Identity Management - PowerPoint PPT Presentation

About This Presentation

Title:

Identity Management

Description:

is the foundation and core for all security ... National eIDs, especially the EU's STORK (Secure Identity Across Borders Linked) initiative ... – PowerPoint PPT presentation

Number of Views:253

Avg rating:3.0/5.0

Slides: 14

Provided by: Pro127

Category:

more less

Transcript and Presenter's Notes

Title: Identity Management

1
Identity Management
V1.0
ITU-T Workshop onNew challenges for
Telecommunication Security Standardization"
Geneva, 9(pm)-10 February 2009

Anthony M. Rutkowski
V-P, Regulatory Affairs and Standards
VeriSign, Inc.

2
The challenge of relevanceWhy is IdM important?

Identity Management
is the foundation and core for all security
An explosively expanding and vast array of
"network nomadic" individuals, providers, and
objects
has challenged our ability to effectively manage
identities and their trust anchors

3
The challenge of a common concept What is
identity?

Identities consist of
an ensemble of four possible identity elements
a binding to an Entity (or Entities) instantiated
or asserted at some specific time

From the ITU-T Report of the Correspondence Group
on the Definition of Identity
Complex Version
Simple Version
4
The challenge of diversityDisparate identity
communities

Operators and providers
Focussed on revenue opportunities, infrastructure
protection, network management forensics, fraud
mitigation
Business end-users
Focussed on minimizing costs, employee support,
fraud mitigation, inventory and supply chain
management
Individual end-users
Focussed on social networking, convenience,
identity services (esp. location based services)
and portability, controlling unwanted intrusions
and mitigating identity theft
Security
Focussed on infrastructure protection, homeland
security, NS/EP needs, consumer protection, law
enforcement forensics, meeting public policy and
legal mandates including personal identity
credentials and biometrics
Privacy and anonymity
Spans a broad spectrum from personal identity
protection and intrusion minimization to extreme
views on complete anonymity, anti-government
paranoia and control of all personal identity
elements

5
The challenge of focus and visionWhat is
important?

Discovery of authoritative sources of identities
and structured means to query source information
Structured identity ontologies and data models
for interoperability
Critical to sharing of identities
Protected identity management signalling
infrastructure in NGNs
Means to support inter intra federation
identity capabilities
Inter-federation mechanisms are non-existent
Providing for a range of trust relationships (no
trust to PKI-based high assurance trust)
Supporting Peer-to-Peer platforms
Implementing trusted Open Identity Architectures
as a means of achieving Identity Network
Neutrality
Achieving effective trust anchors
Identity proofing
Identity lifecycle management
Identity status checking on-demand
Identity security
Identity management auditing

6
The Challenge of Deliverables

Capabilities that will make a difference in 2009

7
Provider Identity Trust Anchors

Number one low-hanging Identity
Management/cybersecurity capability with far
reaching positive impact
A universal global means for establishing trust
in all organizations that have a network presence
For communications, transactions, software, and
secure transport layer
Significant implementation has already occurred
Based on Extended Validation (EV) Digital
Certificate standard implementation of ITU-T
X.509 platform (also known as EV SSL)
Developed in 2007 by the CA/Browser Forum
Certificates initially issued and browser updates
pushed out to most computers in 2008
Consists of the best combination of identity
assurance techniques and platforms
Initial identity proofing based on ETSI standards
Basis for organization trust in Liberty Alliance
assurance specifications
Used by the ITU itself!
Upcoming EV enhancements in 2009
Being extended to all kinds of services and
software distribution in 2009, including SIP
Being introduced into ITU-T SG17 through liaison
process
Substantial ongoing regional activity to meet
localization requirements worldwide
Being considered as an NGN network address
enhancement
Cryptography being upgraded to ECC
Embeds many diverse organization identifiers,
including ITU-T Object Identifiers (OIDs) that
have become Internet global enterprise ID of
choice
Enhances individual privacy and broadly benefits
everybody

8
Object trust anchors

Real-time Object IDentifier resolution system
Provides a DNS-based means for discovering
information about any Object Id
OIDs becoming increasingly important for
Network elements (especially forensic acquisition
locations in a network)
Terminal devices, software, RFID tagged objects,
sensors, biometric scanners, e-health, power
management, and intellectual property
Creation of a new DNS top level domain OID
Initial implementations occurring in 2009 based
on specifications developed in ITU-T and ISO
Real-time token validation protocol systems
Verifying the current status of all object
credentials is essential
Allows implementation of when things go wrong
capabilities
Online Certificate Status Protocol (OCSP) has
emerged as means of choice and being mandated by
some trust implementations
Similar RSA protocols for token use are being
extended

9
Personal identity trust anchors

The world is awash in a sea of countless personal
identities
Many personal identities have little or no trust
anchors
Diverse expectations exist among people,
organizations, and nations concerning the use and
availability of identities many subject to law
Expectations are highly context dependent and
often conflicting
Potential identity network neutrality
challenges abound
Significant contemporary personal identity needs
eHealth
Homeland security
Nomadicity and social networking
Significant technical platforms are emerging
Interoperable and Trust Third Party platforms
OpenID
Personal Identity Portals
National eIDs, especially the EUs STORK (Secure
Identity Across Borders Linked) initiative
One time password tokens
Encrypted biometrics
A major impediment for personal identity trust is
lifecycle maintenance
Bears the initial and lifecycle costs, including
indemnification
Providing real-time status checking

10
Whose trust anchorIdentity Assurance
Interoperability

Many different schema exist to achieve identity
assurance
The schema can cover broad ranges from zero trust
to very high trust
Expressed as trust levels
Includes diverse context dependencies
How to achieve global identity assurance
interoperability among all the existing and
potential schema
Possible solution is using ITU-T X.1141 (SAML) to
capture and exchange the many different schema
via TSB and other bodies

11
Trust Anchors begin at homeStandards and
spawned identities

Challenge is to enhance identity management trust
anchors by enabling structured discovery and
on-demand public access to
Standards
Registrations and assignments specified in
standards
Real-time access to standards
Most standards bodies now allow global public
access to their specifications
Network IdM/security standards not publicly
available have little value
Next step is make them discoverable, versioned,
and accessible with a click
Real-time access to registrations and assignments
Standards result in many secretariats and other
bodies creating identities
Few provide structured, real-time means for
discovery and access
Both ITU TSB and IETF IANA are building
capabilities
Can serve as models for other bodies and
administrators worldwide

12
2008 ITU-T IdM Roadmap
GenericSpecifications
NGN Specifications
Application Specifications

Initial IdM Focus Group IdM definition reports
Living List of IdM Terms and References
X.1250, Capabilities for enhanced global IdM
trust interoperability
X.1251, Framework for user control of digital
identity interchange framework
X.eaa, Entity authentication assurance
X.idm-ifa, Framework architecture for
interoperable IdM systems
X.idm-dm, Common identity data model
X.idmsg, Security guidelines for IdM systems
X.priva, Criteria for assessing level of
protection for PII in IdM

Y.ngnIdMuse, IdM use-cases
Y. 2720, NGN IdM framework
Y.ngnIdMmechanisms, NGN IdM mechanisms

E.157, International Calling Party Number
Delivery
X.ott, Authentication Framework with One-time
Telebiometric Template
X.668, Registration of object identifier arcs for
applications and services using tag-based
identification
X.1171, Framework for Protection of Personally
Identifiable Information in Applications using
Tag-based Identification
X.rfpg, Guideline on protection for PII in RFID
application

Bold accomplished
13
A New IdM Capabilities Roadmap
Provider IdentityTrust
Object IdentityTrust
Person IdentityTrust
Support Capabilities

A global standard (mandate) for Provider Identity
Trust as an evolution of the CAB Forum
specification
Service and regional extensions for Provider
Identity Trust
Implementation of globally unique provider
identifiers using OIDs
Enhanced network addresses for NGN

OID Resolver System extensions for objects
(Ubiquitous Sensor Networks, Network Elements,
e-Health, and distributed power systems, terminal
devices, biometrics, and IPR)
Lightweight object certificate specifications
Application of ECC to IdM certificates

Globally interoperable personal identity
specifications
Enhanced International Caller-ID capabilities
Service and application specific personal
identity extensions, including youth attributes
Encrypted telebiometric specifications
Interoperable Trusted Third Party Bridge
platform specifications
Interoperable Personal Identity Portal
specifications