1、 International Telecommunication Union ITU-T X.1251TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2009) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management A framework for user control of digital identity Recommendation ITU-T X.1251 ITU-T X-S
2、ERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGE
3、MENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Mu
4、lticast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Coun
5、tering spam X.1230X.1249 Identity management X.1250X.1279SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1251 (09/2009) i Recommendation ITU-T X
6、.1251 A framework for user control of digital identity Summary Recommendation ITU-T X.1251 defines a framework to enhance user control and exchange of their digital identity related information. This Recommendation also defines user and functional capabilities of the digital identity information exc
7、hange. The work includes providing the user with the ability to control the release of personally identifiable information. Source Recommendation ITU-T X.1251 was approved on 25 September 2009 by ITU-T Study Group 17 (2009-2012) under the WTSA Resolution 1 procedure. Keywords Digital contract, digit
8、al identity, digital identity client, identity, identity interchange, identity management, identity server. ii Rec. ITU-T X.1251 (09/2009) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communicati
9、on technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The Worl
10、d Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In
11、some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recogn
12、ized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The wor
13、ds “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that
14、 the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendati
15、on development process. As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are th
16、erefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1251 (09/2009) iii CONTENTS Page 1 Scope 1 2 Refe
17、rences. 1 3 Terms and definitions . 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 3 5 Conventions 3 6 General capabilities 4 6.1 User capabilities . 4 6.2 Functional capabilities 4 6.3 Security guidelines . 5 7 Enhanced user control of digi
18、tal identity interchange 5 7.1 Introduction 5 7.2 Security threats . 6 7.3 Conceptual model for digital identity interchange . 6 7.4 Digital contract . 8 7.5 Three layers for identity interchange 9 8 Digital identity interchange framework 10 8.1 Design principles 10 8.2 Framework components . 11 App
19、endix I Reference implementation guideline for a framework for user control of digital identity using WS-trust and Information Card technology . 14 I.1 Introduction 14 I.2 Background . 14 I.3 DIIF capabilities . 15 Bibliography. 18 Rec. ITU-T X.1251 (09/2009) 1 Recommendation ITU-T X.12511A framewor
20、k for user control of digital identity 1 Scope This Recommendation defines a framework to enhance user control and exchange of their digital identity related information. This Recommendation also defines capabilities for the digital identity information exchange. The work includes providing the user
21、 with the ability to control the release of personally identifiable information. NOTE The use of the term “identity“ in this Recommendation relating to IdM does not indicate its absolute meaning. In particular, it does not constitute any positive validation of a person. 2 References The following IT
22、U-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendati
23、on are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it
24、, as a stand-alone document, the status of a Recommendation. ITU-T X.1205 Recommendation ITU-T X.1205 (2008), Overview of cybersecurity. ITU-T X.1250 Recommendation ITU-T X.1250 (2009), Baseline capabilities for enhanced global identity management and interoperability. 3 Terms and definitions 3.1 Te
25、rms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 credential b-ITU-T X.1252: A set of data presented as evidence of a claimed identity and/or entitlements. 3.1.2 entity b-ITU-T X.1252: Anything that has separate and distinct existence and that can be identif
26、ied in context. NOTE An entity can be a physical person, an animal, a juridical person, an organization, an active or passive thing, a device, software application, service, etc. or a group of these individuals. In the context of telecommunications, examples of entities include access points, subscr
27、ibers, users, network elements, networks, software applications, services and devices, interfaces, etc. 3.1.3 federation b-ITU-T X.1252: An association of users, service providers and identity service providers. 3.1.4 identifier b-ITU-T X.1252: One or more attributes used to identify an entity withi
28、n a context. _ 1This Recommendation may not be applicable in some countries due to their domestic legislation. 2 Rec. ITU-T X.1251 (09/2009) 3.1.5 identity b-ITU-T X.1252: The representation of an entity in the form of one or more information elements which allow the entity(s) to be sufficiently dis
29、tinguished within context. For IdM purposes, the term identity is understood as contextual identity (subset of attributes), i.e., the variety of attributes is limited by a framework with defined boundary conditions (the context) in which the entity exists and interacts. NOTE Each entity is represent
30、ed by one holistic identity, which comprises all possible information elements characterizing such entity (the attributes). However, this holistic identity is a theoretical issue and eludes any description and practical usage because the number of all possible attributes is indefinite. 3.1.6 identit
31、y management b-ITU-T Y.2720: A set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for: assurance of identity information (e.g., identifiers, credenti
32、als, attributes); assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and enabling business and security applications. 3.1.7 identity service provider (IdSP) b-ITU-T X
33、.1252: An entity that verifies, maintains, manages, and may create and assign identity information of other entities. 3.1.8 personally identifiable information (PII) b-ITU-T Y.2720: The information pertaining to any living person which makes it possible to identify such individual (including the inf
34、ormation capable of identifying a person when combined with other information even if the information does not clearly identify the person). 3.1.9 relying party b-ITU-T Y.2720: An entity that relies on an identity representation or claim by a requesting/asserting entity within some request context.
35、3.1.10 user b-ITU-T X.1252: Any entity that makes use of a resource e.g., system, equipment, terminal, process, application, or corporate network. 3.1.11 user-centric b-ITU-T X.1252: An IdM system that can provide the (IdM) user with the ability to control and enforce various privacy and security po
36、licies governing the exchange of identity information, including PII, between entities. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 circle of trust: A set of criteria established for joining organizations within a federation for the purposes of tru
37、sted access to each others resources. Note that a circle of trust is also the end result of joining organizations within a federation. 3.2.2 digital contract: A contract made in digital form and signed by two entities between whom an agreement is reached. 3.2.3 digital identity: The digital represen
38、tation of the information known about a specific individual, group or organization. 3.2.4 digital identity client: A client program that provides authentication and credential management, identity interchange and privacy protection service to the user. 3.2.5 identity fraud: A crime in which an impos
39、tor obtains key pieces of personally identifiable information (PII) such as social security numbers and drivers license numbers and uses them for his own personal gain. 3.2.6 identity information: The information identifying a user, including trusted (network generated) and/or untrusted (user genera
40、ted) addresses. Rec. ITU-T X.1251 (09/2009) 3 3.2.7 identity interchange: A process of disseminating users identity information between an identity service provider and a relying party through a digital identity client. 3.2.8 identity selector: A software component in a digital identity client avail
41、able to the user through which the user controls and dispatches his/her digital identities. 3.2.9 identity server: A server that manages the users credential and identity information and provides it to a digital identity client. 3.2.10 identity synchronization: A process of updating disseminated use
42、rs identity information to a relying party when the source of the identity information in an identity service provider is changed. 3.2.11 identity termination: A process of deleting users identity information from a storage when the validity of it is expired. 3.2.12 identity token: A data model for
43、the digital identity, which can contain a users PII and credential information. 3.2.13 phishing: The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communicati
44、on. 3.2.14 privacy policy: The policy statement that defines the rules for protecting access to and dissemination of personal privacy information. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations: CoT Circle of Trust DIC Digital Identity Client DIIF Digital Identity
45、Interchange Framework IdM Identity Management IdS Identity Server IdSP Identity Service Provider PII Personally Identifiable Information PKI Public Key Infrastructure RP Relying Party SP Service Provider XML eXtensible Markup Language 5 Conventions None. 4 Rec. ITU-T X.1251 (09/2009) 6 General capab
46、ilities This Recommendation defines the following set of capabilities. The capabilities specified in the user and functional parts below are mandatory unless indicated as optional. 6.1 User capabilities The following are required to satisfy users capabilities: 1) Support for mutual authentication me
47、chanisms. 2) Provision of a consistent authentication interface to support various authentication mechanisms with a digital identity client (DIC). 3) Provision of an identity selector that allows the user to choose which credential is going to be used for authentication. The choice of the credential
48、 to be used for authentication might also be constrained by some websites requirements. For the users convenience, the choice of the authentication method and associated credential might also be delegated to the identity service provider (possibility for the user to only choose an identity service p
49、rovider and not specifically a particular credential to be used to authenticate at that identity service provider). 4) Provision of an intuitive and consistent interface to manage his/her credential information with maximum security. 5) Support for auto fill-in registration or subscription of a website to minimize the users interaction with the site including the users full control to activate and deactivate such mechanisms. This is optional. 6) Provision of identity information