There have been some challenges to the proposal for information cards that carry OpenID tokens on the OpenID list. There was minor spillage into the Concordia list (this is good; Concordia should be aware of this). Gerry Beuchelt, Robin Wilton, John Kemp, and Jeff Bohren have seen fit to comment in the blogosphere. Paul Madsen added a bit of biting sarcasm. I even wondered about the interaction with Law 7 and usability last week. Since I've been involved, I think I'll poke around in the hornet's nest some more.
The argument had been made that there can be different kinds of information cards: information cards carrying SAML tokens and information cards carrying OpenID tokens. The argument goes on that this is a good thing since it gives relying parties a choice. Is it? Let's play it out.
Suppose a lot of RPs exercise their choice and deploy code that accepts information cards carrying OpenID tokens -- only. Now some user is sitting there with an information card that contains claims and level of assurance and so forth that an OpenID RP would accept. You see this coming, right? The user's card is one that carries a SAML token. She's out of luck.
Her "workaround" is to go get another card that carries a token with the "proper format". This doesn't seem like a very good way to construct an internet-scale Identity metasystem to me.
So one of the real consequences of the different token formats is that all RPs, all identity selectors, all IdPs and OPs are going to have to deploy two different pieces of code. And they'll have to maintain those two pieces of code. And for what?
Do Kim's 7 Laws of Identity allow those with such a proposal to wave Law 5 in front of everyone and claim it's justified? I think not. I think Law 5 acknowledges that there might be different situations and they might call for different protocols. But I don't think it gives anyone license to add different formats just because they're different. This is a known phenomenon in the computer field; it's called "Not Invented Here".
I have yet to see any reasons why OpenID tokens provide any extra benefits beyond what you would already have with information cards carrying SAML tokens. Even if there were some, it would be better to work together and make improvements to the next evolution of information cards.
There's one question I forgot to include last week. It came from Mike Beach at Boeing during the Concordia workshop in June. See his last slide (really the penultimate one, I reckon). As they say, it's a good question. And as they should conclude, it deserves a good answer.
Thursday, August 30, 2007