Landscape of Web Identity Management
Upload: fraunhofer-aisec
Category: Technology
Transcript of Landscape of Web Identity Management
[Poster diagram, text recovered from the graphic: "User Empowerment" at the centre]
Use cases: eBusiness, eGovernment, Smart Environments, eHealth, Social & Business Networks, Corporate IdM
Privacy by Design, User-centric Services, Data Protection, Context-awareness, Identity Management, Usable Security
Threats: Identity Theft, Surveillance, Profiling (attacker actions: tamper, deny, misuse, misinform, spy out)
OpenID Connect (based on the OAuth 2.0 protocol) is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. The simplest deployment of OpenID Connect allows clients of all types to request and receive information about identities and currently authenticated sessions. (Implementer's Draft, Feb. 14, 2012)
Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on SAML.
Identity Mixer (idemix) is an anonymous credential system developed at IBM Research that enables strong authentication and privacy at the same time. With Identity Mixer, users can obtain from an issuer a credential containing all the information the issuer is ready to attest about them. When a user later wants to prove to a service provider a statement about her, she employs Identity Mixer to securely transform the issued credential.
Higgins – initiated 2003 – is a framework that enables users and enterprises to integrate identity, profile, and relationship information across multiple systems. Applications can use Higgins to create a unified, virtual view of identity, profile and relationship information. A key focus of Higgins is providing a foundation for new "user-centric identity" and personal information management applications.
Windows CardSpace is Microsoft's client software for the Identity Metasystem (cancelled in Feb. 2011). CardSpace stores references to users' digital identities for them. Resistance to phishing attacks and adherence to Kim Cameron's "7 Laws of Identity" were goals in its design. Windows CardSpace 2.0 was to be extended to use the U-Prove protocol.
U-Prove is a cryptographic technology that enables the issuance and presentation of cryptographically protected claims in a manner that provides multi-party security. The goal is to enable the exchange of verified identity information from sources (Claims Provider), under the user's control (via the U-Prove Agent), to the recipients (Relying Party).
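What the minimal-disclosure property of idemix and U-Prove buys in practice, as an added example that is not part of the poster and is not code from IBM or Microsoft: a user holds a credential certifying three attributes and proves just one of them to a service provider. The construction is deliberately far simpler than either system. Attributes sit behind salted hash commitments, and an HMAC under a key shared between issuer and verifiers stands in for the issuer's public-key signature. It demonstrates selective disclosure, but not the unlinkability that idemix and U-Prove add on top; the last function makes that gap explicit. The attribute names and values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

# Constructed sample credential: three attributes, of which the user later opens only one.
SAMPLE_ATTRIBUTES = {"name": "Alice Example", "birth_year": "1990", "member": "yes"}


def _commit(name: str, value: str, salt: bytes) -> str:
    """Salted hash commitment to one attribute. The salt stops a verifier from brute-forcing
    low-entropy values (a birth year, yes/no) out of a commitment it was not given the opening for."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def _issuer_mac(issuer_key: bytes, commitments: Dict[str, str]) -> str:
    # Stand-in for the issuer's public-key signature over the whole commitment list (assumption of this sketch).
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()


def issue(issuer_key: bytes, attributes: Dict[str, str]) -> dict:
    """Issuer side: certify every attribute, but only through its commitment."""
    salts = {n: secrets.token_bytes(16) for n in attributes}
    commitments = {n: _commit(n, v, salts[n]) for n, v in attributes.items()}
    return {
        "commitments": commitments,
        "signature": _issuer_mac(issuer_key, commitments),
        # The openings stay with the user; they are never sent as a whole.
        "attributes": dict(attributes),
        "salts": {n: s.hex() for n, s in salts.items()},
    }


def present(credential: dict, reveal: Set[str]) -> dict:
    """User side: open only the requested attributes. Attribute names are visible to the verifier,
    the values of unopened attributes are not."""
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {n: {"value": credential["attributes"][n], "salt": credential["salts"][n]} for n in reveal},
    }


def verify(issuer_key: bytes, presentation: dict) -> Optional[Dict[str, str]]:
    """Service-provider side: the disclosed attributes if the issuer MAC covers the commitment list and
    every opened attribute matches its commitment; None on any failure."""
    expected = _issuer_mac(issuer_key, presentation["commitments"])
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    disclosed = {}
    for name, opening in presentation["disclosed"].items():
        commitment = presentation["commitments"].get(name)
        try:
            salt = bytes.fromhex(opening["salt"])
        except (KeyError, TypeError, ValueError):
            return None
        if commitment is None or _commit(name, opening["value"], salt) != commitment:
            return None
        disclosed[name] = opening["value"]
    return disclosed


def linkable(p1: dict, p2: dict) -> bool:
    """The caveat: two presentations of the same credential carry the same commitment list and signature,
    so one verifier (or two colluding ones) can tie them to a single user. idemix and U-Prove randomise
    the presentation so that this is impossible; this hash-commitment sketch does not."""
    return p1["signature"] == p2["signature"]
```

Running `verify` on a presentation that opens only `member` yields `{"member": "yes"}` while the name and birth year never leave the user; changing an opened value, or verifying under another issuer key, yields None.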
The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. (The OAuth 2.0 Authorization Protocol, draft-ietf-oauth-v2-25, March 8, 2012)
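The OAuth 2.0 authorization code flow together with the OpenID Connect ID token it carries, as an added in-process simulation that is not part of the poster and not code from either specification's authors. Both sides are modelled: the authorization server, acting as OpenID Provider, issues a single-use short-lived code and an HS256-signed ID token keyed with the client's own secret; the relying party binds the callback to a login it started via `state`, redeems the code, and checks signature, `iss`, `aud`, `exp` and `nonce` before trusting `sub`. The issuer URL, client identifiers, secrets and user names are assumed values. `run_flow` exercises the happy path and three failure cases: a replayed callback, a reused code, and login CSRF with a `state` the relying party never issued.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256; the OP keys ID tokens with the client's own client_secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def jwt_verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Claims only if the header names HS256 and the MAC checks; None otherwise (no "alg": "none")."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if json.loads(_b64url_decode(header)).get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None

class AuthorizationServer:
    """OAuth 2.0 authorization server acting as OpenID Provider (OP)."""
    ISSUER = "https://op.example"  # assumed issuer identifier

    def __init__(self) -> None:
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> grant details; single-use and short-lived

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, user: str, response_type: str, client_id: str, redirect_uri: str,
                  scope: str, state: str, nonce: str, now: Optional[float] = None) -> dict:
        # Authorization endpoint, after `user` has logged in and approved: the params redirected back to the RP.
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or redirect_uri != registered_uri or response_type != "code":
            return {"error": "invalid_request", "state": state}
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "scope": scope, "nonce": nonce, "expires": (now or time.time()) + 60}
        return {"code": code, "state": state}

    def token(self, client_id: str, client_secret: str, grant_type: str, code: str,
              redirect_uri: str, now: Optional[float] = None) -> dict:
        # Token endpoint: authenticate the client, redeem the code exactly once, issue the tokens.
        now = now or time.time()
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)  # pop: a replayed code no longer exists
        if (grant_type != "authorization_code" or grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < now):
            return {"error": "invalid_grant"}
        id_token = jwt_sign_hs256({"iss": self.ISSUER, "sub": grant["user"], "aud": client_id, "iat": int(now),
                                   "exp": int(now) + 300, "nonce": grant["nonce"]}, secret.encode())
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer", "expires_in": 3600, "id_token": id_token}

class RelyingParty:
    """OAuth 2.0 client / OpenID Connect relying party (RP)."""
    def __init__(self, op: AuthorizationServer, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self.op, self.client_id, self.client_secret, self.redirect_uri = op, client_id, client_secret, redirect_uri
        self.pending = {}  # state -> nonce, one entry per login this RP started

    def start_login(self) -> dict:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": "openid", "state": state, "nonce": nonce}

    def handle_callback(self, params: dict, now: Optional[float] = None) -> Optional[str]:
        # Redirect-URI handler: returns the authenticated subject, or None if any check fails.
        nonce = self.pending.pop(params.get("state"), None)  # unknown state: not a login we started (CSRF)
        if nonce is None or "code" not in params:
            return None
        resp = self.op.token(self.client_id, self.client_secret, "authorization_code", params["code"], self.redirect_uri, now)
        claims = jwt_verify_hs256(resp.get("id_token", ""), self.client_secret.encode())
        now = now or time.time()
        if (claims is None or claims.get("iss") != self.op.ISSUER or claims.get("aud") != self.client_id
                or claims.get("exp", 0) < now or claims.get("nonce") != nonce):
            return None
        return claims["sub"]

def run_flow() -> dict:
    """Constructed OP/RP pair: happy path, then callback replay, code reuse and login CSRF."""
    op = AuthorizationServer()
    op.register_client("rp1", "s3cret-client-secret", "https://rp.example/cb")
    rp = RelyingParty(op, "rp1", "s3cret-client-secret", "https://rp.example/cb")
    request = rp.start_login()                    # RP -> browser -> OP
    callback = op.authorize("alice", **request)   # OP -> browser -> RP
    sub = rp.handle_callback(callback)            # RP redeems the code and validates the ID token
    state_replay = rp.handle_callback(callback)   # same callback delivered twice: state already consumed
    code_reuse = op.token("rp1", "s3cret-client-secret", "authorization_code", callback["code"], "https://rp.example/cb").get("error")
    attacker = op.authorize("mallory", **dict(request, state="not-ours", nonce="attacker-nonce"))
    forged_state = rp.handle_callback(attacker)   # attacker's own code pasted into the victim's RP
    return {"sub": sub, "state_replay": state_replay, "code_reuse": code_reuse, "forged_state": forged_state}
```

The relying party never accepts the code alone: `state` proves the callback belongs to a session it opened, and the `nonce` inside the signed ID token proves the token was minted for that same session, which is what defeats the login-CSRF case in `run_flow`.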
Technologies
Kantara - UMA 2012: User-Managed Access is a protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates).
[UMA role diagram, text recovered from the graphic. Roles: Authorizing User, Authorization Manager (PDP), Requester, Host (PEP), Protected Resource. Relations shown: delegate, authorize, access, manage, protect, control.]
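The role split in the UMA diagram, as an added example that is not taken from the poster or from the Kantara UMA specifications: the authorization manager is the policy decision point the authorizing user delegates to, the host is the policy enforcement point that stores the resource but never decides on its own, and a requester obtains a token only while the owner's policy is satisfied. Host names, user names, the `group` claim and the in-memory storage are assumptions of this sketch; real UMA carries these exchanges over HTTP with OAuth-style tokens.

```python
import secrets, time
from typing import Dict, List, Optional, Set

class AuthorizationManager:
    """UMA authorization manager (AM): the policy decision point the authorizing user delegates to."""

    def __init__(self) -> None:
        self.resources: Dict[str, dict] = {}  # resource_id -> {"host", "owner", "scopes"}
        self.policies: Dict[str, list] = {}   # resource_id -> [(required requester claims, scopes granted)]
        self.tokens: Dict[str, dict] = {}     # token -> {"resource_id", "scopes", "requester", "exp"}

    def register_resource(self, host: str, owner: str, resource_id: str, scopes: Set[str]) -> None:
        """Host side ("protect"): tell the AM which resource it holds and which scopes exist for it."""
        self.resources[resource_id] = {"host": host, "owner": owner, "scopes": set(scopes)}

    def set_policy(self, owner: str, resource_id: str, required: Dict[str, str], scopes: Set[str]) -> bool:
        """Authorizing-user side ("control"): only the owner may add a rule, only for scopes the host offers."""
        res = self.resources.get(resource_id)
        if res is None or res["owner"] != owner or not set(scopes) <= res["scopes"]:
            return False
        self.policies.setdefault(resource_id, []).append((dict(required), set(scopes)))
        return True

    def revoke(self, owner: str, resource_id: str) -> bool:
        """The user withdraws access: drop the rules and every token already issued for the resource."""
        res = self.resources.get(resource_id)
        if res is None or res["owner"] != owner:
            return False
        self.policies.pop(resource_id, None)
        self.tokens = {t: e for t, e in self.tokens.items() if e["resource_id"] != resource_id}
        return True

    def request_token(self, requester: str, claims: Dict[str, str], resource_id: str,
                      scopes: Set[str], now: Optional[float] = None) -> Optional[str]:
        """Requester side ("authorize"): a token only if every requested scope is granted by some rule
        whose required claims the requester's claims all satisfy."""
        granted: Set[str] = set()
        for required, rule_scopes in self.policies.get(resource_id, []):
            if all(claims.get(k) == v for k, v in required.items()):
                granted |= rule_scopes
        if not scopes or not set(scopes) <= granted:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"resource_id": resource_id, "scopes": set(scopes), "requester": requester,
                              "exp": (now or time.time()) + 3600}
        return token

    def introspect(self, host: str, token: Optional[str], resource_id: str, scope: str, now: Optional[float] = None) -> bool:
        """Asked by the host (PEP) at access time: is this token good for this scope, resource and host?"""
        entry, res = self.tokens.get(token), self.resources.get(resource_id)
        return (entry is not None and res is not None and res["host"] == host
                and entry["resource_id"] == resource_id and scope in entry["scopes"]
                and entry["exp"] > (now or time.time()))

class Host:
    """Resource server holding the protected resource: the policy enforcement point (PEP)."""

    def __init__(self, name: str, am: AuthorizationManager) -> None:
        self.name, self.am, self.store = name, am, {}

    def protect(self, owner: str, resource_id: str, data: List[str], scopes: Set[str]) -> None:
        self.store[resource_id] = list(data)
        self.am.register_resource(self.name, owner, resource_id, scopes)

    def access(self, token: Optional[str], resource_id: str, scope: str, now: Optional[float] = None) -> Optional[List[str]]:
        """Enforce only: the host keeps no policy of its own and defers the decision to the AM."""
        if resource_id not in self.store or not self.am.introspect(self.name, token, resource_id, scope, now):
            return None
        return list(self.store[resource_id])

def demo() -> dict:
    """Constructed scenario: Alice lets 'friends' view an album, then revokes; every other path is denied."""
    am = AuthorizationManager()
    host = Host("photos.example", am)
    host.protect("alice", "album1", ["beach.jpg", "hike.jpg"], {"view", "comment"})
    am.set_policy("alice", "album1", {"group": "friends"}, {"view"})
    bob = am.request_token("bob", {"group": "friends"}, "album1", {"view"})
    mirror = Host("mirror.example", am)
    mirror.store["album1"] = ["copy.jpg"]  # holds a copy, but the AM registered photos.example as the host
    result = {
        "bob_view": host.access(bob, "album1", "view"),
        "bob_comment": host.access(bob, "album1", "comment"),                                            # scope not in token
        "eve_token": am.request_token("eve", {"group": "public"}, "album1", {"view"}),                  # policy unmet
        "bob_comment_token": am.request_token("bob", {"group": "friends"}, "album1", {"view", "comment"}),  # never granted
        "other_host": mirror.access(bob, "album1", "view"),                                             # token bound to host
    }
    am.revoke("alice", "album1")
    result["after_revoke"] = host.access(bob, "album1", "view")
    result["after_revoke_token"] = am.request_token("bob", {"group": "friends"}, "album1", {"view"})
    return result
```

The point of the split is visible in `Host.access`: the host holds the photos but has no opinion about who may see them; every decision, including the effect of Alice's later revocation, comes from the authorization manager she controls.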
In the future internet, users will be downloaded as apps. The users master their identity life cycle securely and confidentially. Virtual identities will be created dynamically and context-aware. Confirmed subscribers are authorised to access partial profiles. Authorised subscribers are up-to-date at any time. Compliance with data protection laws and security policies will be built in.
7 Laws of Identity (Kim Cameron, http://www.identityblog.com/stories/2004/12/09/thelaws.html)
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
Privacy Impact Assessment
[Keyword cloud, text recovered from the graphic: Transparency, GPS, Anonymity, Claims, User-centric, Biometry, Identity Theft, Smartcards, Policies, Credentials, CRM, Tracking, Loyalty, Attributes, Data Protection, LBS, Context-awareness, Aggregation, Authentication, Interoperability, Cyber Security, Access Control, Privacy, Surveillance, Confidentiality, RFID, Personalisation, Profiling]
Contact: Mario [email protected] www.identity‐competence‐center.de