- From: Joe Andrieu <joe@joeandrieu.com>
- Date: Wed, 31 May 2017 23:48:05 -0700
- To: public-credentials@w3.org

On Wed, May 31, 2017, at 11:20 PM, David Chadwick wrote:
> On 01/06/2017 02:01, Manu Sporny wrote:
>
> > SNIP
>
> > Let's fast forward to a point where this community has properly defined
> > "identity" in a coherent way. Here are the problems that we will still face:
> >
> > 1. Some other community has defined it in some other way that makes
> > sense to them and they are unwilling to change the definition... and
> > we're back to not having a unified definition.
>
> So why don't we use an ISO standard definition? At least we can say that
> we are not inventing our own definition and are using an internationally
> recognised one.
>
> regards
>
> David

Sadly, as I discussed in my other longer email, the ISO definition of identity [1] is "set of attributes related to an entity."

This is *at best* a valid definition of a digital identity as represented in an ICT, a limitation that the standard at least states clearly: "An identity is the information used to represent an entity in an ICT system." [ICT: Information and Communication Technology]

The problem is that our identities are much larger than what is stored in any given ICT. Many of our privacy problems are driven by this very fact. ISO treats identity as a domain-specific concept, but when our privacy is compromised, it is because information leaks from one context to another.

Perhaps even more important, because ISO and others think of identity as domain-specific, they fail to see the relevance of how bad decisions in identity systems compromise human dignity. The myopia of "the ICT system" externalizes the consequences of design choices on people's identities beyond that system.

I'm working with several other identity professionals to try and shift the ISO language on this, but that will not be a short effort.

[1] ISO/IEC 24760-1 (Information technology -- Security techniques -- A framework for identity management), Section 3.1.2
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
and directly at
http://standards.iso.org/ittf/PubliclyAvailableStandards/c057914_ISO_IEC_24760-1_2011.zip

--
Joe Andrieu, PMP
joe@legendaryrequirements.com
LEGENDARY REQUIREMENTS
+1(805)705-8651
Do what matters.
http://legendaryrequirements.com

Received on Thursday, 1 June 2017 06:48:33 UTC