The identity management (IdM) ecosystem: minding the gaps

Transcription

1 The identity management (IdM) ecosystem: minding the gaps Tony Rutkowski Georges Sebek Telecommunication Standardization Sector (ITU-T) International Telecommunication Union International Telecommunication Union

2 Summary Identity Management (IdM) is treated quite differently among the many different "stovepiped" communities of network operators, service providers, and users Initiatives underway in the ITU-T and critical infrastructure venues are aimed at implementing trusted means to bridge the gaps among these different platforms (the framework) by encouraging collaboration and a common global framework of capabilities especially discovery and trusted interoperability This global framework is increasingly essential for an array of government, industry, and consumers needs Initial success is being achieved with an Identity Provider oriented model and open identity protocols 2

3 Expansive ecosystem Discovery Centric Broad IdM Centric Mobile Operator Centric Project Centric CNRI handles Yaddis XDI.ORG OASIS XRI ITU-T FG IdM ISO SC27WG5 ITU-T SG17 Network Operator Centric 3GPP GBA 3GPP IMS OMA RD-IMF Daidalos FIDIS MAGNET Modinis ITU/IETF E.164ENUM IETF IRIS CNRI DOI W3C/IETR URI UID Attribute Centric ITU X.500 ITU-IETF LDAP ITU-T JCA-NID EPC ONS ITU E.115v2 Object-Identifier Centric OSGi OID/OHN OASIS SPML NetMesh LID IETF OSCP ZKP ANSI Z39.50 ITU-T SG2 ETSI TISPAN NIST FIPS201 ANSI IDSP OASIS SAML ITU-T SG4 ETSI UCI Authentication Centric ANSI HSSP ITU-T SG13 ETSI IdM STF ITU-T SG11 ETSI LI-RDH ITU-T SG16 Parlay PAM WS Federation SXIP VIP/PIP OASIS xacml App Service Provider Centric OpenGroup IMF Liberty WSF Eclipse IBM Higgins Shibboleth CoSign Identy MetaSystem Liberty I* Oracle IGF User Centric Source ID Passel OpenID Msoft Cardspace Pub cookie TCG 3

4 Seek capabilities to allow user control of personal identifiers, roles and privacy attributes Diverse ecosystem Seek capabilities that maximize and protect network assets Seek capabilities that maximize and protect application assets 4

5 Id(entity)M begins with entities Capabilities by which an entity is described, recognized or known Real Persons Entities Objects - Devices Legal Persons Especially public Network Operators, and Service Providers including Identity Providers Includes terminals, network elements, cards, intellectual property, agents, RFIDs, sensors, control devices (are emerging as dominant network end-users) 5

6 Physical: passport Network: digital cert IdM basic capabilities Physical: passport # Network: address Credentials Identifiers Physical: passport stamps Network: web search, logs, blacklists Entities Physical: name, place/ date of birth, visas... Network: contact info, location, permissions.. Identity patterns and reputation Identifier information attributes and bindings 6

7 A common global IdM framework Not a new need was realized and undertaken 25 years ago in the Open Systems Interconnection initiatives It is where digital certificates, and open network management code emerged The current framework is newly driven by a growing realization by critical infrastructure protection communities of the vulnerabilities of today s ubiquitous nomadic use of public IP-Enabled network infrastructures an array of other significant government, consumer, and industry needs The objective A trusted ability to manage ICT credentials, assigned identifiers, attribute information and reputation/patterns Ability to exchange trust level information Accommodation of platform diversity, autonomy, and constant evolution 7

8 Current requirements for IdM Critical Infrastructure protection; ETS, DTR, EW + Public network infrastructure protection + Incident Response + Priority access during emergencies + Services restoration after emergencies Public Safety + Citizen emergency calls/messages + Authority emergency alert messages Assistance to lawful authority + Lawful Interception + Retained Data + Cybercrime forensics + Anonymity Identifier resource management + Identifier/numbering allocation + Administrative requirements + Number portability; unbundling Digital rights management Legal liability; discovery; evidence Consumer needs + Universal service; social good funding + Preventing unwanted intrusions + DoNotCall + CallerID + Prevention of spam + Anti-CyberStalking + Anti-CyberPredators + Customer records protection and privacy + Transparency + Use controls + Notice + Anonymity + Prevention of identity theft; repudiation + Disability assistance Business needs + Network interoperability + Roaming + Fraud, identity theft, and distribution management + Intercarrier compensation 8

9 Privacy enhancement Trusted identity management platforms significantly enhance privacy and customer records (personal and use information) protection by Enabling authentication of parties that possess and access user information Enabling audits A significant identified gap is notice and transparency to users; solutions lay in enabling Users to receive standard, understandable personal information management notices Users to specify how their personal information may be used 9

10 Initial results: an identity provider model and open protocols Initiating Entity Relying Party Entity (Provider) Identity Provider(s) Auditing Identity Assertion Query(ies) to Identity Resources Timestamped record Access or Service Platformindependent queryresponse options depending on level of desired trust Trust and privacy protection enhanced through auditing 10

11 ITU-T Focus Group on Identity Management Established December 2006 by ITU-T SG 17 Objectives of the FG IdM perform requirements analysis based on uses case scenarios identify generic IdM framework components complete a standards gap analysis identify new standards work and who should perform the work FG IdM met in February, April, May, July,, next and last (?) meeting in September 2007 FG IdM structure Ecosystem and Lexicon Working Group Use Cases Working Group Requirements Working Group Framework Working Group 11

12 FG IdM Timing ITU-T SG 13 Q.15 Rec. Y.IdMsec ITU-T SG 17 Q.6 Recs. X.Idmr,f,s ITU-T Focus Group Identity Management Geneva Apr Cambridge Aug Established Geneva Feb Mountain View May Tokyo Jul Geneva Sept ISO/IEC JTC 1/SC 27 12

13 FG IdM deliverables 13

14 Going forward Continued outreach, and consensus building on needed IdM global framework capabilities and gaps Watch and participate in ITU-T FG IdM see informal Wiki: formal FG IdM wb page: T/studygroups/com17/fgidm/ Deliverables to be forwarded to ITU-T SG 17 in September 2007, possible continuance of the FG Specifications developed in standards bodies Recs. X.idmr,f,s in ITU-T Q.6/17 (Cyber security) Y.IdMsec in ITU-T Q.15/13 (NGN Security) Report ISO/IEC JTC 1/SC 27 (Security Techniques) Many others 14

15 Going forward Implementation and evolution by industry of capabilities Recognition and closing of IdM regulatory gaps through any necessary requirements at national and international levels, especially Discovery and trust/accuracy are essential National critical infrastructure protection, (ETS, DTR, EW), and cybersecurity requirements Implementation of new treaty instruments like Cybercrime Convention and ITU Plenipotentiary resolutions 15

16 International Telecommunication Union Helping the World Communicate 16