Friday, June 04, 2010

The calculus

Generally, the more valuable a resource is, the more discerning (or less promiscuous) will an SP/RP be in choosing IdPs/OPs to accept assertions from in order to grant access to that resource.


For a resource with zero value, nothing discourages the RP from accepting identity assertions from any IdP. For a resource with infinite value, nothing encourages the RP to accept assertions from any Idp. For resources with value in between these extremes, increased value pushes the RP to pick partner IdPs from a smaller pool of candidates.

Trust frameworks like OIX, InCommon, and Kantara's IAF, in which the determination of what IdPs are suitable for a given value of resource is removed from the shoulders of the RP, change the equation by making choosing IdPs more scaleable.



For a given resource value, the RP has a larger pool of candidate IdPs to choose from. (except for resources with zero or infinite value).

From the PoV of a given RP, the 'value' of the trust framework is the difference in area under the two curves for the range of values of particular interest to that RP



I think there is enough here to get some Masters student started on a monetization thesis no?

2 comments:

twocroissants said...

If there was a thesis to write on that, I probably should be the guy looking over it, so let me get you idea straight: what you are saying is that using a framework is beneficial for both the identity provider and the resource user? Therefore everybody should be using frameworks? Sounds a bit tautological to me —don't worry: it won't make you any different from a majority of papers in micro-economics— so I just wanted to check: have I missed something?

Paul Madsen said...

Thanks for the comment. I'm saying only that the value of a trust framework for a Relying Party is to increase the size of the population of candidate IdPs from which the RP can choose.

(Similarly for the IdP, ie getting certified means that the population of RPs that might accept its assertions/claims is increased.)

But little/no value in a trust framework for RPs that a) will accept assertions from any IdP, or b) will accept assertions from only a single IdP.