Friday, December 19, 2014
ITU-T Study Group 17 IdM Landscape Wiki
IdM Landscape test page

1. Introduction

This IdM landscape is an informative resource that organizes identity management-related documents from ITU-T and other standards organizations, classified by category and by organization, and records the status (stage) of their development. It is intended to help clarify the coordinated set of detailed requirements and the various Questions involved in IdM work.

2. Document History

Date: 02/25/10
Version: Q.10 interim meeting, Rev 0.x
Comments: 1. Add editorial history table (Helmut, Germany)
Changes: done

Date: 01/19/10
Version: JCA-IdM 7th meeting, first published version (TD-PLEN-0707/JCA-IdM DOC-0053)
Comments: 1. Correct ISO/IEC JTC 1/SC27/WG5 IdM standard activities (ISO/IEC liaison)
Changes: See sections III and V.2

Date: 12/08/09
Version: Original version sent to the Q.10 mailing list for comments
Comments and changes:
1. Add OID recommendations (Tony, US): see section I.2
2. Add X.509 recommendations (Erik, Denmark): see section V.1
3. Add DNS recommendations (Erik, Denmark): see section I.2
4. Removed PRIME project (Mike, UK): done
5. Further scoping and granularity (Mike, UK): needs to be discussed during the April meeting
6. Add OASIS identity in Clouds (Abbie, Canada): see VII.1

3. IdM Landscape

The following tables organize the identity management technologies and related Recommendations. There are seven main categories in the tables:

- The first part is general issues, including:
  · terms and definitions,
  · identity addressing and format,
  · data model.
- The second part is use cases and requirements.
- The third part is framework and architecture.
- The fourth part is interface and protocol.
- The fifth part is security issues, including:
  · security technology and mechanisms;
  · privacy management.
- The sixth part is interoperability issues, including:
  · data model and interface;
  · framework and architecture;
  · technology and mechanisms;
  · identity-based web services.
- The seventh part is deployment and application, including:
  · Internet application;
  · social service.

4. Identity Management Landscape Table

Columns: Organization; Type (standard, work in progress…); Title of the (draft) standard; Summary of the (draft) standard; Relationship with other (draft) standards; Status and milestones; Remarks.

I. General Issues

I.1 Terms and definitions

Organization: ITU-T SG 17
Type: Draft Recommendation
Title: ITU-T X.1252, Baseline identity management terms and definitions
Summary: This Recommendation provides a collection of terms and definitions used in Identity Management. They are drawn from many sources; all are believed to be in common use in IdM. These definitions are to be used as a baseline for IdM Recommendations throughout ITU-T; they may be expanded if necessary to provide greater clarity for a specific context. This will ensure the main features of IdM are consistent, aligned and understood.
Status: Determined in Sept. 2009

Organization: OASIS
Type: Standard
Title: SAML Glossary (2005.03), Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0
Summary: This specification defines terms used throughout the OASIS Security Assertion Markup Language (SAML) specifications and related documents.

I.2 Identity Addressing and Format


Organization: ITU-T SG 17
Type: Draft Recommendation
Title: X.oid-res, Information technology – Object identifier resolution system
Summary: This Recommendation | International Standard specifies the OID (Object Identifier) resolution system, which provides information associated with any object identified by an object identifier. This associated information can be access information, child node information, or the canonical form of the OID-IRI. The OID Resolution System consists of two processes: a general OID resolution process and an application-specific OID resolution process. The general OID resolution process utilizes the DNS (Domain Name System) protocol.
Relationship: ISO/IEC 29168

Organization: ITU-T SG 17
Type: Draft Recommendation
Title: X.oid-exp, Object identifier repository export format (subject to agreement with ISO TC 215 on collaborative work)
Summary: This Recommendation | International Standard specifies both an XML and a binary export format for object identifier repositories, including additional requirements for e-health repositories.
Relationship: ISO 13582

Organization: ETSI
Type: Technical Specification
Title: TS 184 002 V1.1.1 (2006), Identifiers (IDs) for NGN
Summary: The present document provides an overview of the identifiers used within 3GPP which are considered applicable to NGN.

Organization: 3GPP
Type: Technical Specification
Title: TS 23.003 (2009.09), Numbering, addressing and identification (Release 9)
Summary: The present document defines the principal purpose and use of International Mobile station Equipment Identities (IMEI) within the digital cellular telecommunications system and the 3GPP system.

Organization: 3GPP
Type: Technical Specification
Title: TS 23.008 (2009.09), Organization of subscriber data (Release 9)
Summary: The present document provides details concerning information to be stored in home subscriber servers, visitor location registers, GPRS Support Nodes and Call Session Control Functions (CSCF) concerning mobile subscribers.

Organization: IETF
Title: RFC 2141 (1997), Uniform Resource Name (URN)
Summary: This document defines persistent, location-independent resource identifiers. This RFC defines the canonical syntax for URNs and discusses existing legacy and new namespaces and requirements for URN presentation and transmission.

Organization: IETF
Title: RFC 2822 (2001), Internet Message Format
Summary: This standard specifies a syntax for text messages that are sent between computer users, within the framework of "electronic mail" messages.

Organization: IETF
Title: RFC 3986 (2005), Uniform Resource Identifier (URI): Generic Syntax
Summary: This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet.

Organization: IETF
Title: RFC 3987 (2005), Internationalized Resource Identifiers (IRIs)
Summary: This document defines a new protocol element, the Internationalized Resource Identifier (IRI), as a complement to the Uniform Resource Identifier (URI).

Organization: IETF
Title: RFC 4122 (2005), A Universally Unique IDentifier (UUID) URN Namespace
Summary: This specification defines a Uniform Resource Name namespace for UUIDs (Universally Unique IDentifiers), also known as GUIDs (Globally Unique IDentifiers).

Organization: IETF
Title: RFC 881 (1983), The Domain Names Plan and Schedule
Summary: This RFC outlines a plan and schedule for the implementation of domain-style names throughout the DDN/ARPA Internet community. The introduction of domain-style names will impact all hosts on the DDN/ARPA Internet.

Organization: IETF
Title: RFC 897 (1984), Domain Name System Implementation Schedule
Summary: This memo is a policy statement on the implementation of the Domain Style Naming System in the Internet. This memo is a partial update of RFC 881. This is an official policy statement of the ICCB and the DARPA. The intent of this memo is to detail the schedule for the implementation of the Domain Style Naming System. The explanation of how this system works is to be found in the references.

Organization: IETF
Title: RFC 921 (1984), Domain Name System Implementation Schedule – Revised
Summary: This memo is a policy statement on the implementation of the Domain Style Naming System in the Internet. This memo is an update of RFC 881 and RFC 897. This is an official policy statement of the IAB and the DARPA. Distribution of this memo is unlimited. The intent of this memo is to detail the schedule for the implementation of the Domain Style Naming System. The explanation of how this system works is to be found in the references.

Organization: IETF
Title: RFC 1034 (1987), Domain Names – Concepts and Facilities
Summary: This RFC introduces domain-style names, their use for Internet mail and host address support, and the protocols and servers used to implement domain name facilities.

Organization: IETF
Title: RFC 1035 (1987), Domain Names – Implementation and Specification
Summary: This RFC describes the details of the domain system and protocol, and assumes that the reader is familiar with the concepts discussed in a companion RFC, “Domain Names – Concepts and Facilities”.

Organization: IETF
Title: RFC 1101 (1989), DNS Encoding of Network Names and Other Types
Summary: This RFC proposes two extensions to the Domain Name System: 1) a specific method for entering and retrieving RRs which map between network names and numbers, and 2) ideas for a general method for describing mappings between arbitrary identifiers and numbers. The method for mapping between network names and addresses is a proposed standard; the ideas for a general method are experimental. This RFC assumes that the reader is familiar with the DNS [RFC 1034, RFC 1035] and its use. The data shown is for pedagogical use and does not necessarily reflect the real Internet.

Organization: IETF
Title: RFC 1591 (1994), Domain Name System Structure and Delegation
Summary: This memo provides some information on the structure of the names in the Domain Name System (DNS), specifically the top-level domain names, and on the administration of domains. The Internet Assigned Numbers Authority (IANA) is the overall authority for the IP addresses, the domain names, and many other parameters used in the Internet. The day-to-day responsibility for the assignment of IP addresses, Autonomous System Numbers, and most top- and second-level domain names is handled by the Internet Registry (IR) and regional registries.

Organization: IETF
Title: RFC 1712 (1994), DNS Encoding of Geographical Location
Summary: This document defines the format of a new Resource Record (RR) for the Domain Naming System (DNS), and reserves a corresponding DNS type mnemonic and numerical code. This definition deals with associating geographical host location mappings to host names within a domain. The data shown in this document is fictitious and does not necessarily reflect the real Internet.

Organization: IETF
Title: RFC 2870 (2000), Root Name Server Operational Requirements
Summary: As the Internet becomes increasingly critical to the world’s social and economic infrastructure, attention has rightly focused on the correct, safe, reliable, and secure operation of the Internet infrastructure itself. The root domain name servers are seen as a crucial part of that technical infrastructure. The primary focus of this document is to provide guidelines for operation of the root name servers. Other major zone server operators (gTLDs, ccTLDs, major zones) may also find it useful. These guidelines are intended to meet the perceived societal needs without overly prescribing technical details.

Organization: IETF
Title: RFC 2916 (2000), E.164 number and DNS
Summary: This document discusses the use of the Domain Name System (DNS) for storage of E.164 numbers; more specifically, how DNS can be used for identifying available services connected to one E.164 number. Routing of the actual connection using the service selected using these methods is not discussed.

Organization: IETF
Title: RFC 3007 (2000), Secure Domain Name System (DNS) Dynamic Update
Summary: This document proposes a method for performing secure Domain Name System (DNS) dynamic updates. The method described here is intended to be flexible and useful while requiring as few changes to the protocol as possible. The authentication of the dynamic update message is separate from later DNSSEC validation of the data. Secure communication based on authenticated requests and transactions is used to provide authorization.

Organization: IETF
Title: RFC 3401 (2002), Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS
Summary: This document specifies the exact documents that make up the complete Dynamic Delegation Discovery System (DDDS). DDDS is an abstract algorithm for applying dynamically retrieved string transformation rules to an application-unique string. This document, along with RFC 3402, RFC 3403 and RFC 3404, obsoletes RFC 2168 and RFC 2915, and updates RFC 2276.

Organization: IETF
Title: RFC 3402 (2002), Dynamic Delegation Discovery System (DDDS) Part Two: The Algorithm
Summary: This document describes the Dynamic Delegation Discovery System (DDDS) algorithm for applying dynamically retrieved string transformation rules to an application-unique string. Well-formed transformation rules will reflect the delegation of management of information associated with the string. This document is also part of a series that is completely specified in "Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS" (RFC 3401).

Organization: IETF
Title: RFC 3403 (2002), Dynamic Delegation Discovery System (DDDS) Part Three: The Domain Name System (DNS) Database
Summary: This document describes a Dynamic Delegation Discovery System (DDDS) Database using the Domain Name System (DNS) as a distributed database of Rules. The Keys are domain names and the Rules are encoded using the Naming Authority Pointer (NAPTR) Resource Record (RR). This document obsoletes RFC 2915. It is also part of a series that is completely specified in "Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS" (RFC 3401).

Organization: IETF
Title: RFC 3404 (2002), Dynamic Delegation Discovery System (DDDS) Part Four: The Uniform Resource Identifiers (URI) Resolution Application
Summary: This document describes a specification for taking Uniform Resource Identifiers (URI) and locating an authoritative server for information about that URI. The method used to locate that authoritative server is the Dynamic Delegation Discovery System. This document is part of a series that is specified in "Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS" (RFC 3401).

Organization: IETF
Title: RFC 3405 (2005), Dynamic Delegation Discovery System (DDDS) Part Five: URI.ARPA Assignment Procedures
Summary: This document is fifth in a series that is completely specified in "Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS" (RFC 3401).

Organization: IETF
Title: RFC 3467 (2003), Role of the Domain Name System (DNS)
Summary: This document reviews the original function and purpose of the domain name system (DNS). It contrasts that history with some of the purposes for which the DNS has recently been applied and some of the newer demands being placed upon it or suggested for it. A framework for an alternative to placing these additional stresses on the DNS is then outlined. This document and that framework are not a proposed solution, only a strong suggestion that the time has come to begin thinking more broadly about the problems we are encountering and possible approaches to solving them.

Organization: IETF
Title: RFC 3764 (2004), enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record
Summary: This document registers an Electronic Number (ENUM) service for the Session Initiation Protocol (SIP), pursuant to the guidelines in RFC 3761. Specifically, this document focuses on provisioning SIP addresses-of-record in ENUM.

Organization: OASIS
Type: Working Draft
Title: SAML Profile (2009.12), Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 – Errata Composite
Summary: The SAML V2.0 Profiles specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as well as profiles for SAML attribute value syntax and naming conventions.

Organization: OASIS
Type: Standard
Title: xri-syntax-V2.0-cs (2005), Extensible Resource Identifier (XRI) Syntax V2.0
Summary: This document is the normative technical specification for XRI generic syntax.

Organization: OASIS
Type: Standard
Title: xri-resolution-V2.0 (2008), Extensible Resource Identifier (XRI) Resolution Version 2.0
Summary: This document defines a simple generic format for resource description (XRDS documents), a protocol for obtaining XRDS documents from HTTP(S) URIs, and generic and trusted protocols for resolving Extensible Resource Identifiers (XRIs) using XRDS documents and HTTP(S) URIs.

Organization: W3C
Title: xml:id Version 1.0 (2005)
Summary: This document defines the meaning of the attribute xml:id as an ID attribute in XML documents and defines processing of this attribute to identify IDs in the absence of validation, without fetching external resources, and without relying on an internal subset.

I.3 Data Model


Organization: ETSI
Type: Draft Technical Specification
Title: DTS 188 002-2 V2.0.0 (2008), NGN Management; Subscription Management Information Model
Summary: The purpose of the present document is the definition of the SuM Information Model, which is paramount for NGN service delivery within TISPAN NGN.

Organization: 3GPP
Type: Technical Specification
Title: TS 31.102 (2009.09), Characteristics of the Universal Subscriber Identity Module (USIM) application (Release 9)
Summary: The present document defines the Universal Subscriber Identity Module (USIM) application. This application resides on the UICC, an IC card specified in TS 31.101.

Organization: 3GPP
Type: Technical Specification
Title: TS 31.103 (2009.06), Characteristics of the IP Multimedia Services Identity Module (ISIM) application (Release 8)
Summary: The present document defines the IM Services Identity Module (ISIM) application. This application resides on the UICC, an IC card specified in TS 31.101.

Organization: OASIS
Type: Working Draft
Title: SAML Profile (2009.12), Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 – Errata Composite
Summary: The SAML V2.0 Profiles specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as well as profiles for SAML attribute value syntax and naming conventions.

Organization: OASIS
Type: Working Draft
Title: SAML Metadata (2009.12), Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 – Errata Composite
Summary: The SAML V2.0 Metadata document defines an extensible metadata format for SAML system entities, organized by roles that reflect SAML profiles.

II. Use cases and Requirements


Organization: ITU-T SG 13
Type: Recommendation
Title: ITU-T Y.2701, Security requirements for NGN release 1
Summary: This Recommendation provides security requirements for Next Generation Networks (NGNs) and their interfaces (e.g., UNIs, NNIs and ANIs) by applying ITU-T Recommendation X.805, Security architecture for systems providing end-to-end communications, to ITU-T Recommendation Y.2201, NGN release 1 requirements, and ITU-T Recommendation Y.2012, Functional requirements and architecture of the NGN.
Relationship: The foundation for the standards work within Q.16/13
Status: In force
Remarks: NGN Specific

Organization: ITU-T SG 13
Type: Recommendation
Title: ITU-T Y.2702, Authentication and authorization requirements for NGN release 1
Summary: This Recommendation specifies authentication and authorization requirements for next generation networks (NGNs).
Relationship: Based on Y.2701
Status: In force
Remarks: NGN Specific

Organization: ITU-T SG 13
Type: Draft Recommendation
Title: Y.NGN IdM Requirements, NGN identity management requirements
Summary: This Recommendation provides Identity Management (IdM) objectives and requirements for the Next Generation Network (NGN) and its interfaces.
Relationship: Specifies IdM requirements based on the IdM framework of Y.2720
Status: Targeted for determination in 01/2010
Remarks: NGN Specific

Organization: ITU-T SG 13
Type: Draft Recommendation
Title: Y.NGN trusted SP requirements, NGN requirements and use cases for trusted service provider identity
Summary: This Recommendation provides NGN use cases and requirements for trusted identification of service providers.
Relationship: The requirements are based on the concepts of Y.2701
Status: Targeted for determination in 4Q/2010
Remarks: NGN Specific

Organization: ITU-T SG 13
Type: Draft Recommendation
Title: Y.NGN mobile financial requirements, Security requirements for mobile remote financial transactions in the next generation networks (NGN)
Summary: This Recommendation specifies security requirements and levels of security for the System of Mobile Commerce and Mobile Banking in the NGN.
Relationship: Based on the requirements of Y.2701 and the architecture of Y.NGN mobile financial architecture
Status: Targeted for determination in 2Q/2010
Remarks: NGN mobile financial

Organization: ITU-T SG 17
Type: Recommendation
Title: ITU-T X.1250, Baseline capabilities for enhanced global identity management and interoperability
Summary: This Recommendation describes baseline capabilities for global identity management (IdM) interoperability (i.e., to enhance exchange and trust in the identifiers used by entities in telecommunication/information technology (IT) networks and services). The definitions and need for IdM are highly context dependent and often subject to very different policies and practices in different countries. The capabilities include the protection and control of personally identifiable information (PII).
Status: Approved in Sept. 2009

Organization: ETSI
Type: Draft Technical Specification
Title: DTS 188 002-1 V3.1.1 (2009), NGN Subscription Management; Part 1: Requirements
Summary: The purpose of the present document is the definition of the necessary requirements for Subscription Management (SuM), which is paramount for NGN service delivery within TISPAN NGN. The present document contains the specification of the requirements for the following:
- An end-to-end information model to cover all the mandatory/optional information related to Subscription Management (SuM) that shall be provisioned on the NGN network.
- A Subscription Management (SuM) functional architecture which hides the complexity of the different functional entities to be configured, including the CPE and the AS.

Organization: OMA
Title: OMA-RD-Identity_Management_Framework-V1_0-20050202-C, Identity Management Framework Requirements
Summary: The intention of this specification is to integrate existing efforts relating to Identity within the OMA to create a single Identity Management (IdM) enabler to be used by all OMA enablers. This specification sets requirements for all technical working groups of OMA, and all Identity Management related functions should be satisfied according to the resulting enabler. The benefits of a single Identity Management enabler for all OMA enablers are:
- Management and use of Identity or personal information is easier for all stakeholders: End Users, mobile operators, enterprises and Service Providers;
- End Users do not have the burden of having to understand different service-specific Identity solutions;
- The same Identities and personal information can be utilised by multiple services;
- Privacy protection can be enabled more easily using a common Identity Management enabler;
- The OMA will not be seen to publish specifications with disparate, conflicting Identity Management solutions;
- Identity needs are the same (or very similar) for all enablers and so, by creating a single Identity Management enabler, duplication of work is kept to a minimum;
- New enablers with Identity requirements will be able to benefit from the existing Identity Management enabler;
- Greater interoperability between enablers;
- Improved time to market for those enablers that use the Identity Management enabler.
Remarks: Mobile network environment

III. Framework and Architecture


Organization: ITU-T SG 13
Type: Recommendation
Title: ITU-T Y.2720, NGN identity management framework
Summary: This Recommendation provides a framework for Identity Management (IdM) in Next Generation Networks (NGN). The primary purpose of this framework is to describe a structured approach for designing, defining, and implementing IdM solutions and for facilitating interoperability in a heterogeneous environment.
Relationship: Based on the requirements of Y.2701 and Y.2702; specifies a framework for IdM
Status: Published
Remarks: NGN Specific

Organization: ITU-T SG 13
Type: Draft Recommendation
Title: Y.mobSec, Mobility security framework in NGN
Summary: This Recommendation specifies the mobility security framework in the NGN transport stratum. It addresses the security requirements, security mechanisms and procedures for mobility management and control in NGN.
Relationship: Based on the requirements of Y.2701
Status: Targeted for determination in 3Q/2010
Remarks: NGN Mobile Specific

Organization: ITU-T SG 17
Type: Draft Recommendation
Title: X.idmgen, Generic identity management framework
Summary: This Recommendation provides a generic framework for Identity Management (IdM) that is independent of network types, technology or vendor-specific products used to provide solutions, and operating environment. In addition, this Recommendation is independent of any service- or scenario-specific model (e.g., web services, third party or federated models), assumptions or solution specifications. The primary purpose of this framework is to describe a structured approach for designing, defining, and implementing IdM solutions and facilitate interoperability in heterogeneous environments.

Organization: ITU-T SG 17
Type: Recommendation
Title: ITU-T X.1251, Framework for user control of digital identity
Summary: This Recommendation defines a framework to enhance user control and exchange of their digital identity related information. The Recommendation also defines user and functional requirements of the digital identity information exchange. The work includes providing the user with the ability to control the release of personally identifiable information.
Status: Approved in Sept. 2009

Organization: ISO/IEC
Title: 24760, A Framework for Identity Management
Summary: This standard aims to provide a framework for the definition of identity and the secure, reliable, and private management of identity information. This framework should be applicable to individuals as well as organizations of all types and sizes, in any environment and regardless of the nature of the activities they are involved in.
Relationship: ITU-T Y.2720 “NGN identity management framework”, approved 01/09; ITU-T X.1250 “Baseline capabilities for enhanced global identity management and interoperability”, approved 09/09; draft ITU-T X.1252 “Baseline identity management terms and definitions”
Status: IS (05-2011)
Remarks:
- In its current liaison statement to SG 13, ISO/IEC JTC 1/SC 27/WG 5 points out that there seem to be conceptual differences between the concepts depicted in Y.2720 and the work of WG 5 with regard to the concepts of uniqueness and linkability.
- In its current liaison statement to SG 17, ISO/IEC JTC 1/SC 27/WG 5 points out that there seem to be some discrepancies in X.1252 from the terms used within WG 5, specifically regarding the terms closely related to Identity and Context.

Organization: ISO/IEC
Title: 29146, A Framework for Access Management
Summary: Provides a framework for the definition of Access Management and the secure management of the process to access information. This framework is applicable to any kind of users, individuals as well as organizations of all types and sizes, and should be useful to organizations at any location and regardless of the nature of the activities they are involved in.
Status: IS (05-2012)

Organization: 3GPP
Type: Technical Specification
Title: TS 33.220 (2009.09), Generic Authentication Architecture (GAA); Generic bootstrapping architecture (Release 9)
Summary: The present document describes the security features and a mechanism to bootstrap authentication and key agreement for application security from the 3GPP AKA mechanism. Candidate applications to use this bootstrapping mechanism include, but are not restricted to, subscriber certificate distribution (TS 33.221).

Organization: 3GPP
Type: Technical Specification
Title: TS 33.223 (2009.09), Generic Bootstrapping Architecture (GBA) Push Function (Release 8)
Summary: The present document specifies a Push Function as a functional add-on for the Generic Authentication Architecture (GAA).

Organization: 3GPP
Type: Technical Specification
Title: TS 33.919 (2008.12), Generic Authentication Architecture (GAA); System description (Release 8)
Summary: This 3GPP Technical Report aims to give an overview of the different mechanisms that mobile applications can rely upon for authentication between server and client (i.e. the UE). Additionally it provides guidelines related to the use of GAA and to the choice of authentication mechanism in a given situation and for a given application.

Organization: ETSI
Type: Draft Technical Specification
Title: DTS 188 002-3 V2.0.0 (2008), NGN Subscription Management; Part 3: Functional Architecture
Summary: The purpose of the SuM Functional Architecture is the design of the NGN OSS Service Interfaces (NOSIs) needed for the management of a specific Subscriber, User, Service Profile and User Services within TISPAN NGN. The SuM Functional Architecture shall deliver the necessary NOSIs for the Resource Provisioning and Service Activation processes.

IV. Interface and Protocol


IETF

IETF

RFC 4474
(2006)

Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)

The existing security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP messages.

 

 

 

IETF

RFC4484
(2006)

Trait-Based Authorization Requirements for the Session Initiation Protocol (SIP)

This document lays out a set of requirements related to trait-based   authorization for the Session Initiation Protocol (SIP). While some authentication mechanisms are described in the base SIP specification, trait-based authorization provides information used to make policy decisions based on the attributes of a participant in a session.  This approach provides a richer framework for   authorization, as well as allows greater privacy for users of an identity system.

 

 

 

IETF

RFC 2865
(2000)

Remote Authentication Dial In User Service (RADIUS)

This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared   Authentication Server.

 

 

 

IETF

RFC 3588
(2003)

Diameter Base Protocol

The Diameter base protocol is intended to provide an Authentication,   Authorization and Accounting (AAA) framework for applications such as   network access or IP mobility.  Diameter is also intended to work in both localAuthentication, Authorization & Accounting and roaming situations. This document specifies the message format, transport, error reporting, accounting and security services to be used by all Diameter applications. The Diameter base application needs to be supported by all Diameter implementations.

 

 

 

IETF

RFC 3829
(2004)

Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls

This document extends the Lightweight Directory Access Protocol (LDAP) bind operation with a mechanism for requesting and returning the authorization identity it establishes. Specifically, this document defines the Authorization Identity Request and Response controls for use with the Bind operation.

 

 

 

IETF

RFC 4370
(2006)

Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control

This document defines the Lightweight Directory Access Protocol (LDAP) Proxy Authorization Control. The Proxy Authorization Control allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.

IETF

RFC 4532
(2006)

Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation

This specification provides a mechanism for Lightweight Directory Access Protocol (LDAP) clients to obtain the authorization identity the server has associated with the user or application entity. This mechanism is specified as an LDAP extended operation called the LDAP "Who am I?" operation.

IETF

RFC 4422
(2006)

Simple Authentication and Security Layer (SASL)

This document describes how a SASL mechanism is structured, describes how protocols include support for SASL, and defines the protocol for carrying a data security layer over a connection. In addition, this document defines one SASL mechanism, the EXTERNAL mechanism.

IETF

RFC 4505
(2006)

Anonymous Simple Authentication and Security Layer (SASL) Mechanism

This document defines an anonymous mechanism for the Simple Authentication and Security Layer (SASL) framework. The name associated with this mechanism is "ANONYMOUS".

IETF

RFC 3748
(2004)

Extensible Authentication Protocol (EAP)

This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods.

IETF

RFC 5247
(2008)

Extensible Authentication Protocol (EAP) Key Management Framework

This document specifies the EAP key hierarchy and provides a framework for the transport and usage of keying material and parameters generated by EAP authentication algorithms, known as "methods". It also provides a detailed system-level security analysis, describing the conditions under which the key management guidelines described in RFC 4962 can be satisfied.

IETF

RFC 3893
(2004)

Session Initiation Protocol (SIP) Authenticated Identity Body (AIB) Format

This document provides a more specific mechanism to derive integrity and authentication properties from an 'authenticated identity body', a digitally-signed SIP message, or message fragment. A standard format for such bodies (known as Authenticated Identity Bodies, or AIBs) is given in this document.

IETF

draft

draft-ietf-oauth-authentication-01
(2009)

The OAuth Protocol: Authentication

This document specifies the OAuth protocol authentication method. OAuth allows clients to access server resources on behalf of another party (such as a different client or an end user). This document defines an HTTP authentication method which supports the ability to include two sets of credentials with each request, one identifying the client and another identifying the resource owner on whose behalf the request is made.

IETF

draft

draft-ietf-oauth-web-delegation-01
(2009)

The OAuth Protocol: Web Delegation

This document specifies the OAuth protocol web delegation method. OAuth allows clients to access server resources on behalf of another party (such as a different client or an end user). This document defines a redirection-based user-agent process for end users to authorize access to clients by substituting their credentials (typically, a username and password pair) with a different set of delegation-specific credentials.

IETF

draft

draft-ietf-keyprov-dskpp-09
(2009)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

DSKPP is a client-server protocol for initialization (and configuration) of symmetric keys to locally and remotely accessible cryptographic modules. This draft deals with how symmetric key based authentication credentials are provisioned (and connected with an existing identity), especially in the context of one-time password tokens.

3GPP

3GPP

Technical Specification

TS 33.222
(2008.06)

Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS) (Release 8)

The present document specifies secure access methods to Network Application Functions (NAF) using HTTP over TLS in the Generic Authentication Architecture (GAA), and provides Stage 2 security requirements, principles and procedures for the access. The present document describes both direct access to an Application Server (AS) and access to an Application Server through an Authentication Proxy (AP).

3GPP

Technical Specification

TS 24.109
(2009.06)

Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details (Release 8)

The present document defines stage 3 for the HTTP Digest AKA based implementation of the Ub interface (UE-BSF), the Disposable-Ks model based implementation of the Upa interface (NAF-UE) and the HTTP Digest and PSK TLS based implementation of bootstrapped security association usage over the Ua interface (UE-NAF) in the Generic Authentication Architecture (GAA).

3GPP

Technical Specification

TS 29.109
(2009.09)

Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Stage 3 (Release 9)

The present stage 3 specification defines the Diameter based implementation for bootstrapping Zh interface (BSF-HSS) and Dz interface (BSF-SLF) for HSS resolution for the BSF, the MAP based implementation for bootstrapping Zh' interface (BSF-HLR) and GAA Application Zn interface (BSF-NAF) in Generic Authentication Architecture (GAA). This specification also defines the Web Services based implementation for GAA Application Zn reference point (BSF-NAF). The definition contains procedures, message contents and coding. The procedures for bootstrapping and usage of bootstrapped security association are defined in 3GPP TS 33.220.

3GPP

Technical Specification

TS 33.221
(2008.12)

Generic Authentication Architecture (GAA); Support for subscriber certificates (Release 8)

The present document describes subscriber certificate distribution by means of generic bootstrapping architecture (GBA) TS 33.220. Subscriber certificates support services whose provision the mobile operator assists, as well as services that are offered by the mobile operator.

The scope of this specification presents signalling procedures for support of issuing certificates to subscribers and the standard format of certificates and digital signatures.

OASIS

OASIS

Standard

SAML Core
(2005)

Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0

This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information.

OASIS

Working Draft

SAML Bindings
(2009.12)

Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0 – Errata Composite

The SAML V2.0 Bindings specification defines protocol bindings for the use of SAML assertions and request-response messages in communications protocols and frameworks.

OASIS

Working Draft

SAML Conformance Requirements
(2009.12)

Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0 – Errata Composite

The SAML V2.0 Conformance specification provides the technical requirements for SAML V2.0 conformance and specifies the entire set of documents comprising SAML V2.0.

OASIS

Standard

SAML Authentication Context
(2005.03)

Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0

This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes for use with SAML.

V. Security Issues

V.1 Security Technology and Mechanisms

Type (standard, work in progress…)

Title of the (draft) standard

Summary of the (draft) standard

Relationship with other (draft) standards

Status and milestones

Remarks

ITU-T

ITU-T SG 17

Recommendation

ITU-T X.509

Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks

ITU-T Recommendation X.509 | ISO/IEC 9594-8 defines a framework for public-key certificates and attribute certificates. These frameworks may be used by other standards bodies to profile their application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI). Also, this Recommendation | International Standard defines a framework for the provision of authentication services by Directory to its users. It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed using cryptographic techniques. While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services.

ISO/IEC 9594-8

Published

ITU-T SG 13

Recommendation

ITU-T Y.2703

The application of AAA service in NGN

This Recommendation provides an application of authentication, authorization and accounting (AAA) for NGN release 1.

Specifies AAA based on the recommendations of Y.2701 and Y.2702

Published

NGN Specific

ITU-T SG 13

Draft Recommendation

ITU-T Y.2704

NGN security mechanisms and procedures

This Recommendation describes security mechanisms that can be used to fulfill the requirements described in Y.2701, Security requirements for NGN release 1, and specifies a suite of options for a mechanism if that particular mechanism is selected.

Specifies security mechanisms in support of the requirements of Y.2701

Determined at 09/2009 meeting of SG 13

NGN Specific

ITU-T SG 13

Draft Recommendation

Y.NGN Certificate Management

Certificate management

This Recommendation defines the procedures for managing X.509 certificates used for NGN security

Specifies management of the X.509 certificates in support of the requirements of Y.2720

Targeted for determination in 4Q/2010

NGN Specific

ITU-T SG 13

Draft Recommendation

Y.NGN IdM Mechanisms

NGN identity management mechanisms

This Recommendation describes the specific IdM mechanisms and suites of options that should be used to meet the requirements specified in Y.NGN IdM Requirements.

Specifies mechanisms in support of the requirements of Y.NGN IdM Requirements

Targeted for determination in 3Q/2010

NGN Specific

ITU-T SG 13

Draft Recommendation

Y.NGN mobile financial architecture

Architecture of secure mobile financial transactions in the next generation networks (NGN)

This Recommendation specifies the general architecture of the security solution for mobile commerce and mobile banking

Serves as a base for deriving the requirements of Y.NGN mobile financial requirements

Targeted for determination in 2Q/2010

NGN Specific

ITU-T SG 13

Draft Recommendation

Y.NGN Sec. Risk

Security risk assessment in NGN

This Recommendation specifies the security risk assessment in NGN. It addresses the security requirements, architecture and procedures for security risk assessment and control in NGN.

The document is based on the concepts of Y.2701

Targeted for determination in 2011

NGN Specific

ITU-T SG 17

Draft Recommendation

X.eaa

Information technology – Security techniques – Entity authentication assurance

This Recommendation | International Standard addresses methods for authentication; enables organizations to be better informed when making appropriate authentication design decisions through the assignment of objective and consistent solutions to the various components of authentication; and provides guidelines for levels of assurance.

ISO/IEC WD 29115
(2009.07)

ITU-T SG17

Draft Recommendation

X.sap-4

The general framework of strong authentication on multiple authentication authorities environment

This Recommendation provides a general framework for strong authentication in an environment with multiple authentication authorities (AAs), allowing a service provider to achieve strong authentication such as multi-factor authentication. The framework describes models, basic operations and security requirements for each model component and for each message exchanged between model components, so as to preserve the total assurance of authentication when multiple AAs are combined. In addition, the framework describes models, basic operations and security requirements to support an authentication service that manages the combination of multiple AAs.

ETSI (needs to be supplemented)

IETF

IETF

RFC 4158
(2005)

Internet X.509 Public Key Infrastructure: Certification Path Building

This document provides guidance and recommendations to developers building X.509 public-key certification paths within their applications. By following the guidance and recommendations defined in this document, an application developer is more likely to develop a robust X.509 certificate-enabled application that can build valid certification paths across a wide range of PKI environments.

ITU-T X.509

IETF

RFC 3156
(2001)

MIME Security with OpenPGP

This document describes how the OpenPGP Message Format can be used to provide privacy and authentication using the Multipurpose Internet Mail Extensions (MIME) security content types described in RFC 1847.

W3C

W3C

XML Signature Recommendations
(2008)

XML Signature Syntax and Processing (Second Edition)

This document specifies XML digital signature processing rules and syntax. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.

W3C

XML Encryption Recommendations
(2002)

XML Encryption Syntax and Processing

This document specifies a process for encrypting/decrypting digital content (including XML documents and portions thereof) and an XML syntax used to represent the (1) encrypted content and (2) information that enables an intended recipient to decrypt it.

W3C

XML Key Management Specification (XKMS)
(2001)

XML Key Management Specification (XKMS)

This document specifies protocols for distributing and registering public keys, suitable for a client to obtain key information (values, certificates, management or trust data) from a web service.

V.2 Privacy Management

ITU-T

ITU-T SG 17

Draft Recommendation

X.priva

Criteria for assessing the level of protection for personally identifiable information in identity management

This Recommendation defines the criteria for assessing the level of protection for personally identifiable information (PII) of the identity provider and the relying party concerned in identity service, depending on the protection for personally identifiable information requested by them to the requesting/asserting party, and the type and use purpose of PII and maintain period of PII, as well as the technical and administrative measures for protection for PII.

Planned for determination in 2011

ITU-T SG 17

Draft Recommendation

ITU-T X.1275

Guidelines on protection of personally identifiable information in the application of RFID technology

This Recommendation recognizes that, as RFID greatly facilitates the access and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry, it creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason, the Recommendation develops guidelines and best practices regarding RFID procedures that can be used by service providers to gain the benefits of RFID while attempting to protect the privacy rights of the general public within national policies.

Determined in Sept. 2009

ISO/IEC

ISO/IEC

29100

Privacy Framework

This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment. This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.

IS

(11-2011)

ISO/IEC

29190

A Privacy Capability Maturity Model

Provides guidance to organizations for assessing how mature they are with respect to their processes for collecting, using, disclosing, retaining and disposing of personal information. The document may also be used by third parties for the purpose of maturity assessment. This document also provides guidance to the use of group signatures for data minimization and user convenience.

IS

(11-2012)

ISO/IEC

29101

Privacy Reference Architecture

This International Standard provides a reference architecture that guides in the implementation of controls associated with a privacy framework to ensure the proper handling of personal identifiable information within an information and communication technology environment.

IS

(05-2011)

ISO/IEC

29115

Entity Authentication Assurance

This Recommendation | International Standard provides a life cycle framework for the assurance of an entity's identities in given contexts, which include:

- Processes and procedures for enrollment, proofing, vetting, issuance, credentialing, management, usage, auditing, and revocation of an identity;

- Guidelines for the evaluation of the strength of an authentication of identity;

- The basis for a set of identity authentication assurance measures that are general and applicable to the entire entity's identity life cycle.

ITU-T, X.eaa

IS

(11-2011)

Common text project with ITU-T

ISO/IEC

29191

Requirements on relative anonymity with identity escrow

Defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques. It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

IS

(11-2012)

ISO/IEC

24745

Biometric template protection

The following topics are within the scope of this International Standard:

- Biometric template generation mechanisms which meet the requirements.

- The raw biometric data should not be recoverable, so that a third party cannot guess the original biometric data from the template.

- The generated template from the raw data should be changeable, so that a different template can be generated when it is exposed.

- Biometric template use, but not in detail. Items considered out of scope and not addressed in this Standard include:

- Usage of biometric templates in detail.

This International Standard focuses on the privacy issues of biometric templates.

IS

(11-2010)

ISO/IEC

24761

2009-05-15

1st Edition

Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), by which the service provider (verifier) can judge whether the biometric verification result is acceptable or not.

1st Pre Review in 2012

OASIS

OASIS

Standard

Security and Privacy Considerations
(2005.03)

Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0

This non-normative specification describes and analyzes the security and privacy properties of SAML.

VI. Interoperability Issues

VI.1 Data Model and Interface

Type (standard, work in progress…)

Title of the (draft) standard

Summary of the (draft) standard

Relationship with other (draft) standards

Status and milestones

Remarks

ITU-T

ITU-T SG 17

Draft Recommendation

X.idm-dm

Common identity data model

This Recommendation specifies a common data model for identity data that could be used to express identity related information among IdM systems

Planned for determination in Dec. 2010

Liberty Alliance

Liberty Alliance

Liberty Alliance ID-SIS 1.0 Specifications

Liberty ID-SIS Geolocation Service Specification V1.0

The Liberty ID-SIS Geolocation (ID-SIS-GL) defines a web service. It offers geolocation information regarding a Principal. ID-SIS-GL is an instance of a data oriented identity web service. ID-SIS-GL is using the Liberty ID-WSF Data Services Template and readers of this document should be familiar with that as well as the rest of the Liberty ID-WSF framework. The geolocation related data is mostly from the Mobile Location Protocol version 3.1 specified by the Open Mobile Alliance and readers should be familiar with that also.

Liberty ID-SIS Directory Access Protocol Specification V1.0

Describes a web service offering directory information as an instance of a data-oriented identity web service, based on the Liberty ID-WSF Data Services Template.

Liberty ID-SIS Content SMS and MMS Specification V1.0

Describes a web service that layers the ID-WSF 1.1 framework on MM7 to add identity-based invocation and addressing.

Liberty ID-SIS Personal Profile Service Specification V1.1

Describes a web service that provides a Principal's basic profile information, such as their contact details, or name.

Liberty ID-SIS Employee Profile Service Specification V1.1

Describes a web service that provides an Employee's basic profile information, such as their contact details or name.

Liberty ID-SIS Contact Book Service Specification V1.0

Specifies a web identity service that allows a Principal to manage contacts for private and business acquaintances, friends, family members, and even for the Principal.

VI.2 Framework and Architecture

Type (standard, work in progress…)

Title of the (draft) standard

Summary of the (draft) standard

Relationship with other (draft) standards

Status and milestones

Remarks

ITU-T

ITU-T SG 17

Draft Recommendation

X.idm-ifa

Framework architecture for interoperable identity management systems

This Recommendation proposes a blueprint for a modular framework architecture for identity management systems. The architecture is expected to serve as a reference while discussing, designing and developing future interoperable identity management (IdM) systems. The architecture is intended to be generic in order to satisfy versatile requirements of user-centric, network-centric and service-centric IdM systems.

Planned for determination in 2011

3GPP

3GPP

Technical Report

TR 33.980 (2008.12)

Liberty Alliance and 3GPP security interworking; Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Services Framework (ID-WSF) and Generic Authentication Architecture (GAA) (Release 8)

The present document provides guidelines on the interworking of the Generic Authentication Architecture (GAA) and the Liberty Alliance architecture. The document studies the details of possible interworking methods between the Security Assertion Markup Language v2.0, SAML v2.0 (or alternatively the Liberty Alliance Identity Federation Framework, ID-FF), the Identity Web Services Framework (ID-WSF), the Security Assertion Markup Language (SAML) and a component of GAA called the Generic Bootstrapping Architecture (GBA). This document only applies if Liberty Alliance and GBA or SAML v2.0 and GBA are used in combination.

3GPP

Technical Specification

TS 33.328

Identity Management and 3GPP Security Interworking; Identity Management and Generic Authentication Architecture (GAA) Interworking (Release 9)

The objective is to extend the current identity management as outlined in TS 33.220, TS 33.222, TS 29.109 and TR 33.980 with the latest developments on identity management outside of the 3GPP sphere. This will allow a better integration and usage of identity management for services in 3GPP and seamless integration with existing services that are not standardized in 3GPP. This report outlines the interworking of GBA and OpenID.

Liberty Alliance

Liberty Alliance

Liberty Alliance Identity Assurance Framework (IAF) 1.1 Specification

Liberty Alliance Identity Assurance Framework (IAF) 1.1 Specification

Liberty Alliance formed the Identity Assurance Expert Group (IAEG) to foster adoption of identity trust services. The goal is to facilitate trusted identity federation and to promote uniformity and interoperability amongst identity service providers, with a specific focus on the level of trust, or assurance, associated with identity assertions.

Liberty Alliance

Liberty Alliance ID-FF 1.2 Specifications

Liberty ID-FF Architecture Overview V1.2

This document presents an overview of the Liberty Identity Federation Framework (ID-FF), which offers a viable approach for implementing such a single sign-on with federated identities. This overview first summarizes federated network identity, describes two key Liberty ID-FF user experience scenarios, summarizes the ID-FF engineering requirements and security framework, and then provides a discussion of the Liberty ID-FF architecture.

Liberty ID-FF Bindings and Profiles Specification V1.2

This specification defines the bindings and profiles of the Liberty protocols and messages to HTTP-based communication frameworks. This specification relies on the SAML core framework in SAML Core V1.1 and makes use of adaptations of the SAML profiles in SAML Bindings V1.1.

Liberty ID-FF Protocols and Schema Specification V1.2

This specification defines a core set of protocols that collectively provide a solution for identity federation management, cross-domain authentication, and session management. This specification contains the core protocols and schema for Liberty identity federation. The reader is presumed to be generally familiar with the SAML specifications.

Liberty ID-FF Guidelines V1.2

This document defines some recommended implementation guidelines for implementors of Liberty-based services.

Liberty ID-FF 1.2 Static Conformance Requirements V1.0

Static conformance requirements (SCR) describe features that are mandatory and optional for implementations conforming to the Liberty Alliance Identity Federation Framework Specifications (ID-FF version 1.2). This document defines these requirements.

VI.3 Technology and Mechanisms

Type (standard, work in progress…)

Title of the (draft) standard

Summary of the (draft) standard

Relationship with other (draft) standards

Status and milestones

Remarks

ITU-T

ITU-T SG 17

Draft Recommendation

X.giim

Generic identity management interoperability mechanisms

This Recommendation defines mechanisms to support interoperability across different IdM services. Considering current IdM approaches, it describes the similarity and commonality of the different models when interoperating across domain boundaries.

Across different IdM systems

ITU-T SG 17

Draft Recommendation

X.authi

Authentication integration in identity management

This Recommendation provides a guideline for telecom operators to implement authentication integration between the network layer and the service layer, so that a user need not be re-authenticated in the service layer if (s)he has been strictly authenticated when accessing the operator's network.

Across different layers

OASIS

OASIS

Standard

IMI 1.0
(2009.07)

Identity Metasystem Interoperability

This document is intended for developers and architects who wish to design identity systems and applications that interoperate using the Identity Metasystem Interoperability specification.

Identity metasystem interoperability

IETF

IETF

RFC 5056
(2007)

On the Use of Channel Bindings to Secure Channels

The concept of channel binding allows applications to establish that the two end-points of a secure channel at one network layer are the same as at a higher layer by binding authentication at the higher layer to the channel at the lower layer. This allows applications to delegate session protection to lower layers, which has various performance benefits. This document discusses and formalizes the concept of channel binding to secure channels.

Different layers

VI.4 Identity-based Web Services

Type (standard, work in progress…)

Title of the (draft) standard

Summary of the (draft) standard

Relationship with other (draft) standards

Status and milestones

Remarks

Liberty Alliance

Liberty Alliance ID-WSF 2.0 Specifications

Liberty ID-WSF Security & Privacy Overview V1.0

Provides an overview of the security and privacy issues in ID-WSF technology and briefly explains potential security and privacy ramifications of the technology used in ID-WSF. It is assumed that the audience is familiar with the Liberty Identity Federation Framework.

Liberty ID-WSF Discovery Service Specification V2.0

Describes protocols and schema for the description and discovery of ID-WSF identity services.

Liberty ID-WSF SOAP Binding Specification V2.0

Defines the Liberty Identity Web Services Framework (ID-WSF) SOAP binding. It specifies simple SOAP message correlation, consent claims, and usage directives.

Liberty ID-WSF Security Mechanisms Specification V2.0

Specifies security mechanisms that protect identity services.

Liberty ID-WSF Interaction Service Specification V2.0

Specifies an identity service that allows providers to pose simple questions to a Principal.

Liberty ID-WSF 2.0 Static Conformance Requirements V2.0

Defines what features are mandatory and optional for implementations conforming to this version of the Liberty Alliance Specifications.

Liberty ID-WSF Data Services Template Specification V2.1

Provides protocols for the querying and modifying of data attributes when implementing a data service using the Liberty Identity Web Services Framework (ID-WSF).

Liberty ID-WSF Architecture Overview V2.0

This primer is a non-normative document intended to provide an overview of the relevant features of the Liberty ID-WSF Version 2.0 Specifications.

Liberty ID-WSF Client Profiles Specification V2.0

Specifies profiles for some cases where a client performs an active role in such transactions, other than performing the functions of a standard browser.

Liberty ID-WSF Authentication, Single Sign-On, and Identity Mapping Services Specification V2.0

Defines a SASL-based ID-WSF Authentication Protocol, along with an ID-WSF Authentication Service and ID-WSF Single Sign-On Service, based on the Authentication Protocol.

Liberty ID-WSF People Service Specification V1.0

Defines a secure, privacy-respecting access service by one user to another's identity information.

Liberty ID-WSF Subscriptions and Notifications Specification V1.0

Provides protocols for subscription and notification.

VII. Deployment and Application

VII.1 Internet Application

Type (standard, work in progress…)

Title of the (draft) standard

Summary of the (draft) standard

Relationship with other (draft) standards

Status and milestones

Remarks

OpenID

OpenID

OpenID Authentication 2.0

OpenID Authentication provides a way to prove that an end user controls an Identifier. It does this without the Relying Party needing access to end user credentials such as a password or to other sensitive information such as an email address.

 

 

 

Type: OpenID
Title: OpenID Attribute Exchange 1.0
Summary: OpenID Attribute Exchange is an OpenID service extension for exchanging identity information between endpoints. Messages for retrieval and storage of identity information are provided.

Type: OpenID
Title: OpenID Simple Registration Extension 1.0
Summary: OpenID Simple Registration is an extension to the OpenID Authentication protocol that allows for very lightweight profile exchange. It is designed to pass eight commonly requested pieces of information when an End User goes to register a new account with a web service.

Type: OpenID
Title: OpenID Provider Authentication Policy Extension 1.0
Summary: This extension to the OpenID Authentication protocol provides a mechanism by which a Relying Party can request that particular authentication policies be applied by the OpenID Provider when authenticating an End User. This extension also provides a mechanism by which an OpenID Provider may inform a Relying Party which authentication policies were used. Thus a Relying Party can request that the End User authenticate, for example, using a phishing-resistant or multi-factor authentication method.

This extension also provides a mechanism by which a Relying Party can request that the OpenID Provider communicate the levels of authentication used, as defined within one or more sets of requested custom Assurance Levels, and for the OpenID Provider to communicate the levels used.

Type: OpenID
Title: OpenID User Interface Extension 1.0 - DRAFT 0.4
Summary: This specification defines a mechanism to support OpenID user interfaces optimized for different environments and languages.

Type: OpenID
Title: OpenID Trust Exchange Extension 1.0 - Draft 1
Summary: This extension to the OpenID Authentication protocol enables arbitrary parties to negotiate and create a mutually digitally signed, legally binding "contract" that includes the purpose and terms of use of the data being transferred from one party to another under this contract. The digital signature used is based on public key cryptography, so that it provides "non-repudiation" in addition to "confidentiality" and "integrity".

Also, this protocol extension aims to be "mobile friendly" by being very lightweight on the indirect communication, with most of the transaction happening as direct communication.

Type: OpenID
Title: OpenID OAuth Extension
Summary: This draft describes a mechanism to combine an OpenID authentication request with the approval of an OAuth request token.

Type: OpenID
Title: Services and Metadata Discovery
Summary: OpenID Discovery, including a sub-spec for Trusted OpenID Discovery, and a best-practices guidance document for migration.
Relationship with other standards: XRD 1.0 spec, being drafted by the OASIS XRI TC

Information Cards

CardSpace (Need to be supplemented)

Higgins

Title: Higgins
Summary: A framework that will enable users and enterprises to integrate identity, profile, and relationship information across multiple systems. Using context providers, existing and new systems such as directories, collaboration spaces, and communications technologies (e.g. Microsoft/IBM WS-*, LDAP, email, IM, etc.) can be plugged into the Higgins framework. Applications written to the Higgins API can virtually integrate the identity, profile, and relationship information across these heterogeneous systems. A design goal is that Higgins be useful in the development of applications accessed through browsers, rich clients, and web services. Our intent is to define the Higgins framework in terms of service descriptions, messages and port types consistent with an SOA model and to develop a Java binding and implementation as an initial reference.

OASIS

Type: New Technical Committee established
Title: Identity in the Clouds
Summary: The purpose of the TC is to harmonize definitions/terminologies/vocabulary of Identity in the context of Cloud Computing. The work will define use cases and profiles to identify gaps in existing Identity Management standards as they apply in the cloud.

The TC may identify existing definitions, terminologies and vocabulary of Identity in the context of Cloud Computing for harmonizing the definitions, terminologies and vocabulary as the TC determines.

The TC may define use cases for Identity in the Clouds.

The TC may define profiles of existing interoperability protocols and formats for usage of Identity in the Clouds, based on the identified use cases. Profiles are subsets of specifications and combinations of such subsets.

The TC may identify gaps in existing Identity Management interoperability protocols and formats standards at OASIS and other standards bodies and utilize the OASIS liaison process for communicating the gaps.

In all of its work, the TC should, to the extent feasible, prefer widely implementable, widely interoperable, modular standards, extensions, profiles and methods that permit use by a variety of participants.

The TC will build on and use existing standards and specifications when possible.
Remarks: Identity and Cloud Computing

VII.2 Social Service

Columns: Type (standard, work in progress…) | Title of the (draft) standard | Summary of the (draft) standard | Relationship with other (draft) standards | Status and milestones | Remarks

EU eIDM

Type: FIDIS
Title: Future of Identity in the Information Society
Summary: Future of Identity in the Information Society is a NoE (Network of Excellence) supported by the European Union. FIDIS objectives are shaping the requirements for the future management of identity in the EIS and contributing to the technologies and infrastructures needed.
Remarks: Future Network

Type: STORK
Title: Secure Identity Across Borders Linked
Summary: STORK (Secure identity across borders linked) will enable businesses, citizens and government employees to use their national electronic identities in any member state.

STORK aims to simplify administrative formalities by providing online access to public services across EU borders. STORK's objectives are to:
- Define common rules and specifications to assist mutual recognition of eIDs across national borders;
- Test, in real-life environments, secure and easy-to-use eID solutions for citizens and businesses;
- Interact with other EU initiatives to maximize the usefulness of eID services.
Remarks: eGov

Type: IDABC
Summary: IDABC stands for Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens. It uses the opportunities offered by information and communication technologies to encourage and support the delivery of cross-border public sector services to citizens and enterprises in Europe, to improve efficiency and collaboration between European public administrations and to contribute to making Europe an attractive place to live, work and invest.
Remarks: eGov

Type: GUIDE
Title: Government User IDentity for Europe - creating a European standard for an interoperable and secure identity management architecture for eGovernment
Summary: GUIDE is conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe. The project's approach is multi-disciplinary and includes technology, procedural and policy development across Europe. GUIDE consists of 23 organizations from 13 countries. There are many documents created by GUIDE, for example:
- Identity Interoperability Services Report: Core Services Descriptions - the purpose of this document is to identify the full set of 'core' services that GUIDE should specify in order to achieve the required objective of creating a Pan-European architecture for identity interoperability (IST-2003-507498).
Remarks: eGov

Type: TURBINE
Title: Trusted revocable biometric identities
Summary: TURBINE (TrUsted Revocable Biometric IdeNtitiEs) is a research project awarded 6.3 million euro in funding by the European Union under the Seventh Framework Programme (FP7) for Research and Technology Development.

TURBINE aims at defining, developing and demonstrating that fingerprint biometrics can be used in identity management systems to increase security while at the same time preserving privacy. The researched identity management solution will provide for the creation and verification of secure multiple identities (pseudo-identities), based on fingerprint-protected templates, with the capability to revoke and renew such identities based on the same fingerprint in case of need.
Remarks: ebanking, eGovernment, eHealth, physical access control, and mobile telecommunications

Type: PRIMELIFE
Title: Privacy and identity management in Europe for life
Summary: PrimeLife will address the core privacy and trust issues pertaining to the aforementioned challenges. Its long-term vision is to counter the trend towards life-long personal data trails without compromising on functionality. It will build upon and expand the FP6 project Prime, which has shown how privacy technologies can enable citizens to exercise their legal rights to control personal information in on-line transactions. The main objective of the project is to bring sustainable privacy and identity management to future networks and services:
- Fundamentally understand privacy-enhancing identity management 'for life' (practical life, throughout life and beyond)
- Bring privacy to the Web and its applications
- Develop and make tools for privacy-friendly identity management widely available - privacy live!
Remarks: privacy

Type: PICOS
Title: Privacy and identity management for community services
Summary: With the emergence of services for professional and private on-line collaboration via the Internet, many European citizens spend work and leisure time in on-line communities. Users consciously leave private information; they may also leave personalized traces they are unaware of. PICOS will develop and build a state-of-the-art platform for providing the trust, privacy and identity management aspects of community services and applications on the Internet and in mobile communication networks.
Remarks: Privacy

Type: SWIFT
Title: Secure widespread identities for federated Telecommunications
Summary: Identity Management is considered key to private, legal and business transactions, as in the European eIDM2010. IdM frameworks are, however, currently confined to the web services domain. SWIFT goes beyond this by including user centricity and network operators as additional interdependent domains with IdM at the core.

This new view of user centricity provides a novel perspective: identity as central to legal, business and network development trends. To enable this vision, SWIFT aims to build a cross-layer identity framework with an emphasis on networks and services, also using identity as a key enabler of convergence.
Remarks: Telecom.

Type: OpenID & Infocard
Title: Open Trust Government Framework
Summary: To bring open identity technologies and open government together, the OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
Remarks: eGov

Kantara Initiative (Need to be supplemented)




ITU-T Study Group 17 (Study Period 2009-2012)

Lead study group on telecommunication security
Lead study group on identity management (IdM)
Lead study group on languages and description techniques

Contact for Study Group 17: tsbsg17@itu.int

ITU-T Study Group 17 - Security

Work on telecommunication security continues to intensify to meet today's challenges for more secure network infrastructure, services and applications. Over seventy standards (ITU-T Recommendations) focusing on security have been published, and added emphasis was recently given to the topic when attendees at a cybersecurity symposium asked ITU-T to accelerate its work in the field.

Within ITU-T, Study Group 17 coordinates security-related work across all study groups.

One key reference for security standards in use today is ITU-T Recommendation X.509 for electronic authentication over public networks. X.509 is a cornerstone for designing applications related to public key infrastructure (PKI), and it is used in a wide range of applications, from securing the connection between a browser and a server on the web to providing the digital signatures that enable e-commerce transactions to be conducted with the same confidence as in a traditional system. Without wide acceptance of the standard, the rise of e-business would have been impossible.

Work highlights

A more recent achievement of SG17 is Recommendation X.805, which will give telecom network operators and enterprises the ability to provide an end-to-end architecture description from a security perspective. Key players from telecom network operators, manufacturers and governments have defined the specifications that will alter the way that companies look at their networks. The Recommendation will allow operators to pinpoint all vulnerable points in a network and mitigate them.

SG 17 is also the place to study technical languages and description techniques. An example is the formal language Abstract Syntax Notation One (ASN.1), an important component of much protocol specification and systems design. ASN.1 is an extremely important part of today's networks: it is used, for example, in the signalling system (SS7) for most telephone calls, in package tracking, credit card verification and digital certificates, and in many of the most widely used software programs. Today's work is progressing towards the development of Unified Modeling Language (UML) profiles for ITU-T languages.


 


(C) 2010 International Telecommunication Union