W3C home > Mailing lists > Public > public-credentials@w3.org > June 2017

Re: "Identity"

From: David Chadwick <D.W.Chadwick@kent.ac.uk>
Date: Thu, 1 Jun 2017 20:16:01 +0100
To: public-credentials@w3.org
Message-ID: <df25e018-207c-e9ff-fa18-a755f8a87927@kent.ac.uk>


On 01/06/2017 17:06, Joe Andrieu wrote:
> On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>> On 01/06/2017 07:48, Joe Andrieu wrote:
>>> On Wed, May 31, 2017, at 11:20 PM, David Chadwick wrote:
>>>> On 01/06/2017 02:01, Manu Sporny wrote:
>>
>>> Sadly, as I discussed in my other longer email, the ISO definition of
>>> identity [1] is
>>> "set of attributes related to an entity."
>>>
>>> This is *at best* a valid definition of a digital identity as
>>> represented in an ICT, a limitation that the standard at least states
>>> clearly: "An identity is the information used to represent an entity in
>>> an ICT system." [ICT: Information and Communication Technology]
>>
>> I have to disagree with you. The ISO definition is very generic
>> (purposefully), since an attribute can be anything that describes the
>> entity. Consequently this very generic definition applies to any and
>> every ICT system. Why are we doing VCs? Because we want to move from
>> paper based systems to ICT systems.
>>
>> So we need a definition that is applicable to ICT, which is surely the
>> purpose of the VC work.
>>
>>>
>>> The problem is that our identities are much larger than what is stored
>>> in any given ICT. 
>>
>> But why is that of interest to the VC group that is working on DIGITAL
>> identities?
> 
> If we mean "digital identity", then say it. Don't confuse it with
> "identity".
> 
> The objections to "identity" are often because of conflation of the two.
> We discuss A when we mean B. We discuss "identity" when what we really
> mean is "the isolated domain-specific digital identity that only applies
> to 
> this particular ICT system".

Ok, but I prefer to use the term identity information when referring to
the information held about a person in an information system. If the IS
is physical and paper based, then the identity information will be held
in paper files. If the IS is an ICT system, then it will indeed be
digital identity information that is stored there.

But I have never moved this discussion in the direction of talking about
a single isolated ICT system, so I am not sure where you got that idea
from. I said 'any and every ICT system'.

> 
> The problem is that these digital identities don't stay isolated.

Of course they dont. Who said they did? Federated identity management
has always been about sharing digital identity information.

> 
> They don't stay in the domain they were created or intended for.

Glad we agree on that.

> 
> Similarly, rights and privileges tied to our real identities are often
> ignored
> or dismantled because *in a given system* it didn't seem relevant
> to the engineers who designed and built it. Identity is innately 
> trans-system. Any given "digital identity" may not be, but our real
> world "identity" absolutely is. By its very nature. We have an identity
> completely independent of any system or authority.

Your last sentence conflicts with your other sentences in 'Identity
Crisis' in which you state 'identity is an emergent phenomenon that does
not have an existence independent of the observer'

So which is it? Is identity completely independent or rather does not
have an existence independently?

> 
> As stated previously, Verifiable Claims will be used as part of 
> various identity systems. In fact, there are numerous examples
> of VCs being used to bridge previously separate identity systems
> by creating a digital equivalence of real-world credentials and tokens
> like driver's licenses, passports, and prescriptions. Our work WILL
> be affecting "identity" and not just "digital identity".

Sorry but I  do not know what you mean by identity, due to the conflict
above.

> 
>>> Many of our privacy problems are driven by this very
>>> fact. ISO treats identity as a domain-specific concept, but when our
>>> privacy is compromised, it because information leaks from one context to
>>> another. 
>>
>> Please explain what you mean by domain-specific, and please explain
>> which other domains, apart from ICT, are of interest to the VC work.
> 
> By domain I mean a specific ICT system, 

I dont think I know anyone who regards identity information as being
specific to a single ICT system. Certainly everyone in the FIM world
knows that identity information is meant for sharing. And people in the
privacy world know that PII is allowed to be shared providing it stays
within the rules. The GDPR is there to ensure the rules are obeyed,
otherwise unscrupulous data controllers would share it in ways it was
never intended for. Even the VC work does not believe in the full and
free sharing of PII, rather it should be under the control of the
holder. So there is no conflict between ISO, GDPR and VC work as far as
I can see.

> aligned with the W3C mental 
> model of security by domain isolation as a response to things like 
> cross-site scripting hacks.

I think you are confusing two separate issues, security vulnerabilities
and data sharing. The Same Origin Policy is there to stop hackers
linking systems that should not be linked, whereas FIM and token binding
etc. are there to ensure that data can be shared safely and securely.


> 
>>> Perhaps even more important, because ISO and others think of identity as
>>> domain-specific, they fail to see the relevance of how bad decisions in
>>> identity systems compromise human dignity. The myopia of "the ICT
>>> system" externalizes the consequences of design choices on people's
>>> identities beyond that system.
>>
>> I think this is an entirely different issue. The bad design of anything
>> (e.g. a knife that unintentionally cuts the user rather than the meat, a
>> car that hits objects because it has protruding parts invisible to the
>> driver etc.) is a design issue and not a domain issue. ICT systems are
>> designed to be used by humans in the physical world so obviously impact
>> the physical world (and are necessarily part of it). You should view the
>> ICT system in its environment of use as the system, and not the ICT
>> system in isolation.
> 
> I'm suggesting that the limited view that "Identity" is the same as the
> digital identity in a given ICT system is the isolation that leads to 
> bad design. 
> 
> If we want to make sure we don't undermine beneficial--or unwittingly 
> enable undesired--aspects of real-world identity, we need to acknowledge
> that identity is inevitably more than the digital identity in
> any given system. 

I think we all realise that. No one has been arguing for the opposite.

> Building systems without that awareness is
> exactly why we've have such push back on privacy issues related to
> cross-domain identifiers 

like email addresses, phone numbers etc? You are right in saying that
privacy advocates don't want us to build globally unique identifiers
into our system as this provides a global correlating handle, but I am
sure we can do that (we have in our VC system). But if the user wishes
to voluntarily provide this, such as an email address, there is little
anyone can do about that.

> and have been warned off of solving "identity".

Well I am sure I have no idea what you mean by 'solving identity'!!

> 
>>> I'm working with several other identity professionals to try and shift
>>> the ISO language on this, but that will not be a short effort. 
>>
>> Perhaps because the current definition is an excellent one!
> 
> It's a fine definition of "digital identity" for a single ICT system.

Correction. Its a fine definition for all ICT systems, whether
interconnected or isolated or federated.

> It 
> falls far short of the mark for identity as it pertains to humans
> interacting 
> with other humans across multiple ICTs and non-ICT domains.

Agreed, because the average human does not understand the concept of
attribute :-) But for ICT professionals it is fine, because I can talk
to you about my identity attributes without any ICT system being involved.

regards

David

> 
>>> [1] ISO/IEC 24760-1 (Information technology -- Security techniques -- A
>>> framework for identity management Section 3.1.2
>>> http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html and
>>> directly at
>>> http://standards.iso.org/ittf/PubliclyAvailableStandards/c057914_ISO_IEC_24760-1_2011.zip
> 
> -j
> 
Received on Thursday, 1 June 2017 21:44:52 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:38 UTC