ITU-T Workshop on "New challenges for Telecommunication Security Standardization" V1.0
Geneva, 9(pm)-10 February 2009

Identity Management
Anthony M. Rutkowski, V-P, Regulatory Affairs and Standards, VeriSign, Inc.
International Telecommunication Union

The challenge of relevance: Why is IdM important?
• Identity Management is the foundation and core for all security
• An explosively expanding and vast array of "network nomadic" individuals, providers, and objects has challenged our ability to effectively manage identities and their "trust anchors"

The challenge of a common concept: What is identity?
Identities consist of:
• an ensemble of four possible identity "elements"
• a binding to an Entity (or Entities)
• instantiated or asserted at some specific time
[Figure: Entity/identity diagram, complex version and simple version, from the ITU-T Report of the Correspondence Group on the Definition of Identity]

The challenge of diversity: Disparate identity communities
• Operators and providers: focussed on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation
• Business end-users: focussed on minimizing costs, employee support, fraud mitigation, inventory and supply chain management
• Individual end-users: focussed on social networking, convenience, identity services (esp. location based services) and portability, controlling unwanted intrusions and mitigating identity theft
• Security: focussed on infrastructure protection, homeland security, NS/EP needs, consumer protection, law enforcement forensics, meeting public policy and legal mandates including personal identity credentials and biometrics
• Privacy and anonymity: spans a broad spectrum from personal identity protection and intrusion minimization to extreme views on complete anonymity, anti-government paranoia and control of all personal identity elements

The challenge of focus and vision: What is important?
• Discovery of authoritative sources of identities and structured means to query source information
• Structured identity ontologies and data models for interoperability
  - Critical to sharing of identities
• Protected identity management "signalling" infrastructure in NGNs
• Means to support inter & intra federation identity capabilities
  - Inter-federation mechanisms are non-existent
• Providing for a range of trust relationships (no trust to PKI-based high assurance trust)
• Supporting Peer-to-Peer platforms
• Implementing trusted Open Identity Architectures as a means of achieving "Identity Network Neutrality"
• Achieving effective "trust anchors"
  - Identity proofing
  - Identity lifecycle management
  - Identity status checking
  - Identity on-demand security management
  - Identity auditing

Capabilities that will make a difference in 2009: THE CHALLENGE OF DELIVERABLES

Provider Identity Trust Anchors
• Number one "low-hanging" Identity Management/cybersecurity capability with far reaching positive impact
  - A universal global means for establishing trust in all organizations that have a network presence
  - For communications, transactions, software, and secure transport layer
• Significant implementation has already occurred
  - Based on the Extended Validation (EV) Digital Certificate standard implementation of the ITU-T X.509 platform (also known as EV SSL)
  - Developed in 2007 by the CA/Browser Forum
  - Certificates initially issued and browser updates pushed out to most computers in 2008
  - Consists of the best combination of identity assurance techniques and platforms
  - Initial identity proofing based on ETSI standards
  - Basis for organization trust in Liberty Alliance assurance specifications
  - Used by the ITU itself!
• Upcoming EV enhancements in 2009
  - Being extended to all kinds of services and software distribution in 2009, including SIP
  - Being introduced into ITU-T SG17 through the liaison process
  - Substantial ongoing regional activity to meet localization requirements worldwide
  - Being considered as an NGN network address enhancement
  - Cryptography being upgraded to ECC
  - Embeds many diverse organization identifiers, including ITU-T Object Identifiers (OIDs), which have become the Internet's global "enterprise ID" of choice
• Enhances individual privacy and broadly benefits everybody
• May become a global regulatory mandate for cybersecurity

Object trust anchors
• Real-time Object IDentifier resolution system
  - Provides a DNS-based means for discovering information about any Object Id
  - OIDs becoming increasingly important for network elements (especially forensic acquisition locations in a network), terminal devices, software, RFID tagged objects, sensors, biometric scanners, e-health, power management, and intellectual property
  - Creation of a new DNS top level domain: OID
  - Initial implementations occurring in 2009 based on specifications developed in ITU-T and ISO
• Real-time token validation protocol systems
  - Verifying the current status of all object credentials is essential
  - Allows implementation of "when things go wrong" capabilities
  - Online Certificate Status Protocol (OCSP) has emerged as the means of choice and is being mandated by some trust implementations
  - Similar RSA protocols for token use are being extended

Personal identity trust anchors
• The world is awash in a sea of countless personal identities
  - Many personal identities have little or no trust anchors
  - Diverse expectations exist among people, organizations, and nations concerning the use and availability of identities; many are subject to law
  - Expectations are highly context dependent and often conflicting
  - Potential "identity network neutrality" challenges abound
• Significant contemporary personal identity needs
  - eHealth
  - Homeland security
  - Nomadicity and social networking
• Significant technical platforms are emerging
  - Interoperable and Trusted Third Party platforms
  - OpenID
  - Personal Identity Portals
  - National eIDs, especially the EU's STORK (Secure Identity Across Borders Linked) initiative
  - One time password tokens
  - Encrypted biometrics
• A major impediment for personal identity trust is lifecycle maintenance
  - Bears the initial and lifecycle costs, including indemnification
  - Providing real-time status checking
  - Accommodating an enormously broad assurance spectrum

Whose trust anchor: Identity Assurance Interoperability
• Many different schema exist to achieve identity assurance
  - The schema can cover broad ranges from zero trust to very high trust
  - Expressed as trust levels
  - Includes diverse context dependencies
• How to achieve global identity assurance interoperability among all the existing and potential schema
  - Possible solution is using ITU-T X.1141 (SAML) to capture and exchange the many different schema via TSB and other bodies

Trust Anchors begin at home: Standards and spawned identities
• Challenge is to enhance identity management trust anchors by enabling structured discovery and on-demand public access to
  - Standards
  - Registrations and assignments specified in standards
• Real-time access to standards
  - Most standards bodies now allow global public access to their specifications
  - Network IdM/security standards not publicly available have little value
  - Next step is to make them discoverable, versioned, and accessible with a click
• Real-time access to registrations and assignments
  - Standards result in many secretariats and other bodies creating identities
  - Few provide structured, real-time means for discovery and access
  - Both ITU TSB and IETF IANA are building capabilities
  - Can serve as models for other bodies and administrators worldwide

2008 ITU-T IdM Roadmap
Generic Specifications
• Initial IdM Focus Group + IdM definition reports
• Living List of IdM Terms and References
• X.1250, Capabilities for enhanced global IdM trust & interoperability
• X.1251, Framework for user control of digital identity interchange framework
• X.eaa, Entity authentication assurance
• X.idm-ifa, Framework architecture for interoperable IdM systems
• X.idm-dm, Common identity data model
• X.idmsg, Security guidelines for IdM systems
• X.priva, Criteria for assessing level of protection for PII in IdM
NGN Specifications
• Y.ngnIdMuse, IdM use-cases
• Y.2720, NGN IdM framework
• Y.ngnIdMmechanisms, NGN IdM mechanisms
Application Specifications
• E.157, International Calling Party Number Delivery
• X.ott, Authentication Framework with One-time Telebiometric Template
• X.668, Registration of object identifier arcs for applications and services using tag-based identification
• X.1171, Framework for Protection of Personally Identifiable Information in Applications using Tag-based Identification
• X.rfpg, Guideline on protection for PII in RFID application
Bold = accomplished (bold marking not preserved in this text version)

A New IdM Capabilities Roadmap
Provider Identity Trust
• A global standard (mandate) for Provider Identity Trust as an evolution of the CAB Forum specification
• Service and regional extensions for Provider Identity Trust
• Implementation of globally unique provider "identifiers" using OIDs
• Enhanced network addresses for NGN
Object Identity Trust
• OID Resolver System extensions for objects (Ubiquitous Sensor Networks, Network Elements, e-Health, and distributed power systems, terminal devices, biometrics, and IPR)
• Lightweight object certificate specifications
• Application of ECC to IdM certificates
Person Identity Trust
• Globally interoperable personal identity specifications
• Enhanced International Caller-ID capabilities
• Service and application specific personal identity extensions, including "youth" attributes
• Encrypted telebiometric specifications
• Interoperable Trusted Third Party & Bridge platform specifications
• Interoperable Personal Identity Portal specifications
Support Capabilities
• Adoption of DNS-based real-time OID Resolution System specifications
• Adoption of OID directory service specifications
• Adoption of global online certificate status verification specifications
• Service extensions to certificate status specifications
• A Global IdM Data Dictionary
• Global identity proofing specifications
• Global Identity security specifications
• Global IdM management auditing specifications
• Real-time access to identity management and related security specifications
• Real-time access to assigned identifier lookup systems
International Telecommunication Union
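The "Object trust anchors" slide above treats Object Identifiers as the identifiers that EV certificates, network elements and tagged objects carry, and says a DNS-based resolution system will look them up. The following is an added worked example, not code from the presentation or from any ITU-T/ISO implementation: it validates dotted-decimal OID syntax, performs the X.690 DER encoding and decoding that every X.509 consumer relies on, and forms the reversed-arc DNS name under an ORS zone. The zone suffix `oid-res.example` and the reversed-arc mapping are assumptions of this example; a real resolver uses whatever zone and mapping the deployed ORS specification prescribes.

```python
"""Object Identifier (OID) handling: syntax check, X.690 DER encode/decode,
and a reversed-arc DNS name for a DNS-based OID Resolution System (ORS).

Added example, not code from the ITU-T presentation. ORS_SUFFIX is a
placeholder zone, and the reversed-arc layout is this example's assumption.
"""
import re

ORS_SUFFIX = "oid-res.example"  # placeholder ORS zone (assumption)

# Dotted decimal, first arc 0/1/2, at least two arcs, no leading zeros.
_OID_RE = re.compile(r"^[012](\.(0|[1-9][0-9]*))+$")


def parse_oid(text):
    """Return the arcs of a dotted-decimal OID, rejecting malformed input.

    Enforces the X.660 rule that the second arc is 0..39 when the first arc
    is 0 or 1 (only arc 2 is open-ended), so bad input fails before encoding.
    """
    if not _OID_RE.match(text):
        raise ValueError("malformed OID: %r" % text)
    arcs = [int(a) for a in text.split(".")]
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be 0..39 when first arc is %d" % arcs[0])
    return arcs


def _base128(value):
    """Encode one subidentifier as big-endian 7-bit groups, MSB = continuation."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid_der(text):
    """DER-encode an OID: tag 0x06, length, then the subidentifiers.

    The first two arcs are merged into a single subidentifier 40*a + b.
    """
    arcs = parse_oid(text)
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + _der_length(len(body)) + body


def decode_oid_der(data):
    """Decode a DER OBJECT IDENTIFIER back to dotted text, refusing
    truncated or non-minimal encodings (DER forbids a leading 0x80 octet)."""
    if len(data) < 3 or data[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    length = data[1]
    start = 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        start = 2 + n
    body = data[start:start + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated OID")
    if body[-1] & 0x80:
        raise ValueError("truncated OID: continuation bit set on last octet")
    subids, value = [], 0
    for b in body:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal subidentifier encoding")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def ors_dns_name(text, suffix=ORS_SUFFIX):
    """Map an OID to a DNS name with the most specific arc first, so that
    delegation in DNS follows delegation in the OID tree (assumed layout).
    Example: 1.2.840.113549 -> 113549.840.2.1.<suffix>"""
    arcs = parse_oid(text)
    name = ".".join(str(a) for a in reversed(arcs)) + "." + suffix
    if len(name) > 253:
        raise ValueError("resulting DNS name exceeds 253 octets")
    return name


if __name__ == "__main__":
    for oid in ("1.2.840.113549", "2.5.4.3", "2.999"):
        der = encode_oid_der(oid)
        print(oid, der.hex(), decode_oid_der(der), ors_dns_name(oid))
```

The decoder deliberately rejects the two malformed shapes that matter for a status-checking or certificate-parsing path: a body whose last octet still has the continuation bit set (a cut-off subidentifier) and a subidentifier padded with a leading 0x80 (a non-canonical encoding that would let two different byte strings name the same OID).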
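The "Whose trust anchor: Identity Assurance Interoperability" slide above proposes SAML (ITU-T X.1141) as the carrier for exchanging the many assurance schema, each expressed as trust levels. The following added example, not code from the presentation and not an X.1141 profile, shows the relying-party side of that idea: the `AuthnContextClassRef` in a received SAML 2.0 assertion is translated from whichever scheme the identity provider used onto one common ladder, an unknown or missing class is treated as no trust (fail closed), and the assertion's validity window is checked before the level is compared with the policy minimum. The common ladder, the `urn:example:...` class URIs of the second scheme, and the sample assertion are all constructed here; the `urn:oasis:...:ac:classes:...` URIs are the standard SAML 2.0 authentication context classes. XML signature verification is outside this example and must happen before any of this is trusted.

```python
"""Translate SAML AuthnContextClassRef values from several assurance schemes
onto one common trust ladder and enforce a minimum level.

Added example; not code from the presentation. The ladder, the
urn:example:* class URIs and the sample assertion are constructed.
Signature verification of the assertion is assumed to have been done already.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Common ladder (constructed): 0 = no trust ... 4 = very high trust.
# Two schemes are mapped: the standard SAML 2.0 AC classes and a second,
# hypothetical scheme that names its levels "urn:example:assurance:*".
COMMON_LEVEL = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified": 0,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
    "urn:example:assurance:low": 1,
    "urn:example:assurance:substantial": 3,
    "urn:example:assurance:high": 4,
}

# Constructed sample assertion (no signature; whole-second UTC timestamps).
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2009-02-10T09:00:00Z">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject><saml:NameID>user@example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-02-10T09:00:00Z" NotOnOrAfter="2009-02-10T09:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2009-02-10T08:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def build_assertion(class_ref):
    """Produce a constructed assertion carrying the given context class."""
    return ASSERTION_TEMPLATE.format(class_ref=class_ref)


SAMPLE_ASSERTION = build_assertion(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")


def _parse_time(text):
    """Parse SAML UTC timestamps, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML timestamp: %r" % text)


def _root(assertion_xml):
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    return root


def authn_context_class(assertion_xml):
    """Return the single AuthnContextClassRef, or None if absent/ambiguous."""
    refs = _root(assertion_xml).findall(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if len(refs) != 1 or not (refs[0].text or "").strip():
        return None
    return refs[0].text.strip()


def assurance_level(assertion_xml):
    """Map the asserted class onto the common ladder; unknown -> 0."""
    return COMMON_LEVEL.get(authn_context_class(assertion_xml), 0)


def evaluate(assertion_xml, required_level, now):
    """Return (accepted, reason): validity window first, then level check."""
    cond = _root(assertion_xml).find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return False, "assertion carries no usable Conditions"
    not_before = _parse_time(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        return False, "assertion outside its validity window"
    level = assurance_level(assertion_xml)
    if level < required_level:
        return False, "assurance level %d below required %d" % (level, required_level)
    return True, "accepted at assurance level %d" % level


if __name__ == "__main__":
    at = datetime(2009, 2, 10, 9, 2, tzinfo=timezone.utc)
    print(evaluate(SAMPLE_ASSERTION, 2, at))
    print(evaluate(build_assertion("urn:example:assurance:high"), 3, at))
    print(evaluate(build_assertion("urn:vendor:proprietary:gold"), 1, at))
```

The ordering inside `evaluate` matters: an expired assertion is rejected before its level is even consulted, and a class URI the relying party has not mapped yields level 0 rather than an exception, so adding a new scheme is a change to `COMMON_LEVEL`, not to the enforcement code.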