Re: "Identity"

Hi Joe

On 01/06/2017 07:48, Joe Andrieu wrote:
> On Wed, May 31, 2017, at 11:20 PM, David Chadwick wrote:
>> On 01/06/2017 02:01, Manu Sporny wrote:
>>
>> SNIP
>>
>>> Let's fast forward to a point where this community has properly defined
>>> "identity" in a coherent way. Here are the problems that we will still face:
>>>
>>> 1. Some other community has defined it in some other way that makes
>>> sense to them and they are unwilling to change the definition... and
>>> we're back to not having a unified definition.
>>
>> So why don't we use an ISO standard definition? At least we can say that
>> we are not inventing our own definition and are using an internationally
>> recognised one.
>>
>> regards
>>
>> David
> 
> Sadly, as I discussed in my other longer email, the ISO definition of
> identity [1] is
> "set of attributes related to an entity."
> 
> This is *at best* a valid definition of a digital identity as
> represented in an ICT, a limitation that the standard at least states
> clearly: "An identity is the information used to represent an entity in
> an ICT system." [ICT: Information and Communication Technology]

I have to disagree with you. The ISO definition is very generic
(purposefully), since an attribute can be anything that describes the
entity. Consequently this very generic definition applies to any and
every ICT system. Why are we doing VCs? Because we want to move from
paper-based systems to ICT systems.

So we need a definition that is applicable to ICT, which is surely the
purpose of the VC work.

> 
> The problem is that our identities are much larger than what is stored
> in any given ICT. 

But why is that of interest to the VC group that is working on DIGITAL
identities?


> Many of our privacy problems are driven by this very
> fact. ISO treats identity as a domain-specific concept, but when our
> privacy is compromised, it is because information leaks from one context to
> another. 

Please explain what you mean by domain-specific, and please explain
which other domains, apart from ICT, are of interest to the VC work.


> 
> Perhaps even more important, because ISO and others think of identity as
> domain-specific, they fail to see the relevance of how bad decisions in
> identity systems compromise human dignity. The myopia of "the ICT
> system" externalizes the consequences of design choices on people's
> identities beyond that system.

I think this is an entirely different issue. The bad design of anything
(e.g. a knife that unintentionally cuts the user rather than the meat, a
car that hits objects because it has protruding parts invisible to the
driver etc.) is a design issue and not a domain issue. ICT systems are
designed to be used by humans in the physical world so obviously impact
the physical world (and are necessarily part of it). You should view the
ICT system in its environment of use as the system, and not the ICT
system in isolation.

> 
> I'm working with several other identity professionals to try and shift
> the ISO language on this, but that will not be a short effort. 

Perhaps because the current definition is an excellent one!

regards

David

> 
> [1] ISO/IEC 24760-1 (Information technology -- Security techniques -- A
> framework for identity management), Section 3.1.2
> http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html and
> directly at
> http://standards.iso.org/ittf/PubliclyAvailableStandards/c057914_ISO_IEC_24760-1_2011.zip
> 
> 

Received on Thursday, 1 June 2017 07:45:15 UTC