Location as an attribute – sorry, ‘claim’ – of identity has been buzzing around the identity blogosphere these past few days. This comment by Bob Blakley (I’m guessing this is the right Bob Blakley – somebody please correct me if I’m wrong!) on Kim Cameron’s Identity Blog is particularly interesting:
The ISO 10181-3 Access Control framework was very clear about this, so there’s really no need to be unclear. 10181-3 divided authorization attributes into categories: (1) subject attributes, (2) target attributes, (3) request attributes, (4) context attributes. The POLICY took all these attributes into account when making a decision. Identity claims are subject attributes. Location claims, because they are not unique to a subject and because a subject’s location may change (and because the protocols carrying requests usually do not natively support location) are context attributes. Trying to make location an identity (=subject) attribute will greatly complicate the storage and management of identity information, with no gain in functionality over what is already gained by treating location (properly) as a context attribute. Time, as you point out, Mark, is also a context attribute, as is “client device capability”.
It struck me tonight that the answer to the question of whether location is a subject attribute or a context attribute is (as usual) “it depends”. In applications where a policy requires that a subject’s location meet some criterion to gain access to a resource, location is indeed a context attribute. However, it isn’t quite that simple.
Consider a simple weather service for cellphone users. The user sends the word ‘forecast’ as an SMS message to the service. The service responds with an SMS message containing the day’s forecast (and probably also an ad targeted at your current location). As far as the weather service is concerned, your only identity is your location. It doesn’t care who you really are, or even if you are the same you that requested a forecast from a different location yesterday. I would contend that, in this context, location is a subject attribute.
UPDATE: See comments – Alan Nichols clears this up with the concept of the anonymous user.
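To make the distinction concrete, here is a small policy decision point built around the four ISO 10181-3 attribute categories Bob lists (subject, target, request, context). It is an added example written for this post, not code from ISO, from Bob or Kim, or from any real weather service. It runs two scenarios: a payroll-access policy in which location (the client's network address) and time are context attributes, so the same directory entry for the user is reused unchanged whether the request is allowed or denied; and the SMS weather service, where the subject is anonymous and its only attribute is the location the SMS gateway reports. Every name, address range, city and forecast below is constructed for illustration.

```python
"""Tiny deny-by-default policy evaluator using the four ISO 10181-3 attribute
categories: subject, target, request, context.  Example code written for
this post; all policies, attribute names and sample data are made up."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Mapping, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: Mapping[str, Any]   # who is asking (identity claims)
    target: Mapping[str, Any]    # what is being accessed
    request: Mapping[str, Any]   # what operation is requested
    context: Mapping[str, Any]   # environment of the request: time, location, channel, ...


Rule = Callable[[AccessRequest], bool]


def evaluate(policy: Mapping[str, Rule], req: AccessRequest) -> Tuple[bool, List[str]]:
    """Every rule in the policy must hold.  Returns (permitted, names of failed rules)."""
    failed = [name for name, rule in policy.items() if not rule(req)]
    return (not failed, failed)


# ---- Scenario 1: location as a CONTEXT attribute ---------------------------
OFFICE_NET = ip_network("10.20.0.0/16")   # constructed: "the office network"

PAYROLL_POLICY: Dict[str, Rule] = {
    "subject_is_hr":        lambda r: "hr" in r.subject.get("roles", ()),
    "target_is_payroll":    lambda r: r.target.get("classification") == "payroll",
    "action_is_read":       lambda r: r.request.get("action") == "read",
    # Location and time are evaluated from the context, never from the subject record.
    "from_office_network":  lambda r: ip_address(r.context["client_ip"]) in OFFICE_NET,
    "business_hours":       lambda r: 8 <= r.context["time"].hour < 18,
}

# A directory entry for a user: stable identity claims only, no location in it.
ALICE = {"id": "alice", "roles": ("hr",)}
PAYROLL = {"classification": "payroll", "name": "payroll-2024-Q1"}   # constructed target


def payroll_read(client_ip: str, when: datetime) -> AccessRequest:
    """Build a read request for the payroll record; only the context varies per call."""
    return AccessRequest(subject=ALICE, target=PAYROLL, request={"action": "read"},
                         context={"client_ip": client_ip, "time": when})


# ---- Scenario 2: the anonymous SMS weather user -----------------------------
FORECASTS = {"Seattle": "Rain, 11C", "Phoenix": "Sunny, 38C"}   # constructed data


def anonymous_subject_from_sms(cell_city: str) -> Dict[str, Any]:
    """The SMS gateway tells the service only where the handset is.  That location
    is the whole 'identity' the weather service has for the sender."""
    return {"id": None, "anonymous": True, "location": cell_city}


WEATHER_POLICY: Dict[str, Rule] = {
    # Here location lives on the subject: an anonymous user known only by where they are.
    "subject_has_known_location": lambda r: r.subject.get("location") in FORECASTS,
    "keyword_is_forecast":        lambda r: r.request.get("sms_body", "").strip().lower() == "forecast",
}


def handle_sms(cell_city: str, body: str) -> Optional[str]:
    """Return the forecast text to send back, or None if the policy denies the request."""
    req = AccessRequest(subject=anonymous_subject_from_sms(cell_city),
                        target={"service": "forecast"},
                        request={"sms_body": body},
                        context={"channel": "sms"})
    permitted, _failed = evaluate(WEATHER_POLICY, req)
    if not permitted:
        return None
    return FORECASTS[req.subject["location"]]


if __name__ == "__main__":
    office = payroll_read("10.20.3.4", datetime(2024, 1, 15, 10, 0))
    remote = payroll_read("203.0.113.9", datetime(2024, 1, 15, 10, 0))
    print("office:", evaluate(PAYROLL_POLICY, office))   # (True, [])
    print("remote:", evaluate(PAYROLL_POLICY, remote))   # (False, ['from_office_network'])
    print("same subject record reused:", office.subject is remote.subject)   # True
    print("sms:", handle_sms("Seattle", "forecast"))     # Rain, 11C
```

The payroll scenario shows the storage argument in Bob's comment directly: `ALICE` is the same object in the permitted and the denied request, because the thing that changed (where the request came from) is carried in the context, not in the identity store. The weather scenario shows the other case from the post: there is no identity to store at all, so the only subject attribute the service can act on is the reported location.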