[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Re-spun text for Identity Federation Definition
Prateek, Scott, et al, thanks for hashing thru all this.
This turned out to be somewhat long, so please bear with me.
Mishra, Prateek wrote:
> Re-spun text reflects discussion in:
>
> http://lists.oasis-open.org/archives/security-services/200410/msg00040.html
>
>
> A broader discussion is found in:
>
> http://lists.oasis-open.org/archives/security-services/200410/msg00040.html
fwiw, I believe you actually meant this url:
http://lists.oasis-open.org/archives/security-services/200410/msg00002.html
Overall, I feel that Prateek's suggestions are close to what we need, but can
be made more crisp with some refinement and definition of additional terms.
so here goes..
> PROPOSED CHANGES to sstc-glossary-2.0-cd-02:
>
> (1) identity federation, identity defederation respun:
>
> Identity federation
>
> A principal's identity is said to be federated between a set of Providers,
> when there is an agreement between the providers on a set of name-value
> pairs to be used to refer to the principal.
It seems that the above is more a definition for "federated identity".
Also, I suggest using "..a set of identifiers and/or attributes.." rather than
"..a set of name-value pairs..." in the above. This yields..
Federated Identity
A principal's /identity/ is said to be /federated/ between a set of
/Providers/ when there is an agreement between the providers on a
set of /identifiers/ and/or /attributes/ to use to refer to the
Principal.
To support this, we ought to replace the last sentence in the definition of
"attribute" with this..
Attributes are often represented as pairs of "attribute name"
and "attribute value", eg foo='bar', or count=1, etc. These are
often referred to as "attribute value pairs". Note that
/Identifiers/ are essentially "distinguished attributes".
See also Identifier and /XML attribute/.
..and additionally enhance the definition of "identifier" to be..
Identifier
(1) One that identifies [Merriam].
(2) A data object (for example, a string) mapped to a system
entity that uniquely refers to the system entity. A system
entity may have multiple distinct identifiers referring to it.
An identifier is essentially a "distinguished attribute" of
an entity. See also /Attribute/.
Now, given the above definitions, the definition for "identity federation" can
become simply..
"The act of creating a /federated identity/ on behalf of a Principal."
I additionally suggest we add these definitions..
Federate
To link or bind two or more entities together [Merriam].
Identity
The essence of an entity [Merriam]. One’s identity is often described
by one’s characteristics, among which may be any number of identifiers.
See also /Identifier/, /Attribute/.
..and enhance the definition of "federation" to be..
federation
(1) The act of establishing a relationship between two entities
[Merriam].
(2) An association comprising any number of service providers and
identity providers.
..presently we have only the 2nd sense in the gloss, and having both senses
addresses both of the manners in which we wield "federation".
> Identity defederation
>
> A principal's identity is said to be defederated between a set of providers,
> when the providers agree to stop referring to the principal using a certain
> set of name-value pairs.
I suggest rephrasing the above to be..
Identity defederation
The action occuring when /Providers/ agree to stop referring to a
/Principal/ via a certain set of /identifiers/ and/or /attributes/.
> (2) The last sentence in the definition of account linkage would be modified
> to read:
>
> Account linkage can be established by means of identity federation.
agreed.
> (3) No change to definition of account
agreed.
If there aren't any objections, I'll edit this material into a
soon-to-be-published sstc-saml-glossary-2.0-cd-02b.
thanks,
JeffH
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]