Users should be in control of their own identity attributes


User-centric identity revolves around a small set of core principles. Among those are the ideas that the user should be in control of their own identity attributes and that there should be no central repository of their personal data controlled by a third party. Kim Cameron's "Laws of Identity" http://www.identityblog.com/stories/2004/12/09/thelaws.html go into a lot more detail, but these are two of the basic ideas that any user-centric identity system must have.

I'm on record (all over the place, but you could start at http://www.networkworld.com/newsletters/dir/2002/01331333.html) as favoring what I call the "personal directory" as the best way to provide user-centric identity within the confines of a standardized storage and access system. In terms of LDAP, X.500, eDirectory, iPlanet, etc., each user would have their own organizational unit (OU), which would be under their direct control. They would decide whether or not to reveal objects and attributes to others outside their OU. That OU could be a part of a larger OU (family, neighborhood, community, city, enterprise, church, school, and so on) in a hierarchical arrangement. But a physical hierarchy might prove too constraining: you couldn't, for example, have your OU exist within both the neighborhood and the school unless one was a subset of the other.

A virtual hierarchy, though, would solve many of the problems. Using a virtual system with context-based views http://www.networkworld.com/newsletters/dir/2005/0606id2.html, your personal OU could be a part of any number of higher-level OUs whenever you choose it to be. Or, rather, it would always be a part of each hierarchy, but the person viewing the data would see it differently based on the context in which it is set. The combination of that context (e.g., work, home, school, family) with the permissions you have granted meets the requirements of a working user-centric identity system.
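To make the personal-OU and context-view ideas from the two paragraphs above concrete, here is a small added model, not code from the column or from any of the directory products it names. It assumes (my assumptions, not the column's) that the entry is stored exactly once under the user's own OU, that each context is a virtual parent that merely aliases that entry, that the user keeps a per-context allow-list of attributes, and that anything not explicitly granted is withheld. The DNs, contexts, attribute names and the person "Alice" are all made up for the illustration.

```python
"""Toy model of a user-controlled "personal OU" exposed through
context-based virtual views (added illustration, not the column's code).

Assumptions (not from the column): the entry is stored once, under the
user's own OU; each context is a virtual parent that aliases that entry;
the user keeps an allow-list of attributes per context; anything not
explicitly granted is withheld (default deny). Names and data are made up.
"""
from __future__ import annotations

# Constructed sample entry: Alice's personal OU, stored exactly once.
PERSONAL_OU = {
    "dn": "ou=alice,ou=people,dc=example,dc=com",
    "attrs": {
        "cn": "Alice Example",
        "mail": "alice@example.com",
        "telephoneNumber": "+1 555 0100",
        "homePostalAddress": "12 Elm St",
        "employeeNumber": "E-4471",
        "studentID": "S-2019-88",
    },
}

# Virtual hierarchy: the same physical entry appears under several parents,
# so Alice can be "in" the school and the neighborhood at the same time.
VIRTUAL_PARENTS = {
    "work":         "ou=staff,o=acme",
    "school":       "ou=students,o=state-u",
    "neighborhood": "ou=residents,l=elm-street",
}

# The user's grants: which attributes each context may see.  Unknown
# contexts and unlisted attributes are denied.
GRANTS = {
    "work":         {"cn", "mail", "employeeNumber"},
    "school":       {"cn", "mail", "studentID"},
    "neighborhood": {"cn", "homePostalAddress"},
}


def virtual_dn(entry: dict, context: str) -> str | None:
    """DN of the entry as seen from a context, or None if no such parent."""
    parent = VIRTUAL_PARENTS.get(context)
    if parent is None:
        return None
    rdn = entry["dn"].split(",", 1)[0]      # e.g. "ou=alice"
    return f"{rdn},{parent}"


def view(entry: dict, context: str, grants: dict = GRANTS) -> dict:
    """Return the entry as a viewer in `context` is permitted to see it.
    Default deny: a context the user never granted anything sees nothing,
    and attributes missing from the grant set are withheld."""
    allowed = grants.get(context, set())
    return {k: v for k, v in entry["attrs"].items() if k in allowed}


def grant(grants: dict, context: str, attr: str) -> dict:
    """Return a copy of the grants with one more attribute allowed for one
    context.  The user, not the owner of the context, makes this change."""
    new = {c: set(a) for c, a in grants.items()}
    new.setdefault(context, set()).add(attr)
    return new


def contexts_containing(entry: dict) -> list[str]:
    """Every hierarchy in which the entry appears (all of them, always);
    what differs per context is only the view, never the stored data."""
    return sorted(VIRTUAL_PARENTS)


if __name__ == "__main__":
    for ctx in list(VIRTUAL_PARENTS) + ["marketing-list"]:
        print(ctx, virtual_dn(PERSONAL_OU, ctx), view(PERSONAL_OU, ctx))
```

The point a practitioner should take from the model is where the filtering lives: `view()` must be enforced by the directory (or the virtual directory in front of it), not by a cooperating client, or "under the user's control" is only advisory. Equally, the `grant()` operation is the one the user owns; a context owner such as the school can ask for `telephoneNumber` but cannot add it to its own allow-list.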

The major point of contention between the bottom-up, user-centric approach to identity and the top-down, hierarchy-centric view has been data storage. The former view wants no central storage; the latter view seems to require it. Virtual directories, virtual hierarchies and context-driven identity can help to bridge that gap, get us past the philosophical but very important disagreements we have about structure, and let us get on with the delights, efficiencies and benefits that a global identity system can offer. This will take work, but the tools are available, and if we approach the task with an open mind and a willingness to compromise it can be accomplished in a relatively short time. The enlistment office is open, what are you waiting for? Drop me a note, then get to work.


Copyright © 2005 IDG Communications, Inc.