
Village Research
Identity Analysis
Bay Colony Center
1050 Winter Street
Suite 1000
Waltham, MA 02451
USA
TITLE: HAVE IDENTITIES BEFORE YOU MANAGE THEM
AUTHOR: Wes Kussmaul
FIRST EDITION: September 2006
FORMAT: PDF
PAGES: 72
PRICE: $499.00 USD
Digital IDWorld PRICE: $299.99 USD
Attendees of DIDW receive a discount for a limited time.
TABLE OF CONTENTS
EXECUTIVE SUMMARY
- The various parts of Identity Management fall into two categories
- Provisioning
- What we do with “provisioned” identities
- The Fundamental Assumptions behind Provisioning
- Identities are available
- An identity is a manifestation of relationship
- A credential that protects an organization’s assets is treated as carefully as one that protects the user’s assets
- Credentials are not shared
- Users can reset their own passwords safely
- What do we mean by “provisioning?”
- Enrollment?
- Scattering of identity seeds to be cultivated…
- What if…
- Drivers’ licenses were provisioned by relationships
- Passports were provisioned by relationships
- How Provisioning Assumptions Affect The Rest of IDM
- PKI works only in support of small confined applications
- Identity Management is a constant effort to keep up with changing relationships
- IDQA
- Why we avoid UID: Privacy concerns
- Why universal identities are inevitable
UID ≠ National ID
IDQA™
HOW RELIABLE ARE YOUR IDENTITIES?
CHAPTER I: MARKET ANALYSIS
1.1 Market Overview
1.1.1 What is Identity Management
1.1.2 Market Drivers
1.1.3 Identity Management Market Barriers
1.1.4 How to Select an Identity Management Vendor
1.1.5 Market Trends over the Next Four Years
1.2 Market Segmentation
1.3 Full Suite Vendors
1.4 Provisioning
1.5 Secure Access and Authentication Vendors
1.6 Federated Identity
CHAPTER II: TECHNOLOGY OVERVIEW
2.1 Directory Services Overview
2.1.1.1 Lightweight Directory Access Protocol (LDAP)
2.1.1.2 Directory Service Markup Language (DSML)
2.1.1.3 DEN Initiative
2.2 Provisioning Systems Overview
2.3 Security Authentication and Authorization Systems Overview
2.4 Federated Identity of the Liberty Alliance
2.4.1.1 Security Assertion Markup Language (SAML)
2.4.1.2 Simple Object Access Protocol (SOAP)
2.4.1.3 Web Services
CHAPTER III: IDENTITY MANAGEMENT VENDORS
3.1 IDENTITY MANAGEMENT FULL SUITE VENDORS
A10 Networks
Computer Associates International, Inc
IBM
Microsoft Corporation
Novell, Inc
Oracle Corporation
Siemens AG
Sun Microsystems, Inc
3.2 PROVISIONING VENDORS
Beta Systems Software AG
BMC Software, Inc
Courion Corporation
MaXware International AS
Thor Technologies, Inc
3.3 SECURE ACCESS & AUTHENTICATION VENDORS
Entrust, Inc.
Netegrity
Oblix
RSA Security, Inc
3.4 FEDERATED IDENTITY VENDORS & SERVICE PROVIDERS
Hewlett-Packard
Ping Identity Corporation
M-Tech
Trustgenix
Sxip
ActivIdentity
1.1.1 What is Identity Management?
- Quality of Identity Management
- Provisioning
- Enrollment is independent of provisioning?
- Provisioning vs enrollment
- RA=CA
- “Deprovisioning” = death or key compromise
- DBC
- Separating identity from relationship
- Benefits of using a credential that protects personal assets
- AAA
- Identity Federation & SSO
- Privacy protection
- Ownership of information
- Enrollee owns all
- Enrollee owns all but cookies
- Enroller owns all
- Linkage of ID to PII
- Universal and Pseudonymous
- Universal, not pseudonymous
- Not universal but pseudonymous
- Not universal, not pseudonymous
- Privacy performance to PIPEDA Standards (Canadian Act)
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
- Quality of Enrollment Processes and Standards
- Enrollment officer credentials and qualification
- Latin (Civil) Notary or Tabelio Officer
- ICCAP certified enrollment professional
- Signing agent
- Notary from Class A states & provinces
- Notary from Class B states & provinces
- Qualified administrator
- Non-qualified administrator
- Identity verification
- Source of ID information
- Multiple document + BC
- Two document (DL+Passport)
- Two document (DL or passport + other)
- Single document (DL or passport)
- Method of ID document authentication (additive factors)
- Trained professional
- Good UV machine
- Normal UV light source
- Context software
- ID checking guide
- Untrained ID authenticator
- Credential issuance
- F2F
- Credential issued during enrollment session
- Credential issued later
- Multi channel verification
- Authentify-style callback
- Authentify-style callback with voice biometric
- Certified mail
- Soft token, online, encrypted, signed @ both ends
- Soft token, online, encrypted
- Soft token, online, plaintext
- Domain
- Universal
- Multi-domain but not universal
- Government issued with governmental liabilities
- Employment
- Federated
- Authority
- Public authority
- Global
- National
- State / Provincial
- Regional / Municipal
- Commercial authority
- Matt Blaze quote
- Commercial enterprise can be purchased
- Toysmart example
- Code signing example
- Captive authority
- Attestation
- Oath/Affidavit/Jurat (penalty of perjury enforceable worldwide)
- Form
- Hard
- No biometric
- Biometric on token
- Biometric processing
- Biometric releases crypto key for external processing
- Biometric releases key for processing on token
- Biometric template serves as key
- Type of Biometric
- Fingerprint on token
- Reader technology
- Optical
- Thermoelectric
- Capacitive
- E-field
- Surface pressure
- Soft
- Recognition method
- Minutiae based
- Global pattern match
- Equal error rate
- FAR
- FRR
- Nature
- Asymmetric
- Identifier
- BC public key is identifier; natural name is just an index
- Natural name is identifier that invokes BC public key (IBE)
- Username is identifier
- Key pairs
- Multiple key pairs
- Foundational (“BC”)
- Signing
- Lightweight
- Middleweight
- Two Factors: P&F
- Two Factors: P&P
- Heavyweight
- 3 Factors
- Key Escrow
- Biometric Escrow
- Encryption
- Casual ID
- Key Escrow (important decision)
- No: if lost you’re hosed
- Yes: vulnerabilities
- Single key pair
- Primary identifier
- Quality
- Isolation of private key
- Isolation of OS
- Isolation of fingerprint
- Size of asymmetric key
- Size of symmetric key
- Quality of asymmetric algorithm
- Quality of symmetric algorithm
- Liability assumed by enrollment officer
- Liability assumed by enrollment organization
- Liability assumed by enrollee
- Liability assumed by Principal Relying Party
- Conveyance of trust assertions
- Complete SAML compliance
- Partial SAML compliance
- Other reliable conveyance
- Other conveyance