Some thoughts from today's model discussion:

1) Boxes in the model have names and definitions. Definitions must be captured correctly; names are just labels, not things that we reason about to drive definitions.
2) Entity means "thing" - any unit with a separate existence. Creator and originatedBy have a type of "an entity that can do things", i.e., a person, organization or tool can do things, a document or package cannot.

3) An entity that can do things is the same entity whether it is doing something or not - a person, organization or tool that is doing something is the same person, organization or tool being referenced. The label "Identity" cannot be used as rationale that an entity that is doing something is different from the same entity that is not doing something.

4) The word agent has two conflicting meanings - an entity acting on behalf of a principal, and an entity acting on its own behalf. A process/device that has its own identity doesn't have to be "sentient", it just needs to have its actions be recognized as legitimate. This is especially visible in the cloud, where tools have API keys and other mechanisms to allow them to do things.

The definition-first approach leads to: Something that *could* have a credential (but doesn't have to) and *could* be managed by an identity management system (but doesn't have to be) is labeled an "Identity". An Identity could be a Person, Organization, Tool/Device/Process/Service (see next section) or an unspecified concrete Identity. Identities are mutually exclusive with Artifacts, defined as entities that cannot act.

These two Entity kinds (those that can be active, and those that are always passive) are required; if "Identity" and "Artifact" are not the best labels for them, then we need different labels, not different definitions.

=========
Section 2

Agent: Even if FOAF and other ontology literature uses "agent" for the second meaning (principal) while explicitly excluding the first (proxy), the word "actor" does not have that problem. An actor can act using its own identity or on behalf of a principal's identity. But this is moot because there is no need for an Agent/Actor class.
A proxy tool is not an individual entity, it is an application used by many identities. A principal tool is an individual entity with an identity. If we want to reserve the word "tool" for an actor that has no identity and can only act as a proxy for a principal, then there needs to be another class and label for processes that have identities. NIST defines Person and Non-Person entities. NPEs include organizations, devices and processes (https://csrc.nist.gov/glossary/term/non_person_entity).

========
Conclusion

1) There is no separate Actor class / Element type. An Identity is an Identity whether it is acting or just being referenced.

2) Identity can be the simplest identifier of unknown kind, or can be subclassed into Person, Organization and whatever label we pick for "tool-that-has-an-identity / device / process".

3) Creator / Originator should have an actor of type Identity, and proxy (non-active) tools should be listed in a separate property:

CreationInformation
  + created: DateTime
  + createdBy: Identity [1..*]
  + createdUsing: String [0..*]
