Some background and a different perspective.

The original IAF was developed from the original NIST 800-63.  The notion of "identity" in 800-63 was basically "a name and something added to make it unique" which is where the definition Ken found came from.  The world has moved quite far from that (naive) notion.

In the identity federation with which I am most familiar (InCommon), we consider "identity attributes" to be potentially "anything that is true about a given entity."  Identifiers, facts, preferences, etc.  For example, "student" is an important attribute that supports access to services and resources restricted to "students."  The basic set of attributes we use is defined in the eduPerson Object Class (http://middleware.internet2.edu/eduperson/).  

Another set of attributes that we have discussed but not implemented would provide information that can help a RP/SP display information to a user, for example "visually impaired" -->> "increase font size," or "color blind" or "deaf", etc.

In this broader notion of "attribute" there are many different kinds:
 - some things are unique to the particular entity; others are shared with other entities
 - some are assigned by an SOA, e.g., passport number; others are self selected, e.g., nickname or display name.
 - some are transient, e.g., "student"; others are permanent and/or never reassigned, e.g., some identifiers.
 - the degree of authoritativeness of any attribute is determined by how it is acquired by the ISP and how current it is, etc.
 - not all attributes will be available from any one ISP, certainly not with the same degree of assurance
 - etc.

We encourage RP/SPs to request the minimum set of attributes that they need in order make an access decision.

David

On Mar 22, 2012, at 10:47 AM, Salvatore D'Agostino wrote:

Thanks Ken,
 
OK so if we move away from ITU f, toward  "Identity Attribute is information that contributes to establishing the identity (a unique name) of a single person?"
 
Yes attributes can support a “higher level of authN” but also are related to authZ independent of or in combination with name or identifier.   It depends on the attribute types, so might we expand this to include “.. contributes to establishing the identity (unique name) and “permissions/privileges/claims” of an individual”
 
Not sure what the actual word is there and put these 3 in as example/suggestion.
 
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Dagg, Kenneth
Sent: Thursday, March 22, 2012 12:56 PM
To: dg-am@kantarainitiative.org
Subject: [DG-AM] definition of Identity Attribute for the report
 
I checked for the term Identity Attribute in the IAF Glossary and did not find it.  As such, I did not send a note to the IAWG.
 
However, the following terms are in the glossary:
 
* Attribute - a property associated with an individual
* Identity - a unique name for a single person. Because a person’s legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name.
* Identification - Process of using claimed or observed attributes of an individual to infer who the individual is.
* Identity Proofing - The process by which identity related information is validated so as to identify a person with a degree of uniqueness and certitude sufficient for the purposes for which that identity is to be used.
 
The AMDG report currently defines Identity Attribute as Information bound to a subject identity that specifies a characteristic of the subject.
 
I suggest that this definition is not in alignment with the definitions contained in the IAF glossary. While I have nothing against the definitions contained in ITU-T X.1252 I would suggest that we remain consistent and aligned with KI definitions. I believe the following would be more aligned, "Identity Attribute is information that contributes to establishing the identity (a unique name) of a single person?"
 
Comments? Or reasons not to use this definition (other than it’s not the ITU definition)?
 
BTW: I have updated the report. I added a glossary and some text about RP requirements.  I also took the opportunity to align the recommendations at the start of the report with the recommendations at the end.
 
Ken
 
 
Kenneth Dagg
Senior Project Co-ordinator | Coordonnateur de projet supérieur
Security and Identity Management | Sécurité et gestion des identités
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
Kenneth.Dagg@tbs-sct.gc.ca
Telephone | Téléphone 613-957-7041 / Facsimile | Télécopieur 613-954-6642 / Teletypewriter | Téléimprimeur 613-957-9090
Government of Canada | Gouvernement du Canada

 
 
 
_______________________________________________
DG-AM mailing list
DG-AM@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-am