Olli Jussila Adaptive R - PowerPoint PPT Presentation

1

Olli Jussila, Adaptive R&D, TeliaSonera
2
Agenda
  • TeliaSonera at a glance
  • Project presentation
  • Technical results
  • Business model and actor benefits
  • End user experience
  • Dissemination activities
  • Conclusion

3
The Nordic and Baltic leader in telecommunications
  • Net sales 2006: EUR 9790 million
  • Strong positions in mobile in Eurasia, Russia and Turkey through subsidiaries and associated companies
  • Mobile services launched in Spain at the end of 2006
  • 23.5 million customers (number of customers as of December 2006)
  • Number of employees: 28,000
4
Identity Management Nightmare!
Multiple accounts, multiple credentials everywhere
5
The Liberty solution
6
FIDELITY project assumptions
  • Potential Identity Providers and Circles of Trust
    are numerous
  • Users will navigate among these Circles of Trust
  • One CoT should be able to establish trust
    relations with another CoT to allow Identity
    roaming

7
FIDELITY project in a nutshell
  • Set up 4 heterogeneous Circles of Trust
  • Deploy strong authentication mechanisms
  • Demonstrate the inter-operability of these Circles of Trust regarding
    • Liberty Alliance technical specifications
    • Business model
    • EU legal constraints
    • User experience
  • Provide standardisation and implementation contributions

8
FIDELITY project members
  • 4 telcos, setting up the CoTs
    • France Telecom, Amena, Telenor, TeliaSonera
  • 3 industrial partners, providing ID platforms and software
    • Ericsson, Gemalto, Italtel
  • 3 SMEs and 1 university, providing specific skills and software
    • TB-Security, Linus, Moviquity, Oslo University College

9
FIDELITY final results: Technical results
10
Implementation of principal CoTs/InterCoT infrastructure and services
  • The four CoTs in France, Finland, Norway and Spain have been established.
  • Each CoT has
    • an Identity Provider
    • some Service Providers with Web service consumers (WSC)
    • and some Attribute Providers (Web service providers, WSP)
  • In each CoT
    • ID-FF V1.2 (Identity Federation and SSO) has been fully tested
    • ID-WSF V1.1 (Identity Web Service Framework) has been tested
    • Products from different vendors have been used in order to test interoperability of Liberty software implementations

11
Architecture and Information flow (simplified view)
[Figure: the visited CoT (V-CoT) and the home CoT (H-CoT), with the numbered steps below]
1. A user accesses a service in the V-CoT.
2. The SP redirects the user to the V-IDP.
3. The V-IDP redirects/proxies the user to the H-IDP.
4. The H-IDP maps the authentication context request of the V-IDP and authenticates the user.
5-6. An authentication assertion including DS info is returned to the V-IDP and the V-SP.
7-8. The SP (WSC) requests the end point of the H-WSP from the H-DS in the H-CoT.
9-10. The SP (WSC) requests the service from the H-WSP.
11. According to the privacy settings, the H-WSP initiates a user-consent process via the SP and the Interaction Service. The WSP is also able to request stronger authentication via the WSC/SP.
12
The French CoT
  • User/password
  • EAP/SIM password
  • Software PKI
13
The Finnish CoT
  • User/password
  • One-time SMS password
  • WPKI
  • EAP/SIM
[Figure: the Finnish CoT authentication set-up; the labels GPRS and HLR mark the mobile-network elements used by EAP/SIM]
14
InterCoT Single Sign On
  • Authentication Contexts
[Figure: InterCoT SSO sequence diagram; only the "User Agent" label and the step "6. Authentication with the user" survive extraction]
15
InterCoT attribute sharing (ID-WSF)
  • InterCoT Discovery Service
    • Direct Access. By using this method, the V-WSC directly requests the Discovery Service of the H-CoT (H-DS).
    • DS-proxying. By using this method, the Discovery Service of the V-CoT (V-DS) acts as a DS-proxy between the V-WSC and the H-DS.
    • DS-chaining. By using this method, the V-WSC first requests the V-DS, which redirects it to the H-DS.
  • If direct access is used, then we recommend the deployment of a trust model based on PKI
[Figure: the three discovery-service access methods; one of them is marked "Tested"]
16
ID-WSF trust model for attribute sharing
IntraCoT vs. InterCoT
  • In IntraCoT, every (H-)SP / (H-)WSP pair has a direct business agreement implying a direct trust relationship
  • Technically, the trust between ID-WSF entities is established by exchanging metadata on a bilateral basis
  • In InterCoT, the business agreements are established only between IDPs; there is no direct business relationship between V-SP and H-WSP
  • Technically, exchanging metadata between every V-SP / H-WSP pair would be far too exhaustive: provisioning of metadata would require too much effort
  • The Fidelity PKI trust model enables a business model for InterCoT attribute sharing between V-SP and H-WSP
  • Technically, this is implemented by using hierarchical certificate path validation (RFC 3280)

17
InterCoT Relationship Establishment
  • CA certificate exchange
  • IDPs exchange the CA certificate chains and deliver them to their other IntraCoT entities (SPs and WSPs)
[Figure: two CoTs, each with a Root CA, a CoT CA, an IDP (IDP 1, IDP 2), SPs and WSPs; the CA certificates are exchanged between IDP 1 and IDP 2]

18
InterCoT Relationship Establishment
[Figure: Home CoT and Visited CoT. The SP cert, CoT CA cert and Root CA cert form a certificate chain compliant with RFC 3280; the CoT CA is associated with a CoT CRL; the SP/WSC trusts the peer CoT CA; on a service request to the WSP a certificate revocation status check is performed]
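Slides 16 to 18 describe the trust model: the IDPs exchange CA certificate chains, and each SP/WSC then validates a peer CoT's certificates by hierarchical path validation (RFC 3280). The Go program below is an added illustration and not the FIDELITY project's code: it constructs two throw-away CoT hierarchies (Root CA, CoT CA, WSP certificate) and shows that a V-SP can validate an H-WSP certificate only once its IDP has delivered the H-CoT Root CA certificate. The names Home/Visited, the helper functions and the use of Go's standard-library verifier for the path validation are assumptions; the CRL check of slide 18 is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER was just produced by CreateCertificate
	return cert, key
}

// CoT holds the hierarchy of slide 18: Root CA -> CoT CA -> end-entity (WSP) certificate.
type CoT struct{ Root, CA, WSP *x509.Certificate }

// BuildCoT sets up one constructed Circle of Trust under its own Root CA (assumed names).
func BuildCoT(name string) CoT {
	root, rootKey := mkCert(name+" Root CA", true, nil, nil)
	ca, caKey := mkCert(name+" CoT CA", true, root, rootKey)
	wsp, _ := mkCert(name+" WSP", false, ca, caKey)
	return CoT{Root: root, CA: ca, WSP: wsp}
}

// ValidatePath is the check a V-SP/WSC runs on a service request: path validation of the
// H-WSP certificate against the Root CA certificates its own IDP delivered after the exchange.
func ValidatePath(leaf *x509.Certificate, chain, anchors []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors { roots.AddCert(a) }
	for _, c := range chain { inter.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Call `ValidatePath(home.WSP, []*x509.Certificate{home.CA}, anchors)` with and without `home.Root` in `anchors` to see the effect of the IDP-mediated CA certificate exchange.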
19
FIDELITY final results: Business Scenarios, Actors benefits
20
Business scenarios
  • Closed Scenario
    • Single Company IDP and SP
  • Open Scenario
    • Telecom as IDP for external SP
  • Inter-CoT Scenario
    • Telecom Operator alliances with internal and external SPs
  • Inter-CoT Scenario, Multi-domains
    • Multi-domain IDP alliances with internal and external SPs

21
Actors Benefits
  • Identity Provider
    • Large user base
    • Attract new users
    • Enforce their trust relation with the user
    • Offer (sell) strong and complex authentication methods
  • Service Providers
    • Attract users
    • Simplify local user management
    • Use strong authentication
    • Rely on user identity attributes
  • User
    • Simple and secure authentication
    • Ease of attribute management, control of data dissemination
    • Respect of his privacy

[Figure: "The virtuous circle"]
22
FIDELITY final results: End User Experience
23
Circle of Trust (CoT) and Circle of CoT (CoCoT)
  • Concepts explanation and representation
    • Explain to the user what a CoT is and what a CoCoT is
    • Represent the concepts with pictures
  • CoT Homepage
    • Disclaimer
    • SSO description
    • Attribute sharing description
    • List of the SPs belonging to the CoT
    • Map of the CoT and the CoT's partners (CoCoT)
    • Registration area
    • Personal area for registered users

24
FIDELITY final results: Dissemination activities
25
Fidelity Dissemination
  • Advisory Boards in each telco
  • Liberty Meetings (plenary, TEG)
  • 3GSM World Congress 2007
  • IST 2006
  • E challenge
  • ISSE in Rome
  • Internet Global Congress Barcelona
  • Security and identity management event in Barcelona
  • France Telecom R&D result event in Paris
  • Telecom ID, Madrid
  • Celtic and Eureka events
  • Website: www.celtic-fidelity.org
  • Demo Kit: www.celtic-fidelity.org/fidelity/flash/
  • Public documents: www.celtic-fidelity.org/fidelity/Documentation.jsp
  • Standardization activities (Wallet and calendar ID-WSF Service Interface specifications)

26
Conclusion of the FIDELITY project
  • From a technical, business, legal and ergonomic
    point of view, Liberty solves the IDM issue and
    can be extended to InterCoT.
  • But read our public recommendations anyway
  • The very good cooperation and acceptance between
    all partners was the basis for the success of the
    project.
  • The consortium is satisfied with the results
    obtained and will now begin to exploit them.

27
Thank you for your attention. Any questions?