[KI-LC] FW: Media query from SC Magazine - deadline 2/26/2016 17:30:00

Allan Foster allan.foster at forgerock.com
Tue Feb 23 12:36:38 CST 2016


So this is the discussion of Personas

I also fundamentally disagree that Identity is necessarily a collection
of attributes.  And identity is simply a thing.  Collections of
attributes might be associated with an identity when required for
specific contexts.

Allan


Simplify Email: Email Charter <http://emailcharter.org/>

*Allan Foster - ForgeRock*
/VP Strategic Partner Enablement/
*Location:* San Francisco
*p:* +1.214.755.9218
*email:* allan.foster at forgerock.com <mailto:allan.foster at forgerock.com>
*blogs:* blogs.forgerock.com/GuruAllan
<http://blogs.forgerock.com/GuruAllan>
*Skype:* Call GuruAllan <http://is.gd/lWVfMG>
*www:* www.forgerock.com <http://www.forgerock.com/>
*www:* www.forgerock.org <http://www.forgerock.org/>

On 2/23/16 9:32 AM, Ken Dagg wrote:
> Colin,
>
> How does this sound to address the question, "My identity as my wife
> sees it may be different to my identity as my bank sees it, which may
> be different again to my identity as my employer sees it. How do we
> cope with multiple attributes in ID management?"
>
> Ken
>
> ===================
>
> Identity Management thinking is beginning to recognize that who an
> individual is (e.g., their identity) is dependent on the scenario in
> which that individual needs to assert who they are. Who you are, and
> how you represent yourself, in social situations, work situations and
> commercial situations is probably different - but all are just
> different representations or variations of who you are as an individual.
> That is, your identity is what someone needs to know about you in
> order to interact with you.
>
> For example, in order for you to be able to establish an account, and
> carry out financial transactions, with a bank requires that the bank
> know certain information (i.e., attributes) about you. Some of this
> information is required in order for the bank to deal with you
> effectively while other information is required to satisfy legal
> requirements. Your employer also requires specific information
> (attributes) about you in order to have you as an employee (i.e., to
> pay you, to provide benefits, to provide work facilities). While there
> may be some overlaps between the sets of attributes required to
> satisfy these two relationships there are most likely differences.
> What is emerging is that 1) the required attributes are defined by and
> part of the relationship and 2) there is no one representation that
> satisfies all requirements.
>
> As such, the relationship you want to establish identifies the
> required attributes (i.e., your "identity") and manages them to
> accomplish the purpose that the relationship exists to perform. As the
> user - the Relying Party (RP) - of your identity (e.g., the bank) is
> at risk, they authenticate and manage the set of attributes they
> require of you in order to mitigate the risk of getting it wrong. That
> is, the RP manages the identity of its clients to the degree they need
> to in order to operate. It is essential that the RP undertake a risk
> assessment to identify the consequences - financial and reputational -
> they will suffer if they misidentify someone and then establish, at a
> cost they believe is affordable, the mechanisms they believe will
> mitigate that risk. 
>
> The set of mechanisms they use - the level of assurance they require -
> to mitigate their risk depends on the consequences they will suffer if
> they get it wrong (i.e., they misidentify you). These mechanisms can
> include doing nothing, using internal checks, using Social Media
> sites, using Government Agencies, or using companies that have
> established themselves as Identity Providers (IdPs), Credential
> Service Providers (CSPs), or Attribute Providers (APs). 
>
> Of importance to you, however, is knowing, and being able to correct
> errors in, the information / attributes the RP maintains about you as
> well as being assured that the RP respects your privacy.
>
>
>
> On Tuesday, 23 February 2016, Colin Wallis <colin_wallis at hotmail.com
> <mailto:colin_wallis at hotmail.com>> wrote:
>
>     That's great. Many thanks Sal.
>     Perfect timing for the IRM call coming up in a few hours.
>     Cheers
>     Colin
>
>
>     Colin, I can pitch in on some of these:
>
>      
>
>     What are the latest advances in ID Management technology?
>
>     How has it evolved over the years?
>
>     ID management has been largely about people in the past. How will
>      the Internet of Things change that, if at all?
>
>      
>
>     I can use UMA and IRM as examples and also bring in some of the
>     things we have been talking about in the IDoT DG.
>
>      
>
>     *From:* lc-bounces at kantarainitiative.org
>     [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of* Colin Wallis
>     *Sent:* Monday, February 22, 2016 5:50 PM
>     *To:* Mike Schwartz
>     *Cc:* Kantara Leadership Council Kantara
>     *Subject:* Re: [KI-LC] Media query from SC Magazine - deadline
>     2/26/2016 17:30:00
>
>      
>
>     OK, thanks for that offer Mike.
>
>     But the thing is, the guy asked Kantara, so he is expecting a
>     response from experts on behalf of Kantara.
>
>     Taking him to Gluu is kind of one step removed.
>
>     I'm happy for responses to contain links to Gluu and elsewhere,
>     but I think we are setting ourselves up for some copyright
>     concerns if we point folks away, straight out of the gate.
>
>     Cheers
>
>     Colin
>
>     > Date: Mon, 22 Feb 2016 15:11:16 -0600
>     > From: mike at gluu.org
>     > To: colin_wallis at hotmail.com
>     > CC: lc at kantarainitiative.org
>     > Subject: Re: [KI-LC] Media query from SC Magazine - deadline
>     > 2/26/2016 17:30:00
>     >
>     >
>     > Colin,
>     >
>     > I can offer to take a stab at responding to these questions by the
>     > date requested on a Gluu blog.
>     >
>     > thx,
>     >
>     > Mike
>     >
>     > On 2016-02-22 11:13, Colin Wallis wrote:
>     > > Thanks Ken
>     > > We'll consider this question dealt to.
>     > > Anyone else want to take on one of the others?
>     > > Cheers
>     > > Colin
>     > > .....................................
>     > >> At airports around the world, travelers' identities are routinely
>     > > verified using biometric identification. Recently in India, a new
>     > > facility for pension distribution adapted an iris authentication
>     > > scanner to validate citizens. New generations of fully integrated,
>     > > end-to-end cloud identity management platforms offer clients
>     secure
>     > > and flexible means to pick and choose which services they
>     need. For
>     > > this latest ebook from SC Magazine, we speak to a number of
>     experts
>     > > with hands-on experience about how these advances in
>     technologies are
>     > > changing the face of identity management and opening up new
>     > > opportunities for the enterprise to become more secure—and we’ll
>     > > throw in a few caveats (for one, what happens to privacy when
>     > > biometrics are added to the mix?) that any organization should
>     heed
>     > > when revamping its identity management strategy.
>     > >>
>     > >> Here are the questions he's exploring:
>     > >>
>     > >> What are the latest advances in ID Management technology?
>     > >>
>     > >> How has it evolved over the years?
>     > >>
>     > >> What happens to privacy when biometrics are thrown into the mix?
>     > > GONE GONE....
>     > >>
>     > >> How are ID management systems and access management/roles-based
>     > > management converging?
>     > >>
>     > >> ID management has been largely about people in the past. How will
>     > > the Internet of Things change that, if at all?
>     > >>
>     > >> Is authentication keeping up with trends in ID management?
>     > >>
>     > >> My identity as my wife sees it may be different to my
>     identity as my
>     > > bank sees it, which may be different again to my identity as my
>     > > employer sees it. How do we cope with multiple attributes in ID
>     > > management?
>     > >>
>     > >> How do we maintain and preserve identity in the long term, as a
>     > > person's life and circumstances change?
>     > >>
>     > >> Are there standards for ID management?
>     > >>
>     > >> What are the biggest challenges facing companies that want to
>     design
>     > > and deploy their own ID management systems?
>     > >
>     > > -------------------------
>     > > Date: Mon, 22 Feb 2016 06:58:22 -0500
>     > > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
>     > > 2/26/2016 17:30:00
>     > > From: kendaggtbs at gmail.com
>     > > To: colin_wallis at hotmail.com
>     > > CC: lc at kantarainitiative.org
>     > >
>     > > Colin,
>     > >
>     > > I agree fully that the first two paragraphs address the scope
>     of his
>     > > question regarding biometrics and privacy.
>     > >
>     > > However, your comment, "sense of direction of travel for SC
>     Magazine
>     > > being towards Data Protection" prompts me to include the rest
>     of the
>     > > material regarding Privacy. In my opinion, a focus solely on data
>     > > protection misses the boat on respecting privacy and probably
>     does it
>     > > a disservice. As you are aware, having the best data protection
>     > > practices in the world while using an individual's PII for
>     unstated
>     > > purposes or disclosing it inappropriately, still means the
>     > > organization is not respecting an individual's privacy.
>     > >
>     > > I agree with your concern regarding "a compromise in the sample or the
>     > > templates database" being a major issue with respect to an individual
>     > > having to re-establish and re-bind their identity. However, I would
>     > > argue that the same holds true for any piece of an individual's PII
>     > > that is used by an organization. Biometric data, because it is viewed
>     > > as unique to an individual, is in some organizations' minds, viewed as
>     > > a silver bullet with respect to Identification. However, in my opinion,
>     > > it is just another piece of data that can be used to mitigate the risk
>     > > of misidentification. If the consequences of misidentification are
>     > > severe it should still be corroborated with other PII. In other words,
>     > > it is not a silver bullet.
>     > >
>     > > This being said, I restructured the answer to address the "silver
>     > > bullet" concept as well as the out-of-scope text. I would
>     recommend
>     > > including the background in the response as I believe that it is
>     > > important to raise the "technology neutral" idea with respect to
>     > > privacy policy/legislation. I would like to start the process of
>     > > changing the perception held by many people that current policy is
>     > > outdated or has been overtaken by advances in technology. (My
>     soapbox
>     > > rant for the day)
>     > >
>     > > While we probably aren't going to be killed for not answering all the
>     > > questions I hope that others can address some of them.
>     > >
>     > > Ken
>     > >
>     > > ==============
>     > >
>     > > The perception that something should happen to privacy because
>     > > biometrics enter the mix is erroneous.
>     > >
>     > > Privacy is a state that is respected when an individual
>     understands
>     > > and consents to how their personally identifiable information
>     (PII) is
>     > > collected, maintained, used, disclosed and disposed. Biometric
>     > > information, given its uniqueness to each individual, should be
>     > > considered to be PII.
>     > >
>     > > Regardless of its apparent uniqueness, an organization that
>     wishes to
>     > > mitigate the risk of misidentification of an individual should not
>     > > look at biometric data as a "silver bullet". If the
>     consequences of
>     > > misidentification are high they should still corroborate the
>     biometric
>     > > data with other PII during their authentication. The process,
>     whether
>     > > in the digital or real world, still requires an organization to
>     > > identify the consequences of misidentification before it puts
>     in place
>     > > procedures and techniques (such as the use of biometric data) to
>     > > mitigate that risk.
>     > >
>     > > Background on Privacy
>     > >
>     > > It should be noted that jurisdictions around the world have
>     identified
>     > > that respect of an individual's privacy is technology neutral.
>     > >
>     > > For the US Government NIST Special Publication 800-122 defines PII as
>     > > "any information about an individual maintained by an agency,
>     > > including (1) any information that can be used to distinguish or trace
>     > > an individual's identity, such as name, social security number, date
>     > > and place of birth, mother's maiden name, or biometric records; and
>     > > (2) any other information that is linked or linkable to an individual,
>     > > such as medical, educational, financial, and employment information."
>     > >
>     > > In other countries with privacy protection laws derived from
>     the OECD
>     > > privacy principles, the term used is more often "personal
>     > > information". This term, in general, is broader than PII. For
>     example,
>     > > there are two pieces of legislation that cover privacy at the
>     federal
>     > > level in Canada: the Privacy Act and the Personal Information
>     > > Protection and Electronic Documents Act (PIPEDA). The Privacy Act
>     > > relates to an individual’s right to access and correct personal
>     > > information the Government of Canada holds about them or the
>     > > Government’s collection, use and disclosure of their personal
>     > > information in the course of providing services (e.g., old age
>     > > pensions or employment insurance). PIPEDA sets out the ground
>     rules
>     > > for how private-sector organizations collect, use or disclose
>     personal
>     > > information in the course of commercial activities across Canada.
>     > >
>     > > Both acts in essence define personal information to be any factual or
>     > > subjective information, recorded or not, about an identifiable
>     > > individual. This includes information in any form, such as:
>     > > * age, name, ID numbers, income, ethnic origin, or blood type;
>     > > * opinions, evaluations, comments, social status, or disciplinary
>     > > actions; and
>     > > * employee files, credit records, loan records, medical records,
>     > > existence of a dispute between a consumer and a merchant,
>     intentions
>     > > (for example, to acquire goods or services, or change jobs).
>     > >
>     > > Excluded is information concerning the name, title, business
>     address
>     > > or telephone number of an employee of an organization.
>     > >
>     > > Both acts identify how personal information should be collected,
>     > > maintained, used, disclosed and disposed. Of interest is the
>     > > requirement to identify a retention period for the personal
>     > > information that is collected about an individual and how that
>     > > information is expunged from an organization's records.
>     > >
>     > > Also of interest is how the power and versatility of
>     re-identification
>     > > algorithms have significantly increased the ability of
>     identifying an
>     > > individual without the use of PII. As such, Big Data is
>     becoming an
>     > > issue in privacy circles.
>     > >
>     > > <snip>
>     > >
>     > >
>     > > _______________________________________________
>     > > LC mailing list
>     > > LC at kantarainitiative.org
>     > > http://kantarainitiative.org/mailman/listinfo/lc
>     >
>     > --
>     > -------------------------------------
>     > Michael Schwartz
>     > Gluu
>     > Founder / CEO
>     > mike at gluu.org
>
>
>
> -- 
> Kenneth Dagg
> Independent Consultant
> Identification and Authentication
> 613-825-2091
> kendaggtbs at gmail.com <mailto:kendaggtbs at gmail.com>
>
>
> _______________________________________________
> LC mailing list
> LC at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/lc
