User-Managed Identity Use-Case Gathering

From IIW

Conference IIW8 Room/Time: 5/?

Convener: J. Trent Adams (ISOC)

Notes-taker: J. Trent Adams (ISOC)

Attendees:

  • Iain Hendersen (MyDex)
  • Ariel McNichol (mEgo.com)
  • Sarah Dopp (Cerado)
  • Jens Haensser (UBC)
  • Eve Maler (Sun)
  • Alan Karp (HP Labs)
  • Vittorio Bertocci (Microsoft)
  • Asa Hardcastle (OpenLiberty)
  • @Theron (PeoplePond)
  • George Fletcher (AOL)


Technology Discussed/Considered:

We spent the time identifying and briefly discussing use cases for identity management around information access and sharing. The goal was to capture the use cases, to flesh them out later, then make them available for the community.


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Use Cases Gathered:

  • Certification Management: Emergency Responders
  • Authorized Service Chaining: Back-Up Services
  • Delegated Resource Authorization: Attenuated Delegation
  • Healthcare: Doctor Referral Process
  • Change of Address: Battered Spouse Scenario
  • Social Graph Access: Privacy Tuning by Policy
  • End of Service Data Access: Service Shutdown / User Death
  • Education Data Access: Parent/Payer of Student
  • Social Network: Content Distribution Policies, Control, & Enforcement


High-Level Takeaways:

  • Be careful when creating use cases not to incorrectly apply physical world comparisons to digital identity management; they don't always have a one-to-one analog. Identity management use cases often have multiple points of view (aka multiple first parties) with their own scenario variants.
  • Delegated authority use cases need to clarify the chain of access controls required.
  • Access policy variants need to be handled as scenarios within specific use cases, including exceptions (rather than trying to over-bake the use case to cover all possibilities).
  • Use cases as patterns for scenario implementations should help re-set much of the discussion around what has been acceptable, and what should be improved in future solutions.
  • Data access and transfer points within the use case need to be clearly called out so that they are addressed by user-managed control points.