Trend in User-Centric Identity Management Technology and its Standards

Sangrae Cho (sangrae@etri.re.kr), Digital ID Security Research Team, ETRI

ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
International Telecommunication Union, Geneva, 9(pm)-10 February 2009

Page 2: Contents

1. Introduction
2. User-Centric IdM Technology
3. Digital Identity Wallet
4. Conclusion

Page 3: Introduction

Page 4: Identity Definition

Identity:
The attributes by which an entity is described, recognized or known (ITU-T)
The fundamental concept of uniquely identifying an object (person, computer, etc.) within a context (OpenGroup)
A set of claims made by one party about another party; claims are typically conveyed in signed security tokens (Microsoft)
The essence of an entity; one's identity is often described by one's characteristics, among which may be any number of identifiers (Liberty & OASIS)

Source: ITU-T Report on the Definition of the Term "Identity", 2008

Page 5: Identity Management

Identity Management: infrastructure that supports authentication, authorization, audit and the identity lifecycle, including creation, update and termination of identities.

Architecture Template for IdM (Source: Burton Group 2006), identity lifecycle:
Accounts & Policies
Registration/Creation
Propagation
Maintenance/Management
Termination

Page 6: Purpose of IdM

More personal identities as web services multiply: improve usability. 27 websites joined, 7.5 accounts on average in Korea [Digital News, '05.2.23]

IdM is required across organizational domains as business relationships diversify: increase efficiency and productivity. Growing demand for SSO, EAM and IAM, moving from the intranet to the Internet [DigitalIDWorld Newsletter, '05.3.31]

Growing requirements for personalized services: create new IT services and protect personal privacy. Privacy protection is needed when new services are provided in Web 2.0 [ZDNet, '06.12]

Page 7: User-Centric IdM Technology

Page 8: Evolution of IdM

[Figure: IdM evolves from Silo to Centralized, Federated and User-Centric ('08 to present). The subject of IdM shifts from domain-centric (system) to user-centric (human), and identity interchange from unidirectional to bidirectional.]

User-Centric: the user is in the middle of a data transaction and the data always flows through the user's identity agent. This gives the user control of his identity.

Page 9: User-Centric Identity Concept

User consent: the user can always allow or deny the release of information about them (reactive consent management).

User control: the user has the ability to policy-control all exchanges of identity information (proactive consent management); the user delegates decisions to identity agents controlled through policy.

User-centered: the core subset of the previous two, "people in the protocol"; the user is actively involved in information disclosure policy decisions at run time.

Source: OASIS, The Core Concept of Identity 2.0
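The three consent concepts above, as an added example that is not part of the presentation: a small identity agent (the user's wallet) that applies a per-site policy the user configured in advance (proactive consent), asks the user at run time for any attribute the policy does not decide (reactive consent) and remembers the answer, so the user stays in the loop on disclosure decisions. Site names, attribute names, the profile values, the policy structure and the `ask_user` callback are all constructed for illustration.

```python
"""Consent-managed attribute release by a user's identity agent.

Added example, not code from the presentation. Models the slide's three
concepts: proactive policy control, reactive run-time consent, and the
user being involved in disclosure decisions. All names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed user profile held by the identity agent (the wallet).
PROFILE: Dict[str, str] = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "birthdate": "1980-01-01",
    "national_id": "CONSTRUCTED-ID-VALUE",
}


@dataclass
class Policy:
    """Proactive consent: decisions the user configured ahead of time."""
    allow: Dict[str, Set[str]] = field(default_factory=dict)   # site -> attrs
    deny: Dict[str, Set[str]] = field(default_factory=dict)    # site -> attrs
    # Attributes the wallet never releases to any site, regardless of prompts.
    never_release: Set[str] = field(default_factory=lambda: {"national_id"})


@dataclass
class Decision:
    released: Dict[str, str]   # attributes actually handed to the site
    refused: List[str]         # attributes withheld (policy, unknown, or user said no)
    prompted: List[str]        # attributes the user was asked about at run time


def release_attributes(site: str, requested: List[str], policy: Policy,
                       profile: Dict[str, str],
                       ask_user: Callable[[str, str], bool]) -> Decision:
    """Decide which requested attributes flow from the wallet to `site`.

    ask_user(site, attr) -> bool is the reactive-consent hook: it is called
    only for attributes the proactive policy does not already decide, and the
    answer is written back into the policy so the user is not asked twice.
    """
    released: Dict[str, str] = {}
    refused: List[str] = []
    prompted: List[str] = []
    for attr in requested:
        # Unknown attributes and hard-blocked ones are refused without a prompt.
        if attr not in profile or attr in policy.never_release:
            refused.append(attr)
            continue
        if attr in policy.deny.get(site, set()):
            refused.append(attr)
        elif attr in policy.allow.get(site, set()):
            released[attr] = profile[attr]
        else:
            # Policy is silent: the user decides at run time (reactive consent).
            prompted.append(attr)
            if ask_user(site, attr):
                released[attr] = profile[attr]
                policy.allow.setdefault(site, set()).add(attr)
            else:
                refused.append(attr)
                policy.deny.setdefault(site, set()).add(attr)
    return Decision(released, refused, prompted)


if __name__ == "__main__":
    policy = Policy(allow={"shop.example": {"name"}})
    # Constructed run-time answer: the user approves only "email".
    decision = release_attributes(
        "shop.example", ["name", "email", "birthdate", "national_id"],
        policy, PROFILE, ask_user=lambda site, attr: attr == "email")
    print("released:", sorted(decision.released))
    print("refused:", decision.refused)
    print("prompted:", decision.prompted)
```

The relying site only ever sees what the user, directly or through policy, chose to release; `never_release` is the wallet's equivalent of the slide's point that the user, not the site, controls sensitive identifiers.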

Page 10: Main User-Centric IdM Technology

User-centric characteristics in each technology:
Liberty Alliance: permission-based attribute exchange
OpenID: URL-based user identifier; the user selects his IdP
CardSpace: the user selects his IdP using the Identity Selector

Page 11: Trend in Standardization

[Figure: Current View of IdM Landscape]

Source: Report on Identity Management Use Cases and Gap Analysis, ITU-T FG IdM

Page 12: Ongoing Standard Projects in ITU-T SG17

X.1250 (X.idmreq): Capabilities for global identity management trust and interoperability
Requirements for global interoperability among IdM systems
Currently in TAP after being re-determined in September 2008

X.1251 (X.idif): A Framework for User Control of Digital Identity
User-control-enhanced digital identity interchange framework
Currently in TAP after being determined in September 2008

X.idm-dm: Common Identity Data Model
Develop a common identity data model to express identity information between IdM systems

Page 13: X.1251 (X.idif) - Framework

[Figure: X.1251 framework architecture. Layers shown: Communication Layer (Internet, Wireless, Mobile Comm.), Application Layer (Web Application Server 1 and 2, Identity Web Server 1 and 2) and Identity Interchange Layer. Functional blocks shown: Identity Sync Mgt., Identity Interchange, Digital Contract Mgt., Authentication, Authorization, Privacy Protection, User Identity Mgt., Credential Mgt., Token Transformer, Identity Token, Identity Interchange Service, User Interface Manager and Digital Identity Client.]

Page 14: Ongoing Standard Projects in ITU-T

NGN Identity Management: SG13 Q15 (NGN Security) is responsible
Developing standards based on the results of the IdM Focus Group

Y.ngnIdMuse: NGN identity management use cases
Study of use cases when IdM is applied in the NGN environment

Y.ngnIdMreq: NGN identity management requirements
IdM requirements in NGN

Y.idmFramework: NGN identity management framework
Global interoperability framework among IdM systems in NGN

Page 15: Ongoing Standard Projects in ISO

Identity Management & Privacy Standards in ISO/IEC JTC1 SC27 WG5

ITU-T / ISO Joint Workshop on identity management, Lucerne, Sept. 2007

WGs within ISO/IEC JTC1/SC27 (IT Security Technologies):
A Framework for Identity Management (ISO/IEC 24760, WD)
A Privacy Framework (ISO/IEC 29100, CD)
A Privacy Reference Architecture (ISO/IEC 29101, WD)
Entity Authentication Assurance (ISO/IEC 29115, WD)
A Framework for Access Management (ISO/IEC 29146, WD)

Page 16: The Identity Landscape

[Figure: The Identity Landscape 2006, reconstructed from Johannes Ernst, CEO of NetMesh, by the Digital ID Security Research Team, ETRI. Digital identity approaches: URL-based (OpenID), Invisible (SAML/Liberty), Card-based (WS-Trust). User-centric: Convenience + Trust + Privacy Protection + Identity Interchange.]

"Increase in the interest of User-Centric IdM technology and collaborations between technologies"

"MS announces support for OpenID." CardSpace supports OpenID; plan to support interoperability with CardSpace in OpenID ('07.02)

"ETRI, research collaboration with MS for Digital ID Wallet" ('07.05)

Page 17: Digital Identity Wallet

Page 18: User Requirements

Cumbersome to type in personal information every time I join a website; especially worrying to enter a national resident number
Inconvenient to log in to use a web service, and harder when the mobile web is used on a mobile phone
Not secure to enter ID/password in public places
Need a secure way to identify phishing sites
Hard to remember which websites I have joined
Not easy to update personal information when it changes
Hard to move my information from site A to site B for better services

Page 19: Overview

What is Digital Identity Wallet?
A digital wallet that helps users easily use and securely keep their personal identity and authentication information distributed in cyberspace; the Digital Identity Wallet is just like the real wallet we use in daily life to keep ID cards and cash
A system where users have control over the disclosure of their personal information by deciding whether or not to provide data; unwanted disclosure or misuse of personal data can be prevented

Main functions of Digital Identity Wallet:
Site registration and authentication
Identity share and synchronization
User privacy protection
Mobile Digital Identity Wallet

[Figure: Secure Internet usage with Digital Identity Wallet. The wallet holds personal data, authentication information, identity verification data, payment history, link data and website registration information. An identity verification organization issues identity verification data, a payment organization issues payment information and a privacy protection server provides backup, roaming and consistency. Websites A to D and an Internet shopping mall take part in input of personal data, registration and login, purchase and payment, data share and issue of link data.]

Page 20: Services

Site registration service:
Phishing site avoidance
One-click site registration
Registered site management

Identity authentication & verification service:
Replacement of national resident no. for ID verification
Support of various authentication methods
One-click mobile authentication

Share and synchronization service:
Secure identity sharing between sites
Automatic synchronization of updated personal data
Personalized mash-up service

Other applications:
Credit card and point card utilization and reference
Connection with the cyber world
Authentication on the web interoperating with home devices

Page 21: Supports for various authentication

[Figure: support for various authentication methods]

Page 22: Use Case for Identity Interchange

[Figure: Personal Finance Management Service. The Digital Identity Wallet collects financial info from a bank (savings, loans info), a stock service (stock info) and a real estate service (estate info) and passes it to a financial management service.]

Page 23: Conclusion

User-centric IdM is an essential technology: convenience, privacy-aware security for the user, convergence between IdM technologies

Full user control: provide the user with full power to control his identity; enhance privacy

Efficient identity interchange: scalability, independence, seamless

Page 24: Thank You! Q & A