[KI-LC] FW: Media query from SC Magazine - deadline 2/26/2016 17:30:00
Allan Foster
allan.foster at forgerock.com
Tue Feb 23 12:36:38 CST 2016
So this is the discussion of Personas.
I also fundamentally disagree that Identity is necessarily a collection
of attributes. And identity is simply a thing. Collections of
attributes might be associated with an identity when required for
specific contexts.
Allan
Simplify Email: Email Charter <http://emailcharter.org/>
*Allan Foster - ForgeRock*
/VP Strategic Partner Enablement/
*Location:*San Francisco
*p:* +1.214.755.9218
*email:* allan.foster at forgerock.com <mailto:allan.foster at forgerock.com>
*blogs:* blogs.forgerock.com/GuruAllan
<http://blogs.forgerock.com/GuruAllan>
*Skype:* Call GuruAllan <http://is.gd/lWVfMG>
*www:* www.forgerock.com <http://www.forgerock.com/>
*www:* www.forgerock.org <http://www.forgerock.org/>
On 2/23/16 9:32 AM, Ken Dagg wrote:
> Colin,
>
> How does this sound to address the question, "My identity as my wife
> sees it may be different to my identity as my bank sees it, which may
> be different again to my identity as my employer sees it. How do we
> cope with multiple attributes in ID management?"
>
> Ken
>
> ===================
>
> Identity Management thinking is beginning to recognize that who an
> individual is (e.g., their identity) is dependent on the scenario in
> which that individual needs to assert who they are. Who you are, and
> how you represent yourself, in social situations, work situations and
> commercial situations is probably different - but all are just
> different representations or variations of who you are as an individual.
> That is, your identity is what someone needs to know about you in
> order to interact with you.
>
> For example, in order for you to be able to establish an account, and
> carry out financial transactions, with a bank requires that the bank
> know certain information (i.e., attributes) about you. Some of this
> information is required in order for the bank to deal with you
> effectively while other information is required to satisfy legal
> requirements. Your employer also requires specific information
> (attributes) about you in order to have you as an employee (i.e., to
> pay you, to provide benefits, to provide work facilities). While there
> may be some overlaps between the sets of attributes required to
> satisfy these two relationships there are most likely differences.
> What is emerging is that 1) the required attributes are defined by and
> part of the relationship and 2) there is no one representation that
> satisfies all requirements.
>
> As such, the relationship you want to establish identifies the
> required attributes (i.e., your "identity") and manages them to
> accomplish the purpose that the relationship exists to perform. As the
> user - the Relying Party (RP) - of your identity (e.g., the bank) is
> at risk, they authenticate and manage the set of attributes they
> require of you in order to mitigate the risk of getting it wrong. That
> is, the RP manages the identity of its clients to the degree they need
> to in order to operate. It is essential that the RP undertake a risk
> assessment to identify the consequences - financial and reputational -
> they will suffer if they misidentify someone and then establish, at a
> cost they believe is affordable, the mechanisms they believe will
> mitigate that risk.
>
> The set of mechanisms they use - the level of assurance they require -
> to mitigate their risk depends on the consequences they will suffer if
> they get it wrong (i.e., they misidentify you). These mechanisms can
> include doing nothing, using internal checks, using Social Media
> sites, using Government Agencies, or using companies that have
> established themselves as Identity Providers (IdPs), Credential
> Service Providers (CSPs), or Attribute Providers (APs).
>
> Of importance to you, however, is knowing, and being able to correct
> errors in, the information / attributes the RP maintains about you as
> well as being assured that the RP respects your privacy.
>
>
>
> On Tuesday, 23 February 2016, Colin Wallis <colin_wallis at hotmail.com
> <mailto:colin_wallis at hotmail.com>> wrote:
>
> That's great. Many thanks Sal.
> Perfect timing for the IRM call coming up in a few hours.
> Cheers
> Colin
>
>
> Colin, I can pitch in on some of these:
>
>
>
> What are the latest advances in ID Management technology?
>
> How has it evolved over the years?
>
> ID management has been largely about people in the past. How will
> the Internet of Things change that, if at all?
>
>
>
> I can use UMA and IRM as examples and also bring in some of the
> things we have been talking about in the IDoT DG.
>
>
>
> *From:* lc-bounces at kantarainitiative.org
> [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of* Colin Wallis
> *Sent:* Monday, February 22, 2016 5:50 PM
> *To:* Mike Schwartz
> *Cc:* Kantara Leadership Council Kantara
> *Subject:* Re: [KI-LC] Media query from SC Magazine - deadline
> 2/26/2016 17:30:00
>
>
>
> OK, thanks for that offer Mike.
>
> But the thing is, the guy asked Kantara, so he is expecting a
> response from experts on behalf of Kantara.
>
> Taking him to Gluu is kind of one step removed.
>
> I'm happy for responses to contain links to Gluu and elsewhere,
> but I think we are setting ourselves up for some copyright
> concerns if we point folks away, straight out of the gate.
>
> Cheers
>
> Colin
>
> > Date: Mon, 22 Feb 2016 15:11:16 -0600
> > From: mike at gluu.org
> > To: colin_wallis at hotmail.com
> > CC: lc at kantarainitiative.org
> > Subject: Re: [KI-LC] Media query from SC Magazine - deadline
> > 2/26/2016 17:30:00
> >
> >
> > Colin,
> >
> > I can offer to take a stab at responding to these questions by the
> > date requested on a Gluu blog.
> >
> > thx,
> >
> > Mike
> >
> > On 2016-02-22 11:13, Colin Wallis wrote:
> > > Thanks Ken
> > > We'll consider this question dealt to.
> > > Anyone else want to take on one of the others?
> > > Cheers
> > > Colin
> > > .....................................
> > >> At airports around the world, travelers' identities are routinely
> > >> verified using biometric identification. Recently in India, a new
> > >> facility for pension distribution adapted an iris authentication
> > >> scanner to validate citizens. New generations of fully integrated,
> > >> end-to-end cloud identity management platforms offer clients secure
> > >> and flexible means to pick and choose which services they need. For
> > >> this latest ebook from SC Magazine, we speak to a number of experts
> > >> with hands-on experience about how these advances in technologies are
> > >> changing the face of identity management and opening up new
> > >> opportunities for the enterprise to become more secure—and we’ll
> > >> throw in a few caveats (for one, what happens to privacy when
> > >> biometrics are added to the mix?) that any organization should heed
> > >> when revamping its identity management strategy.
> > >>
> > >> Here are the questions he's exploring:
> > >>
> > >> What are the latest advances in ID Management technology?
> > >>
> > >> How has it evolved over the years?
> > >>
> > >> What happens to privacy when biometrics are thrown into the mix?
> > > GONE GONE....
> > >>
> > >> How are ID management systems and access management/roles-based
> > >> management converging?
> > >>
> > >> ID management has been largely about people in the past. How will
> > >> the Internet of Things change that, if at all?
> > >>
> > >> Is authentication keeping up with trends in ID management?
> > >>
> > >> My identity as my wife sees it may be different to my identity as my
> > >> bank sees it, which may be different again to my identity as my
> > >> employer sees it. How do we cope with multiple attributes in ID
> > >> management?
> > >>
> > >> How do we maintain and preserve identity in the long term, as a
> > >> person's life and circumstances change?
> > >>
> > >> Are there standards for ID management?
> > >>
> > >> What are the biggest challenges facing companies that want to design
> > >> and deploy their own ID management systems?
> > >
> > > -------------------------
> > > Date: Mon, 22 Feb 2016 06:58:22 -0500
> > > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
> > > 2/26/2016 17:30:00
> > > From: kendaggtbs at gmail.com
> > > To: colin_wallis at hotmail.com
> > > CC: lc at kantarainitiative.org
> > >
> > > Colin,
> > >
> > > I agree fully that the first two paragraphs address the scope of his
> > > question regarding biometrics and privacy.
> > >
> > > However, your comment, "sense of direction of travel for SC Magazine
> > > being towards Data Protection" prompts me to include the rest of the
> > > material regarding Privacy. In my opinion, a focus solely on data
> > > protection misses the boat on respecting privacy and probably does it
> > > a disservice. As you are aware, having the best data protection
> > > practices in the world while using an individual's PII for unstated
> > > purposes or disclosing it inappropriately, still means the
> > > organization is not respecting an individual's privacy.
> > >
> > > I agree with your concern regarding "a compromise in the sample or the
> > > templates database" being a major issue with respect to an individual
> > > having to re-establish and re-bind their identity. However, I would
> > > argue that the same holds true for any piece of an individual's PII
> > > that is used by an organization. Biometric data, because it is viewed
> > > as unique to an individual, is, in some organizations' minds, viewed as
> > > a silver bullet with respect to Identification. However, in my opinion,
> > > it is just another piece of data that can be used to mitigate the risk
> > > of misidentification. If the consequences of misidentification are
> > > severe it should still be corroborated with other PII. In other words,
> > > it is not a silver bullet.
> > >
> > > This being said, I restructured the answer to address the "silver
> > > bullet" concept as well as the out-of-scope text. I would recommend
> > > including the background in the response as I believe that it is
> > > important to raise the "technology neutral" idea with respect to
> > > privacy policy/legislation. I would like to start the process of
> > > changing the perception held by many people that current policy is
> > > outdated or has been overtaken by advances in technology. (My soapbox
> > > rant for the day)
> > >
> > > While we probably aren't going to be killed for not answering all the
> > > questions I hope that others can address some of them.
> > >
> > > Ken
> > >
> > > ==============
> > >
> > > The perception that something should happen to privacy because
> > > biometrics enter the mix is erroneous.
> > >
> > > Privacy is a state that is respected when an individual understands
> > > and consents to how their personally identifiable information (PII) is
> > > collected, maintained, used, disclosed and disposed. Biometric
> > > information, given its uniqueness to each individual, should be
> > > considered to be PII.
> > >
> > > Regardless of its apparent uniqueness, an organization that wishes to
> > > mitigate the risk of misidentification of an individual should not
> > > look at biometric data as a "silver bullet". If the consequences of
> > > misidentification are high they should still corroborate the biometric
> > > data with other PII during their authentication. The process, whether
> > > in the digital or real world, still requires an organization to
> > > identify the consequences of misidentification before it puts in place
> > > procedures and techniques (such as the use of biometric data) to
> > > mitigate that risk.
> > >
> > > Background on Privacy
> > >
> > > It should be noted that jurisdictions around the world have identified
> > > that respect of an individual's privacy is technology neutral.
> > >
> > > For the US Government NIST Special Publication 800-122 defines PII as
> > > "any information about an individual maintained by an agency,
> > > including (1) any information that can be used to distinguish or trace
> > > an individual's identity, such as name, social security number, date
> > > and place of birth, mother's maiden name, or biometric records; and
> > > (2) any other information that is linked or linkable to an individual,
> > > such as medical, educational, financial, and employment information."
> > >
> > > In other countries with privacy protection laws derived from the OECD
> > > privacy principles, the term used is more often "personal
> > > information". This term, in general, is broader than PII. For example,
> > > there are two pieces of legislation that cover privacy at the federal
> > > level in Canada: the Privacy Act and the Personal Information
> > > Protection and Electronic Documents Act (PIPEDA). The Privacy Act
> > > relates to an individual’s right to access and correct personal
> > > information the Government of Canada holds about them or the
> > > Government’s collection, use and disclosure of their personal
> > > information in the course of providing services (e.g., old age
> > > pensions or employment insurance). PIPEDA sets out the ground rules
> > > for how private-sector organizations collect, use or disclose personal
> > > information in the course of commercial activities across Canada.
> > >
> > > Both acts in essence define personal information to be any factual or
> > > subjective information, recorded or not, about an identifiable
> > > individual. This includes information in any form, such as:
> > > * age, name, ID numbers, income, ethnic origin, or blood type;
> > > * opinions, evaluations, comments, social status, or disciplinary
> > > actions; and
> > > * employee files, credit records, loan records, medical records,
> > > existence of a dispute between a consumer and a merchant, intentions
> > > (for example, to acquire goods or services, or change jobs).
> > >
> > > Excluded is information concerning the name, title, business address
> > > or telephone number of an employee of an organization.
> > >
> > > Both acts identify how personal information should be collected,
> > > maintained, used, disclosed and disposed. Of interest is the
> > > requirement to identify a retention period for the personal
> > > information that is collected about an individual and how that
> > > information is expunged from an organization's records.
> > >
> > > Also of interest is how the power and versatility of re-identification
> > > algorithms have significantly increased the ability of identifying an
> > > individual without the use of PII. As such, Big Data is becoming an
> > > issue in privacy circles.
> > >
> > > <snip>
> > >
> > >
> > > _______________________________________________
> > > LC mailing list
> > > LC at kantarainitiative.org
> > > http://kantarainitiative.org/mailman/listinfo/lc
> >
> > --
> > -------------------------------------
> > Michael Schwartz
> > Gluu
> > Founder / CEO
> > mike at gluu.org
>
>
>
> --
> Kenneth Dagg
> Independent Consultant
> Identification and Authentication
> 613-825-2091
> kendaggtbs at gmail.com <mailto:kendaggtbs at gmail.com>
>
>