[Wg-p3] A Suggested Policy Demarkation Point: Open Vs. Closed Identity Systems

Mark Lizar info at smartspecies.com
Wed Sep 23 06:41:09 PDT 2009

Brett et al.

This is more along the lines of what I was getting at, Patrick &  
Stephen responses were very illuminating, and I would venture that an  
open identity system, or closed identity system is perhaps not as  
immediately understandable as I had imagined.  What I was referring to  
was the host of granular control, and trust issues that arise  
depending on how an identity is created, managed, and used.

I agree with the notion of one explicit policy domain for identifiers  
being needed for assurance.  In particular the issues related  
regarding the fooly of  Open PKI this was extremely illuminating.

I will try to develop a bit more of a discussion paper for tomorrow in  
context of the FTC roundtable and see if we can traverse the various  
lexicon, and trust issues involved in discussing or evolving a policy  

Best Regards,


On 21 Sep 2009, at 13:48, Brett McDowell wrote:

> Mark, I think you need to explicitly define the boundary between what
> you refer to as "open" vs "closed".  After reading this I don't know
> what you are thinking is the clear distinction between the two.
> If I were to guess, it looks a bit like:
> OPEN = the credential being used to access the resource was not
> provisioned by either the entity managing the resource or a 3rd-party
> under contract with the entity managing the resource.
> CLOSED = the credential being used to access the resource was
> provisioned by either the entity managing the resource or a 3rd-party
> under contract with the entity managing the resource.
> Is that what you mean?  If it is, I'm not sure that's a popular
> definition for CLOSED.
> Brett McDowell | http://info.brettmcdowell.com | http://kantarainitiative.org
> On Mon, Sep 21, 2009 at 6:55 AM, Mark Lizar <info at smartspecies.com>  
> wrote:
>> Hello All,
>> I have been pondering the merits of a more explicit policy paradigm  
>> between
>> open vs closed id systems, and a discussion about this for the  
>> working
>> group.
>> The issue being that public policy in closed identity systems or  
>> systems
>> with limited user driven/managed/volunteered access, needs a  
>> different type
>> of policy than open, user controlled systems.  In addition, I  
>> wonder if this
>> type of conversation may actually provide a very useful distinction  
>> for
>> Kantara driven activities?
>> Behind the distinction of open and closed there is a great deal of
>> ideological, philosophical, technical, jurisprudence, and  
>> sociological
>> thought that can be sorted and contributed to both sides of the  
>> open and
>> closed identity paradigm. A discussion in this light might reveal a
>> significant difference in public/privacy policy needed for these very
>> different types of applied identity technologies.  From what I  
>> understand a
>> great deal of the work done in Kantara is for open ID systems?    
>> Does an
>> open identity system need different levels or types of assurance  
>> for privacy
>> than closed identity systems?
>>  Eg. Open Id systems, social networking is user controlled,  
>> adequate tools
>> need to be in place for the user to control the policies and these  
>> policies
>> need to be enforceable by the user.  Even against the owner of the  
>> social
>> networking site.
>>  Eg. Closed ID systems, enterprise, healthcare, id cards, drivers  
>> licenses,
>> phone numbers, direct marketing. A policy explicit example for the  
>> use of a
>> closed id system may be the need to mandate against  function creep  
>> and
>> designed around very specific to purpose etc. (use Uprove  
>> technology etc.)
>> With risk management, different types of public usable  
>> transparency, access,
>> and control is more specific to constitutional rights, rather then  
>> contract
>> rights.
>> Do others think this would be a useful distinction to make and  
>> point to
>> discuss?
>> Overall, it seems current events are pushing the agenda of this  
>> working
>> group, starting with the Open ID/Inforcard initiative, and the  
>> letter this
>> group has worked on for ICAM.  Now the news of this round table,  
>> the FTC
>> roundtable can also be used as an ‘agenda driver’ to get things  
>> moving, in
>> this sense I think it would be difficult to develop policy with any  
>> force or
>> meaning, if the policy didnt first engage with the wider Kantara
>> community. I propose that we use the roundtable as an opportunity  
>> to take
>> the FTC questions, develop a survey pilot it in our working group,  
>> then vote
>> on passing the survey around the working groups to start a process of
>> developing a common policy platform for this working group.
>> My two cents worth,
>> - Mark Lizar
>> _______________________________________________
>> Wg-p3 mailing list
>> Wg-p3 at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org

More information about the Wg-p3 mailing list