1、 International Telecommunication Union ITU-T Y.2721TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2010) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security NGN identity management requirements and use cases Recomm
2、endation ITU-T Y.2721 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and protocols Y.4
3、00Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resource managemen
4、t Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Frameworks and functional a
5、rchitecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.2300Y.2399 Network management
6、Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Future networks Y.2600Y.2699 Security Y.2700Y.2799Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T Y.2721 (09/2010) i
7、Recommendation ITU-T Y.2721 NGN identity management requirements and use cases Summary Recommendation ITU-T Y.2721 provides identity management (IdM) example use cases and requirements for the next generation network (NGN) and its interfaces. IdM functions and capabilities are used to increase confi
8、dence in identity information and support and enhance business and security applications including identity-based services. The requirements provided in this Recommendation are intended for NGN (i.e., managed packet networks) as defined in Recommendation ITU-T Y.2001. The objectives and requirements
9、 in this Recommendation are based on the IdM framework provided in Recommendation ITU-T Y.2720 and an analysis of use case examples relevant to NGN. The example use cases are informative and are documented in the appendices of this Recommendation. History Edition Recommendation Approval Study Group
10、1.0 ITU-T Y.2721 2010-09-16 13 Keywords Federated identity, identity management, next generation network, security. ii Rec. ITU-T Y.2721 (09/2010) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and com
11、munication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
12、The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolutio
13、n 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and
14、a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met
15、. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibi
16、lity that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Rec
17、ommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest informati
18、on and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2011 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Y.2721 (09/2010) iii CONTENTS Page 1 S
19、cope 1 2 References. 2 3 Definitions 2 3.1 Terms defined elsewhere 2 3.2 Terms defined in this Recommendation . 5 4 Abbreviations and acronyms 5 5 Conventions 7 6 IdM overview 7 6.1 General . 7 6.2 IdM relationships 8 6.3 Drivers and motivations . 11 6.4 Multiple service provider and federated envir
20、onment 11 6.5 Identity service provider (IdSP) . 11 6.6 IdM in the context of NGN architectures and reference models 12 7 IdM objectives 13 8 IdM requirements . 14 8.1 General requirements 14 8.2 Identity lifecycle management requirements 15 8.3 Identity management OAM users of this Recommendation a
21、re therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as
22、 a stand-alone document, the status of a Recommendation. ITU-T E.107 Recommendation ITU-T E.107 (2007), Emergency Telecommunications Service (ETS) and interconnection framework for national implementations of ETS. ITU-T X.811 Recommendation ITU-T X.811 (1995) | ISO/IEC 10181-2:1996, Information tech
23、nology Open Systems Interconnection Security frameworks for open systems: Authentication framework. ITU-T X.1252 Recommendation ITU-T X.1252 (2010), Baseline identity management terms and definitions. ITU-T Y.2001 Recommendation ITU-T Y.2001 (2004), General overview of NGN. ITU-T Y.2012 Recommendati
24、on ITU-T Y.2012 (2010), Functional requirements and architecture of next generation networks. ITU-T Y.2201 Recommendation ITU-T Y.2201 (2009), Requirements and capabilities for ITU-T NGN. ITU-T Y.2205 Recommendation ITU-T Y.2205 (2008), Next Generation Networks Emergency telecommunications Technical
25、 considerations. ITU-T Y.2702 Recommendation ITU-T Y.2702 (2008), Authentication and authorization requirements for NGN Release 1. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management framework. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following term
26、s defined elsewhere: 3.1.1 anonymity ITU-T X.1252: A situation where an entity cannot be identified within a set of entities. NOTE Anonymity prevents the tracing of entities or their behaviour such as user location, frequency of a service usage, and so on. 3.1.2 assertion ITU-T X.1252: A statement m
27、ade by an entity without accompanying evidence of its validity. 3.1.3 attribute ITU-T X.1252: Information bound to an entity that specifies a characteristic of the entity. 3.1.4 authentication ITU-T X.1252: A process used to achieve sufficient confidence in the binding between the entity and the pre
28、sented identity. NOTE Use of the term authentication in an identity management (IdM) context is taken to mean entity authentication. Rec. ITU-T Y.2721 (09/2010) 3 3.1.5 authentication assurance ITU-T X.1252: The degree of confidence reached in the authentication process that the communication partne
29、r is the entity that it claims to be or is expected to be. NOTE The confidence is based on the degree of confidence in the binding between the communicating entity and the identity that is presented. 3.1.6 authorization ITU-T X.1252: The granting of rights and, based on these rights, the granting of
30、 access. 3.1.7 binding ITU-T X.1252: An explicit established association, bonding, or tie. 3.1.8 claim ITU-T X.1252: To state as being the case, without being able to give proof. 3.1.9 claimant ITU-T X.1252: An entity that is or represents a principal for the purposes of authentication. NOTE A claim
31、ant includes the functions necessary for engaging in authentication exchanges on behalf of a principal. 3.1.10 context ITU-T X.1252: An environment with defined boundary conditions in which entities exist and interact. 3.1.11 credential ITU-T X.1252: A set of data presented as evidence of a claimed
32、identity and/or entitlements. 3.1.12 delegation ITU-T X.1252: An action that assigns authority, responsibility, or a function to another entity. 3.1.13 discovery ITU-T Y.2720: The act of locating a machine-processable description of a network-related resource that may have been previously unknown an
33、d that meets certain functional criteria. It involves matching a set of functional and other criteria with a set of resource descriptions. The goal is to find an appropriate service-related resource. 3.1.14 entity ITU-T X.1252: Something that has separate and distinct existence and that can be ident
34、ified in context. NOTE An entity can be a physical person, an animal, a juridical person, an organization, an active or passive thing, a device, a software application, a service, etc., or a group of these entities. In the context of telecommunications, examples of entities include access points, su
35、bscribers, users, network elements, networks, software applications, services and devices, interfaces, etc. 3.1.15 emergency telecommunications (ET) ITU-T Y.2205: ET means any emergency related service that requires special handling from the NGN relative to other services. This includes government a
36、uthorized emergency services and public safety services. 3.1.16 emergency telecommunications service (ETS) ITU-T E.107: A national service providing priority telecommunications to the ETS authorized users in times of disaster and emergencies. 3.1.17 federation ITU-T X.1252: An association of users,
37、service providers, and identity service providers. 3.1.18 federated identity ITU-T Y.2720: An identity that can be used to access a group of services or applications that are bounded by the policies and conditions of a federation. 3.1.19 identifier ITU-T X.1252: One or more attributes used to identi
38、fy an entity within a context. NOTE In the context of NGN as defined in b-ITU-T Y.2091, an identifier is a series of digits, characters and symbols or any other form of data used to identify subscriber(s), user(s), network element(s), function(s), network entity(ies) providing services/applications,
39、 or other entities (e.g., physical or logical objects). 4 Rec. ITU-T Y.2721 (09/2010) 3.1.20 identity ITU-T X.1252: A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within context. For identity management (IdM) pur
40、poses, the term identity is understood as contextual identity (subset of attributes), i.e., the variety of attributes is limited by a framework with defined boundary conditions (the context) in which the entity exists and interacts. NOTE Each entity is represented by one holistic identity that compr
41、ises all possible information elements characterizing such entity. However, this holistic identity is a theoretical issue and eludes any description and practical usage because the number of all possible attributes is indefinite. 3.1.21 identity assurance ITU-T X.1252: The degree of confidence in th
42、e process of identity validation and verification used to establish the identity of the entity to which the credential was issued, and the degree of confidence that the entity that uses the credential is that entity or the entity to which the credential was issued or assigned. 3.1.22 identity manage
43、ment ITU-T Y.2720: Set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for: assurance of identity information (e.g., identifiers, credentials, attribu
44、tes), assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects), and enabling business and security applications. 3.1.23 identity pattern ITU-T X.1252: A structured expressio
45、n of attributes of an entity (e.g., the behaviour of an entity) that could be used in some identification processes. 3.1.24 identity provider: See identity service provider (IdSP). NOTE The term “identity provider (IdP)“ is used in ITU-T Y.2720 and in specifications by other organizations. However,
46、to avoid misinterpretation that it could be construed to mean an entity that provides identities, rather than an entity that manages identities, the term identity service provider (IdSP) is used in this Recommendation. 3.1.25 identity service provider ITU-T X.1252: An entity that verifies, maintains
47、, manages, and may create and assign identity information of other entities. 3.1.26 next generation network ITU-T Y.2001: A packet-based network able to provide telecommunication services and able to make use of multiple broadband, QoS-enabled transport technologies and in which service-related func
48、tions are independent from underlying transport related technologies. It enables unfettered access for users to networks and to competing service providers and/or services of their choice. It supports generalized mobility which will allow consistent and ubiquitous provision of services to users. 3.1
49、.27 personally identifiable information (PII) ITU-T X.1252: Any information a) that identifies or can be used to identify, contact, or locate the person to whom such information pertains; b) from which identification or contact information of an individual person can be derived; or c) that is or can be linked to a natural person directly or indirectly. 3.1.28 presence ITU-T Y.2720: A set of attributes that characterizes an entity relating to cu
