Saturday, March 17, 2007

rfi User-Centric Identity and Abstraction
Hmmm...let's see....:
  • "Abstraction: An internet-scalable identity metasystem must provide all end- and intermediary entities (i.e., users, identity agents, IdPs, RP/SPs, identity brokers, etc.) with a consistent, abstract, standardized, lightweight, reliable, speedy, and secure experience/interface across all use cases, interactions, credentials, protocols, platforms, etc., while enabling separation of identity contexts across myriad domains, operators, and technologies."
Nah...How about this:
  • Abstraction: An internet-scalable identity metasystem presents a simplified, virtualized, complexity-hiding interface to all entities, from end to end.
Which brings me now to the card-based interaction metaphor: anything but simple. Let me now re-present what I paraphrased Eve Maler as saying:
  • "She pointed out that most of the current crop of user-centric identity schemes (i.e., MSFT CardSpace, OpenID, etc.) focus primarily on the 'human present' mode, which, as Eve stated memorably, means that the 'user's policy is in their brain.' By contrast, she pointed out, Liberty's ID-WSF was developed to support both the 'human present' and 'human absent' modes."
Yikes, you mean I'll have to actually, actively, in real time, and with cloudy cognition of the possible consequences, select cards from those that my card selector coughs up? Or I'll somehow have to write rules to that effect that my automated identity agent will use to select my cards on my behalf? And/or delegate this delicate responsibility to some hopefully responsible human being(s)? And somehow find a way to sync cards across the diverse card selectors in my diverse clients and server-based identity agents? Has this ever-pushy opt-in paradigm spared us from spam in the e-mail universe? What happens when my card selector environment is overstuffed with cards that I opted to receive in the past and am not sure whether I should keep or kill now? What happens when a relying party says that 37 of them are acceptable for this next contemplated transaction? Which should I choose?
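To make the "human absent" problem concrete, here is an added example (my own illustration, not code from the post, from CardSpace, OpenID or Liberty ID-WSF) of what the "rules my automated identity agent will use" might look like. The card, relying-party request and policy formats are assumptions invented for the demonstration, as is the sample wallet. The point it shows: an unattended selector should only pick a card when the policy makes the choice unambiguous (a card pinned for that relying party, or a single least-disclosure card from a trusted issuer whose claims are cleared for unattended release); whenever several cards are equally acceptable, or the request asks for claims the policy never cleared, it declines and hands the decision back to the human rather than guessing.

```python
"""Policy-driven card selection for the "human absent" mode.

Added illustrative example; the Card/RpRequest/Policy shapes are
assumptions for this demo, not any real identity metasystem's API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Card:
    name: str
    issuer: str
    claims: frozenset  # claim types this card can assert


@dataclass
class RpRequest:
    rp: str
    required: frozenset  # claims the relying party insists on


@dataclass
class Policy:
    trusted_issuers: set            # issuers the agent may use unattended
    auto_release: set               # claims the agent may release without a human
    per_rp_pin: dict = field(default_factory=dict)  # rp -> card name


def acceptable_cards(cards, request):
    """Every card that can satisfy all of the relying party's required claims."""
    return [c for c in cards if request.required <= c.claims]


def select_card(cards, request, policy):
    """Return (card, reason); card is None when a human must decide."""
    candidates = acceptable_cards(cards, request)
    if not candidates:
        return None, "no card satisfies the required claims"

    # 1. An explicit per-relying-party pin wins, but only if it still fits.
    pinned = policy.per_rp_pin.get(request.rp)
    if pinned:
        for c in candidates:
            if c.name == pinned:
                return c, "pinned by policy for this relying party"
        return None, f"pinned card {pinned!r} no longer satisfies the request"

    # 2. Unattended release only from trusted issuers and only for cleared claims.
    trusted = [c for c in candidates if c.issuer in policy.trusted_issuers]
    if not trusted:
        return None, "no acceptable card from a trusted issuer; ask the human"
    if not request.required <= policy.auto_release:
        return None, "request includes claims not cleared for unattended release"

    # 3. Least disclosure: prefer the card carrying the fewest claims beyond
    #    what is required, and refuse to guess when there is a tie.
    def extra(c):
        return len(c.claims - request.required)

    best = min(trusted, key=lambda c: (extra(c), c.name))
    ties = [c for c in trusted if extra(c) == extra(best)]
    if len(ties) > 1:
        return None, f"{len(ties)} equally good cards; ask the human"
    return best, "least-disclosure card from a trusted issuer"


# Constructed sample wallet and policy (not real issuers or relying parties).
CARDS = [
    Card("work-badge", "employer.example", frozenset({"email", "name", "employee_id"})),
    Card("bank-card", "bank.example", frozenset({"email", "name", "account_number"})),
    Card("forum-card", "self-issued", frozenset({"email"})),
    Card("school-card", "gov.example", frozenset({"email", "name", "student_id"})),
    Card("gov-id", "gov.example", frozenset({"name", "date_of_birth", "address"})),
]

POLICY = Policy(
    trusted_issuers={"employer.example", "gov.example", "self-issued"},
    auto_release={"email", "name"},
    per_rp_pin={"payroll.example": "work-badge"},
)

if __name__ == "__main__":
    for req in (
        RpRequest("forum.example", frozenset({"email"})),
        RpRequest("payroll.example", frozenset({"email", "employee_id"})),
        RpRequest("shop.example", frozenset({"name", "address"})),
        RpRequest("news.example", frozenset({"name", "email"})),
    ):
        card, why = select_card(CARDS, req, POLICY)
        print(f"{req.rp}: {card.name if card else 'HUMAN NEEDED'} ({why})")
```

Run as a script it walks four constructed requests: the forum gets the self-issued card that discloses nothing extra, payroll gets the pinned work badge, the shop request is refused because "address" was never cleared for unattended release, and the news site is refused because two trusted cards are equally acceptable, which is exactly the "37 of them are acceptable, which should I choose?" situation.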

In the interest of simplicity, why not simply go back to a default password of "password"? That's user-centric, isn't it? In the "human-absent-minded" scenario?