22I/ Person schema design — Doing it Wrong? @nytimes

From IIW

Person Schema Design - Doing it Wrong? @nytimes

Thursday 22I

Convener: David Wheeler

Notes-taker(s): Gaëlle Sharma

Tags for the session - technology discussed/ideas considered:

schema, schema design, person, user, credential, attribute, entitlement, claim, attestation, assertion, identity, persona

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps


Johannes Ernst

  • Do you have organizations?

  • What is the target architecture?

    • Relational database?

    • DW: store JSON with a bunch of indexes / columns -- slightly fancy key value store

  • Email addresses

    • How many authentication methods?

    • What is the user experience? Do users use multiple authentication methods?

  • Github

    • Developers have two accounts -- one personal, and one corporate, to keep their two worlds separate

  • Go and ask people about their schemas

    • Could be helpful. They may have some attributes you would never think of.

  • I’m in California - CCPA

    • You may want to download the data

    • The better ones may show you structure

    • The higher profile of the company, the better they are organized

    • Might be useful to see how FB/Amazon represent marketing information

  • Claim

    • As a programmer: claim is just a field

    • In an identity scenario: a claim is [something] stating that an entity has an attribute

      • A claim can be verifiable

      • Can verify who has made what claim

      • You can’t verify that the claim is true, just verify who made the claim

Sebastian Posth

  • Is there anything that relates a user to the content?

    • Claim that you own the right to that content

    • Attestation that you want to verify a claim

    • Attributing a piece of content to a rights holder

  • A user with a specific credential, would have a credential to use a specific set of features

    • This is what I would associate with the relationship between the user and the content


OIDC specs

  • Says that “names are specs” but I thought that was just an attribute of a person

Aaron Goldman

  • OWASP - founded because people did use the same terminology

  • Should have definitions for words