
Idmashup06: What You Need to Know About Identity

From Identity Mashup


Session Notes


Posted by JamieLewis, 17 June

Here are a few issues I can contribute, as originally detailed in an email response to the panel moderator and copied to the other panelists:

- I agree with Esther that identity portability is an essential issue.

- It's equally important to consider what identity information is portable, and how it's moved. Federated systems/models have been (correctly) en vogue for a while now; federation enables loose coupling, "just in time" exchange of identity info, and a high tolerance for differences in connected identity systems (asymmetry).

- The more recent trend of user-centrism is about changing the topology of federated identity connections, establishing the user as an empowered participant in the flow of information. But we should be careful not to overshoot the field by equating "participation" with outright and complete "ownership" and "control." Any time an individual enters a relationship, they, by definition, surrender some level of information to the common context of that relationship. What's important is that the user be an informed participant (understanding what he/she is giving up, and the tradeoffs inherent in the relationship) and explicitly opt in to that exchange. This is about giving the user a place at the table.

- Ideally, the best model is for the exchange of identity meta-data, not identity data. Not an entirely new concept, but one on which Bob Blakley of IBM put an interesting spin by discussing the concept of the "identity oracle" at Catalyst last week, and one that would be useful to raise in this panel (with proper attribution to Bob).

- It's interesting to note that what Bob called the "meta-identity system" could be encouraged by evolving regulatory regimes, increasingly onerous consequences for identity data breaches, and bad PR, all of which will provide at least a partial incentive for companies to reduce the amount of identity information they retain and ask for. In other words, companies won't generally participate in the identity system just to be nice; market dynamics must enable enlightened self-interest. I see some signs that this could be possible, in some cases.

- A basic rule of thumb: retain and aggregate only the minimal amount of identity data necessary to enable an application, service, or transaction. And then only exchange data about the data, not the data itself. (Answer "yes" to the question: is this person over 21, as opposed to revealing the person's birth date/year, gender, and zip code).

- I think it's fair to say that we have agreement on enough things (the need for a "metasystem", the need for a "common user experience", and the need for standardized connection) that real progress is being made. There are still disagreements over the exact architecture of the meta-system, who dictates what features, and what standards are best. But the level of activity is encouraging.

- This is particularly true of the frameworks and dev tools. The identity features/functions in application frameworks/tooling have been woefully inadequate. The advent of things like Higgins, as well as Microsoft's InfoCard model, Windows Communication Foundation, and Novell's Bandit are some of the most encouraging things I've seen this year.

Other points worth considering:

- Smart cards, strong authentication, hardware tokens and so on (generally categorized as "technology") will not stop identity theft, and will not, by themselves, make us more secure, in any context.

- Identity info custodianship is a poorly understood responsibility for many companies. Systems are architected poorly, have gaping vulnerabilities, data is scattered hither and yon, and controls are poor, poorly enforced, or both, which is why we see so many exposure stories in the news, such as the recent US Veterans Administration case.

