Identity Management
Jianyong CHEN, SG 17 Vice Chairman
Global Standards Collaboration (GSC)

DOCUMENT #: GSC15-PLEN-29
FOR: Presentation or Information
SOURCE: ITU-T
AGENDA ITEM: 6.4
CONTACT(S): chen.jianyong@zte.com.cn
GSC-15
Identity Management (IdM) for Telecom is an Essential Part of IP-based Networks and Services
[Figure: Wireline]
• Identity-based services are increasing exponentially and are available on many different mobile platforms
• The Internet is part of the telecommunication infrastructure
• The next-generation business model for network operators demands subscriber-centric data consolidation
Highlight of IdM Current Activities (1/2)
• Per the GSC-14/04 Resolution, ITU-T is progressing the development of a publicly available Wiki-based inventory of major IdM initiatives and activities.
• ITU-T works collaboratively with other key bodies, including ISO/IEC JTC 1/SC 27, ETSI, the Kantara Initiative, FIDIS and OASIS.
• The focus of ITU-T's IdM work is on global trust and interoperability of diverse IdM capabilities in telecommunications, including leveraging and bridging existing solutions. It is not the development of standards for new IdM solutions.
• ITU-T's JCA-IdM (Joint Coordination Activity on Identity Management) coordinates IdM activities within ITU-T and amongst other major IdM standards bodies.
Highlight of IdM Current Activities (2/2)
• First ITU-T IdM Recommendation published early 2009:
  • Y.2720, NGN identity management framework
• The joint ITU-T | ISO/IEC common text Recommendation | International Standard on Entity Authentication Assurance is approaching a stable document.
• Three ITU-T Recommendations were published and are available for free download:
  • X.1250, Baseline capabilities for enhanced global identity management trust and interoperability
  • X.1251, A framework for user control of digital identity
  • X.1252, Basic IdM terms and definitions
Challenges for IdM
• The lack of identity federations based on standardized trust frameworks, and the lack of global interoperability among diverse identity management solutions, are major inhibitors to wide-scale deployment of IdM capabilities
• Discovery of identity resources at a global level, as opposed to within an enterprise environment
• Common IdM terminology
• Interoperability of assurance levels that are based on the risk assessment associated with the on-line transaction
• Privacy services
Next Step/Action for IdM
13 Recommendations are under development. Among them, the plan for X.evcert is to be determined at the December meeting.
• X.evcert: Extended validation certificate (EVcert) framework
• X.eaa: Information technology – Security techniques – Entity authentication assurance
• X.idm-dm: Common identity data model
• X.idm-ifa: Framework architecture for interoperable identity management systems
• X.idmsg: Security guidelines for identity management systems
• X.priva: Criteria for assessing the level of protection for personally identifiable information in identity management
• X.authi: Guideline to implement the authentication integration of the network layer and the service layer
• X.giim: Mechanisms to support interoperability across different IdM services
• X.idmgen: Generic framework for interoperable IdM systems
• X.sap-4: The general framework of combined authentication in a multiple identity provider service environment
• X.oitf: Open Identity Trust Framework
• X.discovery: Discovery of identity management information
• X.mobid: Baseline capabilities and mechanisms of identity management for mobile applications and environment
Basic Concepts of Object Identifiers (OIDs)
• One of many identification schemes
• Basically very simple: a tree
• Arcs are numbered and may have an associated alphanumeric identifier (beginning with a lowercase letter)
• Can also have Unicode labels (any language, any characters)
• Infinitely many arcs from each node (except at the root, which has exactly three)
• Objects are identified by the path (OID) from the root to a node
• A Registration Authority (RA) allocates arcs beneath its node to subordinate RAs, and so on, to an infinite depth
• The OID tree is a hierarchical structure of RAs
• Standardized in the ITU-T X.660 | ISO/IEC 9834 series (ITU-T SG 17 and ISO/IEC JTC 1/SC 6)
• Originated in 1985, still in use, and still developing!
• Recent developments use the DNS to provide information about the node identified by an OID.
Next Step/Action for OID
OID Resolution System
• Provides information associated with any object identified by an OID:
  • access information
  • child node information
  • OID-IRI canonical form
• Joint work between ITU-T SG 17 and ISO/IEC JTC 1/SC 6 since Oct. 2008 (draft Rec. ITU-T X.672 (ex X.oid-res) | ISO/IEC 29168-1)
• Get an OID arc assigned for identifying cybersecurity organizations, information, and policies
• The draft specifies:
  • the OID resolution architecture
  • the OID resolution protocol (based on DNS)
  • operation of the OID resolution service
  • security and trust of the OID resolution process
  • etc.
• Associated is another joint work on procedures for the OID-RES operational agency: Rec. ITU-T X.673 | ISO/IEC 29168-2
Conclusions
• Developers can bet on identity as a capability
• User acceptance will gate success
• Privacy is not opposed to security; it is a precondition of security
• GSC-15 should continue the GSC-14/04 Resolution with the necessary editorial updates
Supplementary Slides
Weblinks
ITU-T
• SG17: http://www.itu.int/ITU-T/studygroups/com17/index.asp
• Identity Management web page: http://www.itu.int/ITU-T/studygroups/com17/idm.html
• Joint Coordination Activity for Identity Management: http://www.itu.int/ITU-T/jca/idm/
Top of the OID Tree (figure, rendered as text)
root
  itu-t(0)
    recommendation(0)
  iso(1)
    member-body(2): ISO 3166 country codes
    identified-organisation(3): ISO 6523 ICD codes
  joint-iso-itu-t(2)
    country(16): ISO 3166 country codes
    tag-based(27)
Example: {joint-iso-itu-t(2) tag-based(27) mcode(1)}
Note: The names of the 3 top-level arcs do not imply a hierarchical dependency on ISO or ITU-T.
Some Advantages of using OID
• Human-readable notation:
  {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)}
• Dot notation:
  1.2.840.113549.1
• URN notation:
  urn:oid:1.2.840.113549.1
• Internationalized notation (IRI):
  oid:/ISO/Member-Body/US/RSADSI/PKCS
• Used in many ISO standards, ITU-T Recommendations and IETF RFCs, and elsewhere
• Very good take-up: 120,000+ OIDs described at http://www.oid-info.com; many more exist
• Compact binary encoding (X.690 BER/DER, the form normally used in computer communications)
• Allows transmission over constrained networks
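The notations and the compact binary encoding listed above, worked through as an added example (this is not code from the presentation or from ITU-T): a small DER encoder and strict decoder for OBJECT IDENTIFIER values following the X.690 rules, with conversion between the dot, URN and human-readable forms. The sample OIDs {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)} and {joint-iso-itu-t(2) tag-based(27) ...} and the arc labels come from this page; the function names, the label table and the strict-decoding checks are this example's own choices and are not specified by the slides.

```python
"""OBJECT IDENTIFIER notations and DER encoding (ITU-T X.660 / X.690).

Added example for this page; not code from the presentation or from ITU-T.
Function names, the label table and the sample OIDs are this example's own.
Assumed rules (all from X.690 DER):
  * tag 0x06, short-form length (content < 128 bytes; enough for real OIDs)
  * the first two arcs X.Y are packed into one subidentifier 40*X + Y, which
    is only unambiguous because Y <= 39 under itu-t(0) and iso(1)
  * each subidentifier is big-endian base-128, continuation bit 0x80 on every
    byte but the last, and no superfluous leading 0x80 byte
"""

OID_TAG = 0x06


def parse_dot(dotted: str) -> list[int]:
    """'1.2.840.113549.1' -> [1, 2, 840, 113549, 1], checking X.660 root constraints."""
    parts = dotted.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError("an OID needs at least two decimal arcs")
    if any(len(p) > 1 and p[0] == "0" for p in parts):
        raise ValueError("arcs are written without leading zeros")
    arcs = [int(p) for p in parts]
    if arcs[0] > 2:
        raise ValueError("the root has only itu-t(0), iso(1) and joint-iso-itu-t(2)")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc under itu-t(0) or iso(1) must be 0..39")
    return arcs


def _pack_base128(value: int) -> bytes:
    """Minimal base-128 encoding of one subidentifier."""
    out = bytearray([value & 0x7F])          # last byte: continuation bit clear
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))    # earlier bytes: continuation bit set
        value >>= 7
    return bytes(reversed(out))


def encode_der(arcs: list[int]) -> bytes:
    """DER TLV for the OID, e.g. [2, 27, 1] -> 06 02 6B 01."""
    body = _pack_base128(40 * arcs[0] + arcs[1])
    body += b"".join(_pack_base128(a) for a in arcs[2:])
    if len(body) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([OID_TAG, len(body)]) + body


def decode_der(der: bytes) -> list[int]:
    """Strict inverse of encode_der: rejects anything that is not canonical DER."""
    if len(der) < 3 or der[0] != OID_TAG or der[1] >= 0x80:
        raise ValueError("not a short-form OBJECT IDENTIFIER TLV")
    if len(der) != 2 + der[1]:
        raise ValueError("length does not match content (truncated or trailing bytes)")
    subids, value, continuing = [], 0, False
    for b in der[2:]:
        if not continuing and b == 0x80:
            raise ValueError("non-minimal subidentifier (leading 0x80 byte)")
        value = (value << 7) | (b & 0x7F)
        continuing = bool(b & 0x80)
        if not continuing:
            subids.append(value)
            value = 0
    if continuing:
        raise ValueError("truncated subidentifier (continuation bit set on last byte)")
    # Unpack 40*X + Y from the whole first subidentifier, not from its first byte:
    # 2.999 encodes as 88 37 (= 1079), and 1079 // 40 would give the wrong root arc.
    first = subids[0]
    if first >= 80:
        head = [2, first - 80]
    elif first >= 40:
        head = [1, first - 40]
    else:
        head = [0, first]
    return head + subids[1:]


def to_dot(arcs: list[int]) -> str:
    return ".".join(map(str, arcs))


def to_urn(arcs: list[int]) -> str:
    return "urn:oid:" + to_dot(arcs)


def to_human(arcs: list[int], labels: dict[tuple[int, ...], str]) -> str:
    """X.660 value notation '{iso(1) member-body(2) ...}'; `labels` maps an arc
    prefix (as a tuple) to its identifier, unlabelled arcs print as bare numbers."""
    parts = []
    for i, arc in enumerate(arcs):
        name = labels.get(tuple(arcs[: i + 1]))
        parts.append(f"{name}({arc})" if name else str(arc))
    return "{" + " ".join(parts) + "}"


# Labels for the page's example {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)}
PKCS_LABELS = {
    (1,): "iso",
    (1, 2): "member-body",
    (1, 2, 840): "us",
    (1, 2, 840, 113549): "rsadsi",
    (1, 2, 840, 113549, 1): "pkcs",
}

if __name__ == "__main__":
    for dotted in ("1.2.840.113549.1", "2.27.1", "2.999"):
        arcs = parse_dot(dotted)
        der = encode_der(arcs)
        assert decode_der(der) == arcs
        print(f"{to_urn(arcs):28} DER={der.hex()}  {to_human(arcs, PKCS_LABELS)}")
    for bad in ("06032a8001", "06022a86"):           # non-minimal, truncated
        try:
            decode_der(bytes.fromhex(bad))
        except ValueError as e:
            print(f"{bad}: rejected ({e})")
```

The decoder is deliberately strict. OIDs select algorithms and policies in certificates and protocol messages, so a lenient parser that accepts a non-minimal subidentifier, or that derives the first two arcs from the first byte instead of the whole first subidentifier, can map two different byte strings to the same OID or one byte string to a wrong OID; comparing the canonical DER bytes, as produced by `encode_der`, avoids both problems.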
Challenge for OID
Use of OIDs for the Internet of Things
• ITU-T X.668 | ISO/IEC 9834-9 (2008) is a way to unify the many identification schemes used for the Internet of Things (RFID, bar codes, ISBN, etc.)
• Does not cause existing tags to become obsolete
• Use case example: a tag placed on a billboard poster can be read with a mobile phone, making it easy for the user to get additional multimedia information (text, graphics, even voice or video) about the content of the poster
• Other use cases in Rec. ITU-T F.771