I’ve had several conversations recently, including one at the TERENA/EMC2 (higher education federation) workshop in Rome yesterday, which suggest that we are gradually overcoming some of the adoption barriers to attribute-based authorisation.
That might sound a bit dry and esoteric, but actually it’s a Good Thing, and intuitively simple. To try and put it in a nutshell: for an awful lot of service access decisions, it’s not actually important to know who the service requester is – it’s usually just important to know some particular thing about them. Here are a couple of examples:
- If someone wants to buy a drink in a bar, it’s not important who they are, what’s important is whether they are of legal age;
- If someone needs a blood transfusion, it’s more important to know their blood type than their identity…
In the past, of course, unique identifiers have been used as a way to index that attribute data. You tell me who you are, and I’ll look up the record which associates that identity with all the attribute data I hold about you. Then I’ll make an entitlement/access control decision based on that information.
For understandable reasons, that approach tends to lead to a very disclosure-heavy design. If the first thing I have to provide you with is the index to all the data you hold about me, every request for a service implicitly unlocks everything about me, rather than only that information relevant to this request. In simple and/or hierarchical relationships, and when communication between multiple parties is difficult or impossible, this is a rational (and sometimes perhaps the only) way to do things.
However, the internet undermines some of those assumptions: online service provision relationships are often neither simple nor hierarchical; multi-party communication and transactions are the norm.
The problem is, we’ve ended up by default with the worst of both worlds. We have all the disclosure-heaviness of the previous model, plus the promiscuous communication of the web. And that’s why I think the increasing awareness of attribute-level assertion is so important. It offers far better ways of having multi-party transactions take place with selective disclosure of the user’s data.
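To make the contrast concrete, here is an added illustration (not code from the original post) of the two models: an identifier-indexed lookup that unlocks a whole record, versus an attribute authority that releases only what a service's policy declares it needs, deriving a coarse attribute such as "over 18" where the raw value is not required. The sample record, the policies and the `over_18` derivation are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Set

# Constructed sample record, keyed by the unique identifier that the post
# calls the "index" to all attribute data. Values are illustrative only.
ATTRIBUTE_STORE: Dict[str, Dict[str, Any]] = {
    "user-123": {"name": "A. Example", "age": 34, "blood_type": "O-",
                 "affiliation": "staff", "email": "a@example.org"},
}

# Attributes the authority can assert without revealing the raw value
# (e.g. "of legal age" instead of the exact age). Constructed for the example.
DERIVED: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "over_18": lambda r: r["age"] >= 18,
}

@dataclass(frozen=True)
class AccessPolicy:
    """What a service needs to know about the requester, and nothing more."""
    name: str
    required: frozenset
    predicate: Callable[[Dict[str, Any]], bool]

# The post's two examples expressed as policies over attributes, not identity.
BAR_ENTRY = AccessPolicy("bar_entry", frozenset({"over_18"}),
                         lambda a: a["over_18"] is True)
TRANSFUSION = AccessPolicy("transfusion", frozenset({"blood_type"}),
                           lambda a: a["blood_type"] in {"O-", "O+"})

def identity_lookup(identifier: str) -> Dict[str, Any]:
    """Identifier-indexed model: presenting the identifier unlocks the whole record."""
    return dict(ATTRIBUTE_STORE[identifier])

def release_attributes(identifier: str, policy: AccessPolicy) -> Dict[str, Any]:
    """Attribute-assertion model: release only the attributes the policy declares,
    deriving coarse ones where possible. The identifier itself is never released."""
    record = ATTRIBUTE_STORE[identifier]
    released: Dict[str, Any] = {}
    for name in policy.required:
        if name in DERIVED:
            released[name] = DERIVED[name](record)
        elif name in record:
            released[name] = record[name]
        else:
            raise KeyError(f"attribute not available: {name}")
    return released

def over_disclosed(policy: AccessPolicy, asserted: Dict[str, Any]) -> Set[str]:
    """Attributes the relying party received but did not need; ideally empty."""
    return set(asserted) - set(policy.required)

def decide(policy: AccessPolicy, asserted: Dict[str, Any]) -> bool:
    """The relying party decides on the asserted attributes alone."""
    return all(k in asserted for k in policy.required) and policy.predicate(asserted)
```

Running `over_disclosed` against `identity_lookup` output shows how much the identifier-indexed model hands over that the bar-entry decision never needed.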
That’s not to say that attribute-level assertions are the panacea. There are still knotty problems to resolve, even if we adopt that approach; for instance:
- managing user consent and control;
- making selective disclosure appropriate to each given context;
- defining and enforcing ‘sticky policy’, to protect users’ preferences even after the data has been disclosed;
- catering for transactions which involve multiple different levels of assurance;
- defining appropriate metaphors to represent all this to the user…
- … and so on.
But the signs are positive. Awareness that attribute-level assertions are a key component is a vital first step, and it is heartening to see that awareness rising and becoming increasingly widespread.