As you may know, I have struggled for some time with the concept of user-centric identity. To be very upfront, I don't think that institutionally managed access and identity management is the answer to everything, and I do think that it will improve, move forward and tie in more effectively with the processes users already use elsewhere. I have just struggled a bit with "user-centric". What exactly do we mean by user-centric?
Whilst at the Eduserv symposium last week, I managed to provide some clarity to my addled brain with two accidental comments. At lunch I was talking to Nate Klingenstein about Facebook Connect and Facebook's interaction with OpenID, and Nate talked about his 'Facebook identifier'. I quickly piped up: "but Nate, there is no such thing as a Facebook identifier". Now I don't know the ins and outs of the Facebook system, and I am sure they may very well have their own unique identifier for users in there somewhere, but as a user, my unique identifier within Facebook is my e-mail address – in my case, one of a couple of Hotmail addresses that I hold. I also commented during the symposium that I was disappointed that the Facebook implementation of OpenID did not allow a user to register with an OpenID: you still have to register with an e-mail address. In this instance Facebook are not really implementing OpenID as a true alternative for users, but simply aggregating their existing identity and access controls with an OpenID. My OpenID becomes an attribute held by Facebook.
This also got me thinking about domains and identity. I am very used to the concept of identifiers being associated with domains: this is exactly how the UK federation and its attribute sets work. With OpenID my identity is also connected to a domain, and my identifier (a URL) is expressed as part of one. I got myself in an interesting muddle when talking about OpenID during the symposium when I referred to 'your management and your ability to be trusted', meaning "you, the domain owner". Many people took this to mean "you, the user". This led to an interesting question about users who actually own and manage their domain and create an OpenID as part of that domain, independent of any other OpenID provider, and who are perhaps more trustworthy because that identity is user-managed and truly user-centric. Unfortunately, affording your own (sensible) domain name and managing your own OpenID in this way is beyond most of us!
So where am I going with all this? I think it might be sensible if we stopped talking about institution-centric and user-centric identity management. The distinction implies that things like Google IDs, Twitter IDs or even OpenIDs are more "user-centric" than an institutional identifier. They aren't: they are all tied to a specific domain, and at the moment, if you want access to services within that domain, you have to have one of its identifiers. I think this is still true of most OpenID providers: you still have to choose someone's domain. You sign up for an institutional ID when you register at an institution in the same way as you sign up for a Twitter ID by, erm, signing up!
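To make the "it all belongs to a domain" point concrete, here is an added example (my own code, not from the original post) of what an OpenID 2.0 relying party does with a URL identifier: it normalises what the user typed and then reads the provider links out of the HTML served at that URL to find the domain that will actually authenticate. The domains and page contents (nicole.example.org, openid.example-provider.net) are constructed for the example. Even when the identifier sits on a user-owned domain, the `openid2.provider` link decides which domain the relying party ends up trusting; only when that link points back at the user's own domain is the identity genuinely self-managed.

```python
# Added example: which domain really manages an OpenID URL identifier?
# Not code from the original post. Uses OpenID 2.0 HTML-based discovery
# (<link rel="openid2.provider">, <link rel="openid2.local_id">) with the
# OpenID 1.x equivalents (openid.server / openid.delegate) as fallbacks.
# Domains and page contents below are constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Normalise a typed URL identifier roughly as OpenID 2.0 section 7.2
    does: trim, add an http:// scheme if none, lower-case scheme and host,
    drop a default port, default the path to '/', and strip any fragment."""
    s = user_input.strip()
    if s.lower().startswith("xri://") or (s and s[0] in "=@+$!"):
        raise ValueError("XRI identifiers are not handled in this example")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL identifier")
    netloc = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}[scheme]
    if parts.port and parts.port != default_port:
        netloc += f":{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


class _OpenIDLinks(HTMLParser):
    """Collect <link rel=... href=...> elements from an identifier page."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        for rel in (a.get("rel") or "").lower().split():
            self.rels.setdefault(rel, href)  # first occurrence wins


def discover(claimed_id: str, page_html: str) -> dict:
    """Given a normalised claimed identifier and the HTML served at it,
    return the OP endpoint and the domain that actually authenticates."""
    parser = _OpenIDLinks()
    parser.feed(page_html)
    links = parser.rels
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        raise ValueError("page carries no OpenID provider link")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate")
    claimed_domain = urlsplit(claimed_id).hostname
    op_domain = urlsplit(endpoint).hostname
    return {
        "claimed_id": claimed_id,
        "claimed_domain": claimed_domain,
        "op_endpoint": endpoint,
        "op_domain": op_domain,
        # The identifier the OP itself knows the user by (delegation target).
        "op_local_id": local_id or claimed_id,
        # True only if the user's own domain runs the provider.
        "self_managed": op_domain == claimed_domain,
    }


# Constructed page 1: a user-owned domain that delegates to a third-party OP.
DELEGATING_PAGE = """<html><head>
<link rel="openid2.provider" href="https://openid.example-provider.net/server">
<link rel="openid2.local_id" href="https://openid.example-provider.net/id/nicole">
<link rel="openid.server" href="https://openid.example-provider.net/server">
<link rel="openid.delegate" href="https://openid.example-provider.net/id/nicole">
</head><body>Nicole's home page</body></html>"""

# Constructed page 2: the same domain running its own OpenID provider.
SELF_HOSTED_PAGE = """<html><head>
<link rel="openid2.provider" href="https://nicole.example.org/openid/server">
</head><body>Nicole's home page</body></html>"""


if __name__ == "__main__":
    claimed = normalize_identifier("  Nicole.Example.ORG ")
    for page in (DELEGATING_PAGE, SELF_HOSTED_PAGE):
        info = discover(claimed, page)
        print(f"{info['claimed_domain']} -> authenticated by {info['op_domain']}"
              f" (self-managed: {info['self_managed']})")
```

The relying party then sends the user to `op_endpoint`, and OpenID 2.0 requires it to check that the endpoint named in the returned assertion matches what discovery found. So the identifier a user shows off may carry their own domain, but the authentication decision, and the trust a service can place in it, belongs to `op_domain`. One caveat for practitioners: discovery over plain http can be altered in transit, which is why an https identifier (or signed XRDS metadata) is preferable when the identifier is meant to carry any assurance.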
I think it might be better if we started talking about a User's Preferred Domain (UPD) for access and identity management. I get JISC points for creating a TLA (Three Letter Acronym), and it is also wonderfully perverse in its inaccuracy, like the ubiquitous 'PIN number' (small things like this please me). I get to elect a UPD where my identity is managed. This might be my institution; it might be Hotmail, Facebook, an OpenID provider or Twitter. I then get to link all my other identities to this UPD using identity management tools such as CardSpace and its related developments. This is where the user-centricity comes in: in the ability to use the management tools effectively, not in the actual process of assigning an identifier. It is also inclusive of what we currently term 'institution-centric' identity management, which can itself still have user-centric management tools in a layer above the identity store. Authorisation is also possible based on the various assurances that can be provided by each of my presented domains.
This is not radical new thinking in the identity management space (sorry, not that clever), but it is an attempt to break down the myth that institution-centric identity is somehow a different kind of thing from the processes that have been termed user-centric identity. It's all domain-centric, it's all domain-managed; we just need to work out how to better enable user management within these domains, and provide better user management across them.
1 comment
June 2, 2009 at 9:46 am
Robin Wilton
Great post, Nicole. I’ve been arguing for some time that using a spatial metaphor like the word “centric” is an unhelpful way to start. I think there are two key starting factors: assertions of identity are (i) relationship-based and (ii) contextual. If you operate your own UPD and no-one comes, you’re missing (i). If you tell everyone the same things, regardless of context, you’re missing (ii).
So for the user to be the key factor in the system, I think they have to be given the means to exercise consent and control with regard to their personal information. One analogy is a direct debit: you set it up, but you’re not involved every time it gets paid, and you don’t even set the amount. The money stays at the bank until it is paid out. Still, you’re happy with the arrangement because it’s convenient (appropriate level of control) and there are formal mechanisms for getting a refund if it all goes wrong (consent/withdrawal of consent). You’re not really ‘at the centre’ of the transaction in any intuitive way, though, which is why I think the spatial metaphor is unhelpful…