Identity Management - PowerPoint PPT Presentation

DOCUMENT #: GSC15-PLEN-29 FOR: Presentation or Information SOURCE: ITU-T AGENDA ITEM: 6.4 CONTACT(S): chen.jianyong_at_zte.com.cn Identity Management Jianyong CHEN – PowerPoint PPT presentation

Slides: 16
Provided by: zha50

Transcript and Presenter's Notes

Title: Identity Management


1
DOCUMENT #: GSC15-PLEN-29
FOR: Presentation or Information
SOURCE: ITU-T
AGENDA ITEM: 6.4
CONTACT(S): chen.jianyong_at_zte.com.cn
Identity Management
Jianyong CHEN, SG 17 Vice Chairman
Global Standards Collaboration (GSC) GSC-15
2
Identity Management (IdM) for Telecom is an
Essential Part of IP-based Networks and Services
  • Identity-based services are exponentially
    increasing and available on many different mobile
    platforms
  • The Internet is a part of the telecommunication
    infrastructure
  • Next-Generation business model for network
    operators demands subscriber-centric data
    consolidation

3
Highlight of IdM Current Activities (1/2)
  • Per GSC-14/04 Resolution, ITU-T is progressing
    the development of a publicly available
    Wiki-based inventory of major IdM initiatives and
    activities.
  • ITU-T works collaboratively with other key
    bodies including ISO/IEC JTC 1/SC 27, ETSI,
    Kantara Initiative, FIDIS, OASIS
  • The focus of ITU-T's IdM work is on global trust
    and interoperability of diverse IdM capabilities
    in telecommunications, including leveraging and
    bridging existing solutions. It is not on the
    development of standards for new IdM solutions.
  • ITU-T's JCA-IdM (Joint Coordination Activity)
    coordinates IdM activities within ITU-T and
    amongst other major IdM standards bodies.

4
Highlight of IdM Current Activities (2/2)
  • First ITU-T IdM Recommendation published early
    2009
      - Y.2720, NGN identity management framework
  • Joint ITU-T | ISO/IEC common text Recommendation |
    International Standard on Entity Authentication
    Assurance is approaching a stable document.
  • Three ITU-T Recommendations were published and
    available for free download
      - X.1250, Baseline capabilities for enhanced global
        identity management trust and interoperability
      - X.1251, A framework for user control of digital
        identity
      - X.1252, Basic IdM terms and definitions

5
Challenges for IdM
  • Identity Federations based on standardized trust
    frameworks and global interoperability of diverse
    identity management solutions are major
    inhibitors to wide scale deployment of IdM
    capabilities
  • Discovery of identity resources on a global level
    vs within an enterprise environment.
  • Common IdM terminology
  • Interoperability of Assurance Levels that are
    based on the risk assessment associated with the
    on-line transaction
  • Privacy services

6
Next Step/Action for IdM
13 Recommendations are under development. Among them,
X.evcert is planned to be determined at the December
meeting.
  • X.evcert: Extended validation certificate (EVcert) framework
  • X.Eaa: Information technology, Security techniques, Entity authentication assurance
  • X.idm-dm: Common identity data model
  • X.idm-ifa: Framework architecture for interoperable identity management systems
  • X.idmsg: Security guidelines for identity management systems
  • X.priva: Criteria for assessing the level of protection for personally identifiable information in identity management
  • X.authi: Guideline to implement the authentication integration of the network layer and the service layer
  • X.giim: Mechanisms to support interoperability across different IdM services
  • X.idmgen: Generic Frame for Interoperable IdM systems
  • X.sap-4: The general framework of combined authentication on multiple identity provider service environment
  • X.oitf: Open Identity Trust Framework
  • X.discovery: Discovery of identity management information
  • X.mobid: Baseline Capabilities and mechanisms of Identity Management for Mobile applications and environment
7
Basic Concepts of Object Identifiers (OIDs)
  • One of many identification schemes
  • Basically very simple: a tree
  • Arcs are numbered and may have an associated
    alphanumeric identifier (beginning with a
    lowercase)
  • Can also have Unicode labels (any language, any
    characters)
  • Infinitely many arcs from each node (except at
    the root)
  • Objects are identified by the path (OID) from the
    root to a node
  • A Registration Authority (RA) allocates arcs
    beneath its node to subordinate RAs, and so on,
    to an infinite depth
  • The OID tree is a hierarchical structure of RAs
  • Standardized in the ITU-T X.660 | ISO/IEC 9834
    series (ITU-T SG 17 and ISO/IEC JTC 1/SC 6)
  • Originated in 1985, still in use, and still
    developing!
  • Recent developments are the use of the DNS to provide
    information about the node identified by an OID.

8
Next Step/Action for OID: OID Resolution system
  • Provides information associated with any object
    identified by an OID
      - access information
      - child node information
      - OID-IRI canonical form
  • Joint work between ITU-T SG 17 and ISO/IEC JTC
    1/SC 6 since Oct. 2008 (draft Rec. ITU-T X.672
    (ex X.oid-res) | ISO/IEC 29168-1)
  • Get an OID identifier arc assigned for
    identifying cybersecurity organizations,
    information, and policies
  • Specifies
      - OID resolution architecture
      - OID resolution protocol (based on DNS)
      - operation of the OID resolution service
      - security and trust of the OID resolution process
      - etc.
  • Associated is another joint work on procedures
    for the OID-RES operational agency: Rec. ITU-T
    X.673 | ISO/IEC 29168-2

9
Conclusions
  • Developers can bet on identity as a capability
  • User acceptance will gate success
  • Privacy is not opposed to security; it is a
    precondition of security
  • GSC-15 should continue GSC14/04 Resolution with
    some necessary editorial updates

10
Summary
  • Contributions from ATIS, ETSI, ISACC and ITU-T
  • Highlight
      - Interoperability, Federation, Discovery of IdM
        and Privacy are key issues for further study.
      - Leveraging diverse IdM solutions is a common
        objective among the SDOs.
      - Collaboration among the main SDOs needs to be
        strengthened.
      - Various important standards are under development.
  • Next step
      - The challenge is to address the inconsistency of
        various IdM solutions from different SDOs.
      - Continue to develop new standards and make
        revisions to existing standards.
      - Stressed importance of cooperation among the
        SDOs.
      - Focus on Identity management for RFIDs, sensors,
        wireless and near-field devices, on-board GSM
        NGN, IPTV, cloud computing, healthcare,
        emergency communications, e-government, disaster
        relief, and convergent network and service
  • Recommendation
      - Reaffirm the existing Resolution GSC-14/04
      - Retain HIS for GSC-16

11
Supplementary Slides
12
Weblinks
  • ITU-T
      - SG17 - http://www.itu.int/ITU-T/studygroups/com17/index.asp
      - Identity Management web page - http://www.itu.int/ITU-T/studygroups/com17/idm.html
      - Joint coordination activity for identity
        management - http://www.itu.int/ITU-T/jca/idm/

13
Top of the OID Tree
root
  itu-t(0)
    recommendation(0)
  iso(1)
    member-body(2): ISO 3166 country codes
    identified-organisation(3): ISO 6523 ICD codes
  joint-iso-itu-t(2)
    country(16): ISO 3166 country codes
    tag-based(27)
Example: joint-iso-itu-t(2) tag-based(27) mcode(1)
Note: The name of the 3 top-level arcs does not imply a
hierarchical dependency to ISO or ITU-T.
14
Some Advantages of using OID
  • Human-readable notation
      - iso(1) member-body(2) us(840) rsadsi(113549)
        pkcs(1)
  • Dot notation
      - 1.2.840.113549.1
  • URN notation
      - urn:oid:1.2.840.113549.1
  • Internationalized notation (IRI)
      - oid:/ISO/Member-Body/US/RSADSI/PKCS
  • Used in a lot of ISO standards, ITU-T
    Recommendations and IETF RFCs, but not only!
  • Very good take-up: 120,000 OIDs described
    at http://www.oid-info.com; many more exist
  • Compact binary encoding (normally used in all
    computer communications)
      - Allows transmission over constrained networks
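
The notations and the compact binary encoding listed above, worked through for the slide's own OID 1.2.840.113549.1. This is an added example, not part of the original presentation; the function names are hypothetical, and it assumes DER with short-form lengths only (content up to 127 bytes).

```python
# Added example: OID notation and binary (DER) encoding, short-form lengths only.
def _b128(n):
    """Base-128, big-endian; high bit set on every byte except the last."""
    out = [n & 0x7F]
    while n > 0x7F:
        n >>= 7
        out.append((n & 0x7F) | 0x80)
    return bytes(reversed(out))

def parse_dotted(text):
    """Validate dot notation and return the arcs as integers."""
    parts = text.split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("need at least two numeric arcs")
    arcs = [int(p) for p in parts]
    # Root has only arcs 0..2; below itu-t(0) and iso(1) the arc must be 0..39.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid top-level arcs")
    return arcs

def encode_oid(text):
    """Dot notation -> DER OBJECT IDENTIFIER (tag 0x06, length, content)."""
    arcs = parse_dotted(text)
    # The first two arcs share one subidentifier: 40 * arc1 + arc2.
    body = b"".join(_b128(n) for n in [arcs[0] * 40 + arcs[1]] + arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length is outside this example")
    return bytes([0x06, len(body)]) + body

def decode_oid(der):
    """Strict decoder: rejects wrong tag/length, padding and truncation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form OBJECT IDENTIFIER")
    subids, n, fresh = [], 0, True
    for b in der[2:]:
        if fresh and b == 0x80:  # leading zero padding: non-minimal encoding
            raise ValueError("non-minimal subidentifier")
        n, fresh = (n << 7) | (b & 0x7F), False
        if not b & 0x80:  # last byte of this subidentifier
            subids.append(n)
            n, fresh = 0, True
    if not fresh:
        raise ValueError("truncated subidentifier")
    top = min(subids[0] // 40, 2)
    return ".".join(map(str, [top, subids[0] - 40 * top] + subids[1:]))

def to_urn(dotted):
    """Dot notation -> URN notation."""
    return "urn:oid:" + ".".join(map(str, parse_dotted(dotted)))
```

The five-arc OID from the slide encodes to nine bytes (06 07 2A 86 48 86 F7 0D 01). The decoder refuses padded or truncated subidentifiers so that two different byte strings can never compare equal as the same OID.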

15
Challenge for OID: Use of OIDs for the Internet of
Things
  • ITU-T X.668 | ISO/IEC 9834-9 (2008) is a way to
    unify the many identification schemes used for
    the Internet of Things (RFID, bar codes, ISBN,
    etc.)
  • Does not cause existing tags to become obsolete
  • Use case example: a tag placed on a billboard
    poster can be read with a mobile phone and make
    it easy for the user to get additional multimedia
    (text, graphics, even voice or video) information
    about the content of the poster
  • Other use cases in Rec. ITU-T F.771