Importance and Impact of Requirements on Technical Solutions for Identity

W3C Workshop on Identity in the Browser - Position Paper
Frederick Hirsch, Nokia; Co-Chair, W3C Device APIs and Policy Working Group

The browser is becoming a new platform offering much capability through the use of HTML5 and various device APIs. On such a platform, identity plays a critical role in authorizing services and access to information from service providers, whether on the device or on the Internet.

Much work has been done on Identity Management, including the Liberty Alliance Identity Federation and Web Services, OASIS SAML, WS-Federation, Cardspace/Infocard, and others. Much of this work derived technical requirements from business, legal and regulatory considerations, so requirements from these efforts should be reviewed and considered to avoid rework.

Privacy is an important concern related to the use of identity information. For example, the Liberty Alliance specifications were built on meeting a requirement to prevent correlation of identity across service providers [1]. The consequences of simple requirements such as this affect various technical designs. These requirements therefore need review, as they have a significant impact.

Experience in the W3C Device APIs and Policy Working Group [2] shows that browser adoption of technology is essential and that this requires simplicity and usability. Another lesson from the security community is that user interaction should be limited, especially with requests for permission, as users will tend to ignore and click through dialogs to achieve immediate results. A lesson from a variety of W3C privacy workshops is that user understanding of technology and policy is difficult to convey and achieve, so simplicity in policy as well as technology is valuable.

Requirements that the FTC set out for "Do Not Track" [3] are relevant to identity management as well, if reframed slightly:

  1. implemented universally, e.g. applicable to all browsers and web clients,
  2. usability, including ease of discovery and use,
  3. the user's choice should be persistent,
  4. the solution should be effective and enforceable; and
  5. applicable to a variety of services.

The first step for any discussion of identity in the browser must be on requirements and assumptions, as any single requirements choice can have a large impact on technical options. In addition, any technical proposal should include a summary of requirements and assumptions, including those that have been deemed unnecessary.

Notes

[1] "http://projectliberty.org/resource_center/specifications/?f=resource_center/specifications"
[2] "http://www.w3.org/2009/dap/"
[3] "Referenced in Adobe position paper, MeMe Jacobs Rasmussen, http://www.w3.org/2011/track-privacy/papers/adobe.pdf"