Taxonomy AHG Meeting 12/19/2013

From IDESG Wiki
Revision as of 04:04, 28 June 2018 by Omaerz (talk | contribs) (4 revisions imported: Initial Upload of old pages from IDESG Wiki)


Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |




Attendees

Adam Madlin (Chair) Ryan Galluzzo Tom Jones
Suzanne Lightman Mike Garcia Seetharama Durbha
Winthrop Baylies Jim Fenton Anne Racuya-Robins

Notes

Objectives/Intro:

  • Discuss objectives for upcoming Plenary
  • Discuss “year-end summary”
  • Confirm consensus on “credential” and “authentication”
  • Continue discussion of “anonymous” and “pseudonymous”

General:

  • The next two meetings will not be held due to the Holidays.
  • The Management Council has requested that each committee develop a one paragraph summary of what has been done over the course of the past year; Adam will be drafting this and sending it around for review.
  • Adam suggested that once we complete the first set of glossary terms, the group should take a few meetings to discuss and review the AHG approach and processes.
  • Adam suggested that the implementations of “pseudonymity” and “anonymity” require a larger conversation; he has set aside a time block for conversation at the plenary if the AHG thinks it would be useful to host the discussion at that time.
  • The standards committee is interested in this conversation.
  • Adam further suggested that this session should be guided/moderated and could include a panel presentation.
  • Win believes that this will provoke a much larger conversation of roles within the IDESG; but he is unsure whether it will result in any decisions or conclusions.
  • Jim suggested we contact the Privacy Committee about participation in the session; he also believes that the issues of anonymity and pseudonymity extend beyond taxonomy and need to be aligned across the board.
  • Jim suggested a panel discussion with key stakeholders and representatives from the various committees; the goal is not a “fait accompli” but level setting.
  • Adam will continue to push this as a proposal and will engage with others to gain input and shape the session.
  • Seetharama wanted to know if the goal of this panel is to determine whether or not it needs to be defined. Adam suggested it was primarily to gain feedback, promote awareness, and determine a broad range of stances regarding the topic.
  • The AHG will also have their report out and a breakout session.
  • The draft agenda is available on the IDESG website.


Glossary Version 1.1:

  • Both credential and authentication were approved by consensus.
  • Tom did not object to the definition of authentication, but he thinks that it is “awkward” without stating what is produced by the authentication process; he feels it should mention the production of a claim which is validated.
  • Seetharama was not aware that token had been concluded.
  • Jim suggested our existing definition is closely aligned with the 800-63 definition of token and includes “soft tokens” (such as passwords); most people only think of hard tokens and it could be confusing.
  • Seetharama wanted to clarify that he is not objecting to the definition of token; he just did not remember the group finalizing the term.
  • Glossary 1.1 is officially concluded; the AHG will submit the current set of approved terms for review by the Plenary without additional notes.


Anonymity and Pseudonymity

  • Tom believes that anonymity is out of scope for the IDESG; if there is no identity there is no “ID Ecosystem.”
  • Seetharama disagreed and suggested that we need to define it before we can make the determination that it is not applicable to the ID Ecosystem.
  • At the last meeting we decided to define the terms below and over the course of the past week developed a starting point for each definition:
      Pseudonymous interaction - An interaction for which the data released is not sufficient to infer the entity involved, but for which multiple interactions to the same relying party may be associated with each other.
      Pseudonymous digital identity - A digital identity whose attribute values need not identify a unique entity.
      Anonymous interaction - An interaction for which the data released is not sufficient to infer the entity involved, and for which information to correlate multiple interactions to the same relying party is not provided.
  • No one suggested adding more related terms.
  • Jim suggested that we do not need to define “pseudonymous digital identity.”
  • Tom suggested that we focus first on pseudonymous digital identity since you cannot determine whether an interaction is being conducted pseudonymously or not; he believes the “inference” statement is not possible; you can only determine the intent of the transaction, not what another party may or may not infer from that transaction.
  • Jim disagreed and suggested that most transactions at the current levels of assurance include information such as the individual's name; in transactions that do not have strong levels of assurance, the assumption is that a pseudonym is being used.
  • Tom stated that when this is tied back to levels of assurance/strong assertions then the concept makes more sense.
  • Mike thinks Tom is really only considering the interaction from an RP side; from the perspective of the user he wants to be able to know that the other parties do not know the name or true identity of the user.
  • Tom suggested that this is not possible since there can be no way to avoid the possibility of inferring the identity of the user; he referenced the Yahoo “anonymized” data cases.
  • Mike still believes that there needs to be some degree of confidence for the user to conduct an interaction without the RP knowing who they are.
  • Tom believes there are two separate issues, the user intent v. what can be inferred from the interactions; you can define the user’s intent within the context of the digital identity but not the interactions themselves.
  • The following definition was suggested for Pseudonymous Digital Identity: A digital identity whose attribute values are not verified.
  • Tom believes we need to create a “taxonomy of claim requests” so that the user can understand what the RP wants from the user.
  • Seetharama believes that this is a specification issue not a taxonomy issue. This is too far down the road for discussion right now.


Close out

  • The AHG will continue these discussions at the next meeting and through the listserv.
  • Glossary version 1.1 will be submitted to the Plenary for review and approval.



Actions

Action | Owner | Due | Status
Complete Glossary 1.1 | AHG | 19-Dec | Complete
Submit Glossary 1.1 for Plenary approval | Adam Madlin | 6-Jan | In Progress



