In preparation for a W3C workshop on authentication I submitted a paper on the requirements for a digital identity architecture. They're based on the Seven Laws of Identity, documented by Kim Cameron, and were used to drive our protocol design work at Sxip. I thought it might be useful input to the conversation here.
John
Blog Post: http://www.identity20.com/
Full Paper Here: http://identity20.com/media/images/W3CWebAuth_Sxip.pdf
Kim's Work: http://www.identityblog.com/stories/2004/12/09/thelaws.html
Summary of the requirements...

1. Provide a mechanism for presenting users with the information that is being requested.
2. Provide a mechanism for users to identify the recipient of the identity information they release.
3. Provide a mechanism for relying parties to inform users of the reason for requesting the information and how the information will be used.
4. Provide a mechanism for users to compartmentalize their identity information according to the context of the interaction.
5. Provide a mechanism that ensures that user information is only released after the user consents to its release.
6. Provide a mechanism for the user to specify what the relying party can do with the information.
7. Provide users with a mechanism for granular control over the information that they are releasing.
8. Provide a mechanism for separating the transaction for acquiring a claim from the transaction for presenting a claim.
9. Provide users with the ability to choose their identity storage agent.
10. Provide pairwise identifiers for anonymous identity transactions.
11. Provide identifiers for public identity transactions.
12. Provide interoperability with existing platforms and standards.
13. Provide a low barrier to entry.
14. Provide a consistent user experience by ensuring that the user always sees the same agent, regardless of the context.
_______________________________________________
dix mailing list
https://www1.ietf.org/mailman/listinfo/dix
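The following is an added illustration of several of the requirements in the message above (1, 2, 3, 5, 7, 10 and 11); it is not code from the paper, from Sxip, or from the dix list. It models a user-side identity agent that shows the user what a relying party is asking for and why, releases only the claims the user has consented to, and hands each relying party a different (pairwise) subject identifier so two recipients cannot correlate the user by comparing identifiers. The HMAC-SHA256 derivation of the pairwise identifier from a user-held secret and the relying party's origin is an assumption of this example, not something the paper prescribes, and all names, origins and claim values are constructed.

```python
"""Constructed example: a minimal user-side identity agent that implements
pairwise identifiers, consent-gated release, and request display."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class ClaimRequest:
    # Requirements 2 and 3: the request names its recipient and its purpose,
    # so the agent can show both to the user before anything is released.
    relying_party: str      # origin of the recipient, e.g. "https://shop.example" (constructed)
    requested: list         # claim names the relying party wants
    purpose: str            # why it wants them and how it will use them
    public: bool = False    # True for a public (linkable) transaction, requirement 11


@dataclass
class IdentityAgent:
    """Hypothetical identity storage agent (requirement 9 lets the user pick one)."""
    public_id: str          # requirement 11: a stable identifier for public transactions
    claims: dict            # the user's claims, keyed by claim name
    pairwise_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def pairwise_identifier(self, relying_party: str) -> str:
        # Requirement 10: a different identifier for every relying party.
        # Keyed with a secret held only by the user's agent, the recipient's
        # origin is mapped to an identifier that other recipients cannot
        # reproduce or correlate. HMAC-SHA256 is this example's assumption.
        mac = hmac.new(self.pairwise_secret, relying_party.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()

    def prompt(self, request: ClaimRequest) -> str:
        # Requirement 1: present the user with exactly what is being requested,
        # by whom, and for what purpose.
        return "\n".join([
            f"{request.relying_party} asks for: {', '.join(request.requested)}",
            f"Purpose: {request.purpose}",
        ])

    def release(self, request: ClaimRequest, consented: set) -> dict:
        # Requirements 5 and 7: a claim leaves the agent only if it was asked
        # for AND the user consented to that specific claim. Claims the user
        # declined, and claims never requested, are withheld.
        released = {name: self.claims[name]
                    for name in request.requested
                    if name in consented and name in self.claims}
        subject = (self.public_id if request.public
                   else self.pairwise_identifier(request.relying_party))
        return {"subject": subject, "claims": released}


def correlatable(presentation_a: dict, presentation_b: dict) -> bool:
    """Could two relying parties link these presentations to one user by
    comparing the subject identifier they each received?"""
    return presentation_a["subject"] == presentation_b["subject"]


if __name__ == "__main__":
    # Constructed sample data.
    agent = IdentityAgent(
        public_id="john@example",
        claims={"email": "john@example", "age_over_18": True, "postal_code": "V6B"},
    )
    shop = ClaimRequest("https://shop.example",
                        ["email", "age_over_18", "postal_code"], "ship an order")
    forum = ClaimRequest("https://forum.example", ["age_over_18"], "verify age")

    print(agent.prompt(shop))
    to_shop = agent.release(shop, consented={"email", "age_over_18"})  # user declined postal_code
    to_forum = agent.release(forum, consented={"age_over_18"})
    print(to_shop)
    print("linkable across shop and forum:", correlatable(to_shop, to_forum))  # False
```

Running it shows the shop receiving only the two consented claims under one pseudonym, the forum receiving a single claim under a different pseudonym, and the two presentations sharing no identifier; switching a request to public=True deliberately makes them linkable through the public identifier, which is the distinction requirements 10 and 11 draw.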