I agree that there needs to be a common vocabulary and we should start with what is out there and either incorporate them into a new document or upgrade them.

Frankly, the NIST documents and ISOs referenced, and there are a few RFCs with specific "Glossary" terms, such as https://tools.ietf.org/html/rfc4949.

--
-jim
Jim Willeke

On Fri, May 5, 2017 at 4:27 AM, Nat Sakimura <nat@sakimura.org> wrote:
It would probably be a good idea to look at ISO definitions such as the ones defined in ISO/IEC 24760-1 and ISO/IEC 29100. They are freely available from ITTF site[1], unlike most ISO standards.

[1] Requirements for attribute-based unlinkable entity authentication

Please note that ISO terms and definitions are unlike most conventional "definitions".

To start with, the terms are actually abbreviations for the "definition (text)", so that terms in the main text are to be replaced by the definition and remain readable after the replacement.

The conventional sense of a definition is often actually given in the main text as the "clause title" and the paragraphs that follow.

Another important thing to note about ISO/IEC 24760-1 is that its terminology is a bit unconventional, as it is trying to break away from the baggage that common terms like "IdP" carry. So I can expect a very negative impression on a first-time reader. But if you actually examine it, it is quite a good read, though the models are a bit old. (What do you expect from ISO? Note: I am the head of the delegation for the WG from the Japanese National Body, and because of this conventionalism and the oldness of the model, we voted negatively on the standard. We are one of only a handful of negative voters (besides the USA), but I am still saying this.)

When we talk about Identity, we just cannot ignore the relationship to privacy. That is because "identity", when defined as "set of attributes related to an entity", is in fact personal data if the entity is a living natural person.

ISO/IEC 29100 Privacy framework is a standard that is endorsed by over 50 countries and such liaison organizations as the Article 29 Working Party (of the EU). This standard is much less controversial than 24760-1. In fact, it has almost universal support from those countries. It probably is a good idea to take it into account as well.
---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2017-04-12 23:53, Sarah Squire wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a
vocabulary. Parts A, B, and C each have a section titled "Definitions
and Abbreviations".  It's not official yet, as we're still sorting
through feedback from the public comment period, but you can view the
document as it stands currently here:
 https://pages.nist.gov/800-63-3/ [14]

Sarah Squire
Engage Identity
http://engageidentity.com [15]

On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:

Hi,

The topic of a vocabulary for expressing LoA is very topical right
now. Unfortunately NIST 800-63 doesn't define a vocabulary; life
would be nice if it did. As such everyone is tempted to use the
descriptions in NIST 800-63 and invent their own vocabulary values.
This is not helpful to drive interoperability, but it is done out of
desperation.

The sticky part is that although NIST 800-63 defines categories,
they recognize that there are still operational facts that are
necessary before one really understands what LoA "4" means. I think
it is this that keeps NIST from declaring vocabulary. They recognize
that their specification doesn't control enough space to assure that
"4" means the same thing to everyone.

Thus organizations like SAFE-Biopharma (which covers a very specific
part of healthcare not including actual treatment...). They have
been doing identity proofing for a long time in their space. They
are embracing being more open, and leveraging standards more. 

John

John Moehrke
Principal Engineering Architect: Standards - Interoperability,
Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting
Privacy
M +1 920-564-2067 [11]
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke [12]
https://healthcaresecprivacy.blogspot.com [13]
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")

On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten <catherine.schulten@lifemedid.com> wrote:

Interesting document.  The healthcare space has two primary
communities of actors: the healthcare provider and the patient.

Healthcare providers are physicians, therapists, nurses, etc.  As
such they are typically licensed to practice and they are
employees or credentialed by a hospital or similar organization to
provide their services at certain facilities.  As such these
people have established attributes such as email addresses,
license numbers and federal identifiers (National Provider ID,
DEA#, etc.).  They are also adults.

Patients on the other hand range in age from birth to >100 yrs.
old, may or may not have an email address and certainly aren’t
credentialed to be a patient nor do they have a national ID number
(at least not in the U.S.).

The Align Biopharma “standard” makes sense for providers
working in life sciences since that set of individuals all share
those common attributes.  Notice also that the stakeholders that
developed this open standard are all pharma companies.  Pardon
the pun, but their standards are highly prescriptive to the set of
individuals and the purpose that drives the need for
identity/authentication.

Catherine Schulten
Direct: 954-290-1991 [1]

From: Chris Phillips [mailto:Chris.Phillips@canarie.ca]
Sent: Wednesday, April 12, 2017 10:19 AM
To: dg-idpro@kantarainitiative.org; Catherine Schulten
<catherine.schulten@lifemedid.com>
Subject: Re: [DG-IDPro] the need to develop a common vocabulary

Speaking of a 'common lexicon' here's one in the biopharma space
fresh off the press (I think):

http://pharmaleaders.com/align-biopharma-announces-new-identity-management-standard-available-for-life-sciences-industry-input/ [2]

I haven't clicked through the non-standard T&Cs clickwrap around
it however.  Looks like they want to not be encumbered with
restrictions on comments back?

Looks like the word 'standard' may be more opinion than fact.
Hard to tell.

Catherine, inferring from the lifemedid.com [3] domain, this
sounds like an area your organization may circulate in.

Thoughts on how it informs things in the idPro space and the
approach to common vocabulary?

C

From: <dg-idpro-bounces@kantarainitiative.org> on behalf of
Catherine Schulten <catherine.schulten@lifemedid.com>
Date: Wednesday, April 12, 2017 at 10:04 AM
To: "dg-idpro@kantarainitiative.org"
<dg-idpro@kantarainitiative.org>
Subject: [DG-IDPro] the need to develop a common vocabulary

Found this relevant paragraph in some research I was doing.  The
following from a NIST workshop held in Jan 2016:

"DEVELOP A COMMON LEXICON. Many participants identified a lack
of standardized terminology regarding identity proofing processes
and functions. For example, some attendees used the term
“verification” while others preferred “validation” for the
same process. For the purposes of NIST’s work, attendees
suggested a common vocabulary should be developed to help ensure
consistency in the framework and across communities, and that the
taxonomy be aligned to the best extent possible with existing
schemes."

http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_8103_draft.pdf [4]

Catherine Schulten
VP of Product Management - OrangeHook, Inc. / LifeMed ID
3009 Douglas Blvd., STE 200, Roseville, CA 95661

Direct: 954-290-1991 [1]

Website [5] | LinkedIn [6] | Facebook [7] | Twitter [8] | YouTube [9]

_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro [10]

Links:
------
[1] tel:(954)%20290-1991
[2] http://pharmaleaders.com/align-biopharma-announces-new-identity-management-standard-available-for-life-sciences-industry-input/
[3] http://lifemedid.com
[4] http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_8103_draft.pdf
[5] http://www.orangehook.com/
[6] https://www.linkedin.com/company-beta/4794831/
[7] https://www.facebook.com/orangehook/?fref=ts
[8] https://twitter.com/OrangeHookInc?lang=en
[9] https://www.youtube.com/channel/UC1NXbg8WNI92qrCpmrea4CA
[10] http://kantarainitiative.org/mailman/listinfo/dg-idpro
[11] tel:(920)%20564-2067
[12] https://www.linkedin.com/in/johnmoehrke
[13] https://healthcaresecprivacy.blogspot.com
[14] https://pages.nist.gov/800-63-3/
[15] http://engageidentity.com/
