security-services message

Subject: Comment on sstc-saml-glossary-2.0 (also closes AI #0114)

The glossary currently defines "Identity Federation" as one means of
establishing "Account Linkage" --

[begin-def]
A method of relating accounts at two different providers that represent
the same principal so that the providers can communicate about the
principal. Account linkage can be established through the sharing of
attributes or through identity federation.
[end-def]

However, no definition of "identity" is offered in the glossary. Looking
more closely at the definition of "Identity Federation" we learn:

[begin-def]
Linking accounts for a given principal at a pair of providers within a
federation by establishing (or using an existing) identifier to refer to the
principal.
[end-def]

I would argue that this is more correctly described as "Identifier-based
Federation" or even "Identifier Federation". The role of the word
"identifier" in the current definition also supports this interpretation.

Following along similar lines, I would also propose renaming "Identity
Defederation" to "Identifier-based Defederation". As above, the current
definition alludes only to "identifier" and not to identity.

[begin-def]
The elimination of the linkage between a principal's accounts at an
identity provider and a service provider, such that the identity provider
no longer provides the associated identifier to the service provider, and
the service provider will no longer accept the associated identifier from
the identity provider.
[end-def]

This change creates space for "Attribute-based Federation" or even
"Attribute[d] Federation" which is now defined as:

[begin-proposed-def]
Linking accounts for a given principal at a pair of providers within a
federation by the use of a set of attributes to refer to the principal.
[end-proposed-def]

Modifying the top-level definition of "Account Linking" we now have:

[begin-proposed-def]
A method of relating accounts at two different providers that represent
the same principal so that the providers can communicate about the
principal. Account linkage can be established through federation based on
identifiers or attributes.
[end-proposed-def]
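As an added illustration that is not part of this message or of the SAML glossary, the following Python model shows the two account-linkage mechanisms the comment distinguishes from the service provider's side: identifier-based federation (an agreed identifier is mapped to a local account and later used to resolve it, then withdrawn on defederation so that the identifier is no longer accepted) and attribute-based federation (a set of asserted attributes is used to refer to the principal at each resolution, with no match or an ambiguous match rejected). The class name `ServiceProvider`, its methods, the identity-provider id and the account data are all hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: local accounts at a service provider, keyed by a
# local account id, each carrying a few attributes. Two accounts deliberately
# share the same mail value to show how attribute-based matching can be
# ambiguous when the chosen attribute set is too small.
SP_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "u100": {"mail": "alice@example.org", "employeeNumber": "4711"},
    "u200": {"mail": "bob@example.org", "employeeNumber": "4712"},
    "u300": {"mail": "bob@example.org", "employeeNumber": "4713"},
}


@dataclass
class ServiceProvider:
    """Hypothetical service-provider side of account linkage."""

    accounts: Dict[str, Dict[str, str]]
    # (identity provider id, federated identifier) -> local account id
    identifier_links: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # identifiers withdrawn by defederation; they must not be accepted again
    revoked: Set[Tuple[str, str]] = field(default_factory=set)

    # --- identifier-based federation -------------------------------------
    def link_by_identifier(self, idp: str, identifier: str, local_id: str) -> None:
        """Establish (or reuse) an identifier for the principal and map it to a
        local account. The identifier is treated as opaque; only the mapping
        gives it meaning at this provider."""
        if local_id not in self.accounts:
            raise KeyError(f"unknown local account {local_id}")
        if (idp, identifier) in self.revoked:
            raise ValueError("identifier was defederated; a new one must be established")
        self.identifier_links[(idp, identifier)] = local_id

    def resolve_by_identifier(self, idp: str, identifier: str) -> Optional[str]:
        """Return the linked local account, or None if no linkage exists."""
        return self.identifier_links.get((idp, identifier))

    def defederate(self, idp: str, identifier: str) -> bool:
        """Eliminate the linkage: the identifier is forgotten and will no longer
        be accepted from this identity provider. Returns True if a link existed."""
        existed = self.identifier_links.pop((idp, identifier), None) is not None
        self.revoked.add((idp, identifier))
        return existed

    # --- attribute-based federation --------------------------------------
    def match_by_attributes(self, asserted: Dict[str, str], keys: List[str]) -> List[str]:
        """Return every local account whose values for the chosen attribute set
        equal the asserted values. A key absent from the assertion never matches,
        so a missing attribute cannot pair with an account that also lacks it."""
        return [
            local_id
            for local_id, attrs in self.accounts.items()
            if all(k in asserted and attrs.get(k) == asserted[k] for k in keys)
        ]

    def resolve_by_attributes(self, asserted: Dict[str, str], keys: List[str]) -> Optional[str]:
        """Refer to the principal by attributes; accept only a unique match."""
        candidates = self.match_by_attributes(asserted, keys)
        return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    sp = ServiceProvider(dict(SP_ACCOUNTS))
    idp = "idp.example.com"  # constructed identity-provider id

    # Identifier-based: establish an opaque identifier, use it, then defederate.
    sp.link_by_identifier(idp, "pseudo-7f3a", "u100")
    print("by identifier:", sp.resolve_by_identifier(idp, "pseudo-7f3a"))
    sp.defederate(idp, "pseudo-7f3a")
    print("after defederation:", sp.resolve_by_identifier(idp, "pseudo-7f3a"))

    # Attribute-based: mail alone is ambiguous for bob; adding employeeNumber is not.
    print("mail only:", sp.resolve_by_attributes({"mail": "bob@example.org"}, ["mail"]))
    print("mail + employeeNumber:", sp.resolve_by_attributes(
        {"mail": "bob@example.org", "employeeNumber": "4712"}, ["mail", "employeeNumber"]))
```

The two paths are kept separate on purpose: the identifier path stores state (the mapping) and has an explicit withdrawal step, which is what the "Identity Defederation" definition describes, while the attribute path stores nothing and is only as reliable as the uniqueness of the attribute set the providers agree to use.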
