ETSI GS INS 006 V1.1.1 (2011-11)
Identity and access management for Networks and Services; Study to Identify the need for a Global, Distributed Discovery Mechanism

Disclaimer
This document has been produced and approved by the Identity and access management for Networks and Services (INS) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

Group Specification
Reference: DGS/INS-006
Keywords: access, control, ID, management, network, service

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from: http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within the ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification
No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2011. All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents
Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Abbreviations
4 Scenarios
5 Current landscape
5.1 Federated Identity Management Frameworks
5.2 User-Centric Identity Management Frameworks
5.3 Discovery Frameworks
5.3.1 DNS, DDNS, DNSSEC
5.3.2 HANDLE
5.3.3 IF-MAP
5.3.4 Plutarch
6 Use Cases
6.1 UC1: User's identity data are scattered across unassociated administrative domains
6.1.1 Description
6.1.2 Actors
6.1.2.1 Actor-specific Issues
6.1.2.2 Identified gaps
6.1.2.3 Alternative Solutions based on existing literature
6.2 UC2: Unknown user authentication
6.2.1 Description
6.2.2 Actors
6.2.2.1 Actor-specific Issues
6.2.2.2 Identified gaps
6.3 UC3: Contacting an offline user
6.3.1 Description
6.3.2 Actors
6.3.2.1 Actor-specific Issues
6.3.2.2 Identified gaps
6.3.2.3 Alternative Solutions based on existing literature
7 Conclusion
Annex A (informative): Authors

Intellectual Property Rights
Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword
This Group Specification (GS) has been produced by the ETSI Industry Specification Group (ISG) Identity and access management for Networks and Services (INS).

Introduction
Today, discovery of identity data across domains is generally realized in one of two ways.

Discovery Service (DS): a service defined by a group of network entities (providers) which participate in a federation. Identity data (actual data or mappings) are registered in the service and can be provided to all the participants of the group. The location of the discovery service and the protocol for exchanging messages are static and known to the participants of the group (federated model).

The "user@location" format: by using an identifier of this format, a user directly points to a network point that holds identity information about him (user-centric model). This location may hold information for only one profile of the user (id = email address) or for many profiles (id = Virtual Identity [i.1]).

However, both of the above ways provide only limited discovery of a user's identity information. For the federated model, only the identity data which exist within
the federation of providers can be discovered (and/or associated). Information outside the federation cannot be discovered. Providers that participate in the federation have prior knowledge of the location of the DS (where to ask for information) and of how to exchange data with it (how to ask for information). Efforts to locate data outside predefined federations are usually hampered by the proprietary design of the discovery services and by the customized identity formats and protocols that each federation uses. For the user-centric model, the use of a specific predefined format immediately excludes the discovery of identity data from providers that are not familiar with it. Even though the adoption of a globally accepted identifier would solve major identity issues, this seems to be inapplicable, mainly for business reasons and because of the severe protocol modifications it would require in various networks and technologies.

This work item assumes that not all data and attributes required to provide a service are available within a single service provider. For example, proof of residence is required to access online streaming services. An acceptable issuer of this attribute may not be known to the streaming services provider beforehand and must be discovered.

The purpose of the present document is to investigate the current landscape in the IdM area and to evaluate whether there is a need for such a discovery mechanism, or whether this can be covered by existing solutions.

1 Scope
The present document focuses on a gap analysis for a global, distributed discovery mechanism for identifiers, providers and capabilities.

2 References
References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references,
only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references
The following referenced documents are necessary for the application of the present document.
Not applicable.

2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.
[i.1] Designing Advanced network Interfaces for the Delivery and Administration of Location independent, Optimised personal Services. NOTE: See http://www.ist-daidalos.org.
[i.2] Liberty Alliance Project, Project Liberty. NOTE: See http://www.projectliberty.org.
[i.3] Kantara Initiative™, Shaping the Future of Digital Identity. NOTE: See http://kantarainitiative.org.
[i.4] Liberty Alliance Project, Liberty ID-WSF Discovery Service Specification. NOTE: See http://projectliberty.org/liberty/content/download/3450/22976/file/liberty-idwsf-disco-svc-v2.0-original.pdf.
[i.5] Internet2 Middleware Initiative, Shibboleth. NOTE: See http://shibboleth.internet2.edu.
[i.6] DiscoveryService. NOTE: See https://
[i.7] Eduserv, OpenAthens. NOTE: See http://
[i.8] Microsoft Windows CardSpace. NOTE: See http://
[i.9] Higgins, Personal Data Service. NOTE: See http://www.eclipse.org/higgins.
[i.10] OpenID. NOTE: See http://
[i.11] XDI.org. NOTE: See http://www.xdi.org.
[i.12] OASIS, Extensible Resource Identifier (XRI). NOTE: See http://www.oasis-open.org/committees/download.php/15377.
[i.13] OASIS, Extensible Resource Identifier (XRI) Resolution Version 2.0. NOTE: See http://docs.oasis-open.org/xri/2.0/specs/xri-resolution-V2.0.html.
[i.14] SWIFT. NOTE: See http://www.ist-swift.org.
[i.15] STORK Project. NOTE: See https://www.eid-stork.eu.
[i.16] M. Dabrowski, P. Pacyna, "Cross-Identifier Domain Discovery Service for Unrelated User Identities", DIM Workshop, 2008.
[i.17] Wikipedia, Domain Name System. NOTE: See http://en.wikipedia.org/wiki/Domain_Name_System.
[i.18] Wikipedia, Dynamic DNS. NOTE: See http://en.wikipedia.org/wiki/Dynamic_DNS.
[i.19] DNSSEC: DNS Security Extensions. NOTE: See http://
[i.20] Wikipedia, DNS cache poisoning. NOTE: See http://en.wikipedia.org/wiki/DNS_cache_poisoning.
[i.21] Handle System. NOTE: See http://
[i.22] IF-MAP.com. NOTE: See http://www.if-
[i.23] Jon Crowcroft, Steven Hand, Richard Mortier, Timothy Roscoe, Andrew Warfield, "
Plutarch: An Argument for Network Pluralism", ACM SIGCOMM, 2003.

3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
DDNS Dynamic DNS
DNS Domain Name System
DNSSEC DNS Security Extensions
DS Discovery Service
EU European Union
GHR Global Handle Registry
IANA Internet Assigned Numbers Authority
IdM Identity Management
IdP Identity Provider
ID-WSF Identity Web Services Framework
IF Interstitial Function
IF-MAP Interface for Metadata Access Points
IM Instant Messaging
IP Internet Protocol
ISG Industry Specification Group
LHS Local Handle Service
MAC Media Access Control
OASIS Organization for the Advancement of Structured Information Standards
OWL Web Ontology Language
SAML Security Assertion Markup Language
SMS Short Message Service
SP Service Provider
SSO Single Sign On
STORK Secure IdenTity AcrOss BoRders LinKed
TCG Trusted Computing Group
TNC Trusted Network Connect
UDP User Datagram Protocol
URL Uniform Resource Locator
VID Virtual Identity
WLAN Wireless Local Area Network
WS Web Service
WSC Web Service Consumer
WSP Web Service Provider
XDI XRI Data Interchange
XML eXtensible Markup Language
XRDS eXtensible Resource Descriptor Sequence
XRI eXtensible Resource Identifier

4 Scenarios
The vast majority of existing identity management systems can provide identity solutions only if specific requirements are met. Such requirements may be that, during a network operation, all participants trust each other, have established common protocols and formats, share or know where to find the desired information, etc. These assumptions however do not always apply, and in some cases the desired identity information does not exist in the places where the IdM systems presume. For these cases the interested party
may need to dynamically discover and acquire the desired data.

Figure 1 illustrates a situation where a party needs to dynamically discover identity information about a user. User " " logs in on a service provider " " with a pre-registered account and requests a specific service (e.g. an online purchase). In order to complete the transaction, provider " " must contact other providers (e.g. " ", etc.) which all participate in Federation A. Among them, the " " provider needs to validate the user's age against a trusted entity before completing its part of the service. This information however does not exist in any of the providers forming Federation A but resides in the organization " ", which is a member of Federation B.

Even though "S" and " " participate in a common federation (Federation B), existing literature fails to support the above operation. "S" cannot autonomously discover where the desired information resides (it is restricted to using only information that exists in Federation A and is associated with the username " ") and, even if it somehow knew that the desired information existed in the " " domain, the username " " means nothing to " ".

[Figure 1 labels: Federation Group A: webstore.com (see note), supplier.com (see note), user@webstore.com. Federation Group B: gov.com (see note). Provider supplier.com participates in Federations A and B.]
NOTE: The end user has a registered account with this provider.
Figure 1: Locating identity information about a user outside a Federation

Figure 2 presents a second scenario where a network entity (e.g. a WLAN hotspot provider) needs to dynamically discover
identity data about a mobile user in a roaming setting. The user switches on his laptop and connects to a public hotspot. He opens his web browser and is redirected to a predefined web page (the hotspot provider's web page) to be authenticated. If the user does not have an active account with the hotspot provider, existing practices provide the means to authenticate him through a collaborative party (a trusted third party). The selection of this collaborative party is usually handled through a static procedure, mainly by asking the end user to choose among a predefined set of parties (a procedure known as WAYF, "Where Are You From"). Each choice, though, carries different security requirements, policy agreements, trust levels, etc., which inexperienced users may not judge correctly during their selection. Furthermore, the predefined set of collaborative parties may not always include the most appropriate provider for a specific case, or it may include providers which are unknown to the roaming user.