ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009
International Telecommunication Union

Trend in User-Centric Identity Management Technology and its Standards

Sangrae Cho (sangrae@etri.re.kr)
Digital ID Security Research Team, ETRI
Contents
1. Introduction
2. User-Centric IdM Technology
3. Digital Identity Wallet
4. Conclusion
Introduction
Identity Definition

Identity:
- The attributes by which an entity is described, recognized or known (ITU-T)
- The fundamental concept of uniquely identifying an object (person, computer, etc.) within a context (Open Group)
- A set of claims made by one party about another party; claims are typically conveyed in signed security tokens (Microsoft)
- The essence of an entity; one's identity is often described by one's characteristics, among which may be any number of identifiers (Liberty & OASIS)

Source: ITU-T Report on the Definition of the Term "Identity", 2008
Identity Management

Identity management: the infrastructure that supports authentication, authorization, audit and the identity lifecycle, including the creation, update and termination of identities.

(Diagram: architecture template for IdM, shown as a lifecycle: Registration/Creation, Propagation, Accounts & Policies, Maintenance/Management, Termination.)
Source: Burton Group 2006
Purpose of IdM

- Personal identities multiply as web services multiply: improve usability. Users in Korea had joined 27 websites and held 7.5 accounts on average [Digital News, '05.2.23]
- IdM is required across organizational domains as business relationships diversify: increase efficiency and productivity. Demand for SSO, EAM and IAM is growing, extending from the intranet to the Internet [DigitalIDWorld Newsletter, '05.3.31]
- Requirements for personalized services are growing: create new IT services while protecting personal privacy. Privacy protection is needed when new services are provided in Web 2.0 [ZDNet, '06.12]
User-Centric IdM Technology
Evolution of IdM

(Diagram: the subject for IdM evolves from system-centric silos through centralized and federated identity to user-centric identity interchange ('08 to present), spanning .com, .net and .org domains; domain-centric, unidirectional flows give way to user-centric, bidirectional ones.)

User-centric: the user is in the middle of a data transaction and the data always flows through the user's identity agent. This gives the user control of his identity.
User-Centric Identity Concept
Source: OASIS, The Core Concept of Identity 2.0

User consent
- The user can always allow or deny whether information about them is released (reactive consent management)

User control
- The user has the ability to policy-control all exchanges of identity information (proactive consent management)
- The user delegates decisions to identity agents controlled through policy

User-centered
- The core subset of the previous two: "people in the protocol"
- The user is actively involved in information-disclosure policy decisions at run time
Main User-Centric IdM Technology

User-centric characteristics of each technology:
- OpenID: URL-based user identifier; the user selects his IdP
- Liberty Alliance: permission-based attribute exchange
- CardSpace: the user selects his IdP using the Identity Selector
Trend in Standardization
Current View of IdM Landscape
Source : Report on Identity Management Use Cases and Gap Analysis, ITU-T FG IdM
Ongoing Standard Projects in ITU-T SG17

X.1250 (X.idmreq): Capabilities for global identity management trust and interoperability
- Requirements for global interoperability among IdM systems
- Currently in TAP after being re-determined in September 2008

X.1251 (X.idif): A framework for user control of digital identity
- User-control-enhanced digital identity interchange framework
- Currently in TAP after being determined in September 2008

X.idm-dm: Common identity data model
- Develops a common identity data model to express identity information exchanged between IdM systems
X.1251 (X.idif) - Framework

(Diagram: three-layer architecture.)
- Application layer: Web Application Server 1 and Web Application Server 2; a Digital Identity Client comprising a User Interface Manager, User Identity Management and Credential Management, and holding the Identity Token
- Identity interchange layer: Identity Web Server 1 and Identity Web Server 2 (User Identity Management, Privacy Protection, Authorization, Authentication, Digital Contract Management, Identity Interchange, Identity Sync Management) and an Identity Interchange Service (Authentication, Digital Contract Management, Identity Interchange, Identity Sync Management, Token Transformer)
- Communication layer: Internet, wireless, mobile communication
Ongoing Standard Projects in ITU-T

NGN identity management
- SG13 Q15 (NGN Security) is responsible
- Developing standards based on the results of the IdM Focus Group

Y.ngnIdMuse: NGN identity management use cases
- Studies use cases when IdM is applied in the NGN environment

Y.ngnIdMreq: NGN identity management requirements
- IdM requirements in NGN

Y.idmFramework: NGN identity management framework
- Global interoperability framework among IdM systems in NGN
Ongoing Standard Projects in ISO

- Identity management and privacy standards are developed in ISO/IEC JTC1 SC27 WG5 (WGs within ISO/IEC JTC1/SC27, IT Security Techniques)
- ITU-T / ISO joint workshop on identity management, Lucerne, September 2007
- A Framework for Identity Management (ISO/IEC 24760, WD)
- A Privacy Framework (ISO/IEC 29100, CD)
- A Privacy Reference Architecture (ISO/IEC 29101, WD)
- Entity Authentication Assurance (ISO/IEC 29115, WD)
- A Framework for Access Management (ISO/IEC 29146, WD)
The Identity Landscape

"Increasing interest in user-centric IdM technology and collaboration between technologies"

(Diagram: The Identity Landscape 2006 by Johannes Ernst, CEO of NetMesh, reconstructed by the Digital ID Security Research Team, ETRI. Three families of user-centric digital identity are positioned by convenience, trust, privacy protection and identity interchange: URL-based (OpenID), offering convenience; card-based (WS-Trust), adding trust; and invisible (SAML/Liberty), adding privacy protection and identity interchange.)

Callouts:
- "MS announces support for OpenID" ('07.02): CardSpace supports OpenID, and OpenID plans to support interoperability with CardSpace
- "ETRI, research collaboration with MS for Digital ID Wallet" ('07.05)
Digital Identity Wallet
User Requirements (for better services)

- It is cumbersome to type in personal information every time I join a website; in particular, I worry about entering my national resident number
- Logging in to use a web service is inconvenient, and harder still on the mobile web from a mobile phone
- Entering an ID/password in a public place is not secure
- I want a secure way to identify phishing sites
- It is hard to remember which websites I have joined
- It is not easy to update personal information when it changes
- It is hard to move my information from site A to site B
Overview

What is a Digital Identity Wallet?
- A digital wallet that helps users easily use, and securely keep, the personal identity and authentication information they have scattered across cyberspace; the Digital Identity Wallet is like the real wallet we use every day to keep ID cards and cash
- A system in which users control the disclosure of their personal information by deciding whether or not to provide each item of data, so that unwanted disclosure or misuse of personal data can be prevented

Main functions of the Digital Identity Wallet
- Site registration and authentication
- Identity sharing and synchronization
- User privacy protection
- Mobile Digital Identity Wallet
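To make the consent model of the preceding slides concrete (user consent as a run-time decision, user control as a policy applied by the user's identity agent, and the wallet's promise that only data the user chose to release reaches a site), here is an added example written for this page; it is not ETRI's Digital Identity Wallet code. A minimal identity agent applies a per-site disclosure policy (proactive consent), falls back to prompting the user for any claim the policy does not cover (reactive consent), refuses a never-release list outright, and packages the consented claims in a signed token bound to the requesting site, so a token captured by a phishing site cannot be presented elsewhere. The attribute values, the policy format, the `IdentityAgent` class, the `ask_user` callback and the HMAC shared-secret signing are all assumptions made for the example; in a deployed system the token would be signed by the identity provider with a key the relying party can verify.

```python
"""User-centric identity agent: claims leave the wallet only after the
user's disclosure policy (or the user at run time) has allowed them, and
they travel in a signed token bound to the requesting relying party."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample attributes held in the user's wallet (not real data).
USER_ATTRIBUTES = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "birth_year": 1985,
    "national_resident_no": "000000-0000000",  # placeholder; never released
}

# Assumed policy format: claims pre-approved for any site ("*") and per
# relying party URL. Anything else is decided by the user at run time.
DISCLOSURE_POLICY = {
    "*": {"name"},
    "https://shop.example.com": {"email"},
}
NEVER_RELEASE = {"national_resident_no"}  # refused without asking

TOKEN_LIFETIME = 300  # seconds a token stays valid (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityAgent:
    """The user's identity agent: every release of identity data passes
    through it and is filtered by policy before a token is issued."""

    def __init__(self, signing_key: bytes, attributes: dict, policy: dict, ask_user):
        self.key = signing_key
        self.attributes = attributes
        self.policy = policy
        self.ask_user = ask_user  # callback(rp, claim) -> bool: reactive consent

    def decide(self, rp: str, claim: str) -> bool:
        if claim in NEVER_RELEASE:
            return False
        if claim in self.policy.get("*", set()) or claim in self.policy.get(rp, set()):
            return True  # proactive consent: policy already answered
        return bool(self.ask_user(rp, claim))  # reactive consent: ask now

    def issue_token(self, rp: str, requested: list, now=None):
        """Return (token, released_claims). Unknown or refused claims are
        dropped, so the relying party only ever sees consented data."""
        now = time.time() if now is None else now
        released = {
            c: self.attributes[c]
            for c in requested
            if c in self.attributes and self.decide(rp, c)
        }
        payload = {"aud": rp, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME,
                   "claims": released}
        body = _b64url(json.dumps(payload, sort_keys=True,
                                  separators=(",", ":")).encode())
        sig = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64url(sig)}", released


def verify_token(key: bytes, token: str, expected_aud: str, now=None):
    """Relying-party side: check signature, audience binding and expiry.
    Returns the claims dict, or None if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):
        return None
    # A token issued for shop.example.com is useless to a look-alike site
    # that captured it: the audience does not match.
    if payload.get("aud") != expected_aud or payload.get("exp", 0) < now:
        return None
    return payload["claims"]


def demo():
    """Alice visits the shop; the user declines every run-time prompt."""
    key = b"shared-secret-for-demo"  # assumption: RP trusts this key
    agent = IdentityAgent(key, USER_ATTRIBUTES, DISCLOSURE_POLICY,
                          ask_user=lambda rp, claim: False)
    request = ["name", "email", "birth_year", "national_resident_no"]
    token, released = agent.issue_token("https://shop.example.com", request, now=1000)
    accepted = verify_token(key, token, "https://shop.example.com", now=1010)
    replayed = verify_token(key, token, "https://shop-example.evil", now=1010)
    return released, accepted, replayed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` releases only `name` (pre-approved for every site) and `email` (pre-approved for the shop); `birth_year` is refused because the user declined the prompt, and the national resident number is never released regardless of policy or prompt, matching the wallet's goal of replacing that number for ID verification. The same token verified under a different audience returns `None`, which is the check a relying party needs for the phishing-site avoidance the later slides promise.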
(Diagram: secure Internet usage with the Digital Identity Wallet. The wallet holds website registration data, personal data, authentication information, link data, identity verification data and payment information and history. Website A issues authentication information, Website B issues link data, an identity verification organization issues identity verification data and a payment organization issues payment information. The wallet is used for registration and login, input of personal data, purchase and payment at an Internet shopping mall (Website C) and data sharing with Website D. A privacy protection server provides backup, roaming and consistency.)
Services

Site registration service
- One-click site registration
- Registered site management
- Phishing site avoidance

Identity authentication & verification service
- Support of various authentication methods
- One-click mobile authentication
- Replacement of the national resident number for ID verification

Share and synchronization service
- Secure identity sharing between sites
- Credit card and point card utilization and reference
- Automatic synchronization of updated personal data

Other applications
- Authentication on the web interoperating with a home device
- Connection with the cyber world
- Personalized mash-up service
Support for Various Authentication Methods
Use Case for Identity Interchange

(Diagram: personal finance management service. Savings and loan information from a bank, stock information from a stock broker and estate information from a real-estate service are exchanged through the Digital Identity Wallet as financial information for a financial management service.)
Conclusion

User-centric IdM is an essential technology
- Convenience
- Privacy-aware security for the user
- Convergence between IdM technologies

Full user control
- Provides the user with full power to control his identity
- Enhances privacy

Efficient identity interchange
- Scalability
- Independence
- Seamlessness
Thank You !!!
Q&A