Have been following this discussion closely and had a few thoughts on this statement.
While I agree that each of the attributes you’ve cited are attributes about an entity, I’m not convinced they are good Identity Attributes. Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes.
The context piece is important. Email address is unique using unique name/domain pairs for the entire population, a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down and can’t be guaranteed to maintain uniqueness within a population of accounts.
I suspect identity attributes have a few key characteristics:
1) Sufficient to identify a specific entity within a context (application, national, global, etc)
2) Tend to be stable over the long term (which is why weight and height, facial hair, etc wouldn’t be great identity attributes)
3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc) as they provide a documented start/stop to a specific attribute
Behavioural Biometrics
“Something you do” is discussed frequently within the authentication context. I see its value in continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioral biometrics were baked into primary authentication (e.g. cadence of password/pin) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event.
The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities.
Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program.
Charles
From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Natale, Bob
Sent: Wednesday, March 8, 2017 3:30 AM
To: Kaliya Identity Woman
Cc: dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)
Hi Kaliya,
Don’t mistake the value of an attribute for the attribute as a construct.
My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate there status as useful identity attributes.
Avanti,
BobN
From: Kaliya Identity Woman [mailto:kaliya@identitywoman.net]
Sent: Wednesday, March 08, 2017 1:32 AM
To: Natale, Bob <RNATALE@mitre.org>
Cc: Catherine Schulten <catherine.schulten@lifemedid.com>; dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)
Sent from my iPhone
On Mar 7, 2017, at 9:27 PM, Natale, Bob <RNATALE@mitre.org> wrote:
Hi Catherine,
The identity attribute space
has to cover at least the following kinds of entities:
-- Physical human entities (PEs)
-- Non-person entities (NPEs)
-- Personas (alias-like virtual entities associated with PEs or NPEs)
-- Virtual entities (which might represent PEs or NPEs)
For clarification purposes the focus of the UT program is on people and PII.
So far in 12+ months of discussions NPEs have not come up once really.
Password and PINs are shared secrets that can/should/ do change they are not as I see it attributes of actual people.
That is things used by other people or systems to describe them. By the definition of a Password as a shared secret (between them and the system they enrolled in) it is NOT known by others and therefore can not describe (an attribute) or be used to identify them.
Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it.
Avanti,
BobN
From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Catherine Schulten
Sent: Tuesday, March 07, 2017 6:09 PM
To: Kaliya Identity Woman <kaliya@identitywoman.net>; dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)
I am surprised about some of their statements on this poster as it is not how I would think to describe them.
1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes.
2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson:
<image002.jpg>
I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list.
3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata?
4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” https://www.idesg.org/The-ID-Ecosystem/Overview The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that that folks I work with the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but I could cause confusion if used to mean different things.
I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email.
Catherine Schulten
Direct: 954-290-1991
From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman
Sent: Monday, March 6, 2017 11:24 PM
To: dg-idpro@kantarainitiative.org
Subject: [DG-IDPro] IdM Poster. (thats wrong)
HI ID Pro's
As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.
There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"
They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".
But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.
Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.
Here is the post on their site with the poster.
<image003.jpg>
Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barber
Dr. Doty's
https://www.ischool.utexas.edu/people/person_details?PersonID=22