Title: Identity Management
Slide 1: Identity Management
V1.0
ITU-T Workshop on "New challenges for Telecommunication Security Standardization"
Geneva, 9 (pm) - 10 February 2009
- Anthony M. Rutkowski
- V-P, Regulatory Affairs and Standards
- VeriSign, Inc.
Slide 2: The challenge of relevance
Why is IdM important?
- Identity Management is the foundation and core for all security
- An explosively expanding and vast array of "network nomadic" individuals, providers, and objects has challenged our ability to effectively manage identities and their trust anchors
Slide 3: The challenge of a common concept
What is identity?
- Identities consist of
  - an ensemble of four possible identity elements
  - a binding to an Entity (or Entities) instantiated or asserted at some specific time
From the ITU-T Report of the Correspondence Group on the Definition of Identity
(Diagrams on slide: "Complex Version" and "Simple Version" of the identity model)
Slide 4: The challenge of diversity
Disparate identity communities
- Operators and providers
  - Focussed on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation
- Business end-users
  - Focussed on minimizing costs, employee support, fraud mitigation, inventory and supply chain management
- Individual end-users
  - Focussed on social networking, convenience, identity services (esp. location based services) and portability, controlling unwanted intrusions and mitigating identity theft
- Security
  - Focussed on infrastructure protection, homeland security, NS/EP needs, consumer protection, law enforcement forensics, meeting public policy and legal mandates including personal identity credentials and biometrics
- Privacy and anonymity
  - Spans a broad spectrum from personal identity protection and intrusion minimization to extreme views on complete anonymity, anti-government paranoia and control of all personal identity elements
Slide 5: The challenge of focus and vision
What is important?
- Discovery of authoritative sources of identities and structured means to query source information
- Structured identity ontologies and data models for interoperability
  - Critical to sharing of identities
- Protected identity management signalling infrastructure in NGNs
- Means to support inter/intra federation identity capabilities
  - Inter-federation mechanisms are non-existent
- Providing for a range of trust relationships (no trust to PKI-based high assurance trust)
- Supporting Peer-to-Peer platforms
- Implementing trusted Open Identity Architectures as a means of achieving Identity Network Neutrality
- Achieving effective trust anchors
  - Identity proofing
  - Identity lifecycle management
  - Identity status checking on-demand
  - Identity security
  - Identity management auditing
Slide 6: The Challenge of Deliverables
- Capabilities that will make a difference in 2009
Slide 7: Provider Identity Trust Anchors
- Number one low-hanging Identity Management/cybersecurity capability with far reaching positive impact
  - A universal global means for establishing trust in all organizations that have a network presence
  - For communications, transactions, software, and secure transport layer
- Significant implementation has already occurred
  - Based on Extended Validation (EV) Digital Certificate standard implementation of ITU-T X.509 platform (also known as EV SSL)
  - Developed in 2007 by the CA/Browser Forum
  - Certificates initially issued and browser updates pushed out to most computers in 2008
  - Consists of the best combination of identity assurance techniques and platforms
  - Initial identity proofing based on ETSI standards
  - Basis for organization trust in Liberty Alliance assurance specifications
  - Used by the ITU itself!
- Upcoming EV enhancements in 2009
  - Being extended to all kinds of services and software distribution in 2009, including SIP
  - Being introduced into ITU-T SG17 through liaison process
  - Substantial ongoing regional activity to meet localization requirements worldwide
  - Being considered as an NGN network address enhancement
  - Cryptography being upgraded to ECC
  - Embeds many diverse organization identifiers, including ITU-T Object Identifiers (OIDs) that have become the Internet's global enterprise ID of choice
  - Enhances individual privacy and broadly benefits everybody
Slide 8: Object trust anchors
- Real-time Object IDentifier resolution system
  - Provides a DNS-based means for discovering information about any Object ID
  - OIDs becoming increasingly important for
    - Network elements (especially forensic acquisition locations in a network)
    - Terminal devices, software, RFID tagged objects, sensors, biometric scanners, e-health, power management, and intellectual property
  - Creation of a new DNS top level domain OID
  - Initial implementations occurring in 2009 based on specifications developed in ITU-T and ISO
- Real-time token validation protocol systems
  - Verifying the current status of all object credentials is essential
  - Allows implementation of "when things go wrong" capabilities
  - Online Certificate Status Protocol (OCSP) has emerged as the means of choice and is being mandated by some trust implementations
  - Similar RSA protocols for token use are being extended
Slide 9: Personal identity trust anchors
- The world is awash in a sea of countless personal identities
  - Many personal identities have little or no trust anchors
  - Diverse expectations exist among people, organizations, and nations concerning the use and availability of identities, many subject to law
  - Expectations are highly context dependent and often conflicting
  - Potential identity network neutrality challenges abound
- Significant contemporary personal identity needs
  - eHealth
  - Homeland security
  - Nomadicity and social networking
- Significant technical platforms are emerging
  - Interoperable and Trusted Third Party platforms
  - OpenID
  - Personal Identity Portals
  - National eIDs, especially the EU's STORK (Secure Identity Across Borders Linked) initiative
  - One time password tokens
  - Encrypted biometrics
- A major impediment for personal identity trust is lifecycle maintenance
  - Bears the initial and lifecycle costs, including indemnification
  - Providing real-time status checking
Slide 10: Whose trust anchor?
Identity Assurance Interoperability
- Many different schema exist to achieve identity assurance
  - The schema can cover broad ranges from zero trust to very high trust
  - Expressed as trust levels
  - Includes diverse context dependencies
- How to achieve global identity assurance interoperability among all the existing and potential schema?
  - Possible solution is using ITU-T X.1141 (SAML) to capture and exchange the many different schema via TSB and other bodies
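The slide proposes SAML (ITU-T X.1141) as the carrier for exchanging assurance schema. In SAML 2.0 the authentication context of an assertion is what expresses how the subject was authenticated, and a relying party translates that context into its own trust level. The following added example, not code from the workshop or from VeriSign, parses a constructed assertion, reads its AuthnContextClassRef values, maps them through a translation table onto local trust levels, and checks them against a minimum. The AuthnContext class URIs are the standard SAML 2.0 ones; the numeric levels, the policy threshold and the sample assertion are constructed for illustration, and the assertion carries no signature, which a real relying party must verify first.

```python
"""Exchanging identity assurance across schema with SAML 2.0 assertions: read the
authentication context an assertion carries, translate it into a local trust
level, and decide whether it meets a service's minimum.

Added example, not the workshop's or VeriSign's code. The AuthnContext class
URIs are standard SAML 2.0; the level mapping, policy and sample assertion are
constructed for illustration. Signature verification is out of scope here.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed translation table: one scheme's context classes -> local trust level.
# Different schema differ exactly here, so this table is where interoperability is captured.
CONTEXT_TO_LEVEL = {
    AC + "unspecified": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,
    AC + "X509": 3,
    AC + "Smartcard": 4,
    AC + "SmartcardPKI": 4,
}

def authn_context_classes(assertion_xml: str) -> list:
    """Return every AuthnContextClassRef found in the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = ".//{%s}AuthnStatement/{%s}AuthnContext/{%s}AuthnContextClassRef" % (
        SAML_NS, SAML_NS, SAML_NS)
    return [el.text.strip() for el in root.findall(path) if el.text]

def assurance_level(assertion_xml: str) -> int:
    """Highest local trust level the assertion supports. Unknown classes map to 0,
    so a schema that has not been deliberately mapped never gains trust by accident."""
    classes = authn_context_classes(assertion_xml)
    return max((CONTEXT_TO_LEVEL.get(c, 0) for c in classes), default=0)

def meets_policy(assertion_xml: str, minimum_level: int) -> bool:
    """Relying-party decision: does the asserted context reach the required level?"""
    return assurance_level(assertion_xml) >= minimum_level

# Constructed sample assertion; Conditions and Signature omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2009-02-10T09:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2009-02-10T09:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(authn_context_classes(SAMPLE_ASSERTION))
    print(assurance_level(SAMPLE_ASSERTION), meets_policy(SAMPLE_ASSERTION, 3))
```

The design choice worth noting is the default of 0 for unmapped classes: when two federations exchange assertions under different schema, anything the translation table does not explicitly recognise is treated as unassured rather than guessed at, which keeps the mapping table the single place where a new scheme's levels are reviewed and admitted.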
Slide 11: Trust Anchors begin at home
Standards and spawned identities
- Challenge is to enhance identity management trust anchors by enabling structured discovery and on-demand public access to
  - Standards
  - Registrations and assignments specified in standards
- Real-time access to standards
  - Most standards bodies now allow global public access to their specifications
  - Network IdM/security standards not publicly available have little value
  - Next step is to make them discoverable, versioned, and accessible with a click
- Real-time access to registrations and assignments
  - Standards result in many secretariats and other bodies creating identities
  - Few provide structured, real-time means for discovery and access
  - Both ITU TSB and IETF IANA are building capabilities
  - Can serve as models for other bodies and administrators worldwide
Slide 12: 2008 ITU-T IdM Roadmap
Generic Specifications
- Initial IdM Focus Group IdM definition reports
- Living List of IdM Terms and References
- X.1250, Capabilities for enhanced global IdM trust interoperability
- X.1251, Framework for user control of digital identity interchange framework
- X.eaa, Entity authentication assurance
- X.idm-ifa, Framework architecture for interoperable IdM systems
- X.idm-dm, Common identity data model
- X.idmsg, Security guidelines for IdM systems
- X.priva, Criteria for assessing level of protection for PII in IdM
NGN Specifications
- Y.ngnIdMuse, IdM use-cases
- Y.2720, NGN IdM framework
- Y.ngnIdMmechanisms, NGN IdM mechanisms
Application Specifications
- E.157, International Calling Party Number Delivery
- X.ott, Authentication Framework with One-time Telebiometric Template
- X.668, Registration of object identifier arcs for applications and services using tag-based identification
- X.1171, Framework for Protection of Personally Identifiable Information in Applications using Tag-based Identification
- X.rfpg, Guideline on protection for PII in RFID application
(Legend on slide: bold entries are accomplished)
Slide 13: A New IdM Capabilities Roadmap
Provider Identity Trust
- A global standard (mandate) for Provider Identity Trust as an evolution of the CAB Forum specification
- Service and regional extensions for Provider Identity Trust
- Implementation of globally unique provider identifiers using OIDs
- Enhanced network addresses for NGN
Object Identity Trust
- OID Resolver System extensions for objects (Ubiquitous Sensor Networks, Network Elements, e-Health, and distributed power systems, terminal devices, biometrics, and IPR)
- Lightweight object certificate specifications
- Application of ECC to IdM certificates
Person Identity Trust
- Globally interoperable personal identity specifications
- Enhanced International Caller-ID capabilities
- Service and application specific personal identity extensions, including youth attributes
- Encrypted telebiometric specifications
- Interoperable Trusted Third Party Bridge platform specifications
- Interoperable Personal Identity Portal specifications
Support Capabilities
- Adoption of DNS-based real-time OID Resolution System specifications
- Adoption of OID directory service specifications
- Adoption of global online certificate status verification specifications
- Service extensions to certificate status specifications
- A Global IdM Data Dictionary
- Global identity proofing specifications
- Global Identity security specifications
- Global IdM management auditing specifications
- Real-time access to identity management and related security specifications
- Real-time access to assigned identifier lookup systems