<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Georgia">So this is the discussion of Personas<br>
<br>
I also fundamentally disagree that Identity is necessarily a
collection of attributes. And identity is simply a thing.
Collections of attributes might be associated with an identity
when required for specific contexts<br>
<br>
Allan<br>
<br>
<br>
</font>
<div class="moz-signature">
<div>Simplify Email: <a href="http://emailcharter.org/">Email
Charter</a>
<br>
<br>
<table border="1" cellpadding="2" cellspacing="2" width="100%">
<tbody>
<tr>
<td valign="top" width="160"> <img
src="http://www.macguru.com/logo.png"
moz-do-not-send="true" alt="ForgeRock Logo"
style="float: left; padding: 2px 6px 0 0"> </td>
<td valign="top"> <b><span>Allan Foster - ForgeRock </span></b><br>
<i>VP Strategic Partner Enablement</i><br>
<b>Location:</b>San Francisco<br>
<b>p:</b> +1.214.755.9218<br>
</td>
</tr>
<tr>
<td colspan="3">
<b>email:</b> <a
href="mailto:allan.foster@forgerock.com"><a class="moz-txt-link-abbreviated" href="mailto:allan.foster@forgerock.com">allan.foster@forgerock.com</a></a><br>
<b>blogs:</b> <a
href="http://blogs.forgerock.com/GuruAllan">blogs.forgerock.com/GuruAllan</a><br>
<b>Skype:</b> <a href="http://is.gd/lWVfMG">Call
GuruAllan</a><br>
<b>www:</b> <a href="http://www.forgerock.com/">www.forgerock.com</a><br>
<b>www:</b> <a href="http://www.forgerock.org/">www.forgerock.org</a><br>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="moz-cite-prefix">On 2/23/16 9:32 AM, Ken Dagg wrote:<br>
</div>
<blockquote
cite="mid:CAKSgTGTzCRTOu5SE8KKg+ghnaJo21H58P0LcooxZYZds5LFojw@mail.gmail.com"
type="cite">
<div>Colin,</div>
<div><br>
</div>
<div>How does this sound to address the question, "My identity as
my wife sees it may be different to my identity as my bank sees
it, which may be different again to my identity as my employer
sees it. How do we cope with multiple attributes in ID
management?"</div>
<div><br>
</div>
<div>Ken</div>
<div><br>
</div>
<div>===================</div>
<div><br>
</div>
<div>Identity Management thinking is beginning to recognize that
who an individual is (e.g., their identity) is dependent on the
scenario in which that individual needs to assert who they are.
Who you are, and how you represent yourself, in social
situations, work situations and commercial situations is
probably different - but all are just different representations
or variations of you are as an individual. That is, your
identity is what someone needs to know about you in order to
interact with you.</div>
<div><br>
</div>
<div>For example, in order for you to be able to establish an
account, and carry out financial transactions, with a bank
requires that the bank know certain information (i.e.,
attributes) about you. Some of this information is required in
order for the bank to deal with you effectively while other
information is required to satisfy legal requirements. Your
employer also requires specific information (attributes) about
you in order to have you as an employee (i.e., to pay you, to
provide benefits, to provide work facilities). While there may
be some overlaps between the sets of attributes required to
satisfy these two relationships there are most likely
differences. What is emerging is that 1) the required attributes
are defined by and part of the relationship and 2) there is no
one representation that satisfies all requirements.</div>
<div><br>
</div>
<div>As such, the relationship you want to establish identifies
the required attributes (i.e., your "identity") and manages them
to accomplish the purpose that the relationship exists to
perform. As the user - the Relying Party (RP) - of your identity
(e.g., the bank) is at risk, they authenticate and manage the
set of attributes they require of you in order to mitigate the
risk of getting it wrong. That is, the RP manages the identity
of its clients to the degree they need to in order to operate.
It is essential that the RP undertake a risk assessment to
identify the consequences - financial and reputational - they
will suffer if they misidentify someone and then establish, at a
cost they believe is affordable, the mechanisms they believe
will mitigate that risk. </div>
<div><br>
</div>
<div>The set of mechanisms they use - the level of assurance they
require - to mitigate their risk depend on the consequences they
will suffer if they get it wrong (i.e., they misidentify you).
These mechanisms can include doing nothing, using internal
checks, using Social Media sites, using Government Agencies, or
using companies that have established themselves as Identity
Providers (IdPs), Credential Service Providers (CSPs), or
Attribute Providers (APs). </div>
<div><br>
</div>
<div>Of importance to you, however, is knowing, and being able to
correct errors in, the information / attributes the RP maintains
about you as well as being assured that the RP respects your
privacy.</div>
<div><br>
</div>
<br>
<br>
On Tuesday, 23 February 2016, Colin Wallis <<a
moz-do-not-send="true" href="mailto:colin_wallis@hotmail.com"><a class="moz-txt-link-abbreviated" href="mailto:colin_wallis@hotmail.com">colin_wallis@hotmail.com</a></a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div dir="ltr">That's great. Many thanks Sal.
<div>Perfect timing for the IRM call coming up in a few
hours.</div>
<div>Cheers</div>
<div>Colin<br>
<div><br>
<br>
<div>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Colin,
I can pitch in on some of these:</span></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p><span
style="font-family:"Calibri","sans-serif"">What
are the latest advances in ID Management
technology?<br>
<br>
How has it evolved over the years?<br>
<br>
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
<p><span
style="font-family:"Calibri","sans-serif"">ID
management has been largely about people in the
past. How will the Internet of Things change
that, if at all?</span></p>
<p><span
style="font-family:"Calibri","sans-serif""> </span></p>
<p><span
style="font-family:"Calibri","sans-serif"">I
can use UMA and IRM as an examplse and also bring
in some of the things we have been talking about
in the IDoT DG.</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #b5c4df
1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','lc-bounces@kantarainitiative.org');"
target="_blank">lc-bounces@kantarainitiative.org</a>
[mailto:<a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','lc-bounces@kantarainitiative.org');"
target="_blank">lc-bounces@kantarainitiative.org</a>]
<b>On Behalf Of </b>Colin Wallis<br>
<b>Sent:</b> Monday, February 22, 2016 5:50 PM<br>
<b>To:</b> Mike Schwartz<br>
<b>Cc:</b> Kantara Leadership Council Kantara<br>
<b>Subject:</b> Re: [KI-LC] Media query from
SC Magazine - deadline 2/26/2016 17:30:00</span></p>
</div>
</div>
<p> </p>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">OK,
thanks for that offer Mike.</span></p>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">But
the thing is, the guy asked Kantara, so he is
expecting a response from experts on behalf of
Kantara.</span></p>
</div>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">Taking
him to Gluu is kind of one step removed.</span></p>
</div>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">I'm
happy for responses to contain links to Gluu
and elsewhere, but I think we are setting
ourselves up for some copyright concerns if we
point folks away, straight out of the gate.</span></p>
</div>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">Cheers</span></p>
</div>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">Colin</span></p>
<div>
<p><span
style="font-family:"Calibri","sans-serif"">>
Date: Mon, 22 Feb 2016 15:11:16 -0600<br>
> From: <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','mike@gluu.org');"
target="_blank">mike@gluu.org</a><br>
> To: <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','colin_wallis@hotmail.com');"
target="_blank">colin_wallis@hotmail.com</a><br>
> CC: <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','lc@kantarainitiative.org');"
target="_blank">lc@kantarainitiative.org</a><br>
> Subject: Re: [KI-LC] Media query from
SC Magazine - deadline 2/26/2016 17:30:00<br>
> <br>
> <br>
> Colin,<br>
> <br>
> I'll can offer to take a stab at
responding to these questions by the <br>
> date requested on a Gluu blog.<br>
> <br>
> thx,<br>
> <br>
> Mike<br>
> <br>
> On 2016-02-22 11:13, Colin Wallis
wrote:<br>
> > Thanks Ken<br>
> > We'll consider this question dealt
to.<br>
> > Anyone else want to take on one of
the others?<br>
> > Cheers<br>
> > Colin<br>
> >
.....................................<br>
> >> At airports around the world,
travelers' identities are routinely<br>
> > verified using biometric
identification. Recently in India, a new<br>
> > facility for pension distribution
adapted an iris authentication<br>
> > scanner to validate citizens. New
generations of fully integrated,<br>
> > end-to-end cloud identity
management platforms offer clients secure<br>
> > and flexible means to pick and
choose which services they need. For<br>
> > this latest ebook from SC
Magazine, we speak to a number of experts<br>
> > with hands-on experience about how
these advances in technologies are<br>
> > changing the face of identity
management and opening up new<br>
> > opportunities for the enterprise
to become more secure—and we’ll<br>
> > throw in a few caveats (for one,
what happens to privacy when<br>
> > biometrics are added to the mix?)
that any organization should heed<br>
> > when revamping its identity
management strategy.<br>
> >> <br>
> >> Here are the questions he's
exploring:<br>
> >> <br>
> >> What are the latest advances
in ID Management technology?<br>
> >> <br>
> >> How has it evolved over the
years?<br>
> >> <br>
> >> What happens to privacy when
biometrics are thrown into the mix?<br>
> > GONE GONE....<br>
> >> <br>
> >> How are ID management systems
and access management/roles-based<br>
> > management converging?<br>
> >> <br>
> >> ID management has been largely
about people in the past. How will<br>
> > the Internet of Things change
that, if at all?<br>
> >> <br>
> >> Is authentication keeping up
with trends in ID management?<br>
> >> <br>
> >> My identity as my wife sees it
may be different to my identity as my<br>
> > bank sees it, which may be
different again to my identity as my<br>
> > employer sees it. How do we cope
with multiple attributes in ID<br>
> > management?<br>
> >> <br>
> >> How do we maintain and
preserve identity in the long term, as a<br>
> > person's life and circumstances
change?<br>
> >> <br>
> >> Are there standard for ID
management?<br>
> >> <br>
> >> What are the biggest
challenges facing companies that want to
design<br>
> > and deploy their own ID management
systems?<br>
> > <br>
> > -------------------------<br>
> > Date: Mon, 22 Feb 2016 06:58:22
-0500<br>
> > Subject: Re: [KI-LC] FW: Media
query from SC Magazine - deadline<br>
> > 2/26/2016 17:30:00<br>
> > From: <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','kendaggtbs@gmail.com');"
target="_blank">kendaggtbs@gmail.com</a><br>
> > To: <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','colin_wallis@hotmail.com');"
target="_blank">colin_wallis@hotmail.com</a><br>
> > CC: <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','lc@kantarainitiative.org');"
target="_blank">lc@kantarainitiative.org</a><br>
> > <br>
> > Colin,<br>
> > <br>
> > I agree fully that the first two
paragraphs address the scope of his<br>
> > question regarding biometrics and
privacy.<br>
> > <br>
> > However, your comment, "sense of
direction of travel for SC Magazine<br>
> > being towards Data Protection"
prompts me to include the rest of the<br>
> > material regarding Privacy. In my
opinion, a focus solely on data<br>
> > protection misses the boat on
respecting privacy and probably does it<br>
> > a disservice. As you are aware,
having the best data protection<br>
> > practices in the world while using
an individual's PII for unstated<br>
> > purposes or disclosing it
inappropriately, still means the<br>
> > organization is not respecting an
individual's privacy.<br>
> > <br>
> > I agree with your concern
regarding "a compromise in the sample or the<br>
> > templates database" being a major
issue with respect to an individual<br>
> > having to re-establish and re-bind
their identity. However, I would<br>
> > argue that the same holds true for
any piece of an individual's PII<br>
> > that is used by an organization.
Biometric data, because it is viewed<br>
> > as unique to an individual, is in
some organization's minds, viewed as<br>
> > a silver bullet with respect to
Identifcation. However, in my opinion,<br>
> > it is just another piece of data
that can be used to mitigate the risk<br>
> > of misidentification. If the
consequences of misidentification are<br>
> > severe it should still be
corroborated with other PII. In other words,<br>
> > it is not a silver bullet.<br>
> > <br>
> > This being said, I restructured
the answer to address the "silver<br>
> > bullet" concept as well as the
out-of-scope text. I would recommend<br>
> > including the background in the
response as I believe that it is<br>
> > important to raise the "technology
neutral" idea with respect to<br>
> > privacy policy/legislation. I
would like to start the process of<br>
> > changing the perception held by
many people that current policy is<br>
> > outdated or has been overtaken by
advances in technology. (My soapbox<br>
> > rant for the day)<br>
> > <br>
> > Wile we probably aren't going to
be killed for not answering all the<br>
> > questions I hope that others can
address some of them.<br>
> > <br>
> > Ken<br>
> > <br>
> > ==============<br>
> > <br>
> > The perception that something
should happen to privacy because<br>
> > biometrics enter the mix is
erroneous.<br>
> > <br>
> > Privacy is a state that is
respected when an individual understands<br>
> > and consents to how their
personally identifiable information (PII) is<br>
> > collected, maintained, used,
disclosed and disposed. Biometric<br>
> > information, given its uniqueness
to each individual, should be<br>
> > considered to be PII.<br>
> > <br>
> > Regardless of its apparent
uniqueness, an organization that wishes to<br>
> > mitigate the risk of
misidentification of an individual should
not<br>
> > look at biometric data as a
"silver bullet". If the consequences of<br>
> > misidentification are high they
should still corroborate the biometric<br>
> > data with other PII during their
authentication. The process, whether<br>
> > in the digital or real world,
still requires an organization to<br>
> > identify the consequences of
misidentification before it puts in place<br>
> > procedures and techniques (such as
the use of biometric data) to<br>
> > mitigate that risk.<br>
> > <br>
> > Background on Privacy<br>
> > <br>
> > It should be noted that
jurisdictions around the world have
identified<br>
> > that respect of an individual's
privacy is technology neutral.<br>
> > <br>
> > For the US Government NIST Special
Publication 800-122 defines PII as<br>
> > "any information about an
individual maintained by an agency,<br>
> > including (1) any information that
can be used to distinguish or trace<br>
> > an individual‘s identity, such as
name, social security number, date<br>
> > and place of birth, mother‘s
maiden name, or biometric records; and<br>
> > (2) any other information that is
linked or linkable to an individual,<br>
> > such as medical, educational,
financial, and employment information."<br>
> > <br>
> > In other countries with privacy
protection laws derived from the OECD<br>
> > privacy principles, the term used
is more often "personal<br>
> > information". This term, in
general, is broader than PII. For example,<br>
> > there are two pieces of
legislation that cover privacy at the
federal<br>
> > level in Canada: the Privacy Act
and the Personal Information<br>
> > Protection and Electronic
Documents Act (PIPEDA). The Privacy Act<br>
> > relates to an individual’s right
to access and correct personal<br>
> > information the Government of
Canada holds about them or the<br>
> > Government’s collection, use and
disclosure of their personal<br>
> > information in the course of
providing services (e.g., old age<br>
> > pensions or employment insurance).
PIPEDA sets out the ground rules<br>
> > for how private-sector
organizations collect, use or disclose
personal<br>
> > information in the course of
commercial activities across Canada.<br>
> > <br>
> > Both acts is essence define
personal information to be any factual or<br>
> > subjective information, recorded
or not, about an identifiable<br>
> > individual. This includes
information in any form, such as:<br>
> > * age, name, ID numbers, income,
ethnic origin, or blood type;<br>
> > * opinions, evaluations, comments,
social status, or disciplinary<br>
> > actions; and<br>
> > * employee files, credit records,
loan records, medical records,<br>
> > existence of a dispute between a
consumer and a merchant, intentions<br>
> > (for example, to acquire goods or
services, or change jobs).<br>
> > <br>
> > Excluded is information concerning
the name, title, business address<br>
> > or telephone number of an employee
of an organization.<br>
> > <br>
> > Both acts identify how personal
information should be collected,<br>
> > maintained, used, disclosed and
disposed. Of interest is the<br>
> > requirement to identify a
retention period for the personal<br>
> > information that is collected
about an individual and how that<br>
> > information is expunged from an
organization's records.<br>
> > <br>
> > Also of interest is how the power
and versatility of re-identification<br>
> > algorithms have significantly
increased the ability of identifying an<br>
> > individual without the use of PII.
As such, Big Data is becoming an<br>
> > issue in privacy circles.<br>
> > <br>
> > <snip><br>
> > <br>
> > <br>
> >
_______________________________________________<br>
> > LC mailing list<br>
> > <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','LC@kantarainitiative.org');"
target="_blank">LC@kantarainitiative.org</a><br>
> > <a moz-do-not-send="true"
href="http://kantarainitiative.org/mailman/listinfo/lc"
target="_blank">http://kantarainitiative.org/mailman/listinfo/lc</a><br>
> <br>
> -- <br>
> -------------------------------------<br>
> Michael Schwartz<br>
> Gluu<br>
> Founder / CEO<br>
> <a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','mike@gluu.org');"
target="_blank">mike@gluu.org</a></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
-- <br>
Kenneth Dagg<br>
Independent Consultant<br>
Identification and Authentication<br>
613-825-2091<br>
<a moz-do-not-send="true" href="mailto:kendaggtbs@gmail.com">kendaggtbs@gmail.com</a><br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
LC mailing list
<a class="moz-txt-link-abbreviated" href="mailto:LC@kantarainitiative.org">LC@kantarainitiative.org</a>
<a class="moz-txt-link-freetext" href="http://kantarainitiative.org/mailman/listinfo/lc">http://kantarainitiative.org/mailman/listinfo/lc</a>
</pre>
</blockquote>
<br>
</body>
</html>