Workshop on Identity Management Trondheim, Norway, 8-9 May Tony Rutkowski VP Regulatory-Standards, VeriSign

Transcription

1 V. 1.3 Workshop on Identity Management Trondheim, Norway, 8-9 May 2007 The Identity Management Ecosystem: minding the gaps Tony Rutkowski VP Regulatory-Standards, VeriSign Editor: SG17 draft Rec. X.IdM Distinguished Senior Research Fellow, Center for International Strategy Technology and Policy, Georgia Institute of Technology 1 Summary Identity Management (IdM) is treated quite differently among the many different "stovepiped" communities of network operators, service providers, and users Initiatives underway in the and critical infrastructure venues are aimed at implementing trusted means to bridge the gaps among these different platforms (the framework) by encouraging collaboration and a common global framework of especially discovery and trusted interoperability This global framework is increasingly essential for an array of government, industry, and consumers needs Initial success is being achieved with an Identity Provider oriented model and open identity protocols 2

2 Identity Management Ecosystem - Expansive Broad IdM Centric Discovery Centric CNRI XDI.ORG handles OASIS XRI Yaddis ISO SC27WG5 FG IdM SG17 Mobile Operator Centric SG2 Attribute Centric ITU/IETF E.164ENUM IETF IRIS OASIS SPML OSGi NetMesh LID Authentication Centric Object-Identifier Centric CNRI DOI OID/OHN JCA-NID UID EPC ONS W3C/IETR URI SG13 SG4 ITU ITU E.115v2 X.500 ITU-IETF LDAP 3GPP GBA Network Operator Centric IETF OSCP NIST FIPS201 ZKP ANSI Z39.50 ANSI IDSP ANSI OASIS HSSP SAML TISPAN UCI 3GPP IMS SG16 Project Centric SG11 FIDIS Parlay PAM IdM STF OMA RD-IMF MAGNET LI-RDH VIP/PIP Liberty I* Liberty WSF IBM Higgins Eclipse OpenID Identy Passel MetaSystem Pub cookie Msoft Cardspace CoSign Shibboleth OASIS OpenGroup IMF xacml Modinis User Centric App Service Provider Centric WS Federation SXIP Daidalos Source ID TCG Oracle IGF 3 Identity Management Ecosystem Diverse Seek to allow user control of personal identifiers, roles and privacy attributes Seek that maximize and protect network assets Seek that maximize and protect application assets

3 Identity Management begins with entities Capabilities by which an entity is described, recognized or known Real Persons Entities Objects - Devices Legal Persons Especially public Network Operators, and Service Providers including Identity Providers Includes terminals, network elements, cards, intellectual property, agents, RFIDs, sensors, control devices (are emerging as dominant network end-users) Identity Management Basic Capabilities Physical: passport Network: digital cert Physical: passport # Network: address Credentials Identifiers Physical: passport stamps Network: web search, logs, blacklists Entities Physical: name, place/ date of birth, visas, Network: contact info, location, permissions,.. Identity patterns and reputation Identifier information attributes and bindings 6

4 Identity Management Framework Essentials Ability to locate authoritative relevant identity Trusted ability to query identity with some degree of assurance in the response Challenge: Global discovery are rapidly diminishing Credentials Identity patterns and reputation Identifiers Identifier information attributes and bindings Challenge: Global query and assurance metrics are diminishing 7 A common global Identity Management framework Not a new need was realized and undertaken 25 years ago in the Open Systems Interconnection initiatives It is where digital certificates, and open network management code emerged The current framework is newly driven by a growing realization by critical infrastructure protection communities of the vulnerabilities of today s ubiquitous nomadic use of public IP-Enabled network infrastructures an array of other significant government, consumer, and industry needs The objective A trusted ability to manage ICT credentials, assigned identifiers, attribute information and reputation/patterns Ability to exchange trust level information Accommodation of platform diversity, autonomy, and constant evolution 8

5 Existing government, industry, & consumer requirements for Identity Management Critical Infrastructure protection; NS/EP + Public network infrastructure protection + Incident Response + Priority access during emergencies + Services restoration after emergencies Public Safety + Citizen emergency calls/messages + Authority emergency alert messages Assistance to lawful authority + Lawful Interception + Retained Data + Cybercrime forensics + Anonymity Identifier resource management + Identifier/numbering allocation + Administrative requirements + Number portability; unbundling Digital rights management Legal liability; discovery; evidence Consumer needs + Universal service; social good funding + Preventing unwanted intrusions + DoNotCall + CallerID + Prevention of SPAM + Anti-CyberStalking + Anti-CyberPredators + User CPNI protection and privacy + Transparency + Use controls + Notice + Anonymity + Prevention of identity theft; repudiation + Disability assistance Business needs + Network interoperability + Roaming + Fraud, identity theft, and distribution management + Intercarrier compensation Privacy enhancement Trusted Identity Management platforms significantly enhance privacy and CPNI (personal and use information) protection by Enabling authentication of parties that possess and access user information Enabling audits A significant identified gap is notice and transparency to users; solutions lay in enabling Users to receive standard, understandable personal information management notices Users to specify how their personal information may be used 10

6 Initial results: an Identity Provider model and open protocols Introduce the concept of discoverable Identity Providers Initiating Entity Relying Party Entity (Provider) Identity Provider(s) Auditing Identity Assertion Query(ies) to Identity Resources Timestamped record Access or Service Platformindependent queryresponse options depending on level of desired trust Trust and privacy protection enhanced through auditing 11 OpenID as a competition enhancing unbundled open IdM enabling protocol Initiating Entity (amr@verisign) hey dude, I m using OpenID identifier amr@verisign OK, we support OpenID, will verify Here s your service thanks dude Relying Party dude (Provider) query(ies) to verify amr@verisign is ok amr@verisign is OK OpenID Identity Provider(s) Dude queried amr@verisign at [time] Audit recorded at [time] Auditing Enables Identity Provider model Allows trust to be assessed at various stages of the flows Allows for, but does not require preexisting relationships between Identity Providers and Relying Parties Low deployment cost openidid.net 12

7 The Identity Management Focus Group: bringing the ecosystem together to find common ground SG13 Q.15 Rec. Y.IdMsec Draft Group SG17 Q.6 X.Idmf Draft Group Identity Management Focus Group Created Geneva Feb Geneva Apr Mountain View May Tokyo Jul Geneva Sep ISO SC27 13 Next steps going forward Continued outreach, and consensus building on needed IdM global framework and gaps Watch and participate in IdM Focus Group see the informal Wiki < and ITU formal < Reports produced in Sep 2007, possible continuance Specifications introduced in standards bodies X.IdM in SG17 Q.6 (Cybersecurity) Y.IdMsec in SG13 Q.15 (NGN Security) Report ISO/SC27 (Security Techniques) Many others Implementation and evolution by industry of Recognition and closing of IdM regulatory gaps through any necessary requirements at national and international levels, especially Discovery and trust/accuracy are essential National Critical Infrastructure Protection, NS/EP, and Cybersecurity requirements Implementation of new treaty instruments like Cybercrime Convention and ITU Plenipotentiary resolutions 14