[LINK] RFC: Model of (Id)entity and (Id)entity Authentication

stephen at melbpc.org.au stephen at melbpc.org.au
Wed Feb 25 21:21:41 AEDT 2009


> reviewable draft. Constructively negative feedback greatly appreciated.

Like your thinking Roger.. broad, insightful & respectful of humanity:


The term 'verification' is sometimes used as a synonym for 
authentication. It is much less appropriate because 'verity' = 'truth' 
and 'verify' = 'prove to be true', and hence 'verification' implies that 
a very high level of confidence is necessary, and is attainable. The 
term 'validation' is also sometimes used..

Assertion. There are many different categories of assertion that may be 
important in particular contexts. They include an assertion of fact, an 
assertion of data quality, an assertion relating to value, an attribute 
assertion (i.e. that a particular (id)entity has a particular attribute), 
a location assertion (i.e. that an entity is in a particular location), 
and an agency assertion (i.e. that an (id)entity has the capacity to 
represent, or act as an agent for, a principal).

A particular form of assertion that has been focussed upon by many 
analysts to the virtual exclusion of all others can be usefully referred 
to as an identity assertion. This is an assertion that an identifier is 
being appropriately used, or that the identity in question is who or what 
it purports or is inferred to be.

A further form of assertion is entity assertion. This is an assertion 
that an entifier is being appropriately used, or that the entity in 
question is who or what it purports or is inferred to be. Many analysts 
fail to distinguish entity assertion from identity assertion, and thereby 
create fundamental flaws in their designs.

(and)

It is common among analysts to discuss 'what the person does' and 'what 
the person is' as though they were forms of identity authenticator rather 
than entity authenticator. This is not only erroneous, but also harmful. 

It was noted above that authentication of human identities is 
challenging, expensive, onerous and even demeaning. Authentication of 
human entities is substantially more so. It is undermined by a whole 
litany of difficulties in achieving adequate measurement and comparison 
quality. It suffers serious security vulnerabilities. And it is highly 
personally intrusive and degrading.

--
> The paper is intended for the Identity Workshop at LSE on 5 June.
> 
> Thanks!
> 
> 
> A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation
>              http://www.rogerclarke.com/EC/IdModel.html
> 
> During the last 20 years, the practice of identification and identity 
> authentication has been highly unsatisfactory. One important reason 
> for this has been that the theory underpinning the practice has been 
> seriously deficient.
> 
> A model is presented that is argued to be sufficiently comprehensive 
> and rich to reflect the relevant complexities, and hence to guide 
> organisations in devising architectures and business processes for 
> such activities as user registration, 'sign-on' and 'identity 
> management'. The sufficiency of the model is evaluated by means of 
> brief analyses of its application to relevant categories of entity 
> and identity.
> 
> 
> -- 
> Roger Clarke                                 http://www.rogerclarke.com/
> 			            
> Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>                     Tel: +61 2 6288 1472, and 6288 6916
> mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/
> 
> Visiting Professor in Info Science & Eng  Australian National University
> Visiting Professor in the eCommerce Program      University of Hong Kong
> Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW

