Landscape of Web Identity Management
0 likes1,688 views
This document summarizes various technologies related to web identity management and user-centric data protection. It includes technologies for authentication, authorization, anonymity, credentials, access control, privacy, and identity federation. Formats include OAuth, OpenID Connect, U-Prove, Higgins, Shibboleth, and Idemix. Design principles are also covered, such as the 7 Laws of Identity and privacy by design. The landscape shows technologies that empower users to control their online identities and personal data.
Landscape of Web Identity Management
- 1. Landscape of Web Identity Management Surveillance User-centric Data Protection RFID Authentication Credentials Aggregation Data Protection Identity Theft Transparency Claims Tracking Confidentiality Access Control LBS Attributes Smartcards Anonymity Context-awareness GPS Loyalty Personalisation Cyber Security Biometry CRM Policies Privacy Profiling Interoperability Technologies Authorizing User Use Ca e Cases Manage Ma Control Kantara - UMA 2012 User-Managed Access is a protocol designed to give a web user a unified control point for authorizing who and what Host can get access to their online personal data (such as identity Protect Authorization PEP PDP Delegate attributes), content (such as photos), and services Manager Protected (such as viewing and creating status updates). Resource Shibboleth is an eGov eGov G nt eGovernment Internet2 Middleware ess ess eBusiness Initiative project that has created an architecture and Authorize open-source implementation for Access Identity management and federated identity-based authentication and authorization (or Access control) infrastructure based on SAML. mar ma t art Smart h Shibbolet Requester ronments ronments nm m Environments eHealth 2.0 ect The OAuth 2.0 authorization proto- Identity Mixer (idemix) is an anonymous col enables a third-party application Ide credential system developed at IBM to obtain limited access to an HTTP service, either on behalf of a resource u th n mix Research that enables strong authentica- OA on owner by orchestrating an approval tion and privacy at the same time. With Social & Business C identity mixer, users can obtain from an C rd p CardSp interaction between the resource Hi owner and the HTTP service, or by issuer a credential containing all the Corporate e te Networks ID ig ve allowing the third-party application to information the issuer is ready to attest IdM obtain access on its own behalf. en about them. When a user later wants to gi gi Op (The OAuth 2.0 Authoriza- prove to a service provider a state- U-Pro ns tion Protocol draft-ietf- ment about her, she employs s oauth-v2-25, Higgins – identity mixer to securely March 8, OpenID Connect transform the initiated 2003 – is a e ac e 2012) OpenID Connect (based on the OAuth 2.0 protocol) is a framework that issued creden- a suite of lightweight specifications enables users and enterprises to tial. that provide a framework for identity integrate identity, profile, and User Empowerment interactions via RESTful APIs. The simp- relationship information across multi- lest deployment of OpenID Connect U-Prove is a Windows CardSpace ple systems. Applications can use Higgins allows for clients of all to request cryptographic tech- is Microsoft's client to create a unified, virtual view of and receive information about nology that enables software for the Identity identity, profile and relationship identities and currently the issuance and pre- Metasystem (canceled in information. A key focus of authenticated sessions. sentation of cryptogra- Feb 2011). CardSpace Higgins is providing a founda- (Implementer’s Draft, phically protected claims stores references to users' tion for new "user-centric Privacy by Design Feb. 14, 2012) in a manner that provides multi-party security. The goal digital identities for them. Resistance to phishing attacks identity" and personal information is to enable the exchange of and adherence to Kim management verified identity information Cameron's "7 Laws of Identity” applica- User-centric Services from sources (Claims Provider), under the user’s control (via the were goals in its design. Windows CardSpace 2.0 will be extended to tions. U-Prove Agent), to the recipients use the U-Prove protocol. (Relying Party). Data Protection Context-awareness Identity Management Threats Usable Security Identity Theft tamper Surveillance In the future internet users Profiling misinform will be downloaded as apps. en t s sm deny misuse Privacy Impact A sse Virtual identities will be created dynamically Compliance and context-aware. spy The to data protec- users master out tion laws and securi- Authorised Confirmed their identity life ty policies will subscribers subscribers cycle securely be built are up-to-date are authorised and confidentially. in. at any time. to access partial profiles. 7 Laws of Identity Contact: 1. User Control and Consent 5. Pluralism of Operators and Technologies Mario Hoffmann 2. Minimal Disclosure for a Constrained Use 6. Human Integration mario.hoffmann@aisec.fraunhofer.de 3. Justifiable Parties 7. Consistent Experience Across Contexts www.identity‐competence‐center.de 4. Directed Identity Kim Cameron (http://www.identityblog.com/stories/2004/12/09/thelaws.html)