Layered identity infrastructure model for identity meta systems
There are several Identity Meta Systems emerging in the identity management field, such as CardSpace and the Higgins Trust Framework. The goal of an Identity Meta System (IMetS) is to integrate existing or new Identity Management Systems (IMS) to provide users with seamless interoperability and a consistent user experience. An IMetS is a complex system that tries to integrate already complicated IMS services. With such a complex system, we need a way to assess an IMetS in order to determine how well it integrates the various IMS services. However, as IMetS is a relatively new concept, there is no framework to identify the properties that an ideal IMetS should have. The contribution of this paper is to introduce the Layered Identity Infrastructure Model (LIIM), which can be used as a framework to assess an IMetS. In addition, the LIIM framework can also be used to identify the missing components of an IMetS, to guide and improve the design of an existing IMetS, to serve as a design benchmark for a new IMetS, and to aid the understanding of a complicated IMetS.
Analysis of Windows Cardspace Identity Management System
The Internet, which was originally developed for academic purposes, has expanded and been applied to commercial and business enterprises. It is possible to purchase airline tickets, check bank balances and communicate through e-mail over the Internet. These services can all be performed relatively easily thanks to the proliferation of Internet Service Providers and the lower cost of personal computers. The development of the Internet has also had a huge impact on businesses with the growth of e-commerce, e-banking and the tremendous growth in email traffic. There is, however, a negative side to this development: the rise in on-line criminal activity. The increasing use of the Internet has resulted in the development of on-line identities for users. A great deal of sensitive and personal information can be associated with an on-line identity, and gaining access to these privileges can provide cyber criminals with access to personal resources such as bank account details, credit card information, etc. This type of activity has given rise to the term "identity theft". This project presents an introduction to Microsoft CardSpace and how it relates to dealing with identity theft, the theory behind the application, and practical demonstrations of how the technology can be implemented using Microsoft .NET Framework technology.
Federated Identity Management Systems: A Privacy-based Characterization
Identity management systems store attributes associated with users and facilitate authorization on the basis of these attributes. A privacy-driven characterization of the principal design choices for identity management systems is given, and existing systems are fit into this framework. The taxonomy of design choices also can guide public policy relating to identity management, which is illustrated using the United States NSTIC initiative
Managing Identity Management Systems
Although many identity management systems have been proposed, intended to improve the security and usability of user authentication, major adoption problems remain. In this thesis we propose a range of novel schemes to address issues acting as barriers to adoption, namely the lack of interoperation between systems, simple adoption strategies, and user security within such systems.

To enable interoperation, a client-based model is proposed supporting interworking between identity management systems. Information Card systems (e.g. CardSpace) are enhanced to enable a user to obtain a security token from an identity provider not supporting Information Cards; such a token, after encapsulation at the client, can be processed by an Information Card-enabled relying party. The approach involves supporting interoperation at the client, while maximising transparency to identity providers, relying parties and identity selectors. Four specific schemes conforming to the model are described, each of which has been prototyped. These schemes enable interoperation between an Information Card-enabled relying party and an identity provider supporting one of Liberty, Shibboleth, OpenID, or OAuth.

To facilitate adoption, novel schemes are proposed that enable Information Card systems to support password management and single sign-on. The schemes do not require any changes to websites, and provide a simple, intuitive user experience through use of the identity selector interface. They familiarise users with Information Card systems, thereby potentially facilitating their future adoption.

To improve user security, an enhancement to Information Card system user authentication is proposed. During user authentication, a one-time password is sent to the user's mobile device, which is then entered into the computer by the user. Finally, a universal identity management tool is proposed, designed to support a wide range of systems using a single user interface. It provides a consistent user experience, addresses a range of security issues (e.g. phishing), and provides greater user control during authentication.
Digital Identity Interoperability and eInnovation
This paper, one of three case studies in a transatlantic research project exploring the connection between Information and Communication Technology interoperability and eInnovation, considers the current state and possible evolution of Digital Identity. While consumers would undoubtedly reap convenience benefits from a ubiquitous single sign-on (SSO) technology, the potential for privacy and security issues makes Digital ID a complex issue. The user-centric, federated, and centralized models of Digital ID each have their advantages and drawbacks. While a few companies have previously attempted to establish a single Digital ID standard that they would control, the failure of those efforts has led to a situation where most players in the industry seem to see interoperability as essential to build up the market in the face of frequent ambivalence from consumers, e-commerce merchants, and other potential users.
Broadly, Digital ID could enable a wide range of new Web-based applications, increasing consumers' flexibility and reducing transaction costs. However, a Digital ID that is too ubiquitous could threaten the continued viability of anonymous speech in some contexts. It could also lead to more entities having greater access to consumers' personal data, raising the stakes of potential data breaches.
The paper concludes that the route to interoperability most likely to lead to innovation would include continued collaboration among industry players to settle on one or a few consolidated efforts. Except in special areas, governments can best play a peripheral role, encouraging coordination through soft regulatory approaches like bringing stakeholders together and using their market power as major data holders and users. If privacy and security issues are addressed (and current stakeholders seem acutely aware of them), Digital ID interoperability has the potential to be extremely generative, creating new markets and enabling interoperability among other applications and services. If, however, coordination breaks down among market leaders and rival technologies emerge, it seems likely that user adoption will remain low and the benefits will be limited
Reducing the integration tax of cross-organizational identity-based services with identity federation platforms.
The Internet has become an incomparable communication channel to reach old and new customers and to offer innovative services. Due to the increasing interest in Internet-based services, enterprises are trying to make the best use of the advantages provided by an online presence. Moreover, they collaborate in order to provide cross-organizational identity-based services, adding value to their traditional services. This poses new challenges regarding identity management between domains. One option to overcome them is to integrate an identity-federation platform with that type of service, but it is a very complex task. In this paper we propose to extend the capabilities of an Open Source application server in order to make it compatible with an identity-federation platform as a basis to support cross-organizational identity-based services, dramatically reducing the integration tax.
Client-based CardSpace-Shibboleth Interoperation
Whilst the growing number of identity management systems has the potential to reduce the threat of identity attacks, major deployment problems remain because of the lack of interoperability between such systems. In this paper we propose a simple, novel scheme to provide interoperability between two of the most widely discussed identity systems, namely CardSpace and Shibboleth. In this scheme, CardSpace users are able to obtain an assertion token from a Shibboleth-enabled identity provider that can be processed by a CardSpace-enabled relying party. We specify the operation of the scheme and also describe an implementation of a proof-of-concept prototype. Additionally, security and operational analyses are provided.
CardSpace-OpenID Integration for CardSpace Users
Whilst the growing number of identity management systems has the potential to reduce the threat of identity attacks, major deployment problems remain because of the lack of interoperability between such systems. In this paper we propose a novel, simple scheme to provide interoperability between two of the most widely discussed identity management systems, namely CardSpace and OpenID. In this scheme, CardSpace users are able to obtain an assertion token from an OpenID-enabled identity provider, the contents of which can be processed by a CardSpace-enabled relying party. The scheme, based on a browser extension, is transparent to OpenID providers and to the CardSpace identity selector, and only requires minor changes to the operation of a CardSpace-enabled relying party. We specify its operation and also describe an implementation of a proof-of-concept prototype. Additionally, security and operational analyses are provided.
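The thesis abstract "Managing Identity Management Systems" above and the two CardSpace interoperation papers (CardSpace-Shibboleth, CardSpace-OpenID) all rest on the same idea: the client obtains an assertion from an identity provider that knows nothing about Information Cards, wraps it in an envelope the relying party can process, and the relying party verifies the envelope before looking at the assertion inside. The sketch below is an added illustration of that client-side encapsulation and of the checks a relying party needs on the way back out; it is not code from the thesis or from either paper, and it does not reproduce their token formats. Everything in it is assumed: the issuer and relying-party URLs, the JSON token layout, the field names, and the use of HMAC-SHA256 with pre-shared keys in place of the signatures (IdP signing key, card key) a real deployment would use. The security-relevant point it shows is that the envelope must bind the inner assertion to one relying party and one nonce, otherwise a token captured at one site can be replayed at another or at a later time.

```python
"""Client-side encapsulation of a foreign identity assertion (illustrative sketch)."""
import base64
import hashlib
import hmac
import json

# Assumed keys, constructed for this example. HMAC stands in for the
# signatures a real scheme would use (the IdP's signing key and the key
# behind the user's card); the token layout is likewise an assumption.
IDP_RP_KEY = b"assumed-idp-to-rp-association-key"
CLIENT_RP_KEY = b"assumed-client-card-key-for-this-rp"
RP_ID = "https://rp.example"          # assumed relying-party identifier
IDP_ID = "https://idp.example"        # assumed identity-provider identifier


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: dict) -> str:
    """Canonical JSON body plus HMAC-SHA256 tag, in compact 'body.tag' form."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(raw) + "." + _b64(hmac.new(key, raw, hashlib.sha256).digest())


def _open(key: bytes, token: str) -> dict:
    """Check the tag in constant time and return the body; raise ValueError on failure."""
    try:
        body_b64, tag_b64 = token.split(".")
        raw, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(raw)


def idp_issue(subject: str, claims: dict, audience: str, now: int) -> str:
    """External IdP (no Information Card support) issues an assertion addressed to one RP."""
    return _sign(IDP_RP_KEY, {"iss": IDP_ID, "sub": subject, "aud": audience,
                              "iat": now, "exp": now + 300, "claims": claims})


def client_encapsulate(inner: str, audience: str, nonce: str, now: int) -> str:
    """Client-side component: wrap the foreign assertion in the envelope the RP expects.

    The envelope is bound to the RP and to the RP's nonce, so a token captured
    in transit cannot be replayed at another RP or in a later session.
    """
    return _sign(CLIENT_RP_KEY, {"typ": "encapsulated", "aud": audience,
                                 "nonce": nonce, "iat": now, "inner": inner})


def rp_verify(token: str, nonce: str, now: int, max_age: int = 120) -> dict:
    """RP side: verify the client's envelope first, then the assertion it carries."""
    env = _open(CLIENT_RP_KEY, token)
    if env.get("typ") != "encapsulated" or env.get("aud") != RP_ID:
        raise ValueError("envelope not addressed to this RP")
    if env.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not (now - max_age <= env.get("iat", 0) <= now):
        raise ValueError("envelope too old or from the future")
    inner = _open(IDP_RP_KEY, env["inner"])
    # The inner assertion carries its own audience: a valid envelope must not
    # launder an assertion the IdP issued for some other relying party.
    if inner.get("aud") != RP_ID:
        raise ValueError("assertion not addressed to this RP")
    if inner.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return {"sub": inner["sub"], "iss": inner["iss"], **inner["claims"]}


def demo() -> dict:
    """Full round trip on constructed input: IdP -> client -> RP."""
    now, nonce = 1_700_000_000, "rp-nonce-42"
    assertion = idp_issue("alice", {"email": "alice@example.org"}, RP_ID, now)
    token = client_encapsulate(assertion, RP_ID, nonce, now)
    return rp_verify(token, nonce, now)


if __name__ == "__main__":
    print(demo())
```

The order of checks in `rp_verify` is deliberate: the cheap outer check (whose envelope is this, for which RP, against which nonce) happens before the inner assertion is parsed at all, and the inner audience is checked again rather than trusted through the envelope, which is the kind of property the papers' security analyses have to argue for their own formats.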