Today I have been reading the June 25, 2010 draft of the National Strategy for Trusted Identities in Cyberspace as published by the US Department of Homeland Security. To me it is a sound document that makes a lot of sense, and no doubt government officials the world over, struggling to come up with a similar strategy for national identity management, are taking a keen interest in it, as will potential Identity Providers.
The phrase “the Strategy does not advocate for the establishment of a national identification card” will, for example, be music to the ears of the new UK coalition Government's advisors. After all, scrapping the UK Identity Card scheme was a central promise in the Tory and Lib Dem election manifestos.
On the other hand, promises like eliminating the budget deficit require governments to move more and more government services on-line, and those services need trusted identities to transact with. But what should such virtual e-identity cards be called, so that pundits don't shout that identity cards are simply being brought in under a different name?
If you emphasize the fact that these will not be government-issued physical cards, but virtual cards supplied by industry and firmly under the control of the user; if you emphasize that there will be a choice of suppliers, similar to credit and debit cards; and if you point towards universal interoperability similar to that provided by the electronic payment industry; maybe then you can have your privacy cake and eat it at the same time!
One aspect of user centricity that I constantly miss in these strategic discussions is the provision of a simple, yet secure, user interface in which the user can manage his/her identity affairs and can access audit trail information on what information is sent to which Relying Parties. Some authors/architects seem to think Jo Public is not interested in such things and that we just have to concentrate on ‘ease of use’ and ‘choice’ while hiding all the complexity from the user and burying it somewhere in the network.
But to me that is akin to the credit card providers unilaterally deciding not to send me detailed statements of account anymore. Sure, I might not scrutinize my statements every month, but when I get hit with a particularly nasty credit card bill, I am sure to take a closer look at the breakdown of where all my money went this month!
The DHS document also introduces a new role of Attribute Provider (AP), who in the identity ecosystem is responsible for the processes associated with establishing and maintaining identity attributes. See, I don’t like where this is going, because to me that’s too much like going behind the user’s back in profiling the user. This smells of the tactics of the search engine providers and the credit rating agencies. I would like the user himself/herself to manage his/her claims, and so I introduced in one of my blogs the concept of a ‘trust provider’ to back up those claims. Simple example: in my professional identity I may like to put forward the claim that I have an MBA degree, and will authorise my identity provider to verify that claim with the Rotterdam School of Management (RSM). In another identity, as a classic car restorer, I may wish to completely ignore that claim, as it’s irrelevant to that part of my identity.
So for me user centricity is strongly linked with the provision of a management portal given to the user by the IdP. I will blog about that some other day.