This workshop discusses the importance of identity management, the diverse identity communities, and the focus and vision for effective identity management. It also explores deliverables and capabilities that can make a difference in 2009.
ITU-T Workshop on "New challenges for Telecommunication Security Standardization"
Geneva, 9 (pm)-10 February 2009

Identity Management
Anthony M. Rutkowski, V-P, Regulatory Affairs and Standards, VeriSign, Inc.
V1.0
The challenge of relevance: Why is IdM important?
• Identity Management is the foundation and core for all security
• An explosively expanding and vast array of "network nomadic" individuals, providers, and objects has challenged our ability to effectively manage identities and their "trust anchors"
The challenge of a common concept: What is identity?
• Identities consist of:
  • an ensemble of four possible identity "elements"
  • a binding to an Entity (or Entities) instantiated or asserted at some specific time
From the ITU-T Report of the Correspondence Group on the Definition of Identity
(Figures: Complex Version; Simple Version)
The challenge of diversity: Disparate identity communities
• Operators and providers
  • Focussed on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation
• Business end-users
  • Focussed on minimizing costs, employee support, fraud mitigation, inventory and supply chain management
• Individual end-users
  • Focussed on social networking, convenience, identity services (esp. location based services) and portability, controlling unwanted intrusions and mitigating identity theft
• Security
  • Focussed on infrastructure protection, homeland security, NS/EP needs, consumer protection, law enforcement forensics, meeting public policy and legal mandates including personal identity credentials and biometrics
• Privacy and anonymity
  • Spans a broad spectrum from personal identity protection and intrusion minimization to extreme views on complete anonymity, anti-government paranoia and control of all personal identity elements
The challenge of focus and vision: What is important?
• Discovery of authoritative sources of identities and structured means to query source information
• Structured identity ontologies and data models for interoperability
  • Critical to sharing of identities
• Protected identity management "signalling" infrastructure in NGNs
• Means to support inter & intra federation identity capabilities
  • Inter-federation mechanisms are non-existent
• Providing for a range of trust relationships (no trust to PKI-based high assurance trust)
• Supporting Peer-to-Peer platforms
• Implementing trusted Open Identity Architectures as a means of achieving "Identity Network Neutrality"
• Achieving effective "trust anchors"
  • Identity proofing
  • Identity lifecycle management
  • Identity status checking on-demand
  • Identity security
  • Identity management auditing
The Challenge of Deliverables: Capabilities that will make a difference in 2009
Provider Identity Trust Anchors
• Number one "low-hanging" Identity Management/cybersecurity capability with far-reaching positive impact
  • A universal global means for establishing trust in all organizations that have a network presence
  • For communications, transactions, software, and the secure transport layer
• Significant implementation has already occurred
  • Based on the Extended Validation (EV) Digital Certificate standard, an implementation of the ITU-T X.509 platform (also known as EV SSL)
  • Developed in 2007 by the CA/Browser Forum
  • Certificates initially issued and browser updates pushed out to most computers in 2008
  • Consists of the best combination of identity assurance techniques and platforms
  • Initial identity proofing based on ETSI standards
  • Basis for organization trust in Liberty Alliance assurance specifications
  • Used by the ITU itself!
• Upcoming EV enhancements in 2009
  • Being extended to all kinds of services and software distribution in 2009, including SIP
  • Being introduced into ITU-T SG17 through the liaison process
  • Substantial ongoing regional activity to meet localization requirements worldwide
  • Being considered as an NGN network address enhancement
  • Cryptography being upgraded to ECC
  • Embeds many diverse organization identifiers, including ITU-T Object Identifiers (OIDs), which have become the Internet's global "enterprise ID" of choice
• Enhances individual privacy and broadly benefits everybody
• May become a global regulatory mandate for cybersecurity
Object trust anchors
• Real-time Object IDentifier resolution system
  • Provides a DNS-based means for discovering information about any Object Id
  • OIDs becoming increasingly important for
    • Network elements (especially forensic acquisition locations in a network)
    • Terminal devices, software, RFID tagged objects, sensors, biometric scanners, e-health, power management, and intellectual property
  • Creation of a new DNS top level domain – OID
  • Initial implementations occurring in 2009 based on specifications developed in ITU-T and ISO
• Real-time token validation protocol systems
  • Verifying the current status of all object credentials is essential
  • Allows implementation of "when things go wrong" capabilities
  • Online Certificate Status Protocol (OCSP) has emerged as the means of choice and is being mandated by some trust implementations
  • Similar RSA protocols for token use are being extended
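As an added example (not from the slides, nor code of VeriSign or the ITU), the following Python decodes the DER encoding of an OBJECT IDENTIFIER as carried inside an X.509 certificate (policy OIDs, enterprise identifiers) and builds the DNS name a resolution system would query for it. The DER rules are those of ITU-T X.690; the `oid` parent zone and the most-specific-label-first ordering are assumptions modelled on the OID top-level domain proposed on the slide.

```python
# Added example, not from the slides: decode the ASN.1 DER OBJECT IDENTIFIER
# encoding used inside X.509 certificates (policy OIDs, enterprise IDs) and
# derive the DNS name an OID resolution lookup would query.


def decode_der_oid(der: bytes) -> str:
    """Decode a complete DER OBJECT IDENTIFIER TLV (tag 0x06) into dotted notation."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    length, body = der[1], der[2:]
    if length >= 0x80 or len(body) != length:   # OIDs never need long-form lengths
        raise ValueError("bad DER length")
    if body[-1] & 0x80:
        raise ValueError("truncated base-128 subidentifier")
    subids = []
    value = 0
    for b in body:                               # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    # The first subidentifier packs arcs 0 and 1 as 40*arc0 + arc1 (arc0 in 0..2).
    first = subids[0]
    arc0 = 2 if first >= 80 else first // 40
    arcs = [arc0, first - 40 * arc0] + subids[1:]
    return ".".join(str(a) for a in arcs)


def encode_der_oid(dotted: str) -> bytes:
    """Inverse of decode_der_oid; handy for building test vectors."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for s in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        groups = [s & 0x7F]
        while s > 0x7F:                          # emit higher 7-bit groups first
            s >>= 7
            groups.insert(0, (s & 0x7F) | 0x80)
        body.extend(groups)
    return bytes([0x06, len(body)]) + bytes(body)


def is_well_formed_oid(der: bytes) -> bool:
    try:
        decode_der_oid(der)
        return True
    except ValueError:
        return False


def ors_query_name(dotted: str, parent: str = "oid") -> str:
    """DNS name for an OID lookup: arcs reversed, most specific label first (assumed convention)."""
    return ".".join(reversed(dotted.split("."))) + "." + parent.strip(".") + "."
```

The two vectors in the tests are the well-known rsaEncryption OID (1.2.840.113549.1.1.1) and the CA/Browser Forum EV policy OID (2.23.140.1.1).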
Personal identity trust anchors
• The world is awash in a sea of countless personal identities
  • Many personal identities have little or no trust anchors
  • Diverse expectations exist among people, organizations, and nations concerning the use and availability of identities – many subject to law
  • Expectations are highly context dependent and often conflicting
  • Potential "identity network neutrality" challenges abound
• Significant contemporary personal identity needs
  • eHealth
  • Homeland security
  • Nomadicity and social networking
• Significant technical platforms are emerging
  • Interoperable and Trusted Third Party platforms
  • OpenID
  • Personal Identity Portals
  • National eIDs, especially the EU's STORK (Secure Identity Across Borders Linked) initiative
  • One time password tokens
  • Encrypted biometrics
• A major impediment for personal identity trust is lifecycle maintenance
  • Bearing the initial and lifecycle costs, including indemnification
  • Providing real-time status checking
  • Accommodating an enormously broad assurance spectrum
Whose trust anchor: Identity Assurance Interoperability
• Many different schemas exist to achieve identity assurance
  • The schemas can cover broad ranges from zero trust to very high trust
  • Expressed as trust levels
  • Include diverse context dependencies
• How to achieve global identity assurance interoperability among all the existing and potential schemas
• Possible solution is using ITU-T X.1141 (SAML) to capture and exchange the many different schemas via TSB and other bodies
Trust Anchors begin at home: Standards and spawned identities
• Challenge is to enhance identity management trust anchors by enabling structured discovery and on-demand public access to
  • Standards
  • Registrations and assignments specified in standards
• Real-time access to standards
  • Most standards bodies now allow global public access to their specifications
  • Network IdM/security standards not publicly available have little value
  • Next step is to make them discoverable, versioned, and accessible with a click
• Real-time access to registrations and assignments
  • Standards result in many secretariats and other bodies creating identities
  • Few provide structured, real-time means for discovery and access
  • Both ITU TSB and IETF IANA are building capabilities
  • Can serve as models for other bodies and administrators worldwide
2008 ITU-T IdM Roadmap

Generic Specifications
• Initial IdM Focus Group + IdM definition reports
• Living List of IdM Terms and References
• X.1250, Capabilities for enhanced global IdM trust & interoperability
• X.1251, Framework for user control of digital identity interchange
• X.eaa, Entity authentication assurance
• X.idm-ifa, Framework architecture for interoperable IdM systems
• X.idm-dm, Common identity data model
• X.idmsg, Security guidelines for IdM systems
• X.priva, Criteria for assessing level of protection for PII in IdM

NGN Specifications
• Y.ngnIdMuse, IdM use-cases
• Y.2720, NGN IdM framework
• Y.ngnIdMmechanisms, NGN IdM mechanisms

Application Specifications
• E.157, International Calling Party Number Delivery
• X.ott, Authentication Framework with One-time Telebiometric Template
• X.668, Registration of object identifier arcs for applications and services using tag-based identification
• X.1171, Framework for Protection of Personally Identifiable Information in Applications using Tag-based Identification
• X.rfpg, Guideline on protection for PII in RFID application

Bold = accomplished (the original slide's bold emphasis is not preserved in this text)
A New IdM Capabilities Roadmap

Provider Identity Trust
• A global standard (mandate) for Provider Identity Trust as an evolution of the CAB Forum specification
• Service and regional extensions for Provider Identity Trust
• Implementation of globally unique provider "identifiers" using OIDs
• Enhanced network addresses for NGN

Object Identity Trust
• OID Resolver System extensions for objects (Ubiquitous Sensor Networks, Network Elements, e-Health, and distributed power systems, terminal devices, biometrics, and IPR)
• Lightweight object certificate specifications
• Application of ECC to IdM certificates

Person Identity Trust
• Globally interoperable personal identity specifications
• Enhanced International Caller-ID capabilities
• Service and application specific personal identity extensions, including "youth" attributes
• Encrypted telebiometric specifications
• Interoperable Trusted Third Party & Bridge platform specifications
• Interoperable Personal Identity Portal specifications

Support Capabilities
• Adoption of DNS-based real-time OID Resolution System specifications
• Adoption of OID directory service specifications
• Adoption of global online certificate status verification specifications
• Service extensions to certificate status specifications
• A Global IdM Data Dictionary
• Global identity proofing specifications
• Global Identity security specifications
• Global IdM management auditing specifications
• Real-time access to identity management and related security specifications
• Real-time access to assigned identifier lookup systems