International Telecommunication Union Geneva, 9(pm)-10 February 2009 Trend in User-Centric Identity Management Technology and its Standards Sangrae

Presentation transcript:

International Telecommunication Union
Trend in User-Centric Identity Management Technology and its Standards
Sangrae
Digital ID Security Research Team, ETRI
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009

Contents
1. Introduction
2. User-Centric IdM Technology
3. Digital Identity Wallet
4. Conclusion

Introduction

Identity Definition
- The attributes by which an entity is described, recognized or known (ITU-T)
- The fundamental concept of uniquely identifying an object (person, computer, etc.) within a context (OpenGroup)
- A set of claims made by one party about another party. Claims are typically conveyed in Signed Security Tokens (Microsoft)
- The essence of an entity. One's identity is often described by one's characteristics, among which may be any number of identifiers [Liberty & OASIS]
Source: ITU-T Report on the Definition of the Term Identity 2008

Identity Management
Infrastructure that supports authentication, authorization, audit and the identity lifecycle, including creation, update and termination of identity
[Figure labels: Accounts & Policies; Registration/Creation; Propagation; Maintenance/Management; Termination]
Source: Burton Group 2006 Architecture Template for IDM

Purpose of IdM
- Increase in personal identity as web services increase: Improve usability
  - 27 websites join, 7.5 accounts on average in Korea [Digital News, ]
- IdM requirement in inter-domain organizations as business relationships have diversified: Increase in efficiency and productivity
  - Increase of demand in SSO & EAM & IAM, Intranet -> Internet [DigitalIDWorld Newsletter, ]
- Increase in personalized service requirements: Create new IT service & increase in personal privacy
  - Need privacy protection when new service is provided in web 2.0 [ZDNet, 06.12]

User-Centric IdM Technology

Evolution of IdM
[Figure labels: Silo, Centralized, Federated, User-Centric; Identity Interchange (Unidirectional, Bidirectional); Subject for IdM (Domain-centric, User-centric); System, Human]
User-Centric: The user is in the middle of a data transaction and the data always flows through the user's identity agent. This gives the user control of his identity.

User-Centric Identity Concept
- User consent
  - User always can allow or deny whether information about them is released or not (reactive consent management)
- User control
  - User has ability to policy-control all exchanges of identity information (proactive consent management)
  - User delegates decisions to identity agents controlled through policy
- User-centered
  - Core subset of the previous two as People in the protocol
  - User is actively involved in information disclosure policy decisions at run time
Source: OASIS, The Core Concept of Identity 2.0

Main User-Centric IdM Technology
User-Centric Characteristics in each technology
- Liberty Alliance: Permission-based attribute exchange
- OpenID: URL based user identifier & Select user's IdP
- CardSpace: Select User's IdP using Identity Selector

Trend in Standardization
[Figure: Current View of IdM Landscape]
Source: Report on Identity Management Use Cases and Gap Analysis, ITU-T FG IdM

Ongoing Standard Projects in ITU-T SG17
- X.1250 (X.idmreq): Capabilities for global identity management trust and interoperability
  - Requirement for global interoperability among IdM systems
  - Currently in TAP after re-determined in September 2008
- X.1251 (X.idif): A Framework for User Control of Digital Identity
  - User control enhanced digital identity interchange framework
  - Currently in TAP after determined in September 2008
- X.idm-dm: Common Identity Data Model
  - Develop common identity data model to express identity information between IdM systems

X.1251(X.idif) - Framework

Ongoing Standard Projects in ITU-T
- NGN Identity Management
  - SG13 Q15 NGN Security is responsible
  - Developing standards based on the result of IdM Focus Group
- Y.ngnIdMuse: NGN identity management use cases
  - Study use cases when IdM is applied in NGN environment
- Y.ngnIdMreq: NGN identity management requirements
  - IdM Requirements in NGN
- Y.idmFramework: NGN identity management framework
  - Global interoperability framework among IdM systems in NGN

Ongoing Standard Projects in ISO
Identity Management & Privacy Standard in ISO/IEC JTC1 SC27 WG5
ITU-T / ISO Joint Workshop on identity management, Lucerne Sept
WGs within ISO/IEC JTC1/SC27 – IT Security Technologies
- A Framework for Identity Management (ISO/IEC 24760, WD)
- A Privacy Framework (ISO/IEC 29100, CD)
- A Privacy Reference Architecture (ISO/IEC 29101, WD)
- Entity Authentication Assurance (ISO/IEC 29115, WD)
- A Framework for Access Management (ISO/IEC 29146, WD)

The Identity Landscape
Increase in interest in User-Centric IdM technology and in collaborations between technologies
[Figure: The Identity Landscape 2006, Johannes Ernst, CEO of NetMesh. Reconstruct: Digital ID Security Research Team, ETRI. Labels: Digital Identity; URL-based (OpenID); Invisible (SAML/Liberty); Card-based (WS-Trust); User-Centric]
- MS announces support for OpenID. CardSpace supports OpenID; plan to support interoperability with CardSpace in OpenID (07.02)
  - Convenience + Trust
- ETRI, research collaboration with MS for digital ID Wallet (07.05)
  - Convenience + Trust + Privacy Protection + Identity Interchange

Digital Identity Wallet

User Requirements
- Cumbersome every time personal information is typed in to join a website. Especially, worrying to enter national resident number
- Inconvenient when logging in to use web service, harder when mobile web is used in mobile phone
- Not secure to enter ID/PWD in public places
- Secure way to identify the phishing sites
- Hard to remember which websites I have joined
- Not easy to update personal information when it is changed
- Hard to move my information from A site to B site for better services

Overview
What is Digital Identity Wallet?
- A digital wallet that helps users easily use and securely keep their personal identity and authentication information distributed in cyberspace; Digital Identity Wallet is just like a real wallet we use in our daily life to keep ID cards and cash
- System where users can have control over disclosure of their personal information by deciding whether he or she would provide data or not; unwanted disclosure or misuse of personal data can be prevented
Main functions of Digital Identity Wallet
- Site registration and authentication
- Identity share and synchronization
- User privacy protection
[Figure: Secure Internet usage with Digital Identity Wallet. Labels: Mobile Digital Identity Wallet; Internet shopping mall; Website A, Website B, Website C, Website D; Identity verification organization; Payment organization; Privacy protection server (backup, roaming, consistency). Wallet contents: link data, payment history, personal data, authentication information, identity verification data, website registration information. Flows: issue authentication information, issue identity verification data, issue payment information, issue link data, input personal data, registration & login, purchase & payment, data share]

Services
- Site registration service
  - Phishing site avoidance
  - One-click site registration
  - Registered site management
- Identity authentication & verification service
  - Replacement of national resident no. for ID verification
  - Support of various authentication methods
  - One-click! Mobile authentication
- Share and synchronization service
  - Secure identity sharing between sites
  - Automatic synchronization of updated personal data
  - Personalized mash-up service
- Other applications
  - Credit card and point card utilization and reference
  - Connection with cyber world
  - Authentication on a web interoperating with home device

Supports for various authentication

Use Case for Identity Interchange
[Figure: Personal Finance Management Service. Labels: Digital Identity Wallet; Financial info; Bank (savings, loans info); Stock (Stock info); Real Estate (Estate info); Financial Management]

Conclusion
- User-Centric is essential technology
  - Convenience
  - Privacy aware security for user
  - Convergence between IdM technologies
- Full User Control
  - Provide user with full power to control his identity
  - Enhance privacy
- Efficient Identity Interchange
  - Scalability
  - Independency
  - Seamless

Thank You !!! Q & A