Emerging Standards

Editors: Rick Kuhn, kuhn@nist.gov

Susan Landau, susan.landau@sun.com
Ramaswamy Chandramouli, mouli@nist.gov

User-Centric
Identity Management
New Trends in Standardization and Regulation

I
n offering services to individuals, enterprises often deal service providers. It might seem use-
ful for a citizen to have an account
with a lot of personal information, the improper handling with the Internal Revenue Service
to deal with an annual tax declara-
of which creates security risks for both the enterprises and tion online or to link it with infor-
mation about medical service costs,
individuals concerned. Authentication procedures usu- but a unification of all the data and
profiles stored by the tax office, the
ally assume specific behavior on the part of individuals, and this hospital, and the health insurance
provider would require close man-
PETE perception becomes a critical part of tice, employees often have a plethora agement. Ideally, users should have
BRAMHALL an enterprise’s security mechanism. of legacy identifiers and access control over their identity informa-
Hewlett- Identity management systems are rights, making it difficult to know tion as it’s collected and stored. Ad-
Packard touted as a solution, but even though and manage who has authorization ditionally, users should be able to
Laboratories users and enterprises are stakeholders to do what. Establishing an efficient know and restrict who might use the
in the broader conversation about framework for corporate access data, and for what purposes.
MARIT HANSEN identity management, their interests management with reliable account-
Independent aren’t necessarily aligned: who’s in ability isn’t trivial. Identity management
Centre for control, and whose interests will Vendors often tout “identity man-
Privacy prevail in case of conflict? Single sign-on agement” as an answer to both en-
Protection The European Commission- Single-sign-on systems are popular terprise and user needs. Identity
funded Privacy and Identity Manage- tools for addressing identity needs: management systems come in a vari-
KAI ment for Europe project (Prime; they attempt to unify all accounts ety of flavors—the term comprises
RANNENBERG www.prime-project.eu) proposes a and access rights into one system per several technologies (together with
Goethe solution driven by the EU Privacy enterprise against which users can organizational processes) used to
University Directive (95/46/EC; http://ec. authenticate themselves. The enter- manage entities’ attributes, includ-
Frankfurt europa.eu/justice_home/fsj/privacy/ prise then uses this association to ing authorizations, authentication
law/), which puts the user in control make authorization decisions about data, and accounting information,
THOMAS wherever possible. This article focuses access to resources such as comput- possibly complemented with policy
ROESSLER on that project and how it interacts ers, customer databases, or printers. information. So-called user-centric
Worldwide with standardization initiatives and in- Yet, account and access unifica- identity management systems, which
Web ternational organizations. tion can be a double-edged sword focus on the users’ rather than the
Consortium for users and service providers. Al- service providers’ perspective, have
Corporate access though users typically like the added increasingly come forward in the
management convenience of single-sign-on sys- past few years. This approach lets
Enterprises must be efficient in tems, as the number of applications users choose, for example, what per-
identifying and addressing users and in their daily lives increases, so too sonal data to disclose under various
customers—for instance, managing does the risk of data misuse: the conditions, and which credentials to
access control policies might, at least more you access your sensitive infor- present in response to authentication
in theory, require a competent point mation with one identifier, the or attribute requests. As the Higgins
within the enterprise to determine higher the risk you’ll fall victim to (www.eclipse.org/higgins), Card-
which user has access to which assets identity fraud. Space (http://cardspace.netfx3.com),
under specific conditions. In prac- Similar considerations apply to and Liberty Alliance (www.project

84 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE SECURITY & PRIVACY

liberty.org) systems illustrate, user-
centric identity models are usually
combined with federated identity
management paradigms rather than
purely centralized approaches.
Given that those centralized
systems usually let the identity
provider monitor all activities, this
privacy-invasive approach is less
suitable for user-centric models in
which the user can decide in each
specific situation what to reveal and
who to trust. The flipside of users’
offering data only under condi-
tions is the requirement that enter-
prises connect their databases and
business processes to privacy poli-
cies and accountability systems.
Today’s policy languages and iden-
tity systems only partially serve this
requirement, and new research
challenges continue to arise as data
and policies are aggregated across
different domains.
Privacy and
identity management
à la Prime
User-centric identity management
is also a key idea in the Prime proj-
ect, which began in 2004 with 20
partners from industry, academia,
and a data protection authority.
Prime aims to develop a working
prototype of an identity manage-
ment system that lets users maintain
control of their own private
spheres. It implements the data-
minimization principle as far as
possible—by using private creden-
tials that offer anonymous, yet
accountable, interaction, for exam-
ple. The project has developed an
architecture for privacy-enhancing
identity management that inte-
grates state-of-the-art mechanisms,
including privacy policies, ontolo-
gies, privacy-enhancing access
control policy languages, private
credentials, anonymous communi-
cation, assurance, seals, and audits.
Prime tools can enhance various
application scenarios, including
Web browsing, aviation passenger
processes, location-based services,
and collaborative e-learning.
Interaction with
standardization bodies
When Prime began, work toward
the development and standardization
of specifications relevant to identity
management was under way in vari-
ous forums, including the Liberty
Alliance’s specifications for federated
identity management, the Organiza-
tion for the Advancement of Struc-
tured Information Standards’ (Oasis;
www.oasis-open.org) specifications
such as the Security Assertion
Markup Language (SAML) and Ex-
tensible Access Control Markup
Language (XACML), and various
Web services specifications. The
World Wide Web Consortium’s
Platform for Privacy Preferences
(P3P) also introduced a vocabulary to
express services’ privacy policies in a
machine-readable way.
Since then, additional efforts rele-
vant to identity management stan-
dardization have commenced. Prime
partners monitor ongoing work and
adopt its results where appropriate;
the goal is to then feed results back
into standardization initiatives. The
Prime project organized open
workshops on standardization in
user-centric identity management
in 2006 and 2007. Participants active
in efforts at the International Orga-
nization for Standardization (ISO),
International Electrotechnical
Commission (IEC), International
Telecommunication Union (ITU),
and W3C attended these work-
shops. The perspective of Prime—
The flipside is the requirement that enterprises
connect their databases and processes to
privacy policies and accountability systems.
striving for maximum privacy in
realistic scenarios—is valuable for
designing acceptable and legally
compliant standards, infrastruc-
www.computer.org/security/
Emerging Standards
tures, and products. These, in turn,
would offer the landscape in which
Prime’s identity management
could come into full effect.1
ISO/IEC efforts
In May 2006, Subcommittee 27
(which works on IT security tech-
niques; www.jtc1sc27.din.de) of the
ISO/IEC Joint Technical Commit-
tee on Information Technology
(JTC 1) established Working Group
5 to focus on identity management
and privacy technologies. In its
Working Draft 24760, WG 5 de-
fines identity management as “an in-
tegrated concept of processes,
policies, and technologies that
enables authoritative sources to ac-
curately identify entities, and au-
thoritative sources, as well as
individual entities to facilitate and
control the use of identity informa-
tion in their respective relations.”
Four of WG 5’s active projects
are especially relevant here:
• A framework for identity management
(WD 24760) addresses the secure
management of identity informa-
tion, letting individuals and orga-
nizations protect privacy and
control access to information, re-
gardless of the nature of the activi-
ties in which they’re involved.
• Authentication assurance (New Proj-
ect [NP] 29115) aims to improve
and enhance trust and confidence
in authentication by providing ob-
jective, vendor-neutral guidelines
for authentication assurance.
• A privacy framework (WD 29100)
aims to provide mechanisms for
defining privacy-safeguarding re-
quirements related to personally
identifiable information processed
by any information and communi-
■ IEEE SECURITY & PRIVACY 85
 Emerging Standards
cation system in any jurisdiction.
• A privacy reference architecture (NP
29101) promises a model to de-
scribe best practices for consistent
Most enacted privacy-related laws and
regulations mandate data protection rather
than provide privacy.
technical implementation of pri-
vacy requirements in information
and communication systems.
Two other projects deal with bio-
metric template protection (WD
24745) and the authentication con-
text of biometrics (Committee
Draft [CD] 24761). Further projects
can be expected.
ITU-T
The telecommunication standard-
ization sector of the ITU recently
published a report that outlines the
need to improve the design of
identity-management mechanisms
from the consumers’ perspective.2 In
December 2006, the ITU then es-
tablished the Focus Group on Iden-
tity Management (FG IdM; www.
itu.int/ITU-T/studygroups/com
17/fgidm/)—defined here as “man-
agement by providers of trusted at-
tributes of an entity such as a
subscriber, device, or provider”—to
help facilitate and advance the de-
velopment of a generic identiy-
management framework and means
of discovery for autonomous distrib-
uted identities and identity federa-
tions and implementations. The aim
is interoperability among solutions
via an open mechanism—a “trust-
metric system”—that will let differ-
ent identity-management systems
communicate even as each contin-
ues to evolve. The FG IdM is open
to ITU member states, sector mem-
bers, and associates, as well as individ-
uals from any country that’s an ITU
member, as long as they’re willing to
contribute to the work.
86 IEEE SECURITY & PRIVACY ■ JULY/AUGUST 2007
W3C
At the W3C’s October 2006 Privacy
Workshop, researchers and practi-
tioners explored new directions in
privacy policy languages and en-
forcement mechanisms. Participants
considered technologies to address
privacy needs across the whole value
chain, including data processing
within enterprises and data distribu-
tion among enterprises. Workshop
attendees identified policy interop-
erability and mapping as key enablers
for future privacy-enhancing policy
deployment.3 Although it would be
difficult (or impossible) to create and
distribute a new, all-encompassing
access control and obligation lan-
guage, participants showed sig-
nificant interest in exploring the
interfaces between different, possibly
domain-specific, policy languages.
Ontologies and common modeling
principles could help combine pol-
icy languages and enable automatic
translation among them. Important
contributions in this area could in-
clude a standardized language to de-
scribe evidence and mechanisms for
discovering ontologies that expose
relationships between vocabularies
used by different organizations.
W3C is reviewing options for
chartering an interest group to serve as
a forum for further community build-
ing and technical discussions in this
space. The group’s work is expected
to include architectural considerations
for policy languages and their interop-
erability, as well as the use of Semantic
Web technologies and the W3C
Rule Interchange working group’s ef-
forts toward delivering interoperabil-
ity frameworks for policy languages.
Legislative activity
All of this activity is unfolding against
a backdrop of worldwide legislative
activity on privacy concerns ex-
pressed by academics, individuals,
and businesses. Various enterprises
are investing in improving their own
privacy-respecting practices, which
not only reduce the chances of pri-
vacy breaches but also demonstrate
leadership and improve companies’
reputations. Despite the lead shown
by these beacons of excellence, how-
ever, the main motivation for most
enterprises to adopt stringent privacy
policies (and privacy-enhancing tech-
nologies as a means for achieving
these) is to avoid punitive action for
failing to comply with privacy-
related legislation and regulations.
Anonymity technologies
Regardless of their titles, most en-
acted privacy-related laws and regu-
lations mandate data protection
rather than provide privacy. Because
most legislation is written to be
technology-neutral, references to the
data-minimization aspect of privacy
fail to specifically consider or require
the use of anonymization or pseudo-
nymization technologies. As a result,
organizations have no regulatory in-
centive to invest in these important
enablers for user-centric privacy in
their identity management systems.
Regulations
Given regulation’s current role as the
preeminent driver for investment
decisions—both by organizations in
privacy-related technologies and
practices and by standardization
bodies in developing tools to ease
their adoption—trends in regulatory
activities provide a key indicator to
the future privacy landscape for or-
ganizations and individuals.
Europe follows the most mature
regulatory approach: the 1995 adop-
tion of the EU Privacy Directive
mandated that member states enact
data-protection measures that com-
ply with (at least) the directive’s min-
imum terms. The directive is based
on the notion of individual rights,
which therefore forms the basis for

the national-level legislation that’s
been enacted.
In the Asia-Pacific Economic
Cooperation (APEC) organization,
work is under way to formulate a
common approach to privacy regu-
lation. Given the different histories,
priorities, philosophies, and customs
of the nations within APEC, the or-
ganization’s approach is based not on
the notion of rights but on minimiz-
ing the probability and impact of ac-
tual harm to individuals. In China,
for example, the government is con-
sidering a privacy-related law in re-
sponse to the concerns of its rapidly
growing consumer class.
Within the US, pressure from
consumer advocacy groups and
some forward-thinking businesses is
building for Congress to enact an en-
hanced federal privacy law. The re-
sulting legislation might also be based
on the principle of minimizing
harm. To come full circle, there is
some support in Europe for a review
of the EU’s Privacy Directive. Al-
though no plans currently exist to
amend it, this support could ulti-
mately lead to a change from a rights-
based to a harm-avoidance approach
for European privacy law, as well.
F or harm-avoidance to drive a
significant increase in the use of
privacy-enhancing technologies
such as user-centric identity man-
agement systems, the incentives for
organizations to adopt them to meet
regulatory data-minimization re-
quirements would need to be based
on very severe penalties for harms
caused by inadequate safeguarding
of personal data and its use. In addi-
tion to a legal baseline supporting
users’ privacy, reliable reputation
systems on companies—for ex-
ample, privacy seals certifying
privacy-compliant procedures—
and transparency for consumers
about enterprises’ misconduct are
needed to help users make well-in-
formed choices regarding how and
with whom they deal.
Emerging Standards
Prime’s comprehensive approach Kai Rannenberg is a professor of mobile
to research into and development of business and multilateral security at
Goethe University. His research interests
requirements, architectures, and
include mobile applications and multi-
technologies for user-centric iden- lateral security, privacy and identity man-
tity management, to enhance privacy agement, communication infrastructures
for individual participants in the dig- and devices, and IT security evaluation
and certification. Rannenberg has a PhD
ital economy, provides a valuable first in business informatics and economics
step toward meeting the needs of the from Albert-Ludwigs-Universität. He
diverse set of stakeholders in this serves as convener of ISO/IEC JTC 1 SC
space. The project is disseminating its 27/WG 5 and as chair of the Interna-
tional Federation for Information Pro-
outputs (software, design knowl- cessing’s Technical Committee 11
edge, tutorials, and socio-economic (Security & Protection in Information Pro-
analysis) in a wide variety of indus- cessing Systems). Contact him at kai.
trial, public policy, standardization rannenberg@m-chair.net.
and academic fora to catalyze further
Thomas Roessler is security activity lead
refinement and adoption. at the W3C. His work covers areas includ-
ing security usability, digital signature
References standards, and policy languages.
Roessler has a Diplom in mathematics
1. Privacy and Identity Management for
from Bonn University, Germany. Contact
Europe—Prime White Paper, version him at tlr@w3.org.
2.0, R. Leenes, J. Schallaböck and
M. Hansen, eds., white paper, June
2007; www.prime-project.eu/
prime_products/whitepaper/.
2. L. Srivastava et al., Digital.life,
ITU Internet Report 2006, tech.
report, Int’l Telecommunication
Union, 2006; www.itu.int/osg/
spu/publications/digitalife/.
3. T. Roessler, “W3C Workshop on
Languages for Privacy Policy
Negotiation and Semantics-Driven
Enforcement,” workshop report,
Oct. 2006; www.w3.org/2006/
07/privacy-ws/report.
FREE Visionary
Pete Bramhall is a senior project man-
ager at Hewlett-Packard Laboratories in Web Videos
Bristol, England. His team’s research
interests include user and enterprise
aspects of managing privacy, identity,
about the
reputation and trust. Bramhall has an
MSc in computer science from the Uni-
Future of Multimedia.
versity of Manchester, England. Contact
him at pete.bramhall@hp.com.
Marit Hansen is head of the Privacy-
Listen to premiere
Enhancing Technology (PET) department
at the Independent Centre for Privacy
multimedia experts!
Protection. Her research interests include
identity management, anonymity, pseu- Post your own views
donymity, transparency, and user em-
powerment. Hansen has a Diplom in and demos!
computer science from the University of
Kiel, Germany. She is a member of the
ACM and Gesellschaft für Informatik
where she serves as chair of the Special Visit www.computer.org/
Interest Group on PETs. Contact her at
marit.hansen@acm.org. multimedia
www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 87