Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
Thank you. Changes have been incorporated in the wiki and work doc and uploaded. -Heather

----- Original Message -----
From: "Kenneth Dagg" <Kenneth.Dagg@tbs-sct.gc.ca>
To: "Heather Flanagan" <hlflanagan@internet2.edu>, dg-am@kantarainitiative.org
Sent: Wednesday, April 18, 2012 6:01:03 AM
Subject: RE: [DG-AM] LAST CALL for the Attribute Management Discussion Group report

Heather,

In giving the draft report a final read I have the following observations / suggestions. For the most part they are linkages between areas of the report and the addition of a couple more examples of efforts in this space. I used the line numbers from a printed copy of the Word document.

Line 91: change from "... by the Discussion Group it identified areas that had no ..." to "... by the Discussion Group it identified areas that it believed had no ..."

Lines 108-115: the term "individual" is used whereas the definition uses the term "subject". I would suggest changing one or the other.

Lines 155-156: please change the text to "Federating Identity Management in the Government of Canada: A Backgrounder", which is the title of the document the link points to.

Before line 201: the Government of New Zealand has an Evidence of Identity Standard which can be viewed at http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Resource-material-Evidence-of-... . I would suggest it be added.

Line 281: change "UX" to "user experience".

Line 281: as this gap is related (closely, I believe) to gap 9, I would suggest a sentence be added to the end along the lines of "It is also important when examining the use of attributes."

Line 283: I believe that Kantara Initiative P3WG work, specifically efforts around the Privacy Assessment Criteria, are related to this gap - http://kantarainitiative.org/confluence/display/p3wg/Home

Line 292: similar to line 281, I would suggest a sentence be added along the lines of "The definition of governance needs to identify the extent to which consent is required."

Line 319: I believe recommendation 2 should also address gap #8 in order to ensure use of attributes is linked to consent to use.

Line 374: I believe recommendation 6 should also address gap #8 in order to ensure governance of attribute use is linked to consent to use.

Kenneth Dagg
Senior Project Co-ordinator | Coordonnateur de projet supérieur
Security and Identity Management | Sécurité et gestion des identités
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
Kenneth.Dagg@tbs-sct.gc.ca
Telephone | Téléphone 613-957-7041 / Facsimile | Télécopieur 613-954-6642 / Teletypewriter | Téléimprimeur 613-957-9090
Government of Canada | Gouvernement du Canada

-----Original Message-----
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Heather Flanagan
Sent: April 17, 2012 2:27 PM
To: dg-am@kantarainitiative.org
Subject: [DG-AM] LAST CALL for the Attribute Management Discussion Group report

Hi all -

This week will be the time to make any final edits to our report before we turn it in to the Leadership Council. Please take a few moments to review the document as you are being listed as one of the contributors since you are on the roster. Last call is open until Sunday, April 22. Assuming no major changes, we will be submitting the Word document to the LC on Monday, April 23.

Wiki version: http://kantarainitiative.org/confluence/display/AMDG/Report+-+DRAFT
Word Doc: http://kantarainitiative.org/confluence/download/attachments/58196114/AMDG-D...

Heather Flanagan, AMDG secretary
_______________________________________________
DG-AM mailing list
DG-AM@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-am
Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved.

First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and its notion of "identity" is seriously flawed. To wit:

Identity
A unique name for a single person. Because a person's legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name.

It further describes "subject" as

Subject
An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity.

The AMDG glossary then defines

Identity Attribute
Information bound to a subject identity that specifies a characteristic of the subject.

Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identity Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)".

All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front.

I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed.

I suggest something like:

Identity Subject (or just Subject)
The physical person that is the subject of a record in an identity management system.

Identity
The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject.

Identity Attributes
Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree to which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA).

Identity Assertion
One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP and the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided.

Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas.

  Gap (new order)       Gap (current)
  1  Terminology        1
  2  Contexts           4
  3  Business sets      2
  4  Schema             5
  5  Categorization     3
  6  Interoperability   6
  7  Trust              7
  8  Consent            8
  9  Governance         9

Sorry about the massive post. Attached is a markup with additional comments and suggestions.

David
David,

It's fine, glad to have the input. I will try to update the draft later today.

Regards,
Sal

From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley
Sent: Sunday, April 22, 2012 12:37 PM
To: Heather Flanagan
Cc: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
Sal,

I would caution against such enthusiasm. I'm not sure whether David is proposing these changes just in this specific context, or that the KI (IAF) Glossary be revised. If the former, then I can see that getting out of step with the KI Glossary would cause a number of problems, but if you are proposing changes to the Glossary itself, then there are problems with simply changing these definitions without understanding the context in which they are used. For better or worse, and I agree that some could be better, we must proceed with caution. Certainly, I don't believe that you can just change the Glossary without due process and evaluation of impact.

R

Richard G. WILSHER
CEO, Zygma LLC
O: +1 714 965 99 42
M: +1 714 797 99 42
www.Zygma.biz

From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino
Sent: 22 April 2012 17:22
To: 'David L. Wasley'; 'Heather Flanagan'
Cc: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
Richard,

Being aware of the necessary KI process, I was not suggesting that AMDG make changes to the current KI Glossary. I was suggesting that "for the purposes of this DG, the following definitions need to be at variance with the KI IAF glossary." At some point, the KI glossary should be reviewed as well. Of course, the IAF use of terms may require that some terms have an IAF-specific meaning, e.g., to comply with the narrow definitions used by FICAM.

My use of "identity" in the broad, philosophical sense is intentional. That encourages thinking about components of identity broadly as opposed to the extremely parochial notion promulgated by NIST.

After I sent my post yesterday, it occurred to me that there was a remaining conundrum: the relationship between "identity" (broadly) and "(online) credentials". In its purest sense, the online credential simply provides an identifier that maps to the credential holder's IdMS record and, in my world, that identifier is also an attribute of the Subject. Of course a credential may include further information as well, PKI being the classical example, but that is not required. The primary purpose of the credential is to create a binding, at some LOA, between the physical Subject and the identifier that leads to the Subject's IdMS record. IMHO, that model clarifies a lot of terminology that continues to create confusion.

David

On Apr 23, 2012, at 1:07 AM, Richard G. WILSHER @Zygma wrote:
Richard,

Thanks for the input. It helps to inform and I don't think the message is any different than what I mentioned on the IA WG call. Definitions are a place for further work. They, like the attributes themselves, could almost always use further examination particularly as things evolve, particularly with some of the words involved such as identity and as you point out the wide range of context. We are not suggesting that we change the glossary, that's not our charge. My enthusiasm is for input, yours included.

Sincerely,
Sal

From: Richard G. WILSHER @Zygma [mailto:RGW@Zygma.biz]
Sent: Monday, April 23, 2012 1:08 AM
To: 'Salvatore D'Agostino'; 'David L. Wasley'; 'Heather Flanagan'
Cc: dg-am@kantarainitiative.org
Subject: RE: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
I could tell you many stories about definitions task groups, but I don't want to render you all in tears! Nor hear yours ;-)

For sure, the KI Glossary is in need of a blood transfusion, and I for one would like it to deal with identity and subject (and subscriber, for that's a worthwhile distinction) in an 'entity' context, such that specific uses might say "For the purposes of this document ...", as you suggest. The broader context would also fit into such standards as IS29115, into which significant KI content has been contributed.

Just for the record, I would not favour revision of the KI Glossary to satisfy FICAM perspectives - that would render KI a fully US-focused framework, which I do not see as being a desirable goal. Let FICAM identify (HELP - need a synonym!) how it differs from the broader meaning.

And it's only Monday,
R

Richard G. WILSHER
CEO, Zygma LLC
O: +1 714 965 99 42
M: +1 714 797 99 42
www.Zygma.biz

From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino
Sent: 23 April 2012 12:30
To: 'Richard G. WILSHER @Zygma'; 'David L. Wasley'; 'Heather Flanagan'
Cc: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
participants (4)
- David L. Wasley
- Heather Flanagan
- Richard G. WILSHER @Zygma
- Salvatore D'Agostino