Consensus on moving forward based on this definition?
Eh, no.
This definition encapsulates the unfortunate confabulation of "identity"
and "identifier" that appears to me to be the cause of much of the
confusion in discussions about this stuff.
An identity is any subset of attributes of an individual which
identifies this individual within any set of individuals.
Set A is the set of all people in the building I'm in now. We're all
employees of the University of Washington. So my attribute "employee of
the UW" doesn't identify me within Set A, hence is not part of my identity
by this definition. Set B is the set of people attending next week's bar
bof. Only one of them, me, is a UW employee, so my attribute "employee of
the UW" does distinguish me, hence is part of my identity. So when I send
"UW employee" on the wire, am I sending "identity information" or not?
This is a useless definition for doing a protocol design, because it's
only meaningful in the context of a particular interpreting party (i.e., the
party that wants to "identify" (more accurately, distinguish) one
individual from another in a set they are using), and it's especially
useless because that party isn't even referred to in the definition.
What's useful in a protocol design is a definition that refers to the
information being transmitted.
In fact the useful definition is the one that has already been promoted
by Kim Cameron and subjected to endless discussion in the identitygang
context (http://www.identitygang.org/DigitalIdentity):
Digital Identity
Definition: The digital representation of a set of Claims made by one
Party about itself or another Digital Subject.
where I would modify this slightly and say that it is exactly the
definition of "digital identity exchange":
The transmission of digital representation of a set of Claims made by
one Party about itself or another Digital Subject, to one or more other
Parties.
which is supposedly what we're here to talk about.
The distinction that the "subset of attributes" definition is grasping at
but failing to address is that between (1) the entire mass of "stuff about
me" that constitutes a Subject's (aka entity's/individual's) identity
(subsets of which constitute an identity in any particular context), and
(2) those attributes that are specifically designed to distinguish one
Subject from another, which we call "identifiers" (e.g. username, UUID, SSN,
Subject Name, etc). Authentication operations have traditionally involved
the use of identifiers, so people tend to associate them with "identity",
and obviously identifier attributes are often useful in any real identity
system.
But in the modern world we observe that identifiers may or may not be
needed in any particular act of system access or personal info exchange,
hence the importance of opening up "digital identity exchange" to be
potentially any "stuff about me". That is, in many cases the relying
party doesn't need "attributes that identify this individual within a set
of individuals", it just needs enough info to do its job.
This is why modern systems like SAML put emphasis on including attributes
in authentication operations, and define identifier values that
specifically mean "not a useful identifier for you" (see section 8.3.8 of
SAML 2.0 Core).
- RL "Bob"
On Tue, 14 Mar 2006, John Merrells wrote:
I just wanted to close out a thread and check there's agreement:
On 28-Feb-06, at 2:46 AM, Ben Laurie wrote:
"An identity is any subset of attributes of an individual which
identifies this individual within any set of individuals. So usually
there is no such thing as 'the identity', but several of them."
A couple of list members (Jefsey, Dick) seconded this definition.
I can go with this too, although it seems a little complex.
Consensus on moving forward based on this definition?
John
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
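As an added illustration of the two definitions argued over above (not code from the thread or from any of its participants): the first function applies the "subset of attributes that identifies the individual within a set" definition and shows it flips depending on which set the interpreting party holds; the rest models the claims-based exchange, where the issuer releases only the attributes the relying party needs plus a per-session opaque handle standing in for a SAML transient NameID, and the relying party decides on attributes alone. The populations and attribute names are constructed sample data.

```python
import secrets
from typing import Dict, Mapping, Set

Claims = Mapping[str, str]

# Constructed sample data mirroring the mail: everyone in the building works
# for the UW; at the bar bof only one attendee does.
BUILDING: Dict[str, Claims] = {
    "bob":   {"employer": "UW", "role": "staff"},
    "alice": {"employer": "UW", "role": "faculty"},
    "dave":  {"employer": "UW", "role": "student"},
}
BAR_BOF: Dict[str, Claims] = {
    "bob":   {"employer": "UW", "role": "staff"},
    "carol": {"employer": "ExampleCorp", "role": "engineer"},
    "erin":  {"employer": "OtherUniv", "role": "faculty"},
}

def identifies(attrs: Set[str], subject: str, population: Mapping[str, Claims]) -> bool:
    """'Subset of attributes' definition: do these attributes single out
    `subject` within `population`?  The answer depends on the population,
    which is the objection raised in the mail."""
    target = {a: population[subject][a] for a in attrs}
    matches = [who for who, claims in population.items()
               if all(claims.get(a) == v for a, v in target.items())]
    return matches == [subject]

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def issue_assertion(subject_claims: Claims, release: Set[str]) -> dict:
    """Claims-based exchange: transmit only the released claims about the
    subject.  The name_id is a fresh opaque handle per assertion, modelled on
    a SAML transient identifier: it deliberately is not a reusable identifier
    for the relying party (this dict layout is a constructed analogue, not
    SAML XML)."""
    return {
        "name_id": {"format": TRANSIENT, "value": secrets.token_urlsafe(16)},
        "attributes": {k: subject_claims[k] for k in release},
    }

def authorize(assertion: dict, required: Claims) -> bool:
    """Relying party needs 'enough info to do its job': it checks attributes
    and never consults the identifier."""
    attrs = assertion["attributes"]
    return all(attrs.get(k) == v for k, v in required.items())
```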