Now for the editing and elaboration. First off, per the previous overstuffed formulation:
- "Mutuality: An internet-scalable identity metasystem must ensure that all end- and intermediary-entities (i.e., human users, identity agents, IdPs, RP/SPs, identity brokers, etc.) can engage in mutually acceptable interactions, with mutual risk balancing, and ensure that their various policies are continually enforced in all interactions, including, from the human user’s point of view, such key personal policies/peeves as the need for unambiguous human-machine communication mechanisms, privacy protection, user control and consent, minimal disclosure for a constrained use, limitation of disclosures to necessary and justifiable parties, and so on and so forth."
- Mutuality: An internet-scalable identity metasystem enables interactions built on mutual recognition, assurance, risk, restitution, and responsibility from end to end."
- Trust: transitive trust is shared, assured, cross-domain recognition of the identities of people, applications, servers, and other entities through mutual implementation of X.509 certs, cross-certified or bridged certificate authorities, common certificate policies and certification practice statements, legal/business agreements, and so forth.
- Federation: federated identity is shared, assured, cross-domain recognition of identities, authentications, and attributes through mutual implementation of common standards (SAML/Liberty et al.), federation frameworks, legal/business, agreements, and so forth, plus mutual risk and restitution (i.e., "mutually assured destruction" in terms of legal recourse) if either party abuses the trust/federation relationship
- Reciprocal permission-based resource sharing (i.e., the core use case of user-centric identity, including/especially the "dataweb" XRI/XDI approaches): this is the "mutual kimono opening" scenario that I described earlier, under which the user operates as his/her own personal IdP, and essentially also his/her own personal SP, disclosing personal attributes and other resources to relying parties only on a "need to know" basis (with full user control and consent, minimal disclosure for a constrained use, limitation of disclosures to necessary and justifiable parties, etc.), with the relying parties providing tit-for-tat access to their own resources--a balanced, equitable, symmetric, commensurate, and mutual interchange of goodies
- In user-centric identity environments, how do personal/private IdPs mutually federate to each other, in the absence of (one or more) trusted third parties to vouch for their respective good reputations/behaviors?