Identity Management Based on P3P. Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project. Selected Pages For Presentation. This presentation is based on the First 9 pages of the paper and the conclusion at the end of the paper.
Identity Management Based on P3P • Authors: Oliver Berthold and Marit Kohntopp • P3P = Platform for Privacy Preferences Project
Selected Pages For Presentation • This presentation is based on the first 9 pages of the paper and the conclusion at the end of the paper. • Section 3.2 “Realization of Some Pseudonym Properties” on the 9th page is not included.
Outline • Introduction • Identity Management System • Criteria For Identity Management System • Functionality Of P3P • P3P and Criteria For Identity Management System • Conclusion • Questions
Introduction • Identity Management is what we do in a normal conversation. We consider the role and relationship and identify ourselves accordingly. • Different names or pseudonyms can be used. This preserves the real identity of an individual. • Anonymous communication networks like the internet require an Identity Management System. This paper proposes a scheme for an Identity Management System based on P3P.
Identity Management System • A mechanism for managing, disclosing and negotiating personal data. • To give users the choice between anonymity, pseudonymity and optional self-identification. • Prior to P3P other Identity Management Systems have been proposed, however none have been implemented. But now the requirements of an underlying anonymous network and appropriate infrastructure become more and more available.
Criteria For Identity Management System • Privacy Protection Baseline • Anonymous communication network • Trustworthy user device • Independent experts to validate data security level. • Security of data in communication with other parties • User has restricted access to identity manager.
Criteria For Identity Management System • Empowering the user • Convenient user interface to manage identity and control privacy facilities like grant of consent or removal of consent. • Storage of personal data under user control • Negotiation tool for disclosure of information. • Negotiation tool for other aspects like security configuration. • Support from privacy protection authorities, e.g. help with configuration
Criteria For Identity Management System • Representation of pseudonyms/roles/identity cards with different properties through cryptographic means (blind signatures…) • Based on standardized protocols and open data structures. • Possibility for easy monitoring • Compliance with legal framework
Functionality of P3P • P3P is a standard for exchange of personal data. It enables web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. • P3P user agents can inform users of the website's practices and automate decision making based on these practices.
P3P At Work [Diagram: Bob and the Service, with the steps “Request Web Page”, “Return Reference To Policy” and “Determine Action Based On Policy”] • Bob’s agent requests a web page from a Service. • The Service provider responds by sending a reference to a P3P policy in the header of its HTTP response. The policy consists of one or more statements about the service’s privacy practices. • Bob’s agent fetches the policy, evaluates it and, depending on the preferences that have been set by Bob, determines the action it should take: e.g. request, limit or block the required transfer.
P3P Policy Expressed as XML

    <STATEMENT>
      <PURPOSE><current/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.postal"/>
        <DATA ref="#user.home-info.telecom.telephone" optional="yes"/>
        <DATA ref="#dynamic.miscdata">
          <CATEGORIES><financial/></CATEGORIES>
        </DATA>
      </DATA-GROUP>
    </STATEMENT>
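The evaluation step from “P3P At Work”, run against the statement on this slide, as an added example that is not from the presentation or the paper. The preference format `BOB` and the decision rules (including failing closed on a policy that does not parse) are assumptions; the statement is the slide's, made well-formed and used without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the slide's statement, made well-formed.
POLICY = """<STATEMENT>
  <PURPOSE><current/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP>
    <DATA ref="#user.name"/>
    <DATA ref="#user.home-info.postal"/>
    <DATA ref="#user.home-info.telecom.telephone" optional="yes"/>
    <DATA ref="#dynamic.miscdata"><CATEGORIES><financial/></CATEGORIES></DATA>
  </DATA-GROUP>
</STATEMENT>"""

# Hypothetical preference format (an assumption, not defined by P3P or the paper).
BOB = {
    "purposes": {"current", "admin"},
    "recipients": {"ours"},
    "retention": {"no-retention", "stated-purpose"},
    "release": {"#user.name", "#user.home-info.postal", "#dynamic.miscdata"},
}

def children(stmt, tag):
    """Names of the elements inside the statement's <tag>, e.g. {'current'}."""
    node = stmt.find(tag)
    return {c.tag for c in node} if node is not None else set()

def evaluate(policy_xml, prefs):
    """Return (action, withheld_refs); action is 'request', 'limit' or 'block'."""
    if "<!DOCTYPE" in policy_xml:
        return "block", []            # the site controls this input: no DTDs
    try:
        stmt = ET.fromstring(policy_xml)
    except ET.ParseError:
        return "block", []            # fail closed on a malformed policy
    for tag, key in (("PURPOSE", "purposes"), ("RECIPIENT", "recipients"),
                     ("RETENTION", "retention")):
        declared = children(stmt, tag)
        if not declared or not declared <= prefs[key]:
            return "block", []        # practice missing or not acceptable
    withheld = []
    for data in stmt.iter("DATA"):
        ref = data.get("ref", "")
        if ref not in prefs["release"]:
            if data.get("optional") != "yes":
                return "block", []    # site requires data Bob will not give
            withheld.append(ref)
    return ("limit", withheld) if withheld else ("request", [])
```

With these preferences the agent limits the transfer: the optional telephone number is withheld and the rest is released.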
Other Features Of P3P • P3P provides a flexible and powerful mechanism to extend its syntax and semantics using the “<EXTENSION>” element. • P3P allows the optional use of a Persona. A Persona is a unique identifier for a set of data element values. • It allows for the representation of pseudonyms.
P3P and Criteria For Identity Management System • Privacy protection baseline • P3P can only act as a module in a larger context, thus it does not realize the full privacy protection itself, but may be integrated. • Empowering the user • Negotiation is not addressed in this version of P3P; however, future releases will add to this facility.
P3P and Criteria For Identity Management System • Representation of pseudonyms is addressed by the persona concept. • An open standard protocol that coacts with other commonly used standards (like HTTP, XML). • Allows for online monitoring and comparison of privacy policies, but cannot guarantee companies follow them. • Complies with legal framework.
Conclusion • P3P essentially provides the means for contract making between two parties where one agrees to provide information and the other agrees to process this information only within the negotiation limits. • To make P3P function, a legal framework is required to make these contracts legally binding and internationally enforceable.
Questions • How are pseudonyms supported in P3P? • Is it necessary for contracts between user agents and the Services to be legally binding? Why?