I have been at the Burton Catalyst this week. At the reception I was discussing with Paul Trevithick about how I define user-centric identity. The phrase I use is “the people are in the protocol.” Though I wasn’t expecting it, the next day Paul was on a panel when he was asked what user-centric identity was and he quoted me. Cool, but then the next day another panel was asked about the quote and whether having people in the protocol was just a way of excluding other protocols and groups. Well since I wasn’t on the panel to answer that I thought I would take the opportunity to do so here.

When I say protocol I mean it in its broadest sense, in the sense that showing my driving license to a cop at a traffic stop and the cop returning it to me is a protocol. In that transaction I am in possession of the information, I have full knowledge of what information I would pass along to the cop, and I also have the choice of saying no - even if that might result in bad things happening. So people in the protocol means that rather than being an end node that may begin a transaction and perhaps be the recipient of the end results but with only vague or even no information about the information passed in the transaction, they are rather a conduit for all identity decisions in an environment of informed consent. This necessarily means that the protocol must pass through the user, or in other words appear on the screen and be approved by the user. That is an architectural philosophy that results from Kim Cameron’s laws of identity and it is a necessary one in order to gain user buy in. It is also just the right thing to do.

It turns out that it really isn’t hard to architect identity systems to include freedom and choice, but it might not be what one would create if the issue were never considered. It is also not too difficult to re-architect to take account of the philosophy - some work has already begun in SAML for example. Putting people in the protocol is the first step towards providing a scaleable identity framework that takes account of the requirements of the important part - the person. The first step towards treating the users of identity systems with respect.