CDT offers a good explanation of user-centric identity issues

The Center for Democracy and Technology (CDT) has a good summary up on their site detailing a variety of policy issues related to user-centric identity management. There is a lot of attention in the market focused on federated identity management in general, and user-centric identity in particular, but as CDT and others point out there are still plenty of important security and privacy considerations to be addressed. This discussion is in the same general vein as the rise of claims-based identity management, which got a boost in 2007 when Microsoft added support for that identity model in their Geneva platform and made it part of the .Net framework. This topic is timely and relevant once again in the health IT context, as the Center for Information Technology at the National Institutes of Health last fall engaged in a pilot project to assess the use of open identity in the federal government. This pilot was one among several launched in coordination with the federal-wide Identity, Credential, and Access Management (ICAM) initiative.

Among the interesting reading available through the CDT site is a recently released white paper that offers a detailed analysis of salient issues with user-centric identity management, focusing on governance and policy issues. Also linked on the CDT page is an ICAM-produced document called the Trust Provider Framework Adoption Process, which details a process and set of assessment procedures that federal entities can follow to evaluate trust provider frameworks that might be used by third parties seeking to serve as identity providers and credential issuers in support of federated identity management capabilities. The TPFAP is intended to help determine whether credentials issued by such third parties will satisfy the e-authentication requirements established by the government (and described in NIST Special Publication 800-63), at least at E-Authentication Levels 1 and 2, and non-PKI Level 3. The ICAM document provides a lot of useful technical detail on relevant e-authentication requirements, and as a side benefit offers an interesting example of using a technically focused approach to establishing and consistently evaluating the trust models represented by different trust provider frameworks.