Is federated identity moving away from decentralisation?
Stephen Wilson's Babysteps
Ideas to demystify identity, privacy, authentication and safety online.
I wonder if the Liberty Alliance has moved away from decentralisation as a central tenet of their work, and thereby possibly watered down their approach to privacy?
At one time, the Liberty Alliance website stated prominently that
federated identity allows users to link identity information between
accounts without centrally storing personal information. This phrasing
has vanished, replaced by a stated vision that is less specific and more
oriented towards convenience. They now say their aim is to “enable a networked world based on open
standards where consumers, citizens, businesses and governments can more
easily conduct online transactions while protecting the privacy and
security of identity information” (see
This seems odd to me. Is there a broad trend towards centralisation in federated identity? I've been reading a new IdM primer by the OECD, and that document certainly characterises Federated Identity systems as being centrally managed:
With the “federated” model, service providers do not aggregate their account information, but rather establish a central “identity provider” that keeps track of which user identifiers correspond to the same user.
Reference: Working Party on Information Security and Privacy
THE ROLE OF DIGITAL IDENTITY MANAGEMENT IN THE INTERNET ECONOMY:
A PRIMER FOR POLICYMAKERS
9-10 March 2009
Decentralisation might not be absolutely essential to privacy, but it sure helps, and I don't think it should be abandoned too readily. Yet there would be commercial pressures at work. My experience is that the business case for federated identity models is far stronger when a centralised authentication broker is involved, because you can create revenue there. So the Liberty Alliance, on behalf of its members, might have taken a strategic decision to move away from decentralisation?