International Telecommunication Union
Geneva, 9(pm)-10 February 2009
Trend in User-Centric Identity Management Technology and its Standards
Sangrae Cho ([email protected]), Digital ID Security Research Team, ETRI
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Contents
1. Introduction
2. User-Centric IdM Technology
3. Digital Identity Wallet
4. Conclusion
Introduction
Identity Definition
Identity:
The attributes by which an entity is described, recognized or known (ITU-T)
The fundamental concept of uniquely identifying an object (person, computer, etc.) within a context (Open Group)
A set of claims made by one party about another party; claims are typically conveyed in signed security tokens (Microsoft)
The essence of an entity; one's identity is often described by one's characteristics, among which may be any number of identifiers (Liberty & OASIS)
Source: ITU-T Report on the Definition of the Term "Identity", 2008
Identity Management
Architecture Template for IdM (Source: Burton Group 2006):
Accounts & Policies
Registration/Creation
Propagation
Maintenance/Management
Termination
Identity management is the infrastructure that supports authentication, authorization, audit and the identity lifecycle, including creation, update and termination of identities.
Purpose of IdM
Growth in personal identities as web services multiply: improve usability (in Korea a user joins 27 websites and holds 7.5 accounts on average [Digital News, '05.2.23])
IdM requirements across inter-domain organizations as business relationships diversify: increase efficiency and productivity; growing demand for SSO, EAM and IAM, moving from intranet to Internet [DigitalIDWorld Newsletter, '05.3.31]
Increase in personalized service requirements: create new IT services while increasing personal privacy; privacy protection is needed when new services are provided in Web 2.0 [ZDNet, '06.12]
User-Centric IdM Technology
Evolution of IdM
[Figure: evolution of IdM from Silo to Centralized to Federated to User-Centric ('08 to present). The subject of IdM shifts from domain-centric (system) to user-centric (human), and identity interchange shifts from unidirectional to bidirectional.]
User-Centric: the user is in the middle of every data transaction, and the data always flows through the user's identity agent. This gives the user control over his or her identity.
User-Centric Identity Concept
User consent: the user can always allow or deny whether information about them is released (reactive consent management)
User control: the user can policy-control all exchanges of identity information (proactive consent management); the user delegates decisions to identity agents controlled through policy
User-centered: the core subset of the previous two, 'people in the protocol'; the user is actively involved in information disclosure policy decisions at run time
Source: OASIS, The Core Concept of Identity 2.0
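An added example, not part of the slides or of any ETRI or OASIS code: a small Python identity agent that sits between a relying party and the user's attributes, so every release passes through the agent and is gated by the three consent styles above (proactive policy, reactive consent at run time, and an audit of what was released or denied). Relying-party names and attribute values are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample of the attributes the user's agent holds.
USER_ATTRIBUTES = {"name": "Alice Example", "email": "alice@example.test",
                   "national_id": "000000-0000000", "age": 34}


@dataclass
class IdentityAgent:
    attributes: Dict[str, object]
    # Proactive consent: per relying party, attributes released without asking.
    policy: Dict[str, Set[str]] = field(default_factory=dict)
    # Reactive consent: callback consulted at run time for anything not pre-approved.
    ask_user: Callable[[str, str], bool] = lambda rp, attr: False
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def release(self, rp: str, requested: List[str]) -> Dict[str, object]:
        """Return only the attributes the user permits this relying party to see.
        Unknown attributes are omitted; every decision is recorded for audit."""
        pre_approved = self.policy.get(rp, set())
        released: Dict[str, object] = {}
        for attr in requested:
            if attr not in self.attributes:
                continue  # nothing to release, nothing to record
            if attr in pre_approved or self.ask_user(rp, attr):
                released[attr] = self.attributes[attr]
                self.audit.append((rp, attr, "released"))
            else:
                self.audit.append((rp, attr, "denied"))
        return released


def demo() -> Tuple[Dict[str, object], List[Tuple[str, str, str]]]:
    # Proactive policy: shop-a may always receive name and email.
    # Reactive consent: the user approves "age" when asked, nothing else.
    answers = {("shop-a", "age"): True}
    agent = IdentityAgent(USER_ATTRIBUTES,
                          policy={"shop-a": {"name", "email"}},
                          ask_user=lambda rp, attr: answers.get((rp, attr), False))
    # The relying party over-asks; the agent, not the site, decides what flows.
    got = agent.release("shop-a", ["name", "email", "age", "national_id", "phone"])
    return got, agent.audit


if __name__ == "__main__":
    print(demo())
```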
Main User-Centric IdM Technology
User-centric characteristics in each technology:
Liberty Alliance: permission-based attribute exchange
OpenID: URL-based user identifier; the user selects his or her IdP
CardSpace: the user selects the IdP using the Identity Selector
Trend in Standardization
Current View of the IdM Landscape
Source: Report on Identity Management Use Cases and Gap Analysis, ITU-T FG IdM
Ongoing Standard Projects in ITU-T SG17
X.1250 (X.idmreq): Capabilities for global identity management trust and interoperability; requirements for global interoperability among IdM systems; currently in TAP after re-determination in September 2008
X.1251 (X.idif): A Framework for User Control of Digital Identity; user-control-enhanced digital identity interchange framework; currently in TAP after determination in September 2008
X.idm-dm: Common Identity Data Model; develop a common identity data model to express identity information between IdM systems
X.1251 (X.idif) - Framework
[Figure: X.1251 framework. Communication Layer: Internet, wireless and mobile communication. Identity Interchange Layer: Identity Web Servers 1 and 2, each providing Identity Sync Mgt., Identity Interchange, Digital Contract Mgt., Authentication, Authorization, Privacy Protection and User Identity Mgt. Application Layer: Web Application Servers 1 and 2. Digital Identity Client: Identity Interchange Service, Identity Token, Token Transformer, User Interface Manager, User Identity Mgt. and Credential Mgt.]
Ongoing Standard Projects in ITU-T (NGN)
NGN Identity Management: SG13 Q15 (NGN Security) is responsible, developing standards based on the results of the IdM Focus Group
Y.ngnIdMuse: NGN identity management use cases; studies use cases when IdM is applied in the NGN environment
Y.ngnIdMreq: NGN identity management requirements; IdM requirements in NGN
Y.idmFramework: NGN identity management framework; global interoperability framework among IdM systems in NGN
Ongoing Standard Projects in ISO
Identity Management & Privacy Standards in ISO/IEC JTC1 SC27 WG5
ITU-T / ISO Joint Workshop on identity management, Lucerne, September 2007
WGs within ISO/IEC JTC1/SC27 (IT Security Technologies):
A Framework for Identity Management (ISO/IEC 24760, WD)
A Privacy Framework (ISO/IEC 29100, CD)
A Privacy Reference Architecture (ISO/IEC 29101, WD)
Entity Authentication Assurance (ISO/IEC 29115, WD)
A Framework for Access Management (ISO/IEC 29146, WD)
The Identity Landscape
The Identity Landscape 2006, reconstructed from Johannes Ernst, CEO of NetMesh, by the Digital ID Security Research Team, ETRI
"Increase in the interest in User-Centric IdM technology and collaborations between technologies"
[Figure: the user-centric digital identity landscape spans URL-based (OpenID), invisible (SAML/Liberty) and card-based (WS-Trust) approaches, moving from convenience, to convenience + trust, to convenience + trust + privacy protection + identity interchange.]
"MS announces support for OpenID": CardSpace supports OpenID, and OpenID plans to support interoperability with CardSpace ('07.02)
"ETRI, research collaboration with MS for Digital ID Wallet" ('07.05)
Digital Identity Wallet
User Requirements
It is cumbersome to type in personal information every time I join a website, and especially worrying to enter my national resident number
Logging in to use a web service is inconvenient, and harder still on the mobile web from a mobile phone
Entering an ID and password in public places is not secure
I need a secure way to identify phishing sites
It is hard to remember which websites I have joined
It is not easy to update my personal information when it changes
It is hard to move my information from site A to site B for better services
Overview
What is the Digital Identity Wallet?
A digital wallet that helps users easily use, and securely keep, their personal identity and authentication information distributed across cyberspace; the Digital Identity Wallet is just like the real wallet we use in daily life to keep ID cards and cash
A system in which users control the disclosure of their personal information by deciding whether or not to provide data; unwanted disclosure or misuse of personal data can be prevented
Main functions of the Digital Identity Wallet:
Site registration and authentication
Identity sharing and synchronization
User privacy protection
Mobile Digital Identity Wallet
[Figure: secure Internet usage with the Digital Identity Wallet. The wallet holds personal data, authentication information, identity verification data, payment history, link data and website registration information. An identity verification organization issues identity verification data, a payment organization issues payment information, and websites issue authentication information and link data. The user inputs personal data once and uses the wallet for registration and login at Website A, purchase and payment at an Internet shopping mall, and data sharing between Websites B, C and D. A privacy protection server provides backup, roaming and consistency.]
Services
Site registration service: phishing site avoidance; one-click site registration; registered site management
Identity authentication & verification service: replacement of the national resident number for ID verification; support for various authentication methods; one-click mobile authentication
Share and synchronization service: secure identity sharing between sites; automatic synchronization of updated personal data; personalized mash-up service
Other applications: credit card and point card utilization and reference; connection with the cyber world; authentication on the web interoperating with home devices
Support for Various Authentication Methods
Use Case for Identity Interchange
Personal Finance Management Service
[Figure: the Digital Identity Wallet collects financial information (savings and loans info from the bank, stock info from the stock broker, estate info from real estate) and passes it to a financial management service.]
Conclusion
User-centric IdM is an essential technology: convenience; privacy-aware security for the user; convergence between IdM technologies
Full user control: provide the user with full power to control his or her identity; enhance privacy
Efficient identity interchange: scalability; independence; seamlessness
Thank You!
Q & A