toward global interoperable identity management€¦ · service provider or network operator –...

InternationalTelecommunication

UnionGeneva, 10-11 September 2007

ITU-T Workshop onMultimedia in NGN

Anthony-Michael RutkowskiVice-President, VeriSign

Chair, ITU-T IdM FG Requirements WG

V0.9, 7 Sep 2007

Toward global Interoperable Identity Management

Toward global Interoperable Toward global Interoperable Identity ManagementIdentity Management


Union

Outline

What is Identity Management and why was a Focus Group created?Significant recent IdM industry development examplesSuccess of the Initial FG IdM workTimeline ContextFocus Group Products

Requirements structure and summary

IdM for object communicationsImplications for NGN and other developments

Multimedia in NGNGeneva, 10-11 September 2007

2


Union

What is Identity ManagementWhy an ITU-T Focus Group

Management of digital identityAll trusted ICT and network capabilities and resources for

Authentication (e.g., certificates)Identifiers (e.g., E.164 nos., URIs, OIDs, IP addresses, domain names)Attributes (e.g., names, location)Patterns and reputation

For entities of any kindPeopleOrganizationsObjects (e.g., devices, SIMs, RFIDs, content..)

Common global needs for interoperability

Platforms, discovery, practices, and trust modelsVery diverse activities and stakeholders worldwideAutonomous networks for nomadic always-on, anytime, anywhere servicesEssential for network/cybersecurityOne of the most important development areas in industry today

An open ITU-T Focus Group enjoys a unique value proposition

Outreach and bringing all IdM perspectives and communities togetherAnalysing use cases, platforms, gapsProviding initial requirements, framework(s), reference informationFollowup actions remain with ITU and other industry forums


3


Union

Shift to Identity Providers

4

Wireline

Legacy Identity Management


Wireline

Next Generation Identity Management


Union

Significant recent IdM industry development examples

5

OpenID emerged as a large-scale, open, non-proprietary means to implement IdM as•a fully decentralized system. •a much lighter cost structure

InfoCard emerged as a large-scale, open, proprietary (Microsoft) means to implement IdM on a large-scale with ubiquitous computer/ commercial wireless operating systems



Union

The Challenge: Different Perspectives on IdM


6

UsersUsers NetworkNetworkOperatorsOperators

GovernmentGovernmentApplicationApplicationProvidersProviders

IdentityIdentityBridgesBridges


Union

Identity ManagementFocus Group Basics

Participants and their diversity139 different people, 88 different organizations in 22 countries

Meeting location diversityGeneva (2), Mountain View, Tokyo, Boston

Contributions and their diversity114 input contributions from 41 different companies and organizations

Outreach diversityDiscovered, analyzed, and in many cases contacted more than 100 different IdM forums within more than 60 different organizationsMade use of unofficial IdM Focus Group Wiki; extensive teleconferencing for meetings

Four Major ReportsRequirements for Global Interoperability: structure & provisions

73 Requirements and Recommendations in seven sectorsIdentity Management Use Cases, Platforms, Gaps

Scores of Use CasesIdentity Management Framework(s)

Initial draft frameworkIdentity Management Ecosystem and Lexicon

Three IdM Reference Compendiums/Living ListsEcosystem (60 organizations)LexiconLegal & regulatory (35 IdM requirements in 9 topical groupings)


7


Union

IdM Focus Group Timeline Context

8Multimedia in NGNGeneva, 10-11 September 2007

20062006 20072007 20082008

Identity Management Focus Group

CreatedDec

CreatedDec

1 - Geneva13-16 Feb1 - Geneva13-16 Feb

2 - Geneva23-25 Apr2 - Geneva23-25 Apr

5 - Cambridge27-30 Aug

5 - Cambridge27-30 Aug

4 -Tokyo17-20 Jul4 -Tokyo17-20 Jul

Phase 1

Phase 1

3- MountainView

17-18 May

3- MountainView

17-18 May

Phase 2

Phase 2

SG13 Q.15 Rec. Y.IdMsec Draft Group

SG17Q.6

X.Idmf Draft Group

WTSA

TSAG


Union

Focus Group Products

Requirements structure and provisionsUse cases, platforms, gapsDraft framework(s)Reference materials

EcosystemLexiconLegal & regulatory compendium


9


Union 10Multimedia in NGNGeneva, 10-11 September 2007


Union

Requirements for Global Interoperable IdM: the Seven Pillars


11

PeoplePeopleOrganizationsOrganizations

Objects, Sensors

and Control Systems

Objects, Sensors

and Control Systems


Union

IDM ModelIDM Model


12

IDM PlaneIDM Plane

Requesting/Asserting

Entity

RelyingParty Entity

IdentityProvider(s)

Identity Assertion

Query(ies) to Identity Resources

Response Response

Man

agem

ent Fun

ctions

Iden

tity M

anagem

ent

Identity Model Based Interoperability

Service Stratum

Transport Stratum

Applications

Relying Party is most often the service provider or network operator – which may also be an Identity Provider


Union

16 requirements/recommendations concerning support for identified entities below21 requirements/recommendations applicable to IdPs for credential, identifier, attribute, pattern and assurance servicesEspecially important

Interoperable protocols, including objectsAssurance/confidence metricsDelegationLifecycle managementImproved identity proofing and discovery for public network identifiers in hierarchical assignment identifier structures


13

End-User Entities

(Requesting/Asserting Identities)

• Real persons• Legal persons

• Institutions• Organizations• Guardians/agents• Group

• Objects• Physical

• Terminal devices• Network equipment• SIM or Smart Card

• Virtual • Software• Geospatial• Content

Identity Providers

(to End-Users)

• Credential provider• Identifier provider• Attribute provider• Pattern/reputation

provider• Discovery provider• Identity Bridge

provider• Auditing or Policy

Enforcement provider• Federations

Relying Parties(Using asserted

identities)

• Service or resource provider

• Alliances


UnionMultimedia in NGNGeneva, 10-11 September 2007

14

3 requirements and recommendationsEspecially important

Global mechanisms for discovery of asserted forms of identityDetermining source for “authoritative” identitiesInterfederation bridging capabilities

Should include characteristics and policies of the interfaces, dynamic registration and de-registration of federation relationships, authentication, permissions, and attributes

Provider business agreements and federation based policies



15

7 recommendations concerning platform interoperabilityIncludes the use of federations and Identity Bridge providers by end usersImportant recommendations

Support for authentication domains within alliances and federations



16

13 recommendations applicable to IdPs security of identity resources, including 4 specifically related to protection of personally identifiable informationImportant recommendations

Support for non-repudiation of assertionsConsider adopted global standards in ITU, ISO and other bodies for Identity Assurance and AuthenticationDynamic establishment of time-limited trust mechanisms for transient and changed relationshipsSupport for terminal device objects (e.g., SIM cards)Notification of compromised identity resources to affected partiesSupport for multi-factor authenticationIdM identity proofing matching different authentication contexts, especially when requestedProvide levels of identity protection, including support for relevant OECD privacy guidelinesProvide end user transparency and notification capabilities relevant to protection of personally identifiable information



17

3 requirements/recommendations for auditing and complianceEspecially important

Support for use of auditing mechanisms and exchange of information about those mechanismsRecommended time-stamp accuracy

Area where more work would occur in Phase II of the Focus Group



18

3 recommendations applicable to Useability, Scaleability, Performance, Reliability, Availability, Accounting, Internationalization, and Disaster RecoveryImportant recommendation include support for accounting mechanismsArea where more work would occur in Phase II of the Focus Group


Union

Object Communications

Most Identity Management capabilities apply equally to all object communicationsSome objects that are terminal based (e.g., SIM cards, physical credential readers, geospatial units, and sensors readers) both support and require significant IdM capabilitiesSupport for autonomous networked object IdM interoperabilitys requires further study together with JCA-NID, SG4 (OA&M), and other object-oriented bodies

How will competing object demands for network resources be prioritized and managed, especially during emergency conditions or network failuresWhat legal responsibilities and rights are associated with objects and how they expressed globally and discoveredThis work is an important part of proposed FG IdM Phase II remit


19


Union

Implications for NGN and other developments

Almost every ITU-T Study Group has new Identity Management action items

Unclear how to coordinateSignificant WTSA 2008 implications

Actions also essential network/cyber securityRequirements include changes to IdM administrative practices TSB IdM responsibilities and ITU organs are similarly implicatedincluding responding to global IdM needs at WTSA and other venues

How is global discovery of authoritative identifiers and other identity resources going to occur

GSC-12 resolution calls for an ITU global coordinating role across array of standards bodiesNumerous new and evolved

Opportunities for businessActions for government

Second Phase of Focus Group IdM aimed atCompleting frameworkAssisting implication assessmentDealing with objectsFacilitating transfer of work to Study Groups and other forums


20

toward global interoperable identity management€¦ · service provider or network operator –...

Documents