Feeds

Naming some identity standards

Politics could be the biggest identity issue

Choosing a cloud hosting partner with confidence

Confused about how the emerging identity standards and systems fit together and which to work with? You're not alone. There's a lot of talk – and quite a few demos – of interoperable identity systems, but how do you know how well they really fit together?

That's what the ITU focus group on identity management (FG IdM) was set up to thrash out: how do we turn promising developments into an identity layer for networks that everyone can work with?

User names and passwords as we use them today are enough of a security and usability problem on the Web; as converged next-generation networks become a reality, many of the services that are planned simply couldn't work that way. According to the chairman of the focus group Abbie Barbir “What we really need in the long run - or the short run - is the identity layer as the enabler of the service layer; I see the identity layer as the enabler of federation of services at the end of the day”.

With only nine months to work, the focus group can't solve the whole problem, but it can, explains Barbir, document how the different systems are solving it: “What we want to do is a framework for defining what you do with identity rather than being technical about how it's done.” It’s looking at CardSpace (formerly InfoCard), Open ID, the Higgins project, IBM's Identity Mixer, openLiberty and other identity frameworks.

While many of these frameworks are already looking at interoperability, there are also overlapping areas and rivalries to contend with. Barbir says the problems aren't all in the technology: “A lot of them are political. The technical issues - they are solvable. It's mostly a political problem. Speaking as the chair of this focus group, this is where the ITU comes in. This is a global industry. If it can be done, the ITU is the place to do it.”

Tony Rutkowski, Verisign's VP for regulatory affairs, agrees that the aim is to “formalise and fill holes”. Although there are many approaches, there's general agreement that identity management services need discovery, interoperability – and, of course, security.

“There may well be solutions everyone could agree on to provide these,” Rutkowski says, “What exists that everyone could buy into as a common global solution; or what can we do to make existing solutions work together? We're casting the net very wide, from authentication of people, authentication of providers - which is increasingly important - and identity management of objects from RFIDs [radio-frequency identity tags] up. There will be a ratio of 400 objects [with an identity] per person very shortly and it's still growing. We're also focusing on trust mechanisms; so that when you deal with another party under a particular set of circumstances and using a particular kind of asserted identity, you have the ability to measure in some quantitative sense what the level of trust is.”

And, of course, “All these systems create their own problems and insecurities,” as Rutkowski points out, and "one has to ask what vulnerabilities we're creating within the systems.”

Trust is vital. Along with identity services come identity providers and there has to be a way of knowing who's reputable, says Barbir. “Part of our aim,” he explains, “is to enable an identity provider to be an anchor of trust; whether at the user, application or network level. Currently that anchor of trust is not communicated to the upper level. This is needed, that what we call ‘trusted identifiers’ can be available - we need that glue before we can have any [safe] interaction with the identity layer.”

So, how long before we get away from ‘silos of identity’ (whether it's Active Directory or your Amazon account) to an interworking identity system. Going by Barbir's estimates, you shouldn't hold your breath – at least in part because of those political issues. “I'm expecting three-five years,” Barbir says,

“that's the timeframe - you have to get that silo mentality to go away. I think the pressure from Open ID will put enough pressure on the other silos. We are certainly heading that way; I think the Liberty Alliance [people] will eventually see that this is coming down and they have to do something about it. The key is how we are going to do federation; I see federation as a key component of how we do this identity layer. The whole concept revolves around the use of the Web services stack, a protocol that more and more identity information is being based on. After all, ‘identity’ is nothing but some data that need to be exchanged and updated… data in a database that need to be synchronised.”

The next FG IdM meeting is in Geneva, 23-25 April 2007 and the focus group Wiki is here.

Business security measures using SSL

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.