ABSTRACT
Security and trust play key roles in enabling the
emerging global information society. Identity management, a
cornerstone of establishing trust in the evolving Information and
Communications Technologies (ICT) infrastructure, is necessary to
control access to services and infrastructures, to protect personal
information, to perform online transactions, and to comply with legal
and regulatory requirements. A diverse set of identity management (IdM)
solutions exists for specific market segments and perspectives. Many
of these solutions are highly distributed and autonomous, resulting in
a need to establish a trusted, global, and interoperable IdM
capability.
This contribution provides an overview of key
concepts associated with identity management, outlines current
activities related to identity management, and recommends future work
on identity management within the PCC.I Working Group on Technology.
1. INTRODUCTION
A global information society is emerging, a society
based on fundamental principles, including the unimpeded ability to
communicate with others. New forms of media, ubiquitous devices, and
broadband interconnectivity are allowing all members of society to
create innovative content and to share their creations with others.
The global information society is also inducing major changes in our
global economic structure, enabling companies to conduct business, to
access information for critical decision making and to gain
competitive advantage. The productivity and revenue growth of small and
medium enterprises (SMEs) require access to the global
information society. Governments are also leveraging the emerging
information society to deliver services and information to their
citizenry, thus enabling a citizen’s access to their government.
Information and Communications Technologies (ICTs)
power this global information society. ICTs and associated
infrastructures are critical to a nation’s competitiveness and to the
global marketplace. ICT infrastructures also support and enable
society’s critical infrastructures, such as transportation, energy,
public safety, communications, etc. Our society – both economically
and socially – is inextricably tied to ICTs.
An evolution of the ICT infrastructure is underway.
Formerly separate networks delivering voice, data, and broadcast
services are converging into a unified IP network that enables the
emerging global information society, where everyone and everything is
connected. Paradoxically, this new converged network is inherently
more complex because of the increased number of interconnections
between components.
Fundamentally, security and trust play key roles in
enabling the global information society. For example, users must have
the confidence that online transactions, either with business or
government services, are secure and trustworthy. SMEs must also have
trust and confidence in their e-business transactions. Security and
trust become even more important factors with the use of ubiquitous
wireless devices, allowing access to new media and services, where
everyone is connected to everything.
Security in the emerging hyper-connected society
requires, in part, robust management of digital identities to
establish trust, to protect personal information, to control access to
services and infrastructures, to perform online transactions, and to
comply with legal and regulatory requirements. ICT infrastructures and
services have typically evolved with a diverse set of identity
management (IdM) solutions, many of which are highly distributed and
autonomous. There is a need to establish a trusted, global, and
interoperable IdM capability.
This contribution provides an overview of key
concepts associated with identity management and outlines current
activities related to identity management.
2. IDENTITY MANAGEMENT CONCEPTS
Identity may be viewed as an attribute of a
specific entity – a human, an organization, a service provider, an
application, a process, a sensor – in a specific context. While the
term “identity” has been used extensively in international standards
documents, it is often not explicitly defined.
The ITU-T has recently initiated an activity
related to identity management (see Section 3 for more details). As
part of this effort, one objective is to develop a common
understanding of the term “identity” that can be expressed in one or
more ways to meet the needs and expectations of ITU members. Recent (draft)
conclusions of this work indicate that identity, as used in current
standards, is a concept that allows for various kinds of
representations of an entity at some point in time and space with some
degree of desired consistency. An ontology of identity is proposed as
shown in Figure 1.
Figure 1: Ontology of Identity [Reference: ITU-T Correspondence Group Report on the Definition of the Term “Identity”, draft version 0.7, 22 February 2008]
According to this ontology, an entity is a real
person, legal person or object – which in turn can consist of anything
physical, network elements, or software or content. Identity is a
set of representations that are either asserted (e.g., an entity
saying “this is my identity”) or manifested by an entity.
Representations take some kind of physical or electro-optical form –
some of which may consist of digital expressions. There are four
distinct kinds of representations: identifiers, authenticators or
credentials, attributes, and patterns.
Identifiers are universally regarded as “names,
numbers, or addresses” which may arise in two different ways: either
assigned or registered by some authority, or self-issued.
Authenticators or credentials are certificates (e.g., ITU‑T X.509
digital certificates) or tokens which may be issued by an established
authority or self-issued. Attributes consist of any kind of
information with a binding to an identifier or authenticator that is
either registered or captured in conjunction with their use (e.g.,
geospatial location, transactional activity, and images). Patterns
take the form of either signatures derived from activity or reputation
when asserted by an entity for identity purposes.
Based on this ontology, the ITU-T Correspondence
Group Draft Report defines identity as [Reference:
ITU-T Correspondence Group Report
on the Definition of the Term “Identity”, draft version 0.7, 22
February 2008]:
identity. The assertion or manifestation of a structured
representation of an entity in the form of one or more credentials,
identifiers, attributes, or patterns. Such representations can take
any physical or electro-optical form or syntax, and have associated
implicit or explicit time-stamp and location specifications.
It should also be
noted that at the TSAG meeting in December 2007, it was agreed, for ITU-T
purposes, that the identity asserted by an entity represents the
uniqueness of that entity in a specific context and is not intended to
indicate positive validation of a person. The recent results of the
Correspondence Group activity will be presented to TSAG for further
deliberation.
The
Correspondence Group Draft Report also defined identity management as:
identity management. The diverse arrays of different technical,
operational, and legal systems and practices involving the structured
capture, syntactical expression, storage, tagging, retrieval, and
destruction of entity identities.
A large number of industry groups and
standards organizations are working on standardizing aspects of
identity management (see Section 3). Generally, different groups
develop optimum solutions for specific market segments and
perspectives (e.g., user-centric, application-centric [web services
and electronic commerce], and network-centric perspectives). The
result is a variety of identity-based solutions that ultimately should
interoperate with each other.
The ITU-T surveyed many of these
initiatives and identified seven groups of common global IdM
requirements, although there were diverse existing capabilities within
each group [Reference: ITU-T Focus Group Identity Management
Output: Report on Requirements for Global Interoperable
Identity Management, September 2007]:
1. A common, structured identity management model and identity management plane.
2. Provision of core credential, identifier, attribute, and pattern identity services with known assurance levels to all entities.
3. Discovery of authoritative identity provider resources, services, and federations.
4. Interoperability among authorization privilege management platforms, identity providers and provider federations, including identity bridge providers.
5. Security and other measures for reduction of identity threats and risks, including protection of identity resources and personally identifiable information.
6. Auditing and compliance, including policy enforcement and protection of personally identifiable information.
7. Usability, scalability, performance, reliability, availability, internationalization, and disaster recovery.
Identity management
therefore provides assurance of identity information that supports
secure, trusted access control. Identity management supports a
multitude of identity-based services that include targeted
advertising, personalized services based on geo-location and interest,
and authenticated services to decrease fraud and identity theft.
A trusted, global, interoperable IdM
capability is a goal that would help meet the needs of the evolving,
hyper-connected ICT infrastructure and services.
3. ACTIVITIES RELATED TO IDENTITY
MANAGEMENT
As previously noted, there are many
activities that relate to identity management standardization. A non-exhaustive
list of identity management activities is presented below in three
categories:
- Standardization bodies and similar organizations: de jure/de facto standards including standards development organizations such as ITU-T, partnership projects such as 3GPP, and well-established open communities such as IETF and Liberty Alliance Project.
- Research activities: aimed at developing IdM technologies.
- Other IdM related activities: examples include open source projects and advocacy groups.
Standardization bodies and similar organizations
- 3GPP: Developed specifications related to Subscription Management (SuM);
- ATIS: Packet Technologies and Systems Committee (PTSC) is studying IdM;
- ETSI: TISPAN developed specifications related to Subscription Management (SuM);
- IETF: Developed many resource/entity identification specifications, including Uniform Resource Identifier/Name, Internationalized Resource Identifier, Uniform Resource Name, Universally Unique Identifier, Enhancements for Authenticated Identity Management in the Session Initiation Protocol, etc.
- ISO/IEC: ISO/IEC JTC 1/SC 27 (Information Technology – Security Techniques) has approved a new project on IdM.
- ITU-T: a number of Study Groups deal with various aspects of Identity Management. The Telecommunication Standardization Bureau has recently created the Identity Management Global Standards Initiative (IdM-GSI) to focus on developing the detailed standards necessary for deployment of IdM capabilities that enable secure and trustworthy assertions about digital identities used in telecommunications, control networks, and a variety of service offerings. IdM-GSI harmonizes, in collaboration with other bodies, different approaches to IdM worldwide.
- Liberty Alliance Project: Specified an open standard for federated network identity that is intended to support current and emerging network devices, offering a secure way to control digital identity information.
- OASIS (Organization for the Advancement of Structured Information Standards): Developed identity management platforms including: Security Assertion Markup Language, eXtensible Access Control Markup Language, Service Provisioning Markup Language, eXtensible Resource Identifier, and Web Services Security.
- OECD: Identity management in the online environment is seen as a key enabler for electronic business and electronic government because it facilitates the expansion of information systems and network boundaries and increases access points. A workshop was held that brought together experts from government, industry and civil society to explore the main information security and privacy issues surrounding digital identity management.
- Open Mobile Alliance: Developed specifications related to IdM including an Identity Management Framework Requirements document.
- World Wide Web Consortium (W3C): Developed recommendations for XML aspects of IdM.
Research activities
- Archival Resource Key: a naming scheme designed to facilitate the high-quality and persistent identification of information objects.
- The European Union / European Commission supports a number of projects relating to IdM, including:
  - Future of Identity in the Information Society (FIDIS): shaping the requirements for the future management of identity in the European Information Society and contributing to the technologies and infrastructures needed;
  - GUIDE: conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe;
  - Privacy and Identity Management for Europe (PRIME): aims to develop a working prototype of a privacy-enhancing Identity Management System.
Other IdM related activities
- Higgins: A framework that will enable users and enterprises to integrate identity, profile, and relationship information across multiple systems. Using context providers, existing and new systems such as directories, collaboration spaces, and communications technologies (e.g. Microsoft/IBM WS-*, LDAP, email, IM, etc.) can be plugged into the Higgins framework. Applications written to the Higgins API can virtually integrate the identity, profile, and relationship information across these heterogeneous systems.
- OpenID: open source community solution for IdM. It is a lightweight method of identifying individuals that uses the same technology framework that is used to identify websites.
- Shibboleth: Standards-based, open source middleware software which provides Web Single Sign-On (SSO) across or within organizational boundaries. The Shibboleth software implements the OASIS SAML specification, providing a federated Single Sign-On and attribute exchange framework.
This list is only a sample of the many
activities underway in the identity management area. Harmonization of
these different approaches, while leveraging research and deployment
experiences, is a key goal for the international community.
4. CONCLUSIONS AND RECOMMENDATIONS
Security and trust play key roles in enabling the
emerging global information society. Identity management, a
cornerstone of establishing trust in the evolving ICT infrastructure,
is necessary to control access to services and infrastructures, to
protect personal information, to perform online transactions, and to
comply with legal and regulatory requirements. A diverse set of
identity management (IdM) solutions exists for specific market segments and
perspectives. Many of these solutions are highly
distributed and autonomous, resulting in a need to establish a
trusted, global, and interoperable IdM capability.
The ITU-T is leading the international community to
harmonize IdM solutions through its recently created Identity
Management Global Standards Initiative (IdM-GSI). The IdM-GSI is also
focused on developing the detailed standards necessary for deployment
of IdM capabilities to enable secure and trustworthy assertions about
digital identities used in telecommunications, control networks, and a
variety of service offerings.
It is recommended that the PCC.I Working Group on
Technology consider initiating a study of identity management in the
countries of the region. In addition, it is recommended that the PCC.I
Rapporteur group on Standards Coordination monitor identity management
related activities, especially the work of the IdM-GSI in the ITU-T,
with a view to proposing Coordinated Standards Documents when
appropriate.
5. REFERENCES
[1] ITU-T Correspondence Group Report on the Definition of the Term “Identity”, draft version 0.7, 22 February 2008.
[2] ITU-T Focus Group Identity Management Output: Report on Requirements for Global Interoperable Identity Management, September 2007.
[3] ITU-T Focus Group Identity Management Output: Report on Identity Management Ecosystem and Lexicon, September 2007.
Oscar Avellaneda, Senior Manager, NGN Architecture
and
Lewis Robart, Senior Analyst, IP Telecom and Security
Additional Information: Published as document CCP.I-TEL/doc. 1249/08.