Identity metasystem: Difference between revisions
Content deleted Content added
m sp: an platform→a platform |
Wrote entirely new and significantly more substantial page, including references |
||
| Line 1: | Line 1: | ||
The '''Identity Metasystem''' is an interoperable architecture for digital identity that enables people to have and employ a collection of digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, customers can continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others. The Identity Metasystem is based upon the principles in [http://msdn2.microsoft.com/en-us/library/ms996456.aspx The Laws of Identity]. |
|||
'''Identity Metasystem''' is a platform for managing digital identities and provide authentication services. An identity metasystem manages authentication service providers and facilitates authenticating the user to resources that require authentication. It thus provides interoperability between various authentication credential providers (including password based authentication systems to biometric systems) and allows the user to authenticate himself to any resource using the authentication system of choice. |
|||
== Identity Metasystem Architecture == |
|||
| ⚫ | |||
=== Roles within the Identity Metasystem === |
|||
Different parties participate in the metasystem in different ways. The three roles within the metasystem are: |
|||
* '''Identity Providers''', which issue digital identities. For example, credit card providers might issue identities enabling payment, businesses might issue identities to their customers, governments might issue identities to citizens, and individuals might use self-issued identities in contexts like signing on to web sites. |
|||
* '''Relying Parties''', which require identities. For example, a web site or online service that utilizes identities offered by other parties. |
|||
* '''Subjects''', which are the individuals and other entities about whom claims are made. Examples of subjects include end users, companies, and organizations. |
|||
In many cases, the participants in the metasystem play more than one role, and often all three. |
|||
=== Components of the Identity Metasystem === |
|||
There are five key components to the Identity Metasystem: |
|||
* A way to represent identities using '''claims'''. Claims are carried in security tokens, as per [[WS-Security]]. |
|||
* A means for identity providers, relying parties, and subjects to '''negotiate'''. Dynamically negotiating the claims to be delivered and the security token format used enables the Identity Metasystem to carry any format of token and any kinds of claims needed for a digital identity interaction. Negotiation occurs using [[WS-SecurityPolicy]] statements exchanged using [[WS-MetadataExchange]]. |
|||
* An '''encapsulating protocol''' to obtain claims and requirements. The [[WS-Trust]] and [[WS-Federation]] protocols are used to carry requests for security tokens and responses containing those tokens. |
|||
* A means to bridge technology and organizational boundaries using '''claims transformation'''. '''Security Token Services (STSs)''' as defined in [[WS-Trust]] are used to transform claim contents and formats. |
|||
* A '''consistent user experience''' across multiple contexts, technologies, and operators. This is achieved via [[Identity Selector]] client software such as [[Windows CardSpace]] representing digital identities owned by users as visual [[Information Card|Information Cards]]. |
|||
== Interoperability and Licensing == |
|||
The protocols needed to build Identity Metasystem components can be used by anyone for any purpose at no cost and interoperable implementations can be built using only publicly-available documentation. Patent promises have been issued by [http://www.microsoft.com/interop/osp/ Microsoft], [http://www-03.ibm.com/linux/opensource/ispinfo.shtml IBM], and others ensuring that the protocols underlying the Identity Metasystem can be freely used by all. |
|||
Several interoperability testing events for Identity Metasystem components have been sponsored by [http://osis.netmesh.org/ OSIS] and the [http://www.burtongroup.com/ Burton Group], the most recent of which was the [http://identityblog.burtongroup.com/bgidps/2007/10/osis-user-centr.html Interop at the October 2007 European Catalyst Conference in Barcelona]. These events are helping to insure that the different software components being built by the numerous Identity Metasystem participants work well together. |
|||
In his report on the [http://identityblog.burtongroup.com/bgidps/2007/08/recapping-the-c.html Interop at the June 2007 Catalyst Conference in San Francisco], analyst Bob Blakley wrote: |
|||
<blockquote> |
|||
The interop event was a milestone in the maturation of user-centric identity technology. Prior to the event, there were some specifications, one commercial product, and a number of open-source projects. After the event, it can accurately be said that there is a running identity metasystem. |
|||
</blockquote> |
|||
| ⚫ | |||
* [[Information Card]] |
|||
* [[Identity Selector]] |
|||
* [[WS-Security]] |
|||
| ⚫ | |||
* [[WS-MetadataExchange]] |
|||
* [[WS-SecurityPolicy]] |
|||
* [[WS-Federation]] |
|||
* [[Windows CardSpace]] |
* [[Windows CardSpace]] |
||
| ⚫ | |||
* [[Higgins trust framework]] |
* [[Higgins trust framework]] |
||
== |
== References == |
||
* [http://www.identityblog.com/stories/2005/07/05/IdentityMetasystem.htm Microsoft's vision for an identity metasystem] |
|||
* [http://msdn2.microsoft.com/en-us/library/ms996422.aspx Microsoft's Vision for an Identity Metasystem], Michael B. Jones, May 2005. |
|||
* [http://msdn2.microsoft.com/en-us/library/ms996456.aspx The Laws of Identity], Kim Cameron, May 2005. |
|||
* [http://research.microsoft.com/~mbj/papers/Identity_Metasystem_Design_Rationale.pdf Design Rationale behind the Identity Metasystem Architecture], Kim Cameron and Michael B. Jones, January 2006. |
|||
* [http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age], Ann Cavoukian, Information and Privacy Commissioner of Ontario, October 2006. |
|||
== External Links == |
|||
* [http://identityblog.burtongroup.com/bgidps/2007/08/recapping-the-c.html Burton Group report on June 2007 User-Centric Identity Interop at Catalyst in San Francisco], August 2007. |
|||
{{software-stub}} |
|||
* [http://identityblog.burtongroup.com/bgidps/2007/10/osis-user-centr.html Burton Group report on October 2007 User-Centric Identity Interop at Catalyst in Barcelona], October 2007. |
|||
* [http://www.bandit-project.org/index.php/DigitalMe DigitalMe Identity Selector] |
|||
* [http://www.microsoft.com/interop/osp/ Microsoft Open Specification Promise], May 2007. |
|||
* [http://www-03.ibm.com/linux/opensource/ispinfo.shtml IBM Interoperability Specifications Pledge], July 2007. |
|||
[[Category:Identity management systems]] |
[[Category:Identity management systems]] |
||
[[Category:Identity management|Information Card]] |
|||
[[Category:Identity management systems|Information Card]] |
|||
Revision as of 07:55, 27 November 2007
The Identity Metasystem is an interoperable architecture for digital identity that enables people to have and employ a collection of digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, customers can continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others. The Identity Metasystem is based upon the principles in The Laws of Identity.
Identity Metasystem Architecture
Roles within the Identity Metasystem
Different parties participate in the metasystem in different ways. The three roles within the metasystem are:
- Identity Providers, which issue digital identities. For example, credit card providers might issue identities enabling payment, businesses might issue identities to their customers, governments might issue identities to citizens, and individuals might use self-issued identities in contexts like signing on to web sites.
- Relying Parties, which require identities. For example, a web site or online service that utilizes identities offered by other parties.
- Subjects, which are the individuals and other entities about whom claims are made. Examples of subjects include end users, companies, and organizations.
In many cases, the participants in the metasystem play more than one role, and often all three.
Components of the Identity Metasystem
There are five key components to the Identity Metasystem:
- A way to represent identities using claims. Claims are carried in security tokens, as per WS-Security.
- A means for identity providers, relying parties, and subjects to negotiate. Dynamically negotiating the claims to be delivered and the security token format used enables the Identity Metasystem to carry any format of token and any kinds of claims needed for a digital identity interaction. Negotiation occurs using WS-SecurityPolicy statements exchanged using WS-MetadataExchange.
- An encapsulating protocol to obtain claims and requirements. The WS-Trust and WS-Federation protocols are used to carry requests for security tokens and responses containing those tokens.
- A means to bridge technology and organizational boundaries using claims transformation. Security Token Services (STSs) as defined in WS-Trust are used to transform claim contents and formats.
- A consistent user experience across multiple contexts, technologies, and operators. This is achieved via Identity Selector client software such as Windows CardSpace representing digital identities owned by users as visual Information Cards.
Interoperability and Licensing
The protocols needed to build Identity Metasystem components can be used by anyone for any purpose at no cost and interoperable implementations can be built using only publicly-available documentation. Patent promises have been issued by Microsoft, IBM, and others ensuring that the protocols underlying the Identity Metasystem can be freely used by all.
Several interoperability testing events for Identity Metasystem components have been sponsored by OSIS and the Burton Group, the most recent of which was the Interop at the October 2007 European Catalyst Conference in Barcelona. These events are helping to insure that the different software components being built by the numerous Identity Metasystem participants work well together.
In his report on the Interop at the June 2007 Catalyst Conference in San Francisco, analyst Bob Blakley wrote:
The interop event was a milestone in the maturation of user-centric identity technology. Prior to the event, there were some specifications, one commercial product, and a number of open-source projects. After the event, it can accurately be said that there is a running identity metasystem.
See Also
- Information Card
- Identity Selector
- WS-Security
- WS-Trust
- WS-MetadataExchange
- WS-SecurityPolicy
- WS-Federation
- Windows CardSpace
- Higgins trust framework
References
- Microsoft's Vision for an Identity Metasystem, Michael B. Jones, May 2005.
- The Laws of Identity, Kim Cameron, May 2005.
- Design Rationale behind the Identity Metasystem Architecture, Kim Cameron and Michael B. Jones, January 2006.
- 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, Ann Cavoukian, Information and Privacy Commissioner of Ontario, October 2006.
External Links
- Burton Group report on June 2007 User-Centric Identity Interop at Catalyst in San Francisco, August 2007.
- Burton Group report on October 2007 User-Centric Identity Interop at Catalyst in Barcelona, October 2007.
- DigitalMe Identity Selector
- Microsoft Open Specification Promise, May 2007.
- IBM Interoperability Specifications Pledge, July 2007.