Subject Re: The other side of academic identity
From Alex Reid <alex.reid@xxxxxxxxxx>
Date Mon, 28 Jun 2010 23:05:45 +0800

At 09:25 PM 24/06/2010, Diego R. Lopez wrote:

I have been pointed to this site:

The consistent, unique identifiers that they claim for researcher citation
would benefit federated identity, and probably contribute to it as well.

Don't you see a clear opportunity to make REFEDS play its role?

We have introduced auEduPersonSharedToken into our Australian Federation to serve just this purpose (I wasn't aware of ORCID at the time - early 2008).

Here is its description:

A unique identifier enabling federation spanning services such as Grid and Repositories. Values of the identifier are generated using a set formula. The value has the following qualities:
resolvable (only by an IdP that has supplied it);
not re-assignable;
not mutable (refreshing the value is equivalent to creating a new identity);
permitted to be displayed
    (Note: the value is somewhat display friendly, and may be appended to
    the displayName with a separating space, and used as a unique display
    name to be included in PKI Certificate DNs and as a resource ownership
    label, e.g.
        John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk
    ); and

Notes on Usage:

Service providers participating in federation spanning services may use auEduPersonSharedToken to uniquely identify users to other systems or to map to and from identities in PKI certificates used in grid authentication.

Other attributes (e.g. displayName, identity provider Id, etc) may be used together with auEduPersonSharedToken as a transparent description of a particular person at a point in time. This can be implemented to enable interoperability of both SAML and PKI based systems with services such as data and compute grids. The user's displayName and identity provider may change over time, but it is possible to implement mechanisms for the auEduPersonSharedToken to remain the same.

Note on privacy:

auEduPersonSharedToken is not a privacy preserving identifier and should not be used where services are intended to be provided anonymously. Although auEduPersonSharedToken is an opaque value, as it may be released with the displayName it cannot be relied upon to preserve anonymity.

We also require all IdPs to be able to generate and provide this attribute, and also to provide a way for it to be transferred to another IdP if the "owner" moves: "An Identity Provider must provide a mechanism for transfer of the auEduPersonSharedToken Attribute value when an End User transfers to another Identity Provider."

I'll provide a bit on Use Cases when I can reach the AAF website (seems unreachable at present...).

Cheers, Alex.
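The attribute qualities, usage notes and privacy note quoted above, as an added example that is not code from the AAF or from the message: a small Python model of an IdP issuing, resolving and transferring auEduPersonSharedToken values, building the "displayName + space + token" label the note says may be used in PKI certificate DNs, and refusing release to a service meant to be anonymous. The derivation formula (base64 of a salted SHA-1 over the local uid and the IdP entityID, padding stripped) is an assumption, since the message only says "a set formula"; the entityIDs, uid, salt and display name are constructed.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def derive_shared_token(uid: str, idp_entity_id: str, salt: str) -> str:
    """Derive a display-friendly opaque value for one user at one IdP.

    Assumed formula (the message only says 'a set formula'): SHA-1 over the
    local uid, the IdP entityID and a per-IdP secret salt, base64-encoded
    with the '=' padding removed. That gives a 27-character value of the
    same shape as the one quoted in the message (ZsiAvfxa0BXULgcz7QXknbGtfxk).
    The output is not mutable: equal inputs always give the same value, so
    'refreshing' it means changing the salt, i.e. creating a new identity.
    """
    material = (uid + idp_entity_id + salt).encode("utf-8")
    digest = hashlib.sha1(material).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


@dataclass
class IdentityProvider:
    """Minimal IdP state: the token store that makes the value resolvable."""

    entity_id: str
    salt: str = field(default_factory=lambda: secrets.token_hex(16))
    by_uid: dict = field(default_factory=dict)
    by_token: dict = field(default_factory=dict)

    def issue(self, uid: str) -> str:
        """Return the user's token, creating it on first use."""
        if uid in self.by_uid:          # not mutable: existing value is kept
            return self.by_uid[uid]
        token = derive_shared_token(uid, self.entity_id, self.salt)
        self._bind(uid, token)
        return token

    def receive_transfer(self, uid: str, token: str) -> None:
        """Accept a value issued elsewhere when a user moves to this IdP.

        The message requires IdPs to provide such a mechanism; the value is
        stored as-is rather than re-derived under this IdP's salt, so the
        user keeps the same token (and the same certificate DN label).
        """
        self._bind(uid, token)

    def resolve(self, token: str) -> Optional[str]:
        """Map a token back to a local uid; only an IdP that bound it can."""
        return self.by_token.get(token)

    def _bind(self, uid: str, token: str) -> None:
        # Not re-assignable: a value already bound to one user is never
        # given to another, whether via a hash collision or a bad transfer.
        owner = self.by_token.get(token)
        if owner is not None and owner != uid:
            raise ValueError(f"{token} is already assigned to {owner}")
        self.by_uid[uid] = token
        self.by_token[token] = uid


def certificate_dn_label(display_name: str, token: str) -> str:
    """Unique display name for a PKI certificate DN, as in the message's
    note: displayName, a separating space, then the token."""
    return f"{display_name} {token}"


def release_attributes(display_name: str, idp_entity_id: str, token: str,
                       anonymous_service: bool) -> dict:
    """Build the attribute set an SP receives, applying the privacy note.

    The token is opaque, but released next to displayName it identifies
    the person, so a service meant to be anonymous must not get it.
    """
    if anonymous_service:
        raise ValueError("auEduPersonSharedToken must not be released "
                         "to a service intended to be anonymous")
    return {
        "displayName": display_name,
        "idpEntityId": idp_entity_id,
        "auEduPersonSharedToken": token,
    }


if __name__ == "__main__":
    # Constructed entityIDs, uid, salt and display name (not AAF data).
    old_idp = IdentityProvider("https://idp.old.example.edu/idp/shibboleth",
                               salt="c0ffee")
    new_idp = IdentityProvider("https://idp.new.example.edu/idp/shibboleth")
    token = old_idp.issue("jcitizen")
    print(certificate_dn_label("John Citizen", token))
    print(old_idp.resolve(token), new_idp.resolve(token))   # 'jcitizen', None
    new_idp.receive_transfer("jcitizen", token)              # user moves IdP
    print(new_idp.resolve(token), new_idp.issue("jcitizen") == token)
```

Running the script shows the three properties side by side: the same uid at the same IdP always yields the same 27-character value, an SP (or a second IdP) holding only the token cannot resolve it, and after a transfer the new IdP resolves and re-issues the original value rather than deriving a fresh one under its own salt.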

