What kind of Privacy is the IDESG creating?

Ryan, respectfully, I don’t agree with your plan forward. Also, to further this discussion I have opened slots on the IDESG taxonomy wiki where we can capture this discussion and hopefully come to agreement on what we are trying to protect in the Identity Ecosystem Framework. I suggest human attributes, but whatever is decided we need to build a reference model definition for others to be guided by. As I have already mentioned, human attributes and personal information belong to the same domain, namely human capability. It is human capability that we are trying to protect and encourage. While Bob Pinheiro’s definition has some merit, it is too narrow to protect dynamic human capability and is already out of date as to human attributes, not to mention the Big Data challenges. This is one reason among many why we need to claim and acknowledge the dynamic nature of human capabilities and align the human attributes these capabilities create with something more encompassing and universal, such as human rights.

Image by Ann Racuya-Robbins, Copyright 2012: Social Cooperation and Privacy

Ryan, you said: “The IDESG is attempting to create an identity ecosystem framework intended to govern those identity service providers and RPs that voluntarily choose to adopt the rules, requirements, and standards embodied in that framework.” More than that, we are working on creating and providing a certification program, a “Trustmark”, that will enhance the standing of an Identity Provider or Service Provider with potential customers. The IDESG is giving, or giving away, something valuable. Distrust in cyberspace and online is growing. If IDESG creates a “Trustmark” plan that misses the mark by a mile, trust will be even harder to re-establish. Ryan, you said: “We are not creating legislation and we are not going to regulate the entire internet and mobile world. So—at least to start—I suggest we begin by answering this question within the context of what we have begun to lay out as our target transaction; namely one which is authenticated and involves “personal information” (as suggested above). What security requirements should we seek to put into place to protect metadata in this instance?” But the IDESG is creating a contract for compliance. The self-attestation and assessment has requirements.
This is exactly the right place to identify and make clear what we are trying to protect. Metadata cannot be left to security alone but must have privacy protections. What is going to happen to the data in providers’ audit and security logs? Metadata is personal information, or human attributes, and must be protected by privacy wherever it exists. We have not reached agreement that our target transaction is authentication. We must begin with Registration, because that is the touch point with human capabilities, human attributes and personal information. User Managed Access (UMA), while constructive, is not enough of an answer. We can’t begin with access. If end users are able to evaluate providers based on an informed valuation of what his or her human attributes are worth, they will choose the partners that offer them a good value proposition. Any “Trustmark” that obscures that value will not be trusted.

Regards,
Ann Racuya-Robbins