Add to collection(s) Add to saved
  1. Business
  2. Accounting
  3. Managerial Accounting

Identity Convergence for NGN Platform and Business Hidehito Gomi Identity Architect, NEC Corporation

advertisement 
International Telecommunication Union
ITU-T
Identity Convergence for
NGN Platform and Business
Hidehito Gomi
Identity Architect, NEC Corporation
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
Outline
ITU-T
o Existing IdM Framework on the Internet
o IdM Framework for NGN
o Identity Fragmentation
o IdM Requirements for NGN
o Identity Convergence
o Technologies for Identity Convergence
• Group Signature
• Context Obfuscation
• Privacy Policy Negotiation
o NGN Business based on IdM
o Summary
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
2
Existing IdM Framework on the Internet
ITU-T
o SAML models roles of entities and
interactions between them
Users
Service/network access
PEP (Policy Enforcement Point)
Publication of
Certificates
(Attributes)
Publication of
Certificates
(AuthN)
Issuance of
Certificates
Registration/
AuthN Req.
Verification
Authentication
Authority
Publication of
Certificates
(AuthZ)
Verification
Verification
Attribute
Authority
PDP
(Policy Decision
Point)
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
3
IdM Framework for NGN
ITU-T
o Home operator publishes interfaces for service/network access
with SPs and partner operators.
o SPs (3rd party providers, enterprises, & ISPs) provide IT/network
services with users.
o Operators provide network services in a cooperative manner.
Users
Service/network access
3rd Party
Provider
Publication of
Certificates
(AuthN, Attributes)
Issuance of
Certificates
Registration/
AuthN Req.
Enterprise
Delegation Req. of
Identity related services
Verification
ISP
SPs (Service Providers)
Identity Related Services
Such as Charging/billing
Home
Operator
Network services
Partner
Operators
IdP (Identity Provider)
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
4
Identity Fragmentation
ITU-T
o So far, identity info of a user is distributed & duplicated among
different platforms, therefore
• There is need to have multiple sign-on procedures for a wide
range of services.
• It is difficult to make good use of user’s identity info (trail,
presence, geo-location) across different platforms.
• It is troublesome for users to provide, retrieve and update all
privacy info managed at each platform separately.
3rd Party Platforms
Credit history
Identity is missing
Content Providers
Buying history
User’s Identity
User’s Identity
Partner Operator’s Platform
Home Operator’s NGN Platform
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
ISP Platform
Presence data
Enterprise Platform
5
IdM Requirements for NGN
ITU-T
o Seamlessness
• Consistent access to IT/network services at
any platform without interruption
o Context-aware & Personalization
• Personalized service utilizing users’ context
info managed by providers in various domains
o Privacy Protection
• Management of users’ personal attributes
based on their policy, minimizing the risk of
leakage
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
6
Identity Convergence
ITU-T
o In order to solve identity fragmentation,
• Build bridges between platforms
— introduction of multi-personas per user
— optimum deployment & life cycle mgt of personas
• Filter identity info when crossing the bridges
— minimization of identity info disclosure
— obfuscation of identity info
Content Providers
3rd Party Platforms
Identity Creation
Identity Federation
Identity Exchange
Partner Operator’s Platform
ISP Platform
User’s persona
Home Operator’s NGN Platform
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
Enterprise Platform
7
Technologies for Identity Convergence
ITU-T
Bridging identities
Simplified Sign-On
(SAML, Liberty ID-FF)
Provisioning (SPML)
Session Mgt & Transfer
Trust Mgt (PKI)
Filtering identities
Attributes Exchange
(Liberty ID-WSF)
Attributes Discovery Access Control
(XACML)
(Liberty ID-WSF)
Anonymization of owner
Information Obfuscation
Privacy Practice
Restriction & Enforcement
Fundamental Technologies
o
Anonymization of owner
•
o
Group Signature
Information Obfuscation
•
o
Blocks the owner info but passes authenticated group membership
Blocks exact context information but passes only obscured data
Privacy Practice Restriction & Enforcement
•
Negotiates type of filtering to be performed between sending &
receiving platforms
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
Context Obfuscation
Privacy Policy
Negotiation
8
Group Signature
ITU-T
o Authentication mechanism that allows a
verifier to verify the group membership of a
user without identifying the user.
Always-on connection
for active verification
Learns ID
and passwd
Current
ID, Passwd
Visited
Operator
ID,Passwd
Home
Operator
Can be off-line
Verify membership
of ISP
New
Group signature
Visited
Operator
accounting
ID?
Home
Operator
accounting
Encrypted ID
Authentication data
(ZKIP)
Offline transfer
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
ID
Usage log
9
Context Obfuscation
ITU-T
Social Ctx:
Blurring of
Friends near by
Ctx Information
(Ann, Bob, Fred, Julie)
Blurring of
Ctx Information
Ctx Exchange
Social Ctx:
Friends Near By
(Some Friends close by)
Ctx Provider
Domain A
Ctx Provider
Ctx Exchange
Social Ctx:
Friends near by
(4 Friends)
Domain B
Domain C
o
Policy Management
Context Obfuscation Technology
• supports privacy of context information based on user preferences
• handles context exchange within and across domains uniformly
o
Context Obfuscation Challenges
•
•
•
•
•
Context requires a structure that translates naturally to a blurring mechanism
Semantics for context blurring need to be defined
Adequate context distortion filters are required
User interface must be simple and support decisions in a dynamic environment
User must trust obfuscation behaviour
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
10
Privacy Policy Negotiation
ITU-T
o Privacy policy confirmation for attributes exchange
• Types of personal attributes to be exchanged
• Limited recipients and usage of the personal attributes
o Disclose the minimum set of attributes allowed by a user &
providers
o Make a mutual agreement on accountability between a sender
& receiver
Attribute
Receiver
Attribute
Sender
(A) Send usage policy
Policy
(B)Policy
(C) Return the result of comparison Comparison
(D)Result
Verification
Sender
R_Policy
(E) Request attributes
User
Result
Receiver
R_Policy
Policy
Policy
(F) Send Attributes
Attributes
Attributes
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
Register policies
and attributes
11
NGN Business based on IdM
ITU-T
o Identity Convergence enables service orchestration,
which bring about more value & profit than the sum
of individual component services
Value & profit
Business Layer
Service Layer
Orchestrated service
Orchestrated service
Content Providers
3rd Party Platforms
Identity Layer
ISP Platform
User’s Converged Identity
Partner Operator’s Platform
Home Operator’s NGN Platform
Enterprise Platform
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
12
Summary
ITU-T
o Identity convergence concept enables the
following properties of NGN services:
• Seamless
• Context-aware & personalized
• Privacy protected
o NEC will contribute to the standardization of
identity management for NGN through the
ITU-T.
ITU-T Workshop on “Digital Identity for NGN“
Geneva, 5 December 2006
13
Related documents
Chae Sub LEE
Chae Sub LEE
ITU-T/ ATIS Workshop “Next Generation Technology and Standardization” Abstract
ITU-T/ ATIS Workshop “Next Generation Technology and Standardization” Abstract
Download
advertisement