Archive for June, 2005

Location and Authorization

Monday, June 6th, 2005

Dave Kearns recently mused on the use of location in access control:

I could see [the user's location] being used in a graded authentication scheme to reduce or deny access based on a possibly adverse location (e.g., someone trying to access a Pentagon database from Uzbekistan).

and Kim Cameron responded, mapping this into his identity metasystem vision:

In the identity metasystem, the relying party could indicate in its policy that it requires several sets of identity claims: one indicating who the user is, and another indicating where the user is. The claims might come from different authorities (e.g. an enterprise and a trusted location provider). These would be implemented as two Security Token Services (claims transformers). Both sets of claims, taken together, would identify the user from the point of view of the relying party.

First, I have to agree with Dave’s 2002 article – this does indeed seem more like authorization than authentication. Now to the question of geo-location… Liberty defined the ID-SIS Geolocation Service earlier this year. An access control system (like, say, Sun Java System Access Manager) can implement policy based on location (or any other attribute or ‘claim’). So, an application (or, more likely, some agent protecting that app – in access control jargon a ‘policy enforcement point’ or PEP) can provide access to a given resource depending on policy constraints such as “Is the user within 100m of location X”. When a user attempts to access the resource, the PEP sends a policy query for that constraint to the access control system’s ‘policy decision point’ (PDP). The PDP queries the geolocation service for the user’s current location and responds ‘true’ or ‘false’ to the PEP accordingly, which then grants or denies access to the resource as appropriate.
The elegance of this approach is that only one component of the system (the PDP) need be trusted with the user’s identity (this might also be possible in Kim’s identity metasystem). The information available to other components around the network is limited to exactly what they need to know – i.e. does the user’s identity meet a given constraint. And, of course, you could deploy such a system right now using products from a number of vendors, since all of the above is defined by Liberty and is shipping today.
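To make the PEP/PDP split above concrete, here is an added sketch (my own illustration, not code from Liberty, Sun or any product named here): the PDP alone resolves the session to a user and queries a stand-in geolocation service, then answers the “within 100m of location X” constraint with a bare true/false that is all the PEP ever sees. The session table, user positions and location X are constructed sample values.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed sample data standing in for the session store and for the
# geolocation service's answers (latitude, longitude in degrees).
SESSIONS = {"sess-42": "alice", "sess-77": "carol", "sess-99": "bob"}
GEO_SERVICE = {
    "alice": (51.5010, -0.1246),   # ~33 m north of location X
    "carol": (51.5020, -0.1246),   # ~145 m north of location X
    "bob": (40.7128, -74.0060),    # New York
}

def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(a))

class GeolocationService:
    """Stand-in for a geolocation service: user -> current position (constructed)."""
    def locate(self, user):
        return GEO_SERVICE.get(user)

class PolicyDecisionPoint:
    """The only component trusted with identity: resolves the session to a
    user, asks the geolocation service, and answers the constraint."""
    def __init__(self, geo):
        self.geo = geo

    def evaluate(self, session_id, constraint):
        kind, centre, radius_m = constraint
        user = SESSIONS.get(session_id)
        pos = self.geo.locate(user) if user else None
        if kind != "within" or pos is None:
            return False                      # unknown session or no fix: fail closed
        return haversine_m(pos, centre) <= radius_m

class PolicyEnforcementPoint:
    """Guards the resource; only ever sees the PDP's true/false."""
    def __init__(self, pdp, constraint):
        self.pdp, self.constraint = pdp, constraint

    def request(self, session_id):
        return "granted" if self.pdp.evaluate(session_id, self.constraint) else "denied"

# Policy: "is the user within 100 m of location X" (X is a constructed point)
LOCATION_X = (51.5007, -0.1246)
pep = PolicyEnforcementPoint(PolicyDecisionPoint(GeolocationService()), ("within", LOCATION_X, 100))
```

Note that the PEP never receives a user name or a position, and that a missing session or an unavailable location fix yields a denial rather than an error path that might leak either.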

New look sought for Planet Identity – calling web artists

Saturday, June 4th, 2005

If you’ve visited Planet Identity yet then you’ll probably have noticed that it’s inherited the same look as Planet Sun – not surprising, since I just reused the PS code. Now, I have pretty limited graphical talent – as you can probably see from my almost-standard Sotto theme. This is where you come in – if you have a modicum of artistic flair, and feel like contributing a new look for Planet Identity, I’d like to hear from you. I can’t pay you, but I’ll give you full credit on the page, and your work will be seen by thousands… ok, hundreds… well, a few people every day.
Incidentally – this is my first post using BlogEd – if you can read this then it’s working.

Planet Identity is live!

Friday, June 3rd, 2005

I took the plunge: I registered planetidentity.org, configured Planet and got it working all in under 48 hours. So, go take a look at Planet Identity. There seems to be an issue with entry times – Andre Durand of Ping has a load of old entries at the top, but I’m hoping that will go away as it beds in. Enjoy – and let me know if there are any other blogs you think I should add – I’m sure I’ve missed a load.
Huge thanks to Steve Lau for contributing hosting space, and Ludo Poitou for giving me his existing Sun internal Planet Identity as a basis. Without them I’d still be googling for hosting and scratching my head over the Planet docs.