July 25, 2005 PEP Workshop, UM 2005 1 A Single Sign-On Identity Management System Without a Trusted Third Party Brian Richardson and Jim Greer ARIES Lab.


1 A Single Sign-On Identity Management System Without a Trusted Third Party
Brian Richardson and Jim Greer
ARIES Lab, Department of Computer Science, University of Saskatchewan
July 25, 2005 PEP Workshop, UM 2005

2 Overview
Purpose:
- To create a personal information management system for online businesses/consumers
Why?
- Help users manage their personal information and be aware of who has it
- Help businesses comply with some areas of privacy legislation

3 Motivation
Legislation:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Privacy Concerns:
- The increasing concerns of Internet users about what information online businesses record
Tool Support:
- The lack of an available privacy tool that allows for management of multiple identities

4 Privacy Tools and Research
- P3P
- TRUSTe
- Privacy Critics
- PISA
- PPCS
- EPA
- EPAL
- SAML
- FIM
- PRIME
- FIDIS
- Liberty Alliance
- MS .NET Passport
- MS Infocards

5 Design Goals
Goal: try to design a personal information service, but with the following restrictions:
Does NOT:
- use a third-party for management of personal information
- require passing identity information between businesses
Does permit:
- multiple identities from within a single user account
- greater access for users managing their personal information
- businesses to comply with disclosure rules defined by PIPEDA

6 Identity Management Architecture (IMA)
The IMA system has two main components:
1. IMA Toolbar/Manager (Client): An application that attaches to the user’s web browser and handles the management of all user identities and web browsing history.
2. IMA Web Service (Business): A web service that each participating business provides to allow users of the IMA Manager to send and receive identity information.

7 Architecture Overview
[Diagram] Nodes: IMA User; Machine with IMA Toolbar installed; IMA Participating Business. Labels: Visits participating business’s web site; Browsing the Internet; Store identities and profiles; Communicate with business through web service interface; Create/Update identities, view profile information, etc.

8 Key Features
The three key features of the IMA system:
- Provides for the creation and management of multiple discrete personal identities.
- Allows users to restrict the access that businesses have to identifying information.
- Provides users with the ability to request from a business what personal information is stored.

9 Hypothesis
The two key questions this research answers are:
- Does the IMA System provide users with more flexibility and control over the management of their personal information than a third-party system does?
- Does the IMA System support business compliance with current privacy legislation?

10 .NET Passport
[Diagram] Nodes: Passport User; Passport Business; .NET Passport. Labels: Return user’s passport account; Provide user’s sign-in information; Sign-in using passport; Create a passport account.

11 Liberty Alliance
[Diagram] Nodes: User; Liberty Alliance Business A; Liberty Alliance Business B. Labels: Provides user’s account; Requests user’s account; User creates an account with a business they trust; User logs in at business B which has a relationship with business A.

12 IMA
[Diagram] Nodes: IMA User; IMA Business. Labels: Provides user with access to update and review personal information; IMA client provides authentication info to business if an established relationship exists.

13 Identity-to-Business Associations
[Diagram] Nodes: IMA Manager; Identity Anonymous; Identity Personal; Identity Work; Business A; Business B; Business C.

14 Managed Relationships
[Diagram] Panels: .NET Passport; Liberty Alliance; IMA.

15 Implementation
- IMA Toolbar
- IMA Manager
- IMA Web Service
- Example participating business web site
- XML Data

16 IMA Toolbar
- Participation Icon
- Account logged in
- Identity list
- “Go” (associate identity)
- Eye logo, opens the IMA Manager application

17 IMA Manager

18 IMA Web Service
- public bool Authenticate( … )
- public void AddIdentity( … )
- public Ima.Manage.Identity GetIdentity( … )
- public void UpdateIdentity( … )
- public void AddProfile( … )
- public Ima.Manage.Profiles GetProfile( … )
- public void UpdateProfile( … )
- public void AddHistoryItem( … )
- public void AddVisitor( … )

19 Participating Business

20 XML Data

21 Evaluation
The IMA system was evaluated on two criteria to show how it answers the research questions posed by this thesis:
1. Access to Personal Information
2. Privacy Legislation Compliance

22 Access to Personal Information Comparison Criteria
1. Ability to edit information
2. Tracking of business to identity associations
3. Viewing of information stored at a business
4. Removing of information stored at a business
5. The creation of multiple discrete identities
6. The ability to link an identity to a business
7. No reliance on third party storage
8. Tracking of information provided to a business
9. Automatically pushes out information updates to businesses that information has been used at

23 Access to Personal Information Comparison Results

24 Privacy Legislation Compliance Comparison Criteria
Based on PIPEDA and DPA principles
1. Consent must be obtained
2. Limit collection of personal data
3. Limit use, disclosure, and retention
4. Ensure the accuracy of information
5. Give individuals access to their information

25 Privacy Compliance Comparison Summary

26 Benefits of the IMA System
For Internet Users:
- More control over personal information
- Stay informed of what information has been given to a business
- Ability to view, add, modify, and remove personal information
- Update information for multiple businesses by entering it once
For Businesses:
- Improved compliance with privacy legislation
- Identity information managed and updated by users
- More accurate contact information since users can correct mistakes
- Improves business’s ability to personalize content

27 Challenges
Issues in the IMA system that will need to be addressed:
- Security of information
  - Information stored on client machine
- Account theft
  - Posing as another user to retrieve their personal information from a business
- Leeching
  - Businesses using the IMA web service to gather identity information but not:
    - making their participation public
    - providing users with access to their profile

28 Contributions
- Lack of reliance on third party for management of personal information
- Use of multiple discrete identities all managed from a single user account
- Identity-to-Business associations, managed for you by the IMA system
- Disclosure, correction, and removal of personal information managed by user
- Improved compliance for businesses with privacy legislation disclosure requirements

29 Future Work
IMA system:
- Address security issues
- Account access from multiple locations
Possible focus switch:
- look at how existing systems (i.e., Passport and Liberty Alliance) could be adapted to support:
  - Multiple identities
  - Disclosure on demand

