Google’s Andrew Nash has a verified attribute exchange plan that he wants to unwrap at the Cloud Identity Summit.
It involves interfaces, standards, user attributes, APIs and what has emerged as the trickiest ingredient - commitments. If all goes well, his presentation will serve as a starting point for an attribute exchange ecosystem.
His plan is already in motion and Nash hopes to share the stage with a couple of innovators working through the next steps - pilots based on APIs Google just released for creating an attribute exchange that intertwines identity providers, relying parties and attribute providers.
“I think it will be a launching pad for the next phase of requirements and interactions that will foster what comes next,” said Nash, director of products for Internet identity at Google.
The ideas build on an interface called Account Chooser, the OpenID Connect and OAuth 2.0 standards, and something called Street Identity, which facilitates the exchange of user attributes for the purpose of authentication and authorization.
Street Identity, introduced last year, is now intellectual property of the Open Identity Exchange and lives in its Open Attribute Exchange working group, which is building a trust framework to deal with things such as policy, user interaction and permissions.
Into that mix, Google is adding a set of APIs it put into production that allow Google to facilitate the attribute exchange – with a set of caveats Nash says will be his key points: Google never sees the information that is exchanged, Google does not cache or leverage the information, and Google does not take a cut of the revenue stream that is created among service providers, relying parties and attribute providers.
Google’s notion is that all boats will be secured, including those of its users.
The pilots Nash brings on stage at CIS are built around Google’s new APIs. “At some level they are like science experiments,” says Nash. “They are not pilots like ‘this is fully baked.’”
The goal, he says, is to uncover the “next requirements, what are the next important things to do, and to discover some proof points that show relying parties there is some real value to derive from this.”
In the model, Google is the authorization point where Google users or IDPs make decisions about whether or not information gets shared and from what source it gets released.
“We want to seed the technology and uncover the data points to actually get some lift off,” he says. “We are trying to be as far out of the loop as possible,” says Nash, who acknowledges the plan will encounter some tin foil hats.