At the tech meeting we decided to accept the current identity model and move forward without blocking the 3.0 release. The discussion covered many ideas on which no decisions were documented, and I wonder if we can reach agreement on these points while the discussion is still fresh, without allowing any No Decisions to become blockers.
*1) An Identifier is different from an Identity.*

Discussion: Identifiers have the property of being associated with zero, one, or multiple identities over time.

Note: at any specific time an identifier should be associated with at most one identity.

*2) Every Identity MUST have an authority.*

Discussion: The authority associates identifiers with identities. If there is no authority, there can be no identity to which an identifier refers.

* The Social Security Administration is the authority that maintains records of people's identities. Every 9-digit number is an identifier, but only some of those identifiers are associated with an identity: 000-00-0000 and 123-45-6789 are "SSN identifiers" but they (probably) have never been assigned to an identity by the authority.
* "hotmail.com" is the authority that maintains hotmail identities. The identifier "[email protected]" is (probably) not an identity because of minimum length restrictions on the local portion. The authority assigns identifiers to identities, ensuring uniqueness. The identifier "[email protected]" has probably been assigned to several identities over time. The authority determines if it is currently assigned to any identity.
* Without assistance from the authority it is impossible for SPDX to distinguish the identities to which an identifier is assigned. If "[email protected]" is an active identity in 2021 and 2022, it is impossible to know if they are the same identity or two different identities unless some other information (such as SSN or a hypothetical hotmail UID) is included in those identities. SpdxId is not part of the identity - many Identity Elements can be created for the same identity.

*3) Authorities determine what subject types they support*

Discussion: SSA will not assign identities to anyone other than natural people - it is fraud to attempt to create fake accounts. Hotmail doesn't do any identity proofing - anyone or anything can get a hotmail account on request, so the distinction between person and organization doesn't exist for that authority. Squatters have claimed many obvious hotmail organization identifiers, but at the moment "[email protected]" is available.

*4) Some authorities create identities and assign identifiers to processes*

Discussion: A process identity type is not a PID running on an operating system, it is a subject type accepted by an identity management authority. Hotmail has already created "[email protected]" and "[email protected]" identities, and "[email protected]" is currently available to be claimed. As above, hotmail does not do any identity proofing or declaration of identity types. But the U.S. Government does explicitly manage non-person entity identities for corporations, devices and processes in addition to person identities. It is neither esoteric nor difficult to accommodate process identities in the logical model; the same standard of acceptance should apply to Principals/Actors/Agents that are processes as to those that are persons or organizations.

Dave
