Tuesday, August 22, 2006

Axes in Identity Space

I think there must be some sort of law (not an Identity Law) to the effect that 'Any real world complex phenomena/system can only be adequately modelled with 3 or more parameters'. Chaotic systems notwithstanding, it's typically an artificial simplification to force a model into 2 'dimensions' (e.g. Gartner's quadrants).

Identity systems are an example. They are sufficiently complex that to adequately model and differentiate different systems, three 'axes' seems the bare minimum (4 would be better but ...)

These three seem useful:

Axis 1 - Control Mechanimsms - whether the system enables the user with direct (in the flow) or indirect control (through defined policies enforced by a trusted 3rd party) over the release of their identity.

Axis 2 - Relationships - the nature of the relationship (e.g. trust, legal, etc) between the entity releasing some piece of identity and the entity consuming it. DIfferent systems assume different degrees of coupling.

Axis 3 - Identity - the nature of the identity being shared, e.g. is it an identifier for a subject or other less discriminating attributes.

Different identity systems can be plotted against these co-ordinates. As an example, SAML's Web SSO Profile, when using persistent name identifiers and the HTTP Form POST Binding, can be characterized as:

  1. having the identity flow through the user-agent, and thereby enable direct user-control over its release
  2. typically sharing an identifier for the subject and not extra attributes (although possible)
  3. a symmetric relationship between Identity and Service Provider (the IDP 'knows' the SP as well as the opposite)
When you plot the above characteristics onto the proposed 3D identity space above, you end up with (the torus shape is an artifact of the 3D conversion)
Others to follow.

No comments: