WebOfTrustInfo / rwot1-sf

RWOT1 in San Francisco, California (November 2015)
http://www.WebOfTrust.Info

Add Anil John's Tokens and Attributes Definitions? #16

Open ChristopherA opened 8 years ago

ChristopherA commented 8 years ago

/re shared_terminology_for_digital_identity_systems.md #bb8adf3 /cc @christianlundkvist

What do you think about adding/reconciling your definition list with Anil John's thoughts on separating tokens and attributes, as he describes here: https://blog.aniljohn.com/2013/01/separating-token-attribute-model.html and here: https://blog.aniljohn.com/2013/03/anonymity-token-attribute-separation-model.html

I find this a subtle but useful distinction, particularly as it also applies to anonymous and pseudo-anonymous forms of WoT that may not have human readable names.

coder5876 commented 8 years ago

Thanks for the suggestion @ChristopherA! I need to digest these articles more but it's interesting since it's from the viewpoint of the traditional federated identity model.

My note did define identity as a cryptographic name bound to attributes, as well as having the cryptographic name bound to private keys (i.e. Tokens). I feel like binding the cryptographic name (not necessarily human-readable) to the public keys is a good idea, but the binding to the attributes should be less explicit i.e. the attributes could be encrypted and selectively revealed as @shea256 writes here.

I'll read through the articles more and will try to fit them in. Thanks again!

ChristopherA commented 8 years ago

It also might be worthwhile to add in a reference to attribute definitions for Issuer, Subject, and Claim as those are used in one of the most deployed attribute claims formats, JWT RFC 7519, which is used extensively by both the bitcoin and oauth/openid communities.

-- Christopher Allen

coder5876 commented 8 years ago

@ChristopherA: Great idea, I'll update the docs! BTW do you like the name Attestation to refer to a signed attribute claim, or is there a more standardized phrase?

ChristopherA commented 8 years ago

My gut says that we should find a better word than attestation, but I don't have a good alternative. An unsigned statement is just a statement. A claim is a signed statement. Both are reasonably easy for a non-tech person to understand. But as soon as we say an attestation is a claim about another claim, we are now in the territory of confusing people.

shea256 commented 8 years ago

@christianlundkvist I personally overloaded the word "claim" in my selective disclosure writeup. I also thought of using attestation but it didn't sound as good and didn't read as good. I know that "claim" is technically a JWT claim called claim, but I really don't think that's an issue and it's worth it when you get the additional readability and aesthetics of the word set.

coder5876 commented 8 years ago

@shea256 @ChristopherA: Claim is nice but it seems to be targeted on being a True/False statement about a collection of attributes. Is this normally the case in the usage of this word? For instance in the JWT the claim field just contains one or more attributes.

For "Attestation" I also think of reputational attestations, i.e. I buy something from a vendor, and I give an attestation like "Good product, good service: 5 stars". I don't feel like claim is a good word for such a thing.

It probably makes sense to have these two (claims about attestations, subjective reputation statements) be separate objects/concepts. If that's the case then I feel that "claim" is a pretty good, precise word for its use.

coder5876 commented 8 years ago

@shea256 @ChristopherA: Is a claim normally signed only by the person making the claim? Or is the same word used when other people are signing the claim? I.e. the difference between me stating that I'm over 21 and the DMV stating that I'm over 21.

ChristopherA commented 8 years ago

I make a statement that I'm over 21, and sign it myself and it is now a claim. Someone else points to my claim and makes a claim that they agree. That is a claim. If you trust their claim over mine because their identity is that they are DMV, go for it. Or you trust me, and don't need the support of the other claim, use that. You choose.

I think that is the web of trust model.

P.S. If I make a claim that I'm over 21, with a proof of existence that 21 years old, you don't need anyone else to affirm my claim.
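Added example, not code from this thread or from the RWOT documents: the model in the comment above (a signed statement is a claim, a second party's claim can point at it, and the verifier chooses whom to trust), sketched in Go with Ed25519. The Claim layout, its byte encoding, the "agree" statement and the function names are assumptions made for the illustration; Issuer and Subject follow the JWT terms mentioned earlier in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Claim is a signed statement (illustrative layout, not a JWT). Issuer is the signer's
// hex public key; Subject is another claim's ID, or "" for a claim about the issuer.
type Claim struct{ Issuer, Subject, Statement string; Sig []byte }

// payload is a constructed demo encoding of the signed fields.
func (c Claim) payload() []byte { return []byte(c.Issuer + "\n" + c.Subject + "\n" + c.Statement) }

// ID hashes the payload so that a second claim can point at this one.
func (c Claim) ID() string { h := sha256.Sum256(c.payload()); return hex.EncodeToString(h[:]) }

// Sign turns an unsigned statement into a claim issued by key k.
func Sign(k ed25519.PrivateKey, subject, statement string) Claim {
	c := Claim{hex.EncodeToString(k.Public().(ed25519.PublicKey)), subject, statement, nil}
	c.Sig = ed25519.Sign(k, c.payload())
	return c
}

// Valid checks the signature against the key named in Issuer.
func (c Claim) Valid() bool {
	pk, err := hex.DecodeString(c.Issuer)
	return err == nil && len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, c.payload(), c.Sig)
}

// Accept is the verifier's choice: trust target's issuer directly, or rely on
// a trusted issuer's signed "agree" claim that points at target's ID.
func Accept(target Claim, support []Claim, trusted map[string]bool) bool {
	ok := trusted[target.Issuer]
	for _, s := range support {
		ok = ok || (s.Valid() && trusted[s.Issuer] && s.Subject == target.ID() && s.Statement == "agree")
	}
	return target.Valid() && ok
}

func main() {
	_, me, _ := ed25519.GenerateKey(nil) // constructed demo identities
	_, dmv, _ := ed25519.GenerateKey(nil)
	mine := Sign(me, "", "I am over 21")
	agree := Sign(dmv, mine.ID(), "agree") // a claim about my claim
	fmt.Println(Accept(mine, []Claim{agree}, map[string]bool{agree.Issuer: true}))
}
```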

ChristopherA commented 8 years ago

I think that the verb for these might be affirm or confirm, but I'm not sure which is best.

http://www.differencebetween.net/language/difference-between-affirm-and-confirm/

Summary

1. Confirm and affirm, both are transitive verbs but are used differently. Their meanings are different and they cannot, in general be interchanged. They have different meanings, different synonyms and different antonyms.
2. Affirm means, to validate or state positively, to assert as valid and to express someone’s dedication; confirm means, to ratify, to strengthen, and to give assurance.
3. It has been seen that confirm is used for both negative and positive sentences; whereas affirm is mainly positive.
4. The difference can be explained by two sentences;

The receptionist confirmed the hotel reservations.

and,

Serving in the defense services affirms your loyalty to the nation.

We cannot interchange the words confirm and affirm in either of the sentences.

So nouns are confirmation or affirmation?

coder5876 commented 8 years ago

Ah, I had in my definitions that attributes would be cryptographically bound to the name/identifier by definition, and claims would then be attributes that are signed by other people. But it seems like in federated identity systems you often have identity attributes that are not cryptographically bound to Tokens/credentials, so perhaps I should reword that.

As for terminology, I feel like "affirmation" or "confirmation" sounds like an authoritative declaration of truth in a sense, i.e. It was not clear if something was true and then I confirm that in fact it is true. Attestation sounds more neutral I think.

I found this under "Attest": a. To certify by signature or oath: attest a will. which sounds pretty close to what we're after.

But perhaps "claim" works in this respect too - I claim that X is over 21 etc...

dukejones commented 8 years ago

I've been using the term "assertion".