IDsec

IDsec is a mechanism that provides a "virtual" or "digital identity" system that can be managed through a customer's Internet service provider. As such it can be an alternative for Windows Live ID.
Introduction
Today many services exist on the Internet that require some form of user identification or user information, e.g. for personalisation or e-commerce purposes. These services rely on customer information to improve their quality by using previously acquired knowledge about users stored in user profiles. However each of these services implements its own mechanism for that purpose, which leads to user information redundancy, fragmentation and possible inconsistency. Moreover the current situation forces users to maintain multiple profiles at multiple service providers. This overload of personal, possibly privacy-sensitive, information floating around the Internet leads to great issues of trust.
IDsec presents a generic mechanism for establishing virtual identities on the Internet, that standardises protocols and interfaces for exchanging identity information between users and service providers in a secure manner. It enables users to reuse profile information across Internet services and service providers to delegate (part of) their customer information maintenance.
Overview
Identity in IDsec means that a user is known by a certain profile that contains precisely those attributes that the user wants to reveal to the requester of his profile. Access to profile attributes is managed by the user himself. Certificates and public/private key mechanisms ensure that information is exchanged in a secure way only between parties that trust each other.
Profiles are stored with so-called Profile Managers somewhere on the Internet. Profile Managers are parties that have a trusted relationship with the Profile Owners whose Profiles they have stored in their databases.
A Profile Manager runs a server-side application that allows his clients to modify their Profile over a secure connection. In addition to modification of attributes and their values, Profile Owners can assemble Access Control Lists that specify which attributes are accessible to which Profile Requesters. Access Control Lists are based on certificate information.
Upon starting an Internet action that requires the use of IDsec, a Profile Owner will login with the Profile Manager. This "session login" will result in the creation of a "session certificate" that is sent to the Owner. The session certificate represents the Owner in the current Internet session and it contains a reference to the location of his Profile.
The Profile Owner sends the session certificate to the IDsec enabled Profile Requester. The Requester in his turn, sends it together with his own root certificate to the location specified in the session certificate. The Profile Manager uses the session certificate to identify the Owner and to assemble a Profile Requester specific Profile based on the Requester credentials and the Access Control List that the Owner specified.
The Profile Requester now has a customer Profile that he can use to personalize content, to do accounting and/or billing (eventually in combination with a third party) and any other business that he would normally do with locally stored customer data.
Notice that IDsec supports "anonymous browsing" and single sign-on; it does not necessarily reveal the name and address of the Profile Owner or any other attribute that uniquely identifies the Profile Owner. IDsec transmits exactly those attributes that an Owner trusts to be sent to the Requester.
Status
Several people have given positive feedback on the IDsec specification. It has been proposed as input to the IETF, to the DotGNU project and to the PingID project, amongst other personal initiatives. Furthermore RSA security has commented on the draft specification and they will put it forward as input to the Liberty Alliance Project.
 
< Prev   Next >