[KI-LC] FW: Media query from SC Magazine - deadline 2/26/2016 17:30:00

Ken Dagg kendaggtbs at gmail.com
Tue Feb 23 16:41:12 CST 2016


Allan,

I agree wholeheartedly that this is a discussion of personas!

The question that was asked by SC Magazine was, "My identity as my wife
sees it may be different to my identity as my bank sees it, which may be
different again to my identity as my employer sees it. How do we cope with
multiple attributes in ID management?" I agree that this is essentially a
discussion of the use of the different personas that an individual
maintains. I was loath, given my perception of the need for brevity and the
readership of SC Magazine, to get into a discussion of the definitions and
differences between the two terms.

In my opinion, most readers of the magazine are looking for solutions to
their need / desire to offer online services and want some ability to
lessen the risk of delivering a service to an ineligible individual (e.g., a
medical service to the wrong person) or delivering the wrong amount of
service to an individual (e.g., a $10,000 lottery win to someone who only
won $100).

Given your comments, as well as trying to address the question that was
asked, would the following make more sense? It implies a relationship
between persona and identity - persona being an application of my identity
in a broad context - but does not get into the discussion.

==========

Identity Management thinking is beginning to recognize that who an
individual is (e.g., their identity) is dependent on the scenario in which
that individual needs to assert who they are. Who you are, and how you
represent yourself, in social situations, work situations and commercial
situations is probably different - but all are just different
representations or variations of who you are as an individual - different
personas. That is, a persona is what someone needs to know about you in
order to interact with you.

For example, establishing an account, and carrying out financial
transactions, with a bank requires that the bank know certain
information (i.e., attributes) about you. Some of this information is
required in order for the bank to deal with you effectively while other
information is required to satisfy legal requirements. Your employer also
requires specific attributes about you in order to have you as an employee
(i.e., to pay you, to provide benefits, to provide work facilities). While
there may be some overlaps between the sets of attributes required to
satisfy these two relationships there are most likely differences. What is
emerging is that 1) the required attributes are defined by and specific to
the relationship and 2) there is no one representation that satisfies all
requirements.

As such, the relationship you want to establish identifies the required
attributes (i.e., your "persona") and manages them to accomplish the
purpose that the relationship exists to perform. As the user - the Relying
Party (RP) - of your persona (e.g., the bank) is at risk, they authenticate
and manage the set of attributes they require of you in order to mitigate
the risk of getting it wrong. That is, the RP manages the identity of its
clients to the degree they need to in order to operate. It is essential
that the RP undertake a risk assessment to identify the consequences -
financial and reputational - they will suffer if they misidentify someone
and then establish, at a cost they believe is affordable, the mechanisms
they believe will mitigate that risk.

The set of mechanisms they use - the level of assurance they require - to
mitigate their risk depend on the consequences they will suffer if they get
it wrong (i.e., they misidentify you). These mechanisms can include doing
nothing, using internal checks, using Social Media sites, using Government
Agencies, or using companies that have established themselves as Identity
Providers (IdPs), Credential Service Providers (CSPs), or Attribute
Providers (APs).

Of importance to you as an individual, however, is knowing, and being able
to correct errors in, the information / attributes the RP maintains about
you as well as being assured that the RP respects your privacy.



On Tue, Feb 23, 2016 at 1:36 PM, Allan Foster <allan.foster at forgerock.com>
wrote:

> So this is the discussion of Personas
>
> I also fundamentally disagree that Identity is necessarily a collection of
> attributes.  An identity is simply a thing.  Collections of attributes
> might be associated with an identity when required for specific contexts
>
> Allan
>
>
> Simplify Email: Email Charter <http://emailcharter.org/>
>
> *Allan Foster - ForgeRock *
> *VP Strategic Partner Enablement*
> *Location:*San Francisco
> *p:* +1.214.755.9218
> *email:* allan.foster at forgerock.com
> *blogs:* blogs.forgerock.com/GuruAllan
> *Skype:* Call GuruAllan <http://is.gd/lWVfMG>
> *www:* www.forgerock.com
> *www:* www.forgerock.org
> On 2/23/16 9:32 AM, Ken Dagg wrote:
>
> Colin,
>
> How does this sound to address the question, "My identity as my wife sees
> it may be different to my identity as my bank sees it, which may be
> different again to my identity as my employer sees it. How do we cope with
> multiple attributes in ID management?"
>
> Ken
>
> ===================
>
> Identity Management thinking is beginning to recognize that who an
> individual is (e.g., their identity) is dependent on the scenario in which
> that individual needs to assert who they are. Who you are, and how you
> represent yourself, in social situations, work situations and commercial
> situations is probably different - but all are just different
> representations or variations of who you are as an individual. That is, your
> identity is what someone needs to know about you in order to interact with
> you.
>
> For example, establishing an account, and carrying out financial
> transactions, with a bank requires that the bank know
> certain information (i.e., attributes) about you. Some of this information
> is required in order for the bank to deal with you effectively while other
> information is required to satisfy legal requirements. Your employer also
> requires specific information (attributes) about you in order to have you
> as an employee (i.e., to pay you, to provide benefits, to provide work
> facilities). While there may be some overlaps between the sets
> of attributes required to satisfy these two relationships there are most
> likely differences. What is emerging is that 1) the required attributes are
> defined by and part of the relationship and 2) there is no one
> representation that satisfies all requirements.
>
> As such, the relationship you want to establish identifies the required
> attributes (i.e., your "identity") and manages them to accomplish the
> purpose that the relationship exists to perform. As the user - the Relying
> Party (RP) - of your identity (e.g., the bank) is at risk, they
> authenticate and manage the set of attributes they require of you in order
> to mitigate the risk of getting it wrong. That is, the RP manages the
> identity of its clients to the degree they need to in order to operate. It
> is essential that the RP undertake a risk assessment to identify the
> consequences - financial and reputational - they will suffer if they
> misidentify someone and then establish, at a cost they believe is
> affordable, the mechanisms they believe will mitigate that risk.
>
> The set of mechanisms they use - the level of assurance they require - to
> mitigate their risk depend on the consequences they will suffer if they get
> it wrong (i.e., they misidentify you). These mechanisms can include doing
> nothing, using internal checks, using Social Media sites, using Government
> Agencies, or using companies that have established themselves as Identity
> Providers (IdPs), Credential Service Providers (CSPs), or Attribute
> Providers (APs).
>
> Of importance to you, however, is knowing, and being able to correct
> errors in, the information / attributes the RP maintains about you as well
> as being assured that the RP respects your privacy.
>
>
>
> On Tuesday, 23 February 2016, Colin Wallis <colin_wallis at hotmail.com>
> wrote:
>
>> That's great. Many thanks Sal.
>> Perfect timing for the IRM call coming up in a few hours.
>> Cheers
>> Colin
>>
>>
>> Colin, I can pitch in on some of these:
>>
>>
>>
>> What are the latest advances in ID Management technology?
>>
>> How has it evolved over the years?
>>
>> ID management has been largely about people in the past. How will  the
>> Internet of Things change that, if at all?
>>
>>
>>
>> I can use UMA and IRM as examples and also bring in some of the things
>> we have been talking about in the IDoT DG.
>>
>>
>>
>> *From:* lc-bounces at kantarainitiative.org [mailto:
>> lc-bounces at kantarainitiative.org] *On Behalf Of *Colin Wallis
>> *Sent:* Monday, February 22, 2016 5:50 PM
>> *To:* Mike Schwartz
>> *Cc:* Kantara Leadership Council Kantara
>> *Subject:* Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016
>> 17:30:00
>>
>>
>>
>> OK, thanks for that offer Mike.
>>
>> But the thing is, the guy asked Kantara, so he is expecting a response
>> from experts on behalf of Kantara.
>>
>> Taking him to Gluu is kind of one step removed.
>>
>> I'm happy for responses to contain links to Gluu and elsewhere, but I
>> think we are setting ourselves up for some copyright concerns if we point
>> folks away, straight out of the gate.
>>
>> Cheers
>>
>> Colin
>>
>> > Date: Mon, 22 Feb 2016 15:11:16 -0600
>> > From: mike at gluu.org
>> > To: colin_wallis at hotmail.com
>> > CC: lc at kantarainitiative.org
>> > Subject: Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016
>> 17:30:00
>> >
>> >
>> > Colin,
>> >
>> > I can offer to take a stab at responding to these questions by the
>> > date requested on a Gluu blog.
>> >
>> > thx,
>> >
>> > Mike
>> >
>> > On 2016-02-22 11:13, Colin Wallis wrote:
>> > > Thanks Ken
>> > > We'll consider this question dealt to.
>> > > Anyone else want to take on one of the others?
>> > > Cheers
>> > > Colin
>> > > .....................................
>> > >> At airports around the world, travelers' identities are routinely
>> > > verified using biometric identification. Recently in India, a new
>> > > facility for pension distribution adapted an iris authentication
>> > > scanner to validate citizens. New generations of fully integrated,
>> > > end-to-end cloud identity management platforms offer clients secure
>> > > and flexible means to pick and choose which services they need. For
>> > > this latest ebook from SC Magazine, we speak to a number of experts
>> > > with hands-on experience about how these advances in technologies are
>> > > changing the face of identity management and opening up new
>> > > opportunities for the enterprise to become more secure—and we’ll
>> > > throw in a few caveats (for one, what happens to privacy when
>> > > biometrics are added to the mix?) that any organization should heed
>> > > when revamping its identity management strategy.
>> > >>
>> > >> Here are the questions he's exploring:
>> > >>
>> > >> What are the latest advances in ID Management technology?
>> > >>
>> > >> How has it evolved over the years?
>> > >>
>> > >> What happens to privacy when biometrics are thrown into the mix?
>> > > GONE GONE....
>> > >>
>> > >> How are ID management systems and access management/roles-based
>> > > management converging?
>> > >>
>> > >> ID management has been largely about people in the past. How will
>> > > the Internet of Things change that, if at all?
>> > >>
>> > >> Is authentication keeping up with trends in ID management?
>> > >>
>> > >> My identity as my wife sees it may be different to my identity as my
>> > > bank sees it, which may be different again to my identity as my
>> > > employer sees it. How do we cope with multiple attributes in ID
>> > > management?
>> > >>
>> > >> How do we maintain and preserve identity in the long term, as a
>> > > person's life and circumstances change?
>> > >>
>> > >> Are there standards for ID management?
>> > >>
>> > >> What are the biggest challenges facing companies that want to design
>> > > and deploy their own ID management systems?
>> > >
>> > > -------------------------
>> > > Date: Mon, 22 Feb 2016 06:58:22 -0500
>> > > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
>> > > 2/26/2016 17:30:00
>> > > From: kendaggtbs at gmail.com
>> > > To: colin_wallis at hotmail.com
>> > > CC: lc at kantarainitiative.org
>> > >
>> > > Colin,
>> > >
>> > > I agree fully that the first two paragraphs address the scope of his
>> > > question regarding biometrics and privacy.
>> > >
>> > > However, your comment, "sense of direction of travel for SC Magazine
>> > > being towards Data Protection" prompts me to include the rest of the
>> > > material regarding Privacy. In my opinion, a focus solely on data
>> > > protection misses the boat on respecting privacy and probably does it
>> > > a disservice. As you are aware, having the best data protection
>> > > practices in the world while using an individual's PII for unstated
>> > > purposes or disclosing it inappropriately, still means the
>> > > organization is not respecting an individual's privacy.
>> > >
>> > > I agree with your concern regarding "a compromise in the sample or the
>> > > templates database" being a major issue with respect to an individual
>> > > having to re-establish and re-bind their identity. However, I would
>> > > argue that the same holds true for any piece of an individual's PII
>> > > that is used by an organization. Biometric data, because it is viewed
>> > > as unique to an individual, is in some organization's minds, viewed as
>> > > a silver bullet with respect to Identification. However, in my opinion,
>> > > it is just another piece of data that can be used to mitigate the risk
>> > > of misidentification. If the consequences of misidentification are
>> > > severe it should still be corroborated with other PII. In other words,
>> > > it is not a silver bullet.
>> > >
>> > > This being said, I restructured the answer to address the "silver
>> > > bullet" concept as well as the out-of-scope text. I would recommend
>> > > including the background in the response as I believe that it is
>> > > important to raise the "technology neutral" idea with respect to
>> > > privacy policy/legislation. I would like to start the process of
>> > > changing the perception held by many people that current policy is
>> > > outdated or has been overtaken by advances in technology. (My soapbox
>> > > rant for the day)
>> > >
>> > > While we probably aren't going to be killed for not answering all the
>> > > questions I hope that others can address some of them.
>> > >
>> > > Ken
>> > >
>> > > ==============
>> > >
>> > > The perception that something should happen to privacy because
>> > > biometrics enter the mix is erroneous.
>> > >
>> > > Privacy is a state that is respected when an individual understands
>> > > and consents to how their personally identifiable information (PII) is
>> > > collected, maintained, used, disclosed and disposed. Biometric
>> > > information, given its uniqueness to each individual, should be
>> > > considered to be PII.
>> > >
>> > > Regardless of its apparent uniqueness, an organization that wishes to
>> > > mitigate the risk of misidentification of an individual should not
>> > > look at biometric data as a "silver bullet". If the consequences of
>> > > misidentification are high they should still corroborate the biometric
>> > > data with other PII during their authentication. The process, whether
>> > > in the digital or real world, still requires an organization to
>> > > identify the consequences of misidentification before it puts in place
>> > > procedures and techniques (such as the use of biometric data) to
>> > > mitigate that risk.
>> > >
>> > > Background on Privacy
>> > >
>> > > It should be noted that jurisdictions around the world have identified
>> > > that respect of an individual's privacy is technology neutral.
>> > >
>> > > For the US Government NIST Special Publication 800-122 defines PII as
>> > > "any information about an individual maintained by an agency,
>> > > including (1) any information that can be used to distinguish or trace
>> > > an individual's identity, such as name, social security number, date
>> > > and place of birth, mother's maiden name, or biometric records; and
>> > > (2) any other information that is linked or linkable to an individual,
>> > > such as medical, educational, financial, and employment information."
>> > >
>> > > In other countries with privacy protection laws derived from the OECD
>> > > privacy principles, the term used is more often "personal
>> > > information". This term, in general, is broader than PII. For example,
>> > > there are two pieces of legislation that cover privacy at the federal
>> > > level in Canada: the Privacy Act and the Personal Information
>> > > Protection and Electronic Documents Act (PIPEDA). The Privacy Act
>> > > relates to an individual’s right to access and correct personal
>> > > information the Government of Canada holds about them or the
>> > > Government’s collection, use and disclosure of their personal
>> > > information in the course of providing services (e.g., old age
>> > > pensions or employment insurance). PIPEDA sets out the ground rules
>> > > for how private-sector organizations collect, use or disclose personal
>> > > information in the course of commercial activities across Canada.
>> > >
>> > > Both acts in essence define personal information to be any factual or
>> > > subjective information, recorded or not, about an identifiable
>> > > individual. This includes information in any form, such as:
>> > > * age, name, ID numbers, income, ethnic origin, or blood type;
>> > > * opinions, evaluations, comments, social status, or disciplinary
>> > > actions; and
>> > > * employee files, credit records, loan records, medical records,
>> > > existence of a dispute between a consumer and a merchant, intentions
>> > > (for example, to acquire goods or services, or change jobs).
>> > >
>> > > Excluded is information concerning the name, title, business address
>> > > or telephone number of an employee of an organization.
>> > >
>> > > Both acts identify how personal information should be collected,
>> > > maintained, used, disclosed and disposed. Of interest is the
>> > > requirement to identify a retention period for the personal
>> > > information that is collected about an individual and how that
>> > > information is expunged from an organization's records.
>> > >
>> > > Also of interest is how the power and versatility of re-identification
>> > > algorithms have significantly increased the ability of identifying an
>> > > individual without the use of PII. As such, Big Data is becoming an
>> > > issue in privacy circles.
>> > >
>> > > <snip>
>> > >
>> > >
>> > > _______________________________________________
>> > > LC mailing list
>> > > LC at kantarainitiative.org
>> > > http://kantarainitiative.org/mailman/listinfo/lc
>> >
>> > --
>> > -------------------------------------
>> > Michael Schwartz
>> > Gluu
>> > Founder / CEO
>> > mike at gluu.org
>>
>
>
> --
> Kenneth Dagg
> Independent Consultant
> Identification and Authentication
> 613-825-2091
> kendaggtbs at gmail.com
>
>
> _______________________________________________
> LC mailing list
> LC at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/lc
>
>
>
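The relationship-scoped persona and the RP-side assurance check that Ken's draft answer describes above, written out as an added example for this page (it is not code from the thread, from Kantara or from any product mentioned in it). The attribute holder releases only the attributes a given relationship requires; the relying party checks that each required attribute is present, comes from a source it considers good enough for the consequences it faces, and that a biometric is corroborated by other PII rather than treated as a silver bullet. It goes one step beyond the draft by giving each RP a pairwise pseudonym, so the bank and the employer cannot link their two personas by identifier, a privacy property the thread motivates but does not spell out. The source ranking, the two policies, the profile and the key are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


# How far an RP can rely on the source of a claim, lowest to highest.
# The ranking is an assumption for this example; the message lists these
# mechanisms but does not order them.
SOURCE_RANK = {
    "self_asserted": 0,
    "social_media": 1,
    "internal_check": 2,
    "attribute_provider": 3,
    "government_agency": 4,
}


@dataclass(frozen=True)
class Claim:
    name: str
    value: str
    source: str  # a key of SOURCE_RANK


@dataclass(frozen=True)
class RelationshipPolicy:
    """What one relationship needs to know about you, and how sure it must be.

    required:    attribute name -> minimum acceptable source
    corroborate: attribute name -> other attributes that must accompany it
                 (e.g. a biometric that is not accepted on its own)
    """
    rp: str
    required: dict
    corroborate: dict = field(default_factory=dict)


# Constructed sample: everything one attribute holder (an IdP/AP) knows.
FULL_PROFILE = {
    "name": Claim("name", "A. Person", "government_agency"),
    "date_of_birth": Claim("date_of_birth", "1970-01-01", "government_agency"),
    "home_address": Claim("home_address", "1 Example St", "internal_check"),
    "tax_id": Claim("tax_id", "000-00-0000", "government_agency"),
    "bank_account": Claim("bank_account", "ACCT-1", "self_asserted"),
    "face_template": Claim("face_template", "<template bytes>", "attribute_provider"),
    "nickname": Claim("nickname", "Al", "social_media"),
}

# Constructed policies: two relationships, two overlapping attribute sets.
BANK = RelationshipPolicy(
    rp="bank.example",
    required={"name": "attribute_provider", "date_of_birth": "government_agency",
              "home_address": "internal_check", "face_template": "attribute_provider"},
    corroborate={"face_template": ["date_of_birth", "home_address"]},
)
EMPLOYER = RelationshipPolicy(
    rp="employer.example",
    required={"name": "attribute_provider", "tax_id": "government_agency",
              "bank_account": "self_asserted"},
)


def pairwise_id(subject, rp, secret):
    """Per-RP pseudonym: the bank and the employer receive different
    identifiers for the same person, so they cannot link personas by id."""
    msg = f"{subject}|{rp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def persona_for(policy, profile, subject, secret):
    """Attribute-holder side: release only what this relationship requires."""
    claims = {n: profile[n] for n in policy.required if n in profile}
    return {"sub": pairwise_id(subject, policy.rp, secret), "claims": claims}


def evaluate(policy, persona):
    """RP side: is every required attribute present, from a good-enough source,
    and is each attribute that needs corroboration accompanied by it?
    Returns (accepted, findings)."""
    claims = persona["claims"]
    findings = []
    for name, min_source in policy.required.items():
        claim = claims.get(name)
        if claim is None:
            findings.append(f"missing: {name}")
        elif SOURCE_RANK[claim.source] < SOURCE_RANK[min_source]:
            findings.append(f"weak source: {name} is {claim.source}, need {min_source}")
    for name, others in policy.corroborate.items():
        if name in claims:
            absent = [o for o in others if o not in claims]
            if absent:
                findings.append(f"uncorroborated: {name} without {absent}")
    return (not findings, findings)


if __name__ == "__main__":
    secret = b"demo-pairwise-key"  # assumed; in practice a long-lived IdP secret
    for policy in (BANK, EMPLOYER):
        persona = persona_for(policy, FULL_PROFILE, "subject-42", secret)
        print(policy.rp, persona["sub"], sorted(persona["claims"]), evaluate(policy, persona))
```

The employer never sees the face template or the date of birth, the bank never sees the tax id, and neither sees the nickname; what each holds is exactly the persona its relationship requires. Dropping `home_address` from the profile makes the bank reject the persona twice over: the attribute is missing, and the biometric is no longer corroborated. Whether `internal_check` is enough for an address, or `government_agency` is needed, is the output of the risk assessment the draft calls essential, not a fixed property of the attribute.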