<div>Danny,</div><div><br></div><div>Another input for the article.</div><div><br></div><div>In response to the question, "My identity as my wife sees it may be different to my identity as my bank sees it, which may be different again to my identity as my employer sees it. How do we cope with multiple attributes in ID management?"</div><div><br></div><div>Ken Dagg</div><div><br></div><div>==================</div><div><br></div><div>Identity Management thinking is beginning to recognize that who an individual is (e.g., their identity) is dependent on the scenario in which that individual needs to assert who they are. Who you are, and how you represent yourself, in social situations, work situations and commercial situations is probably different - but all are just different representations or variations of who you are as an individual - different personas. That is, a persona is what you tell someone about yourself in order to interact with them.</div><div><br></div><div>For example, in order for you to be able to establish an account, and carry out financial transactions, with a bank requires that the bank know certain information (i.e., attributes) about you. Some of this information is required in order for the bank to deal with you effectively while other information is required to satisfy legal requirements. Your employer also requires specific attributes about you in order to have you as an employee (i.e., to pay you, to provide benefits, to provide work facilities). While there may be some overlaps between the sets of attributes required to satisfy these two relationships there are most likely differences. What is emerging is that 1) the required attributes are defined by and specific to the relationship and 2) there is no one representation that satisfies all requirements.</div><div><br></div><div>As such, the relationship you want to establish identifies the required attributes (i.e., your "persona") and manages them to accomplish the purpose that the relationship exists to perform. As the consumer - the Relying Party (RP) - of your persona (e.g., the bank) is at risk, they authenticate and manage the set of attributes they require of you in order to mitigate the risk of getting it wrong. That is, the RP manages the identity of its clients to the degree they need to in order to operate. It is essential that the RP undertake a risk assessment to identify the consequences - financial and reputational - they will suffer if they misidentify someone and then establish, at a cost they believe is affordable, the mechanisms they believe will mitigate that risk. </div><div><br></div><div>The set of mechanisms the RP uses - the level of assurance they require - to mitigate their risk depend on the consequences they will suffer if they get it wrong (i.e., they misidentify you). These mechanisms can include doing nothing, using internal checks, using Social Media sites, using Government Agencies, or using companies that have established themselves as Identity Providers (IdPs), Credential Service Providers (CSPs), or Attribute Providers (APs). </div><div><br></div><div>Of importance to you as an individual, however, is knowing, and being able to correct errors in, the information / attributes the RP maintains about you as well as being assured that the RP respects your privacy.</div><div><br></div>
<br><br>-- <br>Kenneth Dagg<br>Independent Consultant<br>Identification and Authentication<br>613-825-2091<br><a href="mailto:kendaggtbs@gmail.com">kendaggtbs@gmail.com</a><br>