Monday, January 23, 2006

Agreement on Identity Rights Agreements

Drummond Reed refers to a Phil Windley post on the value of "identity rights agreements" - pre-defined policies governing the use and sharing of identity info.

When asking for identity info, the requestor would include an identifier (likely some URI) for whatever policy it would abide by if the requested data was released to it. Likewise, the custodian would include the appropriate URI for the policy governing any released data. Drummond & Phil point to Creative Commons as an example of the principle; P3P is another.

Phil throws out some possibilities for those policies that would warrant an identifier.

* Post publicly (broadcast)
* Share with anyone, but can’t broadcast
* Share with self and partners with which you have a legal agreement to honor this agreement
* Keep to self
* Stored encrypted
* Use for this purpose and destroy
The identifiers would serve as a simple and easily parsed syntax for the complete policies (captured and accessible somewhere).

Liberty ID-WSF has a container in our protocols for carrying such identifiers (an empty container because, as yet, we have not ourselves defined any policy syntax or identifiers - despite some early work along this route). The <UsageDirective> SOAP header is defined in the SOAP Binding specification.

Participants in the ID-WSF framework may need to indicate the privacy policy associated with a message. To facilitate this, senders, acting as either a client or a server, may add one or more <UsageDirective> header blocks to the SOAP Header of the message being sent. A appearing in a SOAP-based ID-* request message expresses intended usage. A <UsageDirective> appearing in a response expresses how the receiver of the response is to use the response data. A <UsageDirective> in a response message containing no ID-WSF response message data, a fault response for example, may be used to express policies acceptable to the responder.
Drummond points to Identity Commons as the place where relevant policies (and agreed upon identifiers) might be defined.

Identity rights agreements are becoming one of the galvanizing forces for a revitalized Identity Commons. One of the reasons is the oft-used analogy that “Identity Commons should be to identity rights what Creative Commons is to copyright".
This work would be really interesting & valuable. Identity agreements and their identifiers could be common across particular identity systems (e.g. Liberty, Shib, OpenID, LID, SXIP, WS-*, etc) and so serve as a key piece of any metasystem that underlies or unites such systems.

No comments: