Thursday, June 26, 2008

In which I clarify

Often times, in trying to be clever and sarcastic, I dive too deep into the 'satire pool'. The urge to be witty and contrarian surpasses the urge to be clear. Consequently, the 'point' I am trying to make can, on occasion, be buried underneath surface frivolity and snideness.

As happened with my recent post on HealthVault's chosen model for OP acceptance.

With that post, I have confused Kim, and for that I here apologize.

I was responding to a post of Simon Willison, in which he defended HealthVault's right to choose OPs selectively - and not be compelled to accept any ol' OP coming in off the street presenting an identity claim.

My post might have given some the impression that I disagreed with Simon. For instance, I wrote
I disagree

Admittedly, this set a tone.

But the rest of the post was meant to point out that, while I do think the user has the right to pressure RPs like HealthVault to accept assertions from particular OPs - the appropriate mechanism for this pressure, as for many other interactions between customers and service providers (e.g. buying an OS), is through market forces. If enough users choose an OP because it is secure and privacy-respecting, or because it offers 2-factor authentication, or because it has a snazzy flash UI, the RPs will find it (if they are interested in serving their customer base).

When the RPs do find these candidate OPs (or IDPs, the issue is of course not unique to OpenID) they will themselves do their own checking and assessment before they start accepting assertions. And of course, each RP has to ask the question 'Is this OP appropriate for the resources I protect/manage?'. If the resources are neither privacy sensitive nor valuable, the list of OPs that are appropriate will be longer than for medical or financial information.

HealthVault (actually probably some other audit & risk management group in Microsoft) performed this assessment and, at least initially, came up with 2 OPs that they felt were right for them. More power to 'em. Partner selection is tough and fraught with risk - they are right to be careful.

I smile (more a smirk really) when I hear some in the user-centric world place the sole right and responsibility of choosing an OP on the user's shoulders. User's can't even remember their passwords, and you want them to assess the security infrastructure of an OP?

Surgeon: So, are we ready for your operation tomorrow?
Patient: Hi Doc, yes. But I was just reading about this new surgical instrument for the procedure. I really want you to try it out on me.
Surgeon: Hmmm, I don't know much about it ...
Patient: Oh, you'll work it out as you go

So yes Kim, I agree. Resources, and gall bladders, do have rights.

No comments: