toward global interoperable identity management€¦ · service provider or network operator –...
TRANSCRIPT
InternationalTelecommunication
UnionGeneva, 10-11 September 2007
ITU-T Workshop onMultimedia in NGN
Anthony-Michael RutkowskiVice-President, VeriSign
Chair, ITU-T IdM FG Requirements WG
V0.9, 7 Sep 2007
Toward global Interoperable Identity Management
Toward global Interoperable Toward global Interoperable Identity ManagementIdentity Management
InternationalTelecommunication
Union
Outline
What is Identity Management and why was a Focus Group created?Significant recent IdM industry development examplesSuccess of the Initial FG IdM workTimeline ContextFocus Group Products
Requirements structure and summary
IdM for object communicationsImplications for NGN and other developments
Multimedia in NGNGeneva, 10-11 September 2007
2
InternationalTelecommunication
Union
What is Identity ManagementWhy an ITU-T Focus Group
Management of digital identityAll trusted ICT and network capabilities and resources for
Authentication (e.g., certificates)Identifiers (e.g., E.164 nos., URIs, OIDs, IP addresses, domain names)Attributes (e.g., names, location)Patterns and reputation
For entities of any kindPeopleOrganizationsObjects (e.g., devices, SIMs, RFIDs, content..)
Common global needs for interoperability
Platforms, discovery, practices, and trust modelsVery diverse activities and stakeholders worldwideAutonomous networks for nomadic always-on, anytime, anywhere servicesEssential for network/cybersecurityOne of the most important development areas in industry today
An open ITU-T Focus Group enjoys a unique value proposition
Outreach and bringing all IdM perspectives and communities togetherAnalysing use cases, platforms, gapsProviding initial requirements, framework(s), reference informationFollowup actions remain with ITU and other industry forums
Multimedia in NGNGeneva, 10-11 September 2007
3
InternationalTelecommunication
Union
Shift to Identity Providers
4
Wireline
Legacy Identity Management
Multimedia in NGNGeneva, 10-11 September 2007
Wireline
Next Generation Identity Management
InternationalTelecommunication
Union
Significant recent IdM industry development examples
5
OpenID emerged as a large-scale, open, non-proprietary means to implement IdM as•a fully decentralized system. •a much lighter cost structure
InfoCard emerged as a large-scale, open, proprietary (Microsoft) means to implement IdM on a large-scale with ubiquitous computer/ commercial wireless operating systems
Multimedia in NGNGeneva, 10-11 September 2007
InternationalTelecommunication
Union
The Challenge: Different Perspectives on IdM
Multimedia in NGNGeneva, 10-11 September 2007
6
UsersUsers NetworkNetworkOperatorsOperators
GovernmentGovernmentApplicationApplicationProvidersProviders
IdentityIdentityBridgesBridges
InternationalTelecommunication
Union
Identity ManagementFocus Group Basics
Participants and their diversity139 different people, 88 different organizations in 22 countries
Meeting location diversityGeneva (2), Mountain View, Tokyo, Boston
Contributions and their diversity114 input contributions from 41 different companies and organizations
Outreach diversityDiscovered, analyzed, and in many cases contacted more than 100 different IdM forums within more than 60 different organizationsMade use of unofficial IdM Focus Group Wiki; extensive teleconferencing for meetings
Four Major ReportsRequirements for Global Interoperability: structure & provisions
73 Requirements and Recommendations in seven sectorsIdentity Management Use Cases, Platforms, Gaps
Scores of Use CasesIdentity Management Framework(s)
Initial draft frameworkIdentity Management Ecosystem and Lexicon
Three IdM Reference Compendiums/Living ListsEcosystem (60 organizations)LexiconLegal & regulatory (35 IdM requirements in 9 topical groupings)
Multimedia in NGNGeneva, 10-11 September 2007
7
InternationalTelecommunication
Union
IdM Focus Group Timeline Context
8Multimedia in NGNGeneva, 10-11 September 2007
20062006 20072007 20082008
Identity Management Focus Group
CreatedDec
CreatedDec
1 - Geneva13-16 Feb1 - Geneva13-16 Feb
2 - Geneva23-25 Apr2 - Geneva23-25 Apr
5 - Cambridge27-30 Aug
5 - Cambridge27-30 Aug
4 -Tokyo17-20 Jul4 -Tokyo17-20 Jul
Phase 1
Phase 1
3- MountainView
17-18 May
3- MountainView
17-18 May
Phase 2
Phase 2
SG13 Q.15 Rec. Y.IdMsec Draft Group
SG17Q.6
X.Idmf Draft Group
WTSA
TSAG
InternationalTelecommunication
Union
Focus Group Products
Requirements structure and provisionsUse cases, platforms, gapsDraft framework(s)Reference materials
EcosystemLexiconLegal & regulatory compendium
Multimedia in NGNGeneva, 10-11 September 2007
9
InternationalTelecommunication
Union 10Multimedia in NGNGeneva, 10-11 September 2007
InternationalTelecommunication
Union
Requirements for Global Interoperable IdM: the Seven Pillars
Multimedia in NGNGeneva, 10-11 September 2007
11
PeoplePeopleOrganizationsOrganizations
Objects, Sensors
and Control Systems
Objects, Sensors
and Control Systems
InternationalTelecommunication
Union
IDM ModelIDM Model
Multimedia in NGNGeneva, 10-11 September 2007
12
IDM PlaneIDM Plane
Requesting/Asserting
Entity
RelyingParty Entity
IdentityProvider(s)
Identity Assertion
Query(ies) to Identity Resources
Response Response
Man
agem
ent Fun
ctions
Iden
tity M
anagem
ent
Identity Model Based Interoperability
Service Stratum
Transport Stratum
Applications
Relying Party is most often the service provider or network operator – which may also be an Identity Provider
InternationalTelecommunication
Union
16 requirements/recommendations concerning support for identified entities below21 requirements/recommendations applicable to IdPs for credential, identifier, attribute, pattern and assurance servicesEspecially important
Interoperable protocols, including objectsAssurance/confidence metricsDelegationLifecycle managementImproved identity proofing and discovery for public network identifiers in hierarchical assignment identifier structures
Multimedia in NGNGeneva, 10-11 September 2007
13
End-User Entities
(Requesting/Asserting Identities)
• Real persons• Legal persons
• Institutions• Organizations• Guardians/agents• Group
• Objects• Physical
• Terminal devices• Network equipment• SIM or Smart Card
• Virtual • Software• Geospatial• Content
Identity Providers
(to End-Users)
• Credential provider• Identifier provider• Attribute provider• Pattern/reputation
provider• Discovery provider• Identity Bridge
provider• Auditing or Policy
Enforcement provider• Federations
Relying Parties(Using asserted
identities)
• Service or resource provider
• Alliances
InternationalTelecommunication
UnionMultimedia in NGNGeneva, 10-11 September 2007
14
3 requirements and recommendationsEspecially important
Global mechanisms for discovery of asserted forms of identityDetermining source for “authoritative” identitiesInterfederation bridging capabilities
Should include characteristics and policies of the interfaces, dynamic registration and de-registration of federation relationships, authentication, permissions, and attributes
Provider business agreements and federation based policies
InternationalTelecommunication
UnionMultimedia in NGNGeneva, 10-11 September 2007
15
7 recommendations concerning platform interoperabilityIncludes the use of federations and Identity Bridge providers by end usersImportant recommendations
Support for authentication domains within alliances and federations
InternationalTelecommunication
UnionMultimedia in NGNGeneva, 10-11 September 2007
16
13 recommendations applicable to IdPs security of identity resources, including 4 specifically related to protection of personally identifiable informationImportant recommendations
Support for non-repudiation of assertionsConsider adopted global standards in ITU, ISO and other bodies for Identity Assurance and AuthenticationDynamic establishment of time-limited trust mechanisms for transient and changed relationshipsSupport for terminal device objects (e.g., SIM cards)Notification of compromised identity resources to affected partiesSupport for multi-factor authenticationIdM identity proofing matching different authentication contexts, especially when requestedProvide levels of identity protection, including support for relevant OECD privacy guidelinesProvide end user transparency and notification capabilities relevant to protection of personally identifiable information
InternationalTelecommunication
UnionMultimedia in NGNGeneva, 10-11 September 2007
17
3 requirements/recommendations for auditing and complianceEspecially important
Support for use of auditing mechanisms and exchange of information about those mechanismsRecommended time-stamp accuracy
Area where more work would occur in Phase II of the Focus Group
InternationalTelecommunication
UnionMultimedia in NGNGeneva, 10-11 September 2007
18
3 recommendations applicable to Useability, Scaleability, Performance, Reliability, Availability, Accounting, Internationalization, and Disaster RecoveryImportant recommendation include support for accounting mechanismsArea where more work would occur in Phase II of the Focus Group
InternationalTelecommunication
Union
Object Communications
Most Identity Management capabilities apply equally to all object communicationsSome objects that are terminal based (e.g., SIM cards, physical credential readers, geospatial units, and sensors readers) both support and require significant IdM capabilitiesSupport for autonomous networked object IdM interoperabilitys requires further study together with JCA-NID, SG4 (OA&M), and other object-oriented bodies
How will competing object demands for network resources be prioritized and managed, especially during emergency conditions or network failuresWhat legal responsibilities and rights are associated with objects and how they expressed globally and discoveredThis work is an important part of proposed FG IdM Phase II remit
Multimedia in NGNGeneva, 10-11 September 2007
19
InternationalTelecommunication
Union
Implications for NGN and other developments
Almost every ITU-T Study Group has new Identity Management action items
Unclear how to coordinateSignificant WTSA 2008 implications
Actions also essential network/cyber securityRequirements include changes to IdM administrative practices TSB IdM responsibilities and ITU organs are similarly implicatedincluding responding to global IdM needs at WTSA and other venues
How is global discovery of authoritative identifiers and other identity resources going to occur
GSC-12 resolution calls for an ITU global coordinating role across array of standards bodiesNumerous new and evolved
Opportunities for businessActions for government
Second Phase of Focus Group IdM aimed atCompleting frameworkAssisting implication assessmentDealing with objectsFacilitating transfer of work to Study Groups and other forums
Multimedia in NGNGeneva, 10-11 September 2007
20