Ken, What I question is the need to have different terms and roles for providers of a plain and of derived attribute. What function would we miss or what risk increase if the identity attribute provider would serve derived attributes together with pristine attributes? I also wonder if we need to impose a restriction to an attribute provider to be only an "Identity Attribute Provider". Is an affiliation or a role an identity attribute? A case number in a hospital, which is meant to be temporal? Credit rating? Regarding context: I agree that context is relevant. For the purpose of automated access decisions the context either needs to be described in the assertion or the policy. Or the federation is limited to a set of parties who operate in a known or regulated context. Best regards Rainer Am 28.02.2012 um 14:46 schrieb Dagg, Kenneth:
Rainer,
Some thoughts that your comments stired up.
The terms I am proposing are the following:
Identity Assertion Provider: provides an assertion that someone's identity is valid. This assertion is made to a level of assurance (criteria need to be determined). In my mind, the provider is able to assert someone's identity in the context in which they validated it.
Identity Attribute Provider: provides an actual attribute (or possibly a set of attributes) and a level of assurance of the attribute(s) (the criteria for each LoA need to be determined). An example of this would be the value 22 to a query, "what is John's age?"
Identity Attribute Validation Provider: provides an assertion concerning an attribute without providing the attribute. An example, when John is 22, would be the answer Yes (to a LoA) to the query, "is John over the age of 18?" The validation could also be for a set of attributes. For example, a response could validate that John Smith, 22, and 123 Anywhere Lane (these form part of a query) are a valid set of attributes without providing the actual attributes or any other attributes held by the provider. The service provider could then make a decision as to the identity of the individual they have in front of them (physically or electronically). This puts the risk on the service provider (where I believe it belongs) to ensure that they verify the identity of an individual in the context that they exist based upon assertions on a number (that they determine) of attributes.
Both of these types of providers could be the same organization though they might be different). The real difference is the type of query being responded to. Both types act as Authoritative Parties.
You raise an interesting concept - the doctor that is making a claim about the age of the patient. As a thought, is the doctor not fulfilling the role of an Identity Attribute (Validation) Provider when making this claim? If this is the case, then the doctor needs to have a LoA associated with the claim. In fact, is the claim made by the doctor not the same type of claim as the claim made someone who fulfils the role of guarantor on a passport application?
My concern is with the Identity Assertion Provider. The assertion, in my mind, is very dependent on the context in which an individual's identity is validated by the Identity Assertion Provider so that they can make an assertion. This context really needs to be understood by the party that will be relying upon the assertion in order that they can rely upon it. As I said above, I believe that the risk associated with context should be with the service provider rather than the identity provider. The identity provider should just be an authoritative party about a set of identity attributes. In this model, a service provider could even go to several attribute authoritative parties for the same attribute if they wanted multiple confirmations.
I need to think about these concepts more and invite comment.
Ken
Kenneth Dagg Senior Project Co-ordinator | Coordonnateur de projet supérieur Security and Identity Management | Sécurité et gestion des identités Chief Information Officer Branch | Direction du dirigeant principal de l'information Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada Ottawa, Canada K1A 0R5 Kenneth.Dagg@tbs-sct.gc.ca Telephone | Téléphone 613-957-7041 / Facsimile | Télécopieur 613-954-6642 / Teletypewriter | Téléimprimeur 613-957-9090 Government of Canada | Gouvernement du Canada
-----Original Message----- From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Rainer Hoerbe Sent: February 28, 2012 4:05 PM To: Dagg, Kenneth Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] AM Report Clean up (RE: REMINDER & AGENDA - DG-AM call, 28-Feb-2012)
Ken,
Whether an attribute is a plain attribute (birthdate, age = 29) or a derived attribute (age is in valid range) is not really a question of assertion but of the attribute policy complexity. An example of an asserted attribute would be a treatment relationship assertion (TRC), which is asserted by the patient's smartcard.
Yet it is questionable if a TRC claimed by the doctor (because the patient cannot use/does not have a smartcard) is not assured. Even it is kind of a self-assured attribute, the context (audit, professional code of conduct, threat of punishment) will lead to quite reliable data in practice.
Is there somewhere a definition of an asserted, validated and assured attribute?
- Rainer
Am 27.02.2012 um 13:03 schrieb Dagg, Kenneth:
Context Topic
To me Context is a valid concept but I believe that it is only an issue for Identity Assertion Providers and is not an issue for Identity Attribute Providers or for Identity Attribute Assertion Providers. In my mind, an Attribute Provider supplies content (e.g., age is 29) while an Attribute Assertion Provider supplies assertions about content (e.g., age is valid).
My rationale is: an Identity Attribute (Assertion) Provider, as an Authoritative Party, maintains Identity Attributes to a Level of Assurance that they provide (content or assertion) upon a request from a service provider. In other words, they are either an authoritative party of an attribute or not. I'm not sure if the context in which the IAP has gathered the attribute matters to them.
Where context matters, I believe, is when Identity Assertions (as opposed to Identity Attribute Assertions) are made. In this case, the context in which they have validated an identity matters greatly in terms of the assertion it can make concerning the identity of a subject.
To me, the attribute assertion world is easier than the identity assertion world as, I believe, Identity Attribute Providers (whether they provide actual content or just assertions about content) is just an extension of credential service providers. The extension is not simple as there are several policy/legal issues (e.g., consent) that have to be addressed.
Where I believe context also matters is in the Service Provider space. However, the context in which a service provider uses Identity Attributes is set by the attributes they are allowed (legally/by policy) to gather in order to 1) uniquely identify the individual, 2) determine eligibility for the service, and 3) deliver service.
Query Language Topic
I agree with the statement, "With no standard/normative query language, there is no way to ask a broad set of identity providers anything about the entities they are authoritative for. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?"
To me, to satisfy this, requires the service provider to either make a "discovery" like query or, the provider, as a federation member, having metadata to describe the attributes it maintains. The query to obtain the attributes then becomes a standard protocol.
I would further suggest, given this rational, that the Query Language be merged into the Protocol section as it seems to belong there instead of being a section on its own.
_______________________________________________ DG-AM mailing list DG-AM@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-am