What urgently needed is data minimisation. Even here. Core identity is defined by a small and fixed set of identifiers, wich - over here in Europe - defines your natural & digital ID. ALL the rest ...is attributes and requires consent for sharing. With Identity being central, I see to much interest from corporates in putting all this under the "Identity Paradigm". (i.e. Know your Customer) Not good. I prefer the following sequence: Core ID < pairwise persistent pseudonyms (ecosystem-wide) when authenticating (the ecosystem provides a different pseudonunym between the user and any web service/ api. Of course an ecosystem IDmapping then is needed. < analytics (is acceptable due to pseudonyms) < despeudonymisaiton using an ecosystem service when sending the offer to the (unknown) user. < then user knows company but not the other way around < when user engages… only then de we have identity disclosure. Result: - user trust ssystem - user allows (more) pseudonymous data sharing for analytics - Ecosystem-wide pairwise persistent pseudonymisation results in more analytics Conclusion: in the end companies goal is analytcs for which the Idenitty (aka pseudonymisation) is a tool. Luk On 7 Mar 2017, at 13:50, John Moehrke <johnmoehrke@gmail.com<mailto:johnmoehrke@gmail.com>> wrote: I can't help but agree with the poster. I also agree that these are indeed authentication characteristics. Just because they are authentication characteristics does not mean they are not identity attributes. When I see a long time friend, I identify and authenticate him by just seeing his face. Many biometric devices do similar, using the same biometric measurement they will identify which individual this might be, then authenticate that the individual is authentic. Further, in De-Identification methods, these would be considered identifiers or quasi-identifiers. In a De-Identification process they would be removed. In De-Identification the method must treat all data that is subject to the process, and therefore would see authentication characteristics as identity attributes. This said, it would be better that they explain this position. It isn't wrong, in my view; but it is a specific approach. John John Moehrke Principal Engineering Architect: Standards - Interoperability, Privacy, and Security CyberPrivacy – Enabling authorized communications while respecting Privacy M +1 920-564-2067 JohnMoehrke@gmail.com<mailto:JohnMoehrke@gmail.com> https://www.linkedin.com/in/johnmoehrke https://healthcaresecprivacy.blogspot.com<https://healthcaresecprivacy.blogspot.com/> "Quis custodiet ipsos custodes?" ("Who watches the watchers?") On Tue, Mar 7, 2017 at 6:23 AM, Kaliya Identity Woman <kaliya@identitywoman.net<mailto:kaliya@identitywoman.net>> wrote: The bottom of the porter says: What is an IDentity Attribute? - what you are - what you know - what you have - what you do Are these not the factors or methods of authentication? I have been in this industry for over 12 years and these (three and now 4 things) have always been referred to as authentication factors. Right? Here is a whole Twitter thread that got started .....https://mobile.twitter.com/dgwbirch/status/838064419385016320 Sent from my iPhone Sent from my iPhone On Mar 7, 2017, at 4:08 AM, Nat Sakimura <nat@sakimura.org<mailto:nat@sakimura.org>> wrote: Not necessarily "most", I think ;-) ISO/IEC 24760-1 defines: 3.1.2 identity set of attributes (3.1.3) related to an entity (3.1.1) 3.1.3 attribute characteristic or property of an entity (3.1.1) that can be used to describe its state, appearance, or other aspects so, it is apparently a wider concept for those people who worked on it. And with the definition, many "difficult" questions become degenerated. My take is: attributes that are necessary to offer the service are more important than others. It could be a verified identifier, or verified address, or verified age, etc. Nat --- Nat Sakimura Chairman, OpenID Foundation On 2017-03-07 19:02, swilson@lockstep.com.au<mailto:swilson@lockstep.com.au> wrote: In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are: - are attributes (ie what someone is) more important than "identity" (ie who someone is)? - how do you know that a given attribute about a Subject is true of the Subject? - that is, what authority vouches for the attribute? - and how do you know that a presented attribute is bound to the Subject and isn't being replayed? If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when at matched on-card is that nobody other the Subject ever knows the PIN). And CVVs. And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes! Cheers, Steve. Stephen Wilson LOCKSTEP GROUP W: http://lockstep.com.au<http://lockstep.com.au/> T: @steve_lockstep _Lockstep Consulting provides independent specialist advice and analysis _ _on digital identity and privacy. Lockstep Technologies develops unique _ _new smart ID solutions that enhance privacy and prevent identity theft. _ -----Original Message----- From: "David Chadwick" <D.W.Chadwick@kent.ac.uk<mailto:D.W.Chadwick@kent.ac.uk>> Sent: Tuesday, 7 March, 2017 6:07pm To: dg-idpro@kantarainitiative.org<mailto:dg-idpro@kantarainitiative.org> Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya Glad you are not in my class! Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password. regards David On 07/03/2017 04:24, Kaliya Identity Woman wrote: HI ID Pro's As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin. There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes" They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn". But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me. Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right. Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barber Dr. Doty's https://www.ischool.utexas.edu/people/person_details?PersonID=22 _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org<mailto:DG-IDPro@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org<mailto:DG-IDPro@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org<mailto:DG-IDPro@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org<mailto:DG-IDPro@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org<mailto:DG-IDPro@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org<mailto:DG-IDPro@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/dg-idpro