Patrick reintroduces his 'passive' and 'active' distinction, which captures how much a client is able to enforce the user's wishes about identity sharing (and probably about other identity functions, like IDP discovery, too).
One issue. Patrick writes:
The caveat here is that active federation implies that the user is an active participant in the flow of identity (if not necessarily aware of it because of stored privacy policies). So, active federation requires that the user be 'online' (e.g. be sitting at their desk, looking at their phone, or having inserted their USB dongle into an airport kiosk).
I would argue that active federation is superior to passive federation when the requirements of user-centricity are to give the user the ability to independently enforce control and privacy stuff.
Lots of use-cases have the user online so that their client can actively mediate their identity flow; lots of others don't.