These all seem reasonable to me. My only comment is that there may not be a 
"formal" authority. For example, an identification scheme could use an 
algorithm to derive a globally unique identifier or use a convention to 
guarantee sufficient uniqueness. An authority may or may not associate an 
identifier with an identity.


Regards,



William Bartholomew (he/him) – Let’s chat<https://aka.ms/book-willbar>

Principal Security Strategist

Global Cybersecurity Policy – Microsoft



My working day may not be your working day. Please don’t feel obliged to reply 
to this e-mail outside of your normal working hours.

________________________________
From: [email protected] <[email protected]> on behalf of David 
Kemp via lists.spdx.org <[email protected]>
Sent: Wednesday, January 11, 2023 2:59 PM
To: SPDX-list <[email protected]>
Subject: [EXTERNAL] [spdx-tech] Identities

At the tech meeting we decided to accept the current identity model and move 
forward without blocking the 3.0 release.  The discussion covered many ideas on 
which no decisions were documented, and I wonder if we can reach agreement on 
these points while the discussion is still fresh, without allowing any No 
Decisions to become blockers.

1) An Identifier is different from an Identity.

Discussion: Identifiers have the property of being associated with zero, one, 
or multiple identities over time.  Note: at any specific time an identifier 
should be associated with at most one identity.

2) Every Identity MUST have an authority.

Discussion: The authority associates identifiers with identities. If there is 
no authority, there can be no identity to which an identifier refers.
* The Social Security Administration is the authority that maintains records of 
people's identities. Every 9-digit number is an identifier, but only some of 
those identifiers are associated with an identity: 000-00-0000 and 123-45-6789 
are "SSN identifiers" but they (probably) have never been assigned to an 
identity by the authority.
* "hotmail.com" is the authority that maintains hotmail identities.  The identifier 
"[email protected]" is (probably) not an identity 
because of minimum length restrictions on the local portion.  The authority 
assigns identifiers to identities, ensuring uniqueness.  The identifier 
"[email protected]" has probably been 
assigned to several identities over time. The authority determines if it is 
currently assigned to any identity.
* Without assistance from the authority it is impossible for SPDX to 
distinguish the identities to which an identifier is assigned.  If 
"[email protected]" is an active identity 
in 2021 and 2022, it is impossible to know if they are the same identity or two 
different identities unless some other information (such as SSN or a 
hypothetical hotmail UID) is included in those identities. SpdxId is not part 
of the identity - many Identity Elements can be created for the same identity.

3) Authorities determine what subject types they support

Discussion: SSA will not assign identities to anyone other than natural people 
- it is fraud to attempt to create fake accounts.  Hotmail doesn't do any 
identity proofing - anyone or anything can get a hotmail account on request, so 
the distinction between person and organization doesn't exist for that 
authority. Squatters have claimed many obvious hotmail organization 
identifiers, but at the moment 
"[email protected]" is available.

4) Some authorities create identities and assign identifiers to processes

Discussion: A process identity type is not a PID running on an operating 
system, it is a subject type accepted by an identity management authority.  
Hotmail has already created 
"[email protected]" and 
"[email protected]" identities, and 
"[email protected]" is currently available to 
be claimed.  As above, hotmail does not do any identity proofing or declaration 
of identity types.  But the U.S. Government does explicitly manage non-person 
entity identities for corporations, devices and processes in addition to person 
identities.

It is neither esoteric nor difficult to accommodate process identities in the 
logical model; the same standard of acceptance should apply to 
Principals/Actors/Agents that are processes as to those that are persons or 
organizations.

Dave



View/Reply Online (#4915): https://lists.spdx.org/g/Spdx-tech/message/4915