Comments on: R-E-S-P-E-C-T

By: Chris Drake

Chris Drake — Wed, 04 Apr 2007 08:23:09 +0000

The hard truth is:

(A) nobody agrees what “User Centric” should mean.

(B) almost everything will “break” if the user has to be the intermediary at run time. Web sites need to send us update emails, need to charge us subscription renewals, may be required by law to provide our address to police, etc etc: all of this must take place without the users presence.

Perhaps the best solution is to lobby for everyone to always clarify their meaning when using the term “User Centric” - if you mean “run time intermediary” - say so. If you mean access-policy architect, say it. If you mean any of the dozen or more other things I’ve read today - elaborate.

My personal understanding of what user-centric should mean is that other people are not allowed to keep any of my information about me in their “data silos”. I put my info into my ID provider, and anytime anyone else wants it, they have to come and get it. I can thus revoke access anytime I want, and audit the use of my info.

By: Rohan Pinto

Rohan Pinto — Thu, 06 Jul 2006 13:59:43 +0000

Higgins Trust Framework - finally out !!

During the recent identity mashup, the folks@Higgins put together a demo walkthrough of the Higgins Trust Framework (HTF) and how personal profile information can be federated and synchronized across sites. David Berlind from zdnet blogged about it an…

By: Identity 2.0 » What is user-centric identity?

Identity 2.0 » What is user-centric identity? — Tue, 27 Jun 2006 03:56:23 +0000

[…] User-centric identity has become a buzz word in the identity market. Eve Maler, Paul Madsen and Pete Rowley have all been talking about it. I was on a panel with Eve and Kim Cameron a couple weeks ago during Catalyst where we talked about user-centric identity. My key thoughts on it were: […]

By: Shekhar Jha

Shekhar Jha — Sat, 24 Jun 2006 23:36:37 +0000

Sorry for getting late to this user-centric discussion. I liked the idea of making the user-centric term more specific and concrete. This is due to my frustration of seeing this term being used so loosely by everybody. I have put my thoughts together and would love to get feedback. To summarize my entry, I think that we need to define a way to measure the user centricity of the protocol and relationship that we are talking about. Would love to hear your thoughts.

By: Pamela Dingle

Pamela Dingle — Wed, 21 Jun 2006 18:39:07 +0000

I have to agree that ‘user-centric’, to me, seems like a very “marketing-friendly” term (and as such, could be very useful, don’t get me wrong).

The bottom line is, it is very useful if you can designate (and sometimes enforce) who is in the driver’s seat for a given transaction. If it is a case where the user is initiating an internet transaction, they should be in the driver’s seat. If the user is an employee in a corporation, however, that user may happen to be utilizing technology that is “user-centric”, but really it is the corporation that is at the “center”, with the user simply along for the ride. In both cases, what I see as different here, compared to what exists today, is transparency between all parties as to who is control, and transparency to the user as to what data is being passed.

Um, not that this suggests to me a better name. I’m quite willing to use what’s already out there, and take liberties with it where necessary :-)

Pam

By: carolina

carolina — Wed, 21 Jun 2006 15:31:49 +0000

I don’t believe that our life is so complex so as to need such myriad of terms (user client-centric vs. user proxy-centric and so on). On the contrary, I think that we should strive for simplicity: “user-centric” is the new marketing buzz word and people seem to like it, however in my opinion it shouldn’t imply that the user (and/or the user terminal) needs to be in the middle of every transaction. As Eve mentioned, I can definitely control what my bank does with my money, and I certainly do not need to be consulted for every single Euro that leaves my account, or be physically involved every time that a payment order reaches my bank. This doesn’t mean that my money is less safe (or at least by now ;-)
I also agree with Conor: the user can have the full control of his online data and/or resources simply because of the existence of marvellous “remote control tools”, namely “user-defined policies” that govern the way in which his information is accessed/shared.
And such policies could be enforced by the user terminal, by any sort or Hw/Sw entity in the user terminal, or by a network server — without continuously having to interact with the user. This is, in my opinion, the key issue.
Even more, sometimes the policies will not be defined “from scratch” by the user, but a good identity management product will come with predefined values, values that make sense for most of the users. For instance, my grandma might not be able to define each of the details by herself, she would appreciate some help.
Sometimes it is not a so good idea to give too much decision power to someone who doesn’t have enough information/ability to decide. Has anyone thought about this? - I hope nobody will call me fascist for it ;-).
BTW, my grandma’s answer to the question of an hypothetical user-centric system asking “Would you like to be consulted every time that anyone googles your name?” would be “Please……..NO!”.
If this is the definition of a “user-centric” system, sometimes I would prefer a “user-absent” one ;-) //carolina.

By: Eve

Eve — Wed, 21 Jun 2006 13:49:56 +0000

Hi Robin– But all traffic passing via the user(’s client) is precisely what a lot of people are proposing, and they call it “user-centric identity”. My take on Conor’s suggestion is that if the salient feature you want is the decoupling of the IdP and RP, then you don’t strictly need a “local” (client-based) intermediary to make this happen; a “remote” intermediary working on your behalf would suffice as well. Even though I’m doubtful people will step back from the “user-centric” terminology, it’s clear we at least need finer-grained terms than we’ve got.

For an umbrella term, I think there are a number of choices (none of which should be “user-centric”!): empowered, governed, responsive, and even sensitive… “User-consented” isn’t right for the name of the philosophy; it speaks only to a raw property of exchange, and doesn’t convey the idea that human-computer interaction principles matter.

By: Robin Wilton

Robin Wilton — Wed, 21 Jun 2006 09:40:33 +0000

I’ve tried floating the notion of ‘user sensitive’ identity…

http://blogs.sun.com/roller/page/racingsnake?entry=user_sensitive_identity_management

And Richard Veryard (whose opinion I rate) suggested that is too ‘weak’, and proposed ‘user responsive’.

I think one of the issues with ‘user-centric’ is the strong ’spatial’ or topological analogy which it implies. As Conor points out, that drags in assumptions of ‘all traffic passing via the user’, which is by no means what is always functionally required.

By: Hubert

Hubert — Wed, 21 Jun 2006 07:24:33 +0000

Hi guys,

it sounds to me that Connor is describing something customer-facing (the user does need to be present and validate the process) and agent-facing (there is a proxy or agent that has the user’s authority to approve the exchange of info); am I guessing right?
BTW, yes I do need to create a new flash version of our demo; soon…

Cheers,
Hubert

By: Eve M.

Eve M. — Wed, 21 Jun 2006 01:38:05 +0000

Hi Mark– My guess is that the people doing identity systems would very much like to avoid reinventing the wheel when it comes to policy expressions, including privacy policy! It’s not overlap, maybe, so much as complementary goals. The identity systems would function ultimately as policy enforcement points, but would want to use specialist technology for policy decision points.

I haven’t heard much (or anything, to be honest) about APPEL or EPAL lately. However, it’s interesting that P3P is used in so many cases; I hadn’t known. I’ve heard, indeed, that it’s static and inflexible and thus impractical for many common scenarios but have no personal experience with it.

Another technology that leaps to mind, particularly where fine policy granularity and the full gamut of access control options are requirements, would be XACML. It even has a privacy profile already.

I always turn to my expert colleague Anne Anderson for thoughts on such things. I’ll ask if she’s interested in commenting further here.