Abstract
Identity Management (IM) has traditionally meant different things depending on whether users or providers perform it. For users, IM means choosing among one's own identities and roles in order to make selected personal information available to providers while respecting privacy. For providers, IM typically consists of centralized identity data repositories and their use by the services offered. Methods and tools for both aspects of IM have developed almost orthogonally, without considering their interoperability and complementary purposes. We analyze the similarities between both IM aspects and demonstrate how both sides can benefit from a common policy language for personal information release and service provisioning. We derive criteria for this common policy language, demonstrate XACML's suitability, and discuss our prototype for the Shibboleth IM system.
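The core claim of the abstract, that a single policy language can drive both the user-side decision "which of my attributes may this provider see" and the provider-side decision "may this subject use this service", can be made concrete with a small evaluator. The block below is an added illustration, not the paper's Shibboleth prototype and not an XACML implementation: it models XACML 2.0 concepts (Target, Rule, Effect, Condition, the deny-overrides rule-combining algorithm) as plain Python structures instead of XML, and the federation name, the "sp-type" environment attribute, the "library-portal" service and the user record are constructed for the example. The same evaluator is then used once as an attribute-release policy at the identity provider and once as an access policy at the service provider.

```python
"""Added illustration (not the paper's code): one XACML-style policy
evaluator serving both attribute release (IdP / user side) and service
access (SP / provider side)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, List, Tuple

# A decision request, grouped by XACML attribute category.
Request = Dict[str, Dict[str, Any]]


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: Dict[str, Dict[str, Any]] = field(default_factory=dict)
    condition: Callable[[Request], bool] = lambda req: True


def target_matches(target: Dict[str, Dict[str, Any]], request: Request) -> bool:
    """A Target matches when every attribute it lists is present in the
    request with an equal value (a set in the target means "one of")."""
    for category, attrs in target.items():
        for name, expected in attrs.items():
            actual = request.get(category, {}).get(name)
            allowed = expected if isinstance(expected, (set, frozenset)) else {expected}
            if actual not in allowed:
                return False
    return True


def evaluate_rule(rule: Rule, request: Request) -> str:
    """Rule evaluation: Target mismatch -> NotApplicable; Condition error
    (e.g. an attribute the SP never received) -> Indeterminate."""
    if not target_matches(rule.target, request):
        return "NotApplicable"
    try:
        return rule.effect if rule.condition(request) else "NotApplicable"
    except (KeyError, TypeError):
        return "Indeterminate"


def deny_overrides(rules: Iterable[Rule], request: Request) -> str:
    """Simplified XACML deny-overrides: any Deny wins, Indeterminate is
    treated as Deny (fail closed), otherwise Permit if any rule permits."""
    results = [evaluate_rule(r, request) for r in rules]
    if "Deny" in results or "Indeterminate" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


# --- user side: attribute release policy evaluated at the identity provider ---
# (federation name and "sp-type" are assumed environment attributes)
RELEASE_POLICY: List[Rule] = [
    Rule("release-affiliation-in-federation", "Permit",
         target={"resource": {"attribute": "eduPersonAffiliation"},
                 "action": {"id": "release"},
                 "environment": {"federation": "example-federation"}}),
    Rule("release-mail-to-universities", "Permit",
         target={"resource": {"attribute": "mail"}, "action": {"id": "release"},
                 "environment": {"federation": "example-federation",
                                 "sp-type": "university"}}),
    Rule("never-release-mail-to-commercial", "Deny",
         target={"resource": {"attribute": "mail"}, "action": {"id": "release"},
                 "environment": {"sp-type": "commercial"}}),
]

# --- provider side: service provisioning policy evaluated at the service provider ---
ACCESS_POLICY: List[Rule] = [
    Rule("members-may-read-portal", "Permit",
         target={"resource": {"service": "library-portal"}, "action": {"id": "read"}},
         condition=lambda req: req["subject"]["eduPersonAffiliation"] in {"student", "faculty"}),
]


def release_attributes(policy: List[Rule], user_attrs: Dict[str, Any],
                       sp_env: Dict[str, Any]) -> Dict[str, Any]:
    """Query the release policy once per attribute; return only permitted ones."""
    released = {}
    for name, value in user_attrs.items():
        request = {"subject": {"user": "alice"}, "resource": {"attribute": name},
                   "action": {"id": "release"}, "environment": sp_env}
        if deny_overrides(policy, request) == "Permit":
            released[name] = value
    return released


def service_decision(policy: List[Rule], released: Dict[str, Any],
                     service: str, action: str) -> str:
    """The SP decides on exactly the attributes the IdP chose to release."""
    request = {"subject": released, "resource": {"service": service},
               "action": {"id": action}, "environment": {}}
    return deny_overrides(policy, request)


# Constructed sample data for the demonstration.
USER = {"eduPersonAffiliation": "student", "mail": "alice@example.edu", "displayName": "Alice"}
UNIVERSITY_SP = {"federation": "example-federation", "sp-type": "university"}
COMMERCIAL_SP = {"federation": "example-federation", "sp-type": "commercial"}
FOREIGN_SP = {"federation": "other-federation", "sp-type": "university"}


def demo(sp_env: Dict[str, Any]) -> Tuple[Dict[str, Any], str]:
    released = release_attributes(RELEASE_POLICY, USER, sp_env)
    return released, service_decision(ACCESS_POLICY, released, "library-portal", "read")


if __name__ == "__main__":
    for label, env in [("university", UNIVERSITY_SP), ("commercial", COMMERCIAL_SP), ("foreign", FOREIGN_SP)]:
        print(label, demo(env))
```

Two points worth noting from running it: the commercial provider still gets a Permit at the service because the affiliation it needs was released while the mail attribute was withheld, which is exactly the data-minimisation effect a user-side release policy is meant to have; and the provider outside the federation receives no attributes at all, so the SP's condition cannot be evaluated, yields Indeterminate and is turned into Deny by the combining algorithm rather than into an accidental Permit.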
© 2006 Springer-Verlag Berlin Heidelberg
Hommel, W. (2006). Policy-Based Integration of User and Provider-Sided Identity Management. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_12
DOI: https://doi.org/10.1007/11766155_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34640-1
Online ISBN: 978-3-540-34642-5