Thursday, March 01, 2007

rfi User-Centric Identity and What Roger Sullivan Said


We spoke on Feb 16, and he spoke primarily in his capacity as president of Liberty Alliance. We're scheduled to speak again next week.

First off, Roger said that Liberty wants to participate in industry discussions and work to develop user-centric identity into a tangible, practical reality. In fact, several people active in Liberty--including Brett McDowell, Eve Maler, and Conor Cahill--are taking a more proactive role in this regard.

I pointed out to him that, when I first looked closely at this new wave of user-centric identity projects, I experienced déjà vu. A few years back, during my Burton Group days, I did a consulting gig with Liberty during the period when they were first developing ID-WSF, and I noted that the core use case then--"permission-based attribute sharing"--also seems to be the core use case for CardSpace, OpenID, and other efforts now. Why is this? Did ID-WSF miss the mark? Or is it too heavyweight? Or are the new up-and-comers reinventing a perfectly fine wheel? Or is it a fifth wheel for a vehicle still under assembly?

"Yes, Liberty Alliance collaborated on this use case a few years ago for ID-WSF," said Roger. "Now I don't want to dampen the enthusiasm of people who are working on these new projects [outside Liberty]. There are legitimate new use cases being developed: anonymity, rightful anonymity, and transition from such an environment to a more trusted relationship. We must bridge from self-asserted identity environments to federated identity environments such as Liberty and SAML." He mentioned that Liberty has scheduled an open forum to work on these issues at its upcoming April session in Brussels, and that the forum is open to non-Liberty members. He also pointed out that non-Liberty members are encouraged to participate in the Liberty-hosted wikis at

Bottom line about user-centric identity, though, says Roger, is that it's only half the equation: "People usually discuss this topic as referring to having complete control over my own identity and credentials at some level. But for you to trust me, the attestation of my credentials must come from a trusted third party. The challenge the industry faces now is that a novice person comes to the identity management space and their instinctual reaction is 'I don't want anybody to know anything about me.' But how do you do e-commerce [under those conditions]? How can I have trust in you? The novice might respond: 'from that little lock in the lower right corner of my browser.' But of course that's ridiculous. To grow the [identity management] industry, proponents of self-asserted identity models must come to reconciliation with third-party-reliance services, in order to define use cases that move from user-centric identity to [mainstream federation] environments within e-commerce."

Roger said a lot more, all of it interesting. When I circle back with him, I'll flesh out this blogpost, or do a new one, that brings it all into the thread.