So, we had a great session at the JISC Conference 2009 on identity and both Lawrie and I were extremely pleased with the audience feedback and involvement we had. I won’t repeat the notes of what was discussed as the very diligent and accurate roving JISC blogger assigned to our session got those and they are here (many thanks for that).
What I will do is to go through what I got out of the session, a few more resources on identity and some of the material we didn’t get to cover.
So, starting on what I got out of the session:
- People are thinking a lot more about identity issues in academia; when we first started talking about identity in groups (a good example being in the first blog post I ever did for JISC), we had a large number of listeners and fewer participants. Great to see that more people have gone to find out more and are looking at how they need to deal with identity in their area;
- Universities such as Cardiff (thanks to David Harrison for mentioning this at the session) are starting to educate their students on how they need to deal with identity. It would be useful to have more examples as one of the points raised in the session is that students are a key group to engage with;
- There are many people out in institutions who have a good grasp on the issues that need to be dealt with and an appreciation of what it means for their areas;
- Working with an audience rather than presenting to them can get the most out of a session for both the people leading the session and those attending. I must admit I was a bit fearful of how this would work given we had a small room that was packed full (Lawrie even gave up his chair!) and it was quite a large group (70+);
- Identity is a complex subject yet it is one that can be approached simply by working with our peers to understand how it will affect how we work in academia;
- We can control our identity and reputation online, which benefits not only us but also our teams, our departments and our institutions. We need to think at a variety of scales;
In terms of resources, we had a jargon segment to try to explain key terms that are used within identity management. I’ll stick my hand up to a few admissions:
- These weren’t intended to be ‘absolute’ definitions;
- They aren’t intended to be a comprehensive glossary – there are no doubt omissions but I feel it is best to start small and these are the most common (and often for a new user most confusing) terms that are heard;
- When I wrote them I was writing them for the average learner, teacher or student in an institution – yes they are simplified and lose some of the technical detail;
So, after all the excuses, here are the terms:
Identity credentials – generally a username and password but anything that identifies you as a user. Also known more commonly as an ‘identity’.
Registration – ensuring that the person who you are issuing a set of identity credentials to is who they say they are. When we talked about the birth of an identity in the session, registration is when this happens.
Authn – Authentication – re-verifying that the user is who they say they are before they are allowed to carry out an action.
Auths or authz – Authorisation – the process of verifying that someone who is trying to access a resource (be that a paper, journal article, some data or something else) is entitled to do so.
PII – Personally Identifiable Information – anything that can personally identify you or another person. This could be your name or a piece of information about you that could only apply to you. This is what we most need to protect and ensure is up to date as it can affect our academic reputation.
User-centric identity – the concept of the user being able to control what information (PII or otherwise) they release about themselves and thus control their identity.
OpenID – a technology that came out of the social software world (think blogs and wikis) that allows you to control what information you release about yourself. One of the most popular user-centric identity systems.
OAuth – a new technology that allows applications or sites to carry out an action for a user without handing over user names and password details to another site. The best example is the recent talk over software like Tweetdeck being able to post comments to Twitter on behalf of users.
Federated identity – where a series of bodies that provide identity credentials and a series of bodies that control access to resources get together to agree a common set of rules, so that someone who has identity credentials from any of the bodies that issue them can access resources from any of the bodies that control access to them.
UK federation – the body in the UK that provides federated identity for UK further and higher education.
Finally, here are a few further resources:
- The presentation and notes can be found here;
- www.pipl.com allows you to see what information is held about you. You can equally use Google to do a similar search for yourself;
- http://openid.net tells you more about OpenID and how to get one;
- http://oauth.net/about/ gives more information on OAuth and how it works;
- Andy Powell is running a symposium on access and identity management in e-research; more details can be found here;
- JISC’s latest project is producing an identity management toolkit for institutions. More details on what it is doing can be found here;
I’d welcome comments on this blog, the events blog or tweets tagged with either #jisc09 or #jisc09_id. We need to keep this discussion going and build on the good work done in the session. If you have any direct questions on what JISC is doing in access and identity management going forward then please talk with Chris Brown, who is taking over this area from me.