Monday, October 02, 2006

I agree 100% but ......

Ping Identity's Patrick clarifies his thinking on what user-centric identity management is, and how various identity systems (e.g. Cardspace, SAML, OpenID etc) can support it.

Patrick reintroduces his 'passive' and 'active' distinction, expressing the varying abilities of clients for enforcing the user's wishes for identity sharing (and probably other identity functions like IDP discovery too).

One issue. Patrick writes

I would argue that active federation is superior to passive federation when the requirements of user-centricity are to give the user the ability to independently enforce control and privacy stuff.
The caveat here is that active federation implies that the user is an active participant in the flow of identity (if not necessarily aware of it because of stored privacy policies). So, active federation requires that the user be 'online' (e.g. be sitting at their desk, looking at their phone, or having inserted their USB dongle into an airport kiosk).

Lots of use-cases have the users online so that their client can actively mediate their identity flow, lots of others don't.

No comments: