An Identity Co-op
A co-op that operates an identity provider and advocates for the use of this provider by the services used by the co-op’s members.
Consumer Perspective
- One way to sign-on to all the sites you use (sometimes referred to as single sign-on)
- Member control over what personal information is collected by the co-op and what is shared with other services
- The co-op works collectively with services used by its members to lobby for and support adoption of co-op sign-on
- Members pay a membership fee which is used to cover operational and marketing costs (software development, hosting, training and promotion of the service to others)
Technical Perspective
- The co-op is an OpenID Connect Identity Provider (IdP) (potentially supporting other protocols as well)
- All software is open-source
- Given the value of compromising the service, multi-factor authentication is required (other advanced authentication mechanisms will be considered)
- Regular penetration testing is performed by a third-party
Why do this?
There are a number of good reasons to consolidate identity, but first let’s define how we’re using the word identity in this article:
- A name or handle you can be referred to with
- A set of credentials that you can provide to prove you are this identity
Potentially, there are additional things about you which could be valuable to associate with an identity:
- A visual representation of yourself
- Your reputation
- Links to other resources
- etc.
There are numerous existing systems which provide some of the features described above. There are also existing standards for interfacing between these identity providers and external systems. However, in almost all cases existing providers offer identity only as a secondary service alongside their primary product. This creates a number of problems:
- If a user discards the primary service, their identity is discarded as well
- Additional service features create additional security vulnerabilities
- Identity is derived from the primary service and may include information that is irrelevant or unnecessary for external systems (in extreme cases this may constitute a security or privacy violation)
- These services typically provide identity authentication as a means of lock-in to reduce user freedom, not to enhance it
- These services typically do not actively advocate for adoption of their identity service by external or third-party systems
- In many cases these services are proprietary, closed-source and often privately owned, limiting the ability for their security and scalability to be thoroughly assessed and in most cases eliminating any control the user has over how their personal information is used
In contrast to this, the Identity Co-op provides a single service: identity authentication. As such, all efforts are focused on providing the highest-quality identity authentication service possible. Control over the system is held by members of the co-op. All operational details are available to members and all source code is published openly. The information the co-op collects from its members is decided by the members themselves, and this information is used exclusively to provide value as an identity service. Additionally, this information is only shared with external systems and third-party organizations when necessary to authenticate an identity.
As a co-op exists to serve its members and their community, the Identity Co-op not only provides the software and infrastructure to authenticate the identities of its members, but it also must advocate for the adoption of this service by the systems its members use.
Additionally, co-ops have a responsibility to help other co-ops. The Identity Co-op is no different and will help create additional identity co-ops serving other communities. In this way the service can be distributed in the form of separate co-ops serving members with different needs while sharing knowledge, experience and tools.
The utility of this identity may go beyond the applications discussed, but no assumptions are being made that this is the case, nor is it necessary for the Identity Co-op to be valuable.
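As an added illustration (not code from the article or any co-op project), the following Python sketch shows how an OpenID Connect IdP can release only the claims a service requested and the member consented to, and give each service a different pairwise subject identifier so two services cannot correlate a member by sub alone; the member record, consent table, client identifiers, issuer URL and salt are constructed values.

```python
import hashlib
import hmac
import time

# Standard OpenID Connect scope -> claims mapping (OIDC Core, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "preferred_username", "picture"},
    "email": {"email", "email_verified"},
}

# Constructed sample member record as the co-op IdP might hold it.
MEMBER = {
    "sub": "member-0042",
    "name": "Ada Member",
    "preferred_username": "ada",
    "picture": "https://idp.example.coop/avatars/ada.png",
    "email": "ada@example.coop",
    "email_verified": True,
    "phone_number": "+1-555-0100",  # not mapped to any scope above, so never released
}

# Constructed per-service consent chosen by the member: claims each service may receive.
CONSENT = {
    "forum.example.org": {"preferred_username", "picture"},
    "shop.example.org": {"name", "email", "email_verified"},
}

def pairwise_sub(member_sub: str, client_id: str, salt: bytes) -> str:
    """Pairwise subject identifier (OIDC Core, section 8.1): stable per service,
    but different across services, derived with a keyed hash over a secret salt."""
    return hmac.new(salt, f"{client_id}|{member_sub}".encode(), hashlib.sha256).hexdigest()

def build_id_token_claims(member, client_id, scopes, consent, salt, now=None):
    """Return ID token claims containing only what the service requested via scopes
    AND what the member consented to share with that service."""
    now = int(time.time()) if now is None else now
    requested = set()
    for scope in scopes:
        requested |= SCOPE_CLAIMS.get(scope, set())
    allowed = requested & consent.get(client_id, set())
    claims = {
        "iss": "https://idp.example.coop",  # constructed issuer
        "sub": pairwise_sub(member["sub"], client_id, salt),
        "aud": client_id,
        "iat": now,
        "exp": now + 300,
    }
    for name in sorted(allowed):
        if name in member:
            claims[name] = member[name]
    return claims
```

Signing the resulting claims into a JWT is left to the IdP's token library; the point shown is the intersection of request and consent before anything leaves the co-op.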