Perhaps. But wherever we fall on the spectrum of complexity, we should make a distinction between Identity and Artifact. An identity should identify an actor, a person or non-person entity. Artifact should refer to a passive data object that does not act on its own. If a tool is acting autonomously it could have an identity credential / account of its own, but if it is a user agent it would invoke the user's identity credential / account. A BOM or a software tarball would not have its own account. I don't think there is a third category that is both active and passive - an executing bot process and the software for that process are distinct -- each executing bot would have its own identity despite being started from the same software package.
NIST uses "artifact" when defining non-person entity <https://csrc.nist.gov/glossary/term/non_person_entity> as "An entity with a digital identity that acts in cyberspace, but is not a human actor. This can include organizations, hardware devices, software applications, and information artifacts." But the artifacts in this definition are associated with active entities that can be credentialed, as described in Zero-Trust Architecture <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf>: "Enterprise-owned devices may have artifacts that enable authentication ..." and "This [request] may include information such as an internet protocol (IP) address, port information, session key, or similar security artifacts."

Dave

On Thu, Jun 10, 2021 at 3:52 AM Alexios Zavras <[email protected]> wrote:

> OK, going to other extreme towards simplification…
>
> Do we want to consider that our Core model will only have a simple
> “Identity” (a simple string, which might be an email or not) and everything
> else (Person, Organization, Tool, Agent, Address, etc.) are in an optional
> identity Area_of_Interest / Namespace? 😉
>
> -- zvr
