[Wg-p3] A Suggested Policy Demarkation Point: Open Vs. Closed Identity Systems

Brett McDowell email at brettmcdowell.com
Mon Sep 21 05:48:20 PDT 2009

Mark, I think you need to explicitly define the boundary between what
you refer to as "open" vs "closed".  After reading this I don't know
what you are thinking is the clear distinction between the two.

If I were to guess, it looks a bit like:

OPEN = the credential being used to access the resource was not
provisioned by either the entity managing the resource or a 3rd-party
under contract with the entity managing the resource.

CLOSED = the credential being used to access the resource was
provisioned by either the entity managing the resource or a 3rd-party
under contract with the entity managing the resource.

Is that what you mean?  If it is, I'm not sure that's a popular
definition for CLOSED.

Brett McDowell | http://info.brettmcdowell.com | http://kantarainitiative.org

On Mon, Sep 21, 2009 at 6:55 AM, Mark Lizar <info at smartspecies.com> wrote:
> Hello All,
> I have been pondering the merits of a more explicit policy paradigm between
> open vs closed id systems, and a discussion about this for the working
> group.
> The issue being that public policy in closed identity systems or systems
> with limited user driven/managed/volunteered access, needs a different type
> of policy than open, user controlled systems.  In addition, I wonder if this
> type of conversation may actually provide a very useful distinction for
> Kantara driven activities?
> Behind the distinction of open and closed there is a great deal of
> ideological, philosophical, technical, jurisprudence, and sociological
> thought that can be sorted and contributed to both sides of the open and
> closed identity paradigm. A discussion in this light might reveal a
> significant difference in public/privacy policy needed for these very
> different types of applied identity technologies.  From what I understand a
> great deal of the work done in Kantara is for open ID systems?   Does an
> open identity system need different levels or types of assurance for privacy
> than closed identity systems?
>  Eg. Open Id systems, social networking is user controlled, adequate tools
> need to be in place for the user to control the policies and these policies
> need to be enforceable by the user.  Even against the owner of the social
> networking site.
>  Eg. Closed ID systems, enterprise, healthcare, id cards, drivers licenses,
> phone numbers, direct marketing. A policy explicit example for the use of a
> closed id system may be the need to mandate against  function creep and
> designed around very specific to purpose etc. (use Uprove technology etc.)
> With risk management, different types of public usable transparency, access,
> and control is more specific to constitutional rights, rather then contract
> rights.
> Do others think this would be a useful distinction to make and point to
> discuss?
> Overall, it seems current events are pushing the agenda of this working
> group, starting with the Open ID/Inforcard initiative, and the letter this
> group has worked on for ICAM.  Now the news of this round table, the FTC
> roundtable can also be used as an ‘agenda driver’ to get things moving, in
> this sense I think it would be difficult to develop policy with any force or
> meaning, if the policy didnt first engage with the wider Kantara
> community. I propose that we use the roundtable as an opportunity to take
> the FTC questions, develop a survey pilot it in our working group, then vote
> on passing the survey around the working groups to start a process of
> developing a common policy platform for this working group.
> My two cents worth,
> - Mark Lizar
> _______________________________________________
> Wg-p3 mailing list
> Wg-p3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org

More information about the Wg-p3 mailing list