Sharing, withholding and delegating sounds like advice from Management 101, a first introduction to getting things done.  In the case of identity management, there are some hard cases to crack

  1. Sharing metadata: getting information about the right identity provider to the right service provider, as needed
  2. Withholding information about technical detail from the end user, while giving enough information to make informed choices.  One aspect of this is seamless discovery service, where the before mentioned identity provider information is available when needed, without prompting the end user to input something
  3. Delegation of rights.  I may wish to delegate rights to my husband or to a process running on my behalf (webmail should be able to check my mail account via IMAP, even if IMAP is a non-web protocol)
  4. Aggregation of information about me from multiple Identity Providers, while keeping my privacy and giving a user friendly interface to managing my own information

The discussions on these issues have tended to get into complicated corner cases and some heavy protocol elephantiasis.  The simple and elegant design of OAuth gives some hope, as people start experimenting and throwing connected ideas around.  An example is Andreas’ draft work on attribute aggregation.

Simple is good. Testing various ideas helps us sort out how the issues above prevents us from solving some of the use cases

  • Grandfather wants access to e-learning platform, needs to check on school work and see if grandson handed in assignments.  Depends on delegation of rights from parent.  Depends on discovery service to sort this role from the primary role as professor at university.
  • Parent wants to delegate limited rights to supervise schoolwork to grandfather.  Depends on attribute aggregation from multiple sources, as parent-child relation is independent of authentication method.  Depends on seamless discovery service, since this must be possible for all parents.
  • Integration of Web2.0 applications without total mesh coupling.  Depends on withholding information to preserve privacy, and delegation of rights to several process keeping track of social network updates.
  • Universal access to web sites, while preserving privacy.  Getting information about disabilities (sensitive information) to adjust web sites to end user needs.  Depends on aggregation of attributes from multiple sources and delegation of rights.

The issues need to be solved for user centric identities, organization centric identities and federations.  We are not there yet – but the space needs watching.

Advertisements