Identity 2.0 is insecure?

Petko D. Petkov a.k.a. pdp wrote a provocative post entitled "Identity 2.0: How Attackers Break into Identity-centric Services". As you can imagine, I was intrigued by such a title.

In the post, pdp talks about how the real world is decentralized and then claims that Identity 2.0 is centralized. In fact, an Identity 2.0 architecture is similarly decentralized. You obtain claims or credentials from whoever is authoritative about some aspect of your identity, and then present them to others to prove you have a particular attribute. A driver’s license proves you are able to drive, and is also accepted to prove your age, name and residency. For me, this is the Province of BC. The authority for these claims is centralized for a certain group of people in the real world. That is how we get trust to scale. Identity 2.0 enables it to work similarly in the online world.

While identifying himself as a newbie with the statement "Identity management services such as OpenID, Microsoft’s CardSpace, Sxip, YADIS", pdp brings up Cross Site Scripting, Cross Site Request Forgeries, and Phishing as issues with these technologies. I’m so glad that he pointed these issues out. I don’t know what we were all thinking when developing these technologies. Seriously though, these are known issues, and having multiple ways of solving them while still having a standard protocol is a "good thing". Currently there are a number of different ways of solving these issues that various parties are developing. In the OpenID world, we worked on the OpenID Provider Authentication Policy Extension (PAPE) to address some of these issues. Summary: it is still early days and there are still lots of pieces to get figured out, but that does not mean we have not been thinking about the issues.

The author does make a good point about the user losing control of her identity provider. There are a number of ways of solving this, usually in the form of multiple levels of control and multiple sources of control. More on that later.