The Story So Far

Last week I opened the conversation about generation change with the hypothesis that Enron and SOX defined the current generation of digital identity and that the next generation is upon us. I proposed that there are three characteristics of this next generation:

  • Pace
  • On Behalf Of
  • Proof and Portability

Last week I tackled Pace and this week we will tackle On Behalf Of.

On Behalf Of

But the new generation will not only be defined by Continuous Identity. There is a use case within identity that we have never formally addressed: on-behalf-of. One of the earliest questions that I received as an analyst was how the industry addresses on-behalf-of from a protocol perspective. We didn’t, some 20 years ago, have an answer to this question, and we have made meager progress since.

On-behalf-of is the undiscovered super-continent of identity. We know it exists. We know it is crucial to explore. And yet… we haven’t, until relatively recently, attempted to discover and explore the land of OBO.

So how does the current generation handle OBO? Approaches include:

  • “Iglazer_sa” vs “iglazer” accounts
  • Credential checkout with workflow approvals, a.k.a. PAM
  • Arcane ‘Login As’ per app functionality
  • Householding and parental controls

More recently we did create RFC 8693 but its use has been limited.

OBO might seem like an interesting, albeit academic, problem to solve, but actually it is very crucial for us to solve. Why? AI (and our own mortality.)

Consider that OBO is a proxy for two major issues:

  • Accountability: understanding who or what has performed an action on behalf of another carbon- or silicon-based lifeform is really important. Especially when things go in an unexpected direction.
  • Authorization: expressing and enforcing the limitations of what a person or thing can do when acting on behalf of another person or thing is absolutely crucial.

AI is driving both topics. But it’s not the only thing that is driving the exploration of OBO. Let’s go back to this slide: AI (and our own mortality.) All of us will have to confront the passing of a loved one as well as planning for our own passing. Whilst there is extensive law and practice that address the handling of physical and financial parts of one’s estate, what of one’s digital estate? How does one describe their wishes in terms of what to do with a person’s blog posts, digital photos, mp3 collection, and so on? And how does one from a technical perspective indicate that a person is acting on the wishes of another with respect to their digital estate?

In 2024 Dean Saxe started raising these questions and many more. Prompted by his own personal experiences, along with those of people like George Fletcher, Eve Maler, Mike Kiser, myself, and others, the Death and the Digital Estate community group formed under the auspices of the OpenID Foundation. Early in conversations there, the issues of OBO began to appear. Around the same time, AI and MCP began to become more and more of a thing, which requires further OBO work. The cataloging of delegation use cases continues in the OIDF eKYC working group.

Given the importance of the on-behalf-of problem, where should one start? Three suggestions:

First, (re)familiarize yourself with OAuth token exchange RFC 8693. The subject/actor token exchange pattern was originally proposed over 10 years ago and, at least based on my own experience, met with middling adoption. It is now very much in play as a means to limit what an AI bot can do in a resource server mediated by an MCP server.

Second, there is a need to drive accountability and authorization deeper into our microservices infrastructure. I am thrilled that transaction tokens have recently moved into “working group last call” status as of the end of July. If you are not familiar with Txn-Tokens you need to be. They were born out of the need to ensure that, in a complex services environment, the context of the originating call is preserved throughout the call chain. TraTs are another likely means of pushing OBO context and control deeper into our infrastructure.
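As an added illustration of the two suggestions above (this is example code written for this post, not code from the post’s author, from RFC 8693, or from the transaction-tokens draft), the following Python sketches an RFC 8693 delegation exchange: an AI agent presents the user’s token as the subject token and its own as the actor token, the authorization server issues a token whose `sub` stays the human and whose `act` claim records the agent, and the receiving API exchanges that token once more to call a further service. After two hops the originating subject and the full actor chain are still readable by the last resource server, which is the property the Txn-Tokens work is chasing. Everything named here is constructed: the issuer `as.example`, the services `agent.example`, `api.example` and `billing.example`, the user `iglazer`, the scopes, and the HS256 demo key standing in for a real issuer’s signing keys. The hop limit in `authorize` is an example policy, not something RFC 8693 specifies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for HS256; a real issuer signs with an asymmetric key and publishes a JWKS.
DEMO_KEY = b"demo-key-not-for-production"
ISSUER = "https://as.example"  # constructed authorization server
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693 section 2.1
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"  # RFC 8693 section 3


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal stdlib HS256 JWT signer so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, audience=None) -> dict:
    """Check signature and expiry, plus audience when a resource server is the caller."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= time.time():
        raise ValueError("token expired")
    if audience is not None and claims["aud"] != audience:
        raise ValueError("token not issued for this audience")
    return claims


def token_exchange(form: dict) -> str:
    """Toy RFC 8693 token endpoint for a delegation request (subject_token + actor_token)."""
    if form.get("grant_type") != GRANT_TOKEN_EXCHANGE:
        raise ValueError("unsupported_grant_type")
    if form.get("subject_token_type") != TOKEN_TYPE_JWT or form.get("actor_token_type") != TOKEN_TYPE_JWT:
        raise ValueError("invalid_request: unsupported token type")
    subject = verify_jwt(form["subject_token"])  # a real AS also checks whom this token was issued to
    actor = verify_jwt(form["actor_token"])
    requested = set(form.get("scope", "").split())
    granted = requested & set(subject["scope"].split())  # least privilege: never exceed the subject's rights
    if not granted:
        raise ValueError("invalid_scope")
    # RFC 8693 section 4.1: current actor on top, any earlier actor nested inside.
    act = {"sub": actor["sub"]}
    if "act" in subject:
        act["act"] = subject["act"]
    now = int(time.time())
    return sign_jwt({
        "iss": ISSUER,
        "sub": subject["sub"],  # accountability: the human remains the subject
        "aud": form["audience"],
        "scope": " ".join(sorted(granted)),
        "iat": now,
        "exp": now + 300,  # delegated tokens are short-lived
        "act": act,
    })


def actor_chain(claims: dict) -> list:
    """Walk the nested act claims: most recent actor first, first delegate last."""
    chain, act = [], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def authorize(claims: dict, required_scope: str, max_hops: int = 2) -> bool:
    """Resource-server decision: scope present and chain no deeper than policy (example policy only)."""
    return required_scope in claims["scope"].split() and len(actor_chain(claims)) <= max_hops


def demo() -> dict:
    """Constructed two-hop chain: user -> agent calls the API -> API calls billing."""
    now = int(time.time())
    user_tok = sign_jwt({"iss": ISSUER, "sub": "iglazer", "aud": "https://agent.example",
                         "scope": "calendar:read calendar:write mail:read", "iat": now, "exp": now + 3600})
    agent_tok = sign_jwt({"iss": ISSUER, "sub": "https://agent.example", "aud": ISSUER, "iat": now, "exp": now + 3600})
    api_tok = sign_jwt({"iss": ISSUER, "sub": "https://api.example", "aud": ISSUER, "iat": now, "exp": now + 3600})
    # Hop 1: the agent asks to act for the user toward the API; mail:send is not the user's to give away.
    hop1 = token_exchange({"grant_type": GRANT_TOKEN_EXCHANGE,
                           "subject_token": user_tok, "subject_token_type": TOKEN_TYPE_JWT,
                           "actor_token": agent_tok, "actor_token_type": TOKEN_TYPE_JWT,
                           "audience": "https://api.example", "scope": "calendar:read mail:send"})
    # Hop 2: the API, still acting for the user, exchanges hop 1 for a token toward billing.
    hop2 = token_exchange({"grant_type": GRANT_TOKEN_EXCHANGE,
                           "subject_token": hop1, "subject_token_type": TOKEN_TYPE_JWT,
                           "actor_token": api_tok, "actor_token_type": TOKEN_TYPE_JWT,
                           "audience": "https://billing.example", "scope": "calendar:read"})
    return verify_jwt(hop2, audience="https://billing.example")


if __name__ == "__main__":
    final = demo()
    print(json.dumps(final, indent=2), "\nactor chain:", actor_chain(final))
```

Three things to notice when running `demo()`: the `sub` of the token that reaches billing is still `iglazer`, so the accountability question (who was this done for?) is answerable at the end of the chain; the scope narrows to `calendar:read` because the exchange intersects the request with what the subject token actually carries, which is the authorization question; and the `act` claim reads `api.example` on top with `agent.example` nested beneath it, so the order of delegation is preserved rather than flattened.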

Lastly, if you are at all interested in the implications of delegation and OBO, get involved over at the OpenID Foundation. Either participate in the eKYC working group where George is spearheading cataloging and exploring delegation patterns, or in the Death and the Digital Estate community group, where we are working on guidance on how to plan for the management of one’s own digital estate.

Tune in next week for my thoughts on Proof and Portability.