Updated Liberty Identity Assurance Framework - Essay Example

Up d Liberty Identity Assurance Framework (IAF) The vision of the Liberty Alliance is to enable a networked world in which individuals and businesses can more easily conduct transactions while protecting the privacy and security of vital identity information. To accomplish its vision, the Liberty Alliance will establish an open standard for federated network identity through open technical specifications that will support a broad range of identity-based products and services. The Service and Credential Assessment Criteria section in the Liberty Identity Assurance Framework (LIAF) will establish baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated. The LIAF will also establish Credential Assessment Profiles (CAPs) for each level of assurance that will be published and updated as needed to account for technological advances and preferred practice and policy updates. Managing risk in electronic transactions requires authentication and identity information management processes that provide an appropriate level of assurance of identity. Each level describes a different degree of certainty in the identity of the claimant, because different levels of risk are associated with different electronic transactions. For authentication purposes, the claimant is required to prove that he or she controls the token, through a secure authentication protocol. The claimant must also unlock the token first using a biometric or password, and use the password to establish 2-factor authentication in a secure authentication protocol. Whenever Long-term shared authentication secrets used, they are revealed only to the verifiers and claimant operated directly by the CSP (Credentials Service Provider), although temporary or session shared secrets may be disclosed to independent verifiers by the Credentials Service Provider. Approved cryptographic techniques are used for all operations. Assertions issued about claimants as a result of a successful authentication are either cryptographically authenticated by relying parties, or are obtained directly from a trusted party via a secure authentication protocol. (Updated Liberty Identity Assurance Framework (IAF) Based upon Public Review. Retrieved from http://xml.coverpages.org/LibertyIdentityAssuranceFramework-2008.html) Level 4 is based on proof of possession of a key through a cryptographic protocol. This Level is like to Level 3 but allows only hard cryptographic tokens, in the form of a physical token that cannot be copied readily. There is requirement of strong cryptographic authentication of every party involved in Level 4, including all sensitive transfer of data between the parties. Here, either symmetric key technology or public key technology can be used, and authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token. The protocol threats including: eavesdropper, replay, on-line guessing, verifier impersonation and man-in-the-middle attacks are prevented. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the Credentials Service Provider (CSP), however session (temporary) shared secrets may be provided to independent verifiers by the CSP. Strong Approved cryptographic techniques are used for all operations. All sensitive data transfers are cryptographically authenticated using keys bound to the authentication process. Liberty Alliance formed the Identity Assurance Expert Group (IAEG) to foster adoption of identity trust services. Utilizing initial contributions from the e-Authentication Partnership (EAP) and the US E-Authentication Federation, the IAEGs objective is to create a framework of baseline policies, business rules, and commercial terms against which identity trust services can be assessed and evaluated. The goal is to facilitate trusted identity federation to promote uniformity and interoperability amongst identity service providers. (Updated Liberty Identity Assurance Framework (IAF) Based upon Public Review. Retrieved from http://xml.coverpages.org/LibertyIdentityAssuranceFramework-2008.html) The basic deliverable of the IAEG is the Liberty Identity Assurance Framework (LIAF). The framework constitutes business rules, assurance levels, service assessment criterion, and accreditation and certification model. Signatories to these business rules agree that these rules govern the use and validation of Liberty Alliance IAEG certified credentials, the certification of such credentials and the accreditation of those who assess issuers of such credentials. These business rules are intended to cover use of credentials for purposes of authentication and not specifically for the application of a legal signature, which may be subject to other rules depending upon the parties and transactions involved. The IAEG will employ a phased approach to establishing business rules and assessment criteria for identity trust service providers, starting with credential service providers, then rolling out to include federations. The term Liberty Web Services comprises the Identity Web Services Framework (ID-WSF) and the Identity Service Interface Specifications (ID-SIS) that take advantage of that framework. Together, these two pieces enable identity-based services – web services associated with the identity attributes of individual users. ID-WSF builds on many existing standards for networking and distributed computing, and adds specialized capabilities for handling identity-related information and tasks and for ensuring privacy and security. Following are some of the identity based application features that developer can incorporate. • Authentication – The provider of a service might need to know who is requesting services in order to control access or provide personalized features. Thus, service requesters typically need to be authenticated, and messages sent between the parties need to be verified as coming from the claimed senders. Authentication depends on the notion of identity: Who is accessing my service, and who is this message from? • Message protection – All web service endpoints, including both the providers of identity-based services and the services that use them in turn, need to know that messages they send cannot be intercepted by a malicious entity and then either modified or cached and then replayed. • Privacy protection – Unless special care is taken, identifiers used to label you in web service calls can allow your actions and true identity to be inappropriately correlated and exposed • Policy – Service providers may have particular requirements that apply to service requesters. These requirements, which can be quite varied, can be grouped in the general category of policy • Data access and management – Multiple applications might define similar operations. For example, a “query” message could equally apply to the insurance system and the corporate address book system within a single organization. ID-WSF offers a standard interface that can then be used and extended by application systems. • Social identity – It is useful to describe and manage your relationships with other people –such as friends, family, and colleagues – through your respective online identities. • Transport protocols – Web services are made available over networks, and services are frequently offered over the Internet using the HTTP protocol and carried in a standard SOAP message. ID-WSF provides a binding of application messages to SOAP that may be carried over HTTP. Electronic authentication (E-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network, for the purpose of electronic government and commerce. This recommendation provides technical guidance to agencies to allow an individual person to remotely authenticate his/her identity to a Federal IT system. With these methods, the individual to be authenticated proves that he or she knows or possesses some secret information. The main objective of the Liberty Alliance is to enable a networked world in which individuals and businesses can more easily conduct transactions while protecting the privacy and security of vital identity information and managing cost and minimizing complexities of the transaction and the whole process. Conclusion The issue of identity is indeed, a multi-faceted problem. Attempting to compress the various aspects of digital identity alone into a few principles will probably cause oversimplification and omission errors. However, it might be useful to abstract from the complex problems that are inherent in identity, so as to be able to address and classify the issues with digital identity. It is also possible to introduce some simple parameters which can help in the classification of the various applications domains and identity systems aspects. Digital identity involves a collection of accounts, and in the future most accounts will probably come to adopt a shared identity, because identities are not managed in a holistic sense, but are managed on the basis of a relationship with an organization. Also, different identity systems possess different characteristics, and some of these characteristics affect the working of the system, while others are of relatively small importance. Identity systems are typically used for certain types of applications, based on their particular aspect. For example, in Web applications (e.g. wikis and blogs) identity systems would typically have a limited number of attributes (most times, just an e-mail address), and quite a high degree of user control. Whereas large systems like the Liberty Alliance have contained attribute information and a great variety of user control, but usage makes sense only on a fairly global scale. References Neuman, C., and T. Ts’o, Kerberos: “An Authentication Service for Computer Networks”, IEEE Communications, 32.9, 1994 NIST Special Publication, Intrusion Detection Systems (IDS), November 2001: 800-31 C. E. Shannon, “Prediction and Entropy of Printed English”, Bell System Technical Journal, 30.1, (1951): 50-64 Information technology - Code of practice for information security management, ISO/IEC 17799:2000, first edition, 2000-12-01 Updated Liberty Identity Assurance Framework (IAF) Based upon Public Review. XML Daily Newslink. Thursday, 14 February 2008 (Retrieved from http://xml.coverpages.org/LibertyIdentityAssuranceFramework-2008.html) Read More