Monday, November 1, 2010

Continuing the Thought

It has been a while since I started this thought, but not because I felt it was a bad thought; rather, I wanted to let it stew for a while.

In the past few weeks I have seen and heard lots of discussion in regards to attributes so I thought that this renewal of my thought process would be appropriate now.

The last point of discussion here was the thought that we do need to be able to share data to better identify the rights that someone has within an application or transaction. You will note that I use the words "rights", "application" and "transaction" loosely, and this is quite intentional, as I believe the fundamental idea spreads across a broad spectrum of transactions.

When we talk about sharing data used to identify users, there needs to be agreement on how we identify the data that is shared. In today's space this has been accomplished through broad agreement on data dictionaries. Sometimes this is based around specific industries, while other times it is based nationally. One of the realizations that has come out of working in this area is that these specific dictionaries can restrict the use of the technologies to a narrow band of the actual user community. While the financial sector has very specific needs to communicate within its sector, it has become recognized that the same community has a large amount of interaction with other parties for whom its "standard" data dictionary is not necessarily understood.

Now it is easy in this case to say that maybe a global dictionary is needed, or to rely on a national-level dictionary driven by government standards or existing best practices. The issue here has always been one of broad agreement and thereby practically implementable solutions. Generally speaking, the broader the agreement, the less practical it is in terms of its use.

So let's think about how this has worked in other technical areas. DNS is a good example, whereby translation is handled through a set of distributed capabilities. Could this idea also be used with a data dictionary service? Let's think of a "centralized" service that translates attribute schema elements between defined data dictionaries. There is no need to share actual data, only a method to ensure that "name" is understood as one party communicates with another.
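To make the idea concrete, here is a small added example (my own illustration, not anything from the original post) of what the core of such a translation service could look like. It assumes two made-up dictionaries ("finance-sector" and "national-id") whose element names are mapped to hypothetical shared concept identifiers; a real registry would be maintained by the dictionary owners. The point to notice is that the service only ever sees element names: attribute values pass through untouched, and an element with no equivalent in the target dictionary is reported rather than guessed.

```python
"""Attribute schema translation between data dictionaries (hypothetical example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample registry. Each dictionary maps its own element names to a
# shared concept identifier; the concept IDs and element names are invented.
REGISTRY: Dict[str, Dict[str, str]] = {
    "finance-sector": {
        "cust_fname": "concept:given-name",
        "cust_lname": "concept:family-name",
        "cust_dob": "concept:birth-date",
        "acct_no": "concept:finance-account-number",  # sector-specific, no equivalent
    },
    "national-id": {
        "givenName": "concept:given-name",
        "familyName": "concept:family-name",
        "dateOfBirth": "concept:birth-date",
        "nationalId": "concept:national-identifier",
    },
}


class UnknownDictionary(KeyError):
    """The requested dictionary is not registered with the service."""


class UnknownElement(KeyError):
    """The element is not defined in the source dictionary."""


def validate_registry(registry: Dict[str, Dict[str, str]]) -> bool:
    """Reject a dictionary in which two elements claim the same concept.

    Such a dictionary would make translation ambiguous, so it is caught when the
    registry is loaded rather than at lookup time.
    """
    for name, mapping in registry.items():
        seen: Dict[str, str] = {}
        for element, concept in mapping.items():
            if concept in seen:
                raise ValueError(
                    f"{name}: {element!r} and {seen[concept]!r} both map to {concept}"
                )
            seen[concept] = element
    return True


def _mapping(registry: Dict[str, Dict[str, str]], dictionary: str) -> Dict[str, str]:
    try:
        return registry[dictionary]
    except KeyError:
        raise UnknownDictionary(dictionary) from None


def translate_element(
    src_dict: str, element: str, dst_dict: str,
    registry: Dict[str, Dict[str, str]] = REGISTRY,
) -> Optional[str]:
    """Return the target dictionary's name for `element`, or None if it has no equivalent."""
    src = _mapping(registry, src_dict)
    dst = _mapping(registry, dst_dict)
    if element not in src:
        raise UnknownElement(f"{src_dict}:{element}")
    concept = src[element]
    for dst_element, dst_concept in dst.items():
        if dst_concept == concept:
            return dst_element
    return None


def translate_keys(
    src_dict: str, attrs: Dict[str, object], dst_dict: str,
    registry: Dict[str, Dict[str, str]] = REGISTRY,
) -> Tuple[Dict[str, object], List[str]]:
    """Rename the keys of an attribute set into the target dictionary's vocabulary.

    Values are copied without being inspected; the service translates schema,
    not data. Elements with no target equivalent are returned separately so the
    caller can decide whether to drop them or fail the exchange.
    """
    translated: Dict[str, object] = {}
    unmapped: List[str] = []
    for element, value in attrs.items():
        target = translate_element(src_dict, element, dst_dict, registry)
        if target is None:
            unmapped.append(element)
        else:
            translated[target] = value
    return translated, unmapped


if __name__ == "__main__":
    validate_registry(REGISTRY)
    # Constructed sample record from the finance-sector party.
    record = {"cust_fname": "Ana", "cust_lname": "Sato", "acct_no": "0001"}
    print(translate_keys("finance-sector", record, "national-id"))
```

Two operational caveats the example surfaces: the registry itself becomes the thing that has to be governed and protected (a poisoned mapping silently mislabels attributes for every relying party), and a positional element such as "first name" in a record from a culture that writes the family name first cannot be fixed by schema translation alone, since the discrepancy is in the data, not the name of the field.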

There are of course lots of specific implementation needs surrounding this, but I would first like to start the discussion to see if it is a needed model before we get to specifics such as knowing who we are dealing with; protecting any sensitive transaction sets; and modeling an implementation to see what is needed from a management and operational perspective to ensure viability and usefulness.

Your thoughts on this are appreciated.

- Posted using BlogPress from my iPad

Friday, October 29, 2010

The dangers of blogging ....

I love my iPad. It was not something that I needed, but when my fiancée, now my wife, gave it to me for my birthday I was excited. Was this a neat new toy, or could it be more than that? Could it be a useful business tool? Well, so far it has certainly become a valuable addition to the business tools I have, and it is still a neat new toy that was great to have on our honeymoon.

All that being said, my iPad and the associated apps have come with some extra learning. Grabbing a tall coffee here at my local coffee shop, I re-read some of my past posts and saw the glaring typos. Why did I not catch them? Well, some of them were not typos in the purist sense, as the words were spelt correctly; they were just words that did not belong in that context.

Lesson learned: re-read my posts before I post them. If I miss things, I hope you all will catch me.

Cheers


Thursday, October 7, 2010

Identity & Attributes

A couple of days ago I was in Alexandria having a whiteboard session on attribute exchange. I truly believe that people in a room will solve more problems than people on conference calls, etc. I know that great ideas can be shared via blogs and e-mail, but when it comes to hashing through the real issues I believe a piece of paper and face time are invaluable.

However, that was not my original point when I started writing this. When I was in Alexandria, I was leaving to get in my car and I spied this ....

I know it is a car, and I know you will wonder what it has to do with identity .... but this car is a great analogy. When one first looks at it, if you know nothing about cars of the 1920s and 1930s you may think "cool car", but when you look at the front and see a Bugatti symbol your mind may change. But does the initial view tell the true story? Is this a 1930s Bugatti? Well, to truly know we need to be able to validate attributes of the car. The extent of what we validate is based on what our intent is. If we are the casual observer and it is just a "cool car", then the initial look is fine; we really do not care if it is a Bugatti. If you are a car nut, then you may check the shape of the grill and the suspension to see if it matches the 1930s Bugatti, since you may want to be able to tell your friends "I saw this cool 30s Bugatti today". However, if you are considering buying this car, then you will really want to look at its attributes: engine and chassis numbers, papers of ownership and purchase, repair records, etc.

Online transactions are no different. If I am commenting on yesterday's no-hitter on Yahoo! Sports, then few people care if I know anything about baseball at all. When I buy my signed Halladay card on eBay, the seller wants a higher level of assurance that he is going to get paid, and will do a check of my credit card before shipping or will wait till the check clears. If I am going to proceed to online voting, then the checks should be much more extensive.

We have always done all of these additional checks when the value of a non-online transaction is considered high, so why would we not want to make sure that the same is done online? For those that think that those checks invade their rights, I think the answer is simple: do commerce as you did it 10 years ago. For me, I am hoping I can get to a point where I have one identity that I can use to provide selectable levels of trust, so I can blog in the morning and buy Treasury bonds at night and not have to use 10 different identities to do it, but will not have to expose any more data than I feel is needed.

And I will keep working to see that this idea is usable for all ....

.... cu


Thursday, September 16, 2010

How do we share information?

When we start talking about identity, one of the first things in our minds is how we authenticate people. Today we do this many different ways in many different situations: uniforms and badges on police officers, UPS workers in UPS trucks, driver's licenses, passports, Yahoo! mail IDs, and on and on. Each of these ways of authenticating people is valid, depending on the situation of course.

In the digital world, authentication and authorization take on a different scope. Once we authenticate a user, at some level of assurance, we need to determine what rights and privileges that entity has within the system or transaction. To do this we must determine some other information about the user, some set of attributes. This is where the conversation gets interesting.

When we begin to discuss attributes, the first thing we see is an issue with the definition of what an attribute is versus what one's identity is. Some would argue that, outside of a biometric, everything is an attribute, as it is asserted by someone else. Others would argue that fundamental data sets created by authoritative sources assert identity and are therefore identity assurances, the level of which can be determined by looking at the practice of issuance. So, as you can see, we start the discussion with a range of opinions on what we should even be including in the bucket.

The next challenge in the discussion then becomes how we understand the differences in attribute descriptors and use. In some cultures one's last name is in fact stated as the first name and exists as such in records. The range of these "discrepancies" within an environment can be extensive, and as that environment grows, think globally, it becomes an even greater challenge.

This is not a new discussion, but in my next post I will talk about some of the existing approaches and propose an additional idea.


Saturday, September 11, 2010

IIW-East

Thursday and Friday of this week was the first Internet Identity Workshop held on the east coast. This event was timely in that it came at a time when citizen identity has some major interest in the White House and on Capitol Hill.

The event itself was not a large event, but the people that were there were engaged, involved and had interesting ideas, proposals and ongoing projects.

During the event there were lots of discussions on frameworks for identity and how to leverage these frameworks. In many cases these frameworks are centered around a community, albeit a potentially large community in some cases. There was considerable discussion on the legal and business aspects of being involved in a framework. Is there risk to a company in being involved, and if so, can it be mitigated or controlled, and is there a reason to be involved? These types of questions are of interest to many companies in the arena, and the American Bar Association and others are looking at how to help define the guidelines so there is less trepidation. One interesting discussion from Scott David centered around leveraging existing rules and tools and extending some new concepts. Today we have the idea of levels of assurance (LOAs), which help to define what a company's duty is in identifying the entities it gives a credential to. The extension of this is to include levels of protection (LOPs) and levels of control (LOCs). LOPs would cover the duties in ensuring that third parties do not gain access to data that they should not have, while LOCs cover the duties of organizations to make sure that their people, i.e. first parties, are doing things properly. Interestingly enough, there are laws and regulations that exist today that cover these things, such as HIPAA and Gramm-Leach-Bliley.

It is an interesting conversation to be had. There certainly is an evolving legal structure here that better defines things, and growth in the overall sector will benefit from it.


An interesting analogy ....

So this blog was motivated by a colleague I saw at the recent IIW-East here in DC. For weeks I have been thinking about some ideas, which will come up on the blog in the next few days, and he asked if I had a blog. Well, yes I do, but my original blog was a personal endeavor (do you all really want to know how I did in my last 10K?) and not something to generate the types of discussion I am hoping this one will.

So as I am pulling this blog together I was thinking of layout and the whole idea of the discussion .... what are we talking about when we talk about identity? Well, we do have times when we want to be totally anonymous ... look like everyone else. There are times when we want to stand out in the crowd ... part of a specific community. Then there are times we need to be known ... an unequivocal "This is me!" ... a coming out of the shell, as it were.

Ergo ... the background.