In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are: - are attributes (ie what someone is) more important than "identity" (ie who someone is)? - how do you know that a given attribute about a Subject is true of the Subject? - that is, what authority vouches for the attribute? - and how do you know that a presented attribute is bound to the Subject and isn't being replayed? If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when at matched on-card is that nobody other the Subject ever knows the PIN). And CVVs. And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes! Cheers, Steve. Stephen Wilson Lockstep Group W: http://lockstep.com.au T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "David Chadwick" Sent: Tuesday, 7 March, 2017 6:07pm To: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya Glad you are not in my class! Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password. regards David On 07/03/2017 04:24, Kaliya Identity Woman wrote:

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.

Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit...

Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barber

Dr. Doty's

https://www.ischool.utexas.edu/people/person_details?PersonID=22

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

That’s true … but not necessarily the total dichotomy implied by the assertion that “Identity is NOT Authentication” … authenticator attributes can also be identifier attributes and vice versa … the closer an authenticator attribute (like a human fingerprint) is to a unique identifier (like a human fingerprint paired with some threshold set of appropriate biographic, biometric, behavioral, and social attributes), the murkier the line between identity and authentication might become. Or so it seems to me…. Things might vary a bit, with respect to what is a valid identity attribute, between human person identities and virtual entity identifiers as well … but that’s probably a topic for a different thread! Ultimately, however, I strongly favor keeping the concepts of identity, authentication, authorization, and access control distinctly defined, as that is what holds in the general case. Avanti, BobN From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Jim Willeke Sent: Tuesday, March 07, 2017 6:26 AM To: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) As always, statements without context are philosophical discussions. Identity is NOT Authentication. Authentication is "things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc." Authentication is the process of establishing confidence in the Identification of an Entity. That is confidence that the Identification is authentic. Levels of Assurance or Vectors of Assurance address the degree of confidence in an assertion of Authentication. -- -jim Jim Willeke On Tue, Mar 7, 2017 at 5:02 AM, mailto:swilson@lockstep.com.au> wrote: In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are: - are attributes (ie what someone is) more important than "identity" (ie who someone is)? - how do you know that a given attribute about a Subject is true of the Subject? - that is, what authority vouches for the attribute? - and how do you know that a presented attribute is bound to the Subject and isn't being replayed? If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when at matched on-card is that nobody other the Subject ever knows the PIN). And CVVs. And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes! Cheers, Steve. Stephen Wilson Lockstep Group W: http://lockstep.com.au T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "David Chadwick" mailto:D.W.Chadwick@kent.ac.uk> Sent: Tuesday, 7 March, 2017 6:07pm To: dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya Glad you are not in my class! Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password. regards David On 07/03/2017 04:24, Kaliya Identity Woman wrote:

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.

Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit...

Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barberhttp://www.ece.utexas.edu/people/faculty/suzanne-barber

Dr. Doty's

https://www.ischool.utexas.edu/people/person_details?PersonID=22

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

Totally agree that an identity represents a thing while authentication and authorization are processes (and distinct processes at that). Authentication events can use attributes associated with the identity to determine whether or not the current actor is associated with the identity they claim to represent. Attributes would include the userid and the password just as it would also include name, address, and phone number. The only attribute required to be unique within a particular security domain is the userid. Another attribute could be a device identifier, which in turn would have its own identity with attributes associated with it. I could query these attributes as part of an authorization process. For example, we have applications here at GE that you can only access from a GE-issued device. When I attempt to access that app, I have to authenticate myself with traditional ID/PWD but after successfully authenticating, the service detects my device certificate (and some secret sauce) and checks to ensure that not only am I on a GE device, but it is a device that is associated with my identifier. Long story short, I do not believe that there are “authentication attributes” but there are attributes associated with identities that can be used to perform authentication and attributes that can be used to authorize access to protected resources. And in our brave new IoT world, those identity attributes can be associated with both humans AND things. My two cents, Hutch From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman Sent: Tuesday, March 07, 2017 10:16 AM To: Natale, Bob Cc: dg-idpro@kantarainitiative.org Subject: EXT: Re: [DG-IDPro] IdM Poster. (thats wrong) I love to hear from some other folks When these four things are listed TOGETHER. As a group. And presented explaining identity. Are they not "the factors or methods of authentication"? Sent from my iPhone On Mar 7, 2017 from, at 6:15 AM, Natale, Bob mailto:RNATALE@mitre.org> wrote: That’s true … but not necessarily the total dichotomy implied by the assertion that “Identity is NOT Authentication” … authenticator attributes can also be identifier attributes and vice versa … the closer an authenticator attribute (like a human fingerprint) is to a unique identifier (like a human fingerprint paired with some threshold set of appropriate biographic, biometric, behavioral, and social attributes), the murkier the line between identity and authentication might become. Or so it seems to me…. Things might vary a bit, with respect to what is a valid identity attribute, between human person identities and virtual entity identifiers as well … but that’s probably a topic for a different thread! Ultimately, however, I strongly favor keeping the concepts of identity, authentication, authorization, and access control distinctly defined, as that is what holds in the general case. Avanti, BobN From: dg-idpro-bounces@kantarainitiative.orgmailto:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Jim Willeke Sent: Tuesday, March 07, 2017 6:26 AM To: dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) As always, statements without context are philosophical discussions. Identity is NOT Authentication. Authentication is "things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc." Authentication is the process of establishing confidence in the Identification of an Entity. That is confidence that the Identification is authentic. Levels of Assurance or Vectors of Assurance address the degree of confidence in an assertion of Authentication. -- -jim Jim Willeke On Tue, Mar 7, 2017 at 5:02 AM, mailto:swilson@lockstep.com.au> wrote: In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are: - are attributes (ie what someone is) more important than "identity" (ie who someone is)? - how do you know that a given attribute about a Subject is true of the Subject? - that is, what authority vouches for the attribute? - and how do you know that a presented attribute is bound to the Subject and isn't being replayed? If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when at matched on-card is that nobody other the Subject ever knows the PIN). And CVVs. And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes! Cheers, Steve. Stephen Wilson Lockstep Group W: http://lockstep.com.auhttps://urldefense.proofpoint.com/v2/url?u=http-3A__lockstep.com.au&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=Eu7pdw3Awvoyrabg9fH7yXmktLXSf0PMUyO1JoLe3No&e= T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "David Chadwick" mailto:D.W.Chadwick@kent.ac.uk> Sent: Tuesday, 7 March, 2017 6:07pm To: dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya Glad you are not in my class! Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password. regards David On 07/03/2017 04:24, Kaliya Identity Woman wrote:

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.

Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit...https://urldefense.proofpoint.com/v2/url?u=https-3A__identity.utexas.edu_infographics_identity-2Dattributes-2Dand-2Dthe-2Didentity-2Decosystem&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=ItRssCf9w9X0Tcqh4O2xzwP0_ByDx4--VPHgct-IFaU&e=

Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barberhttps://urldefense.proofpoint.com/v2/url?u=http-3A__www.ece.utexas.edu_people_faculty_suzanne-2Dbarber&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=fZ8oXDooalHkDel1pg3BTAjV1hpcxsngGZJvUvt9Vsk&e=

Dr. Doty's

https://www.ischool.utexas.edu/people/person_details?PersonID=22https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ischool.utexas.edu_people_person-5Fdetails-3FPersonID-3D22&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=ttoWolYfLQyRW9JdF5IUB8krtORSDqgwAAxf72O7VXU&e=

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idprohttps://urldefense.proofpoint.com/v2/url?u=http-3A__kantarainitiative.org_mailman_listinfo_dg-2Didpro&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=c8bxSSFP88LVrYwa4C59bKLJraJR6zVfPaLAt6wo59s&e=

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idprohttps://urldefense.proofpoint.com/v2/url?u=http-3A__kantarainitiative.org_mailman_listinfo_dg-2Didpro&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=c8bxSSFP88LVrYwa4C59bKLJraJR6zVfPaLAt6wo59s&e= _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idprohttps://urldefense.proofpoint.com/v2/url?u=http-3A__kantarainitiative.org_mailman_listinfo_dg-2Didpro&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=c8bxSSFP88LVrYwa4C59bKLJraJR6zVfPaLAt6wo59s&e= _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idprohttps://urldefense.proofpoint.com/v2/url?u=http-3A__kantarainitiative.org_mailman_listinfo_dg-2Didpro&d=DwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=3av-RSw9vyoSVB73bPh-tA&m=cXKI4rlh-h7IKvviyWPdGXi4EfOXl2BIP1fJCu1p0fg&s=c8bxSSFP88LVrYwa4C59bKLJraJR6zVfPaLAt6wo59s&e=

There must be a special version of Godwin's Law for the identerati, where it's only a matter of time before a discussion descends to definitions. I was trying really hard to communicate some points in plain language. Attributes are things we need to know about people. Passwords are things we never want anyone to know. So passwords cannot be attributes about users (in fact we urge people to pick passwords that do not reveal their traits). Can't we talk about that without arguing identification vs authentication vs authorization, and going to dictionaries at twenty paces? And can't we once and for all recognise that there must be something wrong with the very idea of IDAM terminology? Every year or so, an email list breaks out with a debate like this, and it gets bogged down in definitions. Every single time. Does no one see what that means? It's not that the definitions are wrong. It's that definitions aren't helping. We need to drop the arbitrary jargon, and use plain language to describe what we think about stuff. The never-ending arguments are pathogical! They point to a disease! See also [ http://lockstep.com.au/blog/2011/01/22/forget-authentication ]( http://lockstep.com.au/blog/2011/01/22/forget-authentication ) Cheers, Steve. Stephen Wilson Lockstep W: http://lockstep.com.au T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "Jim Willeke" Sent: Tuesday, 7 March, 2017 10:26pm To: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) As always, statements without context are philosophical discussions. Identity is NOT Authentication. Authentication is "things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc." Authentication is the process of establishing confidence in the Identification of an Entity. That is confidence that the Identification is authentic. Levels of Assurance or Vectors of Assurance address the degree of confidence in an assertion of Authentication. ---jim Jim Willeke On Tue, Mar 7, 2017 at 5:02 AM, <[ swilson@lockstep.com.au ]( mailto:swilson@lockstep.com.au )> wrote: In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are: - are attributes (ie what someone is) more important than "identity" (ie who someone is)? - how do you know that a given attribute about a Subject is true of the Subject? - that is, what authority vouches for the attribute? - and how do you know that a presented attribute is bound to the Subject and isn't being replayed? If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when at matched on-card is that nobody other the Subject ever knows the PIN). And CVVs. And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes! Cheers, Steve. Stephen Wilson Lockstep Group W: [ http://lockstep.com.au ]( http://lockstep.com.au ) T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "David Chadwick" <[ D.W.Chadwick@kent.ac.uk ]( mailto:D.W.Chadwick@kent.ac.uk )> Sent: Tuesday, 7 March, 2017 6:07pm To: [ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org ) Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya Glad you are not in my class! Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password. regards David On 07/03/2017 04:24, Kaliya Identity Woman wrote:

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.

Here is the post on their site with the poster. [ https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... ]( https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... )

Here is Dr Barbers faculty page - [ http://www.ece.utexas.edu//people/faculty/suzanne-barber ]( http://www.ece.utexas.edu//people/faculty/suzanne-barber )

Dr. Doty's

[ https://www.ischool.utexas.edu/people/person_details?PersonID=22 ]( https://www.ischool.utexas.edu/people/person_details?PersonID=22 )

_______________________________________________ DG-IDPro mailing list [ DG-IDPro@kantarainitiative.org ]( mailto:DG-IDPro@kantarainitiative.org ) [ http://kantarainitiative.org/mailman/listinfo/dg-idpro ]( http://kantarainitiative.org/mailman/listinfo/dg-idpro )

_______________________________________________ DG-IDPro mailing list [ DG-IDPro@kantarainitiative.org ]( mailto:DG-IDPro@kantarainitiative.org ) [ http://kantarainitiative.org/mailman/listinfo/dg-idpro ]( http://kantarainitiative.org/mailman/listinfo/dg-idpro ) _______________________________________________ DG-IDPro mailing list [ DG-IDPro@kantarainitiative.org ]( mailto:DG-IDPro@kantarainitiative.org ) [ http://kantarainitiative.org/mailman/listinfo/dg-idpro ]( http://kantarainitiative.org/mailman/listinfo/dg-idpro )

Not necessarily　"most", I think ;-) ISO/IEC 24760-1 defines: 3.1.2 identity set of attributes (3.1.3) related to an entity (3.1.1) 3.1.3 attribute characteristic or property of an entity (3.1.1) that can be used to describe its state, appearance, or other aspects so, it is apparently a wider concept for those people who worked on it. And with the definition, many "difficult" questions become degenerated. My take is: attributes that are necessary to offer the service are more important than others. It could be a verified identifier, or verified address, or verified age, etc. Nat --- Nat Sakimura Chairman, OpenID Foundation On 2017-03-07 19:02, swilson@lockstep.com.au wrote:

In essence, I think most IDAM professionals would agree that attributes are things that RPs need to know about Subjects in order to [help] decide whether or not to accept a message, document etc. Some of the nice questions we're all dealing with currently are:

- are attributes (ie what someone is) more important than "identity" (ie who someone is)?

- how do you know that a given attribute about a Subject is true of the Subject?

- that is, what authority vouches for the attribute?

- and how do you know that a presented attribute is bound to the Subject and isn't being replayed?

If an attribute is something that we need to know about someone, then clearly passwords are something else. Likewise for PINs (the cool thing about PINs when at matched on-card is that nobody other the Subject ever knows the PIN). And CVVs.

And then there is biometrics. There are broadly two modes of biometric presentation: One-to-One, where it is generally preferred that the biometric is matched locally in order to unlock a device (ala FIDO, or Apple iTouch), and One-to-Many (often tellingly called "identification") where I suppose the attribute could be regarded as an attribute. But the general aversion to One-to-Many matching of biometrics points to an ideal where biometrics are NOT identity attributes!

Cheers,

Steve.

Stephen Wilson

LOCKSTEP GROUP 

W: http://lockstep.com.au

T: @steve_lockstep

_Lockstep Consulting provides independent specialist advice and analysis _

_on digital identity and privacy. Lockstep Technologies develops unique _

_new smart ID solutions that enhance privacy and prevent identity theft. _

-----Original Message----- From: "David Chadwick" Sent: Tuesday, 7 March, 2017 6:07pm To: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Hi Kaliya

Glad you are not in my class!

Seriously though, passwords are identity attributes if one regards every piece of information that is associated with a user as an identity attribute. But they are clearly not identifiers in the general case, as they do not uniquely identify anyone, given that 'password' and '123456789' are two of the most common passwords on the Internet. However, if you have a very strong password then it is possible that it could be an identifier, if you are the only person in the world using that password.

regards

David

On 07/03/2017 04:24, Kaliya Identity Woman wrote:

...

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.

Here is the post on their site with the poster.

https://identity.utexas.edu/infographics/identity-attributes-and-the-identit...

...

Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barber

Dr. Doty's

https://www.ischool.utexas.edu/people/person_details?PersonID=22

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

I can't help but agree with the poster. I also agree that these are indeed authentication characteristics. Just because they are authentication characteristics does not mean they are not identity attributes. When I see a long time friend, I identify and authenticate him by just seeing his face. Many biometric devices do similar, using the same biometric measurement they will identify which individual this might be, then authenticate that the individual is authentic. Further, in De-Identification methods, these would be considered identifiers or quasi-identifiers. In a De-Identification process they would be removed. In De-Identification the method must treat all data that is subject to the process, and therefore would see authentication characteristics as identity attributes. This said, it would be better that they explain this position. It isn't wrong, in my view; but it is a specific approach. John John Moehrke Principal Engineering Architect: Standards - Interoperability, Privacy, and Security CyberPrivacy – Enabling authorized communications while respecting Privacy M +1 920-564-2067 JohnMoehrke@gmail.com https://www.linkedin.com/in/johnmoehrke https://healthcaresecprivacy.blogspot.com "Quis custodiet ipsos custodes?" ("Who watches the watchers?") On Tue, Mar 7, 2017 at 6:23 AM, Kaliya Identity Woman < kaliya@identitywoman.net> wrote:

The bottom of the porter says:

What is an IDentity Attribute? - what you are - what you know - what you have - what you do

Are these not the factors or methods of authentication?

I have been in this industry for over 12 years and these (three and now 4 things) have always been referred to as authentication factors.

Right?

Here is a whole Twitter thread that got started ..... https://mobile.twitter.com/dgwbirch/status/838064419385016320

Sent from my iPhone

Sent from my iPhone

On Mar 7, 2017, at 4:08 AM, Nat Sakimura wrote:

Not necessarily "most", I think ;-)

ISO/IEC 24760-1 defines:

3.1.2

identity

set of attributes (3.1.3) related to an entity (3.1.1)

3.1.3

attribute

characteristic or property of an entity (3.1.1) that can be used to describe its state, appearance, or other aspects

so, it is apparently a wider concept for those people who worked on it.

And with the definition, many "difficult" questions become degenerated.

My take is: attributes that are necessary to offer the service are more important than others.

It could be a verified identifier, or verified address, or verified age, etc.

Nat

---

Nat Sakimura

Chairman, OpenID Foundation

On 2017-03-07 19:02, swilson@lockstep.com.au wrote:

In essence, I think most IDAM professionals would agree that

attributes are things that RPs need to know about Subjects in order to

[help] decide whether or not to accept a message, document etc. Some

of the nice questions we're all dealing with currently are:

- are attributes (ie what someone is) more important than "identity"

(ie who someone is)?

- how do you know that a given attribute about a Subject is true of

the Subject?

- that is, what authority vouches for the attribute?

- and how do you know that a presented attribute is bound to the

Subject and isn't being replayed?

If an attribute is something that we need to know about someone, then

clearly passwords are something else. Likewise for PINs (the cool

thing about PINs when at matched on-card is that nobody other the

Subject ever knows the PIN). And CVVs.

And then there is biometrics. There are broadly two modes of biometric

presentation: One-to-One, where it is generally preferred that the

biometric is matched locally in order to unlock a device (ala FIDO, or

Apple iTouch), and One-to-Many (often tellingly called

"identification") where I suppose the attribute could be regarded as

an attribute. But the general aversion to One-to-Many matching of

biometrics points to an ideal where biometrics are NOT identity

attributes!

Cheers,

Steve.

Stephen Wilson

LOCKSTEP GROUP

W: http://lockstep.com.au

T: @steve_lockstep

_Lockstep Consulting provides independent specialist advice and

analysis _

_on digital identity and privacy. Lockstep Technologies develops

unique _

_new smart ID solutions that enhance privacy and prevent identity

theft. _

-----Original Message-----

From: "David Chadwick"

Sent: Tuesday, 7 March, 2017 6:07pm

To: dg-idpro@kantarainitiative.org

Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Hi Kaliya

Glad you are not in my class!

Seriously though, passwords are identity attributes if one regards

every

piece of information that is associated with a user as an identity

attribute. But they are clearly not identifiers in the general case,

as

they do not uniquely identify anyone, given that 'password' and

'123456789' are two of the most common passwords on the Internet.

However, if you have a very strong password then it is possible that

it

could be an identifier, if you are the only person in the world using

that password.

regards

David

On 07/03/2017 04:24, Kaliya Identity Woman wrote:

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm

in

the new Masters of Science in Identity Management and Security at UT

Austin.

There have been some challenges in what has been taught... including

that the factors of authentication are not that...but "identifying

Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was

actually taught)... in this poster on the other side they are

identity

attributes..yes identity attributes. Sigh. I have raised issues

about

these two things that have been taught...and well not gotten very

far.

(besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with

blogs or twitter handles can point at the poster - references it and

explain why both things are wrong. (cause they, specifically Dr.

Barber

and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its

'wrongness" it snot great that this center is putting out this

information...it doesn't help us in the long run get explaining this

stuff right.

Here is the post on their site with the poster.

https://identity.utexas.edu/infographics/identity- attributes-and-the-identity-ecosystem

Here is Dr Barbers faculty page

- http://www.ece.utexas.edu//people/faculty/suzanne-barber

Dr. Doty's

https://www.ischool.utexas.edu/people/person_details?PersonID=22

_______________________________________________

DG-IDPro mailing list

DG-IDPro@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________

DG-IDPro mailing list

DG-IDPro@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________

DG-IDPro mailing list

DG-IDPro@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________

DG-IDPro mailing list

DG-IDPro@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idpro

_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro

Hi Catherine, The identity attribute space has to cover at least the following kinds of entities: -- Physical human entities (PEs) -- Non-person entities (NPEs) -- Personas (alias-like virtual entities associated with PEs or NPEs) -- Virtual entities (which might represent PEs or NPEs) Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it. Avanti, BobN From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Catherine Schulten Sent: Tuesday, March 07, 2017 6:09 PM To: Kaliya Identity Woman ; dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya – I was not an attendee at RSA but I thank you for sending this information over to the IDPro workgroup. I feel it is important to understand how others are discussing the identity topic, especially from a edu source like University of TX @ Austin. I am surprised about some of their statements on this poster as it is not how I would think to describe them. 1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes. 2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson: [Image posted by Lynn on January 31 at 10:04 PM] I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list. 3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata? 4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” https://www.idesg.org/The-ID-Ecosystem/Overview The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that that folks I work with the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but I could cause confusion if used to mean different things. I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email. Catherine Schulten Direct: 954-290-1991 From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman Sent: Monday, March 6, 2017 11:24 PM To: dg-idpro@kantarainitiative.org Subject: [DG-IDPro] IdM Poster. (thats wrong) HI ID Pro's As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin. There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes" They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn". But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me. Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right. Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... [Image removed by sender.] Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barberhttp://www.ece.utexas.edu/people/faculty/suzanne-barber Dr. Doty's https://www.ischool.utexas.edu/people/person_details?PersonID=22

Hi Kaliya, Don’t mistake the value of an attribute for the attribute as a construct. My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate there status as useful identity attributes. Avanti, BobN From: Kaliya Identity Woman [mailto:kaliya@identitywoman.net] Sent: Wednesday, March 08, 2017 1:32 AM To: Natale, Bob Cc: Catherine Schulten ; dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Sent from my iPhone On Mar 7, 2017, at 9:27 PM, Natale, Bob mailto:RNATALE@mitre.org> wrote: Hi Catherine, The identity attribute space has to cover at least the following kinds of entities: -- Physical human entities (PEs) -- Non-person entities (NPEs) -- Personas (alias-like virtual entities associated with PEs or NPEs) -- Virtual entities (which might represent PEs or NPEs) For clarification purposes the focus of the UT program is on people and PII. So far in 12+ months of discussions NPEs have not come up once really. Password and PINs are shared secrets that can/should/ do change they are not as I see it attributes of actual people. That is things used by other people or systems to describe them. By the definition of a Password as a shared secret (between them and the system they enrolled in) it is NOT known by others and therefore can not describe (an attribute) or be used to identify them. Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it. Avanti, BobN From: dg-idpro-bounces@kantarainitiative.orgmailto:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Catherine Schulten Sent: Tuesday, March 07, 2017 6:09 PM To: Kaliya Identity Woman mailto:kaliya@identitywoman.net>; dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya – I was not an attendee at RSA but I thank you for sending this information over to the IDPro workgroup. I feel it is important to understand how others are discussing the identity topic, especially from a edu source like University of TX @ Austin. I am surprised about some of their statements on this poster as it is not how I would think to describe them. 1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes. 2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson: I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list. 3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata? 4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” https://www.idesg.org/The-ID-Ecosystem/Overview The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that that folks I work with the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but I could cause confusion if used to mean different things. I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email. Catherine Schulten Direct: 954-290-1991 From: dg-idpro-bounces@kantarainitiative.orgmailto:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman Sent: Monday, March 6, 2017 11:24 PM To: dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: [DG-IDPro] IdM Poster. (thats wrong) HI ID Pro's As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin. There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes" They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn". But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me. Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right. Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barberhttp://www.ece.utexas.edu/people/faculty/suzanne-barber Dr. Doty's https://www.ischool.utexas.edu/people/person_details?PersonID=22

I've been lurking on the list and the topic that Kaliya introduced provides an interesting real world example of what id professionals would encounter. Through other work, I came across 'Annex A: Characteristics of a credential' from ITU x.1254: Entity authentication assurance framework from 2012[1] as an interesting datapoint to this topic. I too was a bit surprised at the definition of attributes that appeared in the infographic Kaliya called out and the inclusion of password as an attribute. I think it's inclusion was more for the exploration of the assessment items 1-4 on the infographic so that the 'attribute called password' can be included and is not an attempt to rewrite what attributes are. I also think it's worth mentioning, but low probability of being an influence, that some databases like Mysql actually use language in their queries to expressly say users are identified by their passwords, therefore one could assume that passwords are attributes[2]: ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass'; Does this alter the conversation or steer things differently? Unlikely. I do think this topic expands what an identity professional should be cognizant and/or observant of who is attempting to define things. It would be interesting to understand the position an id professional (and body that credentials them) would take about assessing which definitions SHOULD be taken and from which body and what the id professional body desires to define as in their wheelhouse. I suspect the answer will be 'it depends on the situation' and choosing one body (in no particular order) ITU, IETF, OASIS, NIST, Government X, Government Y , etc over another is a recipe for perpetual conflict. Does the developing id professional body of knowledge speak to things like this at all? C [1] X.1254 : Entity authentication assurance framework https://www.itu.int/rec/T-REC-X.1254-201209-I/en [2] Mysql password reset: https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html From: on behalf of Charles Eckert Date: Wednesday, March 8, 2017 at 9:31 AM To: "'Natale, Bob'" , Kaliya Identity Woman Cc: "dg-idpro@kantarainitiative.org" Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Have been following this discussion closely and had a few thoughts on this statement. While I agree that each of the attributes you’ve cited are attributes about an entity, I’m not convinced they are good Identity Attributes. Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes. The context piece is important. Email address is unique using unique name/domain pairs for the entire population, a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down and can’t be guaranteed to maintain uniqueness within a population of accounts. I suspect identity attributes have a few key characteristics: 1) Sufficient to identify a specific entity within a context (application, national, global, etc) 2) Tend to be stable over the long term (which is why weight and height, facial hair, etc wouldn’t be great identity attributes) 3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc) as they provide a documented start/stop to a specific attribute Behavioural Biometrics “Something you do” is discussed frequently within the authentication context. I see its value in continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioral biometrics were baked into primary authentication (e.g. cadence of password/pin) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event. The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities. Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program. Charles From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Natale, Bob Sent: Wednesday, March 8, 2017 3:30 AM To: Kaliya Identity Woman Cc: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya, Don’t mistake the value of an attribute for the attribute as a construct. My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate there status as useful identity attributes. Avanti, BobN From: Kaliya Identity Woman [mailto:kaliya@identitywoman.net] Sent: Wednesday, March 08, 2017 1:32 AM To: Natale, Bob Cc: Catherine Schulten ; dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Sent from my iPhone On Mar 7, 2017, at 9:27 PM, Natale, Bob wrote:

Hi Catherine,

The identity attribute space

has to cover at least the following kinds of entities: -- Physical human entities (PEs) -- Non-person entities (NPEs) -- Personas (alias-like virtual entities associated with PEs or NPEs) -- Virtual entities (which might represent PEs or NPEs)

For clarification purposes the focus of the UT program is on people and PII. So far in 12+ months of discussions NPEs have not come up once really. Password and PINs are shared secrets that can/should/ do change they are not as I see it attributes of actual people. That is things used by other people or systems to describe them. By the definition of a Password as a shared secret (between them and the system they enrolled in) it is NOT known by others and therefore can not describe (an attribute) or be used to identify them.

Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it.

Avanti, BobN

From:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Catherine Schulten Sent: Tuesday, March 07, 2017 6:09 PM To: Kaliya Identity Woman ; dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)

Hi Kaliya – I was not an attendee at RSA but I thank you for sending this information over to the IDPro workgroup. I feel it is important to understand how others are discussing the identity topic, especially from a edu source like University of TX @ Austin. I am surprised about some of their statements on this poster as it is not how I would think to describe them.

1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes.

2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson:

I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list.

3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata?

4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” https://www.idesg.org/The-ID-Ecosystem/Overview https://www.idesg.org/The-ID-Ecosystem/Overview The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that that folks I work with the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but I could cause confusion if used to mean different things.

I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email.

Catherine Schulten Direct: 954-290-1991

From:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman Sent: Monday, March 6, 2017 11:24 PM To: dg-idpro@kantarainitiative.org Subject: [DG-IDPro] IdM Poster. (thats wrong)

HI ID Pro's

As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin.

There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes"

They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn".

But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me.

Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right.

Here is the post on their site with the poster.

https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... ecosystem

Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barber http://www.ece.utexas.edu/people/faculty/suzanne-barber

Dr. Doty's

https://www.ischool.utexas.edu/people/person_details?PersonID=22

If there was ever an example of how we are not going to define our way out of a mess, this is it. This is not about the definition of "attribute"; it's really about the thinking that goes on (or doesn't go on) behind all the arbitrary technicalities. How are we to think clearly about digital identity? In plain English, an attribute (or an assertion or a claim) is something that one party needs to know about another party. A password is no such thing. Why do we spend so much time categorizing things and defining things, when it just doesn't make sense to think about things in that way? Definitions is not the mission; understanding digital identity and making it work is the mission. Taxonomists are important but most of us should be engineers. Cheers, Steve. PS. Andrew, please don't think I am directing criticism to you; your email was just the catalyst. I note that at several points you suggest that further glossary work is not necessarily the way to go. Stephen Wilson Managing Director Lockstep Group E: swilson@lockstep.com.au M: +61 (0)414 488 851 W: http://lockstep.com.au T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "Andrew Hughes" Sent: Tuesday, 28 March, 2017 12:12pm To: "Chris Phillips" Cc: "dg-idpro@kantarainitiative.org" Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) For now, the BoK does not talk about definitions of terms explicitly (and it MIGHT NOT do so in future): - we have created a taxonomy category called "Concepts" within each aspect of the BoK. This is a place for a more rich description and explanation of the important concepts. The important thing here is that it's supposed to explain the concepts for understanding - so in the cited case there would have to be enough explanation about why attributes could be defined in a certain way and maybe even what some alternative explanations might be. I could see the possibility of having some paragraphs on this topic included - still TBD but if anyone adds text to the live document we'd all appreciate it. - one of our participants is looking through the ISO terms and definitions to seek out additional concepts and standards that could/should be added to the BoK for later elaboration - my personal opinion on attempting to combine glossaries that were built for different purposes is: don't do it. If the orgs managing those glossaries want to harmonize them, then excellent: ID Pro would be very pleased to participate. If they are not interested then even if ID Pro could create the perfect combination, we should not - because the managing orgs would be very unlikely to adopt the work directly & it makes the glossary mapping exercise very fragile and non-manageable. Do I think that short-term term mapping tools are useful? Yes. But something like this needs a longer term solution. Andrew Hughes CISM CISSP Independent Consultant In Turn Information Management Consulting o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 [ AndrewHughes3000@gmail.com ]( mailto:AndrewHughes3000@gmail.com ) [ ca.linkedin.com/pub/andrew-hughes/a/58/682/ ]( http://ca.linkedin.com/pub/andrew-hughes/a/58/682/ ) Identity Management | IT Governance | Information Security On Mon, Mar 27, 2017 at 6:34 AM, Chris Phillips <[ Chris.Phillips@canarie.ca ]( mailto:Chris.Phillips@canarie.ca )> wrote: I've been lurking on the list and the topic that Kaliya introduced provides an interesting real world example of what id professionals would encounter. Through other work, I came across 'Annex A: Characteristics of a credential' from ITU x.1254: Entity authentication assurance framework from 2012[1] as an interesting datapoint to this topic. I too was a bit surprised at the definition of attributes that appeared in the infographic Kaliya called out and the inclusion of password as an attribute. I think it's inclusion was more for the exploration of the assessment items 1-4 on the infographic so that the 'attribute called password' can be included and is not an attempt to rewrite what attributes are. I also think it's worth mentioning, but low probability of being an influence, that some databases like Mysql actually use language in their queries to expressly say users are identified by their passwords, therefore one could assume that passwords are attributes[2]: ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass'; Does this alter the conversation or steer things differently? Unlikely. I do think this topic expands what an identity professional should be cognizant and/or observant of who is attempting to define things. It would be interesting to understand the position an id professional (and body that credentials them) would take about assessing which definitions SHOULD be taken and from which body and what the id professional body desires to define as in their wheelhouse. I suspect the answer will be 'it depends on the situation' and choosing one body (in no particular order) ITU, IETF, OASIS, NIST, Government X, Government Y , etc over another is a recipe for perpetual conflict. Does the developing id professional body of knowledge speak to things like this at all? C [1] X.1254 : Entity authentication assurance framework [ https://www.itu.int/rec/T-REC-X.1254-201209-I/en ]( https://www.itu.int/rec/T-REC-X.1254-201209-I/en ) [2] Mysql password reset: [ https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html ]( https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html ) From: <[ dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org )> on behalf of Charles Eckert <[ mr.eckert@gmail.com ]( mailto:mr.eckert@gmail.com )> Date: Wednesday, March 8, 2017 at 9:31 AM To: "'Natale, Bob'" <[ RNATALE@mitre.org ]( mailto:RNATALE@mitre.org )>, Kaliya Identity Woman <[ kaliya@identitywoman.net ]( mailto:kaliya@identitywoman.net )> Cc: "[ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org )" <[ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org )> Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Have been following this discussion closely and had a few thoughts on this statement. While I agree that each of the attributes you’ve cited are attributes about an entity, I’m not convinced they are good Identity Attributes. Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes. The context piece is important. Email address is unique using unique name/domain pairs for the entire population, a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down and can’t be guaranteed to maintain uniqueness within a population of accounts. I suspect identity attributes have a few key characteristics: 1) Sufficient to identify a specific entity within a context (application, national, global, etc) 2) Tend to be stable over the long term (which is why weight and height, facial hair, etc wouldn’t be great identity attributes) 3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc) as they provide a documented start/stop to a specific attribute Behavioural Biometrics “Something you do” is discussed frequently within the authentication context. I see its value in continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioral biometrics were baked into primary authentication (e.g. cadence of password/pin) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event. The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities. Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program. Charles From: [ dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org ) [[ mailto:dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org )] On Behalf Of Natale, Bob Sent: Wednesday, March 8, 2017 3:30 AM To: Kaliya Identity Woman Cc: [ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org ) Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya, Don’t mistake the value of an attribute for the attribute as a construct. My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate there status as useful identity attributes. Avanti, BobN From: Kaliya Identity Woman [[ mailto:kaliya@identitywoman.net ]( mailto:kaliya@identitywoman.net )] Sent: Wednesday, March 08, 2017 1:32 AM To: Natale, Bob <[ RNATALE@mitre.org ]( mailto:RNATALE@mitre.org )> Cc: Catherine Schulten <[ catherine.schulten@lifemedid.com ]( mailto:catherine.schulten@lifemedid.com )>; [ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org ) Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Sent from my iPhone On Mar 7, 2017, at 9:27 PM, Natale, Bob <[ RNATALE@mitre.org ]( mailto:RNATALE@mitre.org )> wrote: Hi Catherine, The identity attribute space has to cover at least the following kinds of entities: -- Physical human entities (PEs) -- Non-person entities (NPEs) -- Personas (alias-like virtual entities associated with PEs or NPEs) -- Virtual entities (which might represent PEs or NPEs) For clarification purposes the focus of the UT program is on people and PII. So far in 12+ months of discussions NPEs have not come up once really. Password and PINs are shared secrets that can/should/ do change they are not as I see it attributes of actual people. That is things used by other people or systems to describe them. By the definition of a Password as a shared secret (between them and the system they enrolled in) it is NOT known by others and therefore can not describe (an attribute) or be used to identify them. Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it. Avanti, BobN From:[ dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org ) [[ mailto:dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org )] On Behalf Of Catherine Schulten Sent: Tuesday, March 07, 2017 6:09 PM To: Kaliya Identity Woman <[ kaliya@identitywoman.net ]( mailto:kaliya@identitywoman.net )>; [ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org ) Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya – I was not an attendee at RSA but I thank you for sending this information over to the IDPro workgroup. I feel it is important to understand how others are discussing the identity topic, especially from a edu source like University of TX @ Austin. I am surprised about some of their statements on this poster as it is not how I would think to describe them. 1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes. 2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson: I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list. 3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata? 4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” [ https://www.idesg.org/The-ID-Ecosystem/Overview ]( https://www.idesg.org/The-ID-Ecosystem/Overview ) The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that that folks I work with the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but I could cause confusion if used to mean different things. I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email. Catherine Schulten Direct: [ 954-290-1991 ]( tel:(954)%20290-1991 ) From:[ dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org ) [[ mailto:dg-idpro-bounces@kantarainitiative.org ]( mailto:dg-idpro-bounces@kantarainitiative.org )] On Behalf Of Kaliya Identity Woman Sent: Monday, March 6, 2017 11:24 PM To: [ dg-idpro@kantarainitiative.org ]( mailto:dg-idpro@kantarainitiative.org ) Subject: [DG-IDPro] IdM Poster. (thats wrong) HI ID Pro's As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin. There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes" They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn". But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me. Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right. Here is the post on their site with the poster. [ https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... ]( https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... ) Here is Dr Barbers faculty page - [ http://www.ece.utexas.edu//people/faculty/suzanne-barber ]( http://www.ece.utexas.edu/people/faculty/suzanne-barber ) Dr. Doty's [ https://www.ischool.utexas.edu/people/person_details?PersonID=22 ]( https://www.ischool.utexas.edu/people/person_details?PersonID=22 ) _______________________________________________ DG-IDPro mailing list [ DG-IDPro@kantarainitiative.org ]( mailto:DG-IDPro@kantarainitiative.org ) [ http://kantarainitiative.org/mailman/listinfo/dg-idpro ]( http://kantarainitiative.org/mailman/listinfo/dg-idpro )

Hi Steve, While I generally agree with your overall view below (indeed, we typically have to live with multiple complementary or qualifying definitions and a significant level of terminological ambiguity in the IT domain generally) but I believe that restricting ourselves to a human-entities only perspective will ultimately (and fairly quickly) result in painting ourselves into a corner. So, with respect to” an attribute (or an assertion or a claim) is something that one party needs to know about another party. A password is no such thing.“: The first part is a useful definition. The second part is not necessarily true in all cases … e.g., some non-person entities when authenticating virtual entities … in such instances, a password (or any effective equivalent) may well be “something that one party” (the authenticating entity) “needs to know about another party” (the virtual entity being authenticated). Or do you see that as an invalid use case in an absolute sense or just not relevant to this group’s work? An explicit agreement to avoid identity concerns of NPEs may be a reasonable scope constraint to adopt … I wouldn’t favor doing so (sophisticated NPEs capable of effecting real-world impacts may be prevalent in our not-too-distant future … but it would explicitly remove NPE concerns from the work and that’s preferable to doing so implicitly … IMHO. Avanti, BobN From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of swilson@lockstep.com.au Sent: Monday, March 27, 2017 9:32 PM To: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) If there was ever an example of how we are not going to define our way out of a mess, this is it. This is not about the definition of "attribute"; it's really about the thinking that goes on (or doesn't go on) behind all the arbitrary technicalities. How are we to think clearly about digital identity? In plain English, an attribute (or an assertion or a claim) is something that one party needs to know about another party. A password is no such thing. Why do we spend so much time categorizing things and defining things, when it just doesn't make sense to think about things in that way? Definitions is not the mission; understanding digital identity and making it work is the mission. Taxonomists are important but most of us should be engineers. Cheers, Steve. PS. Andrew, please don't think I am directing criticism to you; your email was just the catalyst. I note that at several points you suggest that further glossary work is not necessarily the way to go. Stephen Wilson Managing Director Lockstep Group E: swilson@lockstep.com.aumailto:swilson@lockstep.com.au M: +61 (0)414 488 851 W: http://lockstep.com.au T: @steve_lockstep Lockstep Consulting provides independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft. -----Original Message----- From: "Andrew Hughes" mailto:andrewhughes3000@gmail.com> Sent: Tuesday, 28 March, 2017 12:12pm To: "Chris Phillips" mailto:Chris.Phillips@canarie.ca> Cc: "dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org" mailto:dg-idpro@kantarainitiative.org> Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) For now, the BoK does not talk about definitions of terms explicitly (and it MIGHT NOT do so in future): - we have created a taxonomy category called "Concepts" within each aspect of the BoK. This is a place for a more rich description and explanation of the important concepts. The important thing here is that it's supposed to explain the concepts for understanding - so in the cited case there would have to be enough explanation about why attributes could be defined in a certain way and maybe even what some alternative explanations might be. I could see the possibility of having some paragraphs on this topic included - still TBD but if anyone adds text to the live document we'd all appreciate it. - one of our participants is looking through the ISO terms and definitions to seek out additional concepts and standards that could/should be added to the BoK for later elaboration - my personal opinion on attempting to combine glossaries that were built for different purposes is: don't do it. If the orgs managing those glossaries want to harmonize them, then excellent: ID Pro would be very pleased to participate. If they are not interested then even if ID Pro could create the perfect combination, we should not - because the managing orgs would be very unlikely to adopt the work directly & it makes the glossary mapping exercise very fragile and non-manageable. Do I think that short-term term mapping tools are useful? Yes. But something like this needs a longer term solution. Andrew Hughes CISM CISSP Independent Consultant In Turn Information Management Consulting o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.commailto:AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/http://ca.linkedin.com/pub/andrew-hughes/a/58/682/ Identity Management | IT Governance | Information Security On Mon, Mar 27, 2017 at 6:34 AM, Chris Phillips mailto:Chris.Phillips@canarie.ca> wrote: I've been lurking on the list and the topic that Kaliya introduced provides an interesting real world example of what id professionals would encounter. Through other work, I came across 'Annex A: Characteristics of a credential' from ITU x.1254: Entity authentication assurance framework from 2012[1] as an interesting datapoint to this topic. I too was a bit surprised at the definition of attributes that appeared in the infographic Kaliya called out and the inclusion of password as an attribute. I think it's inclusion was more for the exploration of the assessment items 1-4 on the infographic so that the 'attribute called password' can be included and is not an attempt to rewrite what attributes are. I also think it's worth mentioning, but low probability of being an influence, that some databases like Mysql actually use language in their queries to expressly say users are identified by their passwords, therefore one could assume that passwords are attributes[2]: ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass'; Does this alter the conversation or steer things differently? Unlikely. I do think this topic expands what an identity professional should be cognizant and/or observant of who is attempting to define things. It would be interesting to understand the position an id professional (and body that credentials them) would take about assessing which definitions SHOULD be taken and from which body and what the id professional body desires to define as in their wheelhouse. I suspect the answer will be 'it depends on the situation' and choosing one body (in no particular order) ITU, IETF, OASIS, NIST, Government X, Government Y , etc over another is a recipe for perpetual conflict. Does the developing id professional body of knowledge speak to things like this at all? C [1] X.1254 : Entity authentication assurance framework https://www.itu.int/rec/T-REC-X.1254-201209-I/en [2] Mysql password reset: https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html From: mailto:dg-idpro-bounces@kantarainitiative.org> on behalf of Charles Eckert mailto:mr.eckert@gmail.com> Date: Wednesday, March 8, 2017 at 9:31 AM To: "'Natale, Bob'" mailto:RNATALE@mitre.org>, Kaliya Identity Woman mailto:kaliya@identitywoman.net> Cc: "dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org" mailto:dg-idpro@kantarainitiative.org> Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Have been following this discussion closely and had a few thoughts on this statement. While I agree that each of the attributes you’ve cited are attributes about an entity, I’m not convinced they are good Identity Attributes. Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes. The context piece is important. Email address is unique using unique name/domain pairs for the entire population, a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down and can’t be guaranteed to maintain uniqueness within a population of accounts. I suspect identity attributes have a few key characteristics: 1) Sufficient to identify a specific entity within a context (application, national, global, etc) 2) Tend to be stable over the long term (which is why weight and height, facial hair, etc wouldn’t be great identity attributes) 3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc) as they provide a documented start/stop to a specific attribute Behavioural Biometrics “Something you do” is discussed frequently within the authentication context. I see its value in continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioral biometrics were baked into primary authentication (e.g. cadence of password/pin) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event. The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities. Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program. Charles From: dg-idpro-bounces@kantarainitiative.orgmailto:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Natale, Bob Sent: Wednesday, March 8, 2017 3:30 AM To: Kaliya Identity Woman Cc: dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya, Don’t mistake the value of an attribute for the attribute as a construct. My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate there status as useful identity attributes. Avanti, BobN From: Kaliya Identity Woman [mailto:kaliya@identitywoman.net] Sent: Wednesday, March 08, 2017 1:32 AM To: Natale, Bob mailto:RNATALE@mitre.org> Cc: Catherine Schulten mailto:catherine.schulten@lifemedid.com>; dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Sent from my iPhone On Mar 7, 2017, at 9:27 PM, Natale, Bob mailto:RNATALE@mitre.org> wrote: Hi Catherine, The identity attribute space has to cover at least the following kinds of entities: -- Physical human entities (PEs) -- Non-person entities (NPEs) -- Personas (alias-like virtual entities associated with PEs or NPEs) -- Virtual entities (which might represent PEs or NPEs) For clarification purposes the focus of the UT program is on people and PII. So far in 12+ months of discussions NPEs have not come up once really. Password and PINs are shared secrets that can/should/ do change they are not as I see it attributes of actual people. That is things used by other people or systems to describe them. By the definition of a Password as a shared secret (between them and the system they enrolled in) it is NOT known by others and therefore can not describe (an attribute) or be used to identify them. Computer users (to use the term broadly, i.e., inclusive of all kinds of ICT devices) are virtual entities … the computer user with username “BobNatale” might ultimately point back to me, or someone else (named Bob Natale, Willy Wonka, or Marilyn Monroe), or to an intelligent software agent under the control of some government agency, etc. … but that username and PIN/passcode/password/PKI cert/etc. are identity attributes for that virtual entity … not for the actual entity behind it. Avanti, BobN From:dg-idpro-bounces@kantarainitiative.orgmailto:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Catherine Schulten Sent: Tuesday, March 07, 2017 6:09 PM To: Kaliya Identity Woman mailto:kaliya@identitywoman.net>; dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] IdM Poster. (thats wrong) Hi Kaliya – I was not an attendee at RSA but I thank you for sending this information over to the IDPro workgroup. I feel it is important to understand how others are discussing the identity topic, especially from a edu source like University of TX @ Austin. I am surprised about some of their statements on this poster as it is not how I would think to describe them. 1) I don’t consider one’s username/passcode/PIN as an identity attribute and I doubt that anyone in the identity space would list those things off if they were asked to cite examples of identity attributes. Person’s Name, phone numbers, SSN, DL #’s are what we typically think of when asked to list personal identity attributes. 2) I have consistently observed the definition around an authenticator to be “something you have, know or are”. In fact, a recent episode of Jeopardy had the following question so this seems to be a topic that is somewhat understood by the layperson: I have never heard “something you do” listed in this definition. Unless the author means a biometric along the line of signature cadence or heartbeat rhythm. I guess those could be considered “something you do”. But they should fall under the “something you are” category. I can’t imagine they mean one’s job as “something you are”. It’s not clear and I would challenge the inclusion of this bullet point in that list. 3) The poster also states that an identity ecosystem “assigns level of risk and value” – I assume they are referencing NIST IR 8112 around Identity Metadata? 4) One other point – the term Identity Ecosystem is one that the IDESG has already “snagged”. “an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.” https://www.idesg.org/The-ID-Ecosystem/Overview The poster should either align with that definition or perhaps come up with their own term if they are wanting to describe something else. I will make sure that that folks I work with the IDESG are aware that University of TX @ Austin is also using this term. Not sure if it has been trademarked or anything but I could cause confusion if used to mean different things. I think I maybe have a few dozen Twitter followers so my posting a rebuttal won’t go very far – but I would be interested in hearing a response from the faculty if you want to forward them this email. Catherine Schulten Direct: 954-290-1991tel:(954)%20290-1991 From:dg-idpro-bounces@kantarainitiative.orgmailto:dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Kaliya Identity Woman Sent: Monday, March 6, 2017 11:24 PM To: dg-idpro@kantarainitiative.orgmailto:dg-idpro@kantarainitiative.org Subject: [DG-IDPro] IdM Poster. (thats wrong) HI ID Pro's As those of you know who attended the ID-Pro breakfast at RSA.. I'm in the new Masters of Science in Identity Management and Security at UT Austin. There have been some challenges in what has been taught... including that the factors of authentication are not that...but "identifying Information" or as in the poster below says "Identity Attributes" They also have taught that password are identifiers (yes this was actually taught)... in this poster on the other side they are identity attributes..yes identity attributes. Sigh. I have raised issues about these two things that have been taught...and well not gotten very far. (besides being told i'm a "bad student" and "unwilling to learn". But now they have this fabulous poster. I'm hoping some of you with blogs or twitter handles can point at the poster - references it and explain why both things are wrong. (cause they, specifically Dr. Barber and Dr. Doty don't believe me. Or maybe this group could write a joint letter explaining its 'wrongness" it snot great that this center is putting out this information...it doesn't help us in the long run get explaining this stuff right. Here is the post on their site with the poster. https://identity.utexas.edu/infographics/identity-attributes-and-the-identit... Here is Dr Barbers faculty page - http://www.ece.utexas.edu//people/faculty/suzanne-barberhttp://www.ece.utexas.edu/people/faculty/suzanne-barber Dr. Doty's https://www.ischool.utexas.edu/people/person_details?PersonID=22 _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.orgmailto:DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro