From stollman.j at gmail.com Tue Mar 25 04:42:18 2008 From: stollman.j at gmail.com (j stollman) Date: Tue, 25 Mar 2008 07:42:18 -0400 Subject: [Sig-ia] Specifying documents versus attributes for authentication Message-ID: Criteria for Identity Proofing: Documents or Attributes The IAF, like various US federal regulations and guidelines, specifies breeder documents as the source of evidence to substantiate the identity of someone seeking an identity credential. This approach has found general resonance among the American members actively involved in the IAF review discussions, because the documents cited (1) have a history of being used as a basis for establishing identity within the US, (2) are reasonably ubiquitous in the US and (3) typically contain most of the same information ? even though they are issued by multiple domestic entities. The problem is exacerbated because we do not even require specific documents. Instead we require a choice of documents from a listed pool of documents (driver's license, utility bills, etc.). Bob Pinheiro raised the issue that rather than specifying breeder documents, we might be better served by trying to specify the specific attributes that we want vetted by some authority. The reasons for this alternative approach include the following: 1. Specifying particular documents in place of specific fields that we consider vital to identity proofing is tantamount to specifying a technology (particular documents) rather than our requirements (the information necessary to properly proof a person's identity). And a stated goal of the IAF is to be technology agnostic. 2. While there is general consistency among the *types* of information contained in these documents within the confines of the US, it is not clear that the same information is contained in these same (or equivalent documents) elsewhere in the world. A lack of such consistency in the type of information contained on breeder documents implies that the process of authenticating people in one country relies on different information than authenticating them in another. This is not necessarily a problem ? as long as the results remain equally reliable. But this inconsistency may subject the identity proofing process to undesirable results -- including foul play -- compromising the entire process. 3. While there may also be an acceptable level of consistency in the * quality* (i.e., reliability) of information contained in these documents within the confines of the US, it is not clear that the quality exists in these same (or equivalent documents) elsewhere in the world. Variability in the quality of this information likely subjects the identity proofing process to additional risk. Specifying Technology versus Requirements I suspect that reliance on named documents rather than specific attributes is based on the premise that identity proofing is not an exact science in which specific attributes are necessary. Instead, we are seeking a preponderance of evidence through multiple factors, such as the various data fields included on a driver's license. But, even if this is the case, we might change our criteria specification to "at least "two" documents issued by independent third parties each of which evidences at least "five" of the following factors: height, weight, eye color, birth date, birth place, a photograph discernable as the applicant, current address, etc. " (The numbers "two" and "five" are merely a place holder for whatever numbers we decide are appropriate. We may use different numbers for different assurance levels.) We may or may not then give examples of the types of documents that we consider to be evidentiary (e.g., driver's license, passport, government-issued ID, utility bill in the US). We may or may not also require that some minimum number of factors be included on at least "two" such documents. (Here again, the number "two" is just a place holder.) Information Types The concern for variation in the types of information presented in named breeder documents stems from the fact that most breeder documents vary in their content depending on which entity issued them (including government-issued documents such as driver's licenses, as well as privately issued documents such as birth certificates and utility bills). In the US, alone, we have over fifty different issuers of driver's licenses (when you count DC, and territories such as Puerto Rico, Guam, etc.). And much of the information contained on these documents is transient information, such as name (which frequently changes after marriage or divorce, and sometimes changes on a whim) and address (which changes with increasing frequency as our society becomes more mobile). While within the US, we have a level of comfort in specifying breeder documents by category, the question becomes: what is it that such documents are really evidencing? My driver's license has neither my correct name, nor my correct address. My name was misspelled by a clerk thirty years ago and trying to correct it is a nuisance. My address changed because I moved. My height is about the same. My weight has changed. My eye color is correct and my hair color has not grayed sufficiently that it is still reasonably accurate. My picture is discernable because I remain without mustaches and beard. Going outside the US, I suspect that the variability in content will increase. The problem may be further complicated if driver's licenses are not as widespread outside the US as within it. Are there many city dwellers who rely on public transportation and never bothered to obtain driver's licenses? Information Quality Do we have a reason to expect that driver's licenses and utility bills provide the same level of information assurance that they do in the US? Are they an equally reliable source of information? Do we have enough knowledge of the breadth of documents that we are specifying by category to be confident that we are truly covering 80% of our target population? Next Steps I don't know the answer to the various questions I raise here. But they should not be hard questions to answer. Information Type and Quality Because the assumption that non-US documents contain equivalent information and are of equal quality is so fundamental to our current approach, we need to recognize that we are making this assumption. And, at a minimum, they questions raised should be vetted with the non-US membership of Project Liberty. I suggest that it would be better to vet them before we publish, rather than embarrassing ourselves with a major faux pas. Specifying Documents by Name As for the decision to specify documents rather than particular fields, it may be that the response we obtain to posing questions to our non-US membership helps us make this decision. Jeff Stollman stollman.j at gmail.com 1.610.640.4115 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080325/1676a62f/attachment.html From altermap at mail.nih.gov Tue Mar 25 08:52:40 2008 From: altermap at mail.nih.gov (Alterman, Peter (NIH/CIT) [E]) Date: Tue, 25 Mar 2008 11:52:40 -0400 Subject: [Sig-ia] Specifying documents versus attributes for authentication Message-ID: <8C40DAAF38B0A84C9312702FA41930EA04805488@NIHCESMLBX3.nih.gov> I think the document cites "government-issued credential." Is that not sufficiently international? Also, if you think about it, what the credential attests to is that an agency of a government has vetted the person's identity. So, a government-issued credential is a shortcut, so the CSP doesn't have to vet all those attributes. -------------------------- Peter Alterman, Ph.D Asst. CIO e-Authentication and Chair, Federal PKI Policy Authority Cell: 301-252-8846 ----- Original Message ----- From: j stollman To: sig-ia at lists.projectliberty.org Sent: Tue Mar 25 07:42:18 2008 Subject: [Sig-ia] Specifying documents versus attributes for authentication Criteria for Identity Proofing: Documents or Attributes The IAF, like various US federal regulations and guidelines, specifies breeder documents as the source of evidence to substantiate the identity of someone seeking an identity credential. This approach has found general resonance among the American members actively involved in the IAF review discussions, because the documents cited (1) have a history of being used as a basis for establishing identity within the US, (2) are reasonably ubiquitous in the US and (3) typically contain most of the same information ? even though they are issued by multiple domestic entities. The problem is exacerbated because we do not even require specific documents. Instead we require a choice of documents from a listed pool of documents (driver's license, utility bills, etc.). Bob Pinheiro raised the issue that rather than specifying breeder documents, we might be better served by trying to specify the specific attributes that we want vetted by some authority. The reasons for this alternative approach include the following: 1. Specifying particular documents in place of specific fields that we consider vital to identity proofing is tantamount to specifying a technology (particular documents) rather than our requirements (the information necessary to properly proof a person's identity). And a stated goal of the IAF is to be technology agnostic. 2. While there is general consistency among the types of information contained in these documents within the confines of the US, it is not clear that the same information is contained in these same (or equivalent documents) elsewhere in the world. A lack of such consistency in the type of information contained on breeder documents implies that the process of authenticating people in one country relies on different information than authenticating them in another. This is not necessarily a problem ? as long as the results remain equally reliable. But this inconsistency may subject the identity proofing process to undesirable results -- including foul play -- compromising the entire process. 3. While there may also be an acceptable level of consistency in the quality (i.e., reliability) of information contained in these documents within the confines of the US, it is not clear that the quality exists in these same (or equivalent documents) elsewhere in the world. Variability in the quality of this information likely subjects the identity proofing process to additional risk. Specifying Technology versus Requirements I suspect that reliance on named documents rather than specific attributes is based on the premise that identity proofing is not an exact science in which specific attributes are necessary. Instead, we are seeking a preponderance of evidence through multiple factors, such as the various data fields included on a driver's license. But, even if this is the case, we might change our criteria specification to "at least "two" documents issued by independent third parties each of which evidences at least "five" of the following factors: height, weight, eye color, birth date, birth place, a photograph discernable as the applicant, current address, etc. " (The numbers "two" and "five" are merely a place holder for whatever numbers we decide are appropriate. We may use different numbers for different assurance levels.) We may or may not then give examples of the types of documents that we consider to be evidentiary (e.g., driver's license, passport, government-issued ID, utility bill in the US). We may or may not also require that some minimum number of factors be included on at least "two" such documents. (Here again, the number "two" is just a place holder.) Information Types The concern for variation in the types of information presented in named breeder documents stems from the fact that most breeder documents vary in their content depending on which entity issued them (including government-issued documents such as driver's licenses, as well as privately issued documents such as birth certificates and utility bills). In the US, alone, we have over fifty different issuers of driver's licenses (when you count DC, and territories such as Puerto Rico, Guam, etc.). And much of the information contained on these documents is transient information, such as name (which frequently changes after marriage or divorce, and sometimes changes on a whim) and address (which changes with increasing frequency as our society becomes more mobile). While within the US, we have a level of comfort in specifying breeder documents by category, the question becomes: what is it that such documents are really evidencing? My driver's license has neither my correct name, nor my correct address. My name was misspelled by a clerk thirty years ago and trying to correct it is a nuisance. My address changed because I moved. My height is about the same. My weight has changed. My eye color is correct and my hair color has not grayed sufficiently that it is still reasonably accurate. My picture is discernable because I remain without mustaches and beard. Going outside the US, I suspect that the variability in content will increase. The problem may be further complicated if driver's licenses are not as widespread outside the US as within it. Are there many city dwellers who rely on public transportation and never bothered to obtain driver's licenses? Information Quality Do we have a reason to expect that driver's licenses and utility bills provide the same level of information assurance that they do in the US? Are they an equally reliable source of information? Do we have enough knowledge of the breadth of documents that we are specifying by category to be confident that we are truly covering 80% of our target population? Next Steps I don't know the answer to the various questions I raise here. But they should not be hard questions to answer. Information Type and Quality Because the assumption that non-US documents contain equivalent information and are of equal quality is so fundamental to our current approach, we need to recognize that we are making this assumption. And, at a minimum, they questions raised should be vetted with the non-US membership of Project Liberty. I suggest that it would be better to vet them before we publish, rather than embarrassing ourselves with a major faux pas. Specifying Documents by Name As for the decision to specify documents rather than particular fields, it may be that the response we obtain to posing questions to our non-US membership helps us make this decision. Jeff Stollman stollman.j at gmail.com 1.610.640.4115 From brett at projectliberty.org Tue Mar 25 08:56:58 2008 From: brett at projectliberty.org (Brett McDowell) Date: Tue, 25 Mar 2008 11:56:58 -0400 Subject: [Sig-ia] Specifying documents versus attributes for authentication In-Reply-To: <8C40DAAF38B0A84C9312702FA41930EA04805488@NIHCESMLBX3.nih.gov> References: <8C40DAAF38B0A84C9312702FA41930EA04805488@NIHCESMLBX3.nih.gov> Message-ID: Jeff, are you commenting on the latest version in circulation inside IAEG, or the public draft 1.0 which is several months out-of-date? Brett McDowell | Liberty Alliance | vCard| Calendar On Tue, Mar 25, 2008 at 11:52 AM, Alterman, Peter (NIH/CIT) [E] < altermap at mail.nih.gov> wrote: > I think the document cites "government-issued credential." Is that not > sufficiently international? Also, if you think about it, what the > credential attests to is that an agency of a government has vetted the > person's identity. So, a government-issued credential is a shortcut, so the > CSP doesn't have to vet all those attributes. > -------------------------- > Peter Alterman, Ph.D > Asst. CIO e-Authentication and > Chair, Federal PKI Policy Authority > Cell: 301-252-8846 > > ----- Original Message ----- > From: j stollman > To: sig-ia at lists.projectliberty.org > Sent: Tue Mar 25 07:42:18 2008 > Subject: [Sig-ia] Specifying documents versus attributes for > authentication > > > Criteria for Identity Proofing: Documents or Attributes > > > The IAF, like various US federal regulations and guidelines, specifies > breeder documents as the source of evidence to substantiate the identity of > someone seeking an identity credential. This approach has found general > resonance among the American members actively involved in the IAF review > discussions, because the documents cited (1) have a history of being used as > a basis for establishing identity within the US, (2) are reasonably > ubiquitous in the US and (3) typically contain most of the same information > ? even though they are issued by multiple domestic entities. > > The problem is exacerbated because we do not even require specific > documents. Instead we require a choice of documents from a listed pool of > documents (driver's license, utility bills, etc.). > > Bob Pinheiro raised the issue that rather than specifying breeder > documents, we might be better served by trying to specify the specific > attributes that we want vetted by some authority. The reasons for this > alternative approach include the following: > > 1. Specifying particular documents in place of specific fields that > we consider vital to identity proofing is tantamount to specifying a > technology (particular documents) rather than our requirements (the > information necessary to properly proof a person's identity). And a stated > goal of the IAF is to be technology agnostic. > 2. While there is general consistency among the types of information > contained in these documents within the confines of the US, it is not clear > that the same information is contained in these same (or equivalent > documents) elsewhere in the world. A lack of such consistency in the type > of information contained on breeder documents implies that the process of > authenticating people in one country relies on different information than > authenticating them in another. This is not necessarily a problem ? as long > as the results remain equally reliable. But this inconsistency may subject > the identity proofing process to undesirable results -- including foul play > -- compromising the entire process. > 3. While there may also be an acceptable level of consistency in the > quality (i.e., reliability) of information contained in these documents > within the confines of the US, it is not clear that the quality exists in > these same (or equivalent documents) elsewhere in the world. Variability in > the quality of this information likely subjects the identity proofing > process to additional risk. > > > Specifying Technology versus Requirements > > > I suspect that reliance on named documents rather than specific attributes > is based on the premise that identity proofing is not an exact science in > which specific attributes are necessary. Instead, we are seeking a > preponderance of evidence through multiple factors, such as the various data > fields included on a driver's license. But, even if this is the case, we > might change our criteria specification to > > "at least "two" documents issued by independent third parties each of > which evidences at least "five" of the following factors: height, weight, > eye color, birth date, birth place, a photograph discernable as the > applicant, current address, etc. " > > (The numbers "two" and "five" are merely a place holder for whatever > numbers we decide are appropriate. We may use different numbers for > different assurance levels.) > > We may or may not then give examples of the types of documents that we > consider to be evidentiary (e.g., driver's license, passport, > government-issued ID, utility bill in the US). > > We may or may not also require that some minimum number of factors be > included on at least "two" such documents. (Here again, the number "two" is > just a place holder.) > > > Information Types > > > The concern for variation in the types of information presented in named > breeder documents stems from the fact that most breeder documents vary in > their content depending on which entity issued them (including > government-issued documents such as driver's licenses, as well as privately > issued documents such as birth certificates and utility bills). In the US, > alone, we have over fifty different issuers of driver's licenses (when you > count DC, and territories such as Puerto Rico, Guam, etc.). And much of the > information contained on these documents is transient information, such as > name (which frequently changes after marriage or divorce, and sometimes > changes on a whim) and address (which changes with increasing frequency as > our society becomes more mobile). While within the US, we have a level of > comfort in specifying breeder documents by category, the question becomes: > what is it that such documents are really evidencing? My driver's license > has neither my correct name! > , nor my correct address. My name was misspelled by a clerk thirty years > ago and trying to correct it is a nuisance. My address changed because I > moved. My height is about the same. My weight has changed. My eye color > is correct and my hair color has not grayed sufficiently that it is still > reasonably accurate. My picture is discernable because I remain without > mustaches and beard. > > Going outside the US, I suspect that the variability in content will > increase. The problem may be further complicated if driver's licenses are > not as widespread outside the US as within it. Are there many city dwellers > who rely on public transportation and never bothered to obtain driver's > licenses? > > > Information Quality > > > Do we have a reason to expect that driver's licenses and utility bills > provide the same level of information assurance that they do in the US? > Are they an equally reliable source of information? Do we have enough > knowledge of the breadth of documents that we are specifying by category to > be confident that we are truly covering 80% of our target population? > > > Next Steps > > > I don't know the answer to the various questions I raise here. But they > should not be hard questions to answer. > > > Information Type and Quality > > > Because the assumption that non-US documents contain equivalent > information and are of equal quality is so fundamental to our current > approach, we need to recognize that we are making this assumption. And, at > a minimum, they questions raised should be vetted with the non-US membership > of Project Liberty. I suggest that it would be better to vet them before we > publish, rather than embarrassing ourselves with a major faux pas. > > > Specifying Documents by Name > > > As for the decision to specify documents rather than particular fields, it > may be that the response we obtain to posing questions to our non-US > membership helps us make this decision. > > > > > Jeff Stollman > stollman.j at gmail.com > 1.610.640.4115 > _______________________________________________ > Sig-ia mailing list > Sig-ia at lists.projectliberty.org > > http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080325/c3f87873/attachment-0001.html From bob at bobpinheiro.com Tue Mar 25 14:27:53 2008 From: bob at bobpinheiro.com (Bob Pinheiro) Date: Tue, 25 Mar 2008 17:27:53 -0400 Subject: [Sig-ia] Specifying documents versus attributes for authentication In-Reply-To: <8C40DAAF38B0A84C9312702FA41930EA04805488@NIHCESMLBX3.nih.g ov> References: <8C40DAAF38B0A84C9312702FA41930EA04805488@NIHCESMLBX3.nih.gov> Message-ID: <0JYB00HMB2GB1OL0@vms040.mailsrvcs.net> I think we still have this issue of what constitutes an "identity." At Assurance Level 3, for instance, in-person proofing requires that a person not only present a government issued photo ID that can be verified as legitimate, but that the personal information displayed on the photo ID can be sufficiently corroborated "to ensure a unique identity." Presumably not every government-issued photo ID will do, only those that contain sufficient information to establish a unique identity. For instance, my entrance pass for the town swimming pool has my name and picture on it. If by "identity" we mean only a person's name, that probably would be sufficient. But if we are trying to uniquely identify an individual, other attributes or identifiers would be needed. Which identifiers are sufficient to establish a unique identity? The IAF states only that these could include "date of birth, current address of record, and other personal information sufficient to ensure a unique identity." For remote proofing at Assurance Level 3, assuming a person possess an acceptable government-issued photo ID, the person needs to also present additional information that can be corroborated. One possibility allowed is to present "personal information relating to the applicant, such as: (a) a name that matches the referenced photo-ID; (b) date of birth; (c) current address or personal telephone number; (d) the issuer, account number, and expiration date of a current credit card." Are all four of these things required? Only some of them? Or just enough of them to ensure a unique identity? None of this identifying information is strictly required, however, since the IAF also allows that "an account number issued by a regulated financial institution" may be presented instead. So I think that even within Assurance Level 3, it is not clear which identifiers are needed to ensure a unique identity, or that the reliability of the in-person and remote proofing are equivalent. There are two ways to deal with this, I think. One way would be to specify a specific set of attributes, such as name, address, and birthdate, which taken together is sufficient to ensure a unique identity. In that case, identity proofing would consist of whatever in-person or remote means can be devised to ensure that the specific name, birthdate, and address are associated with the person whose identity is being proofed. That seems to be a legitimate approach, but on the other hand we do not want to get bogged down in an ongoing philosophical debate about what constitutes an identity. Maybe not everyone would agree that an identity should be defined by these three particular attributes. The other approach is to forget about "identity" entirely, and assume that the proofing process is designed only to verify whatever identity attributes a person chooses to make known to a CSP. In that case, the CSP would be providing a service to Relying Parties whose purpose would be to authenticate only claims pertaining to those attributes. For instance, I may provide only my SSN to a CSP. If the CSP could verify that the SSN is truly mine (at some Assurance Level), the credential and token given to me by the CSP could be used only to verify a claim of ownership of a particular SSN at a Relying Party. Whether CSPs would choose to provide such a capability would likely depend on whether they perceive a "market" for a service to authenticate only specific identity attributes, or combinations of attributes. Both of these approaches seem reasonable, and share the basic idea of starting with identity attributes first, then figuring out which documents or other methods are needed to "proof" specific instances of those attributes, at each Assurance Level, in-person or remotely. Since we are mostly interested in online authentication, it might be useful to ask whether the kinds of authentication taking place online pertain more to authentication of unique "identities", or to authentication of various sets of identity attributes, or even to claims of authority to perform certain functions. If we still like the idea of defining an identity in terms of specific attributes, maybe we can just start by agreeing on or more sets of identity attributes, each of which is believed sufficient to ensure a unique identity. Bob ------------------------ Robert Pinheiro Consulting LLC 1-908-654-1939 At 11:52 AM 3/25/2008, Alterman, Peter (NIH/CIT) [E] wrote: >I think the document cites "government-issued >credential." Is that not sufficiently >international? Also, if you think about it, >what the credential attests to is that an agency >of a government has vetted the person's >identity. So, a government-issued credential is >a shortcut, so the CSP doesn't have to vet all those attributes. >-------------------------- >Peter Alterman, Ph.D >Asst. CIO e-Authentication and >Chair, Federal PKI Policy Authority >Cell: 301-252-8846 > >----- Original Message ----- >From: j stollman >To: sig-ia at lists.projectliberty.org >Sent: Tue Mar 25 07:42:18 2008 >Subject: [Sig-ia] Specifying documents versus attributes for authentication > > >Criteria for Identity Proofing: Documents or Attributes > > >The IAF, like various US federal regulations and >guidelines, specifies breeder documents as the >source of evidence to substantiate the identity >of someone seeking an identity credential. This >approach has found general resonance among the >American members actively involved in the IAF >review discussions, because the documents cited >(1) have a history of being used as a basis for >establishing identity within the US, (2) are >reasonably ubiquitous in the US and (3) >typically contain most of the same information ? >eeven though they are issued by multiple domestic entities. > >The problem is exacerbated because we do not >even require specific documents. Instead we >require a choice of documents from a listed pool >of documents (driver's license, utility bills, etc.). > >Bob Pinheiro raised the issue that rather than >specifying breeder documents, we might be better >served by trying to specify the specific >attributes that we want vetted by some >authority. The reasons for this alternative approach include the following: > >1. Specifying particular documents in place >of specific fields that we consider vital to >identity proofing is tantamount to specifying a >technology (particular documents) rather than >our requirements (the information necessary to >properly proof a person's identity). And a >stated goal of the IAF is to be technology agnostic. >2. While there is general consistency among >the types of information contained in these >documents within the confines of the US, it is >not clear that the same information is contained >in these same (or equivalent documents) >elsewhere in the world. A lack of such >consistency in the type of information contained >on breeder documents implies that the process of >authenticating people in one country relies on >different information than authenticating them >in another. This is not necessarily a problem ? >as long as the rresults remain equally >reliable. But this inconsistency may subject >the identity proofing process to undesirable >results -- including foul play -- compromising the entire process. >3. While there may also be an acceptable >level of consistency in the quality (i.e., >reliability) of information contained in these >documents within the confines of the US, it is >not clear that the quality exists in these same >(or equivalent documents) elsewhere in the >world. Variability in the quality of this >information likely subjects the identity >proofing process to additional risk. > > >Specifying Technology versus Requirements > > >I suspect that reliance on named documents >rather than specific attributes is based on the >premise that identity proofing is not an exact >science in which specific attributes are >necessary. Instead, we are seeking a >preponderance of evidence through multiple >factors, such as the various data fields >included on a driver's license. But, even if >this is the case, we might change our criteria specification to > >"at least "two" documents issued by independent >third parties each of which evidences at least >"five" of the following factors: height, >weight, eye color, birth date, birth place, a >photograph discernable as the applicant, current address, etc. " > >(The numbers "two" and "five" are merely a >place holder for whatever numbers we decide are >appropriate. We may use different numbers for different assurance levels.) > >We may or may not then give examples of the >types of documents that we consider to be >evidentiary (e.g., driver's license, passport, >government-issued ID, utility bill in the US). > >We may or may not also require that some minimum >number of factors be included on at least "two" >such documents. (Here again, the number "two" is just a place holder.) > > >Information Types > > >The concern for variation in the types of >information presented in named breeder documents >stems from the fact that most breeder documents >vary in their content depending on which entity >issued them (including government-issued >documents such as driver's licenses, as well as >privately issued documents such as birth >certificates and utility bills). In the US, >alone, we have over fifty different issuers of >driver's licenses (when you count DC, and >territories such as Puerto Rico, Guam, >etc.). And much of the information contained on >these documents is transient information, such >as name (which frequently changes after marriage >or divorce, and sometimes changes on a whim) and >address (which changes with increasing frequency >as our society becomes more mobile). While >within the US, we have a level of comfort in >specifying breeder documents by category, the >question becomes: what is it that such >documents are really evidencing? My driver's >license has neither my correct name, nor my >correct address. My name was misspelled by a >clerk thirty years ago and trying to correct it >is a nuisance. My address changed because I >moved. My height is about the same. My weight >has changed. My eye color is correct and my >hair color has not grayed sufficiently that it >is still reasonably accurate. My picture is >discernable because I remain without mustaches and beard. > >Going outside the US, I suspect that the >variability in content will increase. The >problem may be further complicated if driver's >licenses are not as widespread outside the US as >within it. Are there many city dwellers who >rely on public transportation and never bothered to obtain driver's licenses? > > >Information Quality > > >Do we have a reason to expect that driver's >licenses and utility bills provide the same >level of information assurance that they do in >the US? Are they an equally reliable source of >information? Do we have enough knowledge of the >breadth of documents that we are specifying by >category to be confident that we are truly >covering 80% of our target population? > > >Next Steps > > >I don't know the answer to the various questions >I raise here. But they should not be hard questions to answer. > > >Information Type and Quality > > >Because the assumption that non-US documents >contain equivalent information and are of equal >quality is so fundamental to our current >approach, we need to recognize that we are >making this assumption. And, at a minimum, they >questions raised should be vetted with the >non-US membership of Project Liberty. I suggest >that it would be better to vet them before we >publish, rather than embarrassing ourselves with a major faux pas. > > >Specifying Documents by Name > > >As for the decision to specify documents rather >than particular fields, it may be that the >response we obtain to posing questions to our >non-US membership helps us make this decision. > > > > >Jeff Stollman >stollman.j at gmail.com >1.610.640.4115 >_______________________________________________ >Sig-ia mailing list >Sig-ia at lists.projectliberty.org >http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org > From stollman.j at gmail.com Wed Mar 26 20:00:44 2008 From: stollman.j at gmail.com (j stollman) Date: Wed, 26 Mar 2008 23:00:44 -0400 Subject: [Sig-ia] defining Identity: a first attempt Message-ID: Here is a proposal for defining identity. At a minimum, consider it a straw man to focus discussion. I will likely be unavailable on any calls for the next month while I am in Asia. But I will have email access. -- Jeff Stollman stollman.j at gmail.com 1 202.683.8699 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080326/237563d1/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: Defining identity for the IAF.doc Type: application/msword Size: 52736 bytes Desc: not available Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080326/237563d1/attachment-0001.doc From philippe.clement at orange-ftgroup.com Thu Mar 27 03:05:10 2008 From: philippe.clement at orange-ftgroup.com (philippe.clement at orange-ftgroup.com) Date: Thu, 27 Mar 2008 11:05:10 +0100 Subject: [Sig-ia] defining Identity: a first attempt In-Reply-To: Message-ID: Hi Jeff, I think it is an excellent work to discuss the field of the identity * One little remark concerning the "stability" of the social security number: In france, the SSN begins with a figure representing the gender of the individual (1 for man and 2 for women) and I think that it could be not as stable as it seems... The fact is that I don't either know if there is a change of this SSN in case of change of gender... * one another thing I think that could be interesting would be (maybe in the beginning of the document) to describe an existing wide variety of definitions for "Identy" or combined words (see enclosed few definitions based on the term "identity" I had gathered for an internal work at Orange) hope this helps... best regards, Philippe Philippe Clement Online Advertising Line of Business Head of Identity Marketing tel. 01 45 29 65 04 cell. 06 81 24 67 21 philippe.clement at orange-ftgroup.com ________________________________ De : sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] De la part de j stollman Envoy? : jeudi 27 mars 2008 04:01 ? : IA SIG Objet : [Sig-ia] defining Identity: a first attempt Here is a proposal for defining identity. At a minimum, consider it a straw man to focus discussion. I will likely be unavailable on any calls for the next month while I am in Asia. But I will have email access. -- Jeff Stollman stollman.j at gmail.com 1 202.683.8699 ********************************* This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. Messages are susceptible to alteration. France Telecom Group shall not be liable for the message if altered, changed or falsified. If you are not the intended addressee of this message, please cancel it immediately and inform the sender. ******************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080327/feb451b4/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 1264 bytes Desc: orange_logo.gif Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080327/feb451b4/attachment-0002.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 1081 bytes Desc: ampersand.gif Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080327/feb451b4/attachment-0003.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: identity definitions.ppt Type: application/vnd.ms-powerpoint Size: 683008 bytes Desc: identity definitions.ppt Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080327/feb451b4/attachment-0001.ppt From dervla at projectliberty.org Fri Mar 28 10:00:27 2008 From: dervla at projectliberty.org (Dervla O'Reilly) Date: Fri, 28 Mar 2008 10:00:27 -0700 Subject: [Sig-ia] Liberty Alliance's Identity Assurance workshop, May 28, 1-5pm, Boston, MA, USA Message-ID: <00b501c890f5$39722bb0$380fa8c0@dervla26024d8d> Attached is the invitation for the Identity Assurance workshop in Boston on May 28. Please feel free to share this with your colleagues and partners as appropriate. This workshop will provide attendees with a solid understanding of Identity Assurance work underway in the marketplace, tangible guidance on what other institutions are doing, and a blueprint for how to get involved. Details on the event and conference registration are available at http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=e8b763a1-5506-47f7-8968-d4 307834e85c If you have any questions regarding this event, please let me know. Regards, Dervla ______________________ Dervla O'Reilly Events Manager Liberty Alliance Project +1-415-731-4487 office +1-415-948-3650 mobile +1-419-793-9235 fax dervla at projectliberty.org www.projectliberty.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080328/cd4ede85/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: TowerGroup Pre-Con Workshop_032708.pdf Type: application/pdf Size: 295228 bytes Desc: not available Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080328/cd4ede85/attachment-0001.pdf From dervla at projectliberty.org Fri Mar 28 13:58:05 2008 From: dervla at projectliberty.org (Dervla O'Reilly) Date: Fri, 28 Mar 2008 13:58:05 -0700 Subject: [Sig-ia] Online interactions data study findings from ID Analytics Message-ID: <002001c89116$6c572e60$380fa8c0@dervla26024d8d> All, Attached is a summary whitepaper report that Paul Norton of ID Analytics wanted to share with the group. The papers summarizes research on using traditional identity elements with online data elements to enhance identity proofing. Paul is copied, should you have any questions. Regards, Dervla ______________________ Dervla O'Reilly Events Manager Liberty Alliance Project +1-415-731-4487 office +1-415-948-3650 mobile +1-419-793-9235 fax dervla at projectliberty.org www.projectliberty.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080328/5cc869de/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: ID Analytics Online Whitepaper Summary.pdf Type: application/octet-stream Size: 233750 bytes Desc: not available Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080328/5cc869de/attachment-0001.obj