No worries Steve - all good here.

I'm not sure we can avoid the taxonomy and body of knowledge approaches too much - the goal of this piece of work is indeed to aid in the understanding of digital identity. The 'making digital identity work' probably is not the near-term goal. Now, I can envision architectural patterns, methodologies and other standards or guidance that would help the engineers - but right now, the BoK isn't that (yet).

Because engineers need dictionaries and standardized terms too ;-)

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 


On Mon, Mar 27, 2017 at 6:31 PM, <swilson@lockstep.com.au> wrote:

If there was ever an example of how we are not going to define our way out of a mess, this is it.

This is not about the definition of "attribute"; it's really about the thinking that goes on (or doesn't go on) behind all the arbitrary technicalities.

How are we to think clearly about digital identity?

In plain English, an attribute (or an assertion or a claim) is something that one party needs to know about another party. A password is no such thing.

Why do we spend so much time categorizing things and defining things, when it just doesn't make sense to think about things in that way? Definitions are not the mission; understanding digital identity and making it work is the mission. Taxonomists are important but most of us should be engineers.

Cheers,

Steve.

PS. Andrew, please don't think I am directing criticism to you; your email was just the catalyst. I note that at several points you suggest that further glossary work is not necessarily the way to go.

Stephen Wilson
Managing Director
Lockstep Group

E: swilson@lockstep.com.au
M: +61 (0)414 488 851
W: http://lockstep.com.au
T: @steve_lockstep

Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.

-----Original Message-----
From: "Andrew Hughes" <andrewhughes3000@gmail.com>
Sent: Tuesday, 28 March, 2017 12:12pm
To: "Chris Phillips" <Chris.Phillips@canarie.ca>
Cc: "dg-idpro@kantarainitiative.org" <dg-idpro@kantarainitiative.org>
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

For now, the BoK does not talk about definitions of terms explicitly (and it MIGHT NOT do so in future):
- we have created a taxonomy category called "Concepts" within each aspect of the BoK. This is a place for a more rich description and explanation of the important concepts. The important thing here is that it's supposed to explain the concepts for understanding - so in the cited case there would have to be enough explanation about why attributes could be defined in a certain way and maybe even what some alternative explanations might be. I could see the possibility of having some paragraphs on this topic included - still TBD but if anyone adds text to the live document we'd all appreciate it.
- one of our participants is looking through the ISO terms and definitions to seek out additional concepts and standards that could/should be added to the BoK for later elaboration
- my personal opinion on attempting to combine glossaries that were built for different purposes is: don't do it. If the orgs managing those glossaries want to harmonize them, then excellent: ID Pro would be very pleased to participate. If they are not interested then even if ID Pro could create the perfect combination, we should not - because the managing orgs would be very unlikely to adopt the work directly & it makes the glossary mapping exercise very fragile and non-manageable. Do I think that short-term term mapping tools are useful? Yes. But something like this needs a longer term solution.

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 


On Mon, Mar 27, 2017 at 6:34 AM, Chris Phillips <Chris.Phillips@canarie.ca> wrote:
I've been lurking on the list and the topic that Kaliya introduced provides an interesting real world example of what id professionals would encounter. Through other work, I came across 'Annex A: Characteristics of a credential' from ITU X.1254: Entity authentication assurance framework from 2012[1] as an interesting datapoint to this topic.
I too was a bit surprised at the definition of attributes that appeared in the infographic Kaliya called out and the inclusion of password as an attribute. I think its inclusion was more for the exploration of the assessment items 1-4 on the infographic so that the 'attribute called password' can be included and is not an attempt to rewrite what attributes are.
I also think it's worth mentioning, but low probability of being an influence, that some databases like MySQL actually use language in their queries to expressly say users are identified by their passwords, therefore one could assume that passwords are attributes[2]:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass';

Does this alter the conversation or steer things differently? Unlikely.
I do think this topic expands what an identity professional should be cognizant and/or observant of who is attempting to define things.
It would be interesting to understand the position an id professional (and body that credentials them) would take about assessing which definitions SHOULD be taken and from which body and what the id professional body desires to define as in their wheelhouse. I suspect the answer will be 'it depends on the situation' and choosing one body (in no particular order) ITU, IETF, OASIS, NIST, Government X, Government Y, etc. over another is a recipe for perpetual conflict.
Does the developing id professional body of knowledge speak to things like this at all?
C
[1] X.1254 : Entity authentication assurance framework https://www.itu.int/rec/T-REC-X.1254-201209-I/en
From: <dg-idpro-bounces@kantarainitiative.org> on behalf of Charles Eckert <mr.eckert@gmail.com>
Date: Wednesday, March 8, 2017 at 9:31 AM
To: "'Natale, Bob'" <RNATALE@mitre.org>, Kaliya Identity Woman <kaliya@identitywoman.net>
Cc: "dg-idpro@kantarainitiative.org" <dg-idpro@kantarainitiative.org>

Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Have been following this discussion closely and had a few thoughts on this statement.

While I agree that each of the attributes you’ve cited is an attribute about an entity, I’m not convinced they are good Identity Attributes. Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes.

The context piece is important. An email address is unique using unique name/domain pairs for the entire population, while a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down: it can’t be guaranteed to maintain uniqueness within a population of accounts.

I suspect identity attributes have a few key characteristics:

1) Sufficient to identify a specific entity within a context (application, national, global, etc.)

2) Tend to be stable over the long term (which is why weight and height, facial hair, etc. wouldn’t be great identity attributes)

3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc.) as they provide a documented start/stop to a specific attribute

Behavioural Biometrics

“Something you do” is discussed frequently within the authentication context. I see its value in a continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioural biometrics were baked into primary authentication (e.g. cadence of password/PIN) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event.

The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc.). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities.

Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program.

Charles

From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Natale, Bob
Sent: Wednesday, March 8, 2017 3:30 AM
To: Kaliya Identity Woman
Cc: dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Hi Kaliya,

Don’t mistake the value of an attribute for the attribute as a construct.

My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate their status as useful identity attributes.

Avanti,

BobN

 

From: Kaliya Identity Woman [mailto:kaliya@identitywoman.net]
Sent: Wednesday, March 08, 2017 1:32 AM
To: Natale, Bob <RNATALE@mitre.org>
Cc: Catherine Schulten <catherine.schulten@lifemedid.com>; dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Sent from my iPhone

On Mar 7, 2017, at 9:27 PM, Natale, Bob <RNATALE@mitre.org> wrote:

Hi Catherine,

The identity attribute space has to cover at least the following kinds of entities:

   -- Physical human entities (PEs)
   -- Non-person entities (NPEs)
   -- Personas (alias-like virtual entities associated with PEs or NPEs)
   -- Virtual entities (which might represent PEs or NPEs)

For clarification purposes the focus of the UT program is on people and PII.

So far in 12+ months of discussions NPEs have not come up once really.

Passwords and PINs are shared secrets that can/should/do change; they are not, as I see it, attributes of actual people.

That is, things used by other people or systems to describe them. By the definition of a Password as a shared secret (between them and the system they enrolled in) it is NOT known by others and therefore cannot describe (an attribute) or be used to identify them.

Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it.

Avanti,

BobN

 

From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Catherine Schulten
Sent: Tuesday, March 07, 2017 6:09 PM
To: Kaliya Identity Woman <kaliya@identitywoman.net>; dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Hi Kaliya – I was not an attendee at RSA but I thank you for sending this information over to the IDPro workgroup. I feel it is important to understand how others are discussing the identity topic, especially from an edu source like University of TX @ Austin.

I am surprised about some of their statements on this poster as it is not how I would think to describe them.

1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes.

2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson:

<image002.jpg>

I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list.

3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata?

4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” https://www.idesg.org/The-ID-Ecosystem/Overview The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that the folks I work with at the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but it could cause confusion if used to mean different things.

I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email.

Catherine Schulten
Direct: 954-290-1991

 

From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman
Sent: Monday, March 6, 2017 11:24 PM
To: dg-idpro@kantarainitiative.org
Subject: [DG-IDPro] IdM Poster. (thats wrong)

Hi ID Pros

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that... but "identifying Information" or, as the poster below says, "Identity Attributes".

They also have taught that passwords are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes.. yes identity attributes. Sigh. I have raised issues about these two things that have been taught... and well not gotten very far (besides being told I'm a "bad student" and "unwilling to learn").

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - reference it and explain why both things are wrong (cause they, specifically Dr. Barber and Dr. Doty, don't believe me).

Or maybe this group could write a joint letter explaining its 'wrongness'. It's not great that this center is putting out this information... it doesn't help us in the long run get this stuff explained right.

Here is the post on their site with the poster.


_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro

