Identity Management

Faysal Boukayoua

Transcript of Identity Management

What is identity?

... How much time do we have?

What is digital identity?

ITU X.1250 standard: "The representation of an entity in the form of one or more information elements which allow the entity to be sufficiently distinguished within context"

Entities and contexts

Entity: human or machine

Type of communication, and the contexts it occurs in:

Human to human (analog world):

• Family

• Circles of friends

• Leisure clubs

• Civil society movements

• ...

Human to machine (digitised services):

• Tax e-filing

• Banking

• Vending machines with age verification

• Social networking sites

Machine to machine:

• Internet of (smart) Things (IoT)

• Server-to-server communication

• …

Partial identity

• Political views

• Ethnicity

• Religious identity

• Gender identity

• Involvement in civil society

• Medical information

• Philosophical views

• Career trajectory

• Social links

• Hobbies

• Online surfing behaviour

• …

Partial identity vs. context

Which partial identity is revealed in which context shapes the notion of privacy.

Digital trust

Access control and confidentiality rely on determining (part of) the digital identity.

Determining the digital identity depends on having reliable assertions.

Having reliable assertions requires a trusted asserting entity.

Assertions of trust about each unknown asserter are required, until a known trusted link (an individual or organisation) is reached.

Trust is enforced online, but typically originates offline.

Trust is not necessarily bilateral.

Making trust scalable has been a challenge ever since the advent of digital services.

Digital trust models: transitive trust

• "If A trusts B, and B trusts C, then A trusts C"

• Centralised: every chain leads back to an anchor the verifier trusts directly

• Examples (diagrams on the slide): organisational trust, browser trust (the chain from a browser's trusted root CA down to a site certificate)

Digital trust models: social trust

• Decentralised

• Typically humans online

• Criteria:

o How much do I trust an entity (as an introducer of others)?

o Social distance (~degrees of separation)

o How many people have corroborated the trustworthiness of an entity?

• For instance: PGP (web of trust)
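To make the two models concrete, here is an added example (not code from the slides) that evaluates both over one constructed certification graph: a browser-style chain from a root CA to a site certificate for the transitive model, and a PGP-style web of trust for the social model, using GnuPG's default thresholds (one fully trusted signer or three marginally trusted ones, at most five certification hops). All entity names, certifications and owner-trust levels are constructed assumptions.

```python
"""Toy evaluator for the two trust models on the slides: transitive (centralised,
chain-to-anchor) trust and PGP-style social (decentralised, web-of-trust) trust.
Added illustration, not code from the slides; every entity, certification and
owner-trust level below is constructed sample data."""
from collections import deque

# Constructed certification graph: signer -> entities whose identity the signer vouches for.
# RootCA/IntermediateCA/shop.example form a browser-style hierarchy; the rest is a web of trust.
CERTIFICATIONS = {
    "RootCA": ["IntermediateCA"],
    "IntermediateCA": ["shop.example"],
    "alice": ["bob", "carol"],
    "bob": ["dave"],
    "carol": ["dave"],
    "erin": ["dave", "frank"],
}

# Constructed owner trust as seen from alice's keyring: how much alice trusts each
# entity *as an introducer* of others (the "how much do I trust an entity?" criterion).
OWNER_TRUST = {"alice": "ultimate", "bob": "marginal", "carol": "marginal", "erin": "marginal"}


def transitive_chain(anchor, target, certs=CERTIFICATIONS, max_depth=5):
    """Transitive model: 'if A trusts B and B trusts C, then A trusts C'. Breadth-first
    search for a certification path from a directly trusted anchor to the target; returns
    the path, or None when no chain of at most max_depth hops exists."""
    queue = deque([(anchor, [anchor])])
    seen = {anchor}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if len(path) - 1 >= max_depth:   # hops used so far; do not extend further
            continue
        for nxt in certs.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def web_of_trust_validity(owner_trust, certs=CERTIFICATIONS,
                          marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Social model (PGP web of trust, with GnuPG's default thresholds): an identity is
    valid when it is certified by enough *already valid* signers whose owners I trust,
    either completes_needed 'full'/'ultimate' signers or marginals_needed 'marginal'
    signers, within max_cert_depth degrees of separation. Returns {entity: depth}."""
    valid = {e: 0 for e, t in owner_trust.items() if t == "ultimate"}
    signers_of = {}                       # invert the graph: subject -> set of signers
    for signer, subjects in certs.items():
        for subject in subjects:
            signers_of.setdefault(subject, set()).add(signer)
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for entity, signers in signers_of.items():
            if entity in valid:
                continue
            full = sum(1 for s in signers
                       if s in valid and owner_trust.get(s) in ("full", "ultimate"))
            marginal = sum(1 for s in signers
                           if s in valid and owner_trust.get(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[entity] = depth     # corroboration threshold met at this distance
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


if __name__ == "__main__":
    print("browser-style chain:", transitive_chain("RootCA", "shop.example"))
    print("valid in alice's web of trust:", web_of_trust_validity(OWNER_TRUST))
    print("with only 2 marginals needed:", web_of_trust_validity(OWNER_TRUST, marginals_needed=2))
```

Two things the run makes visible that the bullets only state: dave is certified by three people, but erin is not herself reachable from a known trusted link, so her certification does not count and dave stays invalid under the default threshold; and the same graph gives a different answer from a different keyring, because social trust is computed per observer rather than from one central anchor.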

What is identity management?

Components: administration; management and maintenance; communication and discovery; correlation and binding; policy enforcement; authentication and assertion.

• Assurance of identity information (credentials, identifiers, attributes, …) of an entity (individuals, groups, devices, service providers)

• Enabling business and security applications

Identity management: actors

User

• Wants ubiquitous Web services

• Concerned about security and privacy

• Personalisation for convenience

Relying party

• Google, Facebook, …

• Offers a service

• Attribute-based personalisation and access control

• Incentives: revenue and legal

Identity provider

• Provides reliable user information

• Issues trusted assertions

Identity management: trust

Identity management: the old days (figure): three organisations (University A, Library B, University C) each run their own user administration, credentials, authentication and authorisation for every resource they offer (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); a user holds separate credentials per organisation.

Identity management: now (figure): the same organisations and resources, with an AAI (authentication and authorisation infrastructure) in between: user administration, credentials and authentication are handled once through the AAI, while authorisation stays with each resource.

Privacy and user-centricity

Anonymity level:

o identifiability

o pseudonymity (global, or per service)

o anonymity

User control:

o consent

o selective attribute disclosure

Privacy and user-centricity

Network-based identity management

1. Request service

2. Authenticate at RP

3. Return token

Privacy and user-centricity

Claim-based identity management

1. Request service

2. Send policy

3. Supply claims
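The three-step claim-based exchange, together with the consent and selective-disclosure controls from the previous slide, as an added example (not code from the slides): the identity provider signs each attribute separately, the relying party answers a service request with its claim policy, the user agent discloses only the claims that policy requires (plus optional ones the user consented to), and the relying party verifies what it receives. The identity provider name, the MAC key shared between identity provider and relying party (standing in for a signature), the service policy and all attribute values are constructed assumptions.

```python
"""Claim-based identity management exchange (request service, receive policy, supply
claims) with minimal, selective attribute disclosure. Added illustration, not code from
the slides. The identity provider name, the MAC key it shares with the relying party,
the service policy and all attribute values are constructed assumptions."""
import hashlib
import hmac
import json

IDP_NAME = "idp.example"                 # constructed identity-provider name
IDP_KEY = b"constructed-shared-mac-key"  # assumption: IdP and RP share this key out of band

# Constructed relying-party policy: which claims a service needs, which it would like,
# and which identity providers it accepts assertions from.
RP_POLICIES = {
    "age-restricted-shop": {"required": ["age_over_18"], "optional": ["email"],
                            "issuers": [IDP_NAME]},
}


def _claim_tag(issuer, name, value, key):
    """MAC over exactly (issuer, name, value); stands in for the IdP's signature."""
    payload = json.dumps([issuer, name, value], sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_claims(attributes, issuer=IDP_NAME, key=IDP_KEY):
    """Identity provider: sign every attribute separately, so the user can later hand
    any subset to a relying party without the rest becoming visible or unverifiable."""
    return [{"issuer": issuer, "name": n, "value": v, "tag": _claim_tag(issuer, n, v, key)}
            for n, v in attributes.items()]


def rp_send_policy(service):
    """Steps 1-2: the user requests a service and the RP answers with its claim policy."""
    return RP_POLICIES[service]


def user_select_claims(wallet, policy, consent_optional=()):
    """Step 3, user side: minimal disclosure for constrained use. Supply only the required
    claims, plus optional ones the user explicitly consented to, and only from issuers the
    RP accepts. Fail instead of leaking unrelated attributes when a requirement is unmet."""
    wanted = set(policy["required"]) | (set(policy["optional"]) & set(consent_optional))
    chosen = [c for c in wallet if c["name"] in wanted and c["issuer"] in policy["issuers"]]
    missing = set(policy["required"]) - {c["name"] for c in chosen}
    if missing:
        raise LookupError(f"cannot satisfy policy, missing claims: {sorted(missing)}")
    return chosen


def rp_verify_claims(policy, claims, issuer_keys=None):
    """Step 3, RP side: accept only trusted issuers, drop claims it never asked for (data
    minimisation on the RP side too), check each MAC, and confirm all required claims
    are present. Returns (True, verified claims) or (False, reason)."""
    issuer_keys = issuer_keys or {IDP_NAME: IDP_KEY}
    verified = {}
    for c in claims:
        if c["issuer"] not in policy["issuers"] or c["issuer"] not in issuer_keys:
            return False, f"issuer not trusted: {c['issuer']}"
        if c["name"] not in policy["required"] + policy["optional"]:
            continue                      # unsolicited claim: do not store or act on it
        expected = _claim_tag(c["issuer"], c["name"], c["value"], issuer_keys[c["issuer"]])
        if not hmac.compare_digest(expected, c["tag"]):
            return False, f"bad signature on claim: {c['name']}"
        verified[c["name"]] = c["value"]
    missing = [n for n in policy["required"] if n not in verified]
    if missing:
        return False, f"required claims missing: {missing}"
    return True, verified


def demo(consent_optional=()):
    """Full exchange on a constructed wallet; returns (names disclosed, ok, RP result)."""
    wallet = issue_claims({"name": "Alice Example", "birthdate": "1990-01-01",
                           "age_over_18": True, "email": "alice@example.org",
                           "nationality": "BE"})
    policy = rp_send_policy("age-restricted-shop")
    disclosed = user_select_claims(wallet, policy, consent_optional)
    ok, result = rp_verify_claims(policy, disclosed)
    return [c["name"] for c in disclosed], ok, result


if __name__ == "__main__":
    print(demo())
    print(demo(consent_optional=["email"]))
```

The point of signing each claim on its own is what makes selective disclosure work: the wallet holds name, birthdate, nationality and more, yet the shop only ever sees the age_over_18 claim, and a claim whose value has been altered after issuance fails verification. In a real deployment the MAC would be a public-key signature (or a selective-disclosure credential scheme), so that the relying party can verify claims without holding a key that could also forge them.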

Privacy: 7 laws of identity (Kim Cameron)

1. User control and consent

2. Minimal disclosure for constrained use

3. Justifiable parties

4. Directed identity

5. Pluralism of operators and technologies

6. Human integration

7. Consistent experience across contexts