160 likes | 241 Views
Identity Management Based on P3P. Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project. Selected Pages For Presentation. This presentation is based on the First 9 pages of the paper and the conclusion at the end of the paper.
E N D
Identity Management Based on P3P • Authors: Oliver Berthold and Marit Kohntopp • P3P = Platform for Privacy Preferences Project
Selected Pages For Presentation • This presentation is based on the First 9 pages of the paper and the conclusion at the end of the paper. • Section 3.2 “Realization of Some Pseudonym Properties” On page 9th page is not included.
Outline • Introduction • Identity Management System • Criteria For Identity Management System • Functionality Of P3P • P3P and Criteria For Identity Management System • Conclusion • Questions
Introduction • Identity Management is what we do in a normal conversation. We consider the role and relationship and identify our selves accordingly. • Different names or pseudonyms can be used. This preserves the real identity of a individual. • Anonymous Communication Networks like the internet require an Identity Management System. This Paper proposes a scheme for an Identity Management System based on P3P.
Identity Management System • A mechanism for managing, disclosing and negotiating personal data, • To give users the choice between anonymity, pseudonymity and optional self identification. • Prior to P3P other Identity Management Systems have been proposed, however non have been implemented. But now the requirements of an underlying anonymous network and appropriate infrastructure become more and more available.
Criteria For Identity Management System • Privacy Protection Baseline • Anonymous communication network • Trustworthy user device • Independent experts to validate data security level. • Security of data in communication with other parties • User has restricted access to identity manager.
Criteria For Identity Management System • Empowering the user • Convenient user interface to manage identity and control privacy facilities like grant of consent or removal of consent. • Storage of personal data under user control • Negotiation tool for disclosure of information. • Negotiation tool for other aspects like security configuration. • Support from privacy protection authorities, e.g. help with configuration
Criteria For Identity Management System • Representation of pseudonyms/roles/identity cards with different properties through cryptographic means (blind signatures…) • Based on standardized protocols and open data structures. • Possibility for easy monitoring • Compliance with legal framework
Functionality of P3P • P3P is a standard for exchange of personal data. It Enables web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. • P3P user agents can inform users of the websites practices and automate decision making based on these practices.
Determine Action Based On Policy Request Web Page Return Reference To Policy Bob P3P At Work Service • Bob’s agent requests a web page from a Service. • The Service provider responds by sending a reference to a P3P policy in the header of its HTTP response. The policy consists of one or more statements about the services privacy practices • Bob’s agent fetches the policy , evaluates it and depending on the preferences that have been set by Bob determines the action it should take: e.g. request, limit or block the required transfer.
P3P Policy Expressed as XML <STATEMENT> <PURPOSE><current/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> <RETENTION><stated-purpose/></RETENTION> <DATA-GROUP> <DATA ref=“#user.name”/> <DATA ref=“#user.home-info.postal”/> <DATA ref=“# user.home-info.telecom.telephone” optional=“yes”/> <DATA ref=“#dynamic.miscdata> <CATEGORIES><financial/><CATEGORIES/> </DATA> </DATAGROUP>
Other Features Of P3P • P3P provides a flexible and powerful mechanism to extend its syntax and semantics using the “<EXTENSION>” element. • P3P allows the optional use of a Persona. Persona is a unique identifier for a set of data elements values. • It Allows for the representation of pseudonyms
P3P and Criteria For Identity Management System • Privacy protection baseline • P3P can only act as a module in larger context, thus it does not realize the full privacy protection itself, but may be integrated. • Empowering the user • Negotiation is not Addressed in this version of P3P however future releases will add to this facility.
P3P and Criteria For Identity Management System • Representation of pseudonyms is addressed by the persona concept. • An Open standard protocol that coacts with other commonly used standards (like HTTP, XML) • Allows for Online monitoring and comparison of privacy policies, but cannot guarantee companies follow them. • Complies With Legal Frame Work
Conclusion • P3P essentially provides the means for contract making between two parties where one agrees to provide information and the other agrees to process this information only within the negotiation limits. • To make P3P function, a legal framework is required to make these contracts legally binding and internationally enforceable.
Questions • How are pseudonyms supported in P3P? • Is it necessary for contracts between User agents and the Service’s to be legally binding? Why?