I could tell you many stories about definitions task groups, but I don’t want to render you all in tears!   Nor hear yours  ;-)


For sure, the KI Glossary is in need of a blood transfusion, and I for one would like it to deal with identity and subject (and subscriber, for that’s a worthwhile distinction) in an ‘entity’ context, such that specific uses might say "For the purposes of this document …”, as you suggest.  The broader context would also fit into such standards as IS29115, into which significant KI content has been contributed.


Just for the record, I would not favour revision of the KI Glossary to satisfy FICAM perspectives – that would render KI a fully US-focused framework, which I do not see as being a desirable goal.  Let FICAM identify (HELP - need a synonym!) how it differs from the broader meaning.

And it’s only Monday,
R


Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz


From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino
Sent: 23 April 2012 12:30
To: 'Richard G. WILSHER @Zygma'; 'David L. Wasley'; 'Heather Flanagan'
Cc: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report


Richard,


Thanks for the input.  It helps to inform and I don’t think the message is any different than what I mentioned on the IA WG call.  Definitions are a place for further work.  They, like the attributes themselves, could almost always use further examination particularly as things evolve, particularly with some of the words involved such as identity and as you point out the wide range of context. 


We are not suggesting that we change the glossary; that’s not our charge.


My enthusiasm is for input, yours included.


Sincerely,


Sal


From: Richard G. WILSHER @Zygma [mailto:RGW@Zygma.biz]
Sent: Monday, April 23, 2012 1:08 AM
To: 'Salvatore D'Agostino'; 'David L. Wasley'; 'Heather Flanagan'
Cc: dg-am@kantarainitiative.org
Subject: RE: [DG-AM] LAST CALL for the Attribute Management Discussion Group report


Sal,


I would caution against such enthusiasm.  I’m not sure whether David is proposing these changes just in this specific context, or that the KI (IAF) Glossary be revised.  If the former, then I can see that getting out of step with the KI Glossary would cause a number of problems, but if you are proposing changes to the Glossary itself, then there are problems with simply changing these definitions without understanding the context in which they are used.  For better or worse, and I agree that some could be better, we must proceed with caution.  Certainly, I don’t believe that you can just change the Glossary without due process and evaluation of impact.
R


Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz


From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino
Sent: 22 April 2012 17:22
To: 'David L. Wasley'; 'Heather Flanagan'
Cc: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report


David,


It’s fine, glad to have the input.  I will try to update the draft later today.


Regards,


Sal


From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley
Sent: Sunday, April 22, 2012 12:37 PM
To: Heather Flanagan
Cc: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report


Well, finally having had a chance to review this, I have a few issues and comments.  I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved.


First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative.  However, that was derived at least in part from NIST 800-63 and its notion of "identity" is seriously flawed.  To wit:

Identity

A unique name for a single person. Because a person’s legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. 

It further describes "subject" as

Subject

An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity.

The AMDG glossary then defines

Identity Attribute

Information bound to a subject identity that specifies a characteristic of the subject.

Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identity Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)".

All this seems rather inconsistent.  Perhaps that is the point but then I would suggest it be stated clearly up front.

I hope that we can quash any use of "who" in this context.  In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management.  What is the answer to "who"?  It depends on context.  Then what is "identity"?  That is the question to be addressed.

I suggest something like:

Identity Subject (or just Subject): The physical person that is the subject of a record in an identity management system.

Identity: The set of information about a Subject that is true.  It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject.

Identity Attributes: Individual components of Identity.  Some attributes are unique to the individual; others are shared with other Subjects.  The degree to which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA).

Identity Assertion: One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context in which the Subject wishes to be known.  There must be a trust relationship between the RP and the Identity Assertion Provider (IAP).  The RP also may require an assertion of trustworthiness of the Identity Attributes provided.


Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas.

Gap (new order)        Gap (current)
1 Terminology          1
2 Contexts             4
3 Business sets        2
4 Schema               5
5 Categorization       3
6 Interoperability     6
7 Trust                7
8 Consent              8
9 Governance           9


Sorry about the massive post.  Attached is a markup with additional comments and suggestions.

            David