Identity Management
Anthony M. Rutkowski, V-P, Regulatory Affairs and Standards, VeriSign, Inc.
ITU-T Workshop on “New challenges for Telecommunication Security Standardization”
International Telecommunication Union, Geneva, 9(pm)-10 February 2009
V1.0

Transcript
The challenge of relevance: Why is IdM important?
• Identity Management is the foundation and core for all security
• An explosively expanding and vast array of “network nomadic” individuals, providers, and objects has challenged our ability to effectively manage identities and their “trust anchors”
The challenge of a common concept: What is identity?
[Figure: “complex version” and “simple version” diagrams of how an identity is bound to an Entity]
Identities consist of:
• an ensemble of four possible identity “elements”
• a binding to an Entity (or Entities) instantiated or asserted at some specific time
From the ITU-T Report of the Correspondence Group on the Definition of Identity
The challenge of diversity: Disparate identity communities
• Operators and providers: focussed on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation
• Business end-users: focussed on minimizing costs, employee support, fraud mitigation, inventory and supply chain management
• Individual end-users: focussed on social networking, convenience, identity services (esp. location-based services) and portability, controlling unwanted intrusions and mitigating identity theft
• Security: focussed on infrastructure protection, homeland security, NS/EP needs, consumer protection, law enforcement forensics, meeting public policy and legal mandates including personal identity credentials and biometrics
• Privacy and anonymity: spans a broad spectrum from personal identity protection and intrusion minimization to extreme views on complete anonymity, anti-government paranoia and control of all personal identity elements
The challenge of focus and vision: What is important?
• Discovery of authoritative sources of identities and structured means to query source information
• Structured identity ontologies and data models for interoperability
  - Critical to the sharing of identities
• Protected identity management “signalling” infrastructure in NGNs
• Means to support inter- and intra-federation identity capabilities
  - Inter-federation mechanisms are non-existent
• Providing for a range of trust relationships (from no trust to PKI-based high-assurance trust)
• Supporting Peer-to-Peer platforms
• Implementing trusted Open Identity Architectures as a means of achieving “Identity Network Neutrality”
• Achieving effective “trust anchors”:
  - Identity proofing
  - Identity lifecycle management
  - Identity status checking on demand
  - Identity security
  - Identity management auditing
The challenge of deliverables: Capabilities that will make a difference in 2009
Provider Identity Trust Anchors
• Number one “low-hanging” Identity Management/cybersecurity capability with far-reaching positive impact
• A universal global means for establishing trust in all organizations that have a network presence, for communications, transactions, software, and the secure transport layer
• Significant implementation has already occurred
• Based on the Extended Validation (EV) Digital Certificate standard, an implementation of the ITU-T X.509 platform (also known as EV SSL)
  - Developed in 2007 by the CA/Browser Forum
  - Certificates initially issued and browser updates pushed out to most computers in 2008
  - Consists of the best combination of identity assurance techniques and platforms
  - Initial identity proofing based on ETSI standards
  - Basis for organization trust in Liberty Alliance assurance specifications
  - Used by the ITU itself!
• Upcoming EV enhancements in 2009
  - Being extended to all kinds of services and software distribution in 2009, including SIP
  - Being introduced into ITU-T SG17 through the liaison process
  - Substantial ongoing regional activity to meet localization requirements worldwide
  - Being considered as an NGN network address enhancement
  - Cryptography being upgraded to ECC
• Embeds many diverse organization identifiers, including ITU-T Object Identifiers (OIDs), which have become the Internet’s global “enterprise ID” of choice
• Enhances individual privacy and broadly benefits everybody
• May become a global regulatory mandate for cybersecurity
Object trust anchors
• Real-time Object IDentifier resolution system
  - Provides a DNS-based means for discovering information about any Object Id
  - OIDs becoming increasingly important for network elements (especially forensic acquisition locations in a network), terminal devices, software, RFID-tagged objects, sensors, biometric scanners, e-health, power management, and intellectual property
  - Creation of a new DNS top-level domain, “OID”
  - Initial implementations occurring in 2009 based on specifications developed in ITU-T and ISO
• Real-time token validation protocol systems
  - Verifying the current status of all object credentials is essential
  - Allows implementation of “when things go wrong” capabilities
  - Online Certificate Status Protocol (OCSP) has emerged as the means of choice and is being mandated by some trust implementations
  - Similar RSA protocols for token use are being extended
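The two preceding slides lean on Object Identifiers twice: EV certificates carry organization and policy OIDs, and the OID Resolution System turns an OID into a DNS lookup. As an added worked example (not code from the presentation, nor from any ITU-T or VeriSign implementation), the block below shows the mechanics a practitioner actually touches: the X.690 DER encoding and decoding of an OBJECT IDENTIFIER, as found in a certificate’s certificatePolicies or authorityInfoAccess extension, and the arc-reversal that ITU-T X.672 uses to build the DNS name an ORS client queries. The EV policy OID 2.23.140.1.1 (CA/Browser Forum) and id-ad-ocsp 1.3.6.1.5.5.7.48.1 are real registered values; the “.oid” suffix follows the top-level domain the slide anticipates and is an assumption of this example, as is the sample OID 2.999.1 used to exercise the arc-2 edge case.

```python
"""Object Identifiers as trust-anchor plumbing: DER encode/decode and
ORS-style DNS names. Added example, not code from the presentation.

Implements the X.690 rules for OBJECT IDENTIFIER and the arc reversal
of the ITU-T OID Resolution System (X.672). The ".oid" suffix is the
TLD the slide anticipates and is an assumption here.
"""

# Real registered OIDs referenced by the EV / OCSP discussion.
EV_POLICY_OID = "2.23.140.1.1"          # CA/Browser Forum EV certificate policy
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"       # PKIX accessMethod for OCSP responders

ORS_SUFFIX = "oid"  # assumed TLD per the slide; a deployed ORS uses its own root domain


def _base128(n: int) -> bytes:
    """Encode one subidentifier in base-128, high bit set on all but the last octet."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Return the full DER TLV (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or arcs[0] > 2 or min(arcs) < 0
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError(f"invalid OID {dotted!r}")
    # X.690 packs the first two arcs into a single subidentifier: 40*arc1 + arc2.
    body = _base128(40 * arcs[0] + arcs[1])
    for a in arcs[2:]:
        body += _base128(a)
    if len(body) > 127:
        raise ValueError("long-form length not supported (no realistic OID needs it)")
    return bytes([0x06, len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Parse a DER OBJECT IDENTIFIER TLV back into dotted form (strict DER)."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    subids, cur = [], 0
    for b in body:
        if cur == 0 and b == 0x80:
            raise ValueError("non-minimal subidentifier (leading 0x80) is not DER")
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    # Undo the 40*arc1 + arc2 packing; only arc1 == 2 allows arc2 >= 40 (e.g. 2.999).
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def is_valid_der_oid(der: bytes) -> bool:
    """True if the bytes are a well-formed, minimal DER OBJECT IDENTIFIER."""
    try:
        decode_oid(der)
        return True
    except ValueError:
        return False


def ors_name(dotted: str, suffix: str = ORS_SUFFIX) -> str:
    """DNS name an ORS resolver would query: arcs reversed, one label each."""
    return ".".join(reversed(dotted.split("."))) + "." + suffix


if __name__ == "__main__":
    for oid in (EV_POLICY_OID, ID_AD_OCSP, "2.999.1"):
        der = encode_oid(oid)
        assert decode_oid(der) == oid
        print(f"{oid:<22} DER {der.hex()}  ORS {ors_name(oid)}")
```

In a real status-checking path the OCSP responder URL is read from the accessDescription whose accessMethod decodes to 1.3.6.1.5.5.7.48.1, so a decoder that rejects non-minimal or truncated encodings, as this one does, is the first line of defence against malformed certificates rather than a formality.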
Personal identity trust anchors
• The world is awash in a sea of countless personal identities
  - Many personal identities have little or no trust anchors
  - Diverse expectations exist among people, organizations, and nations concerning the use and availability of identities; many are subject to law
  - Expectations are highly context dependent and often conflicting
  - Potential “identity network neutrality” challenges abound
• Significant contemporary personal identity needs: eHealth, homeland security, nomadicity and social networking
• Significant technical platforms are emerging
  - Interoperable and Trusted Third Party platforms
  - OpenID
  - Personal Identity Portals
  - National eIDs, especially the EU’s STORK (Secure Identity Across Borders Linked) initiative
  - One-time password tokens
  - Encrypted biometrics
• A major impediment for personal identity trust is lifecycle maintenance
  - Who bears the initial and lifecycle costs, including indemnification
  - Providing real-time status checking
  - Accommodating an enormously broad assurance spectrum
• Many different schema exist to achieve identity assurance
  - The schema can cover broad ranges from zero trust to very high trust, expressed as trust levels
  - Includes diverse context dependencies
• How to achieve global identity assurance interoperability among all the existing and potential schema?
  - Possible solution: use ITU-T X.1141 (SAML) to capture and exchange the many different schema via the TSB and other bodies
Trust anchors begin at home: Standards and spawned identities
• Challenge is to enhance identity management trust anchors by enabling structured discovery and on-demand public access to:
  - Standards
  - Registrations and assignments specified in standards
• Real-time access to standards
  - Most standards bodies now allow global public access to their specifications
  - Network IdM/security standards not publicly available have little value
  - Next step is to make them discoverable, versioned, and accessible with a click
• Real-time access to registrations and assignments
  - Standards result in many secretariats and other bodies creating identities
  - Few provide structured, real-time means for discovery and access
  - Both ITU TSB and IETF IANA are building capabilities; these can serve as models for other bodies and administrators worldwide
2008 ITU-T IdM Roadmap

Generic Specifications
• Initial IdM Focus Group + IdM definition reports
• Living List of IdM Terms and References
• X.1250, Capabilities for enhanced global IdM trust & interoperability
• X.1251, Framework for user control of digital identity
• X.eaa, Entity authentication assurance
• X.idm-ifa, Framework architecture for interoperable IdM systems
• X.idm-dm, Common identity data model
• X.idmsg, Security guidelines for IdM systems
• X.priva, Criteria for assessing level of protection for PII in IdM

NGN Specifications
• Y.ngnIdMuse, IdM use-cases
• Y.2720, NGN IdM framework
• Y.ngnIdMmechanisms, NGN IdM mechanisms

Application Specifications
• E.157, International Calling Party Number Delivery
• X.ott, Authentication Framework with One-time Telebiometric Template
• X.668, Registration of object identifier arcs for applications and services using tag-based identification
• X.1171, Framework for Protection of Personally Identifiable Information in Applications using Tag-based Identification
• X.rfpg, Guideline on protection for PII in RFID application

Bold = accomplished
Provider Identity Trust
• A global standard (mandate) for Provider Identity Trust as an evolution of the CAB Forum specification
• Service and regional extensions for Provider Identity Trust
• Implementation of globally unique provider “identifiers” using OIDs
• Enhanced network addresses for NGN

Object Identity Trust
• OID Resolver System extensions for objects (Ubiquitous Sensor Networks, Network Elements, e-Health and distributed power systems, terminal devices, biometrics, and IPR)
• Lightweight object certificate specifications
• Application of ECC to IdM certificates
• Adoption of DNS-based real-time OID Resolution System specifications
• Adoption of OID directory service specifications
• Adoption of global online certificate status verification specifications
• Service extensions to certificate status specifications

Person Identity Trust
• Globally interoperable personal identity specifications
• Enhanced International Caller-ID capabilities
• Service- and application-specific personal identity extensions, including “youth” attributes
• Encrypted telebiometric specifications
• Interoperable Trusted Third Party & Bridge platform specifications
• Interoperable Personal Identity Portal specifications

Support Capabilities
• A Global IdM Data Dictionary
• Global identity proofing specifications
• Global identity security specifications
• Global IdM management auditing specifications
• Real-time access to identity management and related security specifications
• Real-time access to assigned identifier lookup systems