Identity Management & Roles Based Access Control
Thursday, July 21, 2005
  Distributed Identity

I've just watched a video interview with Kim Cameron, identity architect at Microsoft. I've been reading his blog for a while (as you can see I have it linked on the right), following the discussion surrounding identity, identity systems, protocols and so on.

There's been a lot of discussion about ensuring that identity remains with the individual, whilst at the same time seemingly tying the source of identity to a device. Robert Scoble, the interviewer, at one point (without a single trace of irony) remarks that he'd like to 'store his personal identity information on Windows, where he knows it will be secure'.

A lot of the examples given revolve around storing identity profiles on a portable device (such as a mobile phone) and handing out different identities for different purposes as and when.

My immediate thought (well, not immediate as it's something I've been cogitating over for a long time now) is why does there need to be a personal relationship between the identity provider and the identity requester in the first place?

Current thinking, especially around federated identity, is that each organisation you do business with needs to hold some information about you, such as a username, password, credit card details, whatever. There are notable exceptions to this, such as the nascent PingID and OpenID, however my favourite is one espoused by Internet2, and being adopted by higher education - Shibboleth.

In essence the idea behind Shibboleth is that the organisation you are dealing with never knows who you are, or anything about you, except that which you release from a trusted identity store. The difference between this model and Microsoft's Infocards or the Liberty Alliance is that these schemes rely on sharing identity information between trusted sources - the federation part - so that your details are available directly to the organisation you are dealing with, whereas Shibboleth allows the individual to specify which identity source to use, which then only replies with specific, limited, non-personally identifying information.

In this scheme I can go to Amazon, attempt to buy something, and instead of logging in to Amazon, I would log in to my own selected trusted identity source (one that Amazon also trusts), which would then tell Amazon 'yes, I know who this person is'. I can then go about my shopping, select what I want, and when it comes time to pay, I can use the same system to select which payment provider to use, again without Amazon ever having to know who I am, having to record any information about me, or store my credit card details in their own servers.

The main reason for this type of system (called the WAYF - Where Are You From - system in Shibboleth) is that it lets me retain one (and only one) copy of personal data, and lets me select how much information to reveal (or how much not to reveal), or even to not reveal any information at all except a confirmation.

Think about it for a moment. If you've ever bought anything online, how many times and to how many different organisations have you given your credit card details? How many of these organisations also have your address so they can deliver your items to you? And how many of these also require you to log in? And have you set a reminder question so you can recover your password? Have you used the same question anywhere else?

Of course you can request your personal information be deleted, although some companies (Gamespy for one) point blank refuse to delete personal information or user accounts, and will only 'disable' the account. (I'm not entirely sure where this leaves issues of liability should the account details be hacked and/or stolen. Someone want to clarify for me?)

Personally I would rather select an identity provider that I trust (and that would delete my details on request) to provide attributed confirmation to remote sites than have to log in directly.
Comments: Post a Comment

<< Home

Tom speaks on Identity and identity Management.

Kim Cameron's Identity Blog
Digital ID World
(more coming soon...)

June 2005 / July 2005 / September 2005 /

Powered by Blogger