Tuesday, February 13, 2007

rfi User-Centric Identity and the Definition of User-Centric Identity


I've just been crawling through the blogosphere, the literature, my head, etc., putting together a quick cheatsheet, definition-wise.

In some radical/fundamental/ideal sense, user-centric identity could conceivably mean any and/or all of the following:
  • All user identities/attributes are self-asserted and provisioned
  • All user identity interactions flow through the user's client, icard space, personal IdP, and/or agent
  • All user identities/attributes are immediately, conveniently, and visually available to the user from all clients/UIs to present to the appropriate relying parties
  • All user identities/attributes are self-selected within the context of each interaction
  • All user identity-based interactions are engaged in by the user with full knowledge, transparency, and nonrepudiation of the relying parties
  • All user attribute disclosures require permission of the user and/or the user's authorized agent
  • All user identity interactions contribute to the user's privacy
  • All user attribute disclosures are anonymized, encrypted, pseudonymized, and/or minimized in each interaction
  • All user identities/attributes are disclosed and distributed in such a way that they cannot be joined or correlated back to the user
  • All user identities/attributes are stored locally under the user's control and protected through secret keys that only the user possesses and which are authenticated through multiple factors, including biometric
This list pretty much recapitulates Cameron's laws of identity. Just working through the analysis from a slightly different POV.