Bob Blakley is partly right when he says "It's the relationships, stupid." But then he proposed that we stop talking about "trust" when what we really mean is cryptography . . . Huh?
In the IAM world, relationships with an identity are used to assist in authentication. Think of the "regular customer" scenario. Reputation can be considered as part of the risk/trust relationship to determine what accesses you have or are permitted to do in a session, but it is not an identity or a credential. It's just a part of the level of confidence. Check the terminology in this dictionary: http://identityaccessman.blogspot.com/
Identity does not have a context as such; but the authentication of an identity does. The same identity in a different context does not usually get the same authorizations, because their assurance level (risk/trust) is usually different. We can, should, and often do use Assurance Levels to predetermine the amount of risk / degree of trust we are prepared to accept for any given transaction.
That is, the transactional relationship varies. The regular customer can be trusted if they do the same thing every time, but should not be trusted to do something different on the same basis. The relying party is the one taking the risk. Refer to http://identityaccessman3.blogspot.com/ for an explanation of assurance frameworks.
Dave, the minimal data necessary to satisfy a need for data which could be used as an identifier is all that's needed if there is only one assurance level (which is not usually the case, except for some of the simpler OpenID transactions). And it's clearly not the case where there is the need to "step-up" the credential strength (not the identity) when attempting to transact a more risky transaction.
"Stop thinking of our vendors, clients, partners, employees and customers in terms of risks to be assessed." I don't think so, Bob.
"Relationship is the context which protects the security and the privacy of identity information"? I don't think so, Bob, unless you simply mean a "legal" relationship.
As for Cryptography, it's a relatively trusted method of keeping shared secrets private, usually in a message. Encryption of an identity 'claim' simply increases the level of confidence in the data. But when we use the word "trust", Bob, almost all of us don't mean "cryptography".
Allan Milgate