Subject: Re: [security-services] Re-spun text for Identity Federation Definition

Prateek, Scott, et al, thanks for hashing thru all this.

This turned out to be somewhat long, so please bear with me.

Mishra, Prateek wrote:
 > Re-spun text reflects discussion in:
 > http://lists.oasis-open.org/archives/security-services/200410/msg00040.html
 > A broader discussion is found in:
fwiw, I believe you actually meant this url:


Overall, I feel that Prateek's suggestions are close to what we need, but can 
be made more crisp with some refinement and definition of additional terms.

so here goes..

 > PROPOSED CHANGES to sstc-glossary-2.0-cd-02:
 > (1) identity federation, identity defederation respun:
 > Identity federation
 > A principal's identity is said to be federated between a set of Providers,
 > when there is an agreement between the providers on a set of name-value
 > pairs to be used to refer to the principal.

It seems that the above is more a definition for "federated identity".

Also, I suggest using "..a set of identifiers and/or attributes.." rather than 
"..a set of name-value pairs..." in the above. This yields..

   Federated Identity

     A principal's /identity/ is said to be /federated/ between a set of
     /Providers/ when there is an agreement between the providers on a
     set of /identifiers/  and/or  /attributes/ to use to refer to the

To support this, we ought to replace the last sentence in the definition of 
"attribute" with this..

    Attributes are often represented as pairs of "attribute name"
    and "attribute value", e.g. foo='bar', or count=1, etc. These are
    often referred to as "attribute value pairs". Note that
    /Identifiers/ are essentially "distinguished attributes".
    See also Identifier and /XML attribute/.

..and additionally enhance the definition of "identifier" to be..


     (1) One that identifies [Merriam].
     (2) A data object (for example, a string) mapped to a system
         entity that uniquely refers to the system entity. A system
         entity may have multiple distinct identifiers referring to it.
         An identifier is essentially a "distinguished attribute" of
         an entity. See also /Attribute/.

Now, given the above definitions, the definition for "identity federation" can 
become simply..

   "The act of creating a /federated identity/ on behalf of a Principal."

I additionally suggest we add these definitions..

     To link or bind two or more entities together [Merriam].

     The essence of an entity [Merriam]. One’s identity is often described
     by one’s characteristics, among which may be any number of identifiers.
     See also /Identifier/, /Attribute/.

..and enhance the definition of "federation" to be..

     (1) The act of establishing a relationship between two entities
     (2) An association comprising any number of service providers and
         identity providers.

..presently we have only the 2nd sense in the gloss, and having both senses 
addresses both of the manners in which we wield "federation".

 > Identity defederation
 > A principal's identity is said to be defederated between a set of providers,
 > when the providers agree to stop referring to the principal using a certain
 > set of name-value pairs.

I suggest rephrasing the above to be..

   Identity defederation

     The action occurring when /Providers/ agree to stop referring to a
     /Principal/ via a certain set of /identifiers/ and/or /attributes/.

 > (2) The last sentence in the definition of account linkage would be modified
 >  to read:
 > Account linkage can be established by means of identity federation.


 > (3) No change to definition of account


If there aren't any objections, I'll edit this material into a 
soon-to-be-published sstc-saml-glossary-2.0-cd-02b.
