Agree with Steve. I'd recommend separating attributes (i.e., things about or associated with an entity), from what the attributes are used to do (i.e., authorization, authentication), from proving that the attributes are true about the entity (i.e., binding an attribute to an entity). I use entity to allow for things as well as individuals. My two cents, Ken
On Tue, Mar 7, 2017 at 11:28 AM Hutchinson, Steve (GE Digital) <Stephen.Hutchinson@ge.com> wrote:
Totally agree that an identity represents a thing while authentication and authorization are processes (and distinct processes at that).
Authentication events can use attributes associated with the identity to determine whether or not the current actor is associated with the identity they claim to represent. Attributes would include the userid and the password just as it would also include name, address, and phone number. The only attribute required to be unique within a particular security domain is the userid.
Another attribute could be a device identifier, which in turn would have its own identity with attributes associated with it. I could query these attributes as part of an authorization process. For example, we have applications here at GE that you can only access from a GE-issued device. When I attempt to access that app, I have to authenticate myself with traditional ID/PWD but after successfully authenticating, the service detects my device certificate (and some secret sauce) and checks to ensure that not only am I on a GE device, but it is a device that is associated with my identifier.
Long story short, I do not believe that there are “authentication attributes” but there are attributes associated with identities that can be used to perform authentication and attributes that can be used to authorize access to protected resources. And in our brave new IoT world, those identity attributes can be associated with both humans AND things.
My two cents,
Hutch
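The separation Hutch describes above (an identity is a record of attributes; authentication is one process that consumes some of them; authorization is a different process that consumes others, including the attributes of a device that has its own identity) is easy to blur in code. The following is an added example written for this thread, not code from any of the posters or from GE: a toy identity store in which people and devices are both entities, authentication checks the secret attribute bound to a claimed userid, and authorization checks a resource policy against the authenticated identity's attributes and the device's attributes. The userids, device ids, policy names and the assumption that the device id was already established by a separate device-authentication step (Hutch's device certificate) are all constructed for the example.

```python
"""Toy model: identity (attributes) vs. authentication vs. authorization.
Added example for this thread; all names, ids and policies are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 200_000


@dataclass
class Identity:
    """An entity, human or thing. 'userid' is the only attribute that must be
    unique inside the security domain; every other attribute is just data."""
    userid: str
    attributes: dict = field(default_factory=dict)
    password_hash: Optional[bytes] = None   # only identities that can log in have one
    salt: Optional[bytes] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IdentityStore:
    """One security domain: userids are unique here and nowhere else."""

    def __init__(self) -> None:
        self._entities: dict = {}

    def register(self, userid: str, password: Optional[str] = None, **attributes) -> Identity:
        if userid in self._entities:
            raise ValueError(f"userid {userid!r} already exists in this domain")
        ident = Identity(userid, attributes)
        if password is not None:
            ident.salt = secrets.token_bytes(16)
            ident.password_hash = hash_password(password, ident.salt)
        self._entities[userid] = ident
        return ident

    def get(self, userid: str) -> Optional[Identity]:
        return self._entities.get(userid)


_DUMMY_SALT = b"\x00" * 16


def authenticate(store: IdentityStore, userid: str, password: str) -> Optional[Identity]:
    """Authentication: does the actor hold the secret attribute bound to the
    claimed identity? Returns the identity on success, None otherwise."""
    ident = store.get(userid)
    if ident is None or ident.password_hash is None:
        hash_password(password, _DUMMY_SALT)   # equalise timing for unknown userids
        return None
    if hmac.compare_digest(hash_password(password, ident.salt), ident.password_hash):
        return ident
    return None


# Constructed resource policies; nothing here is GE's or anyone else's policy.
POLICIES = {
    "payroll-app": {"require_managed_device": True},
    "cafeteria-menu": {"require_managed_device": False},
}


def authorize(store: IdentityStore, ident: Identity, resource: str, device_id: str) -> bool:
    """Authorization: given an ALREADY authenticated identity, decide from its
    attributes and the device's attributes whether the policy is satisfied.
    Assumption: device_id was established by a separate device-authentication
    step (e.g. a client certificate), which this example does not model."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False                      # unknown resource: deny by default
    if policy["require_managed_device"]:
        device = store.get(device_id)     # the device is an entity with its own attributes
        if device is None or not device.attributes.get("managed"):
            return False                  # not a managed device at all
        if device_id not in ident.attributes.get("devices", ()):
            return False                  # managed, but not bound to this identifier
    return True


def access(store: IdentityStore, userid: str, password: str, resource: str, device_id: str) -> str:
    """The two processes in sequence; the outcome names which one said no."""
    ident = authenticate(store, userid, password)
    if ident is None:
        return "authentication failed"
    return "allowed" if authorize(store, ident, resource, device_id) else "denied"


def build_demo_store() -> IdentityStore:
    """Constructed sample domain: one person, three devices."""
    store = IdentityStore()
    store.register("hutch", "correct horse battery staple",
                   name="S. Hutchinson", devices=["laptop-0001"])
    store.register("laptop-0001", managed=True, serial="CONSTRUCTED-0001")
    store.register("laptop-9999", managed=True)        # managed, but bound to nobody
    store.register("byod-tablet", managed=False)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for dev in ("laptop-0001", "laptop-9999", "byod-tablet"):
        print(dev, access(s, "hutch", "correct horse battery staple", "payroll-app", dev))
```

The point the code makes is the one the thread makes: the password and the device list are both attributes of the same identity record, but only `authenticate` looks at the password and only `authorize` looks at the device list. A managed device that is not associated with the identifier still fails, which is the second check Hutch describes after the ID/password step.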
*From:* dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] *On Behalf Of* Kaliya Identity Woman
*Sent:* Tuesday, March 07, 2017 10:16 AM
*To:* Natale, Bob <RNATALE@mitre.org>
*Cc:* dg-idpro@kantarainitiative.org
*Subject:* EXT: Re: [DG-IDPro] IdM Poster. (thats wrong)
I love to hear from some other folks
When these four things are listed TOGETHER. As a group. And presented explaining identity.
Are they not "the factors or methods of authentication"?
Sent from my iPhone
On Mar 7, 2017, at 6:15 AM, Natale, Bob <RNATALE@mitre.org> wrote:
That’s true … but not necessarily the total dichotomy implied by the assertion that “Identity is NOT Authentication” … authenticator attributes can also be identifier attributes and vice versa … the closer an authenticator attribute (like a human fingerprint) is to a unique identifier (like a human fingerprint paired with some threshold set of appropriate biographic, biometric, behavioral, and social attributes), the murkier the line between identity and authentication might become.
Or so it seems to me…. Things might vary a bit, with respect to what is a valid identity attribute, between human person identities and virtual entity identifiers as well … but that’s probably a topic for a different thread!
Ultimately, however, I strongly favor keeping the concepts of identity, authentication, authorization, and access control distinctly defined, as that is what holds in the general case.
Avanti,
BobN
*From:* dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] *On Behalf Of* Jim Willeke
*Sent:* Tuesday, March 07, 2017 6:26 AM
*To:* dg-idpro@kantarainitiative.org
*Subject:* Re: [DG-IDPro] IdM Poster. (thats wrong)
As always, statements without context are philosophical discussions.
Identity is NOT Authentication.
Authentication is "things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc."
Authentication is the process of establishing confidence in the Identification of an Entity. That is confidence that the Identification is authentic.
Levels of Assurance or Vectors of Assurance address the degree of confidence in an assertion of Authentication.
--
-jim Jim Willeke
On Tue, Mar 7, 2017 at 5:02 AM, <swilson@lockstep.com.au> wrote:
In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are:
- are attributes (ie what someone is) more important than "identity" (ie who someone is)?
- how do you know that a given attribute about a Subject is true of the Subject?
- that is, what authority vouches for the attribute?
- and how do you know that a presented attribute is bound to the Subject and isn't being replayed?
If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when matched on-card is that nobody other than the Subject ever knows the PIN). And CVVs.
And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes!
Cheers,
Steve.
Stephen Wilson
*Lockstep Group *
W: http://lockstep.com.au
T: @steve_lockstep
*Lockstep Consulting provides independent specialist advice and analysis *
*on digital identity and privacy. Lockstep Technologies develops unique *
*new smart ID solutions that enhance privacy and prevent identity theft. *
-----Original Message-----
From: "David Chadwick" <D.W.Chadwick@kent.ac.uk>
Sent: Tuesday, 7 March, 2017 6:07pm
To: dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)
Hi Kaliya
Glad you are not in my class!
Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password.
regards
David
On 07/03/2017 04:24, Kaliya Identity Woman wrote:
Hi ID Pros,
As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.
There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"
They also have taught that passwords are identifiers (yes, this was actually taught)... in this poster, on the other side, they are identity attributes... yes, identity attributes. Sigh. I have raised issues about these two things that have been taught... and well, not gotten very far (besides being told I'm a "bad student" and "unwilling to learn").
But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster, reference it, and explain why both things are wrong (cause they, specifically Dr. Barber and Dr. Doty, don't believe me).
Or maybe this group could write a joint letter explaining its 'wrongness'. It's not great that this center is putting out this information... it doesn't help us in the long run get explaining this stuff right.
Here is the post on their site with the poster.
https://identity.utexas.edu/infographics/identity-attributes-and-the-identity-ecosystem
Here is Dr Barber's faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barber
Dr. Doty's
https://www.ischool.utexas.edu/people/person_details?PersonID=22
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro
-- Kenneth Dagg Independent Consultant Identification and Authentication 613-825-2091 kendaggtbs@gmail.com