{"id":996,"date":"2008-06-25T22:02:18","date_gmt":"2008-06-26T06:02:18","guid":{"rendered":"\/?p=996"},"modified":"2008-06-25T22:07:22","modified_gmt":"2008-06-26T06:07:22","slug":"resources-have-rights-too","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=996","title":{"rendered":"Resources have rights too"},"content":{"rendered":"

Paul Madsen<\/a> has a knack for pithy identity wisdom.\u00a0 But his recent piece <\/a>on HealthVault's use of OpenID made me do a double take.<\/p>\n

“Simon Willison defends<\/a> HealthVault<\/a>‘s choice of OPs [OpenID providers – Kim].<\/p>\n

“I disagree. It is I, as a user<\/a>, that should be able to dictate to HealthVault the OPs from which they are to accept identity assertions through OpenID.<\/p>\n

“Just as I, as a user of Vista, should be able to dictate to Microsoft which software partners they work with to bundle into the OS (I particularly like the Slow Down to Crawl install).<\/p>\n

“Just as I, as a Zune user … oh wait, there are no Zune users….<\/p>\n

“The mechanism by which I (the user) am able to indicate to HealthVault, or Vista, my preferences for their partners is called ‘the market<\/a>‘.”<\/p>\n

Hmmm.\u00a0\u00a0All passion aside, are\u00a0Vista and HealthVault\u00a0really the same things?<\/p>\n

When you buy an operating system like Vista, it is the\u00a0substratum\u00a0of\u00a0YOUR personal computer.\u00a0 You should be able to\u00a0run whatever YOU want on it.\u00a0 That strikes me as part of the very definition of the PC.<\/p>\n

But what about a cloud service like HealthVault?\u00a0\u00a0And here I want to get away from the specifics of HealthVault, and talk generically about services that live in the cloud.\u00a0\u00a0In terms of the points I want to make, we\u00a0could just as easily be talking about Facebook, LinkedIn, Blogger or Hotmail.<\/p>\n

As a user, do you\u00a0own\u00a0such a\u00a0service?\u00a0Do you run it in\u00a0whatever way you see fit?\u00a0\u00a0<\/p>\n

I've tried a lot of\u00a0services, and I don't think I've ever seen one that gives you that kind of carte blanche.\u00a0<\/p>\n

Normally\u00a0a service\u00a0provides options. You can\u00a0often control content, but\u00a0you function within parameters.\u00a0 Your biggest decision is whether you want to use the service in the first place.\u00a0 That's a large part of what “the market” in services really is like.<\/p>\n

But let me\u00a0push this part of the discussion onto “the stack” for a moment.<\/p>\n

PUSH<\/strong><\/p>\n

Last week a friend came by and told me a story.\u00a0 One of his<\/em> friends regularly used an Internet\u00a0advertising service, and paid for it via the Internet too.\u00a0 At some point, a large transaction “went missing”.\u00a0 The victim contacted the service\u00a0through which he was making the transaction, and was told it “wasn't their problem”.\u00a0 Whose problem was it?<\/p>\n

I don't know\u00a0anything about\u00a0legal\u00a0matters and am not talking from that point of view.\u00a0 It just seems obvious to me that if you are a company that values its relationships with customers,\u00a0this kind of breach\u00a0really\u00a0IS your problem, and you need to face up to that.<\/p>\n

And there is the rub.\u00a0 I\u00a0never want to be the one saying, “Sorry – this is your problem, not ours.”\u00a0 But if I'm going share the problem,\u00a0shouldn't I\u00a0have some say in preventing it and limiting my liability?<\/p>\n

POP<\/strong><\/p>\n

I think that someone offering a service has the right to define the conditions for use of the service (let's\u00a0for now ignore\u00a0the fact\u00a0that there may be some regulation of such conditions – for example certain conditions might be “illegal” in some jurisdictions).\u00a0 And that includes security requirements.<\/p>\n

In other words, matters of access control proceed from the resource.<\/strong>\u00a0 The resource decides who can access it.\u00a0\u00a0\u00a0Identity assertions are a tool which a resource may use to accomplish this.\u00a0 For years we've gotten this backwards, thinking access proceeded from the identity to the resource – we need to reverse our thinking.<\/p>\n

Takeaway:\u00a0 “user-centric” doesn't mean The Dictatorship of the Users.\u00a0 <\/em>In fact there are three parties whose interests must be accomodated (the user, the resource, and the claims provider).\u00a0 At times this is going to be complex.\u00a0 Proclamations like, “It is I, as a user<\/a>, that should be able to dictate…” just don't capture what is\u00a0at stake here.\u00a0<\/p>\n

I like the way Simon Willison\u00a0puts this<\/a>:<\/p>\n

“You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then \u201cproving\u201d that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it\u2019s a dumb network<\/a>: the protocol just concentrates on passing assertions around; it\u2019s up to the endpoints to set policies and invent interesting applications.<\/p>\n

“Open means that providers and consumers are free to use the protocol in whatever way they wish. If they want to only accept OpenID from a trusted subset of providers, they can go ahead. If they only want to pass OpenID details around behind the corporate firewall (great for gluing together an SSO network from open-source components) they can knock themselves out. Just like SMTP or HTTP, the protocol does not imply any rules about where or how it should be used…”<\/p>\n

In a later post – where\u00a0he seems to have calmed down a bit\u00a0–\u00a0Paul mentions a Liberty\u00a0framework\u00a0that allows relying parties to “outsource the assessment of… OPs to accredited 3rd parties (or at least provide a common assessment framework…)”.\u00a0 This sounds more like the Paul I know, and I\u00a0want to learn more about\u00a0his thinking\u00a0in this area.<\/p>\n","protected":false},"excerpt":{"rendered":"

User-centric doesn't mean ‘The Dictatorship of the Users’<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[37,43,8,3,42,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/996"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=996"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/996\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}