Where it is going ??
Various organisation are working on the problem and its solutions. They produce specification draft, Use case studies, they try to attract members who are waiting for a solution to emerge.
Main players: OpenID & OAuth
OpenId is divided in two: OpenID 2.0 and OpenID Connect. It may be a real plus when linked with WebID, but is still experimental. The decentralized aspect is nice, but I am not sure if people are really concerned. Depending entirely on Facebook doesn't seem to bother anyone. So OAuth or even a proprietary Facebook protocol may seriously reduce OpenID success.
OpenID and OAuth have a good adoption, which is critical for being relevant in the Identity space.
The US "Federal Identity, Credential, and Access Management" (ICAM) validated OpenID 2.0 and SAML 2.0 as Trust Framework. They provide some good documents.
Experiments: WebID & BrowserID
- takes some idea from Microsoft InfoCard abandoned attempt (after the failed Passport attempt)
- Avoid the hierarchical trust model used to authenticate servers
- could moves toward a Web Of Trust, but does not even mention it.
- Looks like it uses RDF to express Trust relationships ?
BrowserID https://browserid.org/ is a Mozilla Labs experiment with the simplified version of the "Verified Email Protocol". It is very simple and web oriented. It doesn't seems to be very successful so far.
Identity in the Cloud (OASIS) is "just" a long and freightening list of use cases. For those who don't see the problem, it is a good read !
JSR 351 is a work in progress "to define API ... that facilitate the use of identity by applications ..." . It will bring standard Java API to well established standards: OAuth, OpenID ... and also annotations to avoid lookups.