Understanding Digital Identity Management - Phil Windley's ...

More documents

Recommendations

Info

Identity FrameworkDigital identity management is built on a set of concepts that provide a frameworkfor addressing the identity in a business context instead of an IT security context:• Integrity and non-repudiation• Confidentiality• Authentication and authorization• Identity provisioning• Representing and managing authorization policyThe most significant challenge in each of these areas is interoperability since thegoal is to build an enterprise wide identity system, even one that federatesoutside the enterprise. To that end, there are a number of standards bodiesworking to build a common foundation in these areas. The following sectionsbriefly describe these problem domains and the standards being developed toaddress them.Integrity and Non-Repudiation: XML SignaturesXML signatures can ensure message integrity and authenticate all or part of anXML document. The standard doesn’t define new signature methods, but ratherspecifies how existing digital signature technology can be used inside XMLdocuments. Message integrity ensures that the data has not been changedthrough some error during transport or as the result of a malicious attack. Digitalsignatures also prevent a signer from repudiating a message.Like any standard, the XML Signature standard has options for numerouscontingencies that make it seem complicated, but at its heart its quite simple. AnXML signature is contained in a element and consists of three mainparts:1. The element contains a reference to the data that has beensigned along with information about how it was made canonical, whatsignature method was used, relevant digest information, and anytransformations that were applied.2. The element contains the actual signature.3. The element contains the key information necessary tovalidate the signature.Using the XML signature standard, parts of a document can be signed andmultiple entities can sign the same or different parts of a document.The following is an example of an XML signature shows each part:
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />f7dhfj38sdjdf89fjskfhweol=KLUR~HF=CN=Phil Windley,O=The Windley Group, LLC,ST=Utah, C=USMIID5jCCA0+gA...lVNThis XML signature is signing the document located at the URL shown in the element.Confidentiality: XML EncryptionLike any other communication on the Internet, any XML document can beencrypted in its entirety and sent across the wire to be decrypted at the otherend. Alternately, the channel could be encrypted, using SSL for example,ensuring that any message transferred is protected.Frequently, however, parts of XML message need to be sent in the clear. Forexample, all or part of the body of a SOAP message may need protection whilethe headers are sent in the clear so that routing and other information can beseen by intermediaries. The XML Encryption standard is designed to providethese benefits.Any encrypted data in an XML document is identified using the element. The element consists of twoparts:1. An optional element that gives information. The element is the same as the one defined forthe XML signature specification.2. A element that contains the raw encrypted data containedin a element or a element thatcontains a URI that points to the raw encrypted data.The following is an example of an element:John Smithsh748fjl4…Digital Identity Management 5 of 20 Phillip J. Windleywww.windley.com
Page 1 and 2: Understanding DigitalIdentity Manag
Page 3: perfectly understandable given our
Page 7 and 8: • Issuer ID and issuance timestam
Page 9 and 10: authenticated. The site recommends
Page 11 and 12: Figure 5: Web Services ProfileIdent
Page 13 and 14: Figure 6 diagrams an example of the
Page 15 and 16: SAML provides a format for exchangi
Page 17 and 18: Notice that operators and types are
Page 19 and 20: Enterprises who implement an identi

Understanding Digital Identity Management - Phil Windley's ...

Create successful ePaper yourself

Delete template?

Save as template?