Landscape of Web Identity Management

Use Cases: eBusiness, eGovernment, Smart Environments, eHealth, Social & Business Networks, Corporate IdM

User Empowerment: Privacy by Design, User-centric Services, Data Protection, Context-awareness, Identity Management, Usable Security

Threats: tamper, deny, misuse, misinform, spy out; Identity Theft, Surveillance, Profiling

Technologies

OAuth 2.0
The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. (The OAuth 2.0 Authorization Protocol, draft-ietf-oauth-v2-25, March 8, 2012)

OpenID Connect
OpenID Connect (based on the OAuth 2.0 protocol) is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. The simplest deployment of OpenID Connect allows clients of all types to request and receive information about identities and currently authenticated sessions. (Implementer's Draft, Feb. 14, 2012)

Shibboleth
Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on SAML.

Identity Mixer (idemix)
Identity Mixer (idemix) is an anonymous credential system developed at IBM Research that enables strong authentication and privacy at the same time. With Identity Mixer, users can obtain from an issuer a credential containing all the information the issuer is ready to attest about them. When a user later wants to prove a statement about herself to a service provider, she employs Identity Mixer to securely transform the issued credential.

Higgins
Higgins, initiated in 2003, is a framework that enables users and enterprises to integrate identity, profile, and relationship information across multiple systems. Applications can use Higgins to create a unified, virtual view of identity, profile and relationship information. A key focus of Higgins is providing a foundation for new "user-centric identity" and personal information management applications.

Windows CardSpace
Windows CardSpace is Microsoft's client software for the Identity Metasystem (canceled in Feb 2011). CardSpace stores references to users' digital identities for them. Resistance to phishing attacks and adherence to Kim Cameron's "7 Laws of Identity" were goals in its design. Windows CardSpace 2.0 will be extended to use the U-Prove protocol.

U-Prove
U-Prove is a cryptographic technology that enables the issuance and presentation of cryptographically protected claims in a manner that provides multi-party security. The goal is to enable the exchange of verified identity information from sources (Claims Provider), under the user's control (via the U-Prove Agent), to the recipients (Relying Party).

Kantara - UMA 2012
User-Managed Access is a protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates).
[UMA diagram: roles Authorizing User, Authorization Manager, Requester, Host, Protected Resource; relationships Delegate, Authorize, Access, Manage, Protect, Control; PDP, PEP]

In the future, internet users will be downloaded as apps. Users master their identity life cycle securely and confidentially. Virtual identities will be created dynamically and context-aware. Confirmed subscribers are authorised to access partial profiles. Authorised subscribers are up to date at any time. Compliance with data protection laws and security policies will be built in.

7 Laws of Identity (Kim Cameron, http://www.identityblog.com/stories/2004/12/09/thelaws.html)
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts

Keywords: Privacy Impact Assessment, Transparency, GPS, Anonymity, Claims, User-centric, Biometry, Identity Theft, Smartcards, Policies, Credentials, CRM, Tracking, Loyalty, Attributes, Data Protection, LBS, Context-awareness, Aggregation, Authentication, Interoperability, Cyber Security, Access Control, Privacy, Surveillance, Confidentiality, RFID, Personalisation, Profiling

Contact: Mario Hoffmann, [email protected], www.identity‐competence‐center.de