Security/identity · 2007-10-30

Well-rounded identity for the whole person

One topic I discussed briefly in my talk last week (slides still pending, sorry) was the larger question of “identity for what/whom?”. One of the things we often forget when discussing “user-centric” identity is that many non-human entities have a unique identity, and it’s useful to strive for identity systems that can unify the handling of human-mapped identities and other-mapped identities — corporations, departments, devices, software applications, etc.

Even if you stick to just human-related identities, one thing that has always bugged me slightly about the phrase “user-centric identity” is that it presumes a user of some networked client device, when we know perfectly well that lots of humans spend considerable portions of their day offline, by choice or not. I don’t know anyone who actually prefers to be online to pay a bill that comes to the same exact amount every month. They just want to be able, in their own sweet time, to audit the payments that were automatically made. Not to mention the many scenarios where an emergency or sudden change in state might call for you (or someone else you know) to be roused from sleep or a meeting to answer an important question (with “Sell! Sell!” or “Yes, you have my consent to operate” or “No, that unusual purchase was not made by me”). I think Mike Jones now considers me the “break-glass scenario queen” since he readily tossed such topics to me in Barcelona last week :-), but in reality offline scenarios are all around us.

Back in August I jokingly tried out the phrase “user centricity by polling” for dealing with users when they’re offline. But now I realize that the description I’m after is more like “human-centric identity”. It covers both online and offline scenarios and still needs to allow for (real-time or not) informed consent and attribute exchange.

I thought of this when reading Will Norris’s post OpenID is not a provisioning engine. He riffs on a scenario from James Henstridge where you can propagate a new shipping address to every service that needs to know it. (Actually, I think the shipping address scenario advances to a technical assumption a little too fast. The timing need not be when the address changes but rather just in time when a service finds itself needing to ship something to someone.) Will discusses why OpenID and its Attribute Exchange extension are not intended to meet the use case of immediate attribute update in between user login sessions, and what sorts of push and pull technologies might be needed to solve it. He provides a very interesting perspective, delving into options for managing this process at a variety of points on the stack-layer and “lightweightness” scales.

I would submit the Liberty Web Services framework for consideration as another option. It adds identity semantics on top of web services — to give one small example, it standardizes WS-Security token representations for the identities of the person asking, the service asking, the service being asked, and the person that service is about. (Notice that right away we’re in a world that includes both human and non-human identities!) It also defines special web services to meet those sophisticated offline use cases, such as the Interaction Service, which allows for person-polling using a mechanism chosen by that person (such as SMS). My ID-WSF Basics preso from January provides a gentle introduction to the framework for anyone interested in learning more.

(Paul Bryan has heavily influenced my thinking on the “identity for what/whom” issue. Thanks, Paul!)