1、 International Telecommunication Union ITU-T X.1250TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2009) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management Baseline capabilities for enhanced global identity management and interoperability Rec
2、ommendation ITU-T X.1250 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SY
3、STEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 S
4、ECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURI
5、TY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1250
6、(09/2009) i Recommendation ITU-T X.1250 Baseline capabilities for enhanced global identity management and interoperability Summary Recommendation ITU-T X.1250 describes baseline capabilities for global identity management (IdM) interoperability (i.e., to enhance exchange and trust in the identifiers
7、 used by entities in telecommunication/information technology IT networks and services). The definitions and need for IdM are highly context-dependent and often subject to very different policies and practices in different countries. The capabilities include the protection and control of personally
8、identifiable information (PII). Source Recommendation ITU-T X.1250 was approved on 25 September 2009 by ITU-T Study Group 17 (2009-2012) under the WTSA Resolution 1 procedure. ii Rec. ITU-T X.1250 (09/2009) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized ag
9、ency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a vie
10、w to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendat
11、ions is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for concisen
12、ess to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation
13、is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTEL
14、LECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, wh
15、ether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are
16、cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission
17、 of ITU. Rec. ITU-T X.1250 (09/2009) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations 3 5 Conventions 4 6 General 4 7 Capabilities for global identity management and interoperability . 5 7.1 Example
18、s of possible identity management transaction models 5 7.2 An interoperable set of identity management (IdM) capabilities . 8 7.3 Four basic identity components 9 7.4 Discovery of identity capabilities . 11 7.5 Interoperability and bridging 12 7.6 IdM security 13 7.7 Protection, control and use of p
19、ersonally identifiable information (PII) 14 7.8 Auditing and compliance 15 7.9 Performance, reliability and availability 16 7.10 Internationalization . 16 Bibliography. 17 Rec. ITU-T X.1250 (09/2009) 1 Recommendation ITU-T X.12501Baseline capabilities for enhanced global identity management and inte
20、roperability 1 Scope This Recommendation describes baseline capabilities for enhancing global identity management and interoperability using public telecommunication networks and services. These baseline capabilities are grouped into functional areas: Common, structured identity management models. P
21、rovision of attributes (including identifier), credential and capabilities. Discovery of identity service provider resources, capabilities, and federations. Interoperability among management platforms, identity service providers and provider federations, including identity service bridge providers.
22、Security and other measures to mitigate identity threats and risks, including protection of identity resources, personally identifiable information and privacy. Auditing and compliance, including policy enforcement and protection of personally identifiable information. Performance, reliability, and
23、availability of identity management capabilities. Todays telecommunication/IT networks and services are very diverse, highly distributed, highly interconnected, yet substantially autonomous in identity management (IdM). While these networks and capabilities are evolving, their size and complexity ma
24、y inhibit interoperability among IdM capabilities. For this reason, IdM capabilities in this Recommendation rely substantially on existing network capabilities and general models including what are effectively best practices. However, to achieve global identity management and interoperability, this
25、Recommendation describes an evolution path and how to build on existing capabilities, where possible. It also defines an identity bridge capability that can be employed in many IdM systems and support architectures to integrate existing IdM capabilities. The implementation of IdM capabilities in ind
26、ividual countries is subject to requirements specific to the national jurisdiction. NOTE The use of the term “identity“ in this Recommendation relating to IdM does not indicate its absolute meaning. In particular, it does not constitute any positive validation of a person. 2 References None. 3 Defin
27、itions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 claimant b-ITU-T Y.2720 and b-ITU-T X.811: An entity which is or represents a principal for the purposes of authentication. A claimant includes the functions necessary for engaging in authenticat
28、ion exchanges on behalf of a principal. _ 1This Recommendation may not be applicable in some countries due to their domestic legislation. 2 Rec. ITU-T X.1250 (09/2009) 3.1.2 personally identifiable information (PII) b-ITU-T Y.2720: The information pertaining to any living person, which makes it poss
29、ible to identify such individual (including the information capable of identifying a person when combined with other information, even if the information does not clearly identify the person). 3.1.3 relying party b-ITU-T Y.2720: An entity that relies on an identity representation or claim by a reque
30、sting/asserting entity within some request context. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 agent: An entity that acts on behalf of another entity. 3.2.2 anonymity: The property that an entity cannot be identified within a set of entities. NOTE
31、 Anonymity prevents the tracing of entities or their behaviour such as user location, frequency of a service usage, and so on. 3.2.3 attribute: Information bound to an entity that specifies a characteristic of the entity. 3.2.4 authentication: See entity authentication. 3.2.5 authentication assuranc
32、e: Confidence reached in the authentication process that the communication partner is the entity which it claims to be or is expected to be. 3.2.6 binding: An explicit established association, bonding, or tie. 3.2.7 claim: An assertion made by a claimant of the value or values of one or more identit
33、y attributes of a digital subject, typically an assertion which is disputed or in doubt. 3.2.8 entity: Anything that has separate and distinct existence and that can be identified in context. NOTE An entity can be a physical person, an animal, a juridical person, an organization, an active or passiv
34、e thing, a device, a software application, a service, etc., or a group of these individuals. In the context of telecommunications, examples of entities include access points, subscribers, users, network elements, networks, software applications, services and devices, interfaces, etc. 3.2.9 entity au
35、thentication: A process to achieve sufficient confidence in the binding between the entity and the presented identity. 3.2.10 federation: An association of users, service providers and identity providers. 3.2.11 identifier: One or more attributes used to identify an entity within a context. 3.2.12 i
36、dentity: The representation of an entity in the form of one or more information elements which allow the entity(s) to be sufficiently distinguished within context. For IdM purposes, the term identity is understood as contextual identity (subset of attributes), i.e., the variety of attributes is limi
37、ted by a framework with defined boundary conditions (the context) in which the entity exists and interacts. NOTE Each entity is represented by one holistic identity, which comprises all possible information elements characterizing such entity (the attributes). However, this holistic identity is a th
38、eoretical issue and eludes any description and practical usage because the number of all possible attributes is indefinite. 3.2.13 identity service bridge provider: An identity service provider that acts as an intermediary among other identity service providers. Rec. ITU-T X.1250 (09/2009) 3 3.2.14
39、identity management: A set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for: assurance of identity information (e.g., identifiers, credentials, att
40、ributes); assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and supporting business and security applications. 3.2.15 identity service provider: An entity that verif
41、ies, maintains, manages, and may create and assign identity information of other entities. 3.2.16 identity pattern: A structured expression of attributes of an entity (e.g., the behaviour of an entity) that could be used in some identification processes. 3.2.17 manifestation: An observed or discover
42、ed (i.e., not self-asserted) representation of an entity. (Compare with assertion.) 3.2.18 pseudonym: An identifier, whose binding to an entity is not known or is known to only a limited extent, within the context in which it is used. 3.2.19 requesting entity: An entity making an identity representa
43、tion or claim to a relying party within some request context. 3.2.20 terminal object: An object (such as a SIM card) which may have a relationship to a network terminal device (such as a mobile phone). 3.2.21 trust: The firm belief in the reliability and truth of information; or in the competence of
44、 an entity to act appropriately, within a specified context. 3.2.22 user: Any entity that makes use of a resource, e.g., system, equipment, terminal, process, application, or corporate network. 3.2.23 user-centric: An IdM system that can provide the (IdM) user with the ability to control and enforce
45、 various privacy and security policies governing the exchange of identity information, including PII, between entities. 4 Abbreviations This Recommendation uses the following abbreviations: DHCP Dynamic Host Configuration Protocol ID Identifier IdM Identity Management IdSP Identity Service Provider
46、IT Information Technology NGN Next Generation Network(s) PII Personally Identifiable Information RFID Radio Frequency IDentification SIM Subscriber Identity Module URL Uniform Resource Locator 4 Rec. ITU-T X.1250 (09/2009) 5 Conventions None. 6 General The growth and evolution of communications capa
47、bilities has enabled the proliferation of numerous consumer, business, and government e-services. Communications are no longer just a resource to browse for information, the Internet protocol based communications technologies, such as NGN, are becoming an indispensable enabler for conducting daily e
48、-transactions. The capabilities described in this Recommendation are intended to support the development and deployment of structured and interoperable identity management capabilities under a common framework for all telecommunication/IT network and service systems, subject to regional and national
49、 policies concerning personally identifiable information and privacy. The capabilities described in this Recommendation include: a) Examples of common, structured identity management models Identity management usually involves an exchange between entities of one or more identities using a telecommunication/IT network or service. In order to meet a desired authentication assurance level, the parties may decide or be required to communicate additional information among themselves or
