Identity Management System Requirements
In emerging paradigms of identity systems (such as user-centric identity) there are several distinct properties of the identity attributes that must be maintained. A key property is that of user control. While reasoning about the security and privacy properties of user control, we refer to the OECD countries. The OECD guidelines are widely accepted and they are the cornerstone of fair information practices and regulations designed to protect personal information around the world. In addition, Cameron's Laws of Identity are a recent set of prevalent guidelines regarding digital identity management.[1] They both aim at explaining the successes and failures of digital identity systems. In addition, design principles and rules to achieve several security and dependability properties are included. Figure 7-2 shows the properties of our taxonomy related to user control, illustrated as nodes. Taken together, these basic properties define what we mean by security and privacy in our solution.
Figure 7-2. Taxonomy of user control properties for identity attributes
Basic User Control Properties
The basic properties related to the identity attributes either apply to the entire IdM system, to transactions in the system, or to the identity information and credentials of the entities involved. Although this classification is not exclusive, the semantics of the properties highlight which of the three they are relevant to. Table 7-1 briefly describes these properties.
Table 7-1. Basic Properties Achieving Security and Privacy
Key Requirements for an Identity Management Solution
The key requirements for an identity management system to ensure security and privacy of the identity data are as follows.
Accountability
Accountability refers to an ability to hold entities responsible for their actions in user transactions and for their use of identity information at the service provider and IdP. IdM systems have typically been focused on underpinning the accountability in business relationships and checking adherence to regulatory controls. In user-centric systems, the identity information of a user may be provided via the user's client. Therefore, it is required that, in addition to guaranteeing the integrity of the identity data, there should be accountability in providing such data. Accountability also becomes a significant issue if the user is to stay anonymous, as accountability and anonymity are, per se, contradictory properties. Nevertheless, conditional release of identity information can help in obtaining accountability in anonymous transactions. The eighth OECD accountability principle is devoted to understanding accountability, especially as it relates to privacy.
- [1] msdn.microsoft.com/en-us/library/ms996456.aspx.
