RE: [higgins-dev] entities, and digital identities

Hi Scott,

We need to, and plan to, be able to answer your question. The good news is
that some of the folks on this dev list are, among other things, JAAS
experts. Better yet, they are coming up to speed on Higgins. 

I'm a JAAS novice, but here are a couple thoughts... In Higgins a DI has
exactly one unique-to-containing-context identifier claim. This is what I'm
calling a CUID (a contextually-unique-identifier) identifier. It may have
other identifier claims, but only one CUID claim. This identifier *portion*
of a DI would, as you say, seem to map to a JAAS Principal. And perhaps the
Higgins API could have a special method to create and access this CUID claim
on a DI that used a parameter that implemented JAAS Principal interface. I
say "special" as opposed to the generic Higgins methods to create and access
regular claims.

And I haven't forgotten that it may also be useful to leverage ECF's ID
interface that itself inherits from Principal.

Lots more thought required.

Scott wrote:
> 
> Hi Folks,
> 
> How does this group see these concepts (Digital Identities, Digital
> Subjects) mapping onto the JAAS/Java 2 security concepts of Subject and
> Principal? It seems to me that as currently formulated Digital
> Identities correspond to a certain *type* of Principal (the Principal
> interface semantics are basically a named unique identifier), and
> Digital Subjects correspond (loosely perhaps) to JAAS Subject?...which,
> once authentication is complete has associated with it via
> authentication an arbitrary number of Principals and Credentials.
> 
> But I could be completely off-base about these relationships.
> 
> I do think this is practically important for Higgins because I
> anticipate that the concepts of Subject and Principal will soon play a
> much larger role in the Eclipse Platform APIs.
> 
> Scott
> 
> 
> Paul Trevithick wrote:
> 
> > Inline
> >
> > -----Original Message-----
> > *From:* higgins-dev-bounces@xxxxxxxxxxx
> > [mailto:higgins-dev-bounces@xxxxxxxxxxx] *On Behalf Of *Dale Olds
> > *Sent:* Thursday, March 09, 2006 4:38 PM
> > *To:* higgins-dev
> > *Subject:* [higgins-dev] entities, and digital identities
> >
> > I would like to discuss some terms in the context of Higgins
> > interfaces and classes. At this point I would rather not revisit any
> > of these terms in the sense of the identitygang lexicon, but see if we
> > can reach a common understanding in a more narrow scope of Higgins
> > interfaces and code.
> >
> > Entity
> > ====
> >
> > I know that "entity" is not in the interfaces or classes and is not
> > modeled directly, but I find it useful (and even necessary) to
> > describe things in the real world and we should be clear about what we
> > consider to be "real" and "things". I think "entity" is the most
> > likely term. Claims, attributes, digital identities, digital subject,
> > and principals all purport to be data about something -- some entity.
> > I think of an "entity" as anything that can be identified in human
> > conversation. This is very close to the identity gang lexicon, except
> > that it would include "concept" in the list with person, physical
> > object, animal, and juridical entity. In fact, I think of a juridical
> > entity as a conceptual entity that incurs legal policy. Also, note
> > that a false assertion is still a concept -- we can identify it and
> > talk about it.
> >
> > So it is useful to think of an entity as anything that can be
> > identified in human conversation.
> >
> > Yes. Humans and the topics of their conversations live in the "real"
> > world--the world of /entities/. In a digital system the entities
> > (which could include concepts (I just added /concept/ to the Higgins
> > wiki's definition of Entity)) are called /digital subjects, /or just
> > /subjects/ for short. The reason for the distinction is that subjects
> > can either (a) exist only in the digital world (and have no "real"
> > world equivalent) or (b) be digital representations of real world
> > entities.
> >
> > BTW, sorry to /add/ complexity, but the distinction between /subject/
> > and /digital identity/ is also worth making here. As Nataraj
> > Nagaratnam (aka Raj) has tried to explain to me, a subject could be
> > represented by a collection of more than one /digital identities/, not
> > just one /digital identity./
> >
> > There is much discussion on the identitygang list that two identities
> > can be identical -- but I think that's because the discussion strays
> > between entities (anything that can be identified) (subjects) and
> > digital identities (a chunk of data). Of course a particular chunk of
> > data (e.g. a set of attributes) can be insufficient to distinguish
> > between two entities, but humans CAN distinguish between the entities
> > or we could not talk about them. The distinction between entities may
> > be as simple as sequence or physical position, but we can identify them
> > or we could not discuss them.
> >
> > Agreed.
> >
> > Digital Identity
> > ===========
> >
> > In networked systems we commonly store data about an entity. I think
> > this corresponds most closely with Digital Identity. It consists of a
> > chunk of structured data.
> >
> > Yes. Let me have a try. A /digital identity/ is represented as a chunk
> > of structured data that is "about" some subject within a given
> > context. There may well be other digital identities in other contexts
> > that are also about that same subject. There could even be N>1 digital
> > identities that are about the same subject.
> >
> > At this point I see no difference between the terms attributes,
> > attribute value assertions, and claims when applied to that structured
> > data. Sometimes sets of attributes are stored as an entity within a
> > larger entity (e.g. a user account within a directory service).
> >
> > As I try to follow you, I'd say that a "user account" is a /digital
> > identity/. A /digital identity/ that is about a /subject/ that
> > stands for a real world /entity/ called a user. A directory service is
> > (I think) modeled as a hierarchical set of /contexts/.
> >
> > Sometimes a set of attributes are presented as part of some
> > interaction with another entity (e.g. name.password authentication,
> > update address book, present credit card info, etc.).
> >
> > Yes. A digital identity containing the appropriate set of claims (a
> > special kind of attribute where the "claimant" of the value of the
> > attribute is known) is presented as part of some interaction.
> >
> > Is this the difference between "digital subject", "digital identity",
> > and "claims" -- merely notions of persistence and larger or smaller
> > subset of attributes?
> >
> > If so, it seems like the higgins interface can have class definitions
> > for digital identity, and attribute, and not (yet) need classes for
> > digital subject, claims, persona, party, etc.
> >
> > Digital subjects are not modeled in Higgins. Only digital identities.
> > In the current version DIs have attributes, but very soon (v0.3) they
> > _will_ have claims as well as attributes.
> >
> > A persona is just a synonym for DI. A party won't be modeled either
> > because a party is a real person. Digital subjects won't be modeled
> > explicitly either.
> >
> > From what I have seen of the demo code, it seems like a Facet
> > corresponds to a digital identity. Is this where you see it going?
> >
> > Yes. I apologize. One of the last steps in the milestone 0.3 plan is
> > to refactor the code to be consistent with the Higgins/idgang
> > definitions. You are correct. Every occurrence of Facet will be
> > replaced with DigitalIdentity (among other changes).
> >
> > --Dale
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >higgins-dev mailing list
> >higgins-dev@xxxxxxxxxxx
> >https://dev.eclipse.org/mailman/listinfo/higgins-dev
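As an added illustration (not Higgins or ECF code, and not written by any of the posters above), here is how the mapping sketched in this thread could look in JAAS terms: a DI's single CUID claim becomes a Principal whose identity is the pair (context, local id), and a JAAS Subject aggregates the CUID Principals of several DIs that are all "about" the same subject. All class names and the two context strings are hypothetical.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Hypothetical class (not Higgins code): a DI's single CUID claim
// rendered as a JAAS Principal. Identity is the pair (context, localId):
// a local id is only unique within its containing context.
final class ContextualId implements Principal {
    private final String context;
    private final String localId;
    ContextualId(String context, String localId) {
        this.context = Objects.requireNonNull(context);
        this.localId = Objects.requireNonNull(localId);
    }
    // Principal#getName() must carry the context, or two DIs with the
    // same local id in different contexts would collide.
    @Override public String getName() { return context + ":" + localId; }
    @Override public boolean equals(Object o) {
        if (!(o instanceof ContextualId)) return false;
        ContextualId c = (ContextualId) o;
        return context.equals(c.context) && localId.equals(c.localId);
    }
    @Override public int hashCode() { return Objects.hash(context, localId); }
}

// Hypothetical DI: exactly one CUID claim plus ordinary attribute claims.
final class DigitalIdentity {
    final ContextualId cuid;
    final Map<String, String> attributes = new HashMap<>();
    DigitalIdentity(String context, String localId) {
        this.cuid = new ContextualId(context, localId);
    }
}

public class JaasMappingDemo {
    // A JAAS Subject holding the CUID Principals of every DI that is
    // "about" the same subject; public/private credentials left empty here.
    static Subject subjectFor(Collection<DigitalIdentity> identities) {
        Set<Principal> principals = new HashSet<>();
        for (DigitalIdentity di : identities) principals.add(di.cuid);
        return new Subject(false, principals, new HashSet<>(), new HashSet<>());
    }
    public static void main(String[] args) {
        // Constructed sample: the same local id in two different contexts.
        DigitalIdentity dir = new DigitalIdentity("ldap://dir.example.test", "uid=alice");
        DigitalIdentity wiki = new DigitalIdentity("wiki.example.test", "uid=alice");
        Subject s = subjectFor(List.of(dir, wiki));
        // Two distinct Principals survive, because context is part of identity.
        for (ContextualId id : s.getPrincipals(ContextualId.class)) System.out.println(id.getName());
    }
}
```

Running the demo prints two principal names, one per context, even though the local id is identical; dropping the context from equals()/hashCode() would silently merge them into one.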
