Consensus Emerging on Proposal for Identity Management Framework

Business plans and legal and regulatory mandates are predicated on a common global identity management framework, said Tony Rutkowski, vice president of regulatory affairs and standards at VeriSign. Nearly 50 legal and regulatory mandates apply to identity management, a focus group document said. National Security Telecommunications Advisory Committee (NSTAC) requirements are also addressed in the IdM work, Rutkowski said.

A consensus appeared to be emerging in recent FG-IdM meetings on a three-part identity management model: (1) assertion of an identity; (2) processing the information; (3) validation of an identity or routing, if it is a service request, said Rutkowski after a June 14-15 FG-IdM meeting on user needs and legal and regulatory requirements including privacy at VeriSign. An example would be a mobile phone company that provides a service based on an authenticated device.

Determining what is missing for the global IdM framework and how to deal with the holes remains an issue, Rutkowski said: “Missing component one is global buy-in to a common three-part model for what identity management is.” Other missing pieces include discovery of identity management resources, and trusted interoperability between resources so users can determine the appropriate level of trust to give. Privacy is also critical so users can understand how their personal information may be used as part of an identity interaction, Rutkowski said.

Consensus is also emerging on using Organization for the Advancement of Structured Information Standards (OASIS) standard called XRI (Extensible Resource Identifier) for discovery of identification resources, wrote FG-IdM Chairman Abbie Barbir of Nortel in a report on the May FG-IdM meeting.

Officials are talking about ITU-T as a possible organizer of a global registration process for implementation of XRI, Rutkowski said: “XRI allows the expression of identity resources… It’s a kind of a global root of all identifier systems.” XRI assumes a global registration process of all identity systems, he said: “It’s one of the things that’s been sort of missing and it’s going to get worse over time” because more identity systems will be implemented. ITU currently allocates country codes for telephone numbers, E.212 for Global System for Mobile, international signaling point codes and abstract syntax notification object identifiers, which are used for identifying equipment.

Migrating the specification into ITU will not assure global buy-in, officials said. Design and adoption issues also factor in, said Drummond Reed, chief technology officer of Cordance, speaking as chairman of the Oasis XRI technical committee. The XRI architecture was designed for virtual addressing and discovery and privacy control, he said.

One remaining issue is how to treat objects, Rutkowski said. Officials from South Korea’s Electronics and Telecommunications Research Institute are pushing for the FG- IdM to come up with a suggestion for how objects could become part of identity management framework.

Government concerns about authoritative authentication of a person in ITU’s lead Next Generation Network study group and other venues are expected to be addressed by individual administrations rather than inside the ITU, Rutkowski said: “One of the legal and regulatory gaps is a certain level of cooperation and harmonization,” between activities and platforms used for it.

New developments in the EU Daidalos (Designing Advanced network Interfaces for the Delivery and Administration of Location independent, Optimized personal Services) project are expected in the next two weeks, said Amardeo Sarma of NEC, speaking as a Daidalos team leader. The project is looking at how the network may change due to identity schemes, he said.

The focus group’s work will be written up as suggestions for ITU’s more formal study groups to consider. China is expected to provide more input during the July 17-20 meeting in Tokyo.