(Continuation of part of Q.6/17)
Motivation
Identity management (IdM) is the management of the life cycle and use
(creation, maintenance, utilization, and revocation) of credentials,
identifiers, attributes, and patterns by which entities (e.g., service
providers, end-users, organizations, network devices, applications and services)
are known with some level of trust. Depending on the context, multiple
identities may exist for a single entity, with differing security requirements and
at multiple locations. In public networks, IdM supports trusted information
exchange between authorized entities, based on validation and assertion
of identities across distributed systems in a multiple-service-provider,
open service environment. IdM also enables the protection of private information
and ensures that only authorized information is disseminated.
IdM is a key component of telecommunications/ICT networks, services, and
products because it supports establishing and maintaining trusted
communications. It not only supports authentication of an entity’s identity, but
also permits authorization of privileges, easy change of privileges when an
entity’s role changes, delegation, nomadicity, and other significant
identity-based services.
IdM is a critical component in managing network security and enabling the
nomadic, on-demand access to networks and e-services that end-users expect
today. Along with other defensive mechanisms, IdM helps to prevent fraud and
identity theft and thereby increases users’ confidence that e-transactions are
secure and reliable.
National/regional-specific IdM specifications and solutions will exist and
continue to evolve. Harmonization of the different national/regional IdM
approaches, specifications and solution variants is very important for global
communications.
This Question is dedicated to the vision setting and the coordination and
organization of the entire range of IdM activities within ITU-T. A top-down
approach to IdM will be used, in collaboration with other study groups and
other standards development organizations (SDOs). It is recognized that other
Questions will be involved in specific aspects of IdM, e.g., protocols,
requirements, network device identifiers, etc.
Recommendations under responsibility of this Question as of 1 December 2008:
None.
Question
Study items to be considered include, but are not limited to:
- What are the functional concepts for a common identity management (IdM)
infrastructure?
- What is an appropriate IdM model that is independent of network technologies,
supports user-centric involvement, represents IdM information and supports the
secure exchange of IdM information between involved entities (e.g., users,
relying parties and identity providers) based on policies?
- What are the components of a generic framework and requirements for IdM?
- What are the specific IdM requirements of service providers?
- What are requirements, capabilities and possible strategies for achieving
interoperability between different IdM systems (e.g., identity assurance,
inter-working)?
- What are the candidate mechanisms for IdM interoperability to include
identifying and defining applicable profiles to minimize interoperability
issues?
- What are the requirements and mechanisms for protection and disclosure of
personally identifiable information (PII)?
- What are the requirements to protect IdM systems from cyber attacks?
- What IdM capabilities can be used against cyber attacks?
- How should IdM be integrated with advanced security technologies?
Tasks
Tasks include, but are not limited to:
- Specify an IdM framework that supports discovery, policy and trust model,
authentication and authorization, assertions, and credential lifecycle
management required for IdM.
- Define functional IdM architectural concepts to include IdM bridging between
networks and among IdM systems taking into account advanced security
technologies.
- Specify requirements (and propose mechanisms) for identity assurance, and
mapping/interworking between different identity assurance methods that might be
adopted in various networks. In this context, identity assurance includes
identity patterns and reputation.
- Define interfaces for interoperability of IdM systems.
- Define requirements (and propose mechanisms) for protection and disclosure of
personally identifiable information (PII).
- Define requirements (and propose mechanisms) to protect IdM systems including
how to use IdM capabilities as a means for service providers to coordinate and
exchange information regarding cyber attacks.
- Maintain and coordinate the IdM terminology and definitions living list, and
continue the ongoing work.
- Study and define IdM security risks and threats.
Relationships
Recommendations: X- and Y-series
Questions: ITU-T Qs 1, 4, 8/17 and 16/13
Study groups: ITU-T SGs 2, 11, 13 and 16; ITU-D SG 1
Standardization bodies: ISO/IEC JTC 1 SCs 6, 27 and 37; IETF; ATIS; ETSI/TISPAN;
OASIS; Liberty Alliance; OMA; NIST; 3GPP; 3GPP2
Other bodies: Eclipse; InCommon; PRIME; OpenID Foundation; Shibboleth; etc.