mature digital trust infrastructure - are we there yet?
DESCRIPTION
Presented at the European e-Identity Management Conference 2011 in Tallinn, Estonia: Reflections on current Government approaches to Trust, federation and identity management. What needs to change as we move forward. We have come a long way with PKI, federation standards, trust frameworks, etc. but are we there yet? Where is there still work to be done and mindsets to be changed?
TRANSCRIPT
![Page 1: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/1.jpg)
Mature Digital Trust Infrastructure Are we there yet?
Søren Peter Nielsen, Chief IT Architect, Danish National IT and Telecom Agency
presented June 9th at European e-Identity Management Conference 2011, Tallinn, Estonia
![Page 2: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/2.jpg)
Identities in eGovernment - a look to the future
• Mature Digital Trust Infrastructure - Are we there yet? Reflections on current Government approaches to Trust, federation and identity management. What needs to change as we move forward. We have come a long way with PKI, federation standards, trust frameworks, etc. but are we there yet? Where is there still work to be done and mindsets to be changed?
![Page 3: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/3.jpg)
Conceptually – It seems simple
![Page 4: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/4.jpg)
Web SSO Model
[Diagram: Identity Provider, Service Provider, Authentication Authority and Attribute Authority inside a "Circle of Trust", with the login exchange shown as numbered steps 1 to 7]
![Page 5: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/5.jpg)
Federation Building Blocks
[Diagram: Business & Operating Rules; Policy; Technical Standards; Operational Infrastructure; Service Providers / Identity Providers; Auditing / Accreditation]
![Page 6: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/6.jpg)
Authentication Assurance Levels
[Diagram: the need for identity assurance rises from Low through Medium and High to Very High with the risk of the transaction (Access to Protected Website; Applying for a Loan Online; Obtaining Govt. Benefits; Employee Screening for a High Risk Job), and cost ($) rises with the strength of the token (PIN/User ID; Knowledge-Based; Strong Password; PKI/Digital Signature; Multi-Factor Token)]
![Page 7: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/7.jpg)
Areas that determine the Level of Assurance
• Tokens (typically a cryptographic key or password) for proving identity,
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Remote authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of a remote authentication to other parties.
![Page 8: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/8.jpg)
EU eGov Benchmark 2010 - Fundamental IT enablers / Key Horizontal Enablers
![Page 9: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/9.jpg)
Have we crossed the chasm for eID?
![Page 10: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/10.jpg)
Do we have full adoption?
Credit to: Simon Wardley
![Page 11: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/11.jpg)
Do we have the right assumptions?
[Diagram: Intended Strategy → Deliberate Strategy → Realised Strategy, annotated "Fix This!", "IDM dev" and "Fixed!"]
![Page 12: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/12.jpg)
The world is not standing still
[Diagram: Intended Strategy → Deliberate Strategy → Realised Strategy, alongside Unrealised Strategy and Emergent Strategy, annotated "Fixed! ???"]
![Page 13: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/13.jpg)
No organisation is an Island anymore
![Page 14: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/14.jpg)
But the approach to Identity and Access management is still rooted in industrial age thinking
Architecture and mindsets are locked into the identification-oriented paradigm
![Page 15: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/15.jpg)
Areas with requirements determining Assurance level
• Tokens (typically a cryptographic key or password) for proving identity,
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Remote authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of a remote authentication to other parties.
![Page 16: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/16.jpg)
Architecture and mindsets
• Are locked into the identification-oriented paradigm
• To grow adoption beyond what can be accomplished using current approaches an architecture that supports both the identification- and validation-oriented paradigms is needed
![Page 17: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/17.jpg)
Validation-oriented paradigm
Instead of all applications identifying the users and coupling local data to the identity (e.g. SSN), data is coupled to virtual identities (pseudonyms), which are subject to validation (i.e. the user can prove that he represents a pseudonym via a secret key).
[Diagram labels, translated from Danish: User (physical person); Service providers; Virtual identities]
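The following is an added example, not code from the talk or from the Danish National IT and Telecom Agency. It ties together the Web SSO model, the assurance-level ladder and the validation-oriented paradigm from the slides above: an identity provider that knows the user's SSN issues assertions to service providers in its circle of trust, but each assertion carries a pairwise pseudonym (so no two service providers can join their records on the SSN) plus the level of assurance of the credential used, which the service provider compares against what its own service demands. Two simplifications are assumptions of the example: an HMAC with a key shared between IdP and SP stands in for the XML signature a real SAML IdP would apply, and the pseudonym is derived by the IdP from its own master secret rather than proved by a user-held key. All host names, keys and the sample user are constructed.

```python
# Added example (constructed names, keys and user; not code from the talk):
# a toy federated SSO exchange with pairwise pseudonyms and assurance levels.
import hashlib
import hmac
import json
import secrets
import time

class IdentityProvider:
    def __init__(self, pseudonym_secret):
        self._pseudonym_secret = pseudonym_secret   # IdP's secret behind all pseudonyms
        self._sp_keys = {}    # circle of trust: SP id -> key shared with that SP
        self._subjects = {}   # SSN -> attributes and LoA of the issued credential

    def enrol_sp(self, sp_id):
        self._sp_keys[sp_id] = secrets.token_bytes(32)
        return self._sp_keys[sp_id]

    def register_subject(self, ssn, attributes, loa):
        self._subjects[ssn] = {"attributes": attributes, "loa": loa}

    def pseudonym_for(self, ssn, sp_id):
        # Pairwise pseudonym: stable for one user at one SP, different at every
        # other SP, so SPs cannot join their records on a national identifier.
        msg = f"{ssn}|{sp_id}".encode()
        return hmac.new(self._pseudonym_secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue_assertion(self, ssn, sp_id, requested_attrs, now=None):
        subj = self._subjects[ssn]
        now = int(time.time()) if now is None else now
        body = {
            "iss": "idp.example", "aud": sp_id,
            "sub": self.pseudonym_for(ssn, sp_id),   # never the SSN itself
            "loa": subj["loa"],
            "attrs": {k: v for k, v in subj["attributes"].items() if k in requested_attrs},
            "iat": now, "exp": now + 300, "nonce": secrets.token_hex(8),
        }
        # HMAC over canonical JSON stands in for the IdP's XML signature (assumption).
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self._sp_keys[sp_id], payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "mac": mac}

class ServiceProvider:
    def __init__(self, sp_id, idp_key, required_loa):
        self.sp_id = sp_id
        self._idp_key = idp_key
        self.required_loa = required_loa   # assurance the service demands, 1..4
        self._seen_nonces = set()

    def validate(self, assertion, now=None):
        """Return (body, status); body is None unless status is 'ok'."""
        payload = assertion["payload"].encode()
        expected = hmac.new(self._idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return None, "bad signature"
        body = json.loads(payload)
        now = int(time.time()) if now is None else now
        if body["aud"] != self.sp_id:
            return None, "wrong audience"
        if not body["iat"] <= now < body["exp"]:
            return None, "expired"
        if body["nonce"] in self._seen_nonces:
            return None, "replay"
        if body["loa"] < self.required_loa:
            return None, "insufficient assurance"
        self._seen_nonces.add(body["nonce"])
        return body, "ok"   # local data is then keyed by body["sub"], not by SSN

def run_demo(now=1_700_000_000):
    idp = IdentityProvider(pseudonym_secret=b"constructed-master-secret")
    ssn = "010170-1234"   # constructed; stays inside the IdP
    idp.register_subject(ssn, {"age_over_18": True, "name": "A. Example"}, loa=2)
    # Two SPs from the slide's risk ladder: a protected website (Low = 1) and
    # an online loan application (High = 3).
    site = ServiceProvider("site.example", idp.enrol_sp("site.example"), required_loa=1)
    bank = ServiceProvider("loan.example", idp.enrol_sp("loan.example"), required_loa=3)

    a_site = idp.issue_assertion(ssn, site.sp_id, ["age_over_18"], now)
    body, site_status = site.validate(a_site, now)
    _, replay_status = site.validate(a_site, now)   # same assertion presented twice
    a_bank = idp.issue_assertion(ssn, bank.sp_id, ["name"], now)
    _, bank_status = bank.validate(a_bank, now)     # LoA 2 credential, LoA 3 required
    tampered = dict(a_site, payload=a_site["payload"].replace('"loa":2', '"loa":4'))
    _, tamper_status = site.validate(tampered, now)
    return {
        "site": site_status, "site_replay": replay_status,
        "bank": bank_status, "tampered": tamper_status,
        "pseudonym_site": body["sub"],
        "pseudonym_bank": json.loads(a_bank["payload"])["sub"],
        "ssn_leaked": ssn in a_site["payload"],
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running `run_demo()` shows the two halves of the argument: the same person appears under two unrelated pseudonyms at the website and at the bank, and no assertion carries the SSN; at the same time the bank refuses the Medium-assurance credential because its service sits higher on the risk ladder, and a replayed or tampered assertion is rejected before any local data is touched.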
![Page 18: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/18.jpg)
Credit to: Simon Wardley
![Page 19: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/19.jpg)
Credit to: Simon Wardley
![Page 20: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/20.jpg)
Credit to: Simon Wardley
identification- and validation-oriented paradigms
identification-oriented paradigm
![Page 21: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/21.jpg)
Credit to: Simon Wardley
Digital Trust Infrastructure
![Page 22: Mature Digital Trust Infrastructure - Are we there yet?](https://reader034.vdocuments.us/reader034/viewer/2022052410/547989adb4af9f09148b474f/html5/thumbnails/22.jpg)
Are We There Yet?
• There is still a long way to go before we reach maturity
• On the short run
– We need to re-think our architecture to support a validation-oriented paradigm as well as an identification-oriented paradigm
• On the long run
– We need to be conscious that the world is not standing still while working on the Next Big IDM Thing