I’ve done a modest editorial and copy editing update to the OpenID SAML technical comparison document announced earlier. Going forward, the latest rev will be available via this URL:
http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html
Over the past couple of years quite a few folks have asked me, and I’m sure others, “what’s the salient differences between OpenID and SAML?” So earlier this year I began hacking together a technical comparison of the two. It’s an interesting exercise comparing two Web SSO protocols, even one as ostensibly simple, and straightforwardly specified, as OpenID. It turns out to be a fairly complex task given all the different facets inherent in authentication protocols in general, and in web-, i.e. HTTP-based, protocols (and profiles thereof) in particular. And also given the various audiences affected by such protocols: implementors, deployers, end users, and protocol designers.
The resultant comparison paper, “Technical Comparison: OpenID and SAML - Draft 05″ seems to me to be at a stage where it can be shared widely (i.e. on the web 
), here it is..
http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html
..For many readers, sections 1, 2, and perhaps 3 ought to cover things. For those necessarily interested in gory, really geeky details, parts or all of section 4 will be of interest. Note that this is still a “draft“–there are various items, especially in section 4, that are not as yet evaluated as thoroughly as I’d like, or at all (as yet).
I’ve tried as much as possible to provide an objective comparison. It’s admittedly difficult given I’ve been intimately involved in SAML’s gestation since essentially the very beginning. It’s also a technically difficult comparison because of the differing design centers of OpenID and SAML, as well as differing specification styles, and thus the difficulty in presenting the comparison to the reader, not to mention attempting to be “balanced“.
So, I hope this paper will prove at least somewhat enlightening and useful to the multifaceted “identity” community out there, and to those shepherding websites who are wondering what these two oft-mentioned beasts are, how’re they’re different/similar/alike, and also nominally how they work.
=JeffH sez check it out.
Well, I’m using the term “debate” loosely here because it seems to me, given the marshalled evidence, there isn’t much of a debate to be had, but in any case, Microsoft has responded to Peter Gutmann’s cost analysis of the DRM subsystems in Windows Vista (of which I’d written about earlier), and also in system hardware that has anything to do with handling of so-called “premium content” (i.e. content encoded onto newly emerging HD-DVD and Blu-Ray discs). Their reply is here..
Windows Vista Content Protection - Twenty Questions (and Answers)
http://windowsvistablog.com/blogs/windowsvista/archive
/2007/01/20/windows-vista-content-protection-
twenty-questions-and-answers.aspx
Peter Gutmann’s rebuttal to Microsoft’s response is here..
Microsoft’s Response
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html#response
..which is an appendix of his overall “Cost Analysis of Windows Vista Content Protection” paper.
If you are at all curious as to the veracity and logic of Microsoft’s response, it is worth reading Peter Gutmann’s response in detail.
Peter Gutmann has just published a fairly detailed examination of Windows Vista Content Protection. It is highly recommended reading in that it has non-trivial implications for essentially all personal computer users of any stripe…
A Cost Analysis of Windows Vista Content Protection
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt
Note that this analysis dovetails with Bruce Schneier’s overall “DRM is futile” piece from 2001…
The Futility of Digital Copy Prevention
http://www.schneier.com/crypto-gram-0105.html#3
And also it has been coming for a while. Here’s a Microsoft doc from early 2005 that goes into fair detail describing the DRM-driven system workings that Peter analyzes…
Output Content Protection and Windows Vista
Updated: April 27, 2005
http://www.microsoft.com/whdc/device/stream/output_protect.mspx
..although interestingly enough, technorati lists only 13 references to it in their view of the blogosphere. Perhaps this upcoming train wreck isn’t all that widely perceived.
To me, Microsoft’s introduction of this level of bizzare complexity into the hardware and software platform, simply tends to reinforce the refrain of one of my colleagues: “I ain’t going anywhere near Vista.”
Seems like I’ll have to sooner or later get around to experimenting with bringing up Ubuntu and/or CENT/OS and evaluating what it’ll take to migrate my environment over to one of them. Oh, yeah, and get my hardware upgraded sooner rather than later here so that it hopefully won’t have this foolishness in it. I wonder how long into the future XP will be supported?
[update 25-Dec-2006]
Peter has updated his analysis paper to provide pointers to publicly available sources.
My colleague and friend, Susan Landau, works (in one of her multi-facets) at the intersection of privacy, security, and public policy. I find it a good idea to keep up on what she’s writing in these areas. She doesn’t (yet?) have a blog per-se, but watching the publications section of her homepage works pretty well — hence there being a link to her page in my sidebar here. She has a couple of recent articles on the multi-faceted topic of the Internet/VoIP and wiretapping/CALEA that are interesting and provocative…