Sunday, December 10, 2006
Consumer Perspectives on Federated Authorization...
Pat Patterson from Sun commented on the relationship between SAML and XACML and mentioned that while a specification exists, no one has closed the gap. This of course raises several additional unanswered questions including, but not limited to:
- Should an identity management suite defer provisioning of authorization to an XACML-based entitlements engine such as BEA Aqualogic Security or Securent? If so, what should the architecture of this look like?
- What should be the interface between an XACML PDP provided by BEA, Securent or others and an enterprise SSO platform such as Netegrity Siteminder, Tivoli or OpenSSO?
- Identity management platforms themselves have built-in enforcement mechanisms to allow or restrict individuals from performing certain tasks. If we are asking enterprises to externalize identity, shouldn't the identity management platforms, as part of this continuum, externalize authorization via a standards-based mechanism?
- Who is helping IBM build a better model to allow RACF to play in a modern identity world? After all, RACF is workflow, enforcement and identity store all in one. What advice would you have for IBM to carve apart RACF?
- What would it take to get the smart folks at Liberty Alliance noodling this?
Anyway, let's get into the discussion of consumer-oriented identity and some scenarios that haven't been discussed. For example, I may have an identity stored in OpenID format or CardSpace. Likewise, since I am married, how do I express my relationship with my significant other? I would like to share not only my own identity but also that relationship with my bank (Sovereign), my investment provider (TD Ameritrade) and my benefits administrator (Fidelity), so that she can transfer money to offshore accounts, buy stock in Sun and ensure that all medical claims get paid for our two sons who recently went to the doctor to be immunized. So, how should one think of relationships in the identity world?
Of course, I have my health insurance through Aetna, and in order to comply with HIPAA it is vital that they understand not only my identity but my relationship to others, so that they can show me my sons' medical records but, for privacy reasons, may not want to show me that my fictitious daughter decided to have an abortion.
I would also love to express an identity relationship with my lawyer, as I am becoming senile and may want to have him pay all of my bills, including my auto insurance, via my insurance carrier's (Amica) web site. I believe I should be able to indicate, via XACML or some other open-standards-based way, not only that my lawyer has a relationship with me, but that I authorize him to pay my bills, download policy declarations and even request an ID card on my behalf, while I may not want him to cancel the policy nor add additional drivers. So how should this work?
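To make the lawyer scenario concrete, here is an added example (not from the post, and not any vendor's product) of a minimal XACML-style policy decision point in Python: rules are targeted by action and conditioned on the relationship the requester holds to the policyholder, combined with deny-overrides. The subject names, relationship label "attorney-in-fact" and action names are constructed for illustration.

```python
from dataclasses import dataclass

# All actions the constructed insurer web site exposes on an auto policy.
ACTIONS = {"pay-bill", "download-declarations", "request-id-card",
           "cancel-policy", "add-driver"}

@dataclass
class Rule:
    effect: str        # "Permit" or "Deny", as in an XACML <Rule Effect="...">
    actions: set       # actions this rule's target matches
    relationship: str  # relationship the requester must hold to the policy owner

@dataclass
class Request:
    subject: str
    relationships: dict   # constructed subject attribute: {owner -> relationship to owner}
    resource_type: str
    resource_owner: str
    action: str

def policyholder_rules():
    """Constructed policy mirroring the post's wish list for a lawyer."""
    return [
        Rule("Permit", ACTIONS, "self"),   # the policyholder may do everything
        Rule("Permit", {"pay-bill", "download-declarations", "request-id-card"},
             "attorney-in-fact"),          # delegated to the lawyer
        Rule("Deny", {"cancel-policy", "add-driver"}, "attorney-in-fact"),
    ]

def relationship_to(req, owner):
    """Derive the relationship attribute the rules condition on."""
    return "self" if req.subject == owner else req.relationships.get(owner)

def evaluate(rules, req):
    """Deny-overrides combining over the rules whose target matches the request."""
    if req.resource_type != "auto-policy":
        return "NotApplicable"
    rel = relationship_to(req, req.resource_owner)
    effects = [r.effect for r in rules
               if req.action in r.actions and r.relationship == rel]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"   # a PEP must treat anything but Permit as deny

def decide(subject, action, owner="policyholder", relationships=None):
    """Convenience wrapper: who wants to do what on whose auto policy."""
    req = Request(subject, relationships or {}, "auto-policy", owner, action)
    return evaluate(policyholder_rules(), req)
```

A requester whose relationship attribute is missing or misspelled falls through to NotApplicable rather than Deny, which is why the enforcement point, not the decision point, must default to refusing.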
Wouldn't it be wonderful to reuse the identity management platform and its wonderful attestation capabilities for me to periodically attest that I am still married, that I want to insure my wife, and that I also have two sons? What would attestation look like using CardSpace? I wonder what Kim Cameron, Shekhar Jha, Johannes Ernst, Chad Brown, Chris Ceppi, Dick Hardt, and Josh Bregman would recommend in this consumer-oriented situation?