Living List of Identity Management Forums

From ITUwiki


NOTE: THIS LIST IS STILL UNDER DEVELOPMENT AND NOT COMPLETE

See also Living List of Identity Management Terminology


Each entry below gives the forum or body, a description of its identity-management work, its URL reference(s) in brackets, and notes where available.
ITU-T Identity Management Focus Group The scope of the Focus Group is Identity Management (IdM) for telecommunications/ICT in general; and specifically to facilitate and advance the development of a generic IdM framework and means of discovery of autonomous distributed identities and identity federations and implementations.

Part of the work involves the creation of a Living List containing details of IdM work in standards bodies, forums, and consortia dealing with Identity Management, including information concerning their activities and, where available, documents in the context of a generic IdM framework. This is that list. It was last updated on August 10th.

Comments on content, accuracy, omissions, errors, etc. are needed to help us improve the document. In particular, we need more information on relevant documents, together with a brief description of the content and a link to the document itself. If you can help, please post the information on our collaboration page.

[1]
ITU-T/TSB The International Telecommunication Union Standardization Sector has a number of Study Groups that deal with various aspects of Identity Management, including its Telecommunication Standardization Bureau which administers the allocation and assignment of numerous global identifiers.
  • SG2 Operational aspects of service provision, networks and performance
  • SG4 Telecommunication Management
  • SG13 Next Generation Network (NGN) work (e.g., authentication and authorization requirements). The Q.15/13 (NGN Security) editors group on the Y.IdMsec (IdM Security) specification is especially significant.
  • SG16 Multimedia terminals, systems and applications
  • SG17 Security, languages and telecommunication software. The Q.6/17 (Cybersecurity) editors group on the X.IdM (IdM security) specification is especially significant.
[2]
3GPP 3GPP has developed specifications related to Subscription Management (SuM), including:
  • 3GPP TS 32.140, Subscription Management (SuM) requirements. SuM for 3GPP is primarily concerned with the ability to define subscription profiles and associate the profile with subscribers, users and services that are authorized by agreements. The subscription profile may be used in the process of configuring various network resources (access and core) to make the service a reality for the user.
  • 3GPP TS 32.141, Subscription Management (SuM) architecture. This specification describes the SuM architecture that is consistent with the 3G Telecommunication Management Architecture.
  • 3GPP TS 32.171, Subscription Management (SuM) Network Resource Model (NRM) Integration Reference Point (IRP): Requirements.
  • 3GPP TS 32.172, Subscription Management (SuM) Network Resource Model (NRM) Integration Reference Point (IRP): Information Service (IS).
  • 3GPP TS 32.175, Subscription Management (SuM) Network Resource Model (NRM) Integration Reference Point (IRP): eXtensible Markup Language (XML) definition.
  • 3GPP TR 32.808 “Study of Common Profile Storage (CPS) Framework of User Data for network services and management Basic Structure of the Common Profile Storage Framework (CPSF)” addresses identity management of the end user.
  • 3GPP TS 33.220, Generic Authentication Architecture (GAA); Generic bootstrapping architecture. This specification describes the security features and a mechanism to bootstrap authentication and key agreement for application security from the 3GPP AKA mechanism.
  • 3GPP TR 33.980, Liberty Alliance and 3GPP security interworking; Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Services Framework (ID-WSF) and Generic Authentication Architecture (GAA). The document provides guidelines on the interworking between the Generic Authentication Architecture (GAA) and the Liberty Alliance architecture Identity Federation Framework (ID-FF) and Identity Web Services Framework (ID-WSF).

Presentations entitled “Identity Management in 3GPP – An Overview” were recently provided by Nokia and Siemens to the Feb. 2007 ITU-T Focus Group IdM meeting.

[3]
IETF The IETF has developed specifications for resource/entity identification, including:
  • Uniform Resource Identifier (URI) (www.ietf.org/rfc/rfc3986.txt) defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier.

  • Internationalized Resource Identifier (IRI) (www.ietf.org/rfc/rfc3987.txt) defines an IRI as a complement to the URI. An IRI is a sequence of characters from the Universal Character Set (Unicode/ISO 10646). A mapping from IRIs to URIs is defined, which allows IRIs to be used instead of URIs, where appropriate, to identify resources.
  • Internet Message Format (www.ietf.org/rfc/rfc2822.txt) – identification by email address – specifies a syntax for text messages that are sent among computer users, within the framework of electronic mail.
  • Uniform Resource Name (URN) (www.ietf.org/rfc/rfc2141.txt) defines persistent, location-independent, resource identifiers. This RFC defines the canonical syntax for URNs and discusses existing legacy and new namespaces and requirements for URN presentation and transmission.
  • Universally Unique IDentifier (UUID) (www.ietf.org/rfc/rfc4122.txt) defines a Uniform Resource Name namespace for UUIDs, also known as GUIDs (Globally Unique IDentifier). A UUID is 128 bits long, and can guarantee uniqueness across space and time.
  • Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP) (http://www.rfc-editor.org/rfc/rfc4474.txt) defines a mechanism for securely identifying originators of SIP messages.
  • Trait-Based Authorization Requirements for the Session Initiation Protocol (SIP) (http://www.rfc-editor.org/rfc/rfc4484.txt) lays out a set of requirements related to trait-based authorization for the Session Initiation Protocol.
[4]
ISO The International Organization for Standardization has developed specifications related to IdM, including:
  • ISO 9594-8: X.509 Public Key Infrastructure: Certificate and CRL Profile. This specification profiles the format and semantics of certificates and certificate revocation lists for the Internet PKI. Relevant work in IETF is covered in RFC 3280.
  • ISO/IEC 15944-1 Information technology – Business agreement semantic descriptive techniques – Part 1: Operational aspects of Open-Electronic Data Interchange (EDI) for implementation. This specification addresses Open-EDI and identifies the electronic identities that may be used in electronic transactions.
  • ISO/IEC 19794 deals with Biometric data interchange formats.
  • ISO/IEC JTC 1/SC 27 – Information Technology – Security Techniques – A Framework for Identity Management. This is a newly approved project on IdM.
[5]
Liberty Alliance Project Liberty has specified an open standard for federated network identity that is intended to support current and emerging network devices, offering a secure way to control digital identity information. The Liberty Alliance Identity Federation Framework (ID-FF) Version 1.2 Specifications [6] are now part of SAML v2.
  • Liberty Alliance Approach to IDM - [7]
  • Liberty Alliance recently released draft specifications for an Advanced Client, a set of specifications and technologies that leverage the interoperability, security and privacy capabilities of Liberty Federation and Liberty Web Services to allow users to conduct a wide range of new identity-based transactions from any device. The set of platform independent specifications were developed to extend identity management capabilities such as single sign-on, access to Web Services, stronger authentication and user-controlled provisioning to client devices. [8]
[9]
OASIS (Organization for the Advancement of Structured Information Standards) Identity Management platforms and technical committees of principal interest include:
  • Security Assertion Markup Language (SAML). SAML [10] defines the syntax and processing semantics of assertions made about a subject by a system entity. In the course of making, or relying upon such assertions, SAML system entities may use other protocols to communicate either regarding an assertion itself, or the subject of an assertion. The SAML protocol specification defines both the structure of SAML assertions, and an associated set of protocols, in addition to the processing rules involved in managing a SAML system. SAML assertions and protocol messages are encoded in XML and use XML namespaces.
  • eXtensible Access Control Markup Language (XACML). XACML [11] defines an XML-based common language for expressing security policy, allowing an enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems including some or all of writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy.
  • Service Provisioning Markup Language (SPML). SPML [12] defines an XML-based framework for exchanging user, resource, and service provisioning information. This specification supports the provisioning of services such as user accounts and access privileges on systems, networks and applications.
  • eXtensible Resource Identifier: (XRI). XRI [13] defines a URI-compatible scheme and resolution protocol for abstract identifiers, i.e., identifiers that are location, application, and transport-independent, and thus can be used to identify and share resources across domains and applications. The OASIS technical committee developing XRI (XRI TC) is also defining an extension of the generic resolution protocol for trusted resolution, and a special set of identifiers for XRI metadata (identifiers that describe other identifiers).
  • Web Services Security (WS-Security). WS-Security [14] defines a standard method for attaching security data to a web services message and security mechanisms implemented in SOAP headers. These mechanisms are designed to enhance SOAP messaging by providing a quality of protection through message integrity, message confidentiality, and single message authentication.
[15] Note: the Security Assertion Markup Language (SAML) and eXtensible Access Control Markup Language (XACML), authored by OASIS, have been consented as internationally recognized ITU-T Recommendations.
Open Mobile Alliance The OMA has developed specifications related to IdM, including:
  • Identity Management Framework Requirements (OMA-RD-Identity_Management_Framework-V1_0-20050202-C). The intention of this specification is to integrate existing efforts relating to Identity within the OMA to create a single Identity Management (IdM) enabler to be used by all OMA enablers. This specification sets requirements for all technical working groups of OMA, and all Identity Management related functions should be satisfied according to the resulting enabler. The benefits of a single Identity Management enabler for all OMA enablers are:
      • Management and use of Identity or personal information is easier for all stakeholders: End Users, mobile operators, enterprises and Service Providers.
      • End Users do not have the burden of having to understand different service-specific Identity solutions.
      • The same Identities and personal information can be utilised by multiple services.
      • Privacy protection can be enabled more easily using a common Identity Management enabler.
[16]
World Wide Web Consortium (W3C) has developed recommendations for XML aspects of IdM, including:
  • xml:id Version 1.0 (http://www.w3.org/TR/2005/REC-xml-id-20050909/), which defines the meaning of the attribute xml:id as an ID attribute in XML documents and defines processing of this attribute to identify IDs in the absence of validation, without fetching external resources, and without relying on an internal subset.
  • XML Signature Recommendations (XML Signature WG), which specify an XML compliant syntax used for representing the signature of Web resources and portions of protocol messages (that can be referenced by a URI) and procedures for computing and verifying such signatures.
  • XML Encryption Recommendations (XML Encryption WG), which specify a process for encrypting/decrypting digital content (including XML documents and portions thereof) and an XML syntax used to represent the (1) encrypted content and (2) information that enables an intended recipient to decrypt it.
  • XML Key Management Specification (XKMS). XKMS (www.w3.org/TR/xkms) specifies protocols for distributing and registering public keys, suitable for a client to obtain key information (values, certificates, management or trust data) from a web service.
[17]
ETSI TISPAN has developed specifications related to Subscription Management (SuM), including:

  • (Draft) ETSI DTS 188 002, Subscription Management Requirements.
  • (Draft) ETSI DTS 188 002-2, Subscription Management Information Model.
  • ETSI Specialist Task Force STF 330 (TB TISPAN / WG 7) on “Security and management of identity in the NGN”.
[18]
Concordia The Concordia project is a global initiative designed to drive interoperability across identity protocols in use today. It does this by soliciting and defining real-world use cases and requirements for the usage of multiple identity protocols together in various deployment scenarios, and encouraging and facilitating the creation of protocol solutions in the appropriate "homes" for those technologies. [19]
FIDIS Future of Identity in the Information Society is a NoE (Network of Excellence) supported by the European Union. FIDIS objectives are shaping the requirements for the future management of identity in the EIS and contributing to the technologies and infrastructures needed. [20]
FIRST FIRST is the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to respond more effectively to security incidents, reactively as well as proactively. [21]
Guide A European Commission funded integrated project under the Information Society Technologies Programme (IST). GUIDE is conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe. The project's approach is multi-disciplinary and includes technology, procedural and policy development across Europe. GUIDE consists of 23 organizations from 13 countries. There are many documents created by GUIDE, for example:

Identity Interoperability Services Report: Core Services Descriptions - the purpose of this document is to identify the full set of ‘core’ services that GUIDE should specify in order to achieve the required objective of creating a Pan-European architecture for identity interoperability. (IST-2003-507498)

[22] [23]
Higgins A framework that will enable users and enterprises to integrate identity, profile, and relationship information across multiple systems. Using context providers, existing and new systems such as directories, collaboration spaces, and communications technologies (e.g. Microsoft/IBM WS-*, LDAP, email, IM, etc.) can be plugged into the Higgins framework. Applications written to the Higgins API can virtually integrate the identity, profile, and relationship information across these heterogeneous systems. A design goal is that Higgins be useful in the development of applications accessed through browsers, rich clients, and web services. Our intent is to define the Higgins framework in terms of service descriptions, messages and port types consistent with an SOA model and to develop a Java binding and implementation as an initial reference. [24]
Light Weight Identity A family of quite simple, but powerful personal digital identity protocols that empower individuals to keep control over and manage all aspects of their digital identities on-line. Some of these protocols were created at NetMesh; others, such as OpenID originated elsewhere or, such as Yadis, in collaboration with other vendors and developers. [25]
MODINIS-IDM MODINIS-IDM is an EU sponsored study on Identity Management systems in eGovernment. Its aim is to build on expertise and initiatives in the EU Member States to progress towards a coherent approach in electronic identity management in eGovernment in the EU.

The conceptual framework described in this document is one of the building blocks identified in the pan-European eIDM roadmap for eGovernment services that was prepared in collaboration between the Modinis IDM Study Team and RAND Europe. A list of additional MODINIS documents is available.

[26] [27] [28]
ORACLE IGF Oracle recently announced an Identity Governance Framework (IGF) open initiative to address governance of identity related information across enterprise IT systems. This initiative includes key initial draft specifications contributed by Oracle to the community. These specifications provide a common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity related information. Founding participants include Oracle, Computer Associates, Layer 7 Technologies, HP, Novell, Ping Identity, Securent, and Sun Microsystems. Continuing work on IGF is now being carried on within the Liberty Alliance Project. Additional references include an IGF Overview and Frequently Asked Questions. In addition, Oracle® Identity Management allows enterprises to manage the end-to-end lifecycle of user identities across enterprise resources and includes an Oracle® Identity and Access Management Suite. [29]
The Open Group A vendor and technology neutral consortium with a goal to enable access to integrated information within and between enterprises based on open standards and global interoperability has an Identity Management Forum working group with over 40 members. [30] [36]
PAMPAS Pioneering Advanced Mobile Privacy and Security was a 2002 EU sponsored project focused on the areas of privacy and security for beyond 3G mobile systems and applications. [31]
PERMIS PERMIS is an authorisation infrastructure. Given the distinguished name of a user, a target that the user wishes to access, the mode of access, plus optional environmental parameters such as time of day, PERMIS will say whether the user is authorised to access the target or not. [32] [33]
PRIME Privacy and Identity Management for Europe – PRIME aims to develop a working prototype of a privacy-enhancing Identity Management System. The PRIME project receives research funding from the EU's Sixth Framework Programme and the Swiss Federal Office for Education and Science. [34]
OSIS brings together many identity-related open-source projects, and synchronizes and harmonizes the construction of an interoperable identity layer for the internet from open-source parts. Its first deliverable is interoperability with Microsoft CardSpace, although OSIS also encompasses alternate technologies such as OpenID and SAML. [35]
Yadis A service discovery system allowing relying parties (aka identity consumers or membersites) to determine automatically, without end-user intervention, the most appropriate protocol to use. [37]
ARK (Archival Resource Key) naming scheme is designed to facilitate the high-quality and persistent identification of information objects. A founding principle of the ARK is that persistence is purely a matter of service and is neither inherent in an object nor conferred on it by a particular naming syntax. The best that an identifier can do is to lead users to the services that support persistence. The term ARK itself refers both to the scheme and to any single identifier that conforms to it. The scheme, called the Archival Resource Key (ARK), is well suited to long-term access and identification of any information resources that accommodate reasonably regular electronic description. This includes digital documents, databases, software, and websites, as well as physical objects (books, bones, statues, etc.) and intangible objects (chemicals, diseases, vocabulary terms, performances). Hereafter the term "object" refers to an information resource. [38]
IDSP The Identity Theft Prevention and Identity Management Standards Panel (IDSP) is a cross-sector coordinating body whose objective is to facilitate the timely development, promulgation and use of voluntary consensus standards and guidelines that will equip and assist the private sector, government and consumers in minimizing the scope and scale of identity theft and fraud.

The IDSP has two main charges: First, it will endeavor to identify and catalogue in one place any existing, broadly-applicable identity theft and fraud prevention standards and guidelines. Second, it will identify areas where updated or new standards are needed. The panel’s recommendations for revised or additional standards shall serve as a call to action for further work by the standards development community.

[39]
ITRC Identity Theft Resource Center (ITRC) is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides consumer and victim support as well as public education. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of identity theft. [40]
ISO TC46 Work on “parties” etc. is related to user-centric id, which is an important part (but not the whole) of the wider ITU IdM issue. A working group meeting of the proposed ISPI (ISO TC46/SC9/WG6) made an important distinction in identities of individuals and organizations, between "party" and "public identity". This same distinction is also made in the Interparty project (www.interparty.org); also see FG IdM Doc 006 from the Geneva meeting in February 2007. The ISPI is aimed at the communities using the other ISO TC 46 identifiers (like ISBN), but there is a generally applicable lesson here. Although originally called the International Standard Party Identifier, it is now (subject to approval) precisely NOT that but an International Standard Public Identity. This ISPI activity is to be a formal liaison with the ITU IdM FG, via ISO TC46 SC9.
Handle The Handle System® is a general-purpose distributed information system used to assign, manage, and resolve persistent identifiers, known as "handles", for digital objects and other resources on the Internet. Some applications of this are in content, and others in a variety of identity management applications. The Corporation for National Research Initiatives manages this through its Handle System Advisory Committee (composed of external interested parties).

It is a non-commercial, openly available protocol and reference implementation of a general-purpose distributed information system used to assign, manage, and resolve persistent identifiers, developed at the Corporation for National Research Initiatives (US) by Robert Kahn, one of the co-inventors of TCP/IP and a pioneer of internet technologies. The Handle System can utilise existing or new numbering schemes and protocols, adding value to them.

Security is a major feature of the Global Handle Registry service:

  • Protected service information and public key pair used to sign global service information.
  • Handle protocol allows handle servers to authenticate their clients and to provide data integrity service on client request.
  • Handle servers can be explicitly asked to generate or return a digital signature for every service response.
  • Public key and/or secret key cryptography may be used.
  • Server authentication may be used to prevent eavesdroppers from forging client requests or tampering with server responses.
  • Client applications can (if wished) only accept information from the authoritative Global Handle Registry (not any mirrors) and check its integrity on each update.

Future projected applications of particular relevance to identity management include:

  • Transient Network Architecture (pervasive transient mobile network in which all communications occur between persistently identified entities, under NSF’s FIND (Future Internet Network Design) programme).
  • Using PKI for persistent trustworthy identity.
  • Representing Value as Digital Objects (“Transferable records" structured as digital objects; transferability and anonymity as attributes of digital representations of deeds of trust, mortgages, bills of lading, digital cash etc.)
  • Application of Handles to licences and parties
[41] [42]
National Identity Card Schemes Many countries are developing government certified national identity card schemes based on PKI certificates deployed in smartcards, mobile SIM solutions or soft certificates. The list of initiatives is very long, but information about European initiatives can be found at the URL below.

Many countries are encouraging public-private partnerships using the eID cards within commercial applications. This has advantages for large-scale roll-out of strong authentication mechanisms since many commercial organisations are reluctant to underwrite the costs and liabilities involved in issuing tokens.

[43]
EU eID Roadmap The European Commission's eID roadmap. This is an initiative based on the 2005 Manchester declaration which states that:

By 2010 European citizens and businesses shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations. Such means shall be made available under the responsibility of the Member States but recognised across the EU.

Key elements are:

  • Funding of a Large Scale Pilots initiative - an interoperability initiative testing cross-border use of national ID cards in a number of application areas. The work will begin in 2008.
  • Common Model Design as a framework of specifications for interoperable eID between member states.
  • Definition of authentication levels for trust establishment
[44]
European Citizen Card The European Citizen Card is a CEN standard (TC224 WG 15) which includes a card specification, middleware layer and a set of card profiles describing properties of various common tokens to the middleware layer. [45]