Security/identity · 20 Jul 2006

Emulsification is a good thing

Emulsification is how I think of it when you get people with really different points of view together and shake ’em up. The Identity Open Space in Vancouver today and tomorrow seems to be achieving it nicely (unfortunately I had to leave it this afternoon, to head over to the XML Summer School). But so also did the Liberty Alliance meeting that preceded it; a number of non-members took advantage of the offer to attend Liberty sessions.

Some of the first-time attendees I talked to were pleasantly surprised that Liberty members care about lots of the same issues they do — privacy, getting security right, worrying about user convenience, striving for reasonable implementation options. There was also some frustration that it felt like coming into the middle of a movie with little helpful context provided. (I fear that it was like sitting down to the fifth hour of an art film in the original Italian!) But I could see all kinds of new ideas and relationships forming, especially during the all-important hallway conversations.

In the IOS portion (true story: I arrived home to find in the mail a catalog I’ve never seen before, called IOS — Individual Original Style), whose organizational style was designed to simulate the juicy hallway part all the time, I was able to squeeze in two sessions.

The first was User Centric Use Cases; I’ve provided the link here but I don’t see any “official” notes up yet. This session merged the various use-case-collecting ideas of several people, with the goal to start with healthcare and move outward. As one could have guessed, the hour was consumed entirely by one major healthcare use case, and it was fascinating. There were experts in this vertical in the room, but in addition, of course, everyone experiences healthcare and at least some of the attendant identity and access control hassles.

Christina Stephan described the situation on the ground today: Patients typically don’t carry their medical data with them (yet), and while they might carry ID on them, it may be false or stolen (something I hadn’t thought of…I’m picturing weird CSI plotlines). We discussed a variation of the “break glass” scenario, where a patient is unconscious in a city not their own, and the issue is how to get access to their medical records and get them to the right care providers. Someone pointed out that today, consent forms are constantly being pushed on patients at every interaction, suggesting that there’s a natural incentive for the healthcare providers to collect the sorts of patient pre-authorization that would be needed in a more electronically fluid scenario.

(It would seem that Liberty’s Interaction Service combined with appropriate user-created policies could be used to get real-time authorization from designated emergency contacts, such as a family member or regular physician, for data access. In fact, just today I got an offer for a fledgling form of this in the mail from my health insurance provider.)

The group naturally got into the “What is user-centric?” discussion, without a conclusion, of course. :-) However, we had an interesting discussion about how user control of identity data sharing can be accomplished by involving me in real-time exchanges of what I would call metadata about identity — my consent, my policies, my pre-authorizations, discovery of my various providers of identity data, etc. — vs. having to involve me in real-time exchanges of my actual attributes. (Where would authenticator data sit on this data/metadata divide? Is it both a floor wax and a dessert topping?)

As we talked about use cases and drew stick figures, Paul Madsen made a funny at one point (don’t look so shocked). Someone commented: “An unconscious person cannot be an actor. Paul said “Keanu Reeves…?”

I facilitated the second session I attended. It was all Conor Cahill’s fault… I called it Target: Liberty, and the idea was to put smart Liberty folks on the firing line, so to speak, and let people shoot questions and issues at them. I joked that I should have gotten hold of a dunk tank! I managed to get my notes onto the wiki right afterwards, so I won’t rehash them here; you can hit the link above. (There you can also see a picture Thomas Roessler took of me and my “target”.) I feel like I learned something about perceptions of Liberty and how to put together more and better resources for people who are looking into it.

So, a big thumbs-up on the whole concept of mixing communities. Thanks to everybody on the Liberty and Identity Workshop sides who made it happen.

Technorati tag: IdentityOSVan