Identifiers
An identifier is a function that maps real-world subjects into name or character strings, so that distinct subjects have distinct strings. A real-world subject may be a person, an object (for example, a printer or a file), a group, or a department. A real-world subject can have multiple identifiers. For example, a person may have a Social Security number, an email address, userids on several systems, a network ID, and others.
Identifiers have always been part of the campus IT environment, but until recently their use was relatively narrow and limited. As the number of computing and networked resources has proliferated, so too have identifiers. With the growing importance of these resources, issues of rights and responsibilities associated with each identifier become critical.
The key issues are assigning identifiers (How are they formed? Who hands them out? How long are they good for? Can they be reused? What resources are they valid for?) and relating identifiers (Are some dependent on others? Can an effective mapping be made among a real-world subject's set of identifiers?).
Current Environment
The current situation at most universities is that individuals have many disjoint identifiers and objects have few or no identifiers. Further, the scope and policies associated with identifiers tend to be poorly defined. Typically, a user will have an email address, a Unix login or userid, a LAN account name, a Social Security-type number, and perhaps additional identifiers for administrative systems, modem pools, etc. The rights and responsibilities of each identifier are usually not explicit. Further, when presented with one identifier for a subject, it may not be readily possible to obtain another identifier (for another context) if needed.
Identity today is primarily a campus-based issue. When campuses seek to interoperate, issues will arise about the type of identifier that needs to be exchanged, and the forms and policies for that identifier. Moreover, to the degree that identifiers enable users to access other forms of electronic credentials, there may need to be agreements and consistency between campuses about the policies associated with classes of identifiers.
Next steps
Given the importance and proliferation of identifiers, a campus should do an inventory of existing identifiers and examine the technologies and policies associated with them. The set of questions below may serve as an aid.
Another useful step would be to clarify the issues around electronic identifiers. This includes hosts, printers, etc.
References
Much of the deep thought and good work about identifiers in higher education has been done in the last few years at Stanford. The following references are particularly useful:
A good description of object identifiers can be found in Cliff Lynch's article on digital objects at www.arl.org/newsltr/194/identifier.html.
What are the primary identifiers (for example, userid, social security number, netware login, email address) used in electronic environments on campus? What are their primary uses?
For each of the primary identifiers, consider the following:
A. Scope of each identifier
- Who issues the identifier?
- What populations are able to get an ID?
- What are the sets of resources that the identifier is used for?
- Do you assign IDs to things other than people, such as objects and groups?
- Do you have a policy of "one person, one ID"? If so, how do you ensure this?
B. Operational issues
- Are IDs ever reassigned?
- What identifiers are the keywords for directory accesses?
- Are IDs chosen by users or auto-generated?
- What proof does a real-world subject need to establish an ID?
- Can users change their IDs? If so, under what circumstances?
C. Interrelationships among identifiers
- Do you have policies about use of the central ID/authentication system by applications, for example, requiring central admin systems to use certain IDs?
- Do you have a policy restricting the use of the central ID/authentication system by departmental or personal servers?
- Do you synchronize IDs among several authentication systems, such as Kerberos, NT, and Netware?
- Do all students/employees get an ID as part of entering the institution?
- What identifiers can be used to acquire other identifiers?