ITU-T X 1255-2013 Framework for discovery of identity management information (Study Group 17)《身份管理信息发现框架 17号研究组》.pdf

1、 International Telecommunication Union ITU-T X.1255TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2013) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management Framework for discovery of identity management information Recommendation ITU-T X.1255

2、 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699

3、OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND S

4、ERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X

5、.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.153

6、9 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1255 (09/20

7、13) i Recommendation ITU-T X.1255 Framework for discovery of identity management information Summary The purpose of Recommendation ITU-T X.1255 is to provide an open architecture framework in which identity management information can be discovered. This IdM information will necessarily be represente

8、d in different ways and supported by various trust frameworks or other IdM systems using different metadata schemas. This framework will enable, for example, entities operating within the context of one IdM system to have identifiers from other IdM systems accurately resolved. Without the capability

9、 for discovering such information, users and organizations (or programs operating on their behalf) are left to determine how best to establish the credibility and authenticity of a suitable identity, whether for a user, a system resource, information or other entities. Based on this information, it

10、is up to the user or organization to determine whether or not to rely on a given trust framework or other IdM system for such purposes. The core components of the framework set forth in this Recommendation include: 1) a digital entity data model, 2) a digital entity interface protocol, 3) one or mor

11、e identifier/resolution systems and 4) one or more metadata registries. These components form the basis of the open architecture framework. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1255 2013-09-04 17 ii Rec. ITU-T X.1255 (09/2013) FOREWORD The International Telecommunication U

12、nion (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions

13、 and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on

14、these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the e

15、xpression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or appli

16、cability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with t

17、he Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicab

18、ility of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implemen

19、t this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means

20、 whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1255 (09/2013) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 3 5 Conventions 3 6 Recommendation 3 6.1

21、Notions of trust . 4 6.2 Trust information 4 6.3 Federated registries for discovery 5 7 Interoperability architecture for federated registries 7 7.1 Digital entity data model 7 7.2 Digital entity interface protocol 10 7.3 Interactions with a registry . 11 7.4 Resolution systems . 12 7.5 Distributed

22、queries and aggregated metadata in federated registries . 12 7.6 Metadata schemas . 15 7.7 Metadata interoperability 15 8 Types and type attributes 15 9 Hierarchical federation and peer-to-peer federation . 17 Appendix I Scenarios of usage 20 Appendix II BNF notation for a Type record . 24 Bibliogra

23、phy. 26 Rec. ITU-T X.1255 (09/2013) 1 Recommendation ITU-T X.1255 Framework for discovery of identity management information 1 Scope Discovery of identity management information deals with the fact that one must have the ability to obtain relevant information about identifiers, including those utili

24、zing e-mail address syntax and those that are URLs, as well as persistent identifiers. Such discovery is a key element for enabling interoperability across heterogeneous information systems. The scope of this Recommendation is for a framework that: enables the discovery of identity-related informati

25、on and its provenance, including information being identified such as services, processes and entities; enables the discovery of identity-related information attributes including, but not limited to visual logos and human-readable site names; enables the discovery of attributes and the functionality

26、 of applications; describes a data model and a protocol to enable meta-level interoperability for representation, access and discovery of the information referenced above in heterogeneous IdM environments. 2 References The following ITU-T Recommendations and other references contain provisions which

27、, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of app

28、lying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ISO

29、8601 ISO 8601:2004, Data elements and interchange formats Information interchange Representation of dates and times. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 entity b-ITU-T Y.2720: Anything that has a separate and distinct existe

30、nce that can be uniquely identified. In the context of IdM, examples of entities include subscribers, users, network elements, networks, software applications, services and devices. An entity may have multiple identifiers. 3.1.2 identity provider b-ITU-T Y.2720: An entity that creates, maintains and

31、 manages trusted identity information of other entities (e.g., users/subscribers, organizations and devices) and offers identity-based services based on trust, business and other types of relationship. 3.1.3 relying party b-ITU-T Y.2720: An entity that relies on an identity representation or claim b

32、y a requesting/asserting entity. 3.1.4 trust b-ITU-T Y.2720: A measure of reliance on the character, ability, strength or truth of someone or something. 2 Rec. ITU-T X.1255 (09/2013) 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 association: A relati

33、onship, if any, between two identified entities. 3.2.2 digital entity: An entity represented as, or converted to, a machine-independent data structure consisting of one or more elements in digital form that can be parsed by different information systems; the structure helps to enable interoperabilit

34、y among diverse information systems in the Internet. 3.2.3 discovery: The act or process of seeking or locating target information, i.e., obtaining knowledge pertaining to the target. 3.2.4 element: Part of a digital entity consisting of a type-value pair, where the type is represented by a resolvab

35、le persistent identifier and the value is the relevant digital information for that type. 3.2.5 federated registries: A collection of interoperable registries that register metadata and participate in a common set of methods to share information reliably and in a commonly understood format. 3.2.6 id

36、entifier: A sequence of bits used to obtain state information about the digital entity being identified; typically, this is done via an appropriate resolution system. 3.2.7 identity management: A means by which identity management information, whether for a user, a system resource, information or ot

37、her entities, can be validated. 3.2.8 identity management information: Identity-related information including all types of metadata associated with identity, provenance, association and trust. 3.2.9 metadata: Structured information that pertains to the identity of users, systems, services, processes

38、, resources, information or other entities. 3.2.10 persistent identifier: A unique identifier that resolves to state information about a digital entity and that is resolvable for at least as long as the digital entity exists. 3.2.11 provenance: Information pertaining to any source of information inc

39、luding the party or parties involved in generating it, introducing it and/or vouching for it. 3.2.12 registry: A mechanism for registering metadata about digital entities and storing metadata schemas, and which provides an ability to search the registry for persistent identifiers based on the use of

40、 the metadata schemas. 3.2.13 repository: An interface that accepts deposits of digital entities, enables their retention, and provides secure access to the digital entities via their identifiers. 3.2.14 resolution system: A system that accepts identifiers known to the system as input, and provides

41、relevant state information about the entity being identified. 3.2.15 touch point: A registry within a system of federated registries that is selected to interface with a designated registry in another federation, typically for the purposes of peering. 3.2.16 trust framework: An IdM system where a se

42、t of verifiable commitments are made by each of the various parties in a transaction to their counter parties, and these commitments necessarily include: (a) controls to help ensure commitments are met and (b) remedies for failure to meet such commitments. Rec. ITU-T X.1255 (09/2013) 3 4 Abbreviatio

43、ns and acronyms This Recommendation uses the following abbreviations and acronyms: API Application Program Interface Bits Binary Digits BNF Backus Normal Form DE Digital Entity DEIP Digital Entity Interface Protocol DNA Deoxyribonucleic acid HTTP Hypertext Transfer Protocol ID Identifier IdM Identit

44、y Management IdP Identity Provider MAC Media Access Control P2P Peer-to-Peer PKI Public Key Infrastructure RP Relying Party TCP Transmission Control Protocol TF Trust Framework URL Uniform Resource Locator XML Extensible Markup Language 5 Conventions None. 6 Recommendation This Recommendation is for

45、 an open architecture framework to support the discovery of identity management information. It addresses the following subjects: a) the concept of trust, which is an important aspect of identity management; b) trust information, which may be used to determine how much reliance to place on any piece

46、 of IdM information; c) federated registries for discovery; d) an interoperability architecture for federation; and e) a discussion of both hierarchical and peer-to-peer federations. Discovery of identity management information is based on the use of metadata obtained from a registry or a system of

47、federated registries. The framework includes the existence of a means of resolving persistent identifiers. In general, federated registries will be operated by multiple parties and shall support the digital entity data model to represent metadata records and the digital entity interface protocol to

48、achieve the interoperability of such registries. The use of multiple schemas is presumed and each registry shall provide details of its publicly and/or privately supported metadata schemas by their respective persistent identifiers. The persistent identifiers of privately supported 4 Rec. ITU-T X.12

49、55 (09/2013) schema may be made known publicly, if desired, or they may be maintained privately along with the associated metadata schemas for limited use within restricted communities. Appendices I and II respectively provide an overview of scenarios of usage and an example BNF description of a type record (BNF is a standard notation for representing context-free grammars). 6.1 Notions of trust The word trust is a term of art and carries a number of connotations. To trust a person or process generally means to ha