22 February, 2006 - 6:20am

We've submitted a position paper to the W3C Workshop on Transparency and Usability of Web Authentication, for improving the security of Web interactions, and thought it a natural fit to delineate the Identity 2.0 design requirements for a user-centric approach to identity management.

In the paper our CTO John Merrells and CEO Dick Hardt provide the following perspective on the issue:

We believe that the Web, and the Internet in general, requires a new identity infrastructure that places the user at the center of their identity transactions. By making users central in authentication and identity exchanges, security and privacy risks are minimized thus leading to levels of trust that allow the Web to reach its full interactive potential.

A high level overview of the design goals, (which compliment the Seven Laws of Identity, by Microsoft's Kim Cameron), is as follows:

1. Provide a mechanism for presenting users with the information that is being requested.
2. Provide a mechanism for users to identify the recipient of the identity information they release.
3. Provide a mechanism for relying parties to inform users of the reason for requesting the information and how the information will be used.
4. Provide a mechanism for users to compartmentalize their identity information according to the context of the interaction.
5. Provide a mechanism that ensures that user information is only released after the user consents to its release.
6. Provide a mechanism for the user to specify what the relying party can do with the information.
7. Provide users with a mechanism for granular control over the information that they are releasing.
8. Provide a mechanism for separating the transaction for acquiring a claim from the transaction for presenting a claim.
9. Provide users with the ability to choose their identity storage agent.
10. Provide pairwise identifiers for anonymous identity transactions.
11. Provide identifiers for public identity transactions.
12. Provide interoperability with existing platforms and standards.
13. Provide a low barrier to entry. (NOTE: this includes providing a flexible gradient of security levels.)
14. Provide a consistent user experience agent, regardless of the context.

Detailed information is available in the full paper. The next iteration of our protocol, SXIP 2.0, meets all of these design requirements.