User-centric = Independent

Two days ago, Dick Hardt of Sxip posted What is User-Centric Identity on his Identity 2.0 blog. His key thoughts were these:

  • The user is in the middle of a data transaction. This does not mean the user has to approve every transaction, but that the data always flows through the user’s identity agent. This does have user control and consent advantages that others point out, but I think more importantly, it provides huge scale advantages as the Identity Provider does not have to have any prior knowledge of the Service Provider. The network of sites can build up ad-hoc, just like SMTP servers do today.
  • The user has a consistent user experience. That does not mean that all users have the same user experience, but that a specific user is using the same identity agent over and over for each identity transaction, similar to the interfaces we all see for saving and printing files regardless of the application. Currently each SP provides its own user interface which means the user is learning a new interface, sometimes for one-time use (e.g. site registration). By separating the identity component from the rest of the application, the user also has more certainty on who the SP is which helps resolve phishing.

He also pointed to the piece and vetted the same thoughts with the mailing list.

I posted a response. Several dozen other responses were also posted. The only response to my post came off-list, from Tom Maddox, in this post here. Sez Tom,

As so often, Doc's on the mark here. The details of almost all identity management proposals verge on the mysterious, but the intention behind all of them if they're serious about being user-centric should be to address the needs of all our "autonomous and independent" selves.

He excerpts a bit of my post. But I thought it would be best to surface the whole thing. So here ya go...


To me, and therefore (by ego-originated projection) to every other non-technical person in the world, user-centric identity centers around the first person possessive pronoun: my.

It's my identity. It is not one conferred upon me by an organization outside myself. It is not a representation of me in a context other than my autonomous and independent self, operating in the larger world we call the marketplace. This is the identity we hope to more fully empower by our various projects.

Andre Durand originally described this as Tier 1 (T1) Assumed (Personal) / Agent Only (device/program)

Specifically,

T1 identities are both timeless & unconditional. They are your true personal digital identity and are owned and controlled entirely by you, for your sole benefit. T1 identities exist for people as well as for devices & programs, with the exception that a device or program T1 operates in AGENT mode only, meaning, it is controlled entirely by another Personal T1.

Tier 2 is Assigned (Corporate): one given to you by some silo. Every card in our wallets, other than our business cards, is one of these.

Tier 3 is Abstracted (Marketing) and applies to those conditions where some company knows, say, your name and address, but nothing besides that, which doesn't stop them from spamming you with junk mail.

Some visuals.

Relations between T1 and T2 involve more than transaction. They also involve what we might generally call conversation and relationship.

(Disclosure: I'm on the advisory board for Ping Identity.)

At the Identity Mashup I suggested that it's handy to look at markets in terms of those three activities:

  • Relationship
  • Conversation
  • Transaction

Transaction is a base condition without which we wouldn't have markets. But more happens in markets than transactions -- both economically and culturally. Understanding these other activities is essential to communicating the new experiences of identity we hope to provide customers in the markets that will grow around our goods and services.

In the absence of providing and communicating the immediate and tangible benefits of user-centrism, we'll continue getting the kind of reaction my wife has had from the beginning of my sojourn into this space: "I don't want more identity. I want less."

Less, that is, of what she gets on the Web today, which is the same MSO (Multiple Sign On) hell everybody else experiences.

The one adjective that appeals to her, out of all we've been using to describe the user-centric identity experience, is independence. That's why I've been talking about "independent identity" since I wrote about it last October for Linux Journal.

I know we need to talk about identity agents and solutions and providers and relying parties and assertions and tokens and certificates and the rest of what it will take to build out the first customer-centric marketplaces in the history of the industrialized world, but...

We have to keep the empowering real-world experiences we wish to support in mind.

And, frankly, we don't have those yet. Worse, customers can barely imagine them. Hence, there is no demand for them. Yet.

So we need some demo-sells here.

I believe, along with Conor and others on this list, that our solutions cannot be limited to what happens in browsers or on computer screens. At the very least cell phones and (credit-shaped) cards are also required. This is why I insisted to Rodger Desai of Rave Wireless that he attend at least some of the Identity Mashup (which he did). Rodger and Rave Wireless are themselves independent of carrier and equipment provider silos, which puts them in an ideal position to apply the relevant solutions we're building.

(Disclosure: I consult Rave Wireless. And one reason I do is that I'm involved in the Identity Gang.)

Finally, there is the matter of intention. Specifically, supporting what the independent customer intends to do in a given marketplace. Supporting customer intentions in useful ways is what will get all of us the traction we want.

I unpack some of this stuff here. And here:

In the first of those, I suggested (as I also did on a panel at the Identity Mashup) that, in the absence of broad business support for customer independence, we do not yet have a real commons in the Networked world. We may talk about one, but we don't have one.

I mean, it's quite possible to care about the customer, and to be "centric" around the customer without the customer ever feeling independent of the all-silo markets we built in the Industrial Age, and which still stand.

So I would like us to think about what a real commons comprises, and the roles that independent identities will play in reifying what is still only an idealized construct.

London

When they gonna stop blow everything?

London

Police have carried out a controlled explosion on a vehicle at the hospital treating a suspect in the attack on Scotland's busiest airport. Officers also made a fifth arrest in the airport attack and a foiled car bomb plot in London.

WTF

These comments are like rubbish

Sometimes

Sometimes I can't understand...

I've got it

I've got it!

Bullshit

Sorry but you are discussing bullshit

But other said

But other said that the judgement induces common sense, tertium non datur

As one clever

As one clever person said the judgement transforms tragical hedonism.

Interesting

Interesting opinion. But IMHO it's just an opinion.

My experience

I have great experience in that. So I can understand...

Anyway

Anyway I think that the author is right.

Re: You seem confused

Yeah, I also noticed that

You seem confused

You seem confused. Anything wrong?

No comments

Are you sure? You must be joking. I can't believe in that

I'm so sorry

I'm so sorry. Post that you have deleted was mine.

I love the way you write

I love the way you write. It's no wonder you have so many people reading your blog.

Re:

Don't pay any attention to these stupid people.

Another perspective

I have some comments but they don't seem to fit here so you will have to see my blog at http://beachhouse.wordpress.com if you have interest.

Mike Beach

Tier 1 versus Tier 2, from JP

Doc, you know I agree with much of what you have to say on Identity anyway, so this is more a musing and an observation than anything else. I prefer your relational-conversational-transactional approach to that of Durand, and think it therefore becomes 4 tiers......

I am completely comfortable with the Tier 1 identity, the "my" piece. It is when I move to Tier 2 that I start having niggles.

I guess I think of passports and driving licences and corporate building access cards and (perish the thought!) even ID cards as part of the Durand Tier 2. But they are not adequately distinct and separate from who I am, they also help to define me. No man is an iland.

So I want to enrich Tier 1, or redefine Tier 2, somehow saying it is not only about someone else conferring something on me, it is also about my accepting that which is conferred.

Part of my identity, MY identity, is defined by the groups and relationships I have. Yes it is different from pure Tier 1, because it is something mutually defined between a pair, but it is more than something conferred.

In a perfect world I would seek to compress Tier 2 into nothing and absorb what I need to absorb into Tier 1. I have this sneaking suspicion that the mere existence of Tier 2 allows more walls to grow rather than gardens. There's almost a Marxian (of the Groucho kind) element to 'not wanting to belong to a group that would have you as a member'.

So.

My personal attempt at the three tiers would be closer to (a) Permanent, that which defines me in isolation, very similar to the Durand Tier 1, pretty static; (b) Relational, that which defines me by the groups I belong to (which includes the groups which would have me as a member). This relational tier will need to include age and sex and marital status and nationality, things we largely took as static but now see as more volatile than that. (c) Conversational, which covers my avatars and the ways people can communicate with me and the ways I can communicate with people, again something that changes over time, and includes my physical and virtual addresses and handles and numbers and aliases; (d) Transactional, that which captures my intentions and preferences and actions, forward and backward in time. I think a credit card is a transactional piece and not a relational or conversational one.

Some part of me wants (a) to be shared universally (b) to be shared with the people I have the relationships with (c) to be shared with the people I have conversations with, which is likely to be (b) anyway and (d) to be shared with (c)/(b).

This is all very provisional, but I think there is value in thinking "mini-me universal and unchanging" plus "relationship me" plus "conversation me" plus "transaction me". The trick is in getting the right things into "relationship me", because that's the tier that all the lock-in merchants will seek to corrupt or subvert.

Some of this is already happening, I regularly see people willing to substitute one "relational me" for another; a driving licence instead of a passport, etc.

Just thoughts, happy to be shot down as usual. Hope all is well with you.

Doc Searls: "User-centric identity is MY identity"

... This is what it is all about; it's not about protocols and user interfaces and standards and phishing protection and cryptography and what have you. It is about technology allowing my electronic identity to emanate directly from me, not from some kind of, usually self-appointed, "provider" of my identity who somehow is considered to be a more authentic source of my authentic self than I myself... [more]

Identity - Trust. Rights - Duties.

Hi Doc,

I was just browsing past, and I have not read much of the 'before', but one thing that struck me as missing is the concept of trust.

(If I've missed that because I am jumping right in the middle of things, stop reading right now - the rest does not apply).

If all people were honest, 'identity' would be enough. But sadly enough, it's a big, beautiful, ugly world out there, and a mix of 99% honest people and 1% crooks.

So there is another facet - we need trustworthy identities. When two entities (two people, people+a company, company+company) interact, they both need some form of identity, but with that identity there should also be a way to measure trustworthiness. One of the things I would see as a problem is when any identity system/protocol/whathaveyou would allow a single physical person to create multiple identities (sock puppets, etc...).

I also think trustworthiness is intricately linked with accountability. There are many reasons why a person would create multiple identities, but one of the reasons why people use 'sock puppet' identities is because they try to avoid accountability.

In my opinion, any protocol/system/... needs to allow only a single identity per physical person.

I don't think companies are entitled to an identity - any company should be equal to the collective identities of its employees/workers/contractors... It's the people in the companies that make them what they are.

And last, any identity needs to take into account accountability (ur - that sounds odd). I think it's accountability that makes systems like for example eBay and the like work.

Cheers,

Kris