Taxonomy AHG Meeting 11/14/2013

From IDESG Wiki
Revision as of 04:04, 28 June 2018 by Omaerz (talk | contribs) (5 revisions imported: Initial Upload of old pages from IDESG Wiki)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |




Attendees

Adam Madlin (Chair) Ryan Galluzzo Bryan Russell
John Stearns Mike Garcia Bryan Russel
Robert Faron Jim Fenton Eric Krum
Anne Racuya-Robins Cathy Tilton Kaliya Hamlin
Seethrama Durbha Christopher Spottiswoode Winthrop Baylies
Ben Wilson Bev Corwin


Notes

Objectives/Intro:

  • The goal of this meeting is to gain consensus on the following new definitions:
    Digital identity: An attribute set that can be uniquely distinguished in a given context.
    Pseudonymous interaction: An online interaction such that attributes are untraceable to the attribute owner.
    Anonymous interaction: An online interaction such that attributes are untraceable to the attribute owner and unlinkable to any other interaction but may be persistent through a session.
  • Adam stressed that, just because we are putting “Identity” aside for the moment, it does not mean that we will not re-address at a later date if the AHG thinks it is necessary
  • Adam called for any objections to taking up these items as the foucs of today’s discussion; there were no objections


Digital Identity:

  • Ben Wilson supports the proposed definition.
  • Jim Fenton believes that the current definition suggests that the user gives the identity to a relying party. He does not agree and believes that the correct definition would be based on the concept that the ID is an account at an IDP (with associated attributes) that is given by the IDP to an RP for the purposes of a specific interaction. The current definition is to RP centric and the digital identity exists outside of relying party contexts. He suggests: An attribute set that is associated with a given entity. Jim wanted to know what kind of identities don’t have an entity tied to them.
    Ben suggests that this reads far too much into what is actually contained in the definition.
    Seetharama agrees with Ben; he feels the current text actually does support the IDP/RP interactions Jim highlights in his argument. He also points out that, in general, some form or aspect of the identity is always shared with the RP.
  • Bryan asked, “What kind of identity is not created or initiated by an entity?”
    • Mike pointed out the example of the “Facebook” shadow identity; these have a lot of attributes and information that identify you, but the entity takes no action in creating it.
    Adam pointed out the fact that many organizations create marketing identities and enterprise identities that the root entity has little or no part in creating.
  • Bryan is opposed to excluding the term entity from the definition of “digital identity”; you cannot have an identity without an entity to create that identity.
  • John Stearns suggested that the current definition is a perfectly acceptable definition for the term; it allows for multiple identities for multiple purposes which is essential to the NSTIC strategy.
  • Bryan thinks this definition creates a situation where anyone can create a digital identity without the root entity’s knowledge.
  • Bob pointed out that the key is ensuring the “unique within a context” to allow people to have multiple identities in multiple contexts, but not necessarily having them tied back to a single entity. Without this, pseudonyms and anonymity will not be possible.
  • Eric suggested that “less is more” when it comes to the definitions and suggested moving forward with the current definition of “digital identity.”
  • After Adam inquired, Jim stated that he did not believe there are any privacy concerns with the current definition of “digital identity”
  • Adam called for members of the meeting to raise their hands if they objected to the definition; there were 15 attendees and only 2 objections.
  • Christopher suggested that this is a root definition and that it needs to be simple; it is not intended to specifically account for every possible version of digital identity that can arise in the ecosystem. He supports the current definition.
  • Eric believes that in order to account for anonymous interactions and pseudonyms, the definition of digital identity cannot include the phrase, “tied to an entity.”
  • Jim pointed out that he does not consider the cases of Facebook “shadow identities” and Wikipedia biographies to be part of his identity or “digital identities.” He still feels like “digital identity” should be associated with an entity; he doesn’t care who creates it, but to be his identity he needs to be the entity using it.

Pseudonymous Interaction

  • Jim wants to know if this has to be “untraceable” or an interaction where the attributes do not necessarily have to be vetted and trusted by the RP.
  • Adam suggested that verified or trust attributes can be part of a pseudonymous interaction.
  • Eric Krum suggested: An online interaction such that the attributes are not verified by the relying party.
  • Ben Wilson disagrees with the current definition, he does not believe that it has to be untraceable; he suggests: An online interaction where the attribute owner use a fictitious identifier.
  • The dictionary definition is: bearing or using a fictitious name.
  • Seetharama suggests this should be shifted to a “pseudonymous identity” and not an interaction; he believes the dictionary definition would work. The key is that there is no verification of the attributes associated with the identity.
  • Ben disagrees with this approach. He likes the idea of defining a pseudonymous interaction.
  • Eric suggests: An online assertion of an identity where the attributes are not verifiable by the relying party.
  • Mike suggested that if we go down the road of defining pseudonymous identity we will have the same battle we just had with “identity” and “digital identity” all over again.

Anonymous Interaction

  • We are intentionally avoiding the concept of “anonymous identity.” In last week’s meeting there were suggestions that the primary aspect of an anonymous interaction is that it is that the pseudonym used in the transaction is not persistent or linkable across multiple transactions.
  • Seetharam believes that the current definition is good, but not necessarily comprehensive; he believes that some attributes may in fact be used across transactions without being linked to an identity or the pseudonym.
  • There was a suggestion that an anonymous identity could be essentially the same as a “digital identity” with the removal of the phrase, “uniquely distinguished.”
    Mike does not believe so; during a session you are still uniquely distinguished from all others.
  • Ben thinks the definition works well.

Pseudonymous Identity

  • Current definition put forth is: An identity where the attributes are verified as being owned by the entity that created it.
  • Jim does not agree with this definition.
  • Seetharama also disagrees; his big concern is over the issue of “owned” and “real” in the definition of entity.
  • Mike suggested that this needs to be a “Pseudonymous Digital Identity”; he also suggested that the definition could include, “not verified as being owned by a specific entity.”
  • Bob stated that the he believes the pseudonymous definitions should not include untraceable, but “traceable only where the user choose to allow it.” With anonymous, he feels untraceable is appropriate.
  • Mike agrees and points out that this why he wants to focus on the interactions; he believes that you can use a digital identity in different kind of interactions without having to change or get a new identity. You could potentially use the same identity for different kinds of transactions, including pseudonymous and anonymous.

Decisions

  • Adam called for approval of the term “Digital Identity”-12 yes votes, one objection, and two abstentions.
    The Definition of “Digital Identity” was approved by the AHG.
  • Open questions:
    Do we define “Pseudonymous Interaction,” “Pseudonymous Identity,” both or one not the other?
    Do we still need to define “identity?”
    Definition of “anonymous interactions” is still up for debate


Actions

Action Owner Due Status
None N/A N/A N/A




Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |