The Identity Management Ecosystem: minding the gaps · 2016-03-29 · The Identity Management...


The Identity Management Ecosystem: minding the gaps

Tony Rutkowski
VP – Regulatory-Standards, VeriSign
mailto:trutkowski@verisign.com
Editor: ITU-T SG17 draft Rec. X.IdM
Distinguished Senior Research Fellow, Center for International Strategy Technology and Policy, Georgia Institute of Technology


Workshop on Identity Management
Trondheim, Norway, 8-9 May 2007

V. 1.3

Summary

Identity Management (IdM) is treated quite differently among the many different "stovepiped" communities of network operators, service providers, and users

Initiatives underway in the ITU-T and critical infrastructure venues are aimed at implementing trusted means to bridge the gaps among these different platforms (the framework) by encouraging collaboration and a common global framework of capabilities, especially discovery and trusted interoperability

This global framework is increasingly essential for an array of government, industry, and consumer needs

Initial success is being achieved with an Identity Provider oriented model and open identity protocols


Identity Management Ecosystem - Expansive

[Slide diagram: a cloud of identity-related initiatives and bodies, grouped by orientation. The initiatives shown are:]

ITU-T JCA-NID, Yadis, IBM Higgins, OID/OHN, EPC ONS, OpenID, OSGi, Liberty WSF, ISO SC27 WG5, OASIS SAML, ETSI TISPAN, Msoft CardSpace, Oracle IGF, ITU/IETF E.164 ENUM, OASIS XACML, ETSI LI-RDH, CNRI handles, ITU-T SG13, ITU-T SG17, ITU-T FG IdM, Identity Metasystem, NIST FIPS 201 WS, Federation SXIP, FIDIS, Daidalos, Modinis, SourceID, XDI.ORG, VIP/PIP CoSign, IETF OCSP, Pubcookie, Passel, ANSI IDSP, ANSI HSSP, ITU-T SG4, Open Group IMF, Parlay PAM, 3GPP IMS, 3GPP GBA, OMA RD-IMF, OASIS SPML, Eclipse, Shibboleth, IETF IRIS, ITU-IETF, LDAP, ITU X.500, ITU E.115v2, ZKP, MAGNET, ETSI IdM STF, ETSI UCI, OASIS XRI, CNRI DOI, UID, W3C/IETF URI, ANSI Z39.50, NetMesh LID, TCG, ITU-T SG2, ITU-T SG11, ITU-T SG16, Liberty I*

[Orientations used to group them: Object-Identifier Centric, Broad IdM Centric, Discovery Centric, Attribute Centric, Mobile Operator Centric, Project Centric, Network Operator Centric, Authentication Centric, App Service Provider Centric, User Centric]

Identity Management Ecosystem – Diverse

Seek capabilities to allow user control of personal identifiers, roles and privacy attributes

Seek capabilities that maximize and protect network assets

Seek capabilities that maximize and protect application assets


Identity Management begins with entities

Entities: Legal Persons, Real Persons, Objects - Devices

Objects - Devices includes terminals, network elements, cards, intellectual property, agents, RFIDs, sensors, control devices (these are emerging as dominant network end-users)

Especially public Network Operators, and Service Providers including Identity Providers

Capabilities by which an entity is described, recognized or known

Identity Management Basic Capabilities (capabilities associated with Entities)

Capability                                        Physical example                          Network example
Credentials                                       passport                                  digital cert
Identifiers                                       passport #                                eMail address
Identifier information, attributes and bindings   name, place/date of birth, visas, ...     contact info, location, permissions, ...
Identity patterns and reputation                  passport stamps                           web search, logs, blacklists


Identity Management Framework Essentials

Capabilities: Credentials; Identifiers; Identifier information, attributes and bindings; Identity patterns and reputation

Trusted ability to query identity capabilities with some degree of assurance in the response

Ability to locate authoritative relevant identity capabilities

Challenge: Global discovery capabilities are rapidly diminishing

Challenge: Global query capabilities and assurance metrics are diminishing

A common global Identity Management framework

Not a new need – it was realized and undertaken 25 years ago in the Open Systems Interconnection initiatives

It is where digital certificates and open network management code emerged

The current framework is newly driven by:
a growing realization by critical infrastructure protection communities of the vulnerabilities of today’s ubiquitous nomadic use of public IP-enabled network infrastructures
an array of other significant government, consumer, and industry needs

The objective:
A trusted ability to manage ICT credentials, assigned identifiers, attribute information and reputation/patterns
Ability to exchange trust level information
Accommodation of platform diversity, autonomy, and constant evolution


Existing government, industry, & consumer requirements for Identity Management

Business needs
+ Network interoperability
+ Roaming
+ Fraud, identity theft, and distribution management
+ Intercarrier compensation

Critical Infrastructure protection; NS/EP
+ Public network infrastructure protection
+ Incident Response
+ Priority access during emergencies
+ Services restoration after emergencies

Public Safety
+ Citizen emergency calls/messages
+ Authority emergency alert messages

Assistance to lawful authority
+ Lawful Interception
+ Retained Data
+ Cybercrime forensics
+ Anonymity

Identifier resource management
+ Identifier/numbering allocation
+ Administrative requirements
+ Number portability; unbundling

Consumer needs
+ Universal service; social good funding
+ Preventing unwanted intrusions
  | + DoNotCall
  | + CallerID
  | + Prevention of SPAM
  | + Anti-CyberStalking
  | + Anti-CyberPredators
+ User CPNI protection and privacy
  | + Transparency
  | + Use controls
  | + Notice
+ Anonymity
+ Prevention of identity theft; repudiation
+ Disability assistance

Digital rights management

Legal liability; discovery; evidence

Privacy enhancement

Trusted Identity Management platforms significantly enhance privacy and CPNI (personal and use information) protection by:
Enabling authentication of parties that possess and access user information
Enabling audits

A significant identified “gap” is notice and transparency to users; solutions lie in enabling:
Users to receive standard, understandable personal information management notices
Users to specify how their personal information may be used


Initial results: an Identity Provider model and open protocols

[Slide diagram: an Initiating Entity presents an Identity Assertion to a Relying Party Entity (Provider); the Relying Party sends Query(ies) to Identity Resources at one or more Identity Provider(s); Auditing produces a Timestamped record; the Relying Party returns Access or Service to the Initiating Entity]

Introduce the concept of discoverable Identity Providers

Platform-independent query-response options depending on level of desired trust

Trust and privacy protection enhanced through auditing

OpenID as a competition enhancing unbundled open IdM enabling protocol

Enables Identity Provider model
Allows trust to be assessed at various stages of the flows
Allows for, but does not require, pre-existing relationships between Identity Providers and Relying Parties
Low deployment cost

[Slide diagram of the OpenID flow; labels shown: openidID.net, Initiating Entity (amr@verisign), Relying Party dude (Provider), OpenID Identity Provider(s), Auditing]

Initiating Entity to Relying Party: hey dude, I’m using OpenID identifier amr@verisign
Relying Party to Initiating Entity: OK, we support OpenID, will verify
Relying Party to Identity Provider: query(ies) to verify amr@verisign is ok
Identity Provider to Relying Party: amr@verisign is OK
Audit message: Dude queried amr@verisign at [time]
Auditing: Audit recorded at [time]
Relying Party to Initiating Entity: Here’s your service
Initiating Entity to Relying Party: thanks dude
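The exchange on this slide (initiating entity, relying party "dude", discoverable OpenID identity provider, timestamped audit record) as a small runnable model; this is an added example, not code from the deck or from any OpenID implementation. It assumes a constructed directory mapping an identifier's realm to its IdP, and a pre-shared HMAC key between relying party and IdP standing in for the OpenID association (all names and keys are constructed).

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

# Constructed, hypothetical directory data standing in for real discovery and association.
IDP_DIRECTORY = {"verisign": "idp.verisign.example"}  # identifier realm -> discoverable IdP
IDP_KEYS = {"idp.verisign.example": b"constructed-rp-idp-association-key"}  # assumed pre-shared MAC key
IDP_USERS = {"idp.verisign.example": {"amr@verisign"}}  # identifiers the IdP will vouch for

@dataclass
class Audit:
    # Timestamped record of every query, kept so trust can be reviewed after the fact.
    entries: list = field(default_factory=list)

    def record(self, actor: str, event: str) -> None:
        self.entries.append((time.time(), actor, event))

def discover_idp(identifier: str):
    # Discoverable Identity Providers: map the identifier's realm to an IdP, or None.
    return IDP_DIRECTORY.get(identifier.partition("@")[2])

def sign_assertion(idp: str, identifier: str, nonce: str) -> str:
    # Assertion is an HMAC over identifier and nonce under the RP/IdP association key.
    return hmac.new(IDP_KEYS[idp], f"{identifier}|{nonce}".encode(), hashlib.sha256).hexdigest()

def idp_answer_query(idp: str, identifier: str, nonce: str, audit: Audit):
    # Identity Provider side: log the query, then vouch only for identifiers it knows.
    audit.record(idp, f"Dude queried {identifier}")
    if identifier not in IDP_USERS.get(idp, set()):
        return None
    return sign_assertion(idp, identifier, nonce)

def verify_assertion(idp: str, identifier: str, nonce: str, assertion) -> bool:
    # Relying Party side: constant-time check that the assertion is what the IdP would sign.
    if assertion is None:
        return False
    return hmac.compare_digest(assertion, sign_assertion(idp, identifier, nonce))

def relying_party_login(identifier: str, audit: Audit) -> bool:
    # Full flow: discover the IdP, query it with a fresh nonce, verify the answer, grant service.
    idp = discover_idp(identifier)
    if idp is None:
        audit.record("rp", f"no discoverable IdP for {identifier}")
        return False
    nonce = secrets.token_hex(8)  # fresh per login, so a captured assertion cannot be replayed
    assertion = idp_answer_query(idp, identifier, nonce, audit)
    ok = verify_assertion(idp, identifier, nonce, assertion)
    audit.record("rp", f"{identifier} {'is OK' if ok else 'rejected'} via {idp}")
    return ok
```

Both sides write to the shared audit before the service decision, which is the point the slide makes about trust being assessable at each stage of the flow.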


The Identity Management Focus Group: bringing the ecosystem together to find common ground

[Slide timeline, 2007 to 2008: the ITU-T Identity Management Focus Group was created in Geneva, 13-16 Feb, with further meetings in Geneva 23-25 Apr, Mountain View 17-18 May, Tokyo 18-20 Jul, and Geneva in Sep; shown alongside it are the ITU-T SG13 Q.15 Rec. Y.IdMsec Draft Group, the ITU-T SG17 Q.6 X.Idmf Draft Group, and ISO SC27]

Next steps going forward

Continued outreach, and consensus building on needed IdM global framework capabilities and “gaps”

Watch and participate in the ITU-T IdM Focus Group – see the informal Wiki <www.ituwiki.com> and the formal ITU site <www.itu.int/ITU-T/studygroups/com17/fgidm/index.html>. Reports produced in Sep 2007, possible continuance

Specifications introduced in standards bodies:
X.IdM in ITU-T SG17 Q.6 (Cybersecurity)
Y.IdMsec in ITU-T SG13 Q.15 (NGN Security)
Report ISO/SC27 (Security Techniques)
Many others

Implementation and evolution by industry of capabilities

Recognition and closing of IdM “regulatory gaps” through any necessary requirements at national and international levels, especially:
Discovery and trust/accuracy are essential
National Critical Infrastructure Protection, NS/EP, and Cybersecurity requirements
Implementation of new treaty instruments like the Cybercrime Convention and ITU Plenipotentiary resolutions