Thursday, September 16, 2010

How do we share information?

When we start talking about identity, one of the first things in our minds is how we authenticate people. Today we do this in many different ways in many different situations - uniforms and badges on police officers, UPS workers in UPS trucks, driver's licenses, passports, Yahoo! mail ids and on and on. Each of these ways of authenticating people is valid, depending on the situation of course.

In the digital world authentication and authorization take on a different scope. Once we authenticate a user, at some level of assurance, we need to determine what rights and privileges the entity has within the system or transaction. To do this we must determine some other information about the user - some set of attributes. This is where the conversation gets interesting.

When we begin to discuss attributes, the first thing we see is an issue with the definition of what an attribute is versus what one's identity is. Some would argue that, outside of a biometric, everything is an attribute, as it is asserted by someone else. Others would argue that fundamental data sets created by authoritative sources assert identity and are therefore identity assurances, the level of which can be determined by looking at the practice of issuance. So as you can see, we start the discussion with a range of opinions on what we should even be including in the bucket.

The next challenge in the discussion then becomes how we understand the differences in attribute descriptors and use. In some cultures one's last name is in fact stated as the first name and exists as such in records. The range of these "discrepancies" within an environment can be extensive, and as that environment grows, think globally, it becomes an even greater challenge.

This is not a new discussion but in my next post I will talk about some of the existing approaches and propose an additional idea.


- Posted using BlogPress from my iPad

Saturday, September 11, 2010

IIW-East

Thursday and Friday of this week saw the first Internet & Identity Workshop held on the east coast. This event was timely in that it comes at a time when citizen identity has some major interest in the White House and on Capitol Hill.

The event itself was not a large event. But the people that were there were engaged, involved and had interesting ideas, proposals and ongoing projects.

During the event there were lots of discussions on frameworks for identity and how to leverage these frameworks. In many cases these frameworks are centered around a community, albeit a potentially large community in some cases. There was considerable discussion on the legal and business aspects of being involved in the framework. Is there risk to a company in being involved, and if so, can it be mitigated or controlled, and is there a reason to be involved? These types of questions are of interest to many companies in the arena, and the American Bar Association and others are looking at how to help define the guidelines so there is less trepidation. One interesting discussion from Scott David centered around the leveraging of existing rules & tools and extending some new concepts. Today we have the idea of levels of assurance (LOAs), which help to define what a company's duty is in identifying the entities it gives a credential to. The extension of this is to include levels of protection (LOPs) and levels of control (LOCs). LOPs would cover the duties in ensuring that third parties do not gain access to data that they should not have, while LOCs cover the duties of organizations to make sure that their people, i.e. first parties, are doing things properly. Interestingly enough, there are laws and regulations that exist today that cover these things, such as HIPAA and Gramm-Leach-Bliley.

It is an interesting conversation to be had. There certainly is an evolving legal structure here that better defines things, and growth in the overall sector will benefit from it.



An interesting analogy ....

So this blog was motivated by a colleague who I saw at the recent IIW-East here in DC. For weeks I have been thinking about some ideas, that will come up on the blog in the next few days, and he asked if I had a blog. Well yes I do - but my original blog was a personal endeavor (do you all really want to know how I did in my last 10K?) and not something to generate the types of discussion I am hoping this one will.

So as I am pulling this blog together I was thinking of layout and the whole idea of the discussion.... what are we talking about when we talk about identity? Well we do have times when we want to be totally anonymous ... look like everyone else. There are times when we want to stand out in the crowd ... part of a specific community. Then there are times we need to be known ... an unequivocal "This is me!"... a coming out of the shell as it were.

Ergo ... the background.