[KI-LC] FW: Media query from SC Magazine - deadline 2/26/2016 17:30:00

Ken Dagg kendaggtbs at gmail.com
Wed Feb 24 12:09:36 CST 2016


Allan,

I don't want to bug you but the Kantara responses to the SC Magazine
questions are due on Friday.

Any thoughts on my revisions? If it is still not a good response from your
perspective I will need to try another tack or get someone else to prepare
Kantara's response. While Kantara doesn't have to respond to all questions
I believe that this is one question that we should provide a response to.

Thanks,
Ken


On Tuesday, 23 February 2016, Ken Dagg <kendaggtbs at gmail.com> wrote:

> Allan,
>
> I agree wholeheartedly that this is a discussion of personas!
>
> The question that was asked by SC Magazine was, "My identity as my wife
> sees it may be different to my identity as my bank sees it, which may be
> different again to my identity as my employer sees it. How do we cope with
> multiple attributes in ID management?" I agree that this is essentially a
> discussion of the use of the different personas that an individual
> maintains. I was loath, given my perception of the need for brevity and the
> readership of SC Magazine, to get into a discussion of the definitions and
> differences between the two terms.
>
> In my opinion, most readers of the magazine are looking for solutions to
> their need / desire to offer online services and want some ability to
> lessen the risk of delivering a service to an ineligible individual (e.g., a
> medical service to the wrong person) or delivering the wrong amount of
> service to an individual (e.g., a $10,000 lottery win to someone who only
> won a $100).
>
> Given your comments, as well as trying to address the question that was
> asked, would the following make more sense? It implies a relationship
> between persona and identity - persona being an application of my identity
> in a broad context - but does not get into the discussion.
>
> ==========
>
> Identity Management thinking is beginning to recognize that who an
> individual is (e.g., their identity) is dependent on the scenario in which
> that individual needs to assert who they are. Who you are, and how you
> represent yourself, in social situations, work situations and commercial
> situations is probably different - but all are just different
> representations or variations of who you are as an individual - different
> personas. That is, a persona is what someone needs to know about you in
> order to interact with you.
>
> For example, in order for you to be able to establish an account, and
> carry out financial transactions, with a bank requires that the bank know
> certain information (i.e., attributes) about you. Some of this information
> is required in order for the bank to deal with you effectively while other
> information is required to satisfy legal requirements. Your employer also
> requires specific attributes about you in order to have you as an employee
> (i.e., to pay you, to provide benefits, to provide work facilities). While
> there may be some overlaps between the sets of attributes required to
> satisfy these two relationships there are most likely differences. What is
> emerging is that 1) the required attributes are defined by and specific to
> the relationship and 2) there is no one representation that satisfies all
> requirements.
>
> As such, the relationship you want to establish identifies the required
> attributes (i.e., your "persona") and manages them to accomplish the
> purpose that the relationship exists to perform. As the user - the Relying
> Party (RP) - of your persona (e.g., the bank) is at risk, they authenticate
> and manage the set of attributes they require of you in order to mitigate
> the risk of getting it wrong. That is, the RP manages the identity of its
> clients to the degree they need to in order to operate. It is essential
> that the RP undertake a risk assessment to identify the consequences -
> financial and reputational - they will suffer if they misidentify someone
> and then establish, at a cost they believe is affordable, the mechanisms
> they believe will mitigate that risk.
>
> The set of mechanisms they use - the level of assurance they require - to
> mitigate their risk depend on the consequences they will suffer if they get
> it wrong (i.e., they misidentify you). These mechanisms can include doing
> nothing, using internal checks, using Social Media sites, using Government
> Agencies, or using companies that have established themselves as Identity
> Providers (IdPs), Credential Service Providers (CSPs), or Attribute
> Providers (APs).
>
> Of importance to you as an individual, however, is knowing, and being able
> to correct errors in, the information / attributes the RP maintains about
> you as well as being assured that the RP respects your privacy.
>
>
>
> On Tue, Feb 23, 2016 at 1:36 PM, Allan Foster <allan.foster at forgerock.com> wrote:
>
>> So this is the discussion of Personas
>>
>> I also fundamentally disagree that Identity is necessarily a collection
>> of attributes.  And identity is simply a thing.  Collections of attributes
>> might be associated with an identity when required for specific contexts
>>
>> Allan
>>
>>
>> Simplify Email: Email Charter <http://emailcharter.org/>
>>
>> *Allan Foster - ForgeRock*
>> *VP Strategic Partner Enablement*
>> *Location:* San Francisco
>> *p:* +1.214.755.9218
>> *email:* allan.foster at forgerock.com
>> *blogs:* blogs.forgerock.com/GuruAllan
>> *Skype:* Call GuruAllan <http://is.gd/lWVfMG>
>> *www:* www.forgerock.com
>> *www:* www.forgerock.org
>> On 2/23/16 9:32 AM, Ken Dagg wrote:
>>
>> Colin,
>>
>> How does this sound to address the question, "My identity as my wife sees
>> it may be different to my identity as my bank sees it, which may be
>> different again to my identity as my employer sees it. How do we cope with
>> multiple attributes in ID management?"
>>
>> Ken
>>
>> ===================
>>
>> Identity Management thinking is beginning to recognize that who an
>> individual is (e.g., their identity) is dependent on the scenario in which
>> that individual needs to assert who they are. Who you are, and how you
>> represent yourself, in social situations, work situations and commercial
>> situations is probably different - but all are just different
>> representations or variations of who you are as an individual. That is, your
>> identity is what someone needs to know about you in order to interact with
>> you.
>>
>> For example, in order for you to be able to establish an account, and
>> carry out financial transactions, with a bank requires that the bank know
>> certain information (i.e., attributes) about you. Some of this information
>> is required in order for the bank to deal with you effectively while other
>> information is required to satisfy legal requirements. Your employer also
>> requires specific information (attributes) about you in order to have you
>> as an employee (i.e., to pay you, to provide benefits, to provide work
>> facilities). While there may be some overlaps between the sets
>> of attributes required to satisfy these two relationships there are most
>> likely differences. What is emerging is that 1) the required attributes are
>> defined by and part of the relationship and 2) there is no one
>> representation that satisfies all requirements.
>>
>> As such, the relationship you want to establish identifies the required
>> attributes (i.e., your "identity") and manages them to accomplish the
>> purpose that the relationship exists to perform. As the user - the Relying
>> Party (RP) - of your identity (e.g., the bank) is at risk, they
>> authenticate and manage the set of attributes they require of you in order
>> to mitigate the risk of getting it wrong. That is, the RP manages the
>> identity of its clients to the degree they need to in order to operate. It
>> is essential that the RP undertake a risk assessment to identify the
>> consequences - financial and reputational - they will suffer if they
>> misidentify someone and then establish, at a cost they believe is
>> affordable, the mechanisms they believe will mitigate that risk.
>>
>> The set of mechanisms they use - the level of assurance they require - to
>> mitigate their risk depend on the consequences they will suffer if they get
>> it wrong (i.e., they misidentify you). These mechanisms can include doing
>> nothing, using internal checks, using Social Media sites, using Government
>> Agencies, or using companies that have established themselves as Identity
>> Providers (IdPs), Credential Service Providers (CSPs), or Attribute
>> Providers (APs).
>>
>> Of importance to you, however, is knowing, and being able to correct
>> errors in, the information / attributes the RP maintains about you as well
>> as being assured that the RP respects your privacy.
>>
>>
>>
>> On Tuesday, 23 February 2016, Colin Wallis <colin_wallis at hotmail.com> wrote:
>>
>>> That's great. Many thanks Sal.
>>> Perfect timing for the IRM call coming up in a few hours.
>>> Cheers
>>> Colin
>>>
>>>
>>> Colin, I can pitch in on some of these:
>>>
>>>
>>>
>>> What are the latest advances in ID Management technology?
>>>
>>> How has it evolved over the years?
>>>
>>> ID management has been largely about people in the past. How will  the
>>> Internet of Things change that, if at all?
>>>
>>>
>>>
>>> I can use UMA and IRM as examples and also bring in some of the
>>> things we have been talking about in the IDoT DG.
>>>
>>>
>>>
>>> *From:* lc-bounces at kantarainitiative.org [mailto:
>>> lc-bounces at kantarainitiative.org] *On Behalf Of *Colin Wallis
>>> *Sent:* Monday, February 22, 2016 5:50 PM
>>> *To:* Mike Schwartz
>>> *Cc:* Kantara Leadership Council Kantara
>>> *Subject:* Re: [KI-LC] Media query from SC Magazine - deadline
>>> 2/26/2016 17:30:00
>>>
>>>
>>>
>>> OK, thanks for that offer Mike.
>>>
>>> But the thing is, the guy asked Kantara, so he is expecting a response
>>> from experts on behalf of Kantara.
>>>
>>> Taking him to Gluu is kind of one step removed.
>>>
>>> I'm happy for responses to contain links to Gluu and elsewhere, but I
>>> think we are setting ourselves up for some copyright concerns if we point
>>> folks away, straight out of the gate.
>>>
>>> Cheers
>>>
>>> Colin
>>>
>>> > Date: Mon, 22 Feb 2016 15:11:16 -0600
>>> > From: mike at gluu.org
>>> > To: colin_wallis at hotmail.com
>>> > CC: lc at kantarainitiative.org
>>> > Subject: Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016 17:30:00
>>> >
>>> >
>>> > Colin,
>>> >
>>> > I can offer to take a stab at responding to these questions by the
>>> > date requested on a Gluu blog.
>>> >
>>> > thx,
>>> >
>>> > Mike
>>> >
>>> > On 2016-02-22 11:13, Colin Wallis wrote:
>>> > > Thanks Ken
>>> > > We'll consider this question dealt to.
>>> > > Anyone else want to take on one of the others?
>>> > > Cheers
>>> > > Colin
>>> > > .....................................
>>> > >> At airports around the world, travelers' identities are routinely
>>> > > verified using biometric identification. Recently in India, a new
>>> > > facility for pension distribution adapted an iris authentication
>>> > > scanner to validate citizens. New generations of fully integrated,
>>> > > end-to-end cloud identity management platforms offer clients secure
>>> > > and flexible means to pick and choose which services they need. For
>>> > > this latest ebook from SC Magazine, we speak to a number of experts
>>> > > with hands-on experience about how these advances in technologies are
>>> > > changing the face of identity management and opening up new
>>> > > opportunities for the enterprise to become more secure—and we’ll
>>> > > throw in a few caveats (for one, what happens to privacy when
>>> > > biometrics are added to the mix?) that any organization should heed
>>> > > when revamping its identity management strategy.
>>> > >>
>>> > >> Here are the questions he's exploring:
>>> > >>
>>> > >> What are the latest advances in ID Management technology?
>>> > >>
>>> > >> How has it evolved over the years?
>>> > >>
>>> > >> What happens to privacy when biometrics are thrown into the mix?
>>> > > GONE GONE....
>>> > >>
>>> > >> How are ID management systems and access management/roles-based
>>> > > management converging?
>>> > >>
>>> > >> ID management has been largely about people in the past. How will
>>> > > the Internet of Things change that, if at all?
>>> > >>
>>> > >> Is authentication keeping up with trends in ID management?
>>> > >>
>>> > >> My identity as my wife sees it may be different to my identity as my
>>> > > bank sees it, which may be different again to my identity as my
>>> > > employer sees it. How do we cope with multiple attributes in ID
>>> > > management?
>>> > >>
>>> > >> How do we maintain and preserve identity in the long term, as a
>>> > > person's life and circumstances change?
>>> > >>
>>> > >> Are there standards for ID management?
>>> > >>
>>> > >> What are the biggest challenges facing companies that want to design
>>> > > and deploy their own ID management systems?
>>> > >
>>> > > -------------------------
>>> > > Date: Mon, 22 Feb 2016 06:58:22 -0500
>>> > > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
>>> > > 2/26/2016 17:30:00
>>> > > From: kendaggtbs at gmail.com
>>> > > To: colin_wallis at hotmail.com
>>> > > CC: lc at kantarainitiative.org
>>> > >
>>> > > Colin,
>>> > >
>>> > > I agree fully that the first two paragraphs address the scope of his
>>> > > question regarding biometrics and privacy.
>>> > >
>>> > > However, your comment, "sense of direction of travel for SC Magazine
>>> > > being towards Data Protection" prompts me to include the rest of the
>>> > > material regarding Privacy. In my opinion, a focus solely on data
>>> > > protection misses the boat on respecting privacy and probably does it
>>> > > a disservice. As you are aware, having the best data protection
>>> > > practices in the world while using an individual's PII for unstated
>>> > > purposes or disclosing it inappropriately, still means the
>>> > > organization is not respecting an individual's privacy.
>>> > >
>>> > > I agree with your concern regarding "a compromise in the sample or the
>>> > > templates database" being a major issue with respect to an individual
>>> > > having to re-establish and re-bind their identity. However, I would
>>> > > argue that the same holds true for any piece of an individual's PII
>>> > > that is used by an organization. Biometric data, because it is viewed
>>> > > as unique to an individual, is in some organization's minds, viewed as
>>> > > a silver bullet with respect to Identification. However, in my opinion,
>>> > > it is just another piece of data that can be used to mitigate the risk
>>> > > of misidentification. If the consequences of misidentification are
>>> > > severe it should still be corroborated with other PII. In other words,
>>> > > it is not a silver bullet.
>>> > >
>>> > > This being said, I restructured the answer to address the "silver
>>> > > bullet" concept as well as the out-of-scope text. I would recommend
>>> > > including the background in the response as I believe that it is
>>> > > important to raise the "technology neutral" idea with respect to
>>> > > privacy policy/legislation. I would like to start the process of
>>> > > changing the perception held by many people that current policy is
>>> > > outdated or has been overtaken by advances in technology. (My soapbox
>>> > > rant for the day)
>>> > >
>>> > > While we probably aren't going to be killed for not answering all the
>>> > > questions I hope that others can address some of them.
>>> > >
>>> > > Ken
>>> > >
>>> > > ==============
>>> > >
>>> > > The perception that something should happen to privacy because
>>> > > biometrics enter the mix is erroneous.
>>> > >
>>> > > Privacy is a state that is respected when an individual understands
>>> > > and consents to how their personally identifiable information (PII) is
>>> > > collected, maintained, used, disclosed and disposed. Biometric
>>> > > information, given its uniqueness to each individual, should be
>>> > > considered to be PII.
>>> > >
>>> > > Regardless of its apparent uniqueness, an organization that wishes to
>>> > > mitigate the risk of misidentification of an individual should not
>>> > > look at biometric data as a "silver bullet". If the consequences of
>>> > > misidentification are high they should still corroborate the biometric
>>> > > data with other PII during their authentication. The process, whether
>>> > > in the digital or real world, still requires an organization to
>>> > > identify the consequences of misidentification before it puts in place
>>> > > procedures and techniques (such as the use of biometric data) to
>>> > > mitigate that risk.
>>> > >
>>> > > Background on Privacy
>>> > >
>>> > > It should be noted that jurisdictions around the world have identified
>>> > > that respect of an individual's privacy is technology neutral.
>>> > >
>>> > > For the US Government NIST Special Publication 800-122 defines PII as
>>> > > "any information about an individual maintained by an agency,
>>> > > including (1) any information that can be used to distinguish or trace
>>> > > an individual’s identity, such as name, social security number, date
>>> > > and place of birth, mother’s maiden name, or biometric records; and
>>> > > (2) any other information that is linked or linkable to an individual,
>>> > > such as medical, educational, financial, and employment information."
>>> > >
>>> > > In other countries with privacy protection laws derived from the OECD
>>> > > privacy principles, the term used is more often "personal
>>> > > information". This term, in general, is broader than PII. For example,
>>> > > there are two pieces of legislation that cover privacy at the federal
>>> > > level in Canada: the Privacy Act and the Personal Information
>>> > > Protection and Electronic Documents Act (PIPEDA). The Privacy Act
>>> > > relates to an individual’s right to access and correct personal
>>> > > information the Government of Canada holds about them or the
>>> > > Government’s collection, use and disclosure of their personal
>>> > > information in the course of providing services (e.g., old age
>>> > > pensions or employment insurance). PIPEDA sets out the ground rules
>>> > > for how private-sector organizations collect, use or disclose personal
>>> > > information in the course of commercial activities across Canada.
>>> > >
>>> > > Both acts in essence define personal information to be any factual or
>>> > > subjective information, recorded or not, about an identifiable
>>> > > individual. This includes information in any form, such as:
>>> > > * age, name, ID numbers, income, ethnic origin, or blood type;
>>> > > * opinions, evaluations, comments, social status, or disciplinary
>>> > > actions; and
>>> > > * employee files, credit records, loan records, medical records,
>>> > > existence of a dispute between a consumer and a merchant, intentions
>>> > > (for example, to acquire goods or services, or change jobs).
>>> > >
>>> > > Excluded is information concerning the name, title, business address
>>> > > or telephone number of an employee of an organization.
>>> > >
>>> > > Both acts identify how personal information should be collected,
>>> > > maintained, used, disclosed and disposed. Of interest is the
>>> > > requirement to identify a retention period for the personal
>>> > > information that is collected about an individual and how that
>>> > > information is expunged from an organization's records.
>>> > >
>>> > > Also of interest is how the power and versatility of re-identification
>>> > > algorithms have significantly increased the ability of identifying an
>>> > > individual without the use of PII. As such, Big Data is becoming an
>>> > > issue in privacy circles.
>>> > >
>>> > > <snip>
>>> > >
>>> > >
>>> > > _______________________________________________
>>> > > LC mailing list
>>> > > LC at kantarainitiative.org
>>> > > http://kantarainitiative.org/mailman/listinfo/lc
>>> >
>>> > --
>>> > -------------------------------------
>>> > Michael Schwartz
>>> > Gluu
>>> > Founder / CEO
>>> > mike at gluu.org
>>>
>>
>>
>> --
>> Kenneth Dagg
>> Independent Consultant
>> Identification and Authentication
>> 613-825-2091
>> kendaggtbs at gmail.com
>>
>>
>> _______________________________________________
>> LC mailing list
>> LC at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/lc
>>
>>
>>
>

-- 
Kenneth Dagg
Independent Consultant
Identification and Authentication
613-825-2091
kendaggtbs at gmail.com