Post on 27-Sep-2020
The Identity Management Ecosystem: minding the gaps
Tony Rutkowski, VP – Regulatory-Standards, VeriSign, mailto:trutkowski@verisign.com
Editor: ITU-T SG17 draft Rec. X.IdM
Distinguished Senior Research Fellow, Center for International Strategy Technology and Policy, Georgia Institute of Technology
Workshop on Identity Management, Trondheim, Norway, 8-9 May 2007
V. 1.3
Summary
- Identity Management (IdM) is treated quite differently among the many different "stovepiped" communities of network operators, service providers, and users
- Initiatives underway in the ITU-T and critical infrastructure venues are aimed at implementing trusted means to bridge the gaps among these different platforms (the framework) by encouraging collaboration and a common global framework of capabilities, especially discovery and trusted interoperability
- This global framework is increasingly essential for an array of government, industry, and consumer needs
- Initial success is being achieved with an Identity Provider oriented model and open identity protocols
Identity Management Ecosystem - Expansive

[Figure: the identity management ecosystem, clustered as Object-Identifier Centric, Broad IdM Centric, Discovery Centric, Attribute Centric, Mobile Operator Centric, Project Centric, Network Operator Centric, Authentication Centric, App Service Provider Centric and User Centric. Bodies and initiatives shown: ITU-T JCA-NID, Yadis, IBM Higgins, OID/OHN, EPC ONS, OpenID, OSGi, Liberty WSF, ISO SC27 WG5, OASIS SAML, ETSI TISPAN, Microsoft CardSpace, Oracle IGF, ITU/IETF E.164 ENUM, OASIS XACML, ETSI LI-RDH, CNRI handles, ITU-T SG13, ITU-T SG17, ITU-T FG IdM, Identity Metasystem, NIST FIPS 201 WS, Federation SXIP, FIDIS Daidalos, Modinis, SourceID, XDI.ORG, VIP/PIP CoSign, IETF OCSP, Pubcookie Passel, ANSI IDSP, ANSI HSSP, ITU-T SG4, Open Group IMF, Parlay PAM, 3GPP IMS, 3GPP GBA, OMA RD-IMF, OASIS SPML, Eclipse, Shibboleth, IETF IRIS, ITU-IETF LDAP, ITU X.500, ITU E.115v2, ZKP, MAGNET, ETSI IdM STF, ETSI UCI, OASIS XRI, CNRI DOI, UID, W3C/IETF URI, ANSI Z39.50, NetMesh LID, TCG, ITU-T SG2, ITU-T SG11, ITU-T SG16, Liberty I*.]
Identity Management Ecosystem – Diverse
- Users seek capabilities to allow user control of personal identifiers, roles and privacy attributes
- Network operators seek capabilities that maximize and protect network assets
- Application service providers seek capabilities that maximize and protect application assets
Identity Management begins with entities

Entities:
- Legal Persons: especially public Network Operators and Service Providers, including Identity Providers
- Real Persons
- Objects / Devices: includes terminals, network elements, cards, intellectual property, agents, RFIDs, sensors, control devices (these are emerging as dominant network end-users)
Identity Management Basic Capabilities

Capabilities by which an entity is described, recognized or known. Entities have:
- Identifiers. Physical: passport #. Network: e-mail address
- Credentials. Physical: passport. Network: digital certificate
- Identifier information, attributes and bindings. Physical: name, place/date of birth, visas, … Network: contact info, location, permissions, …
- Identity patterns and reputation. Physical: passport stamps. Network: web search, logs, blacklists
Identity Management Framework Essentials

The identity capabilities of an entity (identifiers; credentials; identifier information, attributes and bindings; identity patterns and reputation) must be:
- Discoverable: the ability to locate authoritative, relevant identity capabilities
- Queryable with trust: a trusted ability to query identity capabilities with some degree of assurance in the response

Challenge: global discovery capabilities are rapidly diminishing
Challenge: global query capabilities and assurance metrics are diminishing
A common global Identity Management framework
- Not a new need: it was realized and undertaken 25 years ago in the Open Systems Interconnection initiatives, which is where digital certificates and open network management code emerged
- The current framework is newly driven by a growing realization among critical infrastructure protection communities of the vulnerabilities of today's ubiquitous nomadic use of public IP-enabled network infrastructures, and by an array of other significant government, consumer, and industry needs
- The objective: a trusted ability to manage ICT credentials, assigned identifiers, attribute information and reputation/patterns; the ability to exchange trust level information; accommodation of platform diversity, autonomy, and constant evolution
Existing government, industry, & consumer requirements for Identity Management

Business needs
- Network interoperability
- Roaming
- Fraud, identity theft, and distribution management
- Intercarrier compensation

Critical Infrastructure protection; NS/EP
- Public network infrastructure protection
- Incident response
- Priority access during emergencies
- Services restoration after emergencies

Public Safety
- Citizen emergency calls/messages
- Authority emergency alert messages

Assistance to lawful authority
- Lawful Interception
- Retained Data
- Cybercrime forensics
- Anonymity

Identifier resource management
- Identifier/numbering allocation
- Administrative requirements
- Number portability; unbundling

Consumer needs
- Universal service; social good funding
- Preventing unwanted intrusions
  - DoNotCall
  - CallerID
  - Prevention of SPAM
  - Anti-CyberStalking
  - Anti-CyberPredators
- User CPNI protection and privacy
  - Transparency
  - Use controls
  - Notice
- Anonymity
- Prevention of identity theft; repudiation
- Disability assistance

Digital rights management

Legal liability; discovery; evidence
Privacy enhancement
- Trusted Identity Management platforms significantly enhance privacy and CPNI (personal and use information) protection by
  - enabling authentication of the parties that possess and access user information
  - enabling audits
- A significant identified "gap" is notice and transparency to users; solutions lie in enabling
  - users to receive standard, understandable personal information management notices
  - users to specify how their personal information may be used
Initial results: an Identity Provider model and open protocols

[Figure: an Initiating Entity presents an identity assertion to a Relying Party (Provider); the Relying Party sends query(ies) to identity resources at one or more Identity Providers; Auditing produces a timestamped record of the query; the Relying Party then grants access or service.]
- Introduce the concept of discoverable Identity Providers
- Platform-independent query-response options depending on the level of desired trust
- Trust and privacy protection enhanced through auditing

OpenID as a competition-enhancing, unbundled, open IdM enabling protocol
- Enables the Identity Provider model
- Allows trust to be assessed at various stages of the flows
- Allows for, but does not require, pre-existing relationships between Identity Providers and Relying Parties
- Low deployment cost
openid.net example flow

[Figure: Initiating Entity (amr@verisign), Relying Party "dude" (Provider), OpenID Identity Provider(s), Auditing]
1. Initiating Entity to Relying Party: "hey dude, I'm using OpenID identifier amr@verisign"
2. Relying Party: "OK, we support OpenID, will verify"
3. Relying Party to Identity Provider: query(ies) to verify amr@verisign is OK
4. Identity Provider to Relying Party: "amr@verisign is OK"
5. Identity Provider to Auditing: "Dude queried amr@verisign at [time]"; Auditing: "Audit recorded at [time]"
6. Relying Party to Initiating Entity: "Here's your service"
7. Initiating Entity: "thanks dude"
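The exchange above, as an added example that is not part of the original presentation and does not reproduce the OpenID wire format: a Python simulation of the three parties (Initiating Entity, Relying Party, Identity Provider) plus the audit log, showing where trust is actually established at each stage of the flow. The host names alice.example.net, idp.example.net and rp.example.com and the discovery table are constructed for the example; an HMAC-SHA256 signature over a directly handed-over association key stands in for OpenID's Diffie-Hellman association and signed positive assertion; the 300-second acceptance window is an assumed policy. The demo also runs the failure cases a Relying Party must reject (unknown identifier, tampered assertion, replayed assertion, stale assertion).

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field, replace

# Constructed discovery table (which Identity Provider is authoritative for an
# identifier). Real OpenID learns this by discovery on the identifier; it is a
# fixed dict here so the example runs offline.
DISCOVERY_TABLE = {"alice.example.net": "idp.example.net"}
MAX_ASSERTION_AGE = 300  # seconds an assertion stays acceptable (assumed policy)


@dataclass
class AuditLog:
    """Timestamped records written by both the Identity Provider and Relying Party."""
    records: list = field(default_factory=list)

    def record(self, actor: str, event: str, now: float) -> None:
        self.records.append((now, actor, event))


@dataclass(frozen=True)
class Assertion:
    identifier: str
    relying_party: str
    nonce: str
    issued_at: float
    signature: str


def _mac(key: bytes, identifier: str, rp: str, nonce: str, issued_at: float) -> str:
    # Canonical byte string covering every field the Relying Party relies on.
    msg = f"{identifier}\n{rp}\n{nonce}\n{issued_at:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, name: str, audit: AuditLog):
        self.name, self.audit = name, audit
        self.users: set = set()
        self.associations: dict = {}  # Relying Party name -> shared MAC key

    def associate(self, rp_name: str) -> bytes:
        # Simplification: OpenID derives this key with a Diffie-Hellman
        # association exchange; here it is generated and handed over directly.
        key = secrets.token_bytes(32)
        self.associations[rp_name] = key
        return key

    def issue_assertion(self, identifier: str, rp_name: str, now: float) -> Assertion:
        if identifier not in self.users:
            raise LookupError(f"{identifier} is not served by {self.name}")
        nonce = secrets.token_hex(16)  # fresh per assertion, lets the RP detect replay
        sig = _mac(self.associations[rp_name], identifier, rp_name, nonce, now)
        self.audit.record(self.name, f"{rp_name} queried {identifier}", now)
        return Assertion(identifier, rp_name, nonce, now, sig)


class RelyingParty:
    def __init__(self, name: str, audit: AuditLog):
        self.name, self.audit = name, audit
        self.keys: dict = {}          # Identity Provider name -> shared MAC key
        self.seen_nonces: set = set()

    def accept(self, a: Assertion, idp_name: str, now: float) -> tuple:
        key = self.keys.get(idp_name)
        if key is None:
            return False, "no association with that Identity Provider"
        expected = _mac(key, a.identifier, a.relying_party, a.nonce, a.issued_at)
        if not hmac.compare_digest(expected, a.signature):
            return False, "bad signature"
        if a.relying_party != self.name:
            return False, "assertion was issued for a different Relying Party"
        if not 0 <= now - a.issued_at <= MAX_ASSERTION_AGE:
            return False, "assertion expired or from the future"
        if a.nonce in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(a.nonce)
        self.audit.record(self.name, f"accepted {a.identifier} from {idp_name}", now)
        return True, "access granted"


def login(identifier: str, rp: RelyingParty, idps: dict, now: float) -> tuple:
    """The slide's flow: the user claims an identifier, the RP discovers and queries the IdP."""
    idp_name = DISCOVERY_TABLE.get(identifier)
    if idp_name is None:
        return False, "no authoritative Identity Provider discovered"
    idp = idps[idp_name]
    if idp_name not in rp.keys:  # no pre-existing relationship is required
        rp.keys[idp_name] = idp.associate(rp.name)
    return rp.accept(idp.issue_assertion(identifier, rp.name, now), idp_name, now)


def demo() -> dict:
    audit = AuditLog()
    idp = IdentityProvider("idp.example.net", audit)
    idp.users.add("alice.example.net")
    rp = RelyingParty("rp.example.com", audit)
    idps = {idp.name: idp}
    now = 1_700_000_000.0  # fixed clock keeps the run deterministic
    results = {"valid": login("alice.example.net", rp, idps, now)[0]}
    results["unknown"] = login("bob.example.net", rp, idps, now)[0]
    good = idp.issue_assertion("alice.example.net", rp.name, now)
    forged = replace(good, identifier="mallory.example.net")
    results["tampered"] = rp.accept(forged, idp.name, now)[0]
    rp.accept(good, idp.name, now)                             # first, legitimate use
    results["replayed"] = rp.accept(good, idp.name, now)[0]   # same assertion again
    late = idp.issue_assertion("alice.example.net", rp.name, now)
    results["stale"] = rp.accept(late, idp.name, now + 600)[0]
    results["audit_records"] = len(audit.records)
    return results


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The audit log is written on both sides of the query, which is the property the slide's "Dude queried amr@verisign at [time]" record is after: the Identity Provider can show who asked about an identifier and when, and the Relying Party can show which assertions it acted on. Signature, audience, freshness and nonce checks are the stages at which the Relying Party decides how much to trust the response before granting service.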
The Identity Management Focus Group: bringing the ecosystem together to find common ground

[Timeline 2007-2008: the ITU-T Identity Management Focus Group was created in Geneva, 13-16 Feb 2007, with meetings in Geneva 23-25 Apr, Mountain View 17-18 May, Tokyo 18-20 Jul, and Geneva in Sep; its outputs feed the ITU-T SG13 Q.15 Rec. Y.IdMsec draft group, the ITU-T SG17 Q.6 X.Idmf draft group, and ISO SC27.]
Next steps going forward
- Continued outreach and consensus building on needed IdM global framework capabilities and "gaps"
- Watch and participate in the ITU-T IdM Focus Group; see the informal Wiki <www.ituwiki.com> and the formal ITU site <www.itu.int/ITU-T/studygroups/com17/fgidm/index.html>. Reports produced in Sep 2007, possible continuance
- Specifications introduced in standards bodies: X.IdM in ITU-T SG17 Q.6 (Cybersecurity); Y.IdMsec in ITU-T SG13 Q.15 (NGN Security); report in ISO/SC27 (Security Techniques); many others
- Implementation and evolution by industry of capabilities
- Recognition and closing of IdM "regulatory gaps" through any necessary requirements at national and international levels, especially
  - Discovery and trust/accuracy are essential
  - National Critical Infrastructure Protection, NS/EP, and Cybersecurity requirements
  - Implementation of new treaty instruments like the Cybercrime Convention and ITU Plenipotentiary resolutions