Thursday, February 08, 2007

A certain irony

There is a certain (some might go so far as to say 'rich') irony in a paper commissioned by the Liberty Alliance proposing a distinction between user-centric and federated identity that runs completely counter to prevailing Liberty opinion (or at least to my interpretation of it).

The "Digital Identity Management A Critical Link to Service Success: A Public Network Perspective" paper examines the challenges and opportunities for network operators.

The study analyzes identity management and its crucial role in enabling personalized services. Identity management is viewed as a crucial element in a basket of technology enablers that will be instrumental in preventing network operators from experiencing a dreaded “bit pipe” fate.

In a discussion of user-centric identity, the authors write:

Proposed, but not agreed, definitions for the different architectures are:
  • User-Centric: user decides every time what identity attributes to reveal to the content provider
  • Domain-Centric: user approves identity attributes appropriate to specific domains
  • Federated: user approves transferring of identity attributes already given to other federation members

These are strange criteria. The first would suggest that the (many) Liberty use cases where the user is not actively mediating the identity flow (either because the identity does not flow through the user agent or because they are not otherwise involved) are not 'user-centric'. This is absolutely not the accepted Liberty view; in fact it is precisely the definition of user-centric that Liberty argues strongly against.

The 'already given' in the last definition implies that a federated model deals only with the flow of data once it has already been shared at least once, perhaps through 'user-centric' active mediation?

For me, federation is a set of tools (e.g. SAML, Cardspace, OpenID, etc.); user-centric is a philosophy for applying those tools.

At least the definitions are qualified by 'not agreed'.
