[Wg-p3] A Suggested Policy Demarkation Point: Open Vs. Closed Identity Systems

Iain Henderson iain.henderson at mydex.org
Wed Sep 23 12:52:45 PDT 2009


Yes, in a similar vein I'm minded to tackle a VRM/VPI variant of the
onion model, and present that at some point - any downsides in that?

Cheers

Iain

On 23 Sep 2009, at 11:22, Robin Wilton wrote:

> I think the discussion prompted by Mark's email indicates that this  
> is indeed a useful area of further investigation...
>
> I think it's also true that our existing policy paradigms still tend  
> to be based on the view that "x has an identity or an entitlement by  
> virtue of the fact that that identity or entitlement has been  
> asserted by y, and I trust y". The emerging technical options
> (VPI/VRM-style approaches) don't all necessarily break that paradigm, but
> some of them certainly potentially bend it, and ought to be  
> carefully thought through so that the results don't catch adopters  
> by surprise.
>
> Because of the policy dimension, I am happy to put this in front of  
> the P3WG membership so they can help prioritise it relative to the  
> other things we build into our work plan over the coming weeks.
>
> Yrs.,
> Robin
>
> Brett McDowell wrote:
>>
>> Mark, I think you need to explicitly define the boundary between what
>> you refer to as "open" vs "closed".  After reading this I don't know
>> what you are thinking is the clear distinction between the two.
>>
>> If I were to guess, it looks a bit like:
>>
>> OPEN = the credential being used to access the resource was not
>> provisioned by either the entity managing the resource or a 3rd-party
>> under contract with the entity managing the resource.
>>
>> CLOSED = the credential being used to access the resource was
>> provisioned by either the entity managing the resource or a 3rd-party
>> under contract with the entity managing the resource.
>>
>> Is that what you mean?  If it is, I'm not sure that's a popular
>> definition for CLOSED.
>>
>>
>> Brett McDowell | http://info.brettmcdowell.com | http://kantarainitiative.org
>>
>>
>>
>> On Mon, Sep 21, 2009 at 6:55 AM, Mark Lizar <info at smartspecies.com> wrote:
>>
>>> Hello All,
>>>
>>> I have been pondering the merits of a more explicit policy paradigm
>>> between open vs closed id systems, and a discussion about this for the
>>> working group.
>>>
>>> The issue being that public policy in closed identity systems or
>>> systems with limited user driven/managed/volunteered access, needs a
>>> different type of policy than open, user controlled systems.  In
>>> addition, I wonder if this type of conversation may actually provide a
>>> very useful distinction for Kantara driven activities?
>>>
>>> Behind the distinction of open and closed there is a great deal of
>>> ideological, philosophical, technical, jurisprudence, and sociological
>>> thought that can be sorted and contributed to both sides of the open
>>> and closed identity paradigm. A discussion in this light might reveal a
>>> significant difference in public/privacy policy needed for these very
>>> different types of applied identity technologies.  From what I
>>> understand a great deal of the work done in Kantara is for open ID
>>> systems?  Does an open identity system need different levels or types
>>> of assurance for privacy than closed identity systems?
>>>
>>>  Eg. Open Id systems, social networking is user controlled, adequate
>>> tools need to be in place for the user to control the policies and
>>> these policies need to be enforceable by the user.  Even against the
>>> owner of the social networking site.
>>>
>>>  Eg. Closed ID systems, enterprise, healthcare, id cards, drivers
>>> licenses, phone numbers, direct marketing. A policy explicit example
>>> for the use of a closed id system may be the need to mandate against
>>> function creep and designed around very specific to purpose etc. (use
>>> Uprove technology etc.) With risk management, different types of public
>>> usable transparency, access, and control is more specific to
>>> constitutional rights, rather than contract rights.
>>>
>>> Do others think this would be a useful distinction to make and point
>>> to discuss?
>>>
>>> Overall, it seems current events are pushing the agenda of this working
>>> group, starting with the Open ID/Infocard initiative, and the letter
>>> this group has worked on for ICAM.  Now the news of this round table,
>>> the FTC roundtable can also be used as an ‘agenda driver’ to get things
>>> moving, in this sense I think it would be difficult to develop policy
>>> with any force or meaning, if the policy didn't first engage with the
>>> wider Kantara community. I propose that we use the roundtable as an
>>> opportunity to take the FTC questions, develop a survey, pilot it in
>>> our working group, then vote on passing the survey around the working
>>> groups to start a process of developing a common policy platform for
>>> this working group.
>>>
>>> My two cents worth,
>>>
>>> - Mark Lizar
>>>
>>> _______________________________________________
>>> Wg-p3 mailing list
>>> Wg-p3 at kantarainitiative.org
>>> http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org
>>>
>>>
>>>
>>

Iain Henderson
iain.henderson at mydex.org
