Thursday, March 01, 2007

rfi User-Centric Identity and What Dick Hardt Said


I spoke with Dick yesterday. Just before the call I realized that we had met in a previous life, when I covered the anti-spam space and he ran ActiveState....which he sold (to whom?...I forgot) and started SXIP a few years ago. I covered anti-spam as an identity management problem. Does anyone out there remember that paper? I might have rehashed it in this blog somewhere in the early days...don't recall. Anyway, just want to point out that I periodically inject identity management back into new contexts in my career (such as the advisory report I'm germinating in my head for Current Analysis, wherein I'll converge IdM with MDM via CDI....still keeping that pot on the back burner....overtaken by more pressing things to dissect...such as today's Oracle acquisition of Hyperion). Or new assignments (such as this gig for BCR).

Anyway, nuff a me, more of Mr. Hardt. He drew a distinction between user-centric identity (the new wave of identity systems in which identity data flows through the user/subject/principal...equivalent to Eve Maler's take on user-centric identity, but also, interestingly, covering the original SAML implementation profiles as well....browser/artifact and browser/POST) and domain-centric identity (i.e., traditional identity systems, characterized by the primary flow of identity data through the directory, IdP, etc.). He also quickly moved the discussion away from user-centric identity, per se, to "internet-scalable identity" (i.e., the same focus taken by Andre Durand and Ping Identity in their excellent recent whitepaper).

Dick asked (and here I'm paraphrasing several things he said at several points during our discussion): How do we scale up user-centric identity schemes, in which claims/attributes flow through and are forwarded by the user, so that they work on an open internet scale, not just within self-contained federations or circles of trust? How do we enable the free movement of claims from anywhere to anywhere? How do we extend lightweight identity management to the "long tail" of websites that don't and won't implement a heavyweight trust/federation model such as the one SAML or Liberty requires just to do chained/proxied authentication? How do we leverage the same core universal lightweight internet design patterns--i.e., REST using URIs and HTTP/HTTPS--to do internet-scale ubiquitous identity?

As regards identity system scalability, Dick proposed a really interesting analogy (again I paraphrase): Domain-centric identity is like a leased line. Federated identity is like frame relay. User-centric identity is like IP packets.

He said user-centric identity--where it's incumbent on the user/subject to collect, assemble, and present their diverse claims/attributes to each RP/SP they wish to access--might be the most scalable, lightweight, feasible approach for making roles and entitlements portable across federated domains, and for easing the role administration burden within domains, as long as the claims/attributes the user presents are currently valid in the trusted attribute authority domain that issued them.
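To make the flow Dick describes concrete (claims forwarded by the user, checked by a long-tail RP that has no federation agreement with the issuer, and honored only while still valid), here is a small added example. It is my own illustration, not Dick's, Sxip's or Ping's code and not any SAML wire format; I picked Go because its standard library has the signature primitives. An attribute authority signs a claim bundle with Ed25519, the user carries it to a relying party, and the RP verifies it against a locally held trust registry without ever calling the issuer. The issuer, subject and RP URIs (aa.example, alice.example, rp.example), the `Claims`/`Token` layout and the one-hour lifetime are all assumptions for the sake of the example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the attribute bundle an attribute authority (AA) issues to the
// user, who forwards it unchanged to a relying party (RP). URIs are hypothetical.
type Claims struct {
	Issuer     string            `json:"iss"`   // AA, identified by URI
	Subject    string            `json:"sub"`   // user, identified by URI
	Audience   string            `json:"aud"`   // the RP this bundle is for
	IssuedAt   int64             `json:"iat"`   // Unix seconds
	ExpiresAt  int64             `json:"exp"`   // Unix seconds
	Attributes map[string]string `json:"attrs"` // e.g. role, entitlements
}

// Token is what travels through the user: base64url(JSON(Claims)) plus the AA's signature over those bytes.
type Token struct {
	Payload string
	Sig     string
}

// Issue is the AA side: sign the claims so any RP holding the AA's public key
// can check them later without calling back to the AA.
func Issue(priv ed25519.PrivateKey, c Claims) (Token, error) {
	raw, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{
		Payload: base64.RawURLEncoding.EncodeToString(raw),
		Sig:     base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, raw)),
	}, nil
}

// RelyingParty: its own URI plus pre-loaded trusted issuer keys (a real RP would fetch them).
type RelyingParty struct {
	URI     string
	Trusted map[string]ed25519.PublicKey // issuer URI -> verification key
}

var (
	ErrMalformed     = errors.New("token is not valid base64url")
	ErrUnknownIssuer = errors.New("issuer not in trust registry")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrWrongAudience = errors.New("token was issued for a different RP")
	ErrExpired       = errors.New("token expired or not yet valid")
)

// Accept is the RP side. The issuer field is read from the unverified payload
// only to pick a key; nothing else is trusted until the signature checks out.
func (rp RelyingParty) Accept(t Token, now time.Time) (Claims, error) {
	raw, errP := base64.RawURLEncoding.DecodeString(t.Payload)
	sig, errS := base64.RawURLEncoding.DecodeString(t.Sig)
	if errP != nil || errS != nil {
		return Claims{}, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, err
	}
	pub, ok := rp.Trusted[c.Issuer]
	if !ok {
		return Claims{}, ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, raw, sig) {
		return Claims{}, ErrBadSignature
	}
	if c.Audience != rp.URI {
		return Claims{}, ErrWrongAudience
	}
	if now.Unix() < c.IssuedAt || now.Unix() >= c.ExpiresAt {
		return Claims{}, ErrExpired
	}
	return c, nil
}

func main() {
	// Constructed demo: one AA, one user, one RP; keys generated fresh each run.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := RelyingParty{URI: "https://rp.example/",
		Trusted: map[string]ed25519.PublicKey{"https://aa.example/": pub}}
	now := time.Now()
	tok, _ := Issue(priv, Claims{Issuer: "https://aa.example/", Subject: "https://alice.example/",
		Audience: rp.URI, IssuedAt: now.Unix(), ExpiresAt: now.Add(time.Hour).Unix(),
		Attributes: map[string]string{"role": "editor"}})
	// The user forwards tok to the RP (say, in an HTTP POST); the RP never contacts the AA.
	c, err := rp.Accept(tok, now)
	fmt.Println("accepted:", c.Attributes, err)
	_, err = rp.Accept(tok, now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

Two of the checks carry the weight of Dick's caveat. The expiry window is the only stand-in for "currently valid in the issuing domain": since the RP never talks back to the AA, a short lifetime (or a revocation lookup this example does not implement) is what keeps a stale role or entitlement from being honored. The audience check is what stops a claim collected for one RP from being replayed at another, which matters precisely because the user, not an IdP, is the party forwarding it.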

Which brought my head back to this thought of user-centric identity for personal role multiplicity management. Or whatever I called that mashup of a notion at the beginning of this current blog thread.