Open fandreas opened 1 month ago
I think the challenge here is going to be to define identity here just enough to make the appropriate points. I think for the purposes of this section, the authorization calculation is based on the following:
I agree that the "identity" term and a concise definition of it is a challenge (not least based on the earlier thread on this: https://mailarchive.ietf.org/arch/msg/wimse/lkBh5AS63J8gXxtgHqo5X4RxN6A/)
Is the suggestion to remove that term from the document (throughout) and just talk about authenticated identifiers and authorization instead?
https://github.com/ietf-wg-wimse/draft-ietf-wimse-arch/blob/8234b6de1e221d19c950b0f564e33e5536278218/draft-ietf-wimse-arch.md?plain=1#L217
The term "Authenticated Identity" suggests that all identity-related information can be authenticated. However, the definition of identity earlier in the document includes various attributes that cannot necessarily be authenticated. There is a pull request that changes the Identity section significantly; however, it doesn't clearly define the term "Identity" either. Further work is needed to ensure crisp definitions.