惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
月光博客
月光博客
腾讯CDC
Last Week in AI
Last Week in AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园_首页
量子位
博客园 - 聂微东
Jina AI
Jina AI
小众软件
小众软件
The Cloudflare Blog
有赞技术团队
有赞技术团队
V
V2EX
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
WordPress大学
WordPress大学
阮一峰的网络日志
阮一峰的网络日志
B
Blog
MongoDB | Blog
MongoDB | Blog
L
LangChain Blog
宝玉的分享
宝玉的分享
C
Check Point Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
IT之家
IT之家
N
Netflix TechBlog - Medium
I
InfoQ
J
Java Code Geeks
S
SegmentFault 最新的问题
V
Visual Studio Blog
Microsoft Security Blog
Microsoft Security Blog
博客园 - 叶小钗
D
DataBreaches.Net
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
B
Blog RSS Feed
S
Schneier on Security
Webroot Blog
Webroot Blog
P
Proofpoint News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Threatpost
Project Zero
Project Zero
Scott Helme
Scott Helme
C
CERT Recently Published Vulnerability Notes
P
Privacy International News Feed
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security

OpenID Foundation

Public Review Period for Proposed OpenID Connect Ephemeral Subject Identifier 1.0 Final Specification - OpenID Foundation Call for Participation: Demonstrate MCP-based AI agent security with open identity standards AuthZEN at Identiverse 2026: authorization in the agent era Public Review Period for Proposed Implementer’s Draft of OpenID Connect Key Binding - OpenID Foundation As AltID launches, Danish media seek OIDF view Errata to OpenID Identity Assurance Specifications Approved - OpenID Foundation Public Review Period for Proposed Implementer’s Drafts of Two OpenID Federation Extensions - OpenID Foundation OIDF proud to support BIS Innovation Hub’s Aperta Report Announcing the new Digital Credentials Harmonized Presentation Working Group OpenID Foundation advances authorization for the agent era with new AuthZEN Working Group Drafts Australian Digital Trust Community Group’s 2nd Innovation Day – 24th June 2026 - OpenID Foundation OIDF conformance tests deliver results in La Ciotat Four OpenID Foundation voices at ID4Africa 2026 in Abidjan CrowdStrike joins the OIDF as a Sustaining Corporate Member OpenID AuthZEN wins EIC 2026 Outstanding Project Recognition Insights from the OIDF’s Australia Innovation Day OIDF presents at ITU-T workshop on digital ID and agentic AI Implementer’s Draft of International Government Assurance (iGov) Profile for OAuth 2.0 Approved - OpenID Foundation Notice of Vote to Approve Proposed Errata to OpenID Identity Assurance Specifications - OpenID Foundation OpenID Connect Advanced Syntax for Claims (ASC) 1.0 Implementer’s Draft Approved - OpenID Foundation OIDF has implemented a new Liaison Policy effective immediately - OpenID Foundation The OIDF Groups, Activities, & Events Code of Conduct Policy has been updated – here’s what you need to know - OpenID Foundation Notice of Vote to Approve Proposed Errata to OpenID Connect for Identity Assurance 1.0 - OpenID Foundation OpenID Federation 1.1 Final Specifications Approved - OpenID Foundation **Save the Date** OpenID Foundation Global Conference 2027 - OpenID Foundation Calling all members – register for the GDC Conference now Notice of Vote to Approve the Proposed Implementer’s Draft of OpenID Connect Advanced Syntax for Claims (ASC) 1.0 - OpenID Foundation Notice of Vote to Approve Proposed OpenID Federation 1.1 Final Specifications - OpenID Foundation
How we got here: what six decades of identity history tell us about the agent age
Serj Hallam · 2026-07-15 · via OpenID Foundation

By Sar Haidar, Platform Engineer at MIT Open Learning 

Every identity standard we work with today was built to solve a problem someone was staring at right then. OAuth, OIDC, SAML, the token flows we spend our careers refining: each one began as an urgent answer to an immediate question. That was the premise of a talk I gave at Identiverse earlier this year, and it's worth restating for anyone thinking about where identity goes next. We have never once designed the whole system on purpose. We've patched it, one urgent problem at a time, for sixty years. Understanding that pattern is the best tool we have for seeing where the next patch is headed.

The pattern, compressed

It starts in 1961, when MIT's Compatible Time Sharing System let multiple people use one computer at once for one of the first times, and immediately raised a question nobody had faced before: how does a machine know whose files are whose? Fernando Corbató's answer was the password. Within a year, a grad student named Allan Scherr printed the password file and logged in as other users to get more compute time. Often cited as the first recorded credential theft, and the industry's response set the template for everything that followed: protect the secret better, and never question whether a shared secret was the model to build on in the first place.

That pattern repeats at every scale change. Hashing and salting (Morris and Thompson, 1979) made stolen passwords harder to use, but didn't touch the underlying assumption. Kerberos (MIT's Project Athena, mid-1980s) solved authentication across a campus of networked workstations. It was brilliant inside one trust boundary, and blind to anything outside it. The 1988 Morris worm exposed what happens when a network built on personal trust between colleagues quietly becomes a city of strangers. X.500 tried to answer with one universal global directory and collapsed under its own complexity; LDAP won by being good enough to ship. Cookies solved a real, narrow problem for Netscape in 1994, since stateless HTTP couldn't recognize a returning visitor, and became the infrastructure of surveillance advertising almost by accident.

By the turn of the century the problem had a new name: fragmentation at global scale. A single centralised identity provider, an approach Microsoft tried early with Passport (1999), failed because no one would hand one company the keys to everyone's identity. SAML (2001 to 2002) worked beautifully for institutions that already trusted each other and was useless for strangers. OpenID (2005) proposed the most philosophically honest answer, your own URL as your identity, no gatekeeper, and almost nobody used it, because typing a URL to log in was too much friction. The federation question never got a clean answer; it got outsourced instead. First informally, through OAuth powered social login, where three or four companies now vouch for most of the consumer web, and then as a service, through a new generation of identity vendors. Then the smartphone, with Touch ID and Face ID, quietly erased the line between being authenticated and just being yourself.

What stuck with the room

The talk closes on the current inflection point: AI agents, and an identity stack that was never built for a world where the "user" making a call might not be a human at all, where nobody yet agrees on the ratio of non-human identities to human ones, let alone who's accountable when an autonomous call misfires.

But that's not what people brought up afterward. In the conversations that followed the session, the recurring comment was about the choice to tell sixty years of identity history as a plain, human narrative rather than a stack of acronyms and protocol names. People said they appreciated the non-technical framing, the sense that each of these standards was invented by someone solving a very immediate, very human problem, often without any idea of what it would become decades later. That feedback is worth sitting with. Our field is fluent in discussing identity as a technical problem. We get far less practice discussing it as a human one, and the agent era is about to make that second fluency just as necessary as the first.

Why this matters for OIDF's work right now

This isn't an abstract concern. It's the exact gap the OpenID Foundation's Artificial Intelligence Identity Management (AIIM) Community Group was stood up to address: the silos between the AI and identity communities, and the risk that hard won lessons about security, privacy, and interoperability get relearned the hard way inside agentic systems instead of applied from the start. The Foundation's 2025 whitepaper on agentic AI identity, and the ongoing work on On Behalf Of (OBO) token exchange, are direct responses to the same question the talk raises: when an agent acts, whose authority is it acting under, and how do we preserve accountability through multiple hops of delegation rather than falling back to raw impersonation or static API keys? Phil Windley's work on authorized trajectories, the idea that just in time credentials alone may not be enough and that we may need to reason about an agent's whole intended path of action, points at the same open question from a different angle.

The historical pattern suggests we'll solve the technical version of this problem the way we always have: well, and just in time. The harder task, the one the audience kept circling back to, is holding onto the human part alongside it: that an agent acting in your name is a statistical model predicting your next move, useful, but not you. That distinction isn't a footnote to the standards work. It's the reason the standards work matters.

About the author: Sar is a Platform Engineer at MIT Open Learning, where he builds systems that make learning accessible at scale. He's also the creator of SyntheticAuth.ai, where he writes about identity and AI with a mix of technical depth and skepticism. He's an active open-source contributor who believes the systems that govern trust should be transparent and collaborative.

This post is based on a session delivered at Identiverse 2026 (Mandalay Bay, Las Vegas, June 16) titled "How We Got Here: The Story Behind Your Identity Stack and the Assumptions We Must Leave Behind."

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to building trusted identity ecosystems. Our mission is to lead the global community in identity standards that are secure, interoperable, and privacy respecting. Founded in 2007, we are a community of technical experts. The Foundation's OpenID Connect standard is now used by billions of people across millions of applications. More recently, the FAPI security profile - built on OAuth 2.0 - has become the standard of choice for interoperable Open Banking and Open Data implementations, while OpenID for Verifiable Credentials specifications are underpinning a new generation of digital wallets. Today, the OpenID Foundation's standards are the connective tissue that enable people to assert their identity and access their data at scale, the scale of the internet, enabling "networks of networks" to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.