Subject Re: The other side of academic identity
From "David L. Wasley" <dlwasley@xxxxxxxxxxxxx>
Date Fri, 25 Jun 2010 10:50:12 -0700

Many good points have been made in this discussion but I still have some concern about what is being proposed. When Diego started this discussion, he didn't suggest a use case so I am curious how this ORCID (sounds like orchid?) would be useful in a federated identity context.

Three (at least) possibilities come to mind:

1) As part of identity proofing when registering the Subject

Perhaps, but this would require that the registrar be able to verify the binding between the Subject and the ORCID. I'm not sure how this would be done; account linking at the time of ID proofing? Other than "name" and identifier, what would be learned of use to the Registrar or the IdP? Well ...

2) As an information attribute that might be provided to a relying party

If the ORCID could be authoritatively acquired by the IdP, then it might be made available as "useful information" to certain RPs. On the other hand, why would an RP believe it to be accurate or the assertion authoritative? A general mechanism for attribute aggregation would seem more appropriate here (a topic for another conversation; see below).

3) As an identifier for the Subject to be used in an access management decision

It isn't clear why an ORCID per se would be useful in an access management decision unless the author was trying to edit a manuscript of his/hers stored on-line by an RP.

Suppose the ORCID were to be used as The Abstract Identifier for an IdP Subject. That way, if the Subject moved to a different campus, the identifier would remain the same. Of course, that would mean that every RP that requires the TAI, and that the Subject uses throughout their lifetime, would be able to correlate all their activities. This potential for serious loss of privacy is what concerns me.

I believe that identifiers are generally context-specific and should not be used beyond that context unless there is a clear necessity to do so. For example, in the US it is necessary to link a bank account number to a taxpayer ID number. That's understood and the "account linking" is appropriate. However, using my taxpayer ID number as The Abstract Identifier for every RP I go to seems unwise and certainly inappropriate. (This identifier was in fact being used as a convenient TAI by campuses and businesses until fairly recently.)

The ability for an IdP Subject to "link" an identifier, as necessary and appropriate, to some activity in which s/he is engaged with an RP would be a very useful capability. For example, an author could "link" their ORCID to a manuscript being submitted electronically to a publisher or library. This is the problem I would like to see addressed, not the notion of finding a convenient permanent serial number for every human on the planet.


At 1:46 PM +0200 on 6/25/10, Ingrid Melve wrote:

On 25.06.2010 11:20, Nicole HARRIS wrote:
Pretty much ditto all of what has already been said in the UK. We've two identifiers that would fit here, our Unique Learner Number and Orcid / Names identifiers for authors. I guess for me these are just another attribute set not issued by the entity organisation so normal problems with aggregation, attribution etc. apply.

One point that was made during some of our local discussion is that
those two are currently disjunct, but will overlap more and more as all
bachelors and master publications get added to the author space.  It is
just a matter of time before a learner publishes something (and with web2.0
and portfolios this happens quicker than you'd imagine).

We are scratching our heads over some of these issues, and may well end
up with having to implement a Unique Learner Number unless the Tax
Authority suddenly comes to their senses and implements the suggested
fixes for the current holes in the Norwegian NIN system.

Trying to sort into categories:
 - national identity numbers
	stable unique identifiers
	some countries have, limited within country
	well defined namespace
 - unique learner number
	stable unique identifiers
	UK has national, others have local per institution
 - eduPersonTargetedID
	unique identifiers
	provided by some federations
 - eduPersonPrincipalName
	unique identifiers, rules for reassignment varies
	provided through federations by home institution
	well defined namespace
 - author names (author authority)
	some national schemes, but used in international context
	plenty of ad-hoc: Orcid etc
	overlap, not much discussion library/CRIS/federation yet
 - international students (Erasmus)
	discussion with the R3G about migrating student records
 - email addresses
	unique, but can be reassigned and thrown away
	"drop the boyfriend, drop the email account, start fresh over"
	the most used unique identifier online
	(cell phone numbers share the same properties)
 - reuse google/facebook/whatnot account
	unique identifier assigned by trusted third party
	apart from user friendliness, share characteristics with PKI

I'd suggest concentrating on the author identity and mapping out that
use case, while keeping the federation principles for minimal
information exposure in mind (if possible).
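The correlation risk David raises for a single lifetime identifier, and the eduPersonTargetedID entry in Ingrid's list, can be shown side by side in code. The following is an added example and not code from anyone in this thread or from any federation software; it assumes one common construction for a targeted (pairwise) identifier, a keyed hash over the IdP's internal subject key and the RP's entity ID under an IdP-only secret, and models "linking" an ORCID as a subject-initiated, per-RP attribute release. All identifiers, entity IDs, the ORCID value and the secret are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed IdP-side secret for this example; a real IdP would keep a long
# random value in its key store and never share it with any RP.
IDP_PAIRWISE_SECRET = b"constructed-example-secret-not-for-real-use"


def pairwise_id(internal_subject_id, rp_entity_id, secret=IDP_PAIRWISE_SECRET):
    """Derive an RP-scoped pseudonym in the style of eduPersonTargetedID.

    The value is stable for one (subject, RP) pair but, without the IdP's
    secret, cannot be related to the value the same subject gets at another RP.
    A separator byte keeps ("ab", "c") and ("a", "bc") from colliding.
    """
    msg = internal_subject_id.encode() + b"\x00" + rp_entity_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def global_id(internal_subject_id):
    """The 'Abstract Identifier' alternative: one value released to every RP."""
    return internal_subject_id


class IdP:
    """Minimal attribute-release model with per-RP, subject-controlled linking."""

    def __init__(self, secret=IDP_PAIRWISE_SECRET):
        self.secret = secret
        self.links = {}  # (internal_subject_id, rp_entity_id) -> {attr: value}

    def link_identifier(self, internal_subject_id, rp_entity_id, attr, value):
        """Record that the subject chose to link an external identifier (e.g. an
        ORCID) to their relationship with this one RP only."""
        self.links.setdefault((internal_subject_id, rp_entity_id), {})[attr] = value

    def assertion_for(self, internal_subject_id, rp_entity_id):
        """Attributes released to rp_entity_id: always a pairwise ID, plus only
        the identifiers the subject linked for this particular RP."""
        attrs = {"eduPersonTargetedID": pairwise_id(internal_subject_id, rp_entity_id, self.secret)}
        attrs.update(self.links.get((internal_subject_id, rp_entity_id), {}))
        return attrs


def can_correlate(assertion_a, assertion_b):
    """Could two RPs, pooling what they received, tell they saw the same person?
    They can as soon as any released identifier value is common to both."""
    return bool(set(assertion_a.values()) & set(assertion_b.values()))


if __name__ == "__main__":
    idp = IdP()
    alice = "campus-uid-4711"  # constructed internal subject key
    publisher = "https://publisher.example/sp"  # constructed RP entity IDs
    library = "https://library.example/sp"

    # Same subject, two RPs: the pairwise IDs differ, so records cannot be pooled.
    at_pub = idp.assertion_for(alice, publisher)
    at_lib = idp.assertion_for(alice, library)
    print("pairwise IDs differ:", at_pub != at_lib, "| correlatable:", can_correlate(at_pub, at_lib))

    # The subject links a constructed ORCID only to the manuscript-submission RP.
    idp.link_identifier(alice, publisher, "orcid", "0000-0000-0000-0000")
    print("publisher sees ORCID:", "orcid" in idp.assertion_for(alice, publisher))
    print("library sees ORCID:  ", "orcid" in idp.assertion_for(alice, library))

    # With a single global identifier every RP's records become joinable.
    tai_a = {"TAI": global_id(alice)}
    tai_b = {"TAI": global_id(alice)}
    print("global ID correlatable:", can_correlate(tai_a, tai_b))
```

The point of the `can_correlate` check is that linking is a per-context decision: once the subject links the same ORCID at two RPs, those two RPs can join their records, which is exactly the trade-off the subject should be making deliberately rather than having it imposed by a lifetime identifier released everywhere.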