
[IEEE 2010 Third International Conference on Advances in Human-Oriented and Personalized Mechanisms, Technologies, and Services (CENTRIC) - Nice, France (2010.08.22-2010.08.27)] 2010


GlobaliD Privacy concerns on a Federated Identity Provider Associated with the Users’ National Citizen’s Card

Frank Pimenta, Cláudio Teixeira, Joaquim Sousa Pinto

Department of Electronics, Telecommunications and Informatics

University of Aveiro

Aveiro, Portugal

{frank, claudio, jsp}@ua.pt

Abstract - Personal information sharing is one of the most common online activities. Most of the time we feel forced to give up some privacy in order to share a piece of information with others. This paper reflects on the anonymity, integrity and privacy of users’ personal information and on its scattering across the Web, taking a digital identity management approach. Consequently it also reflects on the certification of users’ information and on accountability. In this paper we propose a Federated Identity Management solution for the Web to reduce the privacy issues and avoid the loss of anonymity that may occur when users exchange their personal information within web contexts. We use a collection of publicly available strong identification mechanisms, such as the users’ (Portuguese) National Electronic Citizen Identity Card, together with a Federated Identity initiative, to create GlobaliD, a Federated Identity Provider that addresses the previously mentioned concerns. Our aim with the development of GlobaliD is to take a step further in digital identity management, and therefore in the privacy and anonymity of users’ identity online, by making it more versatile, responsible, trustworthy, integrity- and privacy-preserving, anonymous and thus secure.

Keywords – Identity Federation; Citizen Card; Privacy; Anonymity; Accountability; Trustworthiness;

I. INTRODUCTION

The Web offers a myriad of services to registered users. Usually, when users are registered at several websites, they have several digital identities (access credentials) to manage. With the boost of Web 2.0 and e-business, web applications started to request increasingly more personal information before allowing users to use the service, whether to join a social network or to buy products at some e-business. The rise of personal information exchange between users and services called for far better management of their personal information [1-2]. More secure and reliable communication channels are also required in order to keep the integrity of the information exchanged and the users’ privacy and anonymity. More secure and efficient authentication mechanisms are mandatory in the next generation of digital identity management as well [3].

Federated Identity Management (FIM) was the Identity Management Model introduced to address the interoperability of services regarding the acquisition, exchange and scattering of users’ personal information, and the users’ seamless access to the services [4-5].

Throughout this paper we introduce, describe, explain and analyze two different Identity Management Models for the management of users’ digital identities (UDIs) on the Web with regard to the privacy of their information and their anonymity. The pros and cons of each one are analyzed. Further, we introduce, describe, explain and analyze the proposed GlobaliD framework. Furthermore, we discuss the benefits and risks of using publicly available means for implementing strong authentication and providing certified information. The GlobaliD characteristics are discussed in comparison to other identity management initiatives, taking the users’ privacy, anonymity and the integrity of their personal information as the main concerns.

II. IDENTITY MANAGEMENT

The lack of an identity layer in the ISO network reference model, together with the increasing dynamism and user customization of web applications, forced the creation of systems and mechanisms to manage users’ digital identities [2]. Several models were created to tackle the identity management task. The next sections explain the most representative models present on the Web these days.

A. Traditional Identity Management Model

Until recently, the prevailing model for user identity and access management was one in which the identity provider (IP) and the service provider (SP) were the same entity, SP+IP, bundled in a single working block [4]. Figure 1 illustrates the structure of the Traditional Identity Management Model. In this model, each SP has its own integrated IP in order to control the users’ access to the services and to manage their personal data as well. Users cannot use the digital identity they possess in one system to log in to another; thus, for every system users want to use they must have a (different) digital identity, meaning one more credential to manage and more personal information to provide [4].

The huge burden of managing multiple access credentials leads users to be sloppier about them, as well as reluctant to adopt (other) online commerce solutions. This limits the scalability and the cost efficiency of the services [4-6]. Less frequently used credentials are easily forgotten and may very easily end up in the possession of others [7-8]. Generally, solutions based on this model implement the traditional password-based authentication mechanism to access the digital identity, and very often the communication channels used for exchanging the users’ credentials and personal information are not secure, making it easy to obtain sensitive data [9].

2010 Third International Conference on Advances in Human-Oriented and Personalized Mechanisms, Technologies and Services

978-0-7695-4141-9/10 $26.00 © 2010 IEEE

DOI 10.1109/CENTRIC.2010.26

Figure 1 - Traditional Identity Management Scenario (two silos, ShopX: IP+SP and GameX: IP+SP, each holding its own copy of John Smith’s profile data and a separate username/password pair for the same user)

Furthermore, this model does not offer users full control over the disclosure and dissemination of their information to others. Since users’ identity information is scattered across several systems and there is no means by which users can monitor the scrutiny and displacement of the disclosed information, their privacy may not be protected and their anonymity cannot be guaranteed. Concern about the whereabouts of their identity data leads users to provide false information, affecting the credibility of both users and services [10]. The services by themselves do not implement any mechanism to certify that the information users provide is true or accurate. Therefore, users prefer losing credibility to giving up their privacy, which makes the whole system less reliable or not reliable at all. On top of these problems, this model suffers from redundancy and scalability limitations, as explained in [11].

Despite all its flaws, it is the model most used by web applications nowadays, as can be seen from our own experience as Web users and from the number of credentials each one of us has to manage in order to keep accessing the services we are registered at.

1) Password managers

Password managers are programs that concentrate digital identity credentials in a single repository, giving users a means by which they can manage the plurality of their digital identity credentials more efficiently and avoid typing the credential data into the login form when accessing web applications.

This kind of application still does not avoid users’ multi-credentialism and, in order to use it, some kind of software application is mandatory. Users still have to register at the services in the traditional way, by filling in information forms. This piece of software is just a way to manage the users’ credentials and not a solution to strengthen the users’ privacy, anonymity and control over information scattering. Even though it has some value for identity theft prevention, it brings no relevant value to the protection of the users’ privacy and anonymity whatsoever (see lastpass.com).

B. Towards a unified login approach

In order to alleviate the users’ credential management burden, SPs started to request an email address as the credential’s username (digital identity identifier) for accessing the services. This way, users only have to manage the different passwords they have for every digital identity they hold, when systems request a different and specific password format. It also decreases the probability of losing access to services and eases digital identity recovery. Using the users’ email address protects neither the users’ privacy nor their anonymity. Rather, it increases the risk of a stolen identity as well as the probability of users losing either their privacy or their anonymity, because the use of the email address enables the discernment of users by correlating these (unique) identifiers across services. Users are still required to provide their personal information by filling in forms. As this is only a change to the identifiers used by the users’ digital identities in the Traditional Identity Management Model, all its flaws remain unchanged.

1) Multiple services provider

Some multiple service providers request from users an email address that is used as the service account identifier. These services only accept assertions from their own identity management system. So, if a certain user wants to access a service outside the company’s realm, he must create a specific ID in the other service. The most used services online created the so-called “silo identity issue” [12]. The benefit of this kind of specific ID in the Traditional Identity Management Model is only that it reduces the number of identity credentials users must use; all the other flaws remain unchanged in this approach.

2) Single Sign On

Single Sign On provides users with seamless access to web applications through the intermediation of an OpenID IP. It gives users a way to reduce the number of digital identities (access credentials) to manage by providing them with one that has single sign on features. The protocol has mechanisms to support strong authentication. However, it has no means by which the accuracy and correctness of the users’ information can be confirmed. The introduction of identifier select (directed identity) in version 2.0 of the protocol provided a pseudonym mechanism to avoid the discernment of users through the correlation of identity data. The implementation of this mechanism is not mandatory in the protocol.

Another SSO initiative for the Web is Windows Live ID [13]. It uses per-site unique identifiers (unique pseudonyms) for the representation of users [14]. Moreover, it recently became an OpenID IP. Any other information that the web applications request about the users must be provided by the users themselves by typing it into the forms the services provide, or by authorizing the IP to let the services access it [15].

C. Federated Identity Management Model

The Federated Identity concept was introduced to address both users’ and systems’ need for portability of authentication without requiring new registration. It establishes a set of rules and standards in order to create a reliable and secure namespace for the exchange of identity information between source (usually users via their IP) and target (usually web applications), allowing users to access several web applications seamlessly using only one digital identity [4-5].

The Federated Identity Management Model is characterized by its user-centric basis, focusing directly on seamless user cross-domain authentication and authorization to improve the operational efficiency of all services within a federated domain. For users to cross domains seamlessly, a set of agreements, standards and technologies must be enabled by the federation members. The kind of circle of trust that exists between the SPs and the IPs depends highly on the context and on the type of assertions being exchanged among them. Within a company context, a higher trust requirement makes more sense than in an e-commerce one, since the latter wants to maximize the number of clients [6, 16]. Within a Federated Identity context, the IP and the SP are detached [4-5]. This way the SPs only have to direct their attention to service provisioning. The IPs take care of providing digital identities to users, managing their personal information and being the agents responsible for sending users’ information and authentication assertions to the SPs in order to enable users to access the services they want.

Figure 2 - Federated Identity Management Scenario

Figure 2 illustrates the information arrangement in this model. In the illustration, users have a digital identity at the IP and delegate to the IP the responsibility of securing the exchange of their identity information with the SPs, as well as the task of authenticating them at the services they want to use. In this case users only have one set of credentials to manage, the credentials to access their digital identity at the IP, in order to access all the services belonging to the federation seamlessly. The IPs can focus on improving the management of the users’ information by implementing mechanisms to protect the users’ privacy and anonymity, such as control over the disclosure and dissemination of the information and monitoring of its scrutiny and displacement. The IP can also focus on improving mechanisms to certify the accuracy of the users’ information, as well as on implementing strong authentication and account recovery mechanisms to strengthen the security of access to the digital identity.

By focusing efforts on the service rather than on the identities, SPs lower their maintenance and management costs at the same time that they reach a bigger audience for their services. These features make the federated identity model a leverage to boost the e-commerce [6, 17].

According to the standards in use, certain security recommendations must be followed to avoid several kinds of attacks on the identity data, such as eavesdropping, man-in-the-middle attacks, ill-intended IPs, etc. Communication channels must be protected from attackers to guarantee the integrity of the information and prevent its unauthorized disclosure [18-21]. Moreover, certain federations may not enable users to select the particular information they would like to share, restricting the users’ information at the IP. Despite the benefits of this model, the up-front costs of modifying existing applications and systems can be an obstacle to its implementation and diffusion across web applications. A system might have to implement a series of protocols and comply with different sets of rules in order to interact with different federations. The risk of having an identity taken over is much higher than in a Traditional Identity Management Model, since whoever gets possession of a federated identity gains full access to all the services the identity is federated with, and also to the user’s private information: the credential for the IP becomes a single point of compromise.

III. GLOBAL IDENTITY: A FEDERATED IDENTITY FRAMEWORK

The aim of GlobaliD is to take a step further in the Identity Management Model by making it more versatile, responsible, trustworthy, anonymous and secure. GlobaliD tries to accomplish this by providing:

• A federated identity management solution (based on standards) for secure and seamless access to Web applications.

• A relatively simple interface that allows users to selectively choose the pieces of personal information they want to share.

• A mechanism to verify the truthfulness of the information.

• A mechanism on which users can monitor their personal information scrutiny and displacement.

• A tool for the association of publicly available means of identification users may have to the GlobaliD digital identities.

• Strong authentication.

• Pseudonymity when representing users in Web applications.

• A ranking mechanism to classify the veracity of the digital identity and/or personae and to indicate the trustworthiness of the user.

A. Features

In this section we will describe how to reach the proposed goals for GlobaliD.

1) Adopted Standards

SAML [20] is widely seen as a secure and reliable standard for enabling federation between members. Many other initiatives converged into the SAML specifications. GlobaliD uses SAML for implementing identity federation in a secure way. SAML 2.0 supports pseudonymous name identifiers (the persistent and transient NameID formats), which GlobaliD uses for the representation of users. A persistent pseudonym is intended to be specific to one SP, so web applications cannot discern a user by correlating identity information, which protects the users’ privacy and anonymity. The SAML specifications provide mutual authentication (signed messages between IP and SP) and can convey the strength of the authentication factor used (the authentication context), protecting users against ill-intended services, which is valuable for the use of the users’ CC (together) with the other possible means of association. SAML provides signature and encryption of the information.
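The pseudonym mechanism the paragraph above relies on, as an added example that is not part of the paper or of the GlobaliD implementation: the IP derives a per-SP persistent NameID with an HMAC over its internal user identifier and the SP entity ID (an assumed construction; the SAML specification only requires persistent identifiers to be opaque and SP-specific), or issues a fresh transient one, and places it in a minimal unsigned SAML 2.0 Assertion together with the authentication context class and the attributes the user chose to release. The entity IDs, the IP key and the attribute values are constructed; only the Python standard library is used.

```python
"""Pairwise SAML 2.0 pseudonyms issued by an identity provider.

Added example, not code from the paper or the GlobaliD project. Entity IDs,
the IP's pseudonym key and the attribute values are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
AC_SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"  # e.g. citizen card
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

IP_ENTITY_ID = "https://globalid.example/idp"               # assumed entity ID
IP_PSEUDONYM_KEY = b"constructed-idp-secret-not-for-reuse"  # assumed long-term IP secret


def persistent_pseudonym(key: bytes, user_id: str, sp_entity_id: str) -> str:
    """Per-SP persistent NameID: HMAC(key, user_id || 0x00 || sp_entity_id).

    Stable for one user at one SP (the SP can keep an account under it), but
    SPs comparing NameIDs cannot link the same user without the IP's key.
    """
    msg = user_id.encode() + b"\x00" + sp_entity_id.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def transient_pseudonym() -> str:
    """Fresh NameID per login; the SP cannot even link two sessions of one user."""
    return secrets.token_urlsafe(24)


def sps_can_correlate(key: bytes, user_id: str, sp_a: str, sp_b: str) -> bool:
    """True if two SPs would receive the same NameID for one user (a privacy failure)."""
    return persistent_pseudonym(key, user_id, sp_a) == persistent_pseudonym(key, user_id, sp_b)


def build_assertion(name_id: str, name_id_format: str, sp_entity_id: str,
                    authn_class: str, attributes: dict) -> str:
    """Minimal unsigned SAML 2.0 Assertion carrying the pseudonym, the
    authentication context (which factor was used) and the released attributes.
    XML-DSig and attribute encryption are applied on top of this in a deployment."""
    ET.register_namespace("saml", SAML_NS)

    def tag(name: str) -> str:
        return f"{{{SAML_NS}}}{name}"

    a = ET.Element(tag("Assertion"), Version="2.0", ID="_" + secrets.token_hex(8))
    ET.SubElement(a, tag("Issuer")).text = IP_ENTITY_ID
    subject = ET.SubElement(a, tag("Subject"))
    nid = ET.SubElement(subject, tag("NameID"), Format=name_id_format,
                        NameQualifier=IP_ENTITY_ID, SPNameQualifier=sp_entity_id)
    nid.text = name_id
    conditions = ET.SubElement(a, tag("Conditions"))
    audience = ET.SubElement(ET.SubElement(conditions, tag("AudienceRestriction")), tag("Audience"))
    audience.text = sp_entity_id  # only this SP may consume the assertion
    ctx = ET.SubElement(ET.SubElement(a, tag("AuthnStatement")), tag("AuthnContext"))
    ET.SubElement(ctx, tag("AuthnContextClassRef")).text = authn_class
    stmt = ET.SubElement(a, tag("AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, tag("Attribute"), Name=name)
        ET.SubElement(attr, tag("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


if __name__ == "__main__":
    user = "cc:00000000"  # constructed internal identifier, never sent to an SP
    shop, game = "https://shopx.example/sp", "https://gamex.example/sp"
    print(build_assertion(persistent_pseudonym(IP_PSEUDONYM_KEY, user, shop), NAMEID_PERSISTENT,
                          shop, AC_SMARTCARD_PKI, {"Name": "John Smith", "Nationality": "Portugal"}))
    print("ShopX and GameX see the same NameID:", sps_can_correlate(IP_PSEUDONYM_KEY, user, shop, game))
```

The HMAC derivation lets the IP re-derive a user’s identifier for any SP without keeping a lookup table, while the SP-specific input keeps ShopX and GameX from linking their accounts by comparing NameIDs. The AudienceRestriction ties the assertion to one SP, and the AuthnContextClassRef is where an IP tells the SP that the login used the citizen card rather than a password.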

The Microsoft Identity Metasystem (MS) [2, 22] approaches the Federated Identity Management Model by creating a layer for identity data translation, with the idea that a single universal identity system is unlikely ever to exist. It uses encrypted XML security tokens to distribute the users’ identity data under the information cards (ICs) concept. ICs are a good analogy for the paper cards users use every day to provide personal information to others. ICs could be a good technology to incorporate into the GlobaliD framework if the list of available claims were not so limited in comparison to the one created for GlobaliD. However, the concept of an IC as the group of a user’s personal information to send to web applications is very clear and straightforward. Therefore GlobaliD treats the users’ personal information to send to each web application as an IC. The users’ personal information is sent to the web applications encrypted, i.e., as SAML encrypted attributes.

2) Profiling

GlobaliD offers users a relatively simple interface by which they can organize their personal data and selectively share it with web applications and others. Users organize their information by profiling it in a digital identity.

3) Information Discrimination

The information users provide to their profile may be of several types, such as name, date of birth, age and address. Users tend to have several pieces of information of the same type, such as a home address and a work address. Additionally, they may have two home addresses. Therefore the personal information users provide may be discriminated according to Figure 3.

Figure 3 - Information discrimination scheme.

The Type may be any of the available claims. The Label is a reference users give to the information, and the Index is the cardinal order of the information among pieces of the same type. The Value is the information itself. The Validity and Veracity fields tell about the validity of the information and its veracity, respectively.

4) Information Claims

Currently available claims are: Address, CV, Date, Email, File, FingerPrint, Gender, GPG, IM, Name, Nationality, Telephone, Photo, Profession, Status, Title, and URL.

5) Information cards structure

GlobaliD names the information group sent to web applications an IC. GlobaliD organizes the information cards into Self Cards and Managed Cards (MICs). Self Cards are created by the user and may be either Real or Fake. Real Self Cards (RICs) only hold real information, inherited from the user’s citizen card. Fake Self Cards (FICs) may hold real and false information. Managed Cards (MICs) are asserted to the user by an outside entity in order to enable him/her to access or use any of that entity’s services. An overview of possible information cards is presented in Figure 4.

Users can use RICs or FICs to organize the information they send to the services they use according to the services’ demands, and other cards, MICs, can be asserted by other authorities, such as banks and shops, to authorize the user to access their services or to pay shops online; an IC asserted by the user’s bank would serve this purpose. FICs can be used on websites that do not request real information from users, such as news websites, in order to protect their privacy when commenting on news. The SAML pseudonym association will encourage users to behave, since they can easily be held accountable for the actions they take within the public areas of the web application. The use of FICs is analogous to a masquerade ball: people use masks to conceal their identity during the ball and only remove them when appropriate and with appropriate manners [23].

Figure 4 - "ICs" structure scenario.

6) Publicly available means for strong authentication implementation

GlobaliD associates the digital identities with several publicly available means of identification (PAMI) users own, such as their CCs [24], their fingerprint readers (FP), mobile phones (UM) [25] and e-mail addresses (@). The aim of these associations is to certify that the users really exist and to obtain real information from users for their GlobaliD digital identities. The use of PAMIs aims to implement strong means of authentication and (digital identity) account recovery.

7) Information Ranking

GlobaliD users are given the possibility to manually provide other information to their profiles besides the information on their CCs or on any other accepted PAMI. The information users provide manually may be asserted as true or false. In order to tell apart which information of the profile is provided by the users’ CCs and which is manually supplied by the user, a numerical ranking mechanism is created. The ranking mechanism has three levels: 0, 10 and 20, where 0 means false, 10 means asserted true by the user and 20 means asserted true by the CC or any other publicly available means. This way, services are able to discern whether information from the user was provided manually by him/her or by any of the PAMIs he/she holds. From these values GlobaliD assigns a veracity ranking level to each information card, based on the function in Equation 1.

$VR = \frac{\sum_{i=1}^{n} V_i}{n}$ (1)

VR in the formula is the veracity ranking of the information card; its range is from 0 to 20. $V_i$ is the veracity value for a given information piece and $n$ is the number of information pieces in the card.
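The information discrimination scheme of Figure 3, the card kinds of Section 5 and the ranking of Equation 1 in working form, as an added example that is not code from the paper or from GlobaliD. The claim types are the paper’s list; the card contents for John Smith are constructed. Two details are assumptions of this example rather than of the paper: a RIC refuses pieces that are not PAMI-asserted, and a piece whose Validity date has passed counts as 0 in the ranking.

```python
"""Information cards and the veracity ranking of Equation 1.

Added example, not code from the paper or the GlobaliD project. Claim types
follow the paper; card contents and the two policy choices marked "assumed"
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

CLAIM_TYPES = {"Address", "CV", "Date", "Email", "File", "FingerPrint", "Gender",
               "GPG", "IM", "Name", "Nationality", "Telephone", "Photo",
               "Profession", "Status", "Title", "URL"}

# Veracity levels of the ranking section: 0 = false, 10 = asserted true by
# the user, 20 = asserted true by the citizen card or another PAMI.
FALSE, USER_ASSERTED, PAMI_ASSERTED = 0, 10, 20


@dataclass(frozen=True)
class Piece:
    """One entry of the information discrimination scheme (Figure 3)."""
    type: str
    label: str                # user's own reference, e.g. "home", "work"
    index: int                # cardinal order among pieces of the same type
    value: str
    validity: Optional[date]  # date until which the value holds; None = no expiry
    veracity: int

    def __post_init__(self):
        if self.type not in CLAIM_TYPES:
            raise ValueError(f"unknown claim type {self.type!r}")
        if self.veracity not in (FALSE, USER_ASSERTED, PAMI_ASSERTED):
            raise ValueError("veracity must be 0, 10 or 20")


@dataclass
class InformationCard:
    kind: str     # "RIC" (real self card), "FIC" (fake self card) or "MIC" (managed card)
    issuer: str   # the user for self cards; the asserting entity for a MIC
    pieces: List[Piece] = field(default_factory=list)

    def add(self, piece: Piece) -> None:
        # Assumed policy: a Real Self Card may only carry PAMI-asserted data,
        # so its ranking can never be diluted by user-typed values.
        if self.kind == "RIC" and piece.veracity != PAMI_ASSERTED:
            raise ValueError("a RIC accepts only PAMI-asserted pieces")
        self.pieces.append(piece)

    def of_type(self, claim_type: str) -> List[Piece]:
        """All pieces of one type in cardinal order (home address, work address, ...)."""
        return sorted((p for p in self.pieces if p.type == claim_type), key=lambda p: p.index)

    def veracity_ranking(self, today: Optional[date] = None) -> float:
        """Equation 1: VR = sum(V_i) / n over the n pieces of the card, range 0..20.

        Assumed policy: a piece whose Validity date has passed is scored 0,
        since an expired value is no better than a false one to the SP.
        """
        if not self.pieces:
            return 0.0
        today = today or date.today()
        scores = [0 if (p.validity is not None and p.validity < today) else p.veracity
                  for p in self.pieces]
        return sum(scores) / len(scores)


def sample_cards():
    """Constructed cards for the user of Figure 1: a RIC fed from the citizen
    card and a FIC for commenting on news sites."""
    ric = InformationCard("RIC", issuer="user")
    ric.add(Piece("Name", "legal", 1, "John Smith", None, PAMI_ASSERTED))
    ric.add(Piece("Nationality", "cc", 1, "Portugal", None, PAMI_ASSERTED))
    ric.add(Piece("Date", "birth", 1, "1980-12-12", None, PAMI_ASSERTED))
    fic = InformationCard("FIC", issuer="user")
    fic.add(Piece("Name", "nick", 1, "LordZ", None, FALSE))
    fic.add(Piece("Email", "public", 1, "john@example.com", None, USER_ASSERTED))
    fic.add(Piece("Address", "old home", 1, "abc", date(2000, 1, 1), PAMI_ASSERTED))  # expired
    return ric, fic


if __name__ == "__main__":
    ric, fic = sample_cards()
    print("RIC veracity ranking:", ric.veracity_ranking())          # 20.0
    print("FIC veracity ranking:", round(fic.veracity_ranking(), 2))  # 3.33
```

An SP reading VR = 20 knows every piece on the card came from a PAMI, while the FIC’s score of roughly 3.3 tells it that most of the card is either declared false or no longer valid, which is exactly what a news site should expect from a masquerade card.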

B. GlobaliD advantages and disadvantages

The use of PAMIs for associating users with their GlobaliD identities assures that the holders of GlobaliD digital identities really exist and that part of their identity data is accurate. It also makes users accountable for the actions they take on the services they use, since they are now anonymously identified, i.e., they are identified by the SAML pseudonym asserted at the moment of federation with the web application. Impersonation of others is either easily prevented or discovered in the GlobaliD framework. The use of such a method allows the implementation of strong authentication mechanisms, strongly securing access to the digital identity. The use of SAML for implementing federation between users and services creates a secure communication layer for exchanging identity information between IP and SP. Users have a fluent mechanism to selectively share the pieces of information they want to and to seamlessly access the web applications as well. Users are also able to know the whereabouts of their information. The discernment of users by correlation of identity identifiers is not possible, due to the use of SAML pseudonyms for the representation of users at the web applications, as long as the attributes released in the ICs are not themselves unique identifiers such as an email address.

GlobaliD is a Federated Identity Management Model, therefore it keeps the drawbacks mentioned previously in that model’s own section. Also, users may fear that the association of their GlobaliD digital identity with any of their PAMIs may make them more vulnerable. A big-brother effect, or the creation of a honeypot by concentrating too much personal data in one place, is a concern. From the moment the web applications have the users’ information, GlobaliD can no longer control its further disclosure.

C. State of the Art Comparison

When compared to other models for Federated Identity Management, GlobaliD has features that strengthen the users’ privacy, anonymity, accountability and trustworthiness, as well as those of the services and of the whole federation, taking them to a higher level. Instead of using unique identifiers for the representation of the users’ digital identities, GlobaliD uses SAML pseudonyms. This avoids the discernment of users by the correlation of identity identifiers and protects the privacy and anonymity of users as well. GlobaliD categorizes the users’ information in terms of false and true data and requires the use of ICs to represent it. This classification implements a (veracity) ranking over the users’ ICs by the IP; the service providers may in turn create their own rankings over the IC, i.e., behavioral rankings. By using ICs, users can organize the information they send to the web applications they want to use and monitor its whereabouts as well. By using the users’ PAMIs, GlobaliD validates the users’ information and implements strong (mutual) authentication mechanisms. Nevertheless, in their absence users may use the traditional authentication forms to access their GlobaliD digital identity. The association of the users’ digital identities with their PAMIs makes users credible, reliable and accountable for the actions they take in the services they use, preventing their misbehavior in the first place.

D. GlobaliD Framework Scenario

Figure 5 represents a set of user profiles in the GlobaliD IP. Part of the profile information was extracted from the user's PAMIs (CC, FP, UM and @) and is kept marked as real information of the profile. The user can add more information to his/her profile and mark it either as false or true. The trustworthiness and security of the user's GlobaliD identity are raised by the association with the several PAMIs the user owns. Profiles are digital identities, allowing users to federate themselves with web applications (SP1, SP2 and SP3) using SAML assertions.

Figure 5 - GlobaliD Framework Scenario.

The user will use categorized ICs to selectively send his/her personal information to the web applications he/she is federating, or wants to federate, with. Other authorities, such as banks and shops, may assert ICs to the user, authorizing him/her to access their services or to pay shops online; for instance, an IC asserted by the user's bank could serve to accomplish an online payment.

Users can use ICs not only to selectively send information to web applications but also to selectively share it with other users or entities (a user-centric address book that is always up to date).


Page 6: [IEEE 2010 Third International Conference on Advances in Human-Oriented and Personalized Mechanisms, Technologies, and Services (CENTRIC) - Nice, France (2010.08.22-2010.08.27)] 2010

E. Towards a first GlobaliD IP Prototype

As a first development stage of a GlobaliD IP, we targeted the Portuguese CC. The users' CCs are used to register and authenticate the users at the GlobaliD IP, as well as to certify their digital identity and its information.

The interface named "MaskiD" was developed using the information cards concept, giving users a structure to organize their personal information and the information they send to the web applications they want to use. The GlobaliD IP uses the SAML specifications to establish federation between the users and the web applications, as well as to send them the users' ICs. SAML pseudonyms represent the users in their association with the web applications, for reasons of privacy and to avoid discerning users by the correlation of identity data (protection of the users' privacy and anonymity). The transport protocol used to establish a communication channel with the web application will be TLS.
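The two privacy mechanisms described in sections B, C and E, per-SP SAML pseudonyms that defeat cross-service correlation and ICs that release only chosen attributes tagged as PAMI-certified or self-asserted, as an added illustration that is not the authors' prototype code; the class and method names, the HMAC-based pseudonym derivation and the sample profile are assumptions of this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed example modelled on the GlobaliD IP behaviour described above;
# not the authors' code. GlobaliDLikeIdP, Attribute and release_card are ours.


@dataclass
class Attribute:
    value: str
    certified: bool  # True when extracted from a PAMI (e.g. the Citizen Card)


class GlobaliDLikeIdP:
    def __init__(self, pseudonym_key=None):
        # Secret known only to the IP. Each per-SP pseudonym is derived from it,
        # so an SP cannot recover the user id or link pseudonyms across SPs.
        self._key = pseudonym_key or secrets.token_bytes(32)
        self._profiles = {}

    def register(self, user_id, certified, self_asserted):
        # Attributes read from the PAMI are marked certified; anything the user
        # adds by hand stays self-asserted (the paper's true/false split).
        profile = {k: Attribute(v, True) for k, v in certified.items()}
        profile.update({k: Attribute(v, False) for k, v in self_asserted.items()})
        self._profiles[user_id] = profile

    def pseudonym(self, user_id, sp_entity_id):
        # Persistent pseudonym: the same user always gets the same value at one
        # SP, while different SPs see unrelated values for that user.
        msg = f"{user_id}|{sp_entity_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def release_card(self, user_id, sp_entity_id, card):
        # 'card' lists the attribute names the user chose for this SP; only
        # those attributes leave the IP, each tagged with its certification.
        profile = self._profiles[user_id]
        unknown = set(card) - profile.keys()
        if unknown:
            raise KeyError(f"attributes not in profile: {sorted(unknown)}")
        return {
            "subject": self.pseudonym(user_id, sp_entity_id),
            "attributes": {n: {"value": profile[n].value,
                               "certified": profile[n].certified} for n in card},
        }
```

The returned dictionary stands in for the SAML assertion's subject and attribute statement; a real deployment would also sign it and carry it over TLS as the text states.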

IV. CONCLUSION

The use of a coordinated collection of federated identity management initiatives enabled us to smooth and improve the users' digital identity management online. Users are able to selectively choose the pieces of information to share with web applications when federating with them, protecting their privacy and anonymity in the first place. We also managed to strengthen the users' privacy and anonymity by creating a SAML encrypted layer for exchanging users' information on top of the encrypted transport layer, TLS. By using PAMIs we assured that the holder of the GlobaliD digital identity exists and that at least part of its information is accurate. We also implemented strong and mutual means of authentication, strengthening the security of access to the digital identities. Thus, authorized access to the digital identity is assured and the protection against identity theft is strengthened. Users are also accountable for the actions they take on the web applications through their pseudonymous association with them. Impersonation of others is easily discovered. The SPs are set free from the identity management of their users, decreasing their maintenance costs and the costs due to users' misbehavior.

We believe that the GlobaliD framework fulfills our initial goal of taking a step further in the digital identity management world by making it more versatile, responsible, trustworthy, integrity- and privacy-safe, anonymous and thus secure.

