On 14-Mar-06, at 2:32 PM, RL 'Bob' Morgan wrote:
Consensus on moving forward based on this definition?
Eh, no.
I retract my previous consensus and agree with Bob's points below. I
think defining Digital Identity Exchange rather than just Identity
allows us to define what we are solving.
This definition encapsulates the unfortunate confabulation of
"identity" and "identifier" that appears to me to be the cause of
much of the confusion in discussions about this stuff.
An identity is any subset of attributes of an individual which
identifies this individual within any set of individuals.
Set A is the set of all people in the building I'm in now. We're
all employees of the University of Washington. So my attribute
"employee of the UW" doesn't identify me within Set A, hence is not
part of my identity by this definition. Set B is the set of people
attending next week's bar bof. Only one of them, me, is a UW
employee, so my attribute "employee of the UW" does distinguish me,
hence is part of my identity. So when I send "UW employee" on the
wire, am I sending "identity information" or not?
This is a useless definition for doing a protocol design, because
it's only meaningful in the context of a particular interpreting
party (ie, the party that wants to "identify" (more accurately,
distinguish) one individual from another in a set they are using)
(and it's especially useless because that party isn't even referred
to in the definition). What's useful in a protocol design is a
definition that refers to the information being transmitted.
In fact the useful definition is the one that has already been
promoted by Kim Cameron and subjected to endless discussion in the
identitygang context (http://www.identitygang.org/DigitalIdentity):
Digital Identity
Definition: The digital representation of a set of Claims made by one Party about itself or another Digital Subject.
where I would modify this slightly and say that it is exactly the
definition of "digital identity exchange":
The transmission of a digital representation of a set of Claims made by one Party about itself or another Digital Subject, to one or more other Parties.
which is supposedly what we're here to talk about.
The distinction that the "subset of attributes" definition is
grasping at but failing to address is that between (1) the entire
mass of "stuff about me" that constitutes a Subject's (aka entity's/
individual's) identity (subsets of which constitute an identity in
any particular context), and (2) those attributes that are
specifically designed to distinguish one Subject from another,
which we call "identifiers" (eg username, UUID, SSN, Subject Name,
etc). Authentication operations have traditionally involved the
use of identifiers, so people tend to associate them with
"identity", and obviously identifier attributes are often useful in
any real identity system.
But in the modern world we observe that identifiers may or may not
be needed in any particular act of system access or personal info
exchange, hence the importance of opening up "digital identity
exchange" to be potentially any "stuff about me". That is, in many
cases the relying party doesn't need "attributes that identify this
individual within a set of individuals", it just needs enough info
to do its job.
This is why modern systems like SAML put emphasis on including
attributes in authentication operations, and define identifier
values that specifically mean "not a useful identifier for
you" (see section 8.3.8 of SAML 2.0 Core).
- RL "Bob"
On Tue, 14 Mar 2006, John Merrells wrote:
I just wanted to close out a thread and check there's agreement:
On 28-Feb-06, at 2:46 AM, Ben Laurie wrote:
"An identity is any subset of attributes of an individual which
identifies this individual within any set of individuals. So usually
there is no such thing as “the identity”, but several of them."
A couple of list members (Jefsey, Dick) seconded this definition.
I can go with this too, although it seems a little complex.
Consensus on moving forward based on this definition?
John
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix