...
Unlike in the classic web object identities have in most cases an owner, user, administrator or other related persons or objects.
Lifecycle of objects
The lifecycle of objects might be different from identity of individuals. And object can be brought to existence. It can be assigned to an owner. An object might also change its owner. And object can technically disappear. The life cycle might be significant shorter or longer than in classic Identify management.This can lead to dynamic changes in routing, identity management etc….TBD
Object identifier and namespace
An object identifier addresses an object within a defined name space. Example: A phone number "0183485886" points to a certain phone. An IP address 123.23.45.67 points to a certain Internet protocol interface assigned to a certain device. The phone number is only valid inside the ITU E.164 telephony system. And the IP-address is only valid in (public) internet name space.
If an object A has a phone number as an identifier and an object B an IP-Address it needs a mapping mechanism (service) to map both addresses in order to enable communication between A and B.
The mapping service could be private and specific a certain use-cases or it could be a general and public one, like the DNS.
TBD…
Governance of object data
Objects in the "Internet of Things" produce data. These data might lead to personally identifiable information (PII). A car for example is able to track GPS positions and to provide a complete movement profile of a certain person.
Transparency
Although these data are mainly used for maintenance or additional services in automotive user information and consent should be mandatory.
Data minimization / data collection (in advance
Complex machines e.g. combine harvesters have hundreds of sensors that are able to produce tons of data. Data should not be collected if they are not used for a specific use-case.
TBD…. Anchor _GoBack _GoBack
Issues
- Data Ownership/Control
- Who owns/controls data
- In a combine harvester or vehicle (truck, automobile, motorcycle), is the data owned by
- the manufacturer
- dealer
- service provider (e.g., maintenance/repair shop)
- harvester/vehicle owner
- each harvester/vehicle user
- employees
- clients
- prospective buyers
- family members
- friends
- other passengers (e.g., others whose GPS locations also become known)
- what happens when you pick up a stranger (hitch-hiker) or give a ride to the airport to an unknown colleague met at a conference
- a third-party who provides the sensor to support a service, such as
- disseminating aggregated data as a subscription service
- collecting driver behavioral data to determine insurance rates?
- from a data transaction that requires the interaction of multiple devices owned/controlled by multiple parties?
- when a device is sold?
- In a combine harvester or vehicle (truck, automobile, motorcycle), is the data owned by
- Who owns/controls data
- Consent
- Whose consent will be required for interactions that involve numerous sensors, controllers, and reporting devices
- For example,
- If an auto manufacturer owns data collected by a vehicle, will it require consent from the vehicle owner and service provider?
- Will each user be required to provide consent for data generated while they are driving?
- the same concerns apply to determining
- For example,
- Whose consent will be required for interactions that involve numerous sensors, controllers, and reporting devices
- Data Ownership/Control/Consent Contracts
- NOTE: While the above issues can be managed by contract law, should there be an default data ownership/control model ?
- The rationale for such a model is that current contracts (e.g., privacy policies, web site terms of use) are one-sided that the negotiation asymmetry may be considered unfair.
- NOTE: While the above issues can be managed by contract law, should there be an default data ownership/control model ?
- Identity discovery
- What attributes would an identity registry need to maintain to be of use to people or devices seeking sensor or controller devices to integrate into a solution
- For example,
- weather sensors
- traffic sensors
- location tracking sensors
- security sensors
- weather alerts
- traffic alerts
- location tracking alerts
- security alerts
- For example,
- Will owners/users have the ability to prevent their devices from being discovered?
- Will they have some selectivity about who can discover their devices?
- Will they have some control over who can interrogate their devices?
- What attributes would an identity registry need to maintain to be of use to people or devices seeking sensor or controller devices to integrate into a solution
- Identity impersonation
- How will devices preclude impersonation of the other devices with which they exchange data?
- Will each device that might generate, process, or report on private, sensitive, or confidential data be required to provide its own IAM capabilities to prevent fraudulent use?
- Will devices be required to develop usernames and passwords to interact with other devices? (How does my calendar system access a GPS system for my child's school bus, to minimize her waiting in the cold on a snowy day when traffic is behind schedule?)
- If so, who sets the username/password or other criteria?
- How will this information be stored securely?
- How will it be modified/updated?
References
ISO 19770 Syllabus |
|
| |
SWID Schema | XML schema for ISO/IEC 19770 Software ID Tags |
| |
NIST IR 7693 | Specification for Asset Identification | http://csrc.nist.gov/publications/nistir/ir7693/NISTIR-7693.pdf |
|
NIST IR 7695 | Common Platform Enumeration: Naming Specification Version 2.3 | http://csrc.nist.gov/publications/nistir/ir7695/NISTIR-7695-CPE-Naming.pdf |
|
NIST IR 7696 | Common Platform Enumeration : Name Matching Specification Version 2.3 | http://csrc.nist.gov/publications/nistir/ir7696/NISTIR-7696-CPE-Matching.pdf |
|
NIST IR 7697 | Common Platform Enumeration: Dictionary Specification Version 2.3 | http://csrc.nist.gov/publications/nistir/ir7697/NISTIR-7697-CPE-Dictionary.pdf |
|
NIST IR 7698 | Common Platform Enumeration: Applicability Language Specification Version 2.3 | http://csrc.nist.gov/publications/nistir/ir7698/NISTIR-7698-CPE-Language.pdf |
|
IETF RFC 2578 | Structure of Management Information Version 2 (SMIv2) |
| |
ITU-T X.672 | Object identifier resolution system |
| |
ITU-T X.660 | Procedures for the operation of object identifier registration authorities: General procedures and top arcs of the international object identifier tree |
| |
ITU-T OID Flyer | “Object Identifiers and their Registration Authorities: Your Solution to Identification” | http://www.itu.int/dms_pub/itu-t/oth/0B/04/T0B040000482C01PDFE.pdf |
|
ISO 26324:2012 | Digital object identifier system |
|