Taxonomy AHG Meeting 12/05/2013

From IDESG Wiki


Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |




Attendees

  • Adam Madlin (Chair)
  • Ryan Galluzzo
  • Ben Wilson
  • John Stearns
  • Mike Garcia
  • Bev Corwin
  • Winthrop Baylies
  • Jim Fenton
  • Eric Krum
  • Anne Racuya-Robins
  • Cathy Tilton
  • Sal D’Agostino
  • Seetharama Durbha
  • Christopher Spottiswoode

Notes

Objectives/Intro:

  • Finalize Digital Identity, Identifier, and Authentication.
  • Discuss the remaining Glossary terms for set 1.1: Credential, Pseudonymous Transaction, and Anonymous Transaction.
  • Complete the first set of terms by Christmas break.

Token:

  • Cathy wanted to make sure her comment from last week regarding “token” was recorded and will be reflected in the notes.
  • Adam will update the notes by the next meeting.
  • Sal pointed out that tokens can be used for more than just authentication, authorization for example. He will pass his suggested changes across the email list.

Identifier:

  • The new proposed definition based upon the list serve conversations is: An Attribute that can be used to distinguish a digital identity.
  • Jim can live with this definition; however, he tends to think that an identifier is provided by an identity provider and not an attribute provider. The use of “attribute” confuses conversations in the NSTIC context, which features both IDPs and APs.
  • Sal does not think the note meets the needs of the definition; Adam asked that we revisit the note at a later time.
  • Mike did note that the context was removed because it was redundant.
  • Sal also asked why the definition uses the term “can be” rather than “is used”; Mike suggested that using “is used” would require there always to be an “identifier”, and we do not want to narrow things to that degree. Sal stated that he could live with the definition as is.
  • There were no ongoing objections and the definition of identifier was approved by consensus; Sal requested that we check to ensure that the listed sources on the wiki are still relevant to the accepted definitions.

Digital Identity:

  • Current definition is: An attribute set that can be uniquely distinguished in a given context and can be used for a digital interaction.
  • Sal suggested that this definition does not address identity at all; it could be anything digital. It doesn’t specify what is being distinguished. He believes that the definition does not stand on its own.
  • John Stearns believed it is acceptable as it is.
  • Mike suggested that the inclusion of “in a digital transaction” requires the things to be capable of a digital interaction; primarily he wants the definition to be broad enough to ensure use within as many NSTIC use cases as possible.
  • Sal dropped his objection, but requested that we update the notes to provide more clarity.
  • The definition of Digital Identity was approved by the AHG as final.

Authentication:

  • There are two proposed definitions:
  1. Process of confirmation of a claimed identity based on valid credentials.
  2. Process of determining the validity of a credential used to claim a digital identity.
  • Jim prefers the second definition.
  • Suzanne also prefers the second because it actually opens the possibility of a failed authentication.
  • Mike agreed. He also believes that the first implies that the credential is valid before the authentication has taken place.
  • Ben believes the second definition only relays the point of view of the RP; he feels it needs to include the concept of presenting the identity as well as determining the validity of the definition.
  • Mike thinks Ben’s concerns are valid; he suggested that as the user I cannot authenticate by the second definition.
  • Win suggested the definition has two parts: a) claiming a digital identity and b) determining the validity of the credential involved.
  • Ben suggested changing it to a “communication process”, not just “process”.
  • Adam suggested that it should be a “two-party process”, not “communication”.
  • It was suggested that it should be an “iterative, two-party process”.
  • Tom Jones pointed out you do not request a credential at the time of authentication, you do it at enrollment.
  • There are concerns that this definition is dependent upon the definition of credential.
  • Sal asked how many parties are involved in authentication. It was determined there are only two: the User and the IDP. The RP accepts or does not accept the claim generated by the IDP.
  • The new suggested definition is: An iterative two-party process involving submission of a digital credential and determining the validity of the digital identity.
  • Mike and Suzanne suggested the removal of iterative and two-party because it would require all approaches to authentication to be iterative and two-party. Mike believes it is a bad idea to close the door on different approaches to authentication.
  • Adam suggested a “multi-party” process.
  • Suzanne suggested replacing submission with presentation; though Jim objected stating that if his credential is his private key he will not be presenting it to anyone.
  • Jim believes we should table this conversation and discuss it in conjunction with credential.
  • The discussion was tabled in favor of opening credential for discussion.

Credential:

  • The group currently has multiple working definitions of credential, which are all available on the wiki page.
  • Ben suggested that the two definitions in the discussion guide could work, but as a group we need to select the definition of credential that supports the broadest uses in the IDESG. It could be affected by LOA and by the factors used as credentials.
  • Adam does not believe the LOA or type will change the definition, just the type of credential used.
  • John believes we could combine these two definitions into one.
  • Tom suggested that the two definitions are contradictory and that there are at least two different types of credentials; one that authenticates a user and another that authenticates a message.
  • Adam suggested that the term could have more than one definition.
  • Seetharama suggested that the binding is not a credential; NIST 800-63 suggests that the binding is the definition of the credential.
  • Tom agrees, but he has seen this kind of definition used in several contexts across industry.
  • Seetharama stressed the need to keep our definitions as open as possible to different factors and types.
  • Tom clarified that his only objection to the NIST definition is the lack of “token” being included in the definition.
  • Adam asked Tom to send an email to the list serve to discuss his objections and propose a new definition for credential.

Close out

  • Adam would like to close out credential and authentication at the next meeting.


Actions

Action | Owner | Due | Status
Complete Glossary 1.1 | AHG | 19-Dec | In-progress



