If, bottom-line, user-centric means giving users control over their identity (e.g. when it gets shared, how it gets used) then there had better be some authorization rules defined by the user being enforced if and when some piece of their identity is requested.
And, if the user's identity info is maintained on their behalf by some provider, that provider may have its own policies for access control (e.g. do not share with entities with which no legal agreement exists) unanticipated by the user themself. Both user and provider would have to 'approve' before identity is released. So, as Eve labels it, 'mutual authorization'.
Started me thinking about just how many entities might have an opinion on whether or not some piece of identity be shared:
- the user (I don't want my geolocation shared for marketing purposes)
- any custodian of the identity if different than the user (don't share with competitors)
- the requestor (it might not even want the data if it is to be released with too onerous a set of requirements (e.g. security, reporting etc))
- some regulatory body (must not share unless auditable consent has been obtained)
- some other user (if I provide a reference for a colleague, both she and I would likely have our view of appropriate usages)