADIS HTTP-based single sign-on protocol (in addition to SAML) as part of XDI.ORG i-broker accreditation provided there is a way to make i-services interoperable by and between i-name users who authenticate with either protocol (YADIS or SAML), and that the YADIS specification meets the following criteria:

  1. It can be reasonably implemented within the launch timeframe (launch scheduled for 2/1/2006)

  2. is free of royalties and patent encumbrances

  3. is available in open source implementations

  4. can utilize and leverage XRI

  5. can accommodate multi-byte languages