Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
thank you. Changes have been incorporated in wiki and work doc and uploaded.
-Heather
----- Original Message -----
From: "Kenneth Dagg"
Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved. First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and it's notion of "identity" is seriously flawed. To wit: Identity A unique name for a single person. Because a person’s legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. It further describes "subject" as Subject An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity. The AMDG glossary then defines Identity Attribute Information bound to a subject identity that specifies a characteristic of the subject. Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identty Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)". All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front. I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed. I suggest something like: Identity Subject (or just Subject) The physical person that is the subject of a record in an identity management system. Identity The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject. Identity Attributes Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree with which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA). Identity Assertion One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided. Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas. Gap (new order) Gap (current) 1 Terminology 1 2 Contexts 4 3 Business sets 2 4 Schema 5 5 Categorization 3 6 Interoperability 6 7 Trust 7 8 Consent 8 9 Governance 9 Sorry about the massive post. Attached is a markup with additional comments and suggestions. David
David, It's fine glad to have the input. I will try to update the draft later today. Regards, Sal From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley Sent: Sunday, April 22, 2012 12:37 PM To: Heather Flanagan Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved. First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and it's notion of "identity" is seriously flawed. To wit: Identity A unique name for a single person. Because a person's legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. It further describes "subject" as Subject An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity. The AMDG glossary then defines Identity Attribute Information bound to a subject identity that specifies a characteristic of the subject. Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identty Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)". All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front. I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed. I suggest something like: Identity Subject (or just Subject) The physical person that is the subject of a record in an identity management system. Identity The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject. Identity Attributes Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree with which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA). Identity Assertion One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided. Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas. Gap (new order) Gap (current) 1 Terminology 1 2 Contexts 4 3 Business sets 2 4 Schema 5 5 Categorization 3 6 Interoperability 6 7 Trust 7 8 Consent 8 9 Governance 9 Sorry about the massive post. Attached is a markup with additional comments and suggestions. David
Sal, I would caution against such enthusiasm. I'm not sure whether David is proposing these changes just in this specific context, or that the KI (IAF) Glossary be revised. If the former, then I can see that getting out of step with the KI Glossary would cause a number of problems, but if you are proposing changes to the Glossary itself, then there are problems with simply changing these definitions without understanding the context in which they are used. For better or worse, and I agree that some could be better, we must proceed with caution. Certainly, I don't believe that you can just change the Glossary without due process and evaluation of impact. R Richard G. WILSHER CEO, Zygma LLC O: +1 714 965 99 42 M: +1 714 797 99 42 http://www.Zygma.biz www.Zygma.biz From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino Sent: 22 April 2012 17:22 To: 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report David, It's fine glad to have the input. I will try to update the draft later today. Regards, Sal From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley Sent: Sunday, April 22, 2012 12:37 PM To: Heather Flanagan Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved. First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and it's notion of "identity" is seriously flawed. To wit: Identity A unique name for a single person. Because a person's legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. It further describes "subject" as Subject An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity. The AMDG glossary then defines Identity Attribute Information bound to a subject identity that specifies a characteristic of the subject. Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identty Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)". All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front. I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed. I suggest something like: Identity Subject (or just Subject) The physical person that is the subject of a record in an identity management system. Identity The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject. Identity Attributes Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree with which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA). Identity Assertion One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided. Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas. Gap (new order) Gap (current) 1 Terminology 1 2 Contexts 4 3 Business sets 2 4 Schema 5 5 Categorization 3 6 Interoperability 6 7 Trust 7 8 Consent 8 9 Governance 9 Sorry about the massive post. Attached is a markup with additional comments and suggestions. David
Richard, Being aware of the necessary KI process, I was not suggesting that AMDG make changes to the current KI Glossary. I was suggesting that "for the purposes of this DG, the following definitions need to be at variance with the KI IAF glossary." At some point, the KI glossary should be reviewed as well. Of course, the IAF use of terms may require that some terms have an IAF-specific meaning, e.g., to comply with the narrow definitions used by FICAM. My use of "identity" in the broad, philosophical sense is intentional. That encourages thinking about components of identity broadly as opposed to the extremely parochial notion promulgated by NIST. After I sent my post yesterday, it occurred to me that there was a remaining conundrum: the relationship between "identity" (broadly) and "(online) credentials". In it's purest sense, the online credential simply provides an identifier that maps to the credential holder's IdMS record and, in my world, that identifier is also an attribute of the Subject. Of course a credential may include further information as well, PKI being the classical example, but that is not required. The primary purpose of the credential is to create a binding, at some LOA, between the physical Subject and the identifier that leads to the Subject's IdMS record. IMHO, that model clarifies a lot of terminology that continues to create confusion. David On Apr 23, 2012, at 1:07 AM, Richard G. WILSHER @Zygma wrote:
Sal,
I would caution against such enthusiasm. I’m not sure whether David is proposing these changes just in this specific context, or that the KI (IAF) Glossary be revised. If the former, then I can see that getting out of step with the KI Glossary would cause a number of problems, but if you are proposing changes to the Glossary itself, then there are problems with simply changing these definitions without understanding the context in which they are used. For better or worse, and I agree that some could be better, we must proceed with caution. Certainly, I don’t believe that you can just change the Glossary without due process and evaluation of impact. R
Richard G. WILSHER CEO, Zygma LLC O: +1 714 965 99 42 M: +1 714 797 99 42 www.Zygma.biz
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino Sent: 22 April 2012 17:22 To: 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
David,
It’s fine glad to have the input. I will try to update the draft later today.
Regards,
Sal
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley Sent: Sunday, April 22, 2012 12:37 PM To: Heather Flanagan Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report
Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved.
First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and it's notion of "identity" is seriously flawed. To wit: Identity A unique name for a single person. Because a person’s legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. It further describes "subject" as Subject An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity. The AMDG glossary then defines Identity Attribute Information bound to a subject identity that specifies a characteristic of the subject. Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identty Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)".
All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front.
I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed.
I suggest something like:
Identity Subject (or just Subject) The physical person that is the subject of a record in an identity management system.
Identity The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject.
Identity Attributes Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree with which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA).
Identity Assertion One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided.
Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas. Gap (new order) Gap (current) 1 Terminology 1 2 Contexts 4 3 Business sets 2 4 Schema 5 5 Categorization 3 6 Interoperability 6 7 Trust 7 8 Consent 8 9 Governance 9
Sorry about the massive post. Attached is a markup with additional comments and suggestions. David
Richard, Thanks for the input. It helps to inform and I don't think the message is any different than what I mentioned on the IA WG call. Definitions are a place for further work. They, like the attributes themselves, could almost always use further examination particularly as things evolve, particularly with some of the words involved such as identity and as you point out the wide range of context. We are am not suggesting that we change the glossary, that's not our charge. My enthusiasm is for input, yours included. Sincerely, Sal From: Richard G. WILSHER @Zygma [mailto:RGW@Zygma.biz] Sent: Monday, April 23, 2012 1:08 AM To: 'Salvatore D'Agostino'; 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: RE: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Sal, I would caution against such enthusiasm. I'm not sure whether David is proposing these changes just in this specific context, or that the KI (IAF) Glossary be revised. If the former, then I can see that getting out of step with the KI Glossary would cause a number of problems, but if you are proposing changes to the Glossary itself, then there are problems with simply changing these definitions without understanding the context in which they are used. For better or worse, and I agree that some could be better, we must proceed with caution. Certainly, I don't believe that you can just change the Glossary without due process and evaluation of impact. R Richard G. WILSHER CEO, Zygma LLC O: +1 714 965 99 42 M: +1 714 797 99 42 www.Zygma.biz From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino Sent: 22 April 2012 17:22 To: 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report David, It's fine glad to have the input. I will try to update the draft later today. Regards, Sal From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley Sent: Sunday, April 22, 2012 12:37 PM To: Heather Flanagan Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved. First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and it's notion of "identity" is seriously flawed. To wit: Identity A unique name for a single person. Because a person's legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. It further describes "subject" as Subject An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity. The AMDG glossary then defines Identity Attribute Information bound to a subject identity that specifies a characteristic of the subject. Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identty Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)". All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front. I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed. I suggest something like: Identity Subject (or just Subject) The physical person that is the subject of a record in an identity management system. Identity The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject. Identity Attributes Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree with which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA). Identity Assertion One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided. Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas. Gap (new order) Gap (current) 1 Terminology 1 2 Contexts 4 3 Business sets 2 4 Schema 5 5 Categorization 3 6 Interoperability 6 7 Trust 7 8 Consent 8 9 Governance 9 Sorry about the massive post. Attached is a markup with additional comments and suggestions. David
I could tell you many stories about definitions task groups, but I don't want to render you all in tears! Nor hear yours ;-) For sure, the KI Glossary is in need of a blood transfusion, and I for one would like it to deal with identity and subject (and subscriber, for that's a worthwhile distinction) in an 'entity' context, such that specific uses might say "For the purposes of this document .", as you suggest. The broader context would also fit into such standards as IS29115, into which significant KI content has been contributed. Just for the record, I would not favour revision of the KI Glossary to satisfy FICAM perspectives - that would render KI a fully US-focused framework, which I do not see as being a desirable goal. Let FICAM identify (HELP - need a synonym!) how if differs from the broader meaning. And it's only Monday, R Richard G. WILSHER CEO, Zygma LLC O: +1 714 965 99 42 M: +1 714 797 99 42 http://www.Zygma.biz www.Zygma.biz From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino Sent: 23 April 2012 12:30 To: 'Richard G. WILSHER @Zygma'; 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Richard, Thanks for the input. It helps to inform and I don't think the message is any different than what I mentioned on the IA WG call. Definitions are a place for further work. They, like the attributes themselves, could almost always use further examination particularly as things evolve, particularly with some of the words involved such as identity and as you point out the wide range of context. We are am not suggesting that we change the glossary, that's not our charge. My enthusiasm is for input, yours included. Sincerely, Sal From: Richard G. WILSHER @Zygma [mailto:RGW@Zygma.biz] Sent: Monday, April 23, 2012 1:08 AM To: 'Salvatore D'Agostino'; 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: RE: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Sal, I would caution against such enthusiasm. I'm not sure whether David is proposing these changes just in this specific context, or that the KI (IAF) Glossary be revised. If the former, then I can see that getting out of step with the KI Glossary would cause a number of problems, but if you are proposing changes to the Glossary itself, then there are problems with simply changing these definitions without understanding the context in which they are used. For better or worse, and I agree that some could be better, we must proceed with caution. Certainly, I don't believe that you can just change the Glossary without due process and evaluation of impact. R Richard G. WILSHER CEO, Zygma LLC O: +1 714 965 99 42 M: +1 714 797 99 42 www.Zygma.biz From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Salvatore D'Agostino Sent: 22 April 2012 17:22 To: 'David L. Wasley'; 'Heather Flanagan' Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report David, It's fine glad to have the input. I will try to update the draft later today. Regards, Sal From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of David L. Wasley Sent: Sunday, April 22, 2012 12:37 PM To: Heather Flanagan Cc: dg-am@kantarainitiative.org Subject: Re: [DG-AM] LAST CALL for the Attribute Management Discussion Group report Well, finally having had a chance to review this, I have a few issues and comments. I apologize for the degree of changes this post suggests but I feel that significant clarity could be achieved. First of all, WRT the glossary: the text refers to the KI IAF Glossary as normative. However, that was derived at least in part from NIST 800-63 and it's notion of "identity" is seriously flawed. To wit: Identity A unique name for a single person. Because a person's legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name. It further describes "subject" as Subject An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity. The AMDG glossary then defines Identity Attribute Information bound to a subject identity that specifies a characteristic of the subject. Then, under Gap #1, it states that "... identity proofing [establishes] the set of Identty Attributes ... necessary ... to infer ... who an individual is (i.e., the identity of the individual)". All this seems rather inconsistent. Perhaps that is the point but then I would suggest it be stated clearly up front. I hope that we can quash any use of "who" in this context. In particular, I would avoid ever using the term "who the Subject is" since that is a source of major confusion when discussing identity management. What is the answer to "who"? It depends on context. Then what is "identity"? That is the question to be addressed. I suggest something like: Identity Subject (or just Subject) The physical person that is the subject of a record in an identity management system. Identity The set of information about a Subject that is true. It is highly unlikely that any one Identity Provider (IdP) will have a complete Identity for any given Subject. Identity Attributes Individual components of Identity. Some attributes are unique to the individual; others are shared with other Subjects. The degree with which the validity of each Attribute is known will vary depending on how or where it was acquired, whether it can change over time, and the nature of the Source of Authority (SOA). Identity Assertion One or more Identity Attributes that together identify a Subject to a Relying Party (RP) within the context that the Subject wishes to be known. There must be a trust relationship between the RP the Identity Assertion Provider (IAP). The RP also may require an assertion of trustworthiness of the Identity Attributes provided. Finally, I would reorder the "gaps" so that there is a better flow of concepts and ideas. Gap (new order) Gap (current) 1 Terminology 1 2 Contexts 4 3 Business sets 2 4 Schema 5 5 Categorization 3 6 Interoperability 6 7 Trust 7 8 Consent 8 9 Governance 9 Sorry about the massive post. Attached is a markup with additional comments and suggestions. David
participants (4)
-
David L. Wasley -
Heather Flanagan -
Richard G. WILSHER @Zygma -
Salvatore D'Agostino