User Provisioning: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors


Published by Emereo Publishing
User provisioning refers to the creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes. User provisioning software may include one or more of the following processes: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers or other recipients of a service. Services may include electronic mail, inclusion in a published user directory, access to a database, access to a network or mainframe, etc. User provisioning is a type of identity management software, particularly useful within organizations where users may be represented by multiple objects on multiple systems.

This book is your ultimate resource for User Provisioning. Here you will find the most up-to-date information, analysis, background and everything you need to know.

In easy-to-read chapters, with extensive references and links that let you learn all there is to know about User Provisioning right away, covering: User provisioning software, BoKS (software), CAPTCHA, Central Authentication Service, Enigform, Local Security Authority Subsystem Service, PassWindow, Radiator RADIUS server, ReCAPTCHA, Security Accounts Manager, Identity management, Windows CardSpace, CCSO Nameserver, Certification on demand, Common Indexing Protocol, Credential, Digital identity, Directory information tree, Directory System Agent, Electronic authentication, Federated identity, Federated identity management, Federated Naming Service, Future of Identity in the Information Society, Group (computing), Identity access management, Identity as a service, Identity assurance, Identity Assurance Framework, Identity change, Identity Governance Framework, Identity intelligence, Identity management system, Identity Management Theory, Identity metasystem, Identity score, Information Card, Information Card Foundation, Liberty Alliance, Scott Mitic, Mobile identity management, Mobile signature, Mobile Signature Roaming, Multi-master replication, Novell Storage Manager, Online identity management, Oracle Identity Management, Organizational Unit, Password management, Password manager, Privacy, Privacy-enhancing technologies, Profiling practices, Service Provisioning Markup Language, Syncope (software), Trombinoscope, User profile, White pages schema, Athens (access and identity management service), Courion Corporation, Forefront Identity Manager, FreeIPA, Hitachi ID Systems, IBM Tivoli Access Manager, IBM Tivoli Identity Manager, Imprivata, Microsoft Identity Integration Server, Novell Identity Manager, OpenPTK, Optimal IdM, Password synchronization, Self-service password reset.

This book explains in-depth the real drivers and workings of User Provisioning. It reduces the risk of your technology, time and resources investment decisions by enabling you to compare your understanding of User Provisioning with the objectivity of experienced professionals.

More info:

Published by: Emereo Publishing on Aug 02, 2011
Copyright:Traditional Copyright: All rights reserved
List Price: $39.95





Contents (with book page numbers)

  • User provisioning software (p. 1)
  • BoKS (software) (p. 4)
  • CAPTCHA (p. 7)
  • Central Authentication Service (p. 12)
  • Enigform (p. 13)
  • Local Security Authority Subsystem Service (p. 14)
  • PassWindow (p. 15)
  • Radiator RADIUS server (p. 16)
  • reCAPTCHA (p. 17)
  • Security Accounts Manager (p. 20)
  • Identity management (p. 21)
  • Windows CardSpace (p. 27)
  • CCSO Nameserver (p. 30)
  • Certification on demand (p. 32)
  • Common Indexing Protocol (p. 32)
  • Credential (p. 33)
  • Digital identity (p. 37)
  • Directory information tree (p. 41)
  • Directory System Agent (p. 42)
  • Electronic authentication (p. 43)
  • Federated identity (p. 45)
  • Federated identity management (p. 45)
  • Federated Naming Service (p. 47)
  • Future of Identity in the Information Society (p. 47)
  • Group (computing) (p. 49)
  • Identity access management (p. 50)
  • Identity as a service (p. 52)
  • Identity assurance (p. 53)
  • Identity Assurance Framework (p. 55)
  • Identity change (p. 58)
  • Identity Governance Framework (p. 59)
  • Identity intelligence (p. 61)
  • Identity management system (p. 62)
  • Identity Management Theory (p. 65)
  • Identity metasystem (p. 66)
  • Identity score (p. 69)
  • Information Card (p. 73)
  • Information Card Foundation (p. 79)
  • Liberty Alliance (p. 80)
  • Scott Mitic (p. 84)
  • Mobile identity management (p. 85)
  • Mobile signature (p. 87)
  • Mobile Signature Roaming (p. 89)
  • Multi-master replication (p. 90)
  • Novell Storage Manager (p. 93)
  • Online identity management (p. 94)
  • Oracle Identity Management (p. 96)
  • Organizational Unit (p. 99)
  • Password management (p. 100)
  • Password manager (p. 100)
  • Privacy (p. 102)
  • Privacy-enhancing technologies (p. 112)
  • Profiling practices (p. 116)
  • Service Provisioning Markup Language (p. 121)
  • Syncope (software) (p. 124)
  • Trombinoscope (p. 126)
  • User profile (p. 127)
  • White pages schema (p. 127)
  • Athens (access and identity management service) (p. 128)
  • Courion Corporation (p. 131)
  • Forefront Identity Manager (p. 134)
  • FreeIPA (p. 135)
  • Hitachi ID Systems (p. 136)
  • IBM Tivoli Access Manager (p. 137)
  • IBM Tivoli Identity Manager (p. 138)
  • Imprivata (p. 138)
  • Microsoft Identity Integration Server (p. 139)
  • Novell Identity Manager (p. 143)
  • OpenPTK (p. 145)
  • Optimal IdM (p. 146)
  • Password synchronization (p. 148)
  • Self-service password reset (p. 149)
  • References: Article Sources and Contributors (p. 152); Image Sources, Licenses and Contributors (p. 156)
  • Article Licenses: License (p. 157)


User Provisioning

Kevin Roebuck

High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors

Topic-relevant selected content from the highest rated entries, typeset, printed and shipped. Combine the advantages of up-to-date and in-depth knowledge with the convenience of printed books. A portion of the proceeds of each book will be donated to the Wikimedia Foundation to support their mission: to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally. The content within this book was generated collaboratively by volunteers. Please be advised that nothing found here has necessarily been reviewed by people with the expertise required to provide you with complete, accurate or reliable information. Some information in this book may be misleading or simply wrong. The publisher does not guarantee the validity of the information found here. If you need specific advice (for example, medical, legal, financial, or risk management) please seek a professional who is licensed or knowledgeable in that area. Sources, licenses and contributors of the articles and images are listed in the section entitled “References”. Parts of the book may be licensed under the GNU Free Documentation License. A copy of this license is included in the section entitled “GNU Free Documentation License”. All used third-party trademarks belong to their respective owners.


User provisioning software

User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple systems and applications. They are a type of identity management system.

Background: Systems, Applications and Users

People are represented by user objects or login accounts on different systems and applications. User objects generally consist of:
  • A unique identifier.
  • A password and/or other authentication factors.
  • A description of the person who has been assigned the user object, principally their name.
  • Contact information for that person, such as their e-mail address, phone numbers, mailing address, etc.
  • Organizational information about that person, such as the ID of their manager, their department or their location.

Note that users need not be able to login to a system or application. The user object may be a record in an HR application or an entry in a phone book system, which the user cannot log into but which nonetheless represents the user.

User objects are generally connected to other parts of a system or application through security entitlements. On most systems, this is done by placing a user into one or more security groups, where users of each group are granted some security rights.

Examples of systems and applications include:
  • LDAP directories, Microsoft Active Directory and Novell eDirectory.
  • E-mail systems such as Microsoft Exchange and Lotus Notes.
  • Operating systems such as Linux, Unix, Solaris, AIX, HP-UX and Windows Server.
  • Mainframe security products such as RAC/F, CA ACF/2 and CA TopSecret.
  • Databases such as Oracle, Microsoft SQL Server, IBM DB2 and MySQL.
  • ERP applications such as SAP R/3, PeopleSoft, JD Edwards, Lawson Financials and Oracle eBusiness Suite.
  • A variety of other, custom or vertical-market systems and applications.

User Lifecycle Processes

Organizations implement business processes to create, manage and delete user objects on their systems and applications:
  • Onboarding:
    • Represents the steps taken when a new employee is hired, a contractor starts work, or a customer or partner is granted access to systems.
    • This term alludes to the process of loading passengers onto a commercial airliner.
  • Management:
    • Users are dynamic: they change names, addresses, responsibilities and more.
    • Changes experienced by users in the physical world must be reflected by user objects on systems and applications.
  • Support:
    • Users sometimes experience problems with systems and applications. They may forget their password or require new security entitlements.
    • User support means changing data about users on systems and applications, for example, to resolve user problems, resetting user passwords and so on.
  • Deactivation:
    • Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed.
    • When users leave (termination, resignation, retirement, end of contract, end of customer relationship, etc.) their access to systems and applications should likewise be deactivated.
    • Incidentally, the term lifecycle does not imply that users who have been deactivated will necessarily be onboarded again. However, this does happen. For example, employees may leave a company and be re-hired later, or contractors may end their contract only to be hired as employees.

User Provisioning Systems

User provisioning systems are intended to help organizations streamline user lifecycle processes so that updates to user objects on their systems and applications can be made:
  • More quickly, so users don't have to wait for changes.
  • More efficiently, to reduce the cost of managing systems and applications in response to user lifecycle events.
  • More securely, to reduce the risk of system compromise due to user objects that have outlived their usefulness, due to inappropriate security entitlements and due to easily guessed or otherwise compromised passwords.

User Provisioning Processes

A user provisioning system may implement one or more processes to achieve the aforementioned goals. These processes may include:
  • Auto-provisioning. For example:
    • Monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
  • Identity synchronization. For example:
    • When changes in a user's e-mail address are detected on a mail system, automatically update the same user's e-mail address on other systems.
    • When changes in a user's name, phone number or mailing address are detected on an HR system, automatically update the same user's e-mail address on other systems.
  • Auto-deactivation. For example:
    • Monitor an HR application and automatically deactivate user objects on other systems and applications when an employee record either disappears or is marked as inactive in the HR database.
    • Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
  • Self-service profile changes. For example:
    • Allow users to update their own contact information.
  • Self-service access requests. For example:
    • Allow users to request access to systems and applications.
  • Delegated access requests. For example:
    • Allow managers to request access to systems and applications on behalf of their direct subordinates.
  • Authorization workflow. For example:
    • Ask business stake-holders to review and either approve or reject proposed changes to user profiles or access rights.
  • Access certification. For example:
    • Periodically ask managers to verify that the list of their direct subordinates (a) are still employed with the organization and (b) still report to them.
    • Periodically ask data or application owners to verify a list of users with access to their data or application.

User Provisioning System Components

A user provisioning system must, in general, include some or all of the following components:
  • Connectors, to read information about users from integrated systems and applications and to send updates (e.g. create new user, delete user, modify user information) back to those systems and applications.
  • An internal database, that tracks user objects and other data from integrated systems and applications.
  • An auto-discovery system, which populates the internal database using the connectors.
  • A user interface where users can review the contents of the internal database, make change requests, approve or reject proposed changes, etc.
  • A workflow engine, used primarily to invite users to review and either approve or reject changes.
  • A policy engine, which evaluates both current user information and proposed changes to see if they meet corporate rules and regulations.
  • A reporting engine, which helps organizations extract information from the internal database.

References
  • Casassa Mont, Marco; Baldwin, Adrian; Shiu, Simon (2009). Identity Analytics: "User Provisioning" Case Study: Using Modelling and Simulation for Policy Decision Support [1]. pp. 49.
  • Hommel, Wolfgang; Schiffers, Michael (2005). Supporting Virtual Organization Lifecycle Management by Dynamic Federated User Provisioning [2]. 2006. pp. 12.
  • Becker, M.; Drew, M. (2005). "Overcoming the challenges in deploying user provisioning/identity access management backbone" [3]. BT Technology Journal 23 (4): 71–79. doi:10.1007/s10550-006-0009-x.
  • Witty, Roberta J. (2003). The Identity and Access Management Market Landscape [4]. pp. 11.
  • Sodhi, Gavenraj (2004). User provisioning with SPML [5]. pp. 86–96.

External links
  • User provisioning best practices [6] (free white paper published by Hitachi ID Systems, Inc.; no registration required)
  • User Provisioning and downstream provisioning [7] from any application or system in your network
  • User provisioning software - Identity Management Frequently asked questions [8]

References
[1] http://www.hpl.hp.com/techreports/2009/HPL-2009-57.pdf
[2] http://www.springerlink.com/content/b54rx62855483632/
[3] http://www85.homepage.villanova.edu/timothy.ay/DIT2160/IdMgt/the_identity_an.pdf
[4] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.6068&rep=rep1&type=pdf
[5] http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VJC-4BXN4BK-9&_user=10&_coverDate=03%2F31%2F2004&_rdoc=1&_fmt=high&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId=1194442730&_rerunOrigin=scholar.google&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=01a0ef109fcca0c8e7f70e0045f20ddb
[6] http://identity-manager.hitachi-id.com/docs/user-provisioning-best-practices.html
[7] http://www.tools4ever.com/solutions/autoprovisioning/
[8] http://www.…/faq_access_and_identity_management_solutions.html (host name not recovered from the source)
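The auto-provisioning, identity synchronization and auto-deactivation processes described above all reduce to one reconciliation step: compare the authoritative HR view with a target system's view and emit the changes a connector must push. The following is an added example written for this page, not code from the book or from any vendor's product; the HR records, the target system (a plain dict standing in for a connector) and the reference date are constructed sample data, and the action names are this example's own.

```python
# Added example (not from the book or any vendor): an HR-driven reconciler
# implementing auto-provisioning, identity synchronization and
# auto-deactivation against one target system. All records are constructed
# sample data; the "target system" dict stands in for a connector.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class HRRecord:
    employee_id: str
    name: str
    email: str
    status: str                               # "active" or "inactive" in HR
    termination_date: Optional[date] = None   # scheduled end, e.g. contractors


@dataclass
class TargetUser:
    employee_id: str
    name: str
    email: str
    enabled: bool = True


def reconcile(hr_records, target_users, today):
    """Compare HR with the target system and return the (action, employee_id,
    detail) tuples a connector would push to the target."""
    actions = []
    hr_ids = {r.employee_id for r in hr_records}
    for rec in hr_records:
        expired = rec.termination_date is not None and rec.termination_date < today
        should_be_active = rec.status == "active" and not expired
        existing = target_users.get(rec.employee_id)
        if existing is None:
            # auto-provisioning: a new HR record with no account on the target
            if should_be_active:
                actions.append(("create", rec.employee_id,
                                {"name": rec.name, "email": rec.email}))
            continue
        if not should_be_active:
            # auto-deactivation: HR record inactive, or its scheduled
            # termination date has passed; disable rather than delete so the
            # audit trail survives
            if existing.enabled:
                actions.append(("deactivate", rec.employee_id,
                                "expired" if expired else "inactive"))
            continue
        # identity synchronization: propagate attribute changes detected in HR
        changes = {}
        if existing.name != rec.name:
            changes["name"] = rec.name
        if existing.email != rec.email:
            changes["email"] = rec.email
        if changes:
            actions.append(("update", rec.employee_id, changes))
        if not existing.enabled:
            # re-hire: a previously deactivated account is onboarded again
            actions.append(("enable", rec.employee_id, "rehired"))
    # orphan accounts: enabled on the target but unknown to HR
    for eid, user in target_users.items():
        if eid not in hr_ids and user.enabled:
            actions.append(("deactivate", eid, "no HR record"))
    return actions


def demo():
    """Constructed sample run covering one case of each process."""
    today = date(2011, 8, 2)
    hr = [
        HRRecord("E1", "Alice Example", "alice@example.com", "active"),    # e-mail changed
        HRRecord("E2", "Bob Example", "bob@example.com", "active"),        # new hire
        HRRecord("E3", "Carol Example", "carol@example.com", "inactive"),  # left
        HRRecord("E4", "Dan Contractor", "dan@example.com", "active",
                 termination_date=date(2011, 7, 1)),                       # contract over
    ]
    target = {
        "E1": TargetUser("E1", "Alice Example", "alice.old@example.com"),
        "E3": TargetUser("E3", "Carol Example", "carol@example.com"),
        "E4": TargetUser("E4", "Dan Contractor", "dan@example.com"),
        "E5": TargetUser("E5", "Eve Orphan", "eve@example.com"),           # not in HR
    }
    return reconcile(hr, target, today)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The orphan pass at the end is what turns the reconciler into a control: an account that exists on the target with no HR record is exactly the "user object that has outlived its usefulness" the text warns about, and it is reported and disabled rather than silently tolerated.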

BoKS (software)

BoKS
Developer(s): FoxT
Stable release: 6.5 … (remaining version digits not recoverable from the source)
Operating system: Cross-platform
Type: computer security
License: Proprietary
Website: www.foxt.com [1]

In computer security, BoKS is a proprietary product for the centralized management of user authentication and authorization (Role-based access control). The name is an abbreviation for the Swedish "Behörighet- och KontrollSystem", which translates as "Legitimacy and Control System". Its full name is "BoKS Access Control for Servers". BoKS was originally designed for use on Unix systems, but has recently been ported to Windows as well.

The product's key features include:[2]
  • Centrally defined access policies for user access to Unix, Linux and Windows servers, including various levels of security for specific (groups of) servers.
  • Real-time provisioning of security policies from a web interface or the command line.
  • Wide range of configuration options.
  • Custom version of OpenSSH which allows fine-grained access control for SSH subsystems such as SFTP, SCP, X11 forwarding and tunneling.
  • Allows for interoperability with directory services such as NIS+ and LDAP.
  • Extensible beyond initial set of supported protocols through the use of Pluggable Authentication Modules.
  • Provides tools for proactive security monitoring.

Operation

A basic BoKS infrastructure consists of one master server, one or more replica servers and any number of client (server or desktop) systems. All communications between these hosts are encrypted and take place over a reserved set of TCP/IP ports.
  • The master server runs the main database and the web interface. Any changes made to accounts, security policies and access routes are all made on the master server.
  • Replica servers contain a copy of the database which is asynchronously updated. Replicas handle most of the authentication and authorization requests sent by servers and desktops. Replicas can also be promoted to master server for the purpose of disaster recovery.

On the server no modifications to the operating system are required when the agent is installed. The BoKS daemons run alongside all the other processes, while certain key components of the environment are exchanged to enable BoKS security. For example, on modern UNIX/Linux platforms (e.g. Solaris, HP-UX, AIX and Linux) PAM is reconfigured in such a way to hand off authentication and authorization requests to the local BoKS daemons, which then communicate with a Replica over the network. On older versions of AIX 4.2 and HP-UX 10.X (now all End of Lifed) that are not fully PAM compliant one usually opts to replace the actual daemons (such as OpenSSH, telnet and ftp) with the FoxT versions which automatically hand over these requests. A similar plug-in experience is used for the BoKS Windows Server agent (e.g. in Server 2008 the BoKS agent is installed as a credential provider).

Once a user attempts to login to a server OS, the daemon in question will ask a BoKS Replica to verify the provided user name and password (or other authenticator, see later), plus its intended target host or hostgroup, at this time and using this access method. If these are found to match, BoKS will perform a second check to see whether the user is actually allowed to login to this particular server. If this second check is passed, the user is handed back to the login process to conclude the session in the usual fashion.

The BoKS configuration may be modified in a number of ways:
  • Through the BoKS web interface.
  • From the Unix command line.
  • By dumping the BoKS database, which is then manually edited and restored (not recommended).
  • Automatic user and group updates from Active Directory and LDAP synchronization.
  • Integration with Role or Identity Managers through APIs.
  • Early versions of BoKS could be configured using a Tivoli/Plus module.[3]

Common implementation assumes that enterprise (or service provider) provisioning workflow approval of identity occurs elsewhere. Typically user IDs and business groups reside in corporate databases (Active Directory or LDAP), identity or role managers, and datafeeds. BoKS becomes an enforcement and compliance reporting engine.

Terminology

The following terms are frequently used in the management of a BoKS infrastructure.

Term: host
Explanation: Any system on the network, be it master, replica, client (server agent) or non-BoKS host.

Term: host group
Explanation: A logical grouping of hosts, which can be used in an access route.

Term: user account
Explanation: A combination of a username, plus its intended target host or host group. Examples of user accounts: server1:root, SOLARIS:peter, ORACLE:patrick.

Term: access route
Explanation: One specific security authorization, assigned to a user account or a user class providing a specific linkage to a host or host group.

Term: user class
Explanation: A role description assigning a set of access routes to a user account.

Term: access method
Explanation: A communications protocol, such as telnet, ftp and SSH. Also includes su and suexec.

Term: program group
Explanation: A logical grouping of commands to be executed through suexec.

A few notes:
  • A unique user account is identified by the combination of its user name and the host or host group for which it has been defined. Multiple occurrences of a user name are allowed, as long as they are defined for different hosts or host groups. One common example is the Unix Root user account, which is always defined on the host level. Thus one can allow server1:root to login only to the console of server1, while allowing SOLARIS:peter SSH access to all servers in host group SOLARIS.
  • A host can be part of any number of host groups, thus receiving all user accounts defined for those groups. For example, server1 may be part of host groups SOLARIS, ORACLE and BACKUPEXEC. This allows for fine-grained control over the provisioning of user accounts to specific servers.
  • A user account may have multiple user classes assigned to it. For example, SOLARIS:Peter may have both the user classes "SolarisThirdLine" and "BackupManagement". This allows one user account to perform work that is officially split across different departments.
  • Access routes can be assigned both to individual users, as well as to user classes.
  • The term "BoKS client" is being replaced in FoxT literature/website and documentation with the more common market term "Server Agent".

Supported protocols

BoKS supports the following protocols: Serial & network port login (UNIX/Linux), console login (UNIX/Linux & Windows), secure RDP (Windows), secure telnet (UNIX/Linux), XDM and SSH (UNIX/Linux & Windows), su, suexec (UNIX/Linux equivalent to sudo), boksrunas (Windows equivalent to runas). Older non-secure protocols (rlogin, rsh, rexec, rex, ftp, telnet) are also supported for legacy purposes, but more typically are set up as banned across your server estate for compliance reasons. Support for PC-NFS has been deprecated.

The SSH protocol may be sub-defined and further split into ssh_sh (shell), ssh_exec (remote command execution), ssh_sftp (SFTP only), ssh_scp (SCP only), ssh_x11 (X11 forwarding), ssh_fwd (local port forwarding), ssh_rfwd (remote port forwarding) and ssh* (all of the above).

Each protocol definition (defined in an Access Route) can be configured to change or require multiple factors of authentication:
  • all: use password authentication
  • all: use X.509 certificate authentication
  • all: use a One Time Password authentication like SecurID or Safeword
  • for su: to use the user's own password to transition to a privileged account
  • for suexec: optionally to keystroke log the session
  • for SSH protocols: SSH keys generated by BoKS, or to re-use existing SSH distributed keys.

A typical use case might be that server support staff are challenged by a SecurID request to login on a server console in the computer room, and use a PKI token on their own PC in their normal work area.

It's possible to plug other protocols into BoKS, though this will require some customization. It's easiest if the software in question has support for Pluggable Authentication Modules, as there is a standard BoKS module for PAM.

History

Over the years the BoKS family of products has changed names and vendors a few times via product acquisition. It originated as BoKS UnixControl at DynaSoft in Sweden, after which it was sold by Security Dynamics, RSA Security (known as Keon), latterly by TFS Technology (known as UnixControl or ServerControl). The company changed its name in 2004 to Fox Technologies Inc. and uses the sales/marketing label FoxT. The individual agent solutions are sold as "BoKS Access Control for Servers", "BoKS Access Control for Desktops", "BoKS Access Control for Applications". Over the years the product has been sold under OEM licenses by other server vendors (HP, SUN) with alternate product names.

External links
• Official BoKS homepage [1]
• International BoKS Users Group [4]
• BoKS tutorials and howtos [5]

References
[1] http://www.foxt.com/
[2] "BoKS Access Control for Servers" (http://www.foxt.com/products/bacs.html).
[3] "Tivoli/Plus for BoKS user's guide" (http://publib.boulder.ibm.com/tividd/td/BKS/BoKS/en_US/PDF/BoKS.pdf).
[4] http://www.boksug.org
[5] http://www.kilala.nl/Sysadmin/index.php?id=699

CAPTCHA
A CAPTCHA (/ˈkæptʃə/) is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are supposedly unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires the user to type letters or digits from a distorted image that appears on the screen.

[Figure: A modern CAPTCHA.]
[Figure: Early CAPTCHAs such as these, generated by the EZ-Gimpy program, were used on Yahoo!. However, technology was developed to read this type of CAPTCHA.[1]]
[Figure: Yahoo's current CAPTCHA format, rather than attempting to create a distorted background and high levels of warping on the text, might focus on making segmentation difficult by adding an angled line.]
[Figure: Another way to make segmentation difficult is to crowd symbols together.]

The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford (all of Carnegie Mellon University). It is a contrived acronym based on the word "capture" and standing for "Completely Automated Public Turing test to tell Computers and Humans Apart". Carnegie Mellon University attempted to trademark the term,[2] but the trademark application was abandoned on 21 April 2008.[3]

Characteristics
A CAPTCHA is a means of automatically generating challenges which intends to:
• Provide a problem easy enough for all humans to solve.

• Prevent standard automated software from filling out a form, unless it is specially designed to circumvent specific CAPTCHA systems.

This has the benefit of distinguishing humans from computers. It also creates an incentive to further develop artificial intelligence of computers. A check box in a form that reads "check this box please" is the simplest (and perhaps least effective) form of a CAPTCHA. CAPTCHAs do not have to rely on difficult problems in artificial intelligence, although they can.

Applications
CAPTCHAs are used in attempts to prevent automated software from performing actions which degrade the quality of service of a given system, whether due to abuse or resource expenditure. CAPTCHAs can be deployed to protect systems vulnerable to e-mail spam, such as the webmail services of Gmail, Hotmail, and Yahoo! Mail. CAPTCHAs are also used to minimize automated posting to blogs, forums and wikis, whether as a result of commercial promotion, or harassment and vandalism.

CAPTCHAs also serve an important function in rate limiting. Automated usage of a service might be desirable until such usage is done to excess and to the detriment of human users. In such cases, administrators can use CAPTCHA to enforce automated usage policies based on given thresholds. The article rating systems used by many news web sites are another example of an online facility vulnerable to manipulation by automated software.[4]

Accessibility
Because CAPTCHAs rely on visual perception, users unable to view a CAPTCHA due to a disability will be unable to perform the task protected by a CAPTCHA. Therefore, sites implementing CAPTCHAs may provide an audio version of the CAPTCHA in addition to the visual method. The official CAPTCHA site recommends providing an audio CAPTCHA for accessibility reasons, but it is not usable for deafblind people or for users of text web browsers. This combination is not universally adopted, with most websites (including Wikipedia) offering only the visual CAPTCHA, with or without providing the option of generating a new image if one is too difficult to read. Even audio and visual CAPTCHAs will require manual intervention for some users, such as those who have disabilities.

Attempts at more accessible CAPTCHAs
There have been various attempts at creating more accessible CAPTCHAs, including the use of JavaScript, mathematical questions ("how much is 1+1") and common sense questions ("what colour is the sky on a clear day"). However, they are not automatically generated and they do not present a new problem or test for each attack. Hence, some types of CAPTCHAs do not meet the criteria for a successful CAPTCHA.

Circumvention
There are several approaches available to defeating CAPTCHAs:
• exploiting bugs in the implementation that allow the attacker to completely bypass the CAPTCHA,
• improving character recognition software, or
• using cheap human labor to process the tests (see below).

Insecure implementation
Like any security system, design flaws in a system implementation can prevent the theoretical security from being realized. Many CAPTCHA implementations, especially those which have not been designed and reviewed by experts in the fields of security, are prone to common attacks.

Some CAPTCHA protection systems can be bypassed without using OCR simply by re-using the session ID of a known CAPTCHA image.[5] A correctly designed CAPTCHA does not allow multiple solution attempts at one CAPTCHA. This prevents the reuse of a correct CAPTCHA solution or making a second guess after an incorrect OCR attempt.

Other CAPTCHA implementations use a hash (such as an MD5 hash) of the solution as a key passed to the client to validate the CAPTCHA. Often the CAPTCHA is of small enough size that this hash could be cracked.[6] Further, the hash could assist an OCR based attempt. A more secure scheme would use an HMAC. Finally, some implementations use only a small fixed pool of CAPTCHA images. Eventually, when enough CAPTCHA image solutions have been collected by an attacker over a period of time, the CAPTCHA can be broken by simply looking up solutions in a table, based on a hash of the challenge image.

Computer character recognition
A number of research projects have attempted (often with success) to beat visual CAPTCHAs by creating programs that contain the following functionality:
1. Pre-processing: Removal of background clutter and noise.
2. Segmentation: Splitting the image into regions which each contain a single character.
3. Classification: Identifying the character in each region.

Steps 1 and 3 are easy tasks for computers.[7] The only step where humans still outperform computers is segmentation. If the background clutter consists of shapes similar to letter shapes, and the letters are connected by this clutter, the segmentation becomes nearly impossible with current software. Hence, an effective CAPTCHA should focus on the segmentation.

Several research projects have broken real world CAPTCHAs, including one of Yahoo's early CAPTCHAs called "EZ-Gimpy"[1] and the CAPTCHA used by popular sites such as PayPal,[8] LiveJournal, phpBB, and other services.[9][10][11] In January 2008 Network Security Research released their program for automated Yahoo! CAPTCHA recognition.[12] Windows Live Hotmail and Gmail, the other two major free email providers, were cracked shortly after.[13][14] In February 2008 it was reported that spammers had achieved a success rate of 30% to 35%, using a bot, in responding to CAPTCHAs for Microsoft's Live Mail service[15] and a success rate of 20% against Google's Gmail CAPTCHA.[16] A Newcastle University research team has defeated the segmentation part of Microsoft's CAPTCHA with a 90% success rate, and claims that this could lead to a complete crack with a greater than 60% rate.[17]

Human solvers
CAPTCHA is vulnerable to a relay attack that uses humans to solve the puzzles. One approach involves relaying the puzzles to a group of human operators who can solve CAPTCHAs. In this scheme, a computer fills out a form and when it reaches a CAPTCHA, it gives the CAPTCHA to the human operator to solve. Spammers pay about $0.80 to $1.20 for each 1,000 solved CAPTCHAs to companies employing human solvers in Bangladesh, China, India, and many other developing nations.[18] Other sources cite a price tag of as low as $0.50 for each 1,000 solved.[19]

Another approach involves copying the CAPTCHA images and using them as CAPTCHAs for a high-traffic site owned by the attacker. With enough traffic, the attacker can get a solution to the CAPTCHA puzzle in time to relay it back to the target site.[20] In October 2007, a piece of malware appeared in the wild which enticed users to solve CAPTCHAs in order to see progressively further into a series of striptease images.[21][22] A more recent view is that this is unlikely to work due to unavailability of high-traffic sites and competition by similar sites.[23]

These methods have been used by spammers to set up thousands of accounts on free email services such as Gmail and Yahoo!.[24] Since Gmail and Yahoo! are unlikely to be blacklisted by anti-spam systems, spam sent through these compromised accounts is less likely to be blocked.
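The "Insecure implementation" section names three server-side mistakes: a reusable session or token, a client-visible hash of the solution, and acceptance of repeated guesses. The following added example (written for this page, not code from any CAPTCHA library) puts the weak design beside a hardened one. The weak half shows that an MD5-of-solution token verifies forever; the hardened half keeps the solution on the server, hands the client only an opaque id plus an HMAC that binds the id, a digest of the challenge image and an expiry, and consumes the challenge on the first attempt, right or wrong. `SERVER_KEY`, the function names and the in-memory `_pending` store are assumptions for illustration; a real deployment would persist the store and rotate the key.

```python
"""Constructed CAPTCHA token handling: the weak pattern the article describes
next to an HMAC-based, single-attempt design. Illustration only."""
import hashlib
import hmac
import secrets
import time

# Assumed persistent server secret; generated fresh here so the demo runs offline.
SERVER_KEY = secrets.token_bytes(32)


# --- Weak design: md5(solution) is sent to the client as the "key" -----------
def weak_issue(solution):
    return hashlib.md5(solution.encode()).hexdigest()


def weak_verify(answer, token):
    # Stateless: nothing stops the same token/answer pair being replayed, and
    # a short alphanumeric solution space is small enough to crack offline.
    return hashlib.md5(answer.encode()).hexdigest() == token


# --- Hardened design ----------------------------------------------------------
_pending = {}  # challenge_id -> (solution, expires_at); assumed server-side store


def _tag(cid, image_bytes, expires):
    """HMAC over id, image digest and expiry; no solution material leaves the server."""
    msg = f"{cid}|{hashlib.sha256(image_bytes).hexdigest()}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(solution, image_bytes, ttl=300, now=None):
    """Return (challenge_id, expires_at, tag) for the client; keep the solution here."""
    now = time.time() if now is None else now
    cid = secrets.token_hex(16)          # unpredictable, so ids cannot be guessed
    expires = int(now + ttl)
    _pending[cid] = (solution, expires)
    return cid, expires, _tag(cid, image_bytes, expires)


def verify_challenge(cid, expires, tag, image_bytes, answer, now=None):
    """One attempt per challenge: the pending entry is removed whether the
    answer is right or wrong, so neither replay nor a second guess succeeds."""
    now = time.time() if now is None else now
    # Check the tag BEFORE touching state: a forged tag must not be able to
    # burn a legitimate user's pending challenge.
    if not hmac.compare_digest(_tag(cid, image_bytes, expires), tag):
        return False
    entry = _pending.pop(cid, None)
    if entry is None or now > entry[1]:
        return False
    solution, _ = entry
    return hmac.compare_digest(solution.lower(), answer.lower())
```

Note the order of checks in `verify_challenge`: the HMAC is validated before the pending entry is consumed, otherwise anyone who learned a challenge id could invalidate it with a junk tag.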

Legal concerns
The circumvention of CAPTCHAs may violate the anti-circumvention clause of the Digital Millennium Copyright Act (DMCA) in the United States. In 2007, Ticketmaster sued software maker RMG Technologies[25] for its product which circumvented the ticket seller's CAPTCHAs on the basis that it violated the anti-circumvention clause of the DMCA. In October 2007, an injunction was issued stating that Ticketmaster would likely succeed in making its case.[26] In June 2008, Ticketmaster filed for default judgment against RMG. The Court granted Ticketmaster the default and entered an $18.2M judgment in favor of Ticketmaster.

Image-recognition CAPTCHAs
Some researchers promote image recognition CAPTCHAs as a possible alternative for text-based CAPTCHAs. Many users of the phpBB forum software (which has suffered greatly from spam) have implemented an open source image recognition CAPTCHA system in the form of an addon called KittenAuth,[27] which in its default form presents a question requiring the user to select a stated type of animal from an array of thumbnail images of assorted animals. The images (and the challenge questions) can be customized, for example to present questions and images which would be easily answered by the forum's target userbase.

Image recognition CAPTCHAs face many potential problems which have not been fully studied. It is difficult for a small site to acquire a large dictionary of images which an attacker does not have access to, and without a means of automatically acquiring new labelled images, an image based challenge does not usually meet the definition of a CAPTCHA. KittenAuth, by default, only had 42 images in its database. Microsoft's "Asirra," which it is providing as a free web service, attempts to address this by means of Microsoft Research's partnership with Petfinder.com, which has provided it with more than three million images of cats and dogs, classified by people at thousands of US animal shelters.[28] Researchers claim to have written a program that can break the Microsoft Asirra CAPTCHA.[29]

Human solvers are a potential weakness for strategies such as Asirra. If the database of cat and dog photos can be downloaded, then paying workers $0.01 to classify each photo as either a dog or a cat means that almost the entire database of photos can be deciphered for $30,000. Photos that are subsequently added to the Asirra database are then a relatively small data set that can be classified as they first appear.

The IMAGINATION CAPTCHA, however, uses a sequence of randomized distortions on the original images to create the CAPTCHA images. Its original images can be made public without risking image-retrieval or image-annotation based attacks. Computer-based recognition algorithms require the extraction of color, texture, shape, or special point features, which cannot be correctly extracted after the designed distortions. However, humans can still recognize the original concept depicted in the images even with these distortions. Generally speaking, causing minor changes to images each time they appear will not prevent a computer from recognizing a repeated image, as there are robust image comparator functions (e.g., image hashes, color histograms) that are insensitive to many simple image distortions. Warping an image sufficiently to fool a computer will likely also be troublesome to a human.

Researchers at Google used image orientation and collaborative filtering as a CAPTCHA. Images were pre-screened to be determined to be difficult to detect "up" (e.g., no faces, no skies, no text). Images were also collaboratively filtered by showing a "candidate" image along with good images for the person to rotate. If there was a large variance in answers for the candidate image, it was deemed too hard for people as well and discarded. People know what "up" is but computers have a difficult time for a broad range of images.[30][31]

A recent example of image recognition CAPTCHA is to present the website visitor with a grid of random pictures and instruct the visitor to click on specific pictures to verify that they are not a bot (such as "Click on the pictures of the airplane, the boat and the clock"). RapidShare free users, for a time, had to get past a CAPTCHA where they had to enter only the letters attached to a cat, while others were attached to dogs.[32] This was later removed because (legitimate) users had trouble entering the correct letters.

Currently, CAPTCHA creators recommend use of reCAPTCHA as the official implementation.[33] In September 2009, Google acquired reCAPTCHA to aid their book digitization efforts.[34] However, as reported in August 2010, this CAPTCHA has been cracked with a 30% success rate.[35]

References
[1] Mori, Greg; Malik, Jitendra. "Breaking a Visual CAPTCHA" (http://www.cs.sfu.ca/~mori/research/gimpy/). School of Computing Science, Simon Fraser University. Retrieved 2008-12-21.
[2] Grossman, Lev (2008-06-05). "Computer Literacy Tests: Are You Human?" (http://www.time.com/time/magazine/article/0,9171,1812084,00.html). Time (magazine). Retrieved 2008-06-12. "The Carnegie Mellon team came back with the CAPTCHA. (It stands for "completely automated public Turing test to tell computers and humans apart"; no, the acronym doesn't really fit.) The point of the CAPTCHA is that reading those swirly letters is something that computers aren't very good at."
[3] "Latest Status of CAPTCHA Trademark Application" (http://tarr.uspto.gov/servlet/tarr?regser=serial&entry=78500434). USPTO. 2008-04-21. Retrieved 2008-12-21.
[4] Amrinder Arora (2007). "Statistics Hacking — Exploiting Vulnerabilities in News Websites" (http://paper.ijcsns.org/07_book/200703/20070348.pdf). International Journal of Computer Science and Network Security 7: 342–347.
[5] "Breaking CAPTCHAs Without Using OCR" (http://www.puremango.co.uk/cm_breaking_captcha_115.php). Howard Yeend (pureMango.co.uk). Retrieved 2006-08-22.
[6] "Online services allow MD5 hashes to be cracked" (http://milw0rm.com/cracker/list.php). Retrieved 2006-08-02.
[7] Kumar Chellapilla, Kevin Larson, Patrice Simard, Mary Czerwinski (2005) (PDF). Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs) (http://web.archive.org/web/20060613111749/http://www.ceas.cc/papers-2005/160.pdf). Microsoft Research. Archived from the original (http://www.ceas.cc/papers-2005/160.pdf) on 2006-06-13. Retrieved 2008-12-21.
[8] Kluever, Kurt (May 12, 2008). "Breaking the PayPal CAPTCHA" (http://www.kloover.com/2008/05/12/breaking-the-paypalcom-captcha/). Kloover.com. Retrieved 2008-12-21.
[9] Kluever, Kurt (February 28, 2008). "Breaking ASP Security Image Generator" (http://www.kloover.com/2008/02/28/breaking-the-asp-security-image-generator/). Kloover.com. Retrieved 2008-12-21.
[10] Hocevar, Sam. "PWNtcha - captcha decoder" (http://sam.zoy.org/pwntcha/). sam.zoy.org. Retrieved 2008-12-21.
[11] Kruglov, Sergei. "Defeating of some weak CAPTCHAs" (http://www.captcha.ru/en/breakings/). Captcha.ru. Retrieved 2008-12-21.
[12] "Network Security Research and AI" (http://network-security-research.blogspot.com/). Retrieved 2011-03-22.
[13] Dawson (2008-04-15). "Gmail CAPTCHA Cracked" (http://it.slashdot.org/article.pl?sid=08/04/15/1941236&from=rss). Slashdot (SourceForge). Retrieved 2008-12-21.
[14] Dawson (2008-02-26). "Windows Live Hotmail CAPTCHA Cracked, Exploited" (http://tech.slashdot.org/article.pl?sid=08/02/27/0045242). Slashdot (SourceForge). Retrieved 2008-12-21.
[15] Gregg Keizer. "Spammers' bot cracks Microsoft's CAPTCHA: Bot beats Windows Live Mail's registration test 30% to 35% of the time, says Websense" (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061558). Computerworld. February 7, 2008.
[16] Prasad, Sumeet (2008-02-22). "Google's CAPTCHA busted in recent spammer tactics" (http://web.archive.org/web/20080822032312/http://www.websense.com/securitylabs/blog/blog.php?BlogID=174). Websense. Archived from the original (http://www.websense.com/securitylabs/blog/blog.php?BlogID=174) on 2008-08-22. Retrieved 2008-04-16.
[17] Jeff Yan, Ahmad Salah El Ahmad (April 13, 2008) (PDF). A Low-cost Attack on a Microsoft CAPTCHA (http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf). Newcastle University, UK. Retrieved 2008-04-16.
[18] Bajaj, Vikas (April 25, 2010). "Spammers Pay Others to Answer Security Tests" (http://www.nytimes.com/2010/04/26/technology/26captcha.html?src=me&ref=technology). The New York Times. Retrieved 2010-04-28.
[19] M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G.M. Voelker, and S. Savage. "Re: CAPTCHAs: understanding CAPTCHA-solving services in an economic context" (cseweb.ucsd.edu/~klevchen/mlkmvs-usesec10.pdf). University of California, San Diego. Retrieved 17 March 2011.
[20] Doctorow, Cory (2004-01-27). "Solving and creating CAPTCHAs with free porn" (http://www.boingboing.net/2004/01/27/solving_and_creating.html). Boing Boing. Retrieved 2007-01-04.
[21] Robertson, Jordan (2007-11-01). "Scams Use Striptease to Break Web Traps" (http://web.archive.org/web/20071106170737/http://ap.google.com/article/ALeqM5jnNrQKxFzt7mPu3DZcP7_UWr8UfwD8SKE6Q80). Associated Press. Archived from the original (http://ap.google.com/article/ALeqM5jnNrQKxFzt7mPu3DZcP7_UWr8UfwD8SKE6Q80) on 2007-11-06. Retrieved 2008-12-21.
[22] Vaas, Lisa (2007-11-01). "Striptease Used to Recruit Help in Cracking Sites" (http://www.pcmag.com/article2/0,2704,2210674,00.asp). PC Magazine. Retrieved 2008-12-21.
[23] "Captcha.net" (http://www.captcha.net/). Captcha.net. Retrieved 2008-12-21.
[24] "Spam filtering services throttle Gmail to fight spammers" (http://www.theregister.co.uk/2008/04/10/web_mail_throttled/). 2008-04-10. Retrieved 2008-04-10.

[25] Ulanoff, Lance (October 31, 2007). "Deep-Sixing CAPTCHA" (http://www.pcmag.com/article2/0,2704,2209782,00.asp). PC Magazine. Ziff Davis Media. Retrieved 2007-12-12.
[26] "TicketMaster v. RMG" (http://www.scribd.com/doc/404395/ticketmaster-v-rmg). Retrieved 2008-12-21.
[27] The Cutest Human-Test: KittenAuth (http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth) from ThePCSpy.com.
[28] Asirra (http://research.microsoft.com/asirra/) from Microsoft Research.
[29] Golle, Philippe. Machine Learning Attacks Against the Asirra CAPTCHA (http://crypto.stanford.edu/~pgolle/papers/dogcat.pdf). Stanford Crypto.
[30] Asirra: A CAPTCHA that Exploits Interest-Aligned Manual Image Categorization (http://research.microsoft.com/asirra/papers/CCS2007.pdf) from Microsoft Research (PDF).
[31] What's Up CAPTCHA? A CAPTCHA Based On Image Orientation from WWW'09 (http://www.richgossweiler.com/projects/rotcaptcha/rotcaptcha.pdf) by Rich Gossweiler, Maryam Kamvar, and Shumeet Baluja.
[32] David (June 4, 2008). "Attached to a Captcha" (http://www.randomwire.com/2008/06/04/attached-to-a-captcha/). randomwire.com. Retrieved 2008-12-21.
[33] "CAPTCHA homepage" (http://www.captcha.net/). Captcha.net. Retrieved 2009-09-16.
[34] "Teaching computers to read: Google acquires reCAPTCHA" (http://googleblog.blogspot.com/2009/09/teaching-computers-to-read-google.html). 2009. Retrieved 2009-12-04.
[35] Darkreading.com (http://www.darkreading.com/authentication/security/vulnerabilities/showArticle.jhtml?articleID=226700514&cid=RSSfeed).

External links
• Definition of CAPTCHA from Wiktionary

Central Authentication Service
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

Description
The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.

When the client visits an application desiring to authenticate to it, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos or Active Directory). If the authentication succeeds, CAS returns the client to the application, passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.

CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can all implement CAS.
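The three-party exchange in the description above, as an added simulation written for this page (it is not Jasig's CAS code and does not speak the real CAS wire protocol). The browser sends its password only to the CAS server; the application receives a service ticket on the redirect and learns the username solely by validating that ticket with its own service identifier. The ticket prefix `ST-`, the in-memory user table standing in for Kerberos or Active Directory, the ten-second lifetime and the class and method names are assumptions for illustration.

```python
"""Constructed simulation of the CAS single sign-on exchange (illustration,
not the Jasig implementation). Parties: browser, application, CAS server."""
import hmac
import secrets


class CASServer:
    def __init__(self, users, ticket_ttl=10):
        self._users = users        # username -> password; stand-in for Kerberos/AD
        self._tickets = {}         # ticket -> (service_id, username, issued_at)
        self.ticket_ttl = ticket_ttl

    def login(self, service_id, username, password, now):
        """Step 2: CAS checks the credential itself; the application never sees it.
        On success CAS issues a ticket bound to the requesting service."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)   # unguessable, single-use
        self._tickets[ticket] = (service_id, username, now)
        return ticket

    def validate(self, service_id, ticket, now):
        """Step 4: the application presents its service id and the ticket over a
        secure channel; CAS answers with the username or None. The ticket is
        consumed whether or not validation succeeds, so it cannot be replayed."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        bound_service, username, issued_at = entry
        if bound_service != service_id:       # ticket minted for another application
            return None
        if now - issued_at > self.ticket_ttl:  # stale ticket
            return None
        return username


class Application:
    def __init__(self, service_id, cas):
        self.service_id = service_id
        self.cas = cas
        self.sessions = {}   # session id -> username, established only via CAS

    def receive_redirect(self, ticket, now):
        """Step 3/4: the browser comes back carrying the ticket; the app
        validates it and, on success, opens a local session."""
        username = self.cas.validate(self.service_id, ticket, now)
        if username is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid


def single_sign_on(cas, app, username, password, now):
    """Full exchange from the browser's point of view; returns the username the
    application ends up trusting, or None."""
    ticket = cas.login(app.service_id, username, password, now)   # browser -> CAS
    if ticket is None:
        return None
    sid = app.receive_redirect(ticket, now)                        # browser -> app
    return None if sid is None else app.sessions[sid]
```

The two checks inside `validate` are the ones that matter for a deployment: binding the ticket to the service id stops one application from redeeming a ticket issued for another, and popping the ticket on first use stops a captured redirect URL from being replayed.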

History
CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning.[1] It was later maintained by Drew Mazurek at Yale. CAS 1.0 implemented single-sign-on. CAS 2.0 introduced multitier proxy authentication. Several other CAS distributions have been developed with new features.

In December 2004, CAS became a project of the Java Architectures Special Interest Group,[2] which as of 2008 is responsible for its maintenance and development. Formerly called "Yale CAS", CAS is now also known as "Jasig CAS". In December 2006, the Andrew W. Mellon Foundation awarded Yale its First Annual Mellon Award for Technology Collaboration, in the amount of $50,000, for Yale's development of CAS.[3] At the time of that award CAS was in use at "hundreds of university campuses (among other beneficiaries)".

References
[1] http://tp.its.yale.edu/
[2] JASIG press release (http://www.ja-sig.org/cas-press-release.html).
[3] Mellon press release (http://rit.mellon.org/awards/matcpressrelease.pdf).

External links
• Jasig CAS Home Page (http://www.jasig.org/cas)
• CAS Clients and Related Documentation (http://www.ja-sig.org/wiki/display/CASC/Home)
• CAS 1.0 and 2.0 Protocol Specification (http://www.jasig.org/cas/protocol)
• CAS consumer/provider software (https://web2py.com/cas) for web2py (http://www.web2py.com)
• RubyCAS Server and Client (http://code.google.com/p/rubycas-server/)

Enigform
Enigform is a Mozilla Firefox extension authored by Arturo 'Buanzo' Busleiman which uses GnuPG to implement OpenPGP-signed HTTP requests. In this instance, requests are form submissions to web servers. Guaranteeing the identity of a requester and the integrity of the request, through the use of digital signatures, is Enigform's primary goal. Some people believe it to be an alternative to the Secure Sockets Layer method for encrypting Hypertext Transfer Protocol (HTTP) connections. However, the author never had such an intention in mind. As of June 2007, OpenPGP encryption is being implemented. Apache HTTP server support via the mod_openpgp module currently supports request verification.

The project got its initial funding from OWASP in 2007. Enigform was declared a Finalist in the Security category of Les Trophees du Libre, Cetril, France, and was awarded the second prize. As of May 13th, 2009, the author has not received the prize money from the Les Trophees du Libre parent company, and it seems the company has vanished. Vinton Cerf said of Enigform and mod_openpgp: "[this] strikes me as a really interesting idea and I hope you (Buanzo) will pursue it with the W3C." (February 18, 2008).

As of September 2, 2008, Enigform was granted Trusted status on the Addons.Mozilla.Org website.[1] On March 9, 2009, Buanzo committed to the mod_openpgp Subversion repository a Wordpress plugin (wp-enigform-authentication) that enables Enigform-based login to a Wordpress blog admin/user interface.[2] On April 23rd, 2010, a secure instant messaging system based on Enigform and HTTPS was announced during the OWASP Ibero-American Web-Application Security Conference.

External links
• Enigform's Website on Mozdev.org [3]
• Enigform Extension for Firefox [4]
• Interview with Enigform's developer, Arturo "Buanzo" Busleiman [5]
• Enigform: The Definitive Guide [6]
• Wordpress Enigform Authentication Plugin [7]
• Guide for Installing GnuPG and Enigform on Windows [8]
• Enigform at OWASP Projects [9]

References
[1] "Enigform granted Trusted Status in addons.mozilla.org" (http://blogs.buanzo.com.ar/2008/09/enigform-granted-trusted-status-in-addonsmozillaorg.html). Buanzo. 2008-09-02.
[2] "Enigform for Wordpress twit" (http://twitter.com/buanzo/status/1301587617). Buanzo. 2009-03-09.
[3] http://enigform.mozdev.org/
[4] https://addons.mozilla.org/en-US/firefox/addon/4531
[5] http://www.freesoftwaremagazine.com/blogs/interview_with_arturo_busleiman
[6] http://wiki.buanzo.org/index.php?n=Main.Wp-enigform-authentication
[7] http://wordpress.org/extend/plugins/wp-enigform-authentication/
[8] http://wiki.buanzo.org/index.php?n=Main.Enigform-on-windows-installation
[9] http://www.owasp.org/index.php/Category:OWASP_OpenPGP_Extensions_for_HTTP_-_Enigform_and_mod_openpgp

Local Security Authority Subsystem Service
Local Security Authority Subsystem Service (LSASS), lsass.exe, is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log. Forcible termination of lsass.exe will result in the Welcome screen losing its accounts, prompting a restart of the machine.

External links
• MS identity management [1]
• ProcessLibrary.com lsass.exe info [2]
• FileInspect detailed lsass.exe information [3]
• What Is Process lsass.exe information [4]
• User experiences and ratings of lsass.exe [5]

References
[1] http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/p2pass_1.mspx
[2] http://www.processlibrary.com/directory/files/lsass/
[3] http://www.fileinspect.com/fileinfo/lsass-exe/
[4] http://whatisprocess.com/lsass-exe/16/
[5] http://www.neuber.com/taskmanager/process/lsass.exe.html

PassWindow
PassWindow is a technique of producing one-time passwords and facilitating transaction verification that is used as an online second-factor authentication method. PassWindow was invented by Australian Matthew Walker in 2006.

The system works by encoding digits into a segment matrix similar to the seven-segment matrices used in digital displays. The matrix is then divided into two component patterns that reveal the whole when superimposed. Half of the pattern is printed on a transparent region of a plastic card, while the other is displayed on an electronic screen such as a computer monitor. These are referred to as the key pattern and challenge pattern, respectively. Each key pattern is unique, and the challenge pattern can only be decoded by its corresponding printed key. By varying the challenge pattern displayed on the screen, a series of digits can be communicated to the card holder without being visually revealed on the screen. These digits are then used as a one-time password.

[Figure: PassWindow key and challenge example]

PassWindow is typically implemented such that an animated, perpetually looping sequence of challenge patterns is displayed, each encoding a single digit placed in a random location within the matrix. A valid solution to this challenge then consists of a specified number of consecutively-appearing digits. Transaction verification is accomplished by including specific transaction information encoded within the challenge pattern along with the unique authentication digits.

Media appearances
• PassWindow first appeared in the media in May 2009 as a 'Cheap solution for security' on account of its ability to securely produce one-time passwords without the need for electronics to be deployed to its end users.[1]
• PassWindow's inventor, Matthew Walker, appeared on the Australian television program The New Inventors in June 2009.[2]
• PassWindow has since appeared several times in the media,[3][4] as well as being the subject of a white paper written by VEST corporation.[5]
• PassWindow has been selected as a finalist in The Wall Street Journal 2010 Asian Innovation Awards.[6]
• PassWindow has been featured in The Wall Street Journal as "A New Way to Outwit Internet Fraudsters".[7]
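To make the key-pattern / challenge-pattern split concrete, here is an added toy model written for this page; it is not PassWindow's algorithm, which the page does not describe at that level, and the cell layout, key density and decoy rule are assumptions. A printed key is a row of cells, each holding a random non-empty subset of the seven segments. To send a digit, the server picks a cell whose key segments all lie inside that digit, puts the remaining segments of the digit on screen in that cell, and fills every other cell with decoy segments that do not form a digit when overlaid on that cell's key. The card holder overlays the card (union of segments per cell) and reads the one cell that shows a valid digit.

```python
"""Constructed split-pattern OTP model in the spirit of the section above
(illustration only, not the PassWindow encoding). Segments a..g are bits 0..6."""
import random

SEGMENTS = {
    "0": "abcdef", "1": "bc",     "2": "abdeg", "3": "abcdg", "4": "bcfg",
    "5": "acdfg",  "6": "acdefg", "7": "abc",   "8": "abcdefg", "9": "abcdfg",
}


def mask(segs):
    return sum(1 << (ord(s) - ord("a")) for s in segs)


DIGIT_MASKS = {d: mask(s) for d, s in SEGMENTS.items()}
MASK_TO_DIGIT = {m: d for d, m in DIGIT_MASKS.items()}


def make_key(cells, rng, density=0.3):
    """Printed key pattern: one random, non-empty segment subset per cell.
    Non-empty so the digit is never shown on screen in the clear (assumed rule)."""
    key = []
    for _ in range(cells):
        m = 0
        while m == 0:
            m = sum(1 << i for i in range(7) if rng.random() < density)
        key.append(m)
    return key


def encode(key, digit, rng):
    """Build one challenge frame that carries `digit` in a random compatible cell."""
    target = DIGIT_MASKS[digit]
    # A cell is usable only if all of its key segments belong to the digit.
    candidates = [i for i, k in enumerate(key) if k & ~target == 0]
    if not candidates:
        raise ValueError("key has no cell compatible with this digit")
    cell = rng.choice(candidates)
    frame = []
    for i, k in enumerate(key):
        if i == cell:
            frame.append(target & ~k)        # screen shows only what the key lacks
        else:
            while True:                      # decoy: key | decoy must not be a digit
                decoy = rng.randrange(128)
                if (decoy | k) not in MASK_TO_DIGIT:
                    break
            frame.append(decoy)
    return frame


def decode(key, frame):
    """What the card holder sees: per-cell union of key and screen segments.
    Exactly one cell forms a digit; anything else means key and frame mismatch."""
    found = [MASK_TO_DIGIT[k | f] for k, f in zip(key, frame) if (k | f) in MASK_TO_DIGIT]
    return found[0] if len(found) == 1 else None


def encode_otp(key, digits, rng):
    """One frame per OTP digit, as in the looping animation the article describes."""
    return [encode(key, d, rng) for d in digits]


def decode_otp(key, frames):
    out = [decode(key, f) for f in frames]
    return None if any(d is None for d in out) else "".join(out)
```

The model shows the property the section states, that a frame is meaningful only against its own key: with the right card the union in one cell is a clean digit and every other cell is a non-digit shape; with any other card the unions are arbitrary and the reader has no way to tell which cell is the carrier.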

References
[1] K. Dearne. "Cheap solution for security" (http://www.theaustralian.com.au/australian-it/cheap-solution-for-security/story-e6frgalo-1225716033700). The Australian, 26 May 2009. Retrieved on 2010-05-01.
[2] The New Inventors, Episode 24, 2009 (http://www.abc.net.au/tv/newinventors/txt/s2622746.htm). Presenter: James O'Loghlin. ABC1, Brisbane, Australia, 2009-06-15. Retrieved on 2010-05-02.
[3] Walker, Matthew. Interview with Desley Blanch. "Low-Cost Visual Authentication System - PassWindow" (http://www.abc.net.au/ra/innovations/stories/s2715207.htm). Innovations (http://www.abc.net.au/ra/innovations/), ABC Radio Australia, 2009-10-02. Retrieved on 2010-05-02.
[4] Kassner, Michael (31 August 2009). "PassWindow: A brand new Web-site authentication process" (http://blogs.techrepublic.com.com/security/?p=2271). Tech Republic. Retrieved on 2010-05-02.
[5] S. O'Neil and P. Lock (2009). "PassWindow: A New Solution to Providing Second Factor Authentication" (http://vest.fr/PassWindow_Analysis.pdf). Retrieved on 2010-06-30.
[6] The Wall Street Journal. "2010 Asian Innovation Awards" (http://online.wsj.com/public/resources/documents/info-enlargePic07.html?project=imageShell07&bigImage=AK-AK279_AIAlist.gif&h=800&w=644&title=WSJ.COM&thePubDate=20100514). Retrieved on 2010-07-14.
[7] The Wall Street Journal. "A New Way to Outwit Internet Fraudsters" (http://online.wsj.com/article/SB10001424052748704111704575355573300913824.html). Retrieved on 2010-07-14.

External links
• The official PassWindow website (http://www.passwindow.com/)

Radiator RADIUS server
Radiator RADIUS Server is a product of Open System Consultants Pty Limited. It provides authentication, authorisation and accounting (AAA protocol) access to computer networks using the RADIUS protocol (Remote Authentication Dial In User Service). Radiator was first released in January 1998.

Program specifications

Platforms
Radiator RADIUS server runs on many different platforms, including:
• Any Unix, including Linux distributions (Red Hat, Debian, SuSE, Mandrake, Slackware, Lindows, Ubuntu etc. on Intel, PPC, Sparc, HP-PA etc.), Solaris (operating system) 10 (Intel and Sparc), SunOS, FreeBSD, NetBSD, AIX, IRIX, SCO OpenServer, Digital Equipment Corporation, HP-UX
• Windows Server, Windows NT, Windows XP, Windows Vista, Windows 95, Windows 98, Windows 2000
• Mac OS X and Mac OS X Server
• Novell Open Enterprise Server
• OpenVMS

System requirements
• Perl 5.005 or better (ActivePerl from ActiveState on Windows; Linux, Solaris & Mac OS X)
• Perl Digest-MD5 module version 2.12 or better
• Operating system platform of your choice (see above)

Real-world use
Juniper Networks lists the OCS Radiator server software as an RFC 2865 and RFC 2866 compliant RADIUS implementation suitable for use with their Service Deployment System (SDX).[1]

References
[1] "Restrictions and Recommendations" (http://www.juniper.net/techpubs/software/management/sdx/sdx71x/sw-rn-sdx710/html/sw-rn-sdx710-body12.html#413361). Retrieved 28 Aug. 2009.
• Hassell, Jonathan (2003). RADIUS: Securing Public Access to Private Resources (http://www.oreilly.com/catalog/radius/). O'Reilly & Associates.

External links
• http://www.open.com.au/radiator
• http://www.radiusexpert.com/

reCAPTCHA

reCAPTCHA is a system originally developed at Carnegie Mellon University that uses CAPTCHA to help digitize the text of books while protecting websites from bots attempting to access restricted areas.[1] On September 16, 2009, Google acquired reCAPTCHA.[2]

(Image caption: The reCAPTCHA logo.)

reCAPTCHA supplies subscribing websites with images of words that optical character recognition (OCR) software has been unable to read. The subscribing websites (whose purposes are generally unrelated to the book digitization project) present these images for humans to decipher as CAPTCHA words, as part of their normal validation procedures. They then return the results to the reCAPTCHA service, which sends the results to the digitization projects.

reCAPTCHA is currently digitizing the archives of The New York Times.[3] Twenty years of The New York Times have been digitized and the project planned to have completed the remaining years by the end of 2010.[4]

The system is reported to display over 100 million CAPTCHAs every day,[5] and among its subscribers are such popular sites as Facebook, TicketMaster, Twitter, 4chan, CNN.com and StumbleUpon.[6] Craigslist began using reCAPTCHA in June 2008.[7] The U.S. National Telecommunications and Information Administration also used reCAPTCHA for its digital TV converter box coupon program website as part of the US DTV transition.[8]

Origin
The reCAPTCHA program originated with Guatemalan computer scientist Luis von Ahn, aided by a MacArthur Fellowship. An early CAPTCHA developer, he realized "he had unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles."[9]

Operation
Scanned text is subjected to analysis by two different optical character recognition programs; in cases where the programs disagree, the questionable word is converted into a CAPTCHA. The word is displayed along with a control word already known. The system assumes that if the human types the control word correctly, the questionable word is also correct. The identification performed by each OCR program is given a value of 0.5 points, and each interpretation by a human is given a full point. Once a given identification hits 2.5 votes, the word is considered called, i.e. that identification is accepted. Those words that are consistently given a single identity by human judges are recycled as control words.

(Image caption: An example of a reCAPTCHA challenge from 2007, containing the words "following finding".)

(Image caption: An example of a reCAPTCHA challenge from 2010, containing the words "and chisels". The distortion style has been altered. The waviness and horizontal stroke have been added to increase the difficulty of breaking the CAPTCHA with a computer program.)

Implementation
reCAPTCHA tests are taken from the central site of the reCAPTCHA project, which supplies the words to be deciphered. This is done through a JavaScript API with the server making a callback to reCAPTCHA after the request has been submitted. The reCAPTCHA project provides libraries for various programming languages and applications to make this process easier.[10] reCAPTCHA is a free service (that is, the CAPTCHA images are provided to websites free of charge, in return for assistance with the decipherment),[11] but the reCAPTCHA software itself is not open source.

reCAPTCHA offers plugins for several web-application platforms, like ASP.NET, Ruby or PHP, to ease the implementation of the service.

Security
The basis of the CAPTCHA system is to prevent automated access to a system by computer programs or "bots". On December 14, 2009, Jonathan Wilkins released a paper describing weaknesses in reCAPTCHA that allowed a solve rate of 18%.[12][13][14] On August 1, 2010, Chad Houck gave a presentation to the DEF CON 18 Hacking Conference detailing a method to reverse the distortion added to images, which allowed a computer program to determine a valid response 10% of the time.[15][16] The reCAPTCHA system was modified on 21 July 2010, before Houck was to speak on his method. Houck modified his method to what he described as an "easier" CAPTCHA, to determine a valid response 31.8% of the time.[17] Houck also mentioned security defenses in the system, such as a high-security lockout if a valid response isn't given 32 times in a row. reCAPTCHA frequently modifies its system, which would require the author of a similar program to frequently update the method of decoding. It has also been noted that reCAPTCHA usually only has one active word or phrase, with the other word responding to any text input, including single characters. The active one is usually not a dictionary word, which may frustrate potential abusers.
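The Operation section above describes a small voting scheme: each OCR engine's reading of a word is worth 0.5 points, each human reading is worth 1 point, a reading that reaches 2.5 points is called, a human's answer only counts if the control word was typed correctly, and words that humans consistently read the same way are promoted to control words. The following is an added example that models exactly those rules so they can be exercised; it is not code from the reCAPTCHA project, and the class name, image identifiers, seed control word and sample readings are assumptions made for this illustration. Note that it also shows the security consequence of the design: an answer that fails the control word contributes nothing to the unknown word, so a bot guessing at both words cannot poison the digitization result.

```python
from collections import defaultdict

# Scoring rules as stated in the Operation section above.
OCR_WEIGHT = 0.5     # points per OCR engine reading
HUMAN_WEIGHT = 1.0   # points per human reading
THRESHOLD = 2.5      # points at which a reading is considered called


class Digitizer:
    """Illustrative model of the reCAPTCHA word pipeline (added example, not
    the project's code). Words the two OCR engines agree on are accepted
    directly; words they disagree on become 'unknown' words that are shown
    next to a 'control' word whose text is already known."""

    def __init__(self, control_words):
        self.control = dict(control_words)        # image id -> known text
        self.points = {}                          # image id -> {reading: points}
        self.human_readings = defaultdict(set)    # image id -> distinct human readings
        self.settled = {}                         # image id -> accepted text

    @staticmethod
    def _norm(text):
        return text.strip().lower()

    def add_scan(self, image_id, ocr_a, ocr_b):
        """Run one scanned word through two OCR programs.
        Returns True if the word became a CAPTCHA candidate (engines disagreed)."""
        a, b = self._norm(ocr_a), self._norm(ocr_b)
        if a == b:
            self.settled[image_id] = a
            return False
        votes = self.points.setdefault(image_id, defaultdict(float))
        votes[a] += OCR_WEIGHT
        votes[b] += OCR_WEIGHT
        return True

    def submit(self, control_id, control_answer, unknown_id, unknown_answer):
        """Process one human answer to a two-word challenge.
        Returns True if the visitor passes (typed the control word correctly).
        Only a passing answer casts a vote for the unknown word: the system
        assumes that whoever got the control word right also got the unknown
        word right. A failed control word is treated as a bot or a typo."""
        if self._norm(control_answer) != self._norm(self.control[control_id]):
            return False
        if unknown_id in self.points:            # word not yet called
            reading = self._norm(unknown_answer)
            self.points[unknown_id][reading] += HUMAN_WEIGHT
            self.human_readings[unknown_id].add(reading)
            self._maybe_call(unknown_id)
        return True

    def _maybe_call(self, image_id):
        votes = self.points[image_id]
        reading, pts = max(votes.items(), key=lambda kv: kv[1])
        if pts < THRESHOLD:
            return
        self.settled[image_id] = reading
        del self.points[image_id]
        # Words every human judge read the same way are recycled as control words.
        if self.human_readings[image_id] == {reading}:
            self.control[image_id] = reading

    def score(self, image_id):
        """Current points per reading for an uncalled word (empty once called)."""
        return dict(self.points.get(image_id, {}))


def demo():
    """Constructed walk-through (identifiers and readings are made up)."""
    d = Digitizer({"ctl-1": "finding"})               # assumed seed control word
    d.add_scan("w-1", "following", "foIlowing")        # engines disagree: 0.5 each
    d.add_scan("w-2", "bridge", "bridge")              # engines agree: accepted at once
    d.submit("ctl-1", "finding", "w-1", "following")   # "following" now 1.5
    d.submit("ctl-1", "f1nding", "w-1", "zzz")         # control wrong: rejected, no vote
    d.submit("ctl-1", "Finding ", "w-1", "following")  # 2.5 -> called, recycled as control
    return d


if __name__ == "__main__":
    result = demo()
    print(result.settled, result.control)
```

The point to take away for anyone deploying a CAPTCHA of this kind: the control word is the only thing that protects the site; the unknown word must accept anything, which is why the Security section notes that only one of the two words is actually "active".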

Mailhide
reCAPTCHA has also created project Mailhide, which protects email addresses on web pages from being harvested by spammers.[18] By default, the email address is converted into a format that does not allow a crawler to see the full email address. For example, "mailme@example.com" would be converted to "mai...@example.com". The visitor would then click on the "..." and solve the CAPTCHA in order to obtain the full email address. One can also edit the popup code so that none of the address is visible.

Notes
[1] Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham and Manuel Blum (2008). "reCAPTCHA: Human-Based Character Recognition via Web Security Measures" (http://www.cs.cmu.edu/~biglou/reCAPTCHA_Science.pdf) (PDF). Science 321 (5895): 1465–1468. doi:10.1126/science.1160379. PMID 18703711.
[2] "Teaching computers to read: Google acquires reCAPTCHA" (http://googleblog.blogspot.com/2009/09/teaching-computers-to-read-google.html). Google. Retrieved 2009-09-16.
[3] "Learn more" (http://recaptcha.net/learnmore.html). reCAPTCHA.
[4] Luis von Ahn. NOVA ScienceNow s04e01. [Television production]. Event occurs at 46:58. "The New York Times has this huge archive, over 130 years of newspaper archive there. And we've done maybe about 20 years so far of The New York Times in the last few months and I believe we're going to be done next year by just having people do a word at a time."
[5] "reCAPTCHA FAQ" (http://www.google.com/recaptcha/faq). Google.
[6] Rubens, Paul (2007-10-02). "Spam weapon helps preserve books" (http://news.bbc.co.uk/2/hi/technology/7023627.stm). BBC. Retrieved 2008-11-23.
[7] "Fight Spam, Digitize Books" (http://blog.craigslist.org/2008/06/fight-spam-digitize-books/). Craigslist Blog. 2008-06.
[8] TV Converter Box Program (https://www.dtv2009.gov/)
[9] Hutchinson, Alex (March 2009). "Human Resources: The job you didn't even know you had". The Walrus: pp. 15–16.
[10] Timmer, John (2008-08-14). "CAPTCHAs work? for digitizing old, damaged texts, manuscripts" (http://arstechnica.com/news.ars/post/20080814-captchas-workfor-digitizing-old-damaged-texts-manuscripts.html). Ars Technica. Retrieved 2008-12-09.
[11] "FAQ" (http://recaptcha.net/faq.html). reCAPTCHA.
[12] "Strong CAPTCHA Guidelines" (http://bitland.net/captcha.pdf).
[13] "Google's reCAPTCHA busted by new attack" (http://www.theregister.co.uk/2009/12/14/google_recaptcha_busted/).
[14] "Google's reCAPTCHA dented" (http://www.h-online.com/security/news/item/Google-s-reCAPTCHA-dented-888859.html).
[15] "Def Con 18 Speakers" (http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Houck). Chad Houck.
[16] "Decoding reCAPTCHA Paper" (http://n3on.org/projects/reCAPTCHA/docs/reCAPTCHA.docx). Chad Houck.
[17] "Decoding reCAPTCHA Power Point" (http://n3on.org/projects/reCAPTCHA/docs/reCAPTCHA.pptx).
[18] "Mailhide: Free Spam Protection" (http://www.google.com/recaptcha/mailhide/). reCAPTCHA. Retrieved 2010-12-18.

External links
• The reCAPTCHA project (http://recaptcha.net/)
• ReCAPTCHA: The job you didn't even know you had (http://www.walrusmagazine.com/articles/2009.03-technology-human-resources-recaptcha-alex-hutchinson/) Two-page article in The Walrus magazine

Security Accounts Manager

The Security Accounts Manager (SAM) is a registry file in Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY").

In the case of online attacks, it is not possible to simply copy the SAM file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a blue screen exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques, making the password hashes available for offline brute-force attack.

Removing LM Hash
Most versions of Windows can be configured to disable the creation and storage of valid LM hashes when the user changes their password. This is the default setting in Windows Vista, but was disabled by default in previous versions of Windows. Note: enabling this setting does not immediately clear the LM hash values from the SAM, but rather enables an additional check during password change operations that will instead store a "dummy" value in the location in the SAM database where the LM hash is otherwise stored. (This dummy value has no relationship to the user's password; it is the same value used for all user accounts.)

As well, LM hashes cannot be calculated when the user chooses a password of over 14 characters in length. Thus, when a user (or administrator) sets a password of 15 characters or longer, the LM hash value is set to a "dummy" value, which is not valid for authentication purposes.

Related Attacks
In Windows NT 3.51, NT 4.0 and 2000, an attack was devised to bypass the local authentication system. If the SAM file is deleted from the hard drive (e.g. by mounting the Windows OS volume into an alternate operating system), the attacker could log in as any account with no password. This flaw was corrected with Windows XP, which shows an error message and shuts down the computer.

However, there now exist software utilities that use the same methodology: an emulated virtual drive or a boot-disk (usually Unix/Linux) environment is used to mount the local drive housing the active NT (Windows) partition, the utility locates the SAM file within the Windows NT system installation directory structure (default: C:\windows\system32\config) and, depending on the particular utility, either removes the password hashes stored for user accounts in their entirety or modifies the user account passwords directly from that environment. Such software has a highly pragmatic and beneficial use as a password-clearing or account-recovery utility for individuals who have lost or forgotten their Windows account passwords, as well as a possible use as a malicious security-bypassing utility. It essentially grants a user with enough ability, experience and familiarity with both the utility and the security routines of the Windows NT kernel (as well as offline, immediate local access to the target computer) the capability to entirely bypass or remove the Windows account passwords of a target computer.

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.
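Because disabling LM hash storage only takes effect at the next password change, the practical question after turning it on is which accounts still carry a crackable LM hash. The following is an added example, not part of the original article and not a Microsoft tool: it parses hash-dump lines in the common pwdump layout (user:RID:LM hash:NT hash:::, an assumption about the input format) and flags accounts whose LM field is anything other than the fixed "dummy" value the article describes, which is the LM hash of the empty string and is identical for every account without a stored LM hash. It also flags accounts whose NT hash is that of the empty string, i.e. a blank password. The sample dump is constructed for this illustration; the non-dummy hashes in it are the well-known hashes of the test passwords "password" and "test", not real accounts.

```python
import re

# LM and NT hashes of the empty string. The LM value is the "dummy" Windows
# stores in place of a real LM hash once LM storage is disabled or the
# password is 15+ characters; it is the same for every such account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line (assumed input format): user:RID:LMhash:NThash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


def parse_pwdump(text):
    """Parse pwdump-format text.
    Returns (records, bad_line_numbers); malformed lines are skipped, not guessed."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad.append(lineno)
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records, bad


def audit(records):
    """Return {user: [findings]} for accounts whose stored hashes are weak."""
    findings = {}
    for r in records:
        issues = []
        if r["lm"] != EMPTY_LM:
            # A real LM hash is still on disk: the password is at most 14
            # characters and has not been changed since LM storage was
            # disabled (or it never was). LM hashes fall to offline brute
            # force quickly, so this account needs a password change.
            issues.append("lm-hash-present")
        if r["nt"] == EMPTY_NT:
            issues.append("blank-password")
        if issues:
            findings[r["user"]] = issues
    return findings


# Constructed sample dump for the illustration (not real accounts).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
this line is not a hash record
"""


def run_sample():
    """Parse and audit the constructed dump; returns (findings, bad_lines)."""
    records, bad = parse_pwdump(SAMPLE_DUMP)
    return audit(records), bad


if __name__ == "__main__":
    findings, bad = run_sample()
    for user, issues in findings.items():
        print(f"{user}: {', '.join(issues)}")
    if bad:
        print("unparsed lines:", bad)
```

On a live system the setting the article refers to is the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; flipping it is the easy half, and a report like the one above is how you confirm that every flagged account has actually rotated its password afterwards.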

Identity management

Identity management (or ID management, or simply IdM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organization) and controlling access to the resources in that system by placing restrictions on the established identities of the individuals.

Identity management is multidisciplinary and covers many dimensions, such as:
• Technical – Employs identity management systems (identification, role-based, network protocols, digital certificates, etc.).
• Legal – Deals with legislation for data protection.
• Police – Deals with identity theft.
• Social and humanity – Deals with issues such as privacy.
• Security – Manages elements such as access control.
• Organizations – Hierarchies and divisions of access.

History
Identity management (IdM) is a term related to how humans are identified and authorized across computer networks. It covers issues such as how users are given an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.), as well as the administration and termination of identities with access to information systems.

Digital identity can be interpreted as the codification of identity names and attributes of a physical instance in a way that facilitates processing. While the term management requires little explanation, the term identity is a more abstract concept that will always be difficult to define in a way that satisfies everyone. It is a concept that is fluid and contextual, depending on a number of factors including culture. Thus the term management is appended to "identity" to indicate that there is a technological and best-practices framework around a somewhat intractable philosophical concept.

In each organisation there is normally a role or department that is responsible for managing the schema of digital identities of their staff and their own objects, these being represented by object identities or object identifiers (OID).[4]

Digital identity: personal identifying information (PII) selectively exposed over a network. See OECD[1] and NIST[2] guidelines on protecting PII[3] and the risk of identity theft.

(Image caption: The SAML protocol is used to exchange identity information between two identity domains.)

Perspectives on IdM
In the real-world context of engineering online systems, identity management can involve three perspectives:
1. The pure identity paradigm: creation, management and deletion of identities without regard to access or entitlements.
2. The user access (log-on) paradigm: for example, a smart card and its associated data used by a customer to log on to a service or services (a traditional view).
3. The service paradigm: a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

Pure identity paradigm
A general model of identity can be constructed from a small set of axiomatic principles, for example that all identities in a given abstract namespace are unique and distinctive, or that such identities bear a specific relationship to corresponding entities in the real world. An axiomatic model of this kind can be considered to express "pure identity" in the sense that the model is not constrained by the context in which it is applied.

In general, an entity can have multiple identities, and each identity can consist of multiple attributes or identifiers, some of which are shared and some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and the entities they represent, as well as between identities and the attributes they consist of.

In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties. These properties may be used to record information about the object, either for purposes external to the model itself or so as to assist the model operationally, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.

The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model attempts to express these semantics internally, it is not a pure model. Contrast this situation with properties which might be externally used for purposes of information security, such as managing access or entitlement, but which are simply stored and retrieved, in other words not treated specially by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.

Identity management, then, can be defined as a set of operations on a given identity model, or as a set of capabilities with reference to it. In practice, identity management is often used to express how identity information is to be provisioned and reconciled between multiple identity models.

User access paradigm
User access requires each user to assume a unique "digital identity" across applications and networked infrastructures, which enables access controls to be assigned and evaluated against this identity. Therefore, the use of a unique identity across all systems eases the monitoring and verification of potential unauthorized access, and allows the organization to keep tabs on excessive privileges granted to any individual within the company. From the user lifecycle perspective, user access can be tracked from new hire, through suspension, to termination of the employee.

Service paradigm
In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user's credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.

Emerging fundamental points
• IdM provides significantly greater opportunities to online businesses beyond the process of authenticating and granting access to authorized users via cards, tokens and web access control systems.
• IdM embraces what the user actually gets in terms of products and services and how and when they acquire them. It is also applicable to the means by which these products and services are provisioned and assigned to (or removed from) "entitled" users.
• User-based IdM has started to evolve away from username/password and web-access control systems toward those that embrace preferences, parental controls, entitlements, presence and loyalty schemes.
• IdM covers the machinery (system infrastructure components) that delivers such services, because a system may assign the service of a user to a particular network technology, security domain, media server, soft switch, voice mailbox, content title, usage right, policy-based routing, billing system, CRM, product catalog set, mail server, help desk etc. Accordingly, IdM relates intrinsically to information engineering, security and privacy.
• IdM can deliver single-customer views that include the presence and location of the customer, single products and services, as well as single IT infrastructure and network views to the respective parties.
• IdM provides the focus to deal with system-wide data quality and integrity issues often encountered by fragmented databases and workflow processes.
• Critical factors in IdM projects include consideration of the online services of an organization (what the users log on to) and how they are managed from an internal and customer self-care perspective.
• It is equally important for users to correctly identify and authenticate service providers as it is for service providers to identify and authenticate users. This aspect has largely been ignored during the early development of identity management, but will have to be taken seriously in the future.
• Today, many organizations face a major clean-up in their systems if they are to bring identity coherence into their influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand: cheaply, with security and single-customer viewing facilities. Technically, IdM applies to the products and services of an organization, such as health, insurance, travel and government services.

Issues
The management of identity raises a certain number of issues, such as privacy issues that may lead to the implementation of a surveillance society (Taylor, Lips & Organ 2009), and in particular to the loss of an individual's privacy (Taylor 2008), or the risk related to the stealing of identity (identity theft).

The advent of the social web, and in particular the important development of online social networking services, for which the management of the identities of their members represents a core element of these systems, also creates a certain number of risks related to the disclosure of personal information (Gross, Acquisti & Heinz 2005).

Addressing the identity issues
Against the backdrop of an increased risk to the privacy of the citizen in the Information Society, it should first be noted that people, and in particular young people (15-25), are well aware of the risks of eID-enabled services (Lusoli & Miltgen 2009). More specifically, young people:
• are often very knowledgeable about these systems (web 2.0), which they use frequently and have used for a long time
• have a high level of perception of the risk associated with these tools

Addressing these different issues cannot be done by legislation alone or by technical systems alone; the different dimensions have to be combined, such as:
• legal, with data protection legislation or human rights legislation (Pounder 2009)
• technical, for instance with the use of privacy-enhancing technologies
• societal, including socio-psychological aspects (social engineering)
• police (i.e. forensics)

Research
Research related to the management of identity covers a variety of disciplines (such as technology, social sciences, the humanities and the law (Halperin & Backhouse 2008)) and areas, and tries to investigate many different issues (technical, legal, etc.).

European research
Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to identity management started.

PICOS investigates and develops a state-of-the-art platform for providing trust, privacy and identity management in mobile communities.

PrimeLife[5] will develop concepts and technologies to help individuals to protect their autonomy and retain control over personal information, irrespective of their activities.

SWIFT[6] focuses on extending identity functions and federation to the network while addressing usability and privacy concerns, and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.

Other identity-related projects from older European Union funded framework programmes include:
• FIDIS (Future of Identity in the Information Society)[7]
• GUIDE[8]
• PRIME[9]

Implementation challenges
• Getting all stakeholders to have a common view of the area, which is likely to come together once they discuss the issues
• Lack of consistent architectural vision
• Expectation to make the IdM a data synchronization engine for application data
• Expectations for "over-automation"
• Envisaging an appropriate business process leading to post-production challenges
• Deploying too many IdM technologies in a short time period
• Lack of leadership and support from sponsors
• Lack of focus on integration testing
• Overlooking change management, i.e. expecting everybody to go through the self-learning process
• Lack of definition of the post-production phase in a project plan, needed for a smooth transition of the system to the end-user community. This may take from three to six months, so it becomes critical that an organization gears up for proper support through a transition phase or stabilization phase.

Standardization
ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques) is conducting some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of different identity-related terms.

Publications
Different academic journals can be used to publish articles related to identity management, such as:
• Ethics and Information Technology[10]
• Identity in the Information Society[11]
• Surveillance & Society[12]
Less specialized journals may also publish on the topic, and for instance have special issues on identity, such as:
• Online Information Review[13]. See for instance the Special Issue on: Digital ID management (Volume 33, Issue 3, 2009).

References
• Gross, Ralph; Acquisti, Alessandro; Heinz, H. John (2005). "Information revelation and privacy in online social networks"[14]. Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. pp. 71–80. doi:10.1145/1102199.1102214.
• Halperin, Ruth; Backhouse, James (2008). "A roadmap for research on identity in the information society". Identity in the Information Society (Springer) 1 (1): 71. doi:10.1007/s12394-008-0004-0.
• ISO, IEC (2009). Information Technology -- Security Techniques -- A Framework for Identity Management[16]. ISO/IEC WD 24760 (Working draft).
• Lusoli, Wainer; Miltgen, Caroline (2009). "Young People and Emerging Digital Services. An Exploratory Survey on Motivations, Perceptions and Acceptance of Risks"[15]. JRC Scientific and Technical Reports (Sevilla: EC JRC IPTS) (EUR 23765 EN). doi:10.2791/68925.
• Pohlman, M. B. (2008). Oracle Identity Management: Governance, Risk, and Compliance Architecture. Auerbach Publications. ISBN 978-1420072471.
• Pounder, C. N. M. (2009). "Nine principles for assessing whether privacy is protected in a surveillance society". Identity in the Information Society (Springer) 1: 1. doi:10.1007/s12394-008-0002-2.
• Taylor, John A.; Lips, Miriam; Organ, Joe (2009). "Identification practices in government: citizen surveillance and the quest for public service improvement". Identity in the Information Society (Springer) 1: 135. doi:10.1007/s12394-009-0007-5.

• Taylor, John A. (2008). "Zero Privacy". IEEE Spectrum 45 (7): 20–20. doi:10.1109/MSPEC.2008.4547499.
• Williamson, Graham; Yip, David; Sharoni, Ilan; Spaulding, Kent (September 01, 2009). Identity Management: A Primer. MC Press. ISBN 978-1-58347-093-0.

Notes
[1] Functional requirements for privacy enhancing systems (http://www.oecd.org/dataoecd/36/30/38573952.pdf), Fred Carter, OECD Workshop on Digital Identity Management, Trondheim, Norway, 09 May 2007 (PPT presentation)
[2] Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf), Recommendations of the National Institute of Standards and Technology, January 2009
[3] PII (Personally Identifiable Information) (http://www.cdt.org/privacy/issues/pii/), The Center For Democracy & Technology, September 14, 2007
[4] Object Id's (OID'S) (http://doc.sumy.ua/db/pgsql_book/node72.html), in Bruce Momjian, PostgreSQL: Introduction and Concepts, November 21, 1999
[5] http://www.primelife.eu/
[6] http://www.ist-swift.org/
[7] http://www.fidis.net/home/
[8] http://istrg.som.surrey.ac.uk/projects/guide/
[9] https://www.prime-project.eu/
[10] http://www.editorialmanager.com/etin/
[11] http://www.springer.com/computer/journal/12394
[12] http://www.surveillance-and-society.org/
[13] http://info.emeraldinsight.com/products/journals/journals.htm?id=oir
[14] http://doi.acm.org/10.1145/1102199.1102214
[15] http://ipts.jrc.ec.europa.eu/publications/pub.cfm?id=2119
[16] http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51625

External links
• General Public Tutorial about Privacy and Identity Management (http://www.primelife.eu/tutorials/gpto/)
• Identity Management Overview (http://www.computerweekly.com/Articles/2007/07/23/225715/identity-management-the-expert-view.htm) (Computer Weekly)
• Secure Widespread Identities for Federated Telecommunications (SWIFT) (http://www.ist-swift.org/)
• Federation for Identity and Cross-Credentialing Systems (FiXs) (http://www.FiXs.org/)
• Identity management and information sharing in ISO 18876 Industrial automation systems and integration (http://www.iso.org/iso/search.htm?qt=18876&searchSubmit=Search&sort=rel&type=simple&published=on)
• Identity management terminology (http://identity-manager.hitachi-id.com/docs/identity-management-terminology.html) (free, no registration required)
• Sloppiness in access and authorization management can cost enterprises dearly (http://www.itsecuritystandard.com/blog/?p=1516)

Windows CardSpace

Windows CardSpace (codenamed InfoCard) is Microsoft's now-canceled client software for the Identity Metasystem. CardSpace is an instance of a class of identity client software called an Identity Selector. CardSpace stores references to users' digital identities for them, presenting them to users as visual Information Cards. CardSpace provides a consistent UI designed to help people to easily and securely use these identities in applications and web sites where they are accepted.

Resistance to phishing attacks and adherence to Kim Cameron's "7 Laws of Identity"[1] were goals in its design.[2]

Figure: The Windows CardSpace user interface.

Overview

When an Information Card-enabled application or website wishes to obtain information about the user, the application or website requests a particular set of claims from the user. The CardSpace UI then appears, switching the display to the CardSpace service, which displays the user's stored identities as visual Information Cards. The user selects the InfoCard to use and the CardSpace software contacts the issuer of the identity to obtain a digitally signed XML token that contains the requested information. CardSpace also allows users to create personal (also known as self-issued) Information Cards, which can contain one or more of 14 fields of identity information such as full name, address, etc. Other transactions may require a managed InfoCard; these are issued by a third party identity provider that makes the claims on the person's behalf, such as a bank, employer, or a government agency.

Windows CardSpace is built on top of the Web Services Protocol Stack, an open set of XML-based protocols, including WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. This means that any technology or platform that supports WS-* protocols can integrate with CardSpace. In order to accept Information Cards, a website developer simply needs to declare an HTML <OBJECT> tag that specifies the claims the website is demanding from the user and then implement code to decrypt the returned token and extract the claim values. If an Identity Provider wants to issue tokens, they must provide a means by which a user can obtain a managed card and provide a Security Token Service (STS) which handles WS-Trust requests and returns an appropriate encrypted & signed token. If an Identity Provider does not wish to build an STS, they will be able to obtain one from a variety of vendors including PingIdentity, BMC, Sun Microsystems, Microsoft, or Siemens.[3] Indeed, IBM and Novell, as well as other companies or organizations, will support[4] the Higgins trust framework to provide a development framework that includes support for Information Cards and the Web Services Protocol Stack.

Because CardSpace and the Identity Metasystem upon which it is based are token-format-agnostic, CardSpace does not compete directly with other Internet identity architectures like OpenID and SAML. In some ways, these three approaches to identity can be seen as complementary. Information Cards can be used today for signing into OpenID providers, SAML identity providers, Windows Live ID accounts, and other kinds of services.

Microsoft initially shipped Windows CardSpace with the .NET Framework 3.0, which runs on Windows XP, Windows Server 2003, and Windows Vista. It is installed by default on Windows Vista as well as Windows 7 and is available as a free download for XP and Server 2003 via Windows Update. An updated version of CardSpace shipped with the .NET Framework 3.5, thus including CardSpace within a broader, extensible framework also supporting other identity-related technologies, such as SAML and OpenID.
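The relying-party step described above ends with the website decrypting the returned token and extracting the claim values from it. The Python below is an added example, not code from the page or from Microsoft's Information Card kits: it covers the extraction half only, assuming the XML-Encryption envelope has already been removed with the site's private key and the signature already checked, and it works on a constructed SAML 1.1 assertion that uses the Information Card claims namespace. Before any claim is used it also checks the validity window and the audience, which is what stops a token issued for one site from being replayed at another.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 assertion namespace and the identity-claims namespace that
# Information Card tokens use for claim names such as "emailaddress".
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample: the plaintext a relying party sees after stripping the
# XML-Encryption layer. Issuer, audience and values are made up for this example.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="1" AssertionID="uuid-constructed-1"
    Issuer="https://idp.example.test/sts" IssueInstant="2011-02-15T10:00:00Z">
  <saml:Conditions NotBefore="2011-02-15T10:00:00Z"
                   NotOnOrAfter="2011-02-15T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://shop.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamps used in the sample into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(token_xml, audience, required, now):
    """Return {claim_uri: value} for a decrypted Information Card token.

    Raises ValueError when the token was not issued for this site, is outside
    its validity window, or lacks a claim the site demanded in its OBJECT tag.
    """
    root = ET.fromstring(token_xml)
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("token has no Conditions element")
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        raise ValueError("token outside its validity window")
    audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
    if audience not in audiences:
        raise ValueError("token was not issued for this site")
    claims = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        value = attr.find(f"{{{SAML}}}AttributeValue")
        claims[uri] = value.text if value is not None else ""
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError("required claims missing: " + ", ".join(missing))
    return claims


def demo(now=None):
    """Accept the sample token at a time inside its five-minute window."""
    if now is None:
        now = datetime(2011, 2, 15, 10, 1, tzinfo=timezone.utc)
    return extract_claims(SAMPLE_TOKEN, "https://shop.example.test/",
                          [CLAIMS + "/emailaddress"], now)


def demo_rejections():
    """The two failure modes a relying party must handle: expiry and wrong audience."""
    inside = datetime(2011, 2, 15, 10, 1, tzinfo=timezone.utc)
    late = datetime(2011, 2, 15, 10, 6, tzinfo=timezone.utc)
    cases = {
        "expired": (SAMPLE_TOKEN, "https://shop.example.test/", [], late),
        "audience": (SAMPLE_TOKEN, "https://other.example.test/", [], inside),
    }
    results = {}
    for label, args in cases.items():
        try:
            extract_claims(*args)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results
```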

Retired

On the 15th of February 2011, Microsoft announced that they would be retiring Windows CardSpace[5] before they had shipped version 2.0 of the product.

References
[1] Kim Cameron (2005-05-01). "The Laws of Identity" (http://msdn.microsoft.com/en-us/library/ms996456.aspx). Retrieved 2010-12-13.
[2] Kim Cameron, Michael B. Jones (January, 2006). "Design Rationale behind the Identity Metasystem Architecture" (http://research.microsoft.com/en-us/um/people/mbj/papers/Identity_Metasystem_Design_Rationale.pdf). Retrieved 2010-12-13.
[3] Three Digital Identity Standards (http://upon2020.com/2006/01/the-identity-landscape-of-2006/)
[4] Novell Press Release (http://www-03.ibm.com/press/us/en/pressrelease/19280.wss)
[5] http://blogs.msdn.com/b/card/archive/2011/02/15/beyond-windows-cardspace.aspx

Additional resources
• Vittorio Bertocci, Garrett Serack, Caleb Baker: Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities. Addison-Wesley, December 27 2007. ISBN 0-321-49684-1

External links

Informational
• A consumer introduction to Windows CardSpace (http://www.microsoft.com/windows/products/winfamily/cardspace/default.mspx)
• Microsoft Developer Network (MSDN) CardSpace page (http://msdn.microsoft.com/CardSpace) – Developer articles and technical documentation on Windows CardSpace.
• Microsoft .NET Framework 3.0 Community (NetFx3) (http://netfx3.com/content/WindowsCardspaceHome.aspx) – CardSpace community site.
• Microsoft Open Specification Promise (http://www.microsoft.com/interop/osp/).
• Identity Selector Interoperability Profile (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf). Arun Nanda, Microsoft Corporation, April 2007.
• An Implementer's Guide to the Identity Selector Interoperability Profile V1.0 (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Guide.pdf). Microsoft Corporation and Ping Identity Corporation, April 2007.
• A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Web-Guide.pdf). Michael B. Jones, Microsoft Corporation, April 2007.

Software development
• Microsoft Information Card Kit for ASP.NET 2.0 (http://go.microsoft.com/fwlink/?LinkId=89183) – ASP.NET Relying Party code to support CardSpace.
• Microsoft Information Card Kit for HTML (http://go.microsoft.com/fwlink/?LinkId=89182) – platform-independent JavaScript and CSS code that detects if the client can use Information Cards and provides the corresponding UI support.
• Open Source Java (http://www.codeplex.com/informationcardjava) Relying Party code for accepting Information Cards.
• Open Source Ruby (http://www.codeplex.com/informationcardruby) Relying Party code for accepting Information Cards.
• Open Source C and PHP (https://infocard-demo.carillon.ca/) Relying Party code for accepting Information Cards and Secure Token Service code for managed Information Cards.
• Open Source C# (https://sharpsts.codeplex.com/) Secure Token Service code for managed Information Cards.
• Open Source C (http://dacs.dss.ca/) Relying Party code for accepting Information Cards.
• Open Source PHP Secure Token Service code for managed Information Cards.

Identity selectors
• Digital Me (http://code.bandit-project.org/trac/wiki/DigitalMe) – an open source Identity Selector for Linux and Mac OS X
• A plug-in (http://labs.pingidentity.com/IdentitySelector) for Firefox to activate CardSpace and other identity selectors.
• A plug-in (http://www.hccp.org/safari-plug-in.html) for Apple's Safari implementing an Information Card identity selector.

Blogs
• Kim Cameron's Identity Weblog (http://www.identityblog.com/) – Information from Microsoft's architect for identity.
• Mike Jones' blog (http://self-issued.info/) – Information on CardSpace, Information Cards, and the Digital Identity from Microsoft's Director of Identity Partnerships.
• Vittorio Bertocci's Weblog (http://blogs.msdn.com/vbertocci/) – Information on designing and developing with CardSpace from Microsoft's architect evangelist for Windows Server 2008.
• CardSpace team blog (http://blogs.msdn.com/card/) – Information on CardSpace from the CardSpace team itself.

CCSO Nameserver

A CCSO name-server or Ph protocol was an early form of database search on the web. In its most common form it was used to look up information such as phone numbers and e-mail addresses. Today this service has been largely replaced by LDAP.[1] It was used mainly in the early-to-middle 1990s. The name-server directories were frequently organized in Gopher hierarchies.[2] The name-server was developed by Steve Dorner at the University of Illinois at Urbana-Champaign. The tools "Ph" and "Qi" were the two components of the system: Ph was a client that queried the Qi server.

Overview

The Ph protocol was formally defined by RFC 2378 in September 1998. However, the memo issued at this time references its prior use for an unspecified period of time before this date.[3] It defines sixteen keywords that can be used on the server side to define record properties. It also defines how clients should access records on the server and what responses the server should give. Ph server communication takes place on TCP port 105.

Command Structure

All commands and responses are initially assumed to be in US-ASCII encoding for historical reasons unless the client explicitly asks for 8-bit (ISO-8859-1) encoding. As a result only characters between 0x20 and 0x7f are initially sent by the server in raw form. Other characters, if present in entries, will be escaped using the RFC 2045 defined "Quoted-Printable" encoding.

The initial request from the client is a text-based keyword optionally followed by one or more parameters as defined in RFC 2378. Each command defined by the RFC 2378 memo consists of a keyword followed as needed by one or more parameters or key words. They can be separated by spaces, tabs or the end of the line. Each line must be terminated in CRLF style. The server then responds to the request.

The following example response to a status request is provided by the RFC memo.

C: status
S: 100:Qi server $Revision: 1.6 $
S: 100:Ph passwords may be obtained at CCSO Accounting,
S: 100:1420 Digital Computer Lab, between 8:30 and 5 Monday-Friday.
S: 100:Be sure to bring your U of I ID card.
S: 200:Database ready
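The reply format above (a numeric code, a colon, then text, with 1xx lines as informational chatter before a final 2xx line) and the CRLF-terminated commands are simple enough to parse by hand. The Python below is an added example, not code from the page or from the Ph/Qi software: it serializes client commands with the required CRLF, refuses parameters that would smuggle a second line, and parses Qi replies, decoding RFC 2045 Quoted-Printable escapes for servers that were not switched to 8-bit mode. It assumes RFC 2378's convention that continuation lines of a multi-line result carry a negative code and an entry index, written as code:index:field:text; the query reply with an accented name is constructed.

```python
import quopri

CRLF = "\r\n"


def build_command(keyword, *params):
    """Serialize a client request: keyword, space-separated parameters, CRLF."""
    parts = [keyword, *params]
    for part in parts:
        # A CR or LF inside a parameter would terminate the line early and let
        # one request carry a second one, so reject rather than escape it.
        if "\r" in part or "\n" in part:
            raise ValueError("parameters may not contain line terminators")
    return " ".join(parts) + CRLF


def parse_reply_line(line):
    """Split 'code:[index:][field:]text' into a dict, decoding Quoted-Printable."""
    if ":" not in line:
        raise ValueError("malformed reply line: " + line)
    code_str, rest = line.split(":", 1)
    code = int(code_str)
    index = field = None
    # An entry index is present when the next segment is all digits; a field
    # name may follow it. Free text such as "$Revision: 1.6 $" keeps its colons.
    seg, sep, tail = rest.partition(":")
    if sep and seg.isdigit():
        index, rest = int(seg), tail
        seg, sep, tail = rest.partition(":")
        if sep and seg and not seg.isdigit() and " " not in seg:
            field, rest = seg, tail
    text = quopri.decodestring(rest.encode("latin-1")).decode("latin-1")
    return {"code": abs(code), "continuation": code < 0,
            "index": index, "field": field, "text": text.strip()}


def parse_reply(raw):
    """Parse a complete server reply into informational messages and entries.

    1xx lines are collected as messages, negative-coded lines are stored under
    their entry index, and the first non-negative code of 200 or more ends the
    reply. A reply with no final line is an error, not an empty result.
    """
    messages, entries, final = [], {}, None
    for line in raw.split(CRLF):
        if not line:
            continue
        item = parse_reply_line(line)
        if item["continuation"] and item["index"] is not None:
            entries.setdefault(item["index"], {})[item["field"]] = item["text"]
        elif 100 <= item["code"] < 200:
            messages.append(item["text"])
        else:
            final = item
            break
    if final is None:
        raise ValueError("reply not terminated by a final result line")
    return {"final_code": final["code"], "messages": messages, "entries": entries}


# The status reply quoted from the RFC memo, as the client would receive it.
STATUS_REPLY = CRLF.join([
    "100:Qi server $Revision: 1.6 $",
    "100:Ph passwords may be obtained at CCSO Accounting,",
    "100:1420 Digital Computer Lab, between 8:30 and 5 Monday-Friday.",
    "100:Be sure to bring your U of I ID card.",
    "200:Database ready",
    ""])

# Constructed query reply: the name carries an accented letter escaped as
# Quoted-Printable because the session is still in US-ASCII mode.
QUERY_REPLY = CRLF.join([
    "-200:1:alias:jdupont",
    "-200:1:name:Dupont Ren=E9",
    "200:Ok.",
    ""])
```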

The following are a few of the commands:

status
    This command takes no parameters and simply asks the server to report its status as above.

siteinfo
    Returns information such as server version, mail domain and who to contact about password issues and authentication methods.

fields [field ...]
    List all available entry fields on the server or only those of the specified name or names.

id information
    Causes the server to log the specified information as the current user id without login.

set [option[=value] ...]
    Sets the specified option on the server to value. If used without parameters it lists the current server settings.

login [alias]
logout
    These are the actual login/logout commands for the server; here the alias must be the user's Ph alias. Logging in allows a user to change their own entry and view certain fields in it flagged for restricted access.

answer encrypted-response
clear cleartext-password
    The client normally uses one of these to send the password information after the login command is sent.

quit
exit
stop
    One or more of these will be recognized by the server as an end of session command closing the connection.

Database

As distributed, the nameserver was backed by a flat file database. In the early 1990s, Indiana University software developer Larry Hughes implemented a version of Qi (called "Phd") that was written in perl and backed by a relational database. That code was distributed under an open source license for several years prior to the university's transition to LDAP.

References
[1] "ph (cso nameserver) Frequently Asked Questions (FAQ)" (http://www.faqs.org/faqs/ph-faq/). Retrieved 2007-07-14.
[2] "Ph and Gopher" (http://groups.google.com/group/comp.infosystems.gopher/browse_frm/thread/eef4cfbdbc862afe/9cbc3e3690b8fb4e?lnk=st&q="cso+nameserver"&rnum=19&hl=en#9cbc3e3690b8fb4e). Retrieved 2007-05-12.
[3] "RFC 2378 - The CCSO Nameserver (Ph) Architecture" (http://www.faqs.org/rfcs/rfc2378.html). Retrieved 2007-09-18.

Certification on demand

Certification on Demand refers to a process where digital certificates are issued for a signature creation device that has already been sent out and is in the hands of the customer. Through the separation of the telephone functionality and the (possibly later) certification of the user's identity by a certification service provider, both functions can be sold separately and can be obtained from different providers. All distribution channels will remain unchanged. The carrier will probably face increased costs for the signature capable SIM-card but can also expect increasing traffic caused by signature services.

Heiko Rossnagel from University Frankfurt, Chair of Mobile Business and Multilateral Security, specifically mentioned Certification on Demand in connection with a mobile signature: "The mobile operator could sell SIM-cards equipped with a key generator for one or more key pair(s) which can be used for the signing functionality. After obtaining the SIM-card from the mobile operator, the customer can then generate the keys and activate the signature component and the public key(s) can be certified by any Certification Service Provider on demand."

Sources
http://www.wiiw.de/publikationen/MobileQualifiedElectronicSigna917.pdf

Common Indexing Protocol

The Common Indexing Protocol (CIP) was an attempt in the IETF working group FIND during the mid-1990s to define a protocol for exchanging index information between directory services. The protocol evolved from earlier work developing WHOIS++, and was intended to be capable of interconnecting services from both the evolving WHOIS and LDAP activities.

In the X.500 Directory model, searches scoped near the root of the tree (e.g. at a particular country) were problematic to implement, as potentially hundreds or thousands of directory servers would need to be contacted in order to handle that query. The indexes contained summaries or subsets of information about individuals and organizations represented in a white pages schema. By merging subsets of information from multiple sources, it was hoped that an index server holding that subset could be able to process a query more efficiently by chaining it only to some of the sources: those sources which did not hold information would not be contacted. For example, if a server holding the base entry for a particular country were provided with a list of names of all the people in all the entries in that country subtree, then that server would be able to process a query searching for a person with a particular name by only chaining it to those servers which held data about such a person.

This protocol has not seen much recent deployment, as WHOIS and LDAP environments have followed separate evolution paths. WHOIS deployments are typically in domain name registrars, and its data management issues have been addressed through specifications for domain name registry interconnection such as CRISP. In contrast, enterprises that manage employee, customer or student identity data in an LDAP directory have looked to federation protocols for interconnection between organizations.

RFCs
• RFC 2651 The Architecture of the Common Indexing Protocol (CIP)
• RFC 2652 MIME Object Definitions for the Common Indexing Protocol (CIP)
• RFC 2653 CIP Transport Protocols
• RFC 2654 A Tagged Index Object for use in the Common Indexing Protocol
• RFC 2655 CIP Index Object Format for SOIF Objects
• RFC 2656 Registration Procedures for SOIF Template Types
• RFC 2657 LDAPv2 Client vs the Index Mesh

Credential

A credential is an attestation of qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so. Examples of credentials include academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, and so on; this list is far from exhaustive. Sometimes publications, such as scientific papers or books, may be viewed as similar to credentials by some people, especially if the publication was peer reviewed or made in a well-known journal or reputable publisher.

Types and documentation of credentials

A person holding a credential is usually given documentation or secret knowledge (e.g., a password or key) as proof of the credential. Sometimes this proof (or a copy of it) is held by a third, trusted party. While in some cases a credential may be as simple as a paper membership card, in other cases, such as diplomacy, it may involve presentation of letters directly from the issuer of the credential detailing its faith in the person representing them in a negotiation or meeting.

Counterfeiting of credentials is a constant and serious problem, irrespective of the type of credential. A great deal of effort goes into finding methods to reduce or prevent counterfeiting. In general, the greater the perceived value of the credential, the greater the problem with counterfeiting and the greater the lengths to which the issuer of the credential must go to prevent fraud.

Diplomacy

In diplomacy, credentials, also known as a letter of credence, are documents that ambassadors, diplomatic ministers, plenipotentiary, and chargés d'affaires provide to the government to which they are accredited, for the purpose, chiefly, of communicating to the latter the envoy's diplomatic rank. It also contains a request that full credence be accorded to his official statements. Until his credentials have been presented and found in proper order, an envoy receives no official recognition. The credentials of an ambassador or minister plenipotentiary are signed by the head of state, those of a chargé d'affaires by the foreign minister. A receiving government may reject a diplomat's credentials by declining to receive them, but in practice this rarely happens. Diplomatic credentials are granted and withdrawn at the pleasure of the issuing authority, based on widely varying criteria.

Medicine

In medicine, the process of credentialing is a detailed review of all permissions granted a medical doctor at every institution at which he or she has worked in the past, to determine a risk profile for trusting them at a new institution. Most medical practitioners also must have credentials in the form of licenses issued by the government of the jurisdictions in which they practice, which they obtain after suitable education, training, and/or practical experience. Most medical credentials are granted for life, but may be withdrawn in the event of fraud or malpractice by their holders.

Information technology

Credentials in information systems are widely used to control access to information or other resources. The classic combination of a user account number or name and a secret password is a widely-used example of IT credentials. An increasing number of information systems use other forms of documentation of credentials, such as fingerprints, voice recognition, retinal scans, X.509 Public key certificates issued by a trusted third party after some form of identity verification, etc.

Cryptography

Credentials in cryptography establish the identity of a party to communication. Usually they take the form of machine-readable cryptographic keys and/or passwords. Cryptographic credentials may be self-issued, or issued by a trusted third party; in many cases the only criterion for issuance is unambiguous association of the credential with a specific, real individual or other entity. Cryptographic credentials are often designed to expire after a certain period, although this is not mandatory. An X.509 certificate is an example of a cryptographic credential.

Identification

Credentials that simply establish a person's identity are very widely used. Documentation usually consists of an identity card (sometimes a credential that is also used for other purposes, such as an automobile driver's license), a badge (often machine-readable), and so on. Many identification documents use photographs to help ensure their association with their legitimate holders. Some also incorporate biometric information, passwords, PINs, and so on to further reduce the opportunities for fraud. Identification credentials are among the most widely counterfeited credentials. Most identification documents are issued for a lifetime, but some must be periodically renewed, particularly if they have other functions besides identification. For example, passports often expire after a certain number of years, and while they may still be valid identification after their expiration, they cannot be used for their other purpose as travel documents.

Operator licensing

Operators of vehicles such as automobiles, boats, and aircraft must have credentials in the form of government-issued licenses in many jurisdictions. Often the documentation of the license consists of a simple card or certificate that the operator keeps on his person while operating the vehicle, backed up by an archival record of the license at some central location. Licenses are granted to operators after a period of successful training and/or examination. This type of credential often requires certification of good health and may also require psychological evaluations and screening for substance abuse. Operator licenses often expire periodically and must be renewed at intervals. Renewal may simply be a formality, or it may require a new round of examinations and training.

Journalism

Press credentials indicate that a person has been verified as working for a known publication, and holding a press pass typically allows that person special treatment or access rights. In many democratic nations, press credentials are not required at the national or federal level for any publication of any kind. However, individual corporations, and certain government or military entities, require press credentials, such as a press pass, as a formal invitation to members of the press which grants them rights to photographs or videos, press conferences, or interviews. Some governments impose restrictions on who may work as a journalist, requiring anyone working for the press to carry government-issued credentials. Restricting press credentials can be problematic because of its limitations on freedom of the press, particularly if government leaders selectively grant, withhold, or withdraw press credentials to disallow critique of government policy. Any press coverage published under governments that restrict journalism in this way is often treated with skepticism by others, and may not be considered any more truthful or informative than propaganda.

Security clearances

In military and government organizations, a system of compartmenting information exists to prevent the uncontrolled dissemination of information considered to be sensitive or confidential. Persons with a legitimate need to have access to such information are issued security clearances, which can be tracked and verified to ensure that no unauthorized persons gain access to protected information. Often they are granted to individuals only after a lengthy investigation and only after their need to have access to protected information has been adequately justified to the issuing authority. Security clearances are regularly withdrawn when they are no longer justified, or when the person holding them is determined to be too great a security risk. Some credentials of this type are considered so sensitive that their holders are not even permitted to acknowledge that they have them (except to authorized parties). The most elaborate security-clearance systems are found in the world's military organizations. Security clearances are among the most carefully guarded credentials. Documentation of security clearances usually consists of records kept at a secure facility and verifiable on demand from authorized parties. Breaches of security involving security clearances are often punished by specific statutory law, particularly if they occur in the context of deliberate espionage, whereas most other counterfeiting and misuse of credentials is punished by law only when used with deliberate intent to defraud in specific contexts.

Trade credentials

Some trades and professions in some jurisdictions require special credentials of anyone practicing the trade or profession. These credentials may or may not be associated with specific competencies or skills. In some cases, they exist mainly to control the number of people who are allowed to exercise a trade or profession, in order to control salaries and wages. Persons acting as merchants, freelancers, etc., may require special credentials in some jurisdictions as well. Here again, the purpose is mainly to control the number of people working in this way, and sometimes also to track them for tax-reporting or other purposes like people evaluation.

Titles

Titles are credentials that identify a person as belonging to a specific group, such as the nobility or the aristocracy, or a specific command grade in the military, or in other largely symbolic ways. They may or may not be associated with specific authority, and they do not usually attest to any specific competence or skill (although they may be associated with other credentials that do). A partial list of such titles includes
• personal titles, such as Lord, Knight, Right Honourable, etc., indicating an earned or inherited rank or position within a formal power structure, whether this be purely honorary or symbolic, or associated with credentials attesting to specific competence, learning, or skills.
• command ranks, such as Captain, Sergeant, police rank or military rank, indicating likewise a very specific position in a command hierarchy.
• an academic degree or professional designation such as PhD, P.Eng or M.D.
• labor union and club memberships.
• citizenship.
• persons allowed access to specific areas during special events, such as concerts and shows.

Academic credentials

The academic world makes very extensive use of credentials, such as diplomas, certificates, and degrees, in order to attest to the completion of specific training or education programs by students, and to attest to their successful completion of tests and exams. Documentation of academic credentials usually consists of a printed, formal document designed to last a lifetime without deterioration. The issuing institution often maintains a record of the credential as well, as in the case of passports and birth certificates. Academic credentials are normally valid for the lifetime of the person to whom they are issued.

Internet ID

Since the launch of "people" search engines and social networking sites, problems with spamming and identity theft have created a renewed need to verify credentials online. Many companies now search the web for indications about their future employees.[1] Human resource management (HRM) at many companies has taken an interest in sites which look for people instead of websites, blogs and profiles of potential candidates. In the USA there are companies offering to correct "past mistakes" made by people in the form of negative comments of or about them.

References
[1] CBS News, "Employers Look At Facebook, Too" (http://www.cbsnews.com/stories/2006/06/20/eveningnews/main1734920.shtml), June 20, 2006.

Digital identity

For related uses, see Internet identity.

Digital identity is the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things, and so to elide the two as a digital subject. Digital identity also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject.[1]

Digital subject

A digital subject is an entity represented or existing in the digital realm which is being described or dealt with. Every digital subject has a finite, but unlimited number of identity attributes. A digital subject can be human or non-human. Non-human examples include:
• Devices and computers (with which we have built the "digital realm" in the first place).
• Digital resources (which attract us to it).
• Policies and relationships between other digital subjects (e.g., between humans and devices or documents or services).

Identity through relationship

An observer's perception of the digital identity of an entity is inevitably mediated by the subjective viewpoint of that observer (just as it is with physical identity). In order to attribute a digital representation to an entity, the attributing party (the observer) must trust that the representation does indeed pertain to the entity (see Authentication below). Conversely, the entity may only grant the observer selective access to its informational attributes (according to the identity of the observer from the perspective of the entity). In this way, digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property. This contextual nature of digital identity is referred to as contextual identity.

Authentication

Authentication is a key aspect of trust-based identity attribution, providing a codified assurance of the identity of one entity to another. Authentication methodologies include the presentation of a unique object such as a bank credit card, the provision of confidential information such as a password or the answer to a pre-arranged question, the confirmation of ownership of an e-mail address, and more robust but relatively costly solutions utilising encryption methodologies. In general, business-to-business authentication prioritises security while user to business authentication tends towards simplicity. New physical authentication techniques such as iris scanning, handprinting, and voiceprinting are currently being developed in the hope of providing improved protection against identity theft. Those new techniques fall into the area of Biometry (biometrics), which belongs to the area of Artificial Intelligence or Machine Learning.

Identifiers

Digital identity fundamentally requires digital identifiers—strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.). Identifiers are the key used by the parties to an identification relationship to agree on the entity being represented. Identifiers may be classified as omnidirectional and unidirectional.[1] Omnidirectional identifiers are intended to be public and easily discoverable, while unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship.

Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or e-mail address, may be dereferenced into the entity they represent, or some current state data providing relevant attributes of that entity. Non-resolvable identifiers, such as a person's real-world name, or a subject or topic name, can be compared for equivalence but are not otherwise machine-understandable.

There are many different schemes and formats for digital identifiers. The most widely used is Uniform Resource Identifier (URI) and its internationalized version Internationalized Resource Identifier (IRI)—the standard for identifiers on the World Wide Web. OpenID and Light-Weight Identity (LID) are two web authentication protocols that use standard HTTP URIs (often called URLs), for example.

Digital Object Architecture

Digital Object Architecture (DOA)[2] provides a means of managing digital information in a network environment. A digital object has a machine and platform independent structure that allows it to be identified, accessed and protected, as appropriate. A digital object may incorporate not only informational elements, i.e., a digitized version of a paper, movie or sound recording, but also the unique identifier of the digital object and other metadata about the digital object. The metadata may include restrictions on access to digital objects, notices of ownership, and identifiers for licensing agreements, if appropriate.

The Handle System

The Handle System is a general purpose distributed information system that provides efficient, extensible, and secure identifier and resolution services for use on networks such as the internet. It includes an open set of protocols, a namespace, and a reference implementation of the protocols. The protocols enable a distributed computer system to store identifiers, known as handles, of arbitrary resources and resolve those handles into the information necessary to locate, access, contact, authenticate, or otherwise make use of the resources. This information can be changed as needed to reflect the current state of the identified resource without changing its identifier, thus allowing the name of the item to persist over changes of location and other related state information. The original version of the Handle System technology was developed with support from the Defense Advanced Research Projects Agency (DARPA).

Extensible Resource Identifiers

A new OASIS standard for abstract, structured identifiers, XRI (Extensible Resource Identifiers), adds new features to URIs and IRIs that are especially useful for digital identity systems. OpenID also supports XRIs, and XRIs are the basis for i-names.

Policy aspects of digital identity

There are proponents of treating self-determination and freedom of expression of digital identity as a new human right. Some have speculated that digital identities could become a new form of legal entity.

Taxonomies of identity

Digital identity attributes—or data—exist within the context of ontologies. A simple example of a taxonomy is "A cat is a kind of animal." An entity represented in this ontology as a "cat" is therefore invariably also considered an "animal." In establishing the contextual relationship of identity attributes to one another, taxonomies are able to represent identity in terms of pre-defined structures. This in turn allows computer applications to process identity attributes in a reliable and useful manner. XML (eXtensible Markup Language) has become a de facto standard for the abstract description of structured data.

Various attributes such as X. entity A to accept an assertion or claim about entity B by entity C. like computers and telephones." 2.509v3 digital certificates for secure cryptographic communications are captured under a schema. federated ontology of identity (see Taxonomies of identity above). Implementations of X. Integrated compound trust relationships allow. let us suppose a certain Diana wished to book a hire car without disclosing irrelevant personal information (utilising a notional digital identity network that supports compound trust relationships). A domestic cat is a kind of cat and is edible by humans. or in the original design as a TCP-IP based Lightweight Directory Access Protocol compatible with making queries to a X. A classic form of networked digital identity based on international standards is the "White Pages". in a decentralised network like the Internet.500 [2005] and LDAPv3 directories can hold millions of unique objects for rapid access. The development of digital identity network solutions that can interoperate taxonomically-diverse representations of digital identity is a contemporary challenge.500 directory. and published in a LDAP or X. As an illustration of the potential application of selective disclosure. C thus vouches for an aspect of B's identity to A. primarily with application to the identity of digital entities such as bookmarks and photos) by effectively flattening identity attributes into a single.500 are managed by the ISO. However. Since combined X. for example. to an individual or organization. Consider two possible elaborations of the above example: 1. Changes to the LDAP standard are managed by working groups in the IETF. As an adult. "A cat is a kind of animal.500[2005] and LDAPv3 have occurred world wide but are primarily located in major data centers with administrative policy boundaries regarding sharing of personal information." Someone searching the first taxonomy for pets would find "domestic cat. 
Selective disclosure allows for appropriate privacy of information within a network of identity relationships. age and nationality to a car-rental company without having her name or contact details disclosed. the organic integration of the benefits of both structured and fluid approaches to identity attribute management remains elusive." whereas a search of the second taxonomy for foodstuffs would yield the same result! We can see that while each taxonomy is useful within a particular cultural context or set of contexts. A domestic cat is a kind of cat and is a pet. 39 Networked identity Identity relationships within a digital network may include multiple identity entities. Diana might have the UK's Driver and Vehicle Licensing Agency vouch for her driving qualification. identity attributes must somehow be matched across diverse ontologies. unstructured layer. "A cat is a kind of animal. The ITU did significant analysis of gaps in digital identity interoperability via the FGidm. (such as the country level digital object) which can add value not present in the original "White Pages" that was used . A key feature of "compound" trust relationships is the possibility of selective disclosure from one entity to another of locally relevant information. This will be done by scaling individual servers into larger groupings that represent defined "administrative domains". such extended identity relationships effectively require both (a) the existence of independent trust relationships between each pair of entities in the relationship and (b) a means of reliably integrating the paired relationships into larger relational units. An electronic white pages links various devices. it is expected to play a continued role for large scale secure identity access services. LDAPv3 can act as a lightweight standalone server. neither represents a universally valid point of view on domestic cats. 
The development of network approaches that can embody such integrated "compound" trust relationships is currently a topic of much debate in the blogosphere. UK resident with a current driving license. and changes in X.500 mesh of servers which can run the native OSI protocol. Diana's bank might assert just her banking details to the rental company. Free-tagging has emerged recently as an effective way of circumventing this challenge (to date. And if identity relationships are to reach beyond the context of a single.Digital identity Taxonomies inevitably reflect culturally and personally relative world views. focus group on identity management. Similarly. However.

php/Lexicon) Identity 2.google. Jan 2006. http:/ / www.digitalidnews. 40 Academic work Research on identity is done in a variety of disciplines such as law. References [1] K. html External links • • • • The Identity Dictionary (http://identityaccessman. political and management issues. us/ k-w.identityblog. largely now available through non-authoritative search engines.html) by Phil Windley (http:// www. identityblog. "Laws of Identity". technology.standardsoflife.uk/index.com/) Identity Weblog (http://www.idcommons.blogspot.net/) (Future of Identity in the Information Society) Network of Excellence "Digital Identity" (book) (http://www.net/index. Blog. Identity and Access Architect. Microsoft Corporation • • • • • • . and information systems alongside other social.windley. reston.co.htm) FIDIS (http://www.com/catalog/digidentity/index. preview at Google Books (http://books.fidis.org/xid) DigitalIDNews (http://www.identity20.Digital identity to look up phone numbers and email addresses.0 Keynote (http://www.php?id=69) xID Digital Identity specification for worldwide use (http://www.digitalproductions.com) by Kim Cameron. va.com/books?id=Bmn_Qf7nFiwC& printsec=frontcover&source=gbs_summary_r&cad=0#PPP1.com). The ability to leverage and extend a networked digital identity is made more practicable by the expression of the level of trust associated with the given identity through a common Identity Assurance Framework.M1) Identity Gang Lexicon (http://wiki.onghome. com/ ?p=352 [2] A Framework for Distributed Digital Object Services http:/ / www.oreilly.com/media/OSCON2005/) Ideating Identity (http://www.com/glossary.com) Digital Identity Glossary (http://blog.Cameron. cnri.

Directory information tree

A directory information tree (DIT) is data represented in a hierarchical tree-like structure consisting of the Distinguished Names (DNs) of directory service entries.

Both the X.500 protocols and the Lightweight Directory Access Protocol (LDAP) use directory information trees as their fundamental data structure.

Typically, an X.500 or LDAP deployment for a single organization will have a directory information tree that consists of two parts:
• a top level name structure for the name of the organization itself
• a representation of the data model structure within the organization

Top level naming
The top levels of a directory information tree frequently represent political and geographic divisions.

The original assumption of X.500 was that all directory servers would be interconnected to form a single, global namespace. The entries at the top level of the tree corresponded to countries, identified by their ISO 3166 two letter country code. The entries subordinate to a country's entry would correspond to states or provinces, and national organizations. The naming system for a particular country was determined by that country's national standards body or telecommunications provider. An example DN of an early X.500/LDAP deployment might be "cn=Joe Bloggs, ou=Marketing, ou=Operations, o=Example Corporation, st=CA, c=US".

A limitation of the original directory information tree structure was the assumption that applications searching for an entry in a particular organization would navigate the directory tree by first browsing to the particular country where that organization was based, then to the region where that organization was based, then locate the entry for the organization itself, and then search within that organization for the entry in question. The desire to support searching more broadly for an individual person when all the particulars of that person's location or organization were not known led to experiments in directory deployment and interconnection, such as the Common Indexing Protocol.

Today, most LDAP deployments, and in particular Active Directory deployments, are not interconnected into a single global naming space, and do not use national country codes as the basis for naming. Instead, these deployments follow a directory structure which at the top level mirrors that of the Domain Name System, as described by RFC 2247. For example, the entry for an organization with domain name "example.com" would have a distinguished name of "dc=example, dc=com", and all entries in that organization's directory information tree would contain that distinguished name suffix.

Organizational structure
The elements of an organization represented in the directory (e.g. people, roles, or devices) in a DIT may be modeled by a variety of techniques. The determining factors include:
• requirements of the applications which will be searching and updating the directory
• the requirement to provide a unique name for each entry
• the desire for stability of the directory structure
• the desire for human-readability of the Distinguished Names of entries in the directory
• the ease of importing data into the directory from existing databases and other directories

Early deployments of X.500 within corporations and institutions with entries representing the employees of those organizations often used a DIT structure which mirrored the organizational structure, with organizational unit entries corresponding to departments or divisions of the organization. The relative distinguished names of the entries for employees were often formed from the common names of the individual employees.
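As an added example (not part of the original article), the following Python builds DNs in both conventions described here, country-based and RFC 2247 domain-component naming, and shows what a departmental transfer costs under each: a DN that mirrors organizational structure must be renamed, whereas an identifier-based RDN under a flat container only needs an attribute change. Values are escaped per RFC 4514 so that a name containing a comma cannot be read as an extra RDN; all names and identifiers are constructed.

```python
"""DN construction for the naming styles in the DIT section (constructed example)."""

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 rules).

    Without this, a value such as 'Bloggs, Joe' would parse as two RDNs.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def domain_to_dc_suffix(domain: str) -> str:
    """Map a DNS domain to its dc= suffix as described by RFC 2247."""
    labels = [lbl for lbl in domain.strip(".").split(".") if lbl]
    return build_dn([("dc", lbl) for lbl in labels])


def hierarchical_dn(cn, org_units, org, state, country):
    """Early X.500 style: geography and organizational structure in the DN."""
    rdns = [("cn", cn)] + [("ou", ou) for ou in org_units]
    rdns += [("o", org), ("st", state), ("c", country)]
    return build_dn(rdns)


def flat_dn(uid, domain):
    """Modern style: an organizationally assigned identifier in a flat container
    beneath the RFC 2247 domain suffix."""
    return build_dn([("uid", uid), ("ou", "People")]) + "," + domain_to_dc_suffix(domain)


def plan_transfer(style, entry, new_ous, domain="example.com"):
    """Return the LDAP operation a departmental transfer requires.

    Hierarchical naming needs a moddn (the entry is moved/renamed, so any DN
    stored elsewhere as a key becomes stale); flat naming needs only a modify
    of the ou attribute and the DN stays stable.
    """
    if style == "hierarchical":
        old = hierarchical_dn(entry["cn"], entry["ou"], entry["o"], entry["st"], entry["c"])
        new = hierarchical_dn(entry["cn"], new_ous, entry["o"], entry["st"], entry["c"])
        return ("moddn", old, new)
    return ("modify", flat_dn(entry["uid"], domain), {"ou": list(new_ous)})
```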

The disadvantage of this approach is that when the organizational structure is changed, or if employees change their legal name, or are transferred to different departments, it can require the moving or renaming of entries in the directory, which adds both complexity and overhead and can also upset applications not designed to deal gracefully with such moves.

Today, many large deployments of X.500 or LDAP use a single, flat namespace for the entries, and choose to name the entries for individuals based on a relative distinguished name that is an organizationally-assigned identifier, such as a username or an employee number. Today, a DN might resemble "uid=00003, ou=People, dc=example, dc=com". The advantage of this structure is that entries need not be moved even when employees change their name, and applications which may be using the DN as a unique identifier (e.g. in a database) do not need to be touched. These changes can be effected through just an attribute modification.

Directory System Agent

A Directory System Agent (DSA) is the element of a X.500 directory service that provides User Agents with access to a portion of the directory (usually the portion associated with a single Organizational Unit).[1] [2] [3] X.500 is an international standard developed by the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU-T). The model and function of a directory system agent are specified in ITU-T Recommendation X.501 [4].

Active Directory
In Microsoft's Active Directory the DSA is a collection of servers and daemon processes that run on Windows 2000 Server systems that provide various means for clients to access the Active Directory data store.[5] [6] Clients connect to an Active Directory DSA using various different communications protocols:
• LDAP version 3.0 — used by Windows 2000 and Windows XP clients[5] [6]
• LDAP version 2.0[5] [6]
• Security Account Manager (SAM) interface — used by Windows NT clients[5] [6]
• MAPI RPC interface — used by Microsoft Exchange Server and other MAPI clients[5] [6]
• A proprietary RPC interface — used by Active Directory DSAs to communicate with one another and replicate data amongst themselves[5] [6]

References
[1] Daniel Blum (1989-10-30). "Details of X.500 architecture". Network World (IDG Network World Inc) 6 (43): 58. ISSN 0887-7661.
[2] Zahir Tari and Omran Bukhres (2001). Fundamentals of distributed object systems: the CORBA perspective. Parallel and distributed computing. John Wiley and Sons, Inc. pp. 219. ISBN 9780471351986.
[3] "X.500: Directory Access Protocol (DAP)". Javvin Technologies. http://www.javvin.com/protocolX500.html. Retrieved 2010-10-02.
[4] http://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.501-200508-I!!PDF-E&type=items
[5] "Platform SDK: Active Directory: Directory System Agent". MSDN. Microsoft. http://msdn.microsoft.com/library/en-us/ad/ad/directory_system_agent.asp. Retrieved 2005-09-22.
[6] "Active Directory: Active Directory Diagnostics, Troubleshooting, and Recovery: Summary of Active Directory Architecture: Directory System Agent". Windows 2000 Server Resource Kit. Microsoft. http://technet.microsoft.com/en-us/library/cc961806.aspx. Retrieved 2005-09-22.

RFCs
• RFC 2148 — Deployment of the Internet White Pages Service

Electronic authentication

Electronic authentication (E-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network, for the purpose of electronic government and commerce.

E-Authentication Model
E-authentication is the process of establishing confidence in user identities electronically presented to an information system. Systems can use the authenticated identity to determine if that individual is authorized to perform an electronic transaction. In most cases, the authentication and transaction take place across an open network such as the Internet; however in some cases access to the network may be limited and access control decisions may take this into account.

E-authentication begins with registration. An applicant applies to a Registration Authority (RA) to become a subscriber of a Credential Service Provider (CSP) and, as a subscriber, is issued or registers a secret, called a token, and a credential that binds the token to a name and possibly other attributes that the RA has verified. The token and credential may be used in subsequent authentication events.

The subscriber's name may either be a verified name or a pseudonym. A verified name is associated with the identity of a real person and before an applicant can receive credentials or register a token associated with a verified name, he or she must demonstrate that the identity is a real identity, and that he or she is the person who is entitled to use that identity. This process is called identity proofing, and is performed by an RA that registers subscribers with the CSP.

When a claimant successfully demonstrates possession and control of a token in an on-line authentication to a verifier through an authentication protocol, the verifier can verify that the claimant is the subscriber. The verifier passes on an assertion about the identity of the subscriber to the relying party. That assertion includes identity information about a subscriber, such as the subscriber name, an identifier assigned at registration, or other subscriber attributes that were verified in the registration process (subject to the policies of the CSP and the needs of the application). Where the verifier is also the relying party, the assertion may be implicit. The relying party can use the authenticated information provided by the verifier/CSP to make access control or authorization decisions.

Subscribers, RAs and CSPs
In the conceptual e-authentication model, a claimant in an authentication protocol is a subscriber to some CSP. At some point, an applicant registers with an RA, which verifies the identity of the applicant, typically through the presentation of paper credentials and by records in databases. This process is called identity proofing. The RA, in turn, vouches for the identity of the applicant (and possibly other verified attributes) to a CSP. The applicant then becomes a subscriber of the CSP. The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber. There is always a relationship between the RA and CSP. In the simplest and perhaps the most common case, the RA/CSP are separate functions of the same entity. However, an RA might be part of a company or organization that registers subscribers with an independent CSP, or several different CSPs. Therefore a CSP may have an integral RA, or it may have relationships with multiple independent RAs, and an RA may have relationships with different CSPs as well. In addition, the subscriber's identifying information may be incorporated in credentials (e.g., public key certificates) made available by the claimant.

Tokens
Tokens generically are something the claimant possesses and controls that may be used to authenticate the claimant's identity. In e-authentication, the claimant authenticates to a system or application over a network. Therefore, a token used for e-authentication is a secret and the token must be protected. The token may, for example, be a cryptographic key, that is protected by encrypting it under a password. An impostor must steal the encrypted key and learn the password to use the token.

Authentication systems are often categorized by the number of factors that they incorporate. The three factors often considered as the cornerstone of authentication are:
• Something you know (for example, a password)
• Something you have (for example, an ID badge or a cryptographic key)
• Something you are (for example, a voice print or other biometric)

Electronic Credentials
Paper credentials are documents that attest to the identity or other attributes of an individual or entity called the subject of the credentials. Some common paper credentials include passports, birth certificates, driver's licenses, and employee identity cards. The credentials themselves are authenticated in a variety of ways: traditionally perhaps by a signature or a seal, special papers and inks, high quality engraving, and today by more complex mechanisms, such as holograms, that make the credentials recognizable and difficult to copy or forge. In some cases, simple possession of the credentials is sufficient to establish that the physical holder of the credentials is indeed the subject of the credentials. More commonly, the credentials contain biometric information such as the subject's description, a picture of the subject or the handwritten signature of the subject that can be used to authenticate that the holder of the credentials is indeed the subject of the credentials. When these paper credentials are presented in-person, authentication biometrics contained in those credentials can be checked to confirm that the physical holder of the credential is the subject.

Electronic identity credentials bind a name and perhaps other attributes to a token. This recommendation does not prescribe particular kinds of electronic credentials. There are a variety of electronic credential types in use today, and new types of credentials are constantly being created. At a minimum, credentials include identifying information that permits recovery of the records of the registration associated with the credentials and a name that is associated with the subscriber.

Verifiers
In any authenticated on-line transaction, the verifier must verify that the claimant has possession and control of the token that verifies his or her identity. A claimant authenticates his or her identity to a verifier by the use of a token and an authentication protocol. This is called Proof of Possession (PoP). Many PoP protocols are designed so that a verifier, with no knowledge of the token before the authentication protocol run, learns nothing about the token from the run. The verifier and CSP may be the same entity, the verifier and relying party may be the same entity or they may all three be separate entities. It is undesirable for verifiers to learn shared secrets unless they are a part of the same entity as the CSP that registered the tokens. Where the verifier and the relying party are separate entities, the verifier must convey the result of the authentication protocol to the relying party. The object created by the verifier to convey this result is called an assertion.
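The model above, as an added Python example that is not part of the original text: an RA performs identity proofing, a CSP issues a token and credential, the claimant proves possession of the token to the verifier with a challenge-response, and the verifier hands a signed assertion to a separate relying party. It assumes the verifier is the same entity as the CSP (the one case in which the text allows the verifier to hold the shared secret), so an HMAC-based PoP is used; the RA's records, names and keys are constructed.

```python
"""E-authentication model as described above: RA proofing, CSP issuance, PoP
to the verifier (here the CSP itself), signed assertion to the relying party.
Constructed example: records, names and keys are made up."""
import hashlib
import hmac
import json
import secrets


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class RegistrationAuthority:
    """Identity proofing against records the RA holds (constructed data)."""

    def __init__(self, records):
        self.records = records  # paper-credential number -> verified facts

    def identity_proof(self, applicant_name, paper_credential_number):
        rec = self.records.get(paper_credential_number)
        if rec is None or rec["name"] != applicant_name:
            return None  # proofing failed; no credential may be issued
        return {"name": applicant_name, "verified": dict(rec["attributes"])}


class CredentialServiceProvider:
    """Issues tokens and credentials and also acts as verifier, the one case in
    which a verifier may legitimately hold the subscriber's shared secret."""

    def __init__(self, assertion_key):
        self.tokens, self.credentials = {}, {}   # keyed by subscriber id
        self.assertion_key = assertion_key       # shared with the relying party
        self.open_nonces = set()                 # challenges not yet answered

    def register(self, vouched):
        sub = "sub-" + secrets.token_hex(4)
        token = secrets.token_bytes(32)  # the secret the subscriber must protect
        self.tokens[sub] = token
        self.credentials[sub] = {"subscriber": sub, "name": vouched["name"],
                                 "attributes": vouched["verified"]}
        return token, self.credentials[sub]

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def verify_pop(self, subscriber, nonce, response):
        """Each nonce is accepted once, so a captured response cannot be replayed."""
        if nonce not in self.open_nonces or subscriber not in self.tokens:
            return False
        self.open_nonces.discard(nonce)
        return hmac.compare_digest(_mac(self.tokens[subscriber], nonce.encode()), response)

    def issue_assertion(self, subscriber, audience, now, lifetime=300):
        """Assertion for the relying party: name, verified attributes, audience
        and expiry, authenticated with the key shared with that party."""
        cred = self.credentials[subscriber]
        body = {"subscriber": subscriber, "name": cred["name"],
                "attributes": cred["attributes"], "aud": audience, "exp": now + lifetime}
        payload = json.dumps(body, sort_keys=True).encode()
        return payload, _mac(self.assertion_key, payload)


def claimant_response(token, nonce):
    """PoP: the claimant proves control of the token without transmitting it."""
    return _mac(token, nonce.encode())


class RelyingParty:
    def __init__(self, name, assertion_key):
        self.name, self.assertion_key = name, assertion_key

    def accept(self, payload, sig, now):
        """Return the asserted identity, or None if the assertion is untrusted."""
        if not hmac.compare_digest(_mac(self.assertion_key, payload), sig):
            return None
        body = json.loads(payload)
        if body["aud"] != self.name or body["exp"] < now:
            return None  # meant for another relying party, or stale
        return body


def run_flow(now=1_000_000):
    """End-to-end run with constructed data; returns what the relying party learns."""
    ra = RegistrationAuthority({"DL-1234": {"name": "Diana Example",
                                            "attributes": {"age_over_18": True}}})
    key = b"constructed key shared by CSP and relying party"
    csp, rp = CredentialServiceProvider(key), RelyingParty("car-rental", key)
    vouched = ra.identity_proof("Diana Example", "DL-1234")
    token, cred = csp.register(vouched)  # the applicant is now a subscriber
    nonce = csp.challenge()
    if not csp.verify_pop(cred["subscriber"], nonce, claimant_response(token, nonce)):
        return None
    payload, sig = csp.issue_assertion(cred["subscriber"], "car-rental", now)
    return rp.accept(payload, sig, now)
```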

Federated identity

In information technology a federated identity has the meaning of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems[1].

Related to federated identity is Single sign-on (SSO), where a user's authentication process takes place across multiple IT systems or even organizations. SSO is a subset of Federated Identity Management, as it relates only to authentication and is understood on the level of technical interoperability.

Federated Identity Management
FIDM, Federated Identity Management, amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations[1]. FIDM allows users to reuse electronic identities, saves administrators redundant work in maintaining user accounts and provides a consistent, trustworthy infrastructure component.

References
[1] http://www.projectliberty.org/liberty/content/download/387/2720/file/Liberty_Federated_Social_Identity.pdf

Federated identity management

In information technology, federated identity management, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise controlled or B2B scenarios.

Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use cases. Typical use-cases involve things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.

Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to redundantly login through cross-domain single sign-on.

The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user, user-to-application as well as application-to-application use-case scenarios at both the browser tier as well as the web services or service-oriented architecture (SOA) tier. It can involve high-trust, high-security scenarios as well as low-trust, low security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open Identity Assurance Framework. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company. Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the OASIS Security Assertion Markup Language (SAML) specification, and some of which may involve open source technologies and/or other openly published specifications (e.g. Information Cards, OpenID, the Higgins trust framework or Novell's Bandit project). One thing that is consistent, however, is the fact that "federation" does describe methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability.

Background
Centralized identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same "domain of control". Increasingly however, users are accessing external systems which are fundamentally outside of their domain of control, and external users are accessing internal systems. The increasingly common separation of user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain issues, has given rise to a new approach of identity management, known now as "federated identity management".

Links
• Article from EWeek.com on "What is Federated Identity Management?" (http://www.eweek.com/article2/0,4149,1378436,00.asp)
• Ping Identity on "Federated Identity Management: A Beginners Guide" (http://www.pingidentity.com/information-library/Federated-Identity-Management-Tutorial.cfm)
• Deciphering Identity Federation (http://www.searchsecurityasia.com/content/deciphering-identity-federation)
• Overview from Sun on "What is Federated Identity Management?" (http://www.sun.com/software/media/flash/demo_federation/index.html)
• Authentication Federation Article from AuthenticationWorld (http://www.authenticationworld.com/Authentication-Federation/)
• Ideating Identity (http://www.digitalproductions.co.uk/index.php?id=69)

Federated Naming Service

In computing, the Federated Naming Service (FNS) or XFN (X/Open Federated Naming) is a system for uniting various name services under a single interface for the basic naming operations. It is produced by X/Open and included in various Unix operating systems such as Solaris Operating Environment versions 2.5 to 9. The purpose of XFN and FNS is to allow applications to use widely heterogeneous naming services (such as NIS, DNS and so on) via a single interface, to avoid duplication of programming effort. Unlike the similar LDAP, neither XFN nor FNS were ever popular nor widely used. FNS was last included in Solaris 9 and was not included with Solaris 10.

External links and references
• Overview of FNS [1] (Solaris 9 man page)
• Overview of the XFN interface [2] (Solaris 9 man page)
• X/Open Federated Naming - specification for uniform naming interfaces between multiple naming systems [3] (Elizabeth A. Martin, Hewlett-Packard Journal, December 1995)
• Federated Naming Service Guide for Solaris 2.5 [4] (Sun Microsystems)

References
[1] http://iforce.sun.com/protected/solaris10/adoptionkit/general/fns.txt
[2] http://iforce.sun.com/protected/solaris10/adoptionkit/general/xfn.txt
[3] http://findarticles.com/p/articles/mi_m0HPJ/is_n6_v46/ai_17990730
[4] http://docs.sun.com/app/docs/doc/802-1999/

Future of Identity in the Information Society

The Future of Identity in the Information Society (FIDIS) is a large EU-sponsored NoE (Network of Excellence) targeting various aspects of digital identity and privacy. Identity in the Information Society is an academic journal created by FIDIS.

Springer Books
The Springer Book Profiling the European Citizen (Hildebrandt & Gutwirth 2008): Profiling the European Citizen is the result of research conducted within the framework of the EU funded FIDIS (Future of Identity of Information Society) NoE (Network of Excellence). It has been edited by Mireille Hildebrandt and Serge Gutwirth of the centre for Law Science Technology and Society studies (LSTS) of the Vrije Universiteit Brussel. From outside the FIDIS network, professor Roger Brownsword of the Centre of Law, Technology and Ethics in Society (TELOS) of King's College London has contributed a discussion of the potential pitfalls of profiling from the perspective of legal philosophy.

The Springer Book The Future of Identity in the Information Society - Challenges and Opportunities (Rannenberg, Royer & Deuker 2009): A synthesis of the results of the project.

Publications
• Hildebrandt, Mireille; Gutwirth, Serge, eds (2008). Profiling the European Citizen. Cross Disciplinary Perspectives [1]. Dordrecht: Springer. pp. 374. doi:10.1007/978-1-4020-6914-7. ISBN 978-1-4020-6913-0.
• Halperin, Ruth; Backhouse, James (2008). "A roadmap for research on identity in the information society". Identity in the Information Society (Springer) 1: 71–87. doi:10.1007/s12394-008-0004-0.
• Rannenberg, Kai; Royer, Denis; Deuker, André, eds (2009). The Future of Identity in the Information Society. Challenges and Opportunities [2]. Dordrecht: Springer. pp. 508. ISBN 978-3-540-88480-4.

Participants
• Johann Wolfgang Goethe University Frankfurt am Main (coordinator)
• Joint Research Centre / IPTS
• Vrije Universiteit Brussel
• INSEAD
• University of Reading
• Tilburg University
• K.U. Leuven
• Karlstad University
• TU Berlin
• TU Dresden
• IBM
• Microsoft
• Netherlands Forensic Institute
• London School of Economics

External links
• The FIDIS Project Website [3]

References
[1] http://dx.doi.org/10.1007%2F978-1-4020-6914-7
[2] http://www.springer.com/business/business+information+systems/book/978-3-540-88480-4
[3] http://www.fidis.net

Group (computing)

In computing, the term group generally refers to a grouping of users. In principle, users may belong to none, one, or many groups (although in practice some systems place limits on this).

The primary purpose of user groups is to simplify access control to computer systems.

Suppose a computer science department has a network which is shared by students and academics. The department has made a list of directories which the students are permitted to access and another list of directories which the staff are permitted to access. Without groups, administrators would give each student permission to every student directory, and each staff member permission to every staff directory. In practice, that would be very unworkable: every time a student or staff member arrived, administrators would have to allocate permissions on every directory.

With groups, the task is much simpler: create a student group and a staff group, placing each user in the proper group. The entire group can be granted access to the appropriate directory. To add or remove an account, one only needs to do it in one place (in the definition of the group), rather than on every directory. This workflow provides clear separation of concerns: to change access policies, alter the directory permissions; to change the individuals which fall under the policy, alter the group definitions.

Uses of groups

The primary uses of groups are:
• Access control
• Accounting - allocating shared resources like disk space and network bandwidth
• Default per-user configuration profiles - e.g. by default, every staff account could have a specific directory in their PATH
• Content selection - only display content relevant to group members - e.g. this portal channel is intended for students; this mailing list is for the chess club

Static vs. dynamic groups

Traditionally groups are static: one defines a group by individually selecting its members. Many systems (especially LDAP systems) offer the facility of dynamic groups. In dynamic groups, an administrator can specify search criteria. All users which match the search criteria will be considered a member of this dynamic group.

For example, one might build an LDAP directory using source data from a student administration system. The student system could provide an attribute degreeCode, which might be a numeric code identifying the degree program in which the student is enrolled. Suppose then that degreeCode 55 is Bachelor of Computer Science. We could then define a group "BCS-Students" as "(degreeCode=55)". Having defined the group, we do not need to manually modify its membership: its membership will change automatically as updates flow through the system. One can construct even more complex definitions: "BCS-Students-1" could be "(&(degreeCode=55)(enrolmentYear=1))" (meaning: a user is a member of the 'BCS-Students-1' group if it's true they're enrolled in the BSc Computer Science degree program and they're in their first year, i.e. Computer Science freshmen).

Some systems also provide joinable groups, which are groups to which users may elect to add themselves, without relying on a system administrator. Joinable groups are not intended to be used for access control, but rather for such purposes as electronic mailing lists.

Delegable group administration

Many systems provide facilities for delegation of group administration. In these systems, when a group is created, one or more users may be named as group administrators. These group administrators are then capable of adding and removing other users from the group.
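The department example above, worked through as code. This is an added example and not part of the original article: it models a handful of constructed directory entries, evaluates dynamic groups with a parser for the subset of LDAP filter syntax the text uses ("(attr=value)", "&", "|", "!"), keeps one static joinable group, and grants directory access to groups rather than to accounts. The attribute names degreeCode and enrolmentYear come from the article; the user entries, the ou attribute, the ACL paths and all function names are assumptions made for this example. The groups_of lookup at the end illustrates the enumeration cost that the Roles comparison below describes.

```python
"""Static vs dynamic groups over a small, constructed LDAP-style directory."""
import re

# Constructed sample entries: uid -> attributes (a simplified LDAP entry).
USERS = {
    "alice": {"ou": "students", "degreeCode": "55", "enrolmentYear": "1"},
    "bob":   {"ou": "students", "degreeCode": "55", "enrolmentYear": "3"},
    "carol": {"ou": "students", "degreeCode": "12", "enrolmentYear": "1"},
    "dave":  {"ou": "staff"},
}

# Equality item only; values with parentheses or RFC 4515 escapes are rejected.
_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def parse_filter(text):
    """Parse (attr=value), (&...), (|...), (!...) into a nested tuple AST."""
    ast, rest = _parse_one(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return ast


def _parse_one(text):
    if len(text) < 2 or text[0] != "(":
        raise ValueError("filter must start with '(': %r" % text)
    op = text[1]
    if op in "&|!":
        children, rest = [], text[2:]
        while rest.startswith("("):
            child, rest = _parse_one(rest)
            children.append(child)
        if not children or not rest.startswith(")"):
            raise ValueError("unterminated or empty filter: %r" % text)
        rest = rest[1:]
        if op == "!":
            if len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return ("not", children[0]), rest
        return ("and" if op == "&" else "or", children), rest
    m = _ITEM.match(text)
    if not m:
        raise ValueError("bad equality item: %r" % text)
    return ("eq", m.group(1), m.group(2)), text[m.end():]


def matches(ast, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = ast[0]
    if kind == "eq":
        return entry.get(ast[1]) == ast[2]
    if kind == "and":
        return all(matches(c, entry) for c in ast[1])
    if kind == "or":
        return any(matches(c, entry) for c in ast[1])
    return not matches(ast[1], entry)  # "not"


class StaticGroup:
    """Membership is an explicit list stored on the group."""
    def __init__(self, name, members=()):
        self.name, self.members = name, set(members)

    def member(self, uid, users):
        return uid in self.members


class DynamicGroup:
    """Membership is whatever currently matches the filter."""
    def __init__(self, name, ldap_filter):
        self.name, self.ast = name, parse_filter(ldap_filter)

    def member(self, uid, users):
        return uid in users and matches(self.ast, users[uid])


GROUPS = {
    "students": DynamicGroup("students", "(ou=students)"),
    "staff": DynamicGroup("staff", "(ou=staff)"),
    "BCS-Students": DynamicGroup("BCS-Students", "(degreeCode=55)"),
    "BCS-Students-1": DynamicGroup("BCS-Students-1", "(&(degreeCode=55)(enrolmentYear=1))"),
    "chess-club": StaticGroup("chess-club", {"bob"}),  # joinable; not used for access control
}

# Constructed ACL: paths are granted to groups, never to individual accounts.
ACL = {
    "/srv/students": {"students"},
    "/srv/staff": {"staff"},
    "/srv/courses/cs101": {"BCS-Students-1", "staff"},
}


def members_of(group_name, users=USERS, groups=GROUPS):
    """Enumerate a group: cheap for a static list, a scan for a dynamic one."""
    g = groups[group_name]
    return sorted(uid for uid in users if g.member(uid, users))


def groups_of(uid, users=USERS, groups=GROUPS):
    """Enumerate a user's groups. With group-side membership this must test
    every group, which is the trade-off that motivates storing roles on the user."""
    return sorted(name for name, g in groups.items() if g.member(uid, users))


def can_access(uid, path, users=USERS, groups=GROUPS, acl=ACL):
    """Access decision: is the user in any group the path is granted to?"""
    return any(groups[g].member(uid, users) for g in acl.get(path, ()))


if __name__ == "__main__":
    print(members_of("BCS-Students-1"), can_access("bob", "/srv/courses/cs101"))
```

Adding a new entry with degreeCode 55 and enrolmentYear 1 makes it a member of BCS-Students-1 without touching the group, which is the point of the dynamic definition. One caveat the article leaves implicit: because dynamic membership is driven by a filter, any filter text built from user input must have its values escaped, otherwise a crafted value such as `*)(ou=staff` changes who the group contains.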

Roles

Some systems (e.g. Sun/Netscape/iPlanet LDAP servers) distinguish between groups and roles. These concepts are mostly equivalent: the main difference is that with a group, its membership is stored as an attribute of the group, whereas with roles, the membership is stored within the users, as a list of roles they belong to. The difference is essentially one of performance trade-offs, in terms of which type of access will be faster: the process of enumerating the membership of a given collection (faster for groups), or the process of enumerating which collections this user belongs to (faster for roles).

Identity access management

Identity Access Management (IAM) encapsulates people, processes and products to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources. The goal of IAM is to provide appropriate access to enterprise resources.

Overview

The ability of an organization to rapidly search, identify and verify who is accessing the systems is a critical aspect of meeting security and compliance requirements for the organization. Its goal is to provide the right access to the right people in order to protect information sources. IAM comprises four main components, namely Authentication, Authorization, User Management and Central User Repository.

Authentication

This area covers authentication and session management within user applications. Userid/password authentication is the most common approach to providing access control and information privacy to user and enterprise information. Implementing IAM helps manage different sessions of the users from centralized locations.

Authorization

Authorization determines whether the user has the required permission or access right to a particular resource. IAM checks the user access request against authorization policies of the organization. Authorization includes user attributes, groups to which the user belongs, access channels, data resources that can be accessed, and perhaps more complex access criteria, such as time-based access or complex business rules that determine dynamic permissions granted to the user. It is at this point that organizations can implement role-based access controls.

User management activities

IAM defines rules for administrative functions like password resetting, identity creation, propagation, and user identity and privileges management. This module also manages the entire user life-cycle, right from identity creation to final de-provisioning from the accounts database. It is necessary to install an integrated workflow system that can take care of user management activities.

Central user repositories

By implementing IAM systems the organization can store and deliver identity information from a single authoritative source to other IT services and can provide verification on demand. This module presents a logical view of existing identities and their relationships to various other systems. These repositories can be physical or virtually maintained depending on the growing volume of identities.

Industries that benefit from identity access management

Business value improves when the organization is able to appropriately protect its information assets. IAM requires that every business owner, employee, executive and business group work towards setting up a secure, reliable and readily available work environment. IAM can enable new users, employees or contractors to gain necessary information from applications so that they can be productive and at the same time allow the organization to keep a check on the access rights as their roles require. IAM provides the ability to open up only select subsets of the organization's information sites to customers, vendors and partners, providing effective information exchange that can be adapted to a particular user group. IAM provides the kind of reliability and accessibility to user access control that is imperative to most e-business sites these days. Industries that can benefit from IAM include online banking, service delivery and retail sites.

Key Benefits of implementing identity access management
• A phased approach to providing access controls helps you identify loopholes in control points
• Enhances business value by improving security
• Improves compliance with various industry regulations and creates opportunities for new business initiatives
• Reduces overall effort of IT administration
• Improves employee productivity
• More effective customer support
• Eases IT management in large organizations and can enhance overall ROI for business
• Provides a scalable approach that enables IT expansion in growing organizations
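The life-cycle that the user management and central repository sections describe (create on joining, propagate attribute changes, de-provision on leaving, all driven from a single authoritative source) is shown below as a reconciliation pass. This is an added example, not code from the original text or from any product it names: the HR records, the target application's account list, the field names and the action vocabulary (create, update, disable, orphan) are all constructed for the illustration. The pass computes the actions a connector would apply, and a second pass after applying them reports only what cannot be fixed automatically.

```python
"""Reconcile an authoritative identity source against a target system's accounts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """One record from the authoritative source (constructed HR feed)."""
    employee_id: str
    login: str
    email: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    """One account as it exists in a target application (constructed)."""
    login: str
    email: str
    department: str
    enabled: bool
    employee_id: str = ""  # empty when the target never learned who owns it


# Attributes propagated from source to target whenever they differ.
PROPAGATED = ("email", "department")


def reconcile(source, target):
    """Return the ordered provisioning actions that align `target` with `source`.

    Actions are tuples starting with one of: create, update, disable, orphan.
    Nothing is applied here; a connector would execute and audit-log the list.
    """
    by_owner = {a.employee_id: a for a in target if a.employee_id}
    claimed, actions = set(), []
    for ident in sorted(source, key=lambda i: i.employee_id):
        acct = by_owner.get(ident.employee_id)
        if ident.status == "terminated":
            # De-provision by disabling, not deleting: the account's history
            # stays attributable and a wrongly recorded leaver can be restored.
            if acct is not None:
                claimed.add(acct.login)
                if acct.enabled:
                    actions.append(("disable", acct.login))
            continue
        if acct is None:
            attrs = {"employee_id": ident.employee_id}
            attrs.update({k: getattr(ident, k) for k in PROPAGATED})
            actions.append(("create", ident.login, attrs))
            continue
        claimed.add(acct.login)
        changes = {k: getattr(ident, k) for k in PROPAGATED
                   if getattr(acct, k) != getattr(ident, k)}
        if not acct.enabled:
            changes["enabled"] = True  # rehire or reactivation
        if changes:
            actions.append(("update", acct.login, changes))
    # Accounts that no active or terminated source identity owns: the
    # leftovers that de-provisioning exists to prevent. Flagged, not deleted.
    for acct in target:
        if acct.login not in claimed:
            actions.append(("orphan", acct.login))
    return actions


def apply(actions, target):
    """Apply the connector-side effect of each action to `target` in place."""
    by_login = {a.login: a for a in target}
    for act in actions:
        kind, login = act[0], act[1]
        if kind == "create":
            a = act[2]
            acct = Account(login, a["email"], a["department"], True, a["employee_id"])
            target.append(acct)
            by_login[login] = acct
        elif kind == "update":
            for k, v in act[2].items():
                setattr(by_login[login], k, v)
        elif kind == "disable":
            by_login[login].enabled = False
        # "orphan" is a finding for a human, not an automatic change.
    return target


# Constructed sample data.
SOURCE = [
    Identity("E100", "asmith", "asmith@example.org", "finance", "active"),
    Identity("E101", "bjones", "bjones@example.org", "engineering", "active"),
    Identity("E102", "cwu", "cwu@example.org", "engineering", "terminated"),
    Identity("E103", "dlee", "dlee@example.org", "sales", "active"),
]
TARGET = [
    Account("asmith", "asmith@example.org", "finance", True, "E100"),
    Account("bjones", "bjones@example.org", "marketing", True, "E101"),  # moved department
    Account("cwu", "cwu@example.org", "engineering", True, "E102"),      # left, still enabled
    Account("svc-backup", "ops@example.org", "it", True),                # no owner on record
]

if __name__ == "__main__":
    for action in reconcile(SOURCE, TARGET):
        print(action)
```

The orphan finding is the one the security team cares most about: an enabled account that no identity in the authoritative source owns is exactly what a missed de-provisioning leaves behind, and it should be reviewed rather than silently deleted.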

Identity as a service

Identity as a Service (IDaaS) is an approach to digital identity management in which an entity (organization or individual) relies on a service provider to make use of a specific functionality that allows the entity to perform an electronic transaction which requires identity data managed by the service provider. [1] [2] [3] [4] This definition focuses on the interaction of four elements: the entity, the service provider (which could be the entity in some cases), the specific functionality and the electronic transaction. In this context, functionality includes but is not limited to registration, identity verification, attributes and their lifecycle management, authentication, federation, roles and entitlement management, risk and activity monitoring, provisioning and reporting.

Considerations
• This is not just a technical definition. The definition of ownership, responsibilities and liabilities is significant to all parties involved in IDaaS. It is important to think about IDaaS from a legal and jurisdictional standpoint as well.
• IDaaS applies to both Enterprise and consumer identity management. Evidently, the actors, the types of transactions, the levels of sensitivity in them, and other elements will vary greatly from Enterprise to Consumer environments, but the notion of how digital identity management applies to each could be thought of in the context of IDaaS.
• While IDaaS is particularly relevant for cloud computing based services, IDaaS could also apply to on-premise models. In this context, organizations can view their internally-facing (and possibly internally deployed) identity management infrastructure as identity services, allowing the demarcation of service scope and boundaries that will make outsourced, on-premise, cloud-based models or any combination therein more concrete and easier to evaluate in business terms.
• IDaaS applies to terms in identity management such as "Cloud Identity" or "identity management co-sourcing".
• The strength, rigorousness and thoroughness by which IDaaS is provided determines its identity assurance level, which should be measurable in an objective and demonstrable way. This in turn will translate to a risk mitigation level that the parties can agree to be sufficient for a specific type of transaction.

References
[1] Frank Villavicencio (December 21, 2009). Defining Identity as a Service (http://www.identropy.com/blog/bid/29162/Defining-Identity-as-a-Service)
[2] Nishant Kaushik. Understanding Identity as a Service (http://blogs.oracle.com/talkingidentity/gems/IDaaSDIDW.pdf)
[3] Burton Group. Identity As A Service (http://www.burtongroup.com/Research/Topics/IdentityAsAService.aspx)
[4] Martin Kuppinger (January 21, 2009). Identity as a Service (http://blogs.kuppingercole.com/kuppinger/2009/01/21/identity-as-a-service/)

Identity assurance

Identity assurance, in the context of Federated Identity Management, is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity (whether a human or a machine) with which it interacts to effect a transaction can be trusted to actually belong to the entity.

In the case where the entity is a person, identity assurance is the level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued and not someone else. The level of certainty one can have about the credential is what is referred to as the "Assurance Level". Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements.

Identity Assurance

Identity assurance, in an online context, is the ability of a Relying Party to determine, with some level of certainty, that a claim to a particular identity made by some entity can be trusted to actually be the claimant's "true" identity. Identity claims are made by presenting an identity credential to the Relying Party. In the case the entity is a person, this credential may take several forms, including: (a) personally identifiable information such as name, address, birthdate, etc.; (b) an identity proxy such as a username, loginID, or email address; and (c) an X.509 digital certificate.

Identity assurance specifically refers to the degree of certainty that an identity assertion made by an Identity Provider to a Relying Party about some person actually refers to the person who made a claim of identity by presenting an identity credential to the Relying Party. In order to issue this assertion, the Identity Provider must first determine whether or not the claimant possesses and controls an appropriate token, using a predefined authentication protocol. Depending on the outcome of this authentication procedure, the assertion returned to the Relying Party by the Identity Provider allows the Relying Party to decide whether or not to trust that the identity associated with the credential actually "belongs" to the person presenting the credential.

The degree of certainty that a Relying Party can have about the true identity of someone presenting an identity credential, after receiving an identity assertion from an Identity Provider, is what is referred to as the "Assurance Level". The U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.2 (NIST800-63) [1] outlines four (4) levels of assurance, ranging in confidence level from low to very high. These four Assurance Levels have been adopted by the U.S. Federal Government, the Government of Canada and the U.K. government for categorizing electronic identity trust levels for providing electronic government services. These Assurance Levels are also recognized and referenced in the Kantara Initiative Identity Assurance Framework [2].

An assurance level describes the degree to which a relying party in an electronic exchange can, after performing certain tests to authenticate (validate) the origin of the exchange, be confident that the identity information being presented by a credential service provider (also referred to as Identity Provider or IdP) actually represents the entity referred to in it and that it is the represented entity which is actually engaging in the exchange. Assurance Levels (ALs) are determined by the kinds of technologies, processes, and policies associated with the credentials, tokens, and authentication procedures. The level of assurance provided is measured by the strength and rigor of the identity proofing process, the strength of the token used to authenticate the identity claim, and the management processes the Identity Provider applies to it.

Purpose

In order to conduct business in an online world, entities need to be able to identify themselves remotely and reliably. In most cases, however, it is not sufficient for the typical electronic credential (usually a basic userID/password pair or a digital certificate) to simply make the assertion that "I am who I say I am - believe me." A relying party (RP) needs to be able to know to some degree of certainty that the presented electronic identity credential truly represents the individual presenting the credential. In the case of self-issued credentials, this isn't possible. However, most electronic identity credentials are issued by identity providers (IdPs): the workplace network administrator, a social networking service, an online game administrator, a government entity, or a Trusted Third Party that sells digital certificates. Most people have multiple credentials from multiple providers.

Four separate audiences are affected by the transaction---and the inherent trust therein:
1. Users of electronic identity credentials,
2. Entities that rely upon the credentials issued by electronic identity providers (IdP),
3. Providers of IdP services and auditors or assessors who review the business processes of IdPs, and
4. Relying Parties (RPs) who must trust electronic identity credentials provided by IdPs

Different IdPs follow different policies and procedures for issuing electronic identity credentials. In the business world, and especially in government, the more stringent the rules governing identity proofing, credential management and the kind of credentials issued, the more trustworthy the credential. But while different IdPs follow their own rules, more and more end users (often called subscribers) and online services (often called relying parties) wish to trust existing credentials and not issue yet another set of userID/passwords or other credentials for use to access one service. This is where the concept of Federated Identity becomes important. Federated Identity provides IdPs and relying parties with a common set of identity trust conventions that transcend individual identity service providers, users, or networks, so that a relying party will know it can trust a credential issued by IdP 'A' at a level of assurance comparable to a common standard, which will also be agreed upon by IdPs 'B,' 'C,' and 'D.'

History

The work began within the Liberty Alliance in early 2007, and the first public draft was published in November 2007, with version 1.1 released in June 2008. The Kantara Initiative Identity Assurance Work Group (IAWG) was formed in 2009 to foster adoption of identity trust services. It continued the advancement of the Liberty Alliance Identity Assurance Framework, which was based, in part, on the Electronic Authentication Partnership Trust Framework and the US E-Authentication Federation Credential Assessment Framework, initiatives designed for the sole purpose of enabling interoperability among electronic authentication systems. As such, it defined a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications. The Kantara Initiative Identity Assurance Framework (IAF), published in December 2009, consists of many different documents that detail the levels of assurance and the certification program that bring the Framework to the marketplace.

Several presentations on the application of the Identity Assurance Framework have been given by various organizations, including Wells Fargo [3] and Fidelity Investments [4], and case studies about Aetna [5] and Citigroup [6] are also available. Work is ongoing within the Liberty Alliance in 2009: the Identity Assurance Expert Group within Liberty Alliance is also working collaboratively on identity assurance with the ITU-T (via the ITU-T SG17Q6 Correspondence Group on X.EAA on harmonization and international standardization of the Identity Assurance Framework---work commenced Sept. 2008), ISOC (ISO SC27 29115 Harmonization with Identity Assurance Framework, among other contributions), and the American Bar Association (collaboration to develop a model trade agreement for federated identity). For example, the South East Michigan Health Information Exchange (SEMHIE) has adopted the Kantara Initiative Identity Assurance Framework (IAF) as its open trust framework. [7]

Identity Assurance Framework

The Identity Assurance Framework (IAF) [2] provides the policies to assure a Relying Party to have confidence in a Federated Identity that is assured by an Identity Provider (IdP). The degree of confidence in Identity assurance is represented by a commonly agreed-upon "level of assurance." The IAF specifies the way IdPs have to run their services and how the IdPs are audited to ensure they are operating their services in conformance with their proclaimed level(s) of assurance and the stated terms of service. The IAF consists of a set of documents that includes an Overview [2] publication, the IAF Glossary [8], a summary Assurance Levels document [9], and an Assurance Assessment Scheme (AAS) [10], which encompasses the associated assessment and certification program, as well as several subordinate documents, among them the Service Assessment Criteria (SAC) [11], which establishes baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated.

See also
• Identity Assurance Framework [12]

External links
• Kantara Initiative Identity Assurance Work Group [13]

References
[1] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
[2] http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1000-Overview.pdf
[3] http://www.projectliberty.org/liberty/resource_center/presentations_webcasts/real_world_identity_assurance_wells_fargo_demonstration_of_identity_assurance_principles_in_action
[4] http://www.projectliberty.org/liberty/resource_center/presentations_webcasts/liberty_alliance_webcast_title_the_journey_from_concept_to_reality_identity_assurance_in_action
[5] http://www.projectliberty.org/liberty/content/download/4420/29635/file/Aetna%20IDDY%20liberty%20case%20study%208.08.pdf
[6] http://www.projectliberty.org/liberty/content/download/4423/29647/file/Citi%20IDDY%20liberty%20case%20study%209.08.pdf
[7] "Michigan Healthcare Information Exchange Adopts Kantara Initiative Identity Assurance Framework" (http://newsblaze.com/story/2009092409450200001.pnw/topstory.html). 2009-09-24. Retrieved 2011-01-09.
[8] http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1100-Glossary.pdf
[9] http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1200-Levels+of+Assurance.pdf
[10] http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1300-Assurance+Assessment+Scheme.pdf
[11] http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1400-Service+Assessment+Criteria.pdf
[12] Identity Assurance Framework
[13] Kantara Initiative Identity Assurance Work Group (http://kantarainitiative.org/confluence/display/idassurance/Home)

Identity Assurance Framework

The Identity Assurance Framework (IAF) is maintained by the Kantara Initiative Identity Assurance Work Group [1] and was used by several governments to derive local assurance frameworks [2] and contributed to ISO/IEC 29115 [3] and FIDIS [4].

History
• The U.S. Office of Management and Budget published memorandum M-04-04 (E-Authentication Guidance for Federal Agencies), which required agencies to establish certain security criteria for remote authentication; the GSA-led E-Authentication Initiative carried that guidance out.
• NIST published the guideline SP 800-63 [5] that recommended technical safeguards to implement M-04-04.
• The CAF [6] was the next development step that derived from SP 800-63.
• The CAF was contributed to Liberty Alliance who extended it with supporting documents like a service assessment policy. The result is the Identity Assurance Framework [7].
• Kantara Initiative, as successor of Liberty Alliance, is maintaining the document since 2010.

Contents

The IAF is a standardized approach that defines processes and procedures for IdPs, Relying Parties and Federation Operators to trust each others' credentials at known levels of assurance. The IAF has published a standard set of assurance levels regarding the authentication of the user (Level 1 means low assurance, Level 2 means medium assurance, and so on, with Level 4 being the highest level). As of today, there are 4 levels of assurance based on the NIST-standard levels of assurance. When a digital token is issued, it states the level of assurance at which the user was authenticated, Level 1 through Level 4. For example, one issuer may have used an RSA SecurID token in combination with Username-Password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID-PIN to issue a Level 2 token. The RP receiving the token from both issuers simply knows that both tokens are Level 2, and doesn't know/need to know what the actual mechanics were, simply that an audit process certified that the mechanism for generating the token meets the criteria laid out by Liberty IAF. On the Relying Party side, these same four Assurance Levels map to increasing levels of risk from hacking, data/identity theft, etc. In this way, Assurance Levels equate increased risk of harm to increased trust in the identities of the transaction participants.

The main components of the IAF are:
1. Assurance Level Criteria
2. Service and Credential Assessment Criteria
3. Accreditation and Certification Model, and
4. Associated Business Rules.

Assurance Level Criteria

Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. The level of assurance (LOA) provided is measured by the strength and rigor of the identity proofing process, the credential's strength, and the management processes the service provider applies to it. The IAF defers to the guidance provided by the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.2 (NIST800-63) [1] which outlines four (4) levels of assurance, ranging in confidence level from low to very high. The four Assurance Levels have been adopted by several governments like the U.S., Canada, New Zealand, the U.K. and the EU for categorizing electronic identity trust levels for providing electronic government services. The IAF also establishes a protocol for publishing updates, as needed, to account for technological advances and preferred practice and policy updates.

Service and Credential Assessment Criteria

The Service and Credential Assessment Criteria section establishes baseline criteria for organizational conformity, identity proofing services, credential strength, and credential management services against which all Credential Service Providers (CSPs) will be evaluated. These criteria set out the requirements that services and their providers must meet at all assurance levels within the Framework in order to receive Liberty accreditation. The Service Assessment Criteria within each AL are the basis for assessing and approving electronic trust services. CSPs can determine the AL at which their services might qualify by evaluating their overall business processes and technical mechanisms against the Service Assessment Criteria. These criteria address increasingly strict requirements for the general business and organizational operations of services and their providers, increasingly stringent requirements for identity proofing services, and increasingly strict requirements of credential management services and their providers. The IAF then goes on to describe the service assessment criteria at each AL for electronic trust services providing credential management services.
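The Relying Party side of the Level 1 to Level 4 scheme, as described in the Identity assurance article and in the Contents section above, written out as an acceptance check. This is an added example and not code from the original text or from the IAF itself: the accreditation registry, the assertion fields (issuer, subject, level, audience, expiry) and the per-transaction requirements are constructed for the illustration. A real deployment would take each issuer's certified level from the trust framework's published list and receive the assertion through a federation protocol; only the decision logic is shown here.

```python
"""Relying-party acceptance of an identity assertion by Assurance Level."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """The fields of an IdP assertion that the RP's decision needs (constructed)."""
    issuer: str    # IdP identifier
    subject: str   # the authenticated user
    level: int     # AL the IdP claims for this authentication event
    audience: str  # RP the assertion was issued for
    expires: int   # UNIX time after which the assertion is stale


# Constructed registry: IdP -> highest AL the trust framework certified it for.
# How each IdP reaches its level (SecurID plus password, biometric plus PIN, ...)
# is deliberately not recorded: the RP relies on the audit, not the mechanics.
ACCREDITED = {"idp.bank.example": 3, "idp.social.example": 1, "idp.gov.example": 4}

# Constructed RP policy: minimum AL per transaction type, higher risk -> higher AL.
REQUIRED = {"view-public-page": 1, "read-balance": 2, "transfer-funds": 3}

RP_ID = "rp.bank.example"


def effective_level(assertion, registry=ACCREDITED):
    """Cap the asserted level at the issuer's accredited level.

    An IdP cannot convey more assurance than it was certified for, whatever
    it writes in the assertion. Unknown issuers are capped at 0.
    """
    return min(assertion.level, registry.get(assertion.issuer, 0))


def decide(assertion, transaction, now, rp_id=RP_ID,
           registry=ACCREDITED, policy=REQUIRED):
    """Return (accepted, reason) for using `assertion` to perform `transaction`."""
    if assertion.audience != rp_id:
        return False, "assertion not issued for this relying party"
    if assertion.expires <= now:
        return False, "assertion expired"
    if transaction not in policy:
        return False, "unknown transaction type"
    if assertion.issuer not in registry:
        return False, "issuer not accredited under the trust framework"
    have, need = effective_level(assertion, registry), policy[transaction]
    if have < need:
        return False, "AL %d presented, AL %d required" % (have, need)
    return True, "AL %d meets AL %d" % (have, need)


if __name__ == "__main__":
    now = 1_700_000_000
    a = Assertion("idp.bank.example", "u1", 3, RP_ID, now + 300)
    print(decide(a, "transfer-funds", now))
```

Two assertions at Level 2 from different accredited issuers are treated identically, which is the interoperability the Contents section describes. The cap in effective_level is the check a practitioner should not skip: an issuer accredited at Level 1 that asserts Level 4 is either misconfigured or lying, and either way the RP must not grant the higher level.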

Sill. cio.org/liberty/ resource_center/presentations_webcasts/webcast_identity_assurance_framework_advancing_the_marketplace) • Wells Fargo Webcast on Business Need for Identity Assurance Framework (http://www. org/ liberty/ content/ download/ 4546/ 31057/ file/ liberty-identity-assurance-framework_-_read-me-first-v1. Chris. 3_standardisation_report. Von. Harrison. e.. pdf) | E-Authentication Credential Assessment Framework (CAF) [7] http:/ / www. nist. processes. org/ Workshop/ 2010/ 201001_SECURITYWORKSHOP/ 04INTERNATIONALSTANDARDIZATION/ McCallister_NIST. 0.0.projectliberty. Hawkins. John. Temoshok. Kevin. eds.3 Standardisation report [5] U. Wilsher. govt. and policy and practice statements • CSP: Credential Service Provider: a third party entity that authenticates identities for RPs • IdP: Identity Provider---the entity that issues an identity credential.projectliberty. gov/ eauthentication/ documents/ CAF..0 (March 16.org/docs/Trust_Framework_010605_final. fidis. (http:/ / www. a government entity • RP: Relying Party---that entity that needs to be able to know to some degree that the presented electronic identity credential truly represents the individual named in the credential References [1] http:/ / kantarainitiative. Burr. a social networking service.Identity Assurance Framework 57 Key terms • AL: Assurance Level--.the levels of trust associated with a credential as measured by the associated technology. David.gov/eauthentication/documents/ CAF. National Institute of Standards and Technology (NIST) "Special Publication 800-63" version 1. pdf [4] http:/ / www. Silver.0. Timchak. Cornell.org/ liberty/resource_center/presentations_webcasts/ real_world_identity_assurance_wells_fargo_demonstration_of_identity_assurance_principles_in_action) • EAP Trust Framework (http://eap. pdf) [6] Louden. nz/ standards/ authentication/ guide-to-authentication-standards-for-online-services NZ Guide to Authentication Standards for Online Services [3] http:/ / docbox. 
an online game administrator. pdf Identity Assurance Framework . pdf FIDIS D19. gov/ publications/ nistpubs/ 800-63/ SP800-63V1_0_2.S. Version 2. Dave. Steve.Read Me First External links • Introductory Webcast on the Identity Assurance Framework (http://www." E-Authentication Initiative. 2005).pdf) . Spenser.2 (http:/ / csrc. Bill. for example a the workplace network administrator.pdf) • US E-Authentication Credential Assessment Framework (http://www. Stephen. Judy.cio.projectliberty. "E-Authentication Credential Assessment Framework (CAF). Richard G. etsi. projectliberty. net/ fileadmin/ fidis/ deliverables/ fidis-wp19-del19. org/ confluence/ display/ idassurance/ Home Kantara Initiative Identity Assurance Work Group [2] http:/ / www.

Identity change

Identity change describes the intentional changes to an identity document or digital identity. The topic is of particular interest in "faceless" financial transactions and computer security.

Identity change can be categorized in several ways:
• Identity takeover (identity theft / identity fraud)
• Identity delegation
• Identity exchange
• Identity creation
• Identity deletion
• Identity restoration

There are several different parties who may initiate the change:
• A first party, the original bearer of an identity, may initiate the change
• A second party, who wishes to use the identity, may initiate the change
• A third party may initiate an identity change
• In some instances, multiple parties cooperate to change an identity.

Sources
• ID-related Crime: Towards a Common Ground for Interdisciplinary Research (http://www.fidis.net/resources/deliverables/forensic-implications/int-d52b000/doc/20/)

Identity Governance Framework

The Identity Governance Framework is a strategic initiative of the Liberty Alliance that will define a set of standards to help enterprises easily determine and control how identity related information is used, stored, and propagated in appropriate and secure ways using protocols such as LDAP, SAML, and WS-Trust and ID-WSF. For more information, consult the Liberty Alliance IGF Strategic Initiative web site [1]. Ongoing standards work is now being handled by the Kantara Initiative LSM Working Group [3].

Status

Liberty Alliance published final specifications [2] of IGF components CARML (Client Attribute Requirements Markup Language) and IGF Privacy Constraints in the fall of 2009. An implementation of CARML and IGF Privacy Constraints is available through Project Aristotle [4], an Apache 2.0 Licensed [5] open source project. Project Aristotle published ArisID, an implementation of IGF 1.0 release 1.1 [12]. Release 1.1 was released December 2009. See project FAQ [11] for more information.

Purpose

The Identity Governance Framework (IGF) enables organizations to define policies that regulate and control the exchange of identity related information between application systems both internally and with external partners. Identity related information may include things like names, addresses, social security numbers or other information that would be otherwise considered related to an individual's identity. The policy information is both useful to privacy auditors for assessing the use of identity information in applications and to policy enforcement systems for ensuring that appropriate use of identity related information takes place.

History

IGF was originally announced by Oracle in November, 2006 [6] as a joint initiative between CA, HP, Layer 7 Technologies, Novell, Oracle, Ping Identity, Securent, and Sun Microsystems. In February, 2007, the initiative was transferred to the Liberty Alliance to take the draft proposal forward and fully develop the standard. In July, 2007, Liberty announced completion of the Market Requirements Use Case [7] documentation. In June, 2008, Liberty Alliance announced [8] publication of draft specifications [9] for CARML and Privacy Constraints. In November, 2008, Project Aristotle [4] announced release 1.0 [10] of the ArisID API specifications for IGF, implementing the draft. In November, 2009, Liberty Alliance published final specifications [2] of IGF components CARML (Client Attribute Requirements Markup Language) and IGF Privacy Constraints. In December, 2009, Project Aristotle published ArisID, an implementation of IGF 1.0 release 1.1 [12].

External links
• Liberty Alliance Identity Governance Strategic Initiative [1]
• OpenLiberty Project Aristotle [4]
• Oracle Technology Network IGF Page [13]

Further reading
• Sarbanes-Oxley Compliance Journal - January 3, 2008 - Open Initiative to Help Organizations Govern Identity Information Across Enterprise Applications [14]
• Network World - July 30, 2007 - Identity Governance Framework sprints to the finish line [15]
• Sarbanes-Oxley Compliance Journal - November 19, 2008 - Identity Governance Framework - Liberty Alliance's Initiative Addressing Privacy and SOX [16]
• ZDNet Dana Blankenhorn Blog - January 24, 2007 - Will identity be open source? [17]

References
[1] http://www.projectliberty.org/liberty/strategic_initiatives/identity_governance
[2] http://www.projectliberty.org/resource_center/specifications/igf_v1_0_final/
[3] http://kantarainitiative.org/confluence/display/WGLSM/Charter
[4] http://www.openliberty.org/wiki/index.php/ProjectAris
[5] http://www.apache.org/licenses/#clas
[6] http://www.oracle.com/corporate/press/2006_nov/identity-governance-framework.html
[7] http://www.projectliberty.org/index.php/liberty/news_events/press_releases/industry_leaders_submit_identity_governance_framework_to_openliberty_org_for_development_of_open_source_implementations
[8] http://www.projectliberty.org/liberty/news_events/press_releases/liberty_alliance_announces_first_release_of_identity_governance_framework_components
[9] http://www.projectliberty.org/liberty/resource_center/specifications/igf_1_0_specs
[10] http://www.projectliberty.org/liberty/news_events/press_releases/openliberty_org_releases_first_open_source_identity_governance_framework_software
[11] http://www.openliberty.org/wiki/index.php/ArisIdFAQ
[12] http://idgov.sourceforge.net
[13] http://www.oracle.com/technology/tech/standards/idm/igf/index.html
[14] http://www.s-ox.com/dsp_getFeaturesDetails.cfm?articleID=2233
[15] http://www.networkworld.com/newsletters/dir/2007/0730id1.html
[16] http://www.s-ox.com/News/detail.cfm?CID=2012
[17] http://blogs.zdnet.com/open-source/?p=3100

Identity intelligence

In computer science, within the Identity Management field, Identity Intelligence is the application, based on the principles of business intelligence, of analytical techniques typical of business intelligence and other related tools for analysis and control, and refers mainly to the following set of capabilities:

• the presence, within an organization, of a full repository of user accounts, able to effectively collect every piece of information characterizing the users and their access rights;
• the ability to relate information from different target and authoritative sources, in order to correctly and efficiently populate the repository;
• the ability to build complex analysis, monitoring and reporting systems which operate on a complete repository. The difference is substantial if compared to the "standard" repositories used by Identity Management solutions, which are typically simpler and less suited for complex analysis.

Terminology

The term "Identity Intelligence" spread throughout the course of 2010, also thanks to its adoption by Gartner. In recent years Identity Management solutions are increasingly seen as tools addressed to security governance: tools used to meet the compliance requirements that organizations must satisfy under regulatory constraints, to obtain certifications and to satisfy internal and external audit; and tools used to increase security, offer security features and advanced control. For these reasons, between 2010 and 2011 the evolution trend shows companies adopting mechanisms and instruments of Identity Intelligence from the early stages of the life cycle of their Identity Management systems.

Why do you need "Intelligence" before "Management"?

The need for Identity Intelligence tools and models comes with the awareness, developed in recent years, that an Identity Management system used for the sole purpose of automating user account management exploits its possibilities only in part. The assumption behind the adoption of an Identity Intelligence solution is that "you can not manage what you can not measure". In order to properly manage user accounts and identities, you must first be able to get to know them in detail. In complex environments, data about users and user accounts are collected from dozens or hundreds of different sources, using different standards, different structures and different technologies. In order to allow quick, detailed and complete analysis, it is essential to have a tool that can collect, relate and homogenize all this data.

The most innovative approach is the one in which Identity Intelligence is introduced in the company even before Identity Management. This approach, while introducing the cost of a preliminary stage, provides information about the status of user management that is useful to ascertain the real need for such a project, and gives a snapshot of the situation at "time 0", which can always be referred back to in the future to measure the success or failure of projects. At the same time, it increases the chances of success of an Identity Management project, providing valuable information about:

• the state of the users within the organization;
• the quality of the user management processes;

so that it can serve as a support in the definition of requirements and of the Identity Management model to be implemented.
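The "collect, relate and homogenize" step above, as an added example that is not part of the original text: an authoritative HR feed is correlated with two target-system exports that use different identifiers, and the resulting repository is queried for orphan accounts, accounts still held by terminated users, and active users missing a directory account. All feeds, names and identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample feeds (invented names and ids). The HR feed is the authoritative
# source; the directory and application exports are target systems that identify
# people differently (mail address vs. employee id), as the text describes.
HR_FEED = [
    {"employee_id": "E100", "name": "Ana Ruiz", "email": "ana.ruiz@example.test", "status": "active"},
    {"employee_id": "E101", "name": "Ben Okafor", "email": "ben.okafor@example.test", "status": "active"},
    {"employee_id": "E102", "name": "Chloe Li", "email": "chloe.li@example.test", "status": "terminated"},
]
DIRECTORY_EXPORT = [  # mail attribute, in the mixed case directories often return it
    {"sAMAccountName": "aruiz", "mail": "Ana.Ruiz@example.test", "memberOf": ["staff"]},
    {"sAMAccountName": "cli", "mail": "chloe.li@example.test", "memberOf": ["staff", "domain-admins"]},
    {"sAMAccountName": "svc_backup", "mail": "", "memberOf": ["backup-operators"]},
]
APP_EXPORT = [  # this application keys its logins by employee id instead
    {"login": "E100", "role": "user"},
    {"login": "E103", "role": "admin"},
]


@dataclass
class Identity:
    employee_id: str
    name: str
    email: str
    status: str
    accounts: List[dict] = field(default_factory=list)  # target accounts linked to this person


def _norm(value: str) -> str:
    """Homogenize an identifier before matching: trim and lower-case."""
    return (value or "").strip().lower()


def build_repository(hr, directory, app) -> Tuple[Dict[str, Identity], List[dict]]:
    """Correlate every target account to an authoritative identity; unmatched ones are orphans."""
    repo = {r["employee_id"]: Identity(r["employee_id"], r["name"], _norm(r["email"]), r["status"])
            for r in hr}
    by_email = {ident.email: ident for ident in repo.values()}
    orphans: List[dict] = []
    for acct in directory:
        entry = {"source": "directory", "id": acct["sAMAccountName"],
                 "privileged": "domain-admins" in acct["memberOf"]}
        ident = by_email.get(_norm(acct["mail"]))
        (ident.accounts if ident else orphans).append(entry)
    for acct in app:
        entry = {"source": "app", "id": acct["login"], "privileged": acct["role"] == "admin"}
        ident = repo.get(acct["login"])
        (ident.accounts if ident else orphans).append(entry)
    return repo, orphans


def report(repo: Dict[str, Identity], orphans: List[dict]) -> Dict[str, list]:
    """The monitoring/reporting step: findings an access review would act on."""
    findings: Dict[str, list] = {
        "orphan_accounts": [f"{o['source']}:{o['id']}" for o in orphans],
        "terminated_with_accounts": [],
        "active_without_directory": [],
    }
    for ident in repo.values():
        if ident.status == "terminated":
            for a in ident.accounts:
                findings["terminated_with_accounts"].append(
                    {"employee_id": ident.employee_id,
                     "account": f"{a['source']}:{a['id']}", "privileged": a["privileged"]})
        elif not any(a["source"] == "directory" for a in ident.accounts):
            findings["active_without_directory"].append(ident.employee_id)
    return findings


if __name__ == "__main__":
    repo, orphans = build_repository(HR_FEED, DIRECTORY_EXPORT, APP_EXPORT)
    for key, items in report(repo, orphans).items():
        print(key, items)
```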

Identity management system

An identity management system refers to an information system, or to a set of technologies, that can be used to support the management of identities.

Electronic identity management

Several interpretations of identity management (IdM) have been developed in the IT industry. Computer scientists traditionally associate the phrase with the management of user credentials and the means by which users might log on to an online system. The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life "identified" entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates that carried identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online "identity" of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified in real life (e.g. users, devices, services, etc.). The design of such systems requires explicit information and identity engineering tasks.

The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the delivery of informative web content such as the "white pages" of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management today.

With the emergence of phishing attacks it became obvious that service provider identities also need to be managed. Phishing precisely exploits the difficulty of properly identifying and authenticating service providers on the web due to poor management of service provider identities (Jøsang & Pope 2005).

In general, electronic IdM can be said to cover the management of any form of digital identities. With relation to online government services the term National Identity Management has been used.

An identity management system:

1. Establishes the identity
   1. Links a name (or number) with the subject or object.
   2. Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object).
2. Describes the identity
   1. Optionally assigns one or more attributes applicable to the particular subject or object to the identity.
   2. Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object).
3. Follows identity activity
   1. Records and/or provides access to logs of identity activity.
   2. Optionally auto-analyzes behaviour patterns of the identity.
4. Destroys the identity

Typical identity management functionality includes the following:

• User information self-service
• Password resetting
• Management of lost passwords
• Workflow
• Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and to consolidate the proliferation of identity stores, all form part of the identity management process.

The term identity engineering refers to putting engineering effort into managing large numbers of interrelated items that have identifiers or names.

Types of Identity management systems

We can distinguish three main types of IMS (Bauer, Meints & Hansen 2005):

• Type 1: IMS for account management
  • Type 1 IMS are used within an organization especially for account and access administration for computers and network services (e.g. the Windows-NT-Domain concept by Microsoft, NIS by SUN, etc.).
• Type 2: IMS for profiling of user data by an organization
  • Used for managing and exploiting large amounts of statistical user information (for instance in marketing). The data managed are mainly personal data. This kind of IMS can for instance be found in the user profile of social network services.
• Type 3: IMS for user-controlled context-dependent role and pseudonym management
  • Type 3 IMS are characterised by user control and are basically decentralised, user- and client-oriented (management is done by the user).

Solutions

Solutions which fall under the category of identity management may include:

Management of identities
• Provisioning/De-provisioning of accounts
• Workflow automation
• Delegated administration
• Password synchronization
• Self-service password reset

Access control
• Policy-based access control
• Enterprise/Legacy single sign-on (SSO)
• Web single sign-on (SeoS)
• Reduced sign-on

Directory services
• Identity repository (directory services for the administration of user account attributes)
• Metadata replication/Synchronization
• Directory virtualization (Virtual directory)
• e-Business scale directory systems
• Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP

Other categories
• Role-based access control (RBAC)
• Federation of user access rights on web applications across otherwise untrusted networks
• Directory-enabled networking and 802.1X EAP

Standards initiatives
• Security Assertion Markup Language (SAML)
• Liberty Alliance — A consortium promoting federated identity management
• Shibboleth (Internet2) — Identity standards targeted towards educational environments

• Global Trust Center

List of Leading Identity management systems

• Sun Identity Manager (will be supported only up to 2014)
• Microsoft Active Directory in Windows Server
• Microsoft Identity Lifecycle Manager 2007 and Microsoft Identity Integration Server
• Microsoft Forefront IM 2010
• Oracle IM 11g
• IBM Tivoli IM
• Novell IM
• CA Technologies IM
• Courion IM

Comparison of Leading Identity management systems

The comparison covers ten capabilities for each system: Provisioning/De-provisioning of accounts, Workflow automation, Delegated administration, Password synchronization, Self-service password reset, Policy-based access control, Enterprise/Legacy single sign-on (SSO), Web single sign-on (SeoS), Identity repository (directory services for the administration of user account attributes), and Metadata replication/Synchronization.

• Microsoft Active Directory: Provisioning/De-provisioning of accounts: No; Workflow automation: No; Delegated administration: Yes; Password synchronization: Yes (between AD); Self-service password reset: No; Policy-based access control: Yes; Enterprise/Legacy SSO: Yes; Web SSO (SeoS): Yes; Identity repository: Yes; Metadata replication/Synchronization: No.
• MS FIM 2010 and Oracle IM: Yes for every capability listed, except that the source marks one of the two products No for Password synchronization without legibly indicating which.

References

• Bauer, Matthias; Meints, Martin; Hansen, Marit (2005). "Del 3.1: Structured Overview on Prototypes and Concepts of Identity Management Systems" [1]. FIDIS Deliverables 3 (1). September 2005.
• Jøsang, A.; Pope, S. (2005). User Centric Identity Management [2]. Proceedings of AusCERT. Gold Coast, Australia (published May 2005).

[1] http://www.fidis.net/resources/deliverables/hightechid/#c1787
[2] http://persons.unik.no/josang/papers/JP2005-AusCERT.pdf

External links

• FIDIS Database on IMS (http://www.fidis.net/interactive/ims-db/) — The FIDIS IMS Database gives a non-comprehensive overview and a brief description of identity management systems and tools.
• Identity Management Solutions (http://www.tools4ever.com/solutions/) by Tools4ever
• Access & Identity Management Suite (http://www.avatier.co.uk) by Avatier

Identity Management Theory

Identity Management Theory (also frequently referred to as IMT) is an intercultural communication theory from the 1990s. It was developed by William R. Cupach and Tadasu Todd Imahori on the basis of Erving Goffman's Interaction ritual: Essays on face-to-face behavior (1967). Cupach and Imahori distinguish between intercultural communication (speakers from different cultures) and intracultural communication (speakers sharing the same culture).

To understand IMT, it is important to be familiar with Cupach and Imahori's view of identities. Among the multiple identities which an individual possesses, cultural and relational identities are regarded as essential to IMT.

Cupach and Imahori claim that presenting one's face shows facets of an individual's identity. Whether an interlocutor is able to maintain face or not reveals his or her interpersonal communication competence. The use of stereotypes in intercultural conversations often results from ignorance of each other's culture; the application of stereotypes, however, is face threatening. Being able to manage the resulting tensions is part of intercultural communication competence. To become competent in developing intercultural relationships, the following three phases have to be passed:

1. "trial and error": the act of looking for similar aspects in certain identities;
2. "mixing up" the communicators' identities to achieve a relational identity acceptable for both participants;
3. renegotiating the distinctive cultural identities with the help of the relational identity that was created in phase 2.

Cupach and Imahori call these phases "cyclical", as they are gone through by intercultural communicators for each aspect of their identities.

References

• Cupach, William R. and Tadasu Todd Imahori (1993). "Identity management theory: Communication competence in intercultural episodes and relationships", in R. L. Wiseman and J. Koester (eds.), Intercultural communication competence, 112-131. Newbury Park, CA: Sage.
• Goffman, Erving (1967). Interaction ritual: Essays on face-to-face behavior. Garden City, NY: Anchor.
• Gudykunst, William B. (2003). "Intercultural Communication Theories", in: Gudykunst, William B. (ed.), Cross-Cultural and Intercultural Communication, 167-189. Thousand Oaks: Sage.

Identity metasystem

The Identity Metasystem is an interoperable architecture for digital identity that enables people to have and employ a collection of digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, customers can continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others. The Identity Metasystem is based upon the principles in The Laws of Identity [1].

An independently developed concept, called Clique Space(TM), may be classified as possessing characteristics in keeping with the above definition. Although it has an independent genesis, Owen Thomas, the concept's inventor, proposes that Clique Space's philosophy would be complementary to other technology on identity.

Identity Metasystem Architecture

Roles within the Identity Metasystem

Different parties participate in the metasystem in different ways. The three roles within the metasystem are:

• Identity Providers, which issue digital identities. For example, credit card providers might issue identities enabling payment, businesses might issue identities to their customers, governments might issue identities to citizens, and individuals might use self-issued identities in contexts like signing on to web sites.
• Relying Parties, which require identities. For example, a web site or online service that utilizes identities offered by other parties.
• Subjects, which are the individuals and other entities about whom claims are made. Examples of subjects include end users, companies, and organizations.

In many cases, the participants in the metasystem play more than one role, and often all three.

Components of the Identity Metasystem

There are five key components to the Identity Metasystem:

• A way to represent identities using claims. Claims are carried in security tokens, as per WS-Security.
• A means for identity providers, relying parties, and subjects to negotiate. Negotiation occurs using WS-SecurityPolicy statements exchanged using WS-MetadataExchange. Dynamically negotiating the claims to be delivered and the security token format used enables the Identity Metasystem to carry any format of token and any kinds of claims needed for a digital identity interaction.
• An encapsulating protocol to obtain claims and requirements. The WS-Trust and WS-Federation protocols are used to carry requests for security tokens and responses containing those tokens.
• A means to bridge technology and organizational boundaries using claims transformation. Security Token Services (STSs) as defined in WS-Trust are used to transform claim contents and formats.

• A consistent user experience across multiple contexts, technologies, and operators. This is achieved via Identity Selector client software such as Windows CardSpace representing digital identities owned by users as visual Information Cards.

Interoperability and Licensing

The protocols needed to build Identity Metasystem components can be used by anyone for any purpose with no licensing cost, and interoperable implementations can be built using only publicly available documentation. Patent promises have been issued by Microsoft [2], IBM [3], and others, ensuring that the protocols underlying the Identity Metasystem can be freely used by all.

Several interoperability testing events for Identity Metasystem components have been sponsored by OSIS [4] and the Burton Group [5], such as the Interop at the October 2007 European Catalyst Conference in Barcelona [6]. These events are helping to ensure that the different software components being built by the numerous Identity Metasystem participants work well together. In his report on the Interop at the June 2007 Catalyst Conference in San Francisco [7], analyst Bob Blakley wrote: "The interop event was a milestone in the maturation of user-centric identity technology. Prior to the event, there were some specifications, one commercial product, and a number of open-source projects. After the event, it can accurately be said that there is a running identity metasystem." The most recent event was sponsored by OASIS at the March 2010 RSA Security Conference in San Francisco.

Selectors

An Identity Selector is a platform service for user-centric identity management that:

• Provides a consistent user experience for authentication (and in some cases other kinds of interactions) with a Relying Party (also known as a Service Provider).
• Is invoked by a browser extension or by a local rich client application.
• Provides a user interface that displays a set of Information Card icons from which the user selects their preferred Information Card when authentication is required by a local application or Relying Party (e.g. a web site's login page).

An Identity Selector may also allow the user to manage (e.g. review, create, update, and delete cards within) their portfolio of Information Cards.

Microsoft's Windows CardSpace implementation of an Identity Selector:

• Provides a local Security Token Service that is used to issue the security tokens for personal Information Cards.
• Provides a user interface to create and manage personal (also known as self-issued) Information Cards.
• Provides a user interface to import and export Information Cards in standard file formats.
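The five components and the selector behaviour described above, as an added example that is not part of the original article: a relying party publishes a policy (the WS-SecurityPolicy analogue), the selector keeps only the cards that can satisfy it, an STS issues a token carrying just the requested claims (deriving an "over18" claim from a birthdate, the claims-transformation step), and the relying party checks issuer, signature, audience and expiry before trusting anything. Issuer names, keys and the subject's attributes are constructed; token integrity is shown with an HMAC rather than the XML signatures real WS-Trust tokens use.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed demo secrets, not real keys. An HMAC stands in for the XML signature a
# real SAML token would carry, so the whole exchange runs offline.
ISSUER_KEYS: Dict[str, bytes] = {
    "https://idp.example.test": b"demo-idp-secret",
    "https://self.example.test": b"demo-self-issued-secret",
}
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"


@dataclass
class InformationCard:
    card_name: str
    issuer: str
    supported_claims: List[str]
    token_type: str


@dataclass
class RelyingPartyPolicy:
    """What a relying party publishes via WS-SecurityPolicy / WS-MetadataExchange."""
    audience: str
    required_claims: List[str]
    accepted_token_types: List[str]
    trusted_issuers: List[str]


def select_cards(cards: List[InformationCard], policy: RelyingPartyPolicy) -> List[InformationCard]:
    """Identity-selector step: only cards that can satisfy the policy are offered to the user."""
    return [c for c in cards
            if c.issuer in policy.trusted_issuers
            and c.token_type in policy.accepted_token_types
            and set(policy.required_claims) <= set(c.supported_claims)]


def derive_over18(attrs: Dict[str, str], today: date) -> str:
    """Claims transformation: a birthdate becomes a minimal-disclosure 'over18' claim."""
    born = date.fromisoformat(attrs["birthdate"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return "true" if age >= 18 else "false"


def issue_token(issuer: str, attrs: Dict[str, str], policy: RelyingPartyPolicy,
                now: int, today: date, ttl: int = 300) -> Dict[str, object]:
    """STS step (WS-Trust request/response): issue a token carrying only the requested claims."""
    claims = {name: derive_over18(attrs, today) if name == "over18" else attrs[name]
              for name in policy.required_claims}  # birthdate itself is never disclosed
    body = {"iss": issuer, "aud": policy.audience, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token: Dict[str, object], policy: RelyingPartyPolicy, now: int) -> Optional[Dict[str, str]]:
    """Relying-party step: claims are used only after issuer, signature, audience and expiry checks."""
    body = json.loads(token["payload"])
    issuer = body.get("iss")
    if issuer not in policy.trusted_issuers:
        return None
    expected = hmac.new(ISSUER_KEYS[issuer], token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if body.get("aud") != policy.audience or body.get("exp", 0) <= now:
        return None
    if not set(policy.required_claims) <= set(body["claims"]):
        return None
    return body["claims"]


# Constructed sample interaction: an age-gated shop, two cards, one subject.
SHOP_POLICY = RelyingPartyPolicy("https://shop.example.test", ["email", "over18"], [SAML11],
                                 ["https://idp.example.test"])
CARDS = [
    InformationCard("Work card", "https://idp.example.test", ["email", "birthdate", "over18"], SAML11),
    InformationCard("Personal card", "https://self.example.test", ["email"], SAML11),
]
SUBJECT_ATTRS = {"email": "ana.ruiz@example.test", "birthdate": "1990-05-01"}


def demo(now: int = 1_700_000_000, today: date = date(2023, 11, 14)) -> Dict[str, object]:
    usable = select_cards(CARDS, SHOP_POLICY)
    token = issue_token(usable[0].issuer, SUBJECT_ATTRS, SHOP_POLICY, now, today)
    tampered = {"payload": token["payload"].replace(b'"true"', b'"false"'), "sig": token["sig"]}
    return {
        "cards": [c.card_name for c in usable],
        "claims": verify_token(token, SHOP_POLICY, now),
        "tampered": verify_token(tampered, SHOP_POLICY, now),   # signature no longer matches
        "expired": verify_token(token, SHOP_POLICY, now + 600),  # past the 300 s lifetime
    }


if __name__ == "__main__":
    print(demo())
```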

Software Implementations

• Windows CardSpace - runs on Windows Vista, Windows XP, and Windows Server 2003
• Higgins project web-based Identity Selector deployment configuration
• Higgins project client-based Identity Selector deployment configuration
• Higgins project eclipse-based Identity Selector deployment configuration
• DACS - open source relying party & Information Card STS written in C

References

• Clique Space: another look at identity [8], Owen Thomas, November 2010.
• Parity Provides Free Online Identity Management [9] - Oct 2008 CNET article by Robert Vamosi.
• Microsoft's Vision for an Identity Metasystem [10], Microsoft, May 2005.
• Design Rationale behind the Identity Metasystem Architecture [11], Kim Cameron and Michael B. Jones, January 2006.
• 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age [12], Ann Cavoukian, Information and Privacy Commissioner of Ontario, October 2006.

External links

• Burton Group report on OSIS June 2007 User-Centric Identity Interop at Catalyst in San Francisco [7], July 2007.
• Burton Group report on OSIS October 2007 User-Centric Identity Interop at Catalyst in Barcelona [6], October 2007.
• DigitalMe Identity Selector [13].
• Microsoft Open Specification Promise [2].
• IBM Interoperability Specifications Pledge [3].
• The Laws of Identity [1], Kim Cameron, May 2005.

[1] http://msdn2.microsoft.com/en-us/library/ms996456.aspx
[2] http://www.microsoft.com/interop/osp/
[3] http://www-03.ibm.com/linux/opensource/ispinfo.shtml
[4] http://osis.netmesh.org/
[5] http://www.burtongroup.com/
[6] http://identityblog.burtongroup.com/bgidps/2007/10/osis-user-centr.html
[7] http://identityblog.burtongroup.com/bgidps/2007/08/recapping-the-c.html
[8] http://ssrn.com/abstract=1714848
[9] http://news.cnet.com/8301-1009_3-10062365-83.html?tag=rtcol;relnews
[10] http://msdn2.microsoft.com/en-us/library/ms996422.aspx
[11] http://research.microsoft.com/~mbj/papers/Identity_Metasystem_Design_Rationale.pdf
[12] http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf
[13] http://www.bandit-project.org/index.php/DigitalMe

Identity score

An identity score is a system for detecting identity theft. Identity scores are increasingly being adopted as a means to prevent fraud in business and as a tool to verify and correct public records. Identity scores incorporate a broad set of consumer data that gauges a person's legitimacy. Identity score components can include (but are not limited to) personal identifiers, public records, Internet data, government records, corporate data, predicted behavior patterns based on empirical data, self-assessed behavior patterns, and credit records.

Business and consumer identity scores

Identity scoring was originally developed for use by financial services firms, to measure the fraud risk for new customers opening accounts. Identity scoring is also being tested as a means for financial institutions to comply with criminal investigations and antiterrorism measures such as the Bank Secrecy Act (BSA) and the USA PATRIOT Act. Typical external credit and fraud checks often fail to detect erroneous background information. Usage of fraud verification tools and third-party authentication systems to verify identities and "red flag" suspicious activity is greatly enhanced by identity scoring.

Public records, private records, and credit records

Identity scores are built by collecting information from a variety of sources and analyzing discernible patterns in the total information. These records can generally be broken down into three categories: public records, private records, and credit records.

Public records can include (but are not limited to) any of the following sources:
• Federal, state and local government records
• Financial records like bankruptcies, liens and judgments
• Property ownership records
• Registered voter records [1]
• Law enforcement records for felony and misdemeanor convictions

Private (non-credit) records can include (but are not limited to) any of the following sources:
• Bill and utility payments
• Collected personal information from marketers or affiliates
• Information provided to subscription-based Internet services
• Billing information from medical services
• Private background checks conducted by human resource departments

Private (credit) records can include (but are not limited to) any of the following sources:
• Information submitted to any or all credit bureaus or credit reporting agencies (Equifax, Experian, Innovis, Trans Union, etc.)
• "Auto insurance" underwriting scores generated from credit records

Components

Each identity scoring system uses individual data components to generate its score. Virtually all public information about an individual can be used as data in their identity score. Typical identity score components can include (but are not limited to):

• Name components: personally identifying information such as name, address, etc.
• Internet components: personally identifying information found on the Internet, such as Web sites, blogs, chat rooms, etc.
• Behavioral use pattern components: analyzed patterns of behavior from information such as number of credit accounts held, balances on each account, dates of collection activity, etc.
• Hacker and fraud components: personally identifying information that has been stolen in data breaches and may be used in recognizable patterns of fraud, such as unexplained credit card purchases.
• Synthetic identity components: personally identifying information that is being used to create a new false ("synthetic") identity.

Credit scores

Credit scores are compiled from information sources relating to credit. Credit scores do not measure any financial or personal activity that is not related to credit, and identity fraud that does not involve credit will not appear on your credit report or affect your credit score. Identity scores are compiled from much larger sources of information, including criminal records, property records, and so on. Credit scores and the credit scoring system are also very predictable—there are specific steps you follow to improve your credit score, dispute errors in credit reports, and so on. Identity scores are much more mutable and "fuzzy" than credit scores, meaning that results can vary wildly even for the same individual, because the source information—public records and personally identifying information—is constantly changing. Every time an individual changes a job, buys or sells property, or has an encounter with law enforcement, their public records are altered. Coordinating the information across so many different sources makes it very difficult to fix errors in one's information once they occur.

Predictive analytics

Identity scores are sometimes calculated using predictive analytics, the science of taking behavioral data and comparing it against historical patterns to identify potentially risky or fraudulent activity. Identity scoring enables "grading" of patterns of behavior via predictive analytics, from which an identity monitoring service can track an individual's or criminal group's activity across several enterprises.

Usage

Identity scoring can be used in a variety of ways, from identity verification and measuring fraud risk on the enterprise level, to preventing fraudulent use of identities and synthetic identity theft on the consumer level. By compiling publicly available information and using predictive analytics to gauge the patterns of how the information is used, identity scoring systems can measure the authenticity of a particular identity. Identity scoring can theoretically provide much more definitive proof of an identity's legitimacy, because of the amount of identifying data it utilizes, instead of being confined to monitoring just one area.

Because identity scores include much more accurate information and can predict behavior patterns more definitively than credit scores, the Gartner research firm predicted that identity scoring would surpass credit monitoring as the leading identity theft prevention measure by 2009. However, Gartner research analyst Avivah Litan warned that identity scoring was not a foolproof system, as it still relied on the underlying accuracy of the information used. Where credit scores have a generally accepted model of a three-digit number (used for the FICO score, the new VantageScore, and credit bureaus' proprietary scores), identity scoring models vary wildly from product to product.

Identity theft

Identity scoring works by matching the information the user provides against billions of records in public databases, ranging from property and tax records to Internet search engines, and evaluating it against patterns designed to recognize fraud or identity theft.

Example: Wendy's name and Social Security number were stolen by identity thieves who hacked a stolen laptop. They take her Social Security number, combine it with another stolen name, and use it to open a series of new accounts, including credit cards and retail gift cards. An identity protection system that used identity scoring would alert Wendy that her Social Security number had been compromised.

Breeder documents

Reliance on "breeder documents" (documents designed to verify other documents) to verify identities is flawed, as there is no standardized means to verify that the information contained in breeder documents is legitimate. Identity scoring can be used as a tool to authenticate identities on an independent level in cases of employment hiring and information verification. Currently there is no standard means to verify that information provided on an I-9 work document is legitimate, or that a person's I-9 data is correct. The desire of industries to quickly hire cheap labor trumps any incentive a business has to check the credentials of its new hires, leading to a "gray market" for stolen identities and contributing to continuing surges in illegal immigration. Tools that employ identity scoring to verify that a person's name and Social Security number match could cut down on the sale and misuse of personal information while enabling better enforcement of immigration law.

Business

The following companies make use of identity scoring products or systems in their businesses:

• Experian: Experian's Fraud Shield product cross-references its 215-million-entry consumer credit database, and provides risk management and identity verification services for subscriber businesses.
• Fair Isaac: Fair Isaac introduced the Falcon ID scoring solution in August 2004, as well as an additional score product that combines information from both credit and fraud-related sources. Falcon ID uses predictive analytics in its fraud verification process and enables cross-business information sharing, a benefit Fair Isaac touted as "very good news for businesses in many industries that are working to protect their customers from identity fraud, and very bad news for their common enemy, the perpetrators of ID fraud."
• e-Merges.com [1]: e-Merges' fraud prevention product, "Electorate", is an authentication of self-reported data with implicit authorization to access and validate it through public records.
• ID Analytics [2]:
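The Wendy example and the "Components" section above, as an added illustration that is not part of the original article: a small scorer over constructed account-opening records that flags a name/SSN mismatch against a public-record lookup, an SSN presented under more than one name (the synthetic-identity pattern), and opening velocity, and that reports which registered owner should be alerted. Names, SSNs, dates and indicator weights are invented for the example and are not any vendor's model.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed application records (invented names, SSNs and dates), one per account opening.
RECORDS = [
    {"applicant": "Wendy Park", "ssn": "000-00-0001", "opened": "2022-06-15", "product": "checking"},
    {"applicant": "Wendy Park", "ssn": "000-00-0001", "opened": "2024-03-01", "product": "credit card"},
    {"applicant": "Mark Ilic",  "ssn": "000-00-0001", "opened": "2024-03-02", "product": "credit card"},
    {"applicant": "Mark Ilic",  "ssn": "000-00-0001", "opened": "2024-03-03", "product": "gift card"},
    {"applicant": "Mark Ilic",  "ssn": "000-00-0001", "opened": "2024-03-04", "product": "gift card"},
    {"applicant": "Ben Okafor", "ssn": "000-00-0002", "opened": "2024-02-20", "product": "checking"},
]
# Constructed stand-in for a public-record lookup: the name each SSN is registered to.
PUBLIC_RECORDS: Dict[str, str] = {"000-00-0001": "Wendy Park", "000-00-0002": "Ben Okafor"}

# Illustrative indicator weights (assumed for the example), capped at a 0-100 risk score.
WEIGHTS = {"name_ssn_mismatch": 40, "ssn_shared_with_other_names": 25, "opening_velocity": 30}


def _opening_dates(records: List[dict], applicant: str, ssn: str) -> List[date]:
    return sorted(date.fromisoformat(r["opened"])
                  for r in records if r["applicant"] == applicant and r["ssn"] == ssn)


def indicators(records: List[dict], public_records: Dict[str, str], applicant: str, ssn: str,
               window_days: int = 7, min_openings: int = 3) -> List[str]:
    """Pattern checks for one (name, SSN) pair as presented to a business."""
    hits: List[str] = []
    if public_records.get(ssn) != applicant:            # name does not match the registered owner
        hits.append("name_ssn_mismatch")
    if any(r["ssn"] == ssn and r["applicant"] != applicant for r in records):
        hits.append("ssn_shared_with_other_names")      # same SSN seen under another name
    dates = _opening_dates(records, applicant, ssn)
    window = timedelta(days=window_days)
    if any(dates[i + min_openings - 1] - dates[i] <= window
           for i in range(len(dates) - min_openings + 1)):
        hits.append("opening_velocity")                 # many accounts opened in a short span
    return hits


def identity_score(records: List[dict], public_records: Dict[str, str],
                   applicant: str, ssn: str) -> Tuple[int, List[str]]:
    """Higher means riskier; the indicator list explains the score."""
    hits = indicators(records, public_records, applicant, ssn)
    return min(100, sum(WEIGHTS[h] for h in hits)), hits


def compromised_owners(records: List[dict], public_records: Dict[str, str]) -> List[str]:
    """Registered owners whose SSN has been presented under another name: who to alert."""
    owners: List[str] = []
    for r in records:
        owner = public_records.get(r["ssn"])
        if owner and owner != r["applicant"] and owner not in owners:
            owners.append(owner)
    return owners


if __name__ == "__main__":
    for name, ssn in {(r["applicant"], r["ssn"]) for r in RECORDS}:
        print(name, identity_score(RECORDS, PUBLIC_RECORDS, name, ssn))
    print("alert:", compromised_owners(RECORDS, PUBLIC_RECORDS))
```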

The company's industry-standard ID Score(r) is trusted by leading organizations to identify and prevent identity fraud. MyIDScore.com is a free service that gives consumers immediate insight into their risk of identity fraud.
• MyPublicInfo: An identity protection company based in Arlington, VA. MyPublicInfo uses identity scoring as a base for several of its products. The company has announced plans for other consumer identity scoring products in 2007, but has not provided details.

References

[1] http://www.e-merges.com
[2] http://www.idanalytics.com

• Fischetti, Mark. "Scoring Your Identity: New Tactics Root Out The False Use Of Personal Data." Scientific American, March 2007. http://www.sciam.com/article.cfm?chanID=sa006&colID=5&articleID=C77C581B-E7F2-99DF-349A29510AE8D333
• Hargreaves, Steve. "Mistaken identity can lead to embarrassment, job loss, or worse—how to avoid it." CNNMoney.com, 2/6/06. http://money.cnn.com/2006/02/07/pf/mistaken_ID
• Kraft, Jennifer. "Who Are You?" Credit Collections World, 7/1/02. http://www.creditcollectionsworld.com/article.html?id=20061016CK18V3P1
• Litan, Avivah. "Limit ID Fraud: Use ID Scoring, Not Credit Monitoring." Gartner Research, 2/6/07.
• Pero, Harold. "Identity Scoring: The Better Defense Against Data Breaches." Government Security, July 13, 2006. http://govtsecurity.com/mag/article_2/
• Sullivan, Bob. "Her ATM card, but her impostor's picture." From The Red Tape Chronicles, MSNBC.com. http://redtape.msnbc.com/2006/02/her_atm_card_bu.html
• "Thwarting Fraud Before It Happens." E-Commerce Times, 2/15/07. http://www.ecommercetimes.com/story/55770.html
• "Fair Isaac's Falcon ID Delivers New Level of Identity Theft Protection Across Industries." Minneapolis Business Wire, August 3, 2004. http://investors.fairisaac.com/phoenix.zhtml?c=67528&p=irol-newsArticle&t=Regular&id=599964&
• Experian Fraud Shield: http://www.experian.com/products/pdf/fraud_shield_ps.pdf

Information Card

Information Cards are personal digital identities that people can use online. Visually, each Information Card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The Information Card metaphor is implemented by Identity Selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.

Overview

There are three participants in digital identity interactions using Information Cards:
• Identity Providers issue digital identities for you. For example, businesses might issue identities to their customers, governments might vouch for the identities of their citizens, credit card issuers might provide identities enabling payment, online services could provide verified data such as age, and individuals might use self-issued identities to log onto web sites.
• Relying Parties accept identities for you. Online services that you use can accept digital identities that you choose and use the information provided by them on your behalf, with your consent.
• Subject is yourself, the party in control of all these interactions. The subject can choose which of its applicable digital identities to use with the relying party.

An Identity Selector is used to store, manage, and use digital identities. Examples of Identity Selectors are Microsoft's Windows CardSpace, the Bandit Project's DigitalMe [1], and several kinds of Identity Selectors from the Eclipse Higgins Project.

(Figure: Information Cards shown in Windows CardSpace Identity Selector)
(Figure: Information Cards shown in DigitalMe Identity Selector)

Generic qualities
• I-cards are created by an entity known as an issuer.
• I-cards have a text string to identify the card (cardName) that is initially set by the card issuer. Typically this card name is user-editable.
• I-cards may have a (GIF or JPEG) background image (cardImage) set by the card issuer (user-editable).
• I-cards display the name of the issuer (issuerName) in a text string.
• In most i-cards the user is able to see the value of the claims.

Sign-In with Information Cards

Using Information Cards, users can authenticate without needing a username and password for every web site; instead, at sites accepting them, they can log in with an Information Card.

(Figure: the graphic used to indicate Information Card support)

Each Information Card utilizes a distinct pair-wise digital key for every realm where a key is requested. A realm may be a single site or a set of related sites all sharing the same target scope information when requesting an Information Card. The use of distinct pair-wise keys per realm means that even if a person is tricked into logging into an imposter site with an Information Card, no shared secret is released: a different key would be used at that site than at the site the imposter was trying to impersonate.

Furthermore, many Identity Selectors provide a means of phishing detection, where the HTTPS certificate of the Relying Party site is checked and compared against a list of the sites at which the user has previously used an Information Card. When a new site is visited, the user is informed that they have not previously used a card there.

Types of Information Card

The Identity Selector Interoperability Profile v 1.5 [2] (or OASIS IMI v1.0 Committee Draft [3]) specifies two types of Information Cards an Identity Selector must support:
• Personal (also called Self-Issued) Information Cards: These cards allow you to issue Claims about yourself to sites willing to accept them. These claims can include your name, address, birth date, e-mail address, phone numbers, etc.
• Managed Information Cards: These cards allow Identity Providers other than yourself to make Claims about you to sites willing to accept them. These claims can include any information that a Relying Party requests, an Identity Provider is able to provide, and you are willing to send between them.

However, the Information Card format allows for custom types. The Higgins project is defining two new kinds of Information Cards as well:
• Relationship Cards (or R-cards) are used to establish an ongoing relationship between multiple parties.
• Zero-Knowledge Cards (or Z-cards).

The Bandit project demonstrated prototype managed cards backed by OpenIDs at the BrainShare conference in March 2007.

Personal cards

The first kind of personal information cards were also introduced as part of Microsoft's Windows CardSpace software in November 2006. Their behavior is also defined by the same documents covering the Microsoft-defined managed cards (see above). Personal cards can be described as self-issued. Summary of characteristics:
• Data format: an XML file containing: set of claim type URIs as well as the (user-defined) values of these claims, a unique cardID, which may be used at multiple sites, and a site-specific key uniquely generated for each site where the card is used, cardImage, etc. This data format is defined in the ISIP documents.
• Issuer: The user's own identity selector.
• Genesis: Created by the user's identity selector.
• Claims: 15 pre-defined claim types (e.g. firstname, surname, email address, web address, gender, etc.) are defined in the Identity Selector Interoperability Profile v 1.5 [2] (or OASIS IMI v1.0 Committee Draft [3]).
• Authority: The user's identity selector is the authority for the issued token's set of claim values.

• Data flow: On demand (e.g. as needed by a relying site), an STS local to the identity selector creates a security token with the current values.
• Editability: The claim values are directly editable by the user.
• Attribute data source: The personal card XML file contains claim values. When imported into an identity selector these data values are then managed internally by the selector.
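The two protections described under "Sign-In with Information Cards", a distinct pair-wise key per realm and a warning the first time a card is presented to a site, are easy to get wrong in a home-grown selector, so here is a worked illustration. This is example code added to this article, not the ISIP/IMI algorithm and not code from CardSpace, DigitalMe or Higgins. It assumes (the article does not say this) that the per-realm key is derived with HKDF-SHA256 from a per-card master secret and the realm identifier, and that a realm is identified by the organisation name in the relying party's HTTPS certificate; the card and site names are constructed sample input.

```python
"""Toy identity selector: pair-wise keys per realm and first-use phishing warning.

Example code added to this article, not the ISIP/IMI algorithm and not any
selector's code. Assumptions not taken from the article: HKDF-SHA256 over a
per-card master secret with the realm as context; a realm is identified by the
organisation name in the relying party's HTTPS certificate.
"""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class PersonalCard:
    """A self-issued card. The master secret never leaves the selector."""

    def __init__(self, card_id, claims, master=None):
        self.card_id = card_id
        self.claims = dict(claims)
        self._master = master if master is not None else secrets.token_bytes(32)

    def realm_key(self, realm):
        """Key used at one realm; any other realm gets an unrelated key,
        so a phishing site learns nothing usable at the genuine site."""
        return hkdf_sha256(self._master, self.card_id.encode(), b"realm:" + realm.encode())

    def ppid(self, realm):
        """Pairwise identifier the relying party sees for this card (hex digest)."""
        return hashlib.sha256(b"ppid|" + self.realm_key(realm)).hexdigest()


class Selector:
    """Remembers the certificate identity of every site a card was used at."""

    def __init__(self):
        self.used_at = {}  # realm (certificate organisation) -> hostnames seen

    def present_card(self, card, hostname, cert_org):
        """Return (ppid, first_use). first_use is True for a realm the user has
        never used a card at: the moment the selector should warn the user."""
        hosts = self.used_at.setdefault(cert_org, set())
        first_use = not hosts
        hosts.add(hostname)
        return card.ppid(cert_org), first_use
```

With this, two hosts under the same certificate organisation (one realm) receive the same pairwise identifier and only the first triggers a warning, while a look-alike host with a different certificate triggers the warning and receives a key that is unrelated to the genuine site's key.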


Managed Information Card Details
The first kind of managed card was introduced as part of Microsoft's Windows CardSpace software in November 2006. The behavior, file format and interoperability characteristics of these kinds of managed cards are defined by Microsoft documents such as the Identity Selector Interoperability Profile v 1.5 [2] (or OASIS IMI v1.0 Committee Draft [3]) (see here [4] for a more complete list), in combination with open standards including WS-Trust [5] and others. Summary of characteristics:
• Data format: an XML file containing: network endpoint of the STS, set of claim type URIs, name of the card, cardImage, issuerName, a unique cardID, etc. The XML file format is defined in the ISIP documents.
• Issuer: An external, third party token service (representing an external person or organization).
• Genesis: A managed card is generated by a Security Token Service running at an Identity Provider site and imported into the user's Identity Selector.
• Claims: The list of supported claim types (claim type URIs) is defined by the issuer.
• Authority: The issuer is the sole authority for the claim values contained within the token it issues.
• Data flow: Managed cards contain a network endpoint reference to a Security Token Service (STS) that, when requested by the identity selector (using WS-Trust, etc.), generates/provides a security token containing the required claims.
• Editability: Underlying attribute data is not directly editable by the user.
• Attribute data source: Determined by the issuer, and generally managed by the issuer.

Information Cards issued by third parties can employ any of four methods for the user to authenticate himself as the card owner:
• a Personal (Self-Issued) Information Card,
• an X.509 certificate (which can either be from a hardware device such as a SmartCard or it can be a software certificate),
• a Kerberos ticket, such as those issued by many enterprise login solutions, or
• a username and password for the card.
Additional methods could also be implemented by future Identity Selectors and Identity Providers (see the Futures section).

Managed Information Cards can be auditing, non-auditing, or auditing-optional:
• Auditing cards require the identity of the Relying Party site to be disclosed to the Identity Provider. This can be used to restrict which sites the Identity Provider is willing to release information to.
• Non-auditing cards will not disclose the identity of the Relying Party site to the Identity Provider.
• Auditing-optional cards will disclose the identity of the Relying Party site if provided by the Relying Party, but do not require this disclosure.
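The managed-card data flow above (selector asks the card's STS for a token over WS-Trust) and the three auditing modes interact in a way worth seeing in code: the identity provider can only apply a per-site release policy when the relying party's identity is in the request. The following is example code added to this article; it is not CardSpace, Higgins or a real WS-Trust client or STS. Assumptions not in the article: the RequestSecurityToken is modelled as a dict keyed by WS-Trust/ISIP element names, the relying party identity travels in wsp:AppliesTo, and the toy STS signs tokens with a shared HMAC key as a stand-in for the issuer's public-key signature. Card, claim and site values are constructed sample input.

```python
"""Managed-card token request with auditing, non-auditing and auditing-optional cards.

Example code added to this article; not CardSpace, Higgins, or a real WS-Trust
client/STS. Assumptions not in the article: RST modelled as a dict of
WS-Trust/ISIP element names, RP identity carried in wsp:AppliesTo, HMAC-SHA256
standing in for the issuer's signature.
"""
from dataclasses import dataclass
import hashlib
import hmac
import json

ISSUE = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue"  # WS-Trust Issue request type


@dataclass
class ManagedCard:
    card_id: str
    sts_endpoint: str
    issuer_name: str
    supported_claims: tuple
    auditing: str = "auditing"  # "auditing", "non-auditing" or "auditing-optional"


def build_rst(card, requested_claims, relying_party):
    """Build the RequestSecurityToken the selector sends to the card's STS.

    relying_party is None when the relying party supplied no identity.
    Only claim types listed on the card may be requested.
    """
    unsupported = [c for c in requested_claims if c not in card.supported_claims]
    if unsupported:
        raise ValueError("card does not support claims: %s" % unsupported)
    rst = {
        "wst:RequestType": ISSUE,
        "ic:InformationCardReference": card.card_id,
        "wst:Claims": list(requested_claims),
    }
    if card.auditing == "auditing":
        if relying_party is None:
            raise ValueError("auditing card: relying party identity is required")
        rst["wsp:AppliesTo"] = relying_party
    elif card.auditing == "auditing-optional" and relying_party is not None:
        rst["wsp:AppliesTo"] = relying_party
    # non-auditing: the relying party is never disclosed to the identity provider
    return rst


class ToySTS:
    """Identity provider's token service: the sole authority for claim values."""

    def __init__(self, signing_key, attributes, allowed_rps=None):
        self.key = signing_key
        self.attributes = dict(attributes)  # claim URI -> value, managed by the issuer
        self.allowed_rps = allowed_rps      # None means no per-relying-party restriction

    def issue(self, rst):
        """Return a signed token; refuse when the request names a relying party
        outside the allow-list. With no AppliesTo the policy cannot be applied."""
        rp = rst.get("wsp:AppliesTo")
        if self.allowed_rps is not None and rp is not None and rp not in self.allowed_rps:
            raise PermissionError("issuer refuses to release claims to %s" % rp)
        claims = {c: self.attributes[c] for c in rst["wst:Claims"]}
        body = json.dumps({"claims": claims, "appliesTo": rp}, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"token": body, "signature": sig}


def verify_token(token, key):
    """Relying party side: return the token body if the signature checks, else None."""
    expected = hmac.new(key, token["token"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return None
    return json.loads(token["token"])
```

The trade-off the article describes falls out directly: with a non-auditing card the STS never sees the relying party, so an allow-list at the identity provider cannot be enforced and the user gains privacy from the issuer instead; with an auditing card the issuer can refuse to release claims to a site it does not trust.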



Relationship cards
Relationship cards are under development by the Higgins project (see http://wiki.eclipse.org/R-Card). Summary of characteristics:
• Data format: A managed card that supports a resource-udi claim.
• Supported Claims: Like all managed (or personal) cards, r-cards include a list of supported claim types (expressed as URIs) as defined by the issuer. This set defines the maximal set of claims that issuer will include in its generated security token. These claims are inherited from the underlying ISIP m-card upon which it is based and are used for the same purposes. Beyond managed cards, the resource-udi "meta" claim provides a reference to a set of attributes.
• Authority: The issuer is the authority for the issued token's set of claim values (as per a normal managed or personal card).
• Editability: The values of underlying attributes (referenced by the resource-udi claim) may be editable by parties other than the issuer.
• Supported Attributes: The value of an r-card's resource-udi claim is an Entity UDI [6] (URI) that "points to" a data entity (representing a person, organization, or other object). The set of attributes of this data entity is distinct from (though usually a superset of) the "supported claims" mentioned above.

Reliance on the Higgins Data Model

Conceptually a managed card is essentially a human-friendly "pointer" to a Token Service, a web service (e.g. a WS-Trust Security Token Service) from which security tokens can be requested. A security token is a set of attribute assertions (aka claims) about some party that is cryptographically signed by the issuer (the token service acting as the authority). An r-card contains a second "pointer" that points to a data entity whose attribute values are (i) shared by all parties to the r-card and (ii) form the underlying attributes that are consumed by the r-card issuer's STS and provide the values of the claims that this STS makes.

By including this second "pointer" on the r-card, r-card holders have the potential to access and update some subset of these underlying attributes. The card issuer maintains an access control policy to control who has what level of access. This second pointer is an Entity UDI, a reference to an Entity object in the Higgins Context Data Model [7]. Entity UDIs may be dereferenced and the underlying Entity's attributes accessed by using the Higgins project's Identity Attribute Service.[8] Once resolved, consumers of this service can inspect, and potentially modify, the attributes of the entity as well as get its schema as described in Web Ontology Language (OWL). In addition to basic identity attribute values like strings and numbers, the data entity referred to by an r-card can have complex attribute values consisting of aggregates of basic attribute types as well as UDI links to other entities.

Beyond being used to log into sites, Information Cards can also facilitate other kinds of interactions. The Information Card model provides great flexibility because cards can be used to convey any information from an Identity Provider to a Relying Party that makes sense to both of them and that the person is willing to release. The data elements carried in Information Cards are called Claims. One possible use of claims is online age verification, with Identity Providers providing proof-of-age cards, and Relying Parties accepting them for purposes such as online wine sales; other attributes could be verified as well. Another is online payment, where merchants could accept online payment cards from payment issuers, containing only the minimal information needed to facilitate payment. Role statements carried by claims can be used for access control decisions by Relying Parties.



Interoperability and licensing
The Information Cards defined by the Identity Selector Interoperability Profile v 1.5 [2] (or OASIS IMI v1.0 Committee Draft [3]) are based on open, interoperable communication standards. Interoperable Information Card components have been built by dozens of companies and projects for platforms including Windows, Mac OS, and Linux, plus a prototype implementation for phones. Together, these components implement an interoperable Identity Metasystem. Information Cards can be used to provide identities both for Web sites and Web Services applications. Several interoperability testing events for Information Cards have been sponsored by OSIS [9] and the Burton Group [5] , one was at the Interop at the October 2007 European Catalyst Conference in Barcelona [6] and the most recent was at RSA 2008. These events are helping to ensure that the different Information Card software components being built by the numerous participants in the Identity Metasystem work well together. The protocols needed to build Information Card implementations based on the Identity Selector Interoperability Profile v 1.5 [2] (or OASIS IMI v1.0 Committee Draft [3]) can be used by anyone for any purpose at no cost and interoperable implementations can be built using only publicly-available documentation. Patent promises have been issued by Microsoft [2], IBM [3], and others, ensuring that this Information Card technology is freely available to all. In June 2008, industry leaders including Equifax, Google, Microsoft, Novell, Oracle, PayPal and others created the Information Card Foundation in order to advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

History of the terms "i-card" and "information card"
The term information card was introduced by Microsoft in May 2005 as a name for the visual information card metaphor to be introduced in its forthcoming Windows CardSpace software. Until early 2006, information cards were also sometimes referred to by the code-name “InfoCard”, which was not a name that was freely available for all to use. The name information card was specifically chosen as one that would be freely available for all to use, independent of any product or implementation. The name “information card” is not trademarked and is so generic as to not be trademarkable. The term i-card was introduced at the June 21, 2006 Berkman/MIT Identity Mashup conference.[10] [11] The intent was to define a term that was not associated with any industry TM or other IP or artifact. At the time, Microsoft had not yet finished applying the Open Specification Promise [2] to the protocols underlying Windows CardSpace and there was also a misunderstanding that the term information card was not freely available for use by all, so to be conservative, the term i-card was introduced. Mike Jones, of Microsoft, explained to participants of a session at IIW 2007b [12] that Microsoft always intended the term information card to be used generically to describe all kinds of information cards and to be freely usable by all, and tried to correct the earlier misunderstanding that the term might apply only to the kinds of information cards originally defined by Microsoft. He made the case that the industry would be better served by having everyone use the common term information card, than having two terms in use with the same meaning, since there remains no legal or technical reason for different terms. In this case the term i-card would become just the short form of information card, just like e-mail has become the short form of electronic mail.



References
[1] http://code.bandit-project.org/trac/wiki/DigitalMe
[2] http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity_Selector_Interoperability_Profile_V1.5.pdf
[3] http://www.oasis-open.org/committees/download.php/29979/identity-1.0-spec-cd-01.pdf
[4] http://self-issued.info/?p=8
[5] http://specs.xmlsoap.org/ws/2005/02/trust/WS-Trust.pdf
[6] http://parity.com/udi
[7] http://wiki.eclipse.org/Context_Data_Model_1.1
[8] IdAS (http://wiki.eclipse.org/Identity_Attribute_Service)
[9] http://osis.idcommons.net/wiki/Main_Page
[10] MIT Identity Mashup conference meeting notes (http://wiki.idmashup.org/I-cards)
[11] Drummond Reed's blog post (http://www.equalsdrummond.name/?p=72)
[12] http://iiw.idcommons.net/index.php/Iiw2007b

Additional resources
• Technology Leaders Favor Online ID Card Over Passwords (http://www.nytimes.com/2008/06/24/technology/24card.html?_r=2&ref=business&oref=slogin&oref=slogin) - New York Times article 24-Jun-08 announcing the Information Card Foundation
• Identity Selector Interoperability Profile (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf), Arun Nanda, April 2007.
• Identity Selector Interoperability Profile v 1.5 (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity_Selector_Interoperability_Profile_V1.5.pdf)
• OASIS IMI v1.0 Committee Draft (http://www.oasis-open.org/committees/download.php/29979/identity-1.0-spec-cd-01.pdf)
• An Implementer's Guide to the Identity Selector Interoperability Profile V1.0 (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Guide.pdf), Microsoft Corporation and Ping Identity Corporation, April 2007.
• A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers (http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Web-Guide.pdf), Michael B. Jones, April 2007.
• Design Rationale behind the Identity Metasystem Architecture (http://research.microsoft.com/~mbj/papers/Identity_Metasystem_Design_Rationale.pdf), Kim Cameron and Michael B. Jones, January 2006.
• Patterns for Supporting Information Cards at Web Sites: Personal Cards for Sign up and Signing In (http://go.microsoft.com/fwlink/?LinkId=98051), Bill Barnes, Garrett Serack, and James Causey, August 2007.
• Microsoft Open Specification Promise (http://www.microsoft.com/interop/osp/), May 2007.
• IBM Interoperability Specifications Pledge (http://www-03.ibm.com/linux/opensource/ispinfo.shtml), July 2007.

• The Laws of Identity (http://msdn2.microsoft.com/en-us/library/ms996456.aspx), Kim Cameron, Microsoft, May 2005.
• Microsoft's Vision for an Identity Metasystem (http://msdn2.microsoft.com/en-us/library/ms996422.aspx), Microsoft, May 2005.
• 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age (http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf), Ann Cavoukian, Information and Privacy Commissioner of Ontario, October 2006.
• Burton Group report on OSIS June 2007 User-Centric Identity Interop at Catalyst in San Francisco (http://identityblog.burtongroup.com/bgidps/2007/08/recapping-the-c.html), August 2007.
• Burton Group report on OSIS October 2007 User-Centric Identity Interop at Catalyst in Barcelona (http://identityblog.burtongroup.com/bgidps/2007/10/osis-user-centr.html), October 2007.

External links
• Information Card Foundation (http://informationcard.net/)
• Eclipse Higgins Project (http://www.eclipse.org/higgins/)
• Bandit Project (http://www.bandit-project.org/)
• DigitalMe Identity Selector (http://code.bandit-project.org/trac/wiki/DigitalMe)
• Azigo Identity Selector (http://www.azigo.com)
• Avoco Secure Information Card and Identity Solutions (https://www.secure2cardspace.com)
• Open-Source Identity System (OSIS) (http://osis.idcommons.net/)
• Information Card Icon Announcement (http://self-issued.info/?p=17), Michael B. Jones.

Information Card Foundation

In June 2008, industry leaders including Equifax, Google, Microsoft, Novell, Oracle Corporation, PayPal and others created the Information Card Foundation in order to advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

References
• Technology Leaders Favor Online ID Card Over Passwords [1] - New York Times article 24-Jun-08 announcing the Information Card Foundation
• Press Release [2] - Announcement of the Information Card Foundation
• Heavy Hitters Collaborate on Promoting Digital-ID Tech [3] - ComputerWorld article covering the ICF announcement

External links
• Information Card Foundation Website [4]

[1] http://www.nytimes.com/2008/06/24/technology/24card.html?_r=2&ref=business&oref=slogin&oref=slogin
[2] http://informationcard.net/files/ICFPressRelease6-24-08.pdf
[3] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9102578
[4] http://informationcard.net

Liberty Alliance

The Liberty Alliance was formed in September 2001 by approximately 30 organizations to establish open standards, guidelines and best practices for identity management. Today it has a global membership of more than 150 organizations [1], including technology vendors, consumer-facing companies, educational organizations and governments from around the world, as well as hundreds of additional organizations that participate in Liberty's various open community Special Interest Groups (SIGs) [2]. Management Board members include AOL, British Telecom, Computer Associates (CA), Fidelity Investments, Intel, Internet Society (ISOC), Nippon Telegraph and Telephone (NTT), Novell, Oracle Corporation and Sun Microsystems.

It has released Frameworks that address Federation (since contributed to OASIS for the SAML standard), Identity Assurance, Identity Governance, and Identity Web Services, as well as various services applications. It has also been active in privacy and policy issues relative to identity. As of 2006, the Liberty Alliance has tracked well over one billion Liberty-enabled identities and devices [3] in fields as diverse as defense & law enforcement [4] to telecommunications [5] to egovernment [6].

As of June 2009, the work of the Liberty Alliance is transitioning to the Kantara Initiative.

History and key output

Identity federation

In July 2002, the Liberty Alliance released its first public specifications [7], Liberty Identity Federation (ID-FF) 1.0 [8]. At this time, several member companies also announced upcoming availability of Liberty-enabled products, marking very rapid release and deployment of open specifications developed by a consortium like the Liberty Alliance. Liberty Federation allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign-on to a network or domain once from any device and then visit or take part in services from multiple Web sites. This federated approach does not require the user to re-authenticate and can support privacy controls established by the user.

The Liberty Alliance released two more versions of the Identity Federation specification, and then in June 2003 contributed its federation specification to OASIS, forming the foundation for SAML 2.0. Today, many organizations have deployed interoperable solutions that support SAML 2.0. In 2007, Gartner, an industry analyst firm, declared SAML 2.0 "the de facto federation standard across industries." [9]

(Figure: Liberty Actors)
(Figure: Liberty Federation History)

Identity Web services

Liberty Alliance also focused on identity web services standards, publicly releasing the Liberty Identity Web Services Framework in April 2004. Liberty Identity Web Services [10] is an open framework for deploying and managing a variety of identity-based Web services. Liberty Web Services applications include Geo-location, Contact Book, Calendar, Mobile Messaging and Liberty People Service, a Web services framework for managing social applications such as bookmarks, calendars, blogs, photo sharing and instant messaging in a secure and privacy-respecting federated social network. In the October 2008 report "Federated Identity", Burton Group recommends organizations consider Liberty Alliance ID-WSF 2.0 specifications when implementing federation. [11] [12]

Liberty interoperable certification program

In an effort to grow the identity marketplace, the Liberty Alliance introduced the Liberty Interoperable (TM) certification program [13] in 2003, designed to test commercial and open source products against published standards to assure base levels of interoperability between products. Currently, more than 80 products have passed testing. In 2007, the US GSA began requiring [14] successful completion of this certification test as a prerequisite for participating in the US E-Authentication Identity Federation.

openliberty.org

In January 2007, the Liberty Alliance announced [15] the OpenLiberty Project [16], a global initiative formed to provide resources and support to open source developers building identity-based applications. OpenLiberty.org is a portal where developers can collaborate in the OpenLiberty Project and access tools and information for "jump starting" the development of more secure and privacy-respecting applications based on the widely deployed Liberty Federation and Liberty Web Services standards. In November 2008 [10], OpenLiberty released the open source ArisID API [17], providing enterprise developers and system architects with a library for building enterprise-grade identity-enabled applications using multiple identity protocols.

Identity governance framework

In February 2007 [18], the Liberty Alliance began working on the Identity Governance Framework, releasing the first version publicly in July 2007 [19]. The Identity Governance Framework defines a set of standards to help enterprises easily determine and control how identity related information is used, stored, and propagated in appropriate and secure ways using protocols such as LDAP, SAML, WS-Trust and ID-WSF.

Identity assurance framework

The Liberty Alliance began work on the Identity Assurance Framework in 2008. The Liberty Identity Assurance Framework (IAF) [20] details four identity assurance levels designed to ease and speed the process of linking trusted identity-enabled enterprise, social networking and Web 2.0 applications together based on standardized business rules and security risks associated with each level of identity assurance. The Assurance Levels are based on the four levels of assurance outlined by the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.1, and range in confidence level from low to very high. The level of assurance provided is measured by the strength and rigor of the identity proofing process, the credential's strength, and the management processes the service provider applies to it. These four Assurance Levels have been adopted by the U.S. Federal Government for categorizing electronic identity trust levels for providing electronic government services, the Government of Canada and the U.K. government. These Assurance Levels are also recognized and referenced in the Liberty Alliance Identity Assurance Framework [21].

Concordia project

In 2007 the Liberty Alliance helped to found the Concordia Project [22], an independent initiative focused on driving harmonization of specifications in the identity space. It does this by soliciting and defining real-world use cases and requirements for the usage of multiple identity protocols together in various deployment scenarios, and encouraging and facilitating the creation of protocol solutions in the appropriate homes for those technologies.

Privacy & policy

Since inception, the Liberty Alliance has also focused on the business and policy aspects of identity management, publishing business and policy guidelines [23] in a variety of forms for different business and legal audiences in a variety of vertical sectors. The Liberty Alliance hosted Privacy Summits [24] across the globe in 2007 and 2008 to foster dialogue about and understanding of privacy issues in the identity space.

Adoption

More than one billion Liberty-enabled identities and devices [3] have been tracked globally as reported by different organizations and news outlets, across a variety of categories, including biometrics [25], commercial IT [26], defense & law enforcement [4], education [27], escience [28], egovernment [6], financial services [29], healthcare [30], HR [31], mobile, oil & gas [32], online service providers [33], outsourcers & service providers [34], real estate [35], standards organizations [36], technology [37], telecommunications [5], and travel & transportation [38].

Membership

Management board members:
• America Online
• BT
• CA, Inc.
• Fidelity Investments
• Intel
• Internet Society (ISOC)
• Novell
• NTT
• Oracle Corporation
• Sun Microsystems
Full current membership [1]

Looking to the Future

Kantara initiative

The Kantara Initiative is a successor to Liberty Alliance, Concordia and others and has been formed by leaders of many foundations and associations working on various aspects of Digital identity to be a robust and well-funded focal point for collaboration to address the issues we each share: Interoperability and Compliance Testing, Identity Assurance, Harmonization, Education and Outreach, Market Research, UX and Usability, Use Cases and Requirements, Tool Development, Cross-Community Coordination and Collaboration, and Policy and Legal Issues: Privacy, Ownership and Liability. The Kantara Initiative is working to bridge the enterprise, government and Web communities to provide the industry with a clear path for moving interoperable identity systems forward, advancing adoption and meeting marketplace and user needs.

References
[1] http://www.projectliberty.org/liberty/membership/current_members
[2] http://wiki.projectliberty.org/index.php/Main_Page
[3] http://www.projectliberty.org/liberty/adoption
[4] http://www.projectliberty.org/liberty/adoption/defense_law_enforcement
[5] http://www.projectliberty.org/liberty/adoption/telecom
[6] http://www.projectliberty.org/liberty/adoption/egovernment
[7] http://www.projectliberty.org/liberty/news_events/press_releases/industry_leaders_release_details_of_anticipated_liberty_alliance_enabled_products
[8] http://www.projectliberty.org/adoption
[9] Source: Gartner, "The U.S. Government's Adoption of SAML 2.0 Shows Wide Acceptance", by Gregg Kreizman, John Pescatore and Ray Wagner, October 29, 2007
[10] http://www.projectliberty.org/liberty/specifications__1
[11] http://www.burtongroup.com/Client/Research/Document.aspx?cid=719
[12] Source: Burton Group, "Federated Identity", by Bob Blakley, October 2008
[13] http://www.projectliberty.org/liberty/liberty_interoperable
[14] http://www.projectliberty.org/liberty/news_events/press_releases/us_gsa_requires_liberty_alliance_interoperability_testing_as_public_sector_saml_2_0_adoption_soars
[15] http://www.projectliberty.org/liberty/news_events/press_releases/liberty_alliance_announces_openliberty_project

[16] http://www.openliberty.org/
[17] http://www.openliberty.org/wiki/index.php/ArisID_API
[18] http://www.projectliberty.org/liberty/news_events/press_releases/liberty_alliance_and_oracle_team_to_advance_identity_governance_framework
[19] http://www.projectliberty.org/liberty/news_events/press_releases/industry_leaders_submit_identity_governance_framework_to_openliberty_org_for_development_of_open_source_implementations
[20] http://projectliberty.org/liberty/strategic_initiatives/identity_assurance
[21] http://www.projectliberty.org/liberty/content/download/4315/28869/file/liberty-identity-assurance-framework-v1.0.pdf
[22] http://www.projectconcordia.org
[23] http://www.projectliberty.org/liberty/resource_center/papers
[24] http://www.projectliberty.org/liberty/public_community/privacy_summits
[25] http://www.projectliberty.org/liberty/adoption/biometrics
[26] http://www.projectliberty.org/liberty/adoption/commercial_it
[27] http://www.projectliberty.org/liberty/adoption/education
[28] http://www.projectliberty.org/liberty/adoption/escience
[29] http://www.projectliberty.org/liberty/adoption/financial_services
[30] http://www.projectliberty.org/liberty/adoption/healthcare
[31] http://www.projectliberty.org/liberty/adoption/hr
[32] http://www.projectliberty.org/liberty/adoption/oil_gas
[33] http://www.projectliberty.org/liberty/adoption/online_service_providers
[34] http://www.projectliberty.org/liberty/adoption/outsourcers_service_providers
[35] http://www.projectliberty.org/liberty/adoption/real_estate
[36] http://www.projectliberty.org/liberty/adoption/standards_organizations
[37] http://www.projectliberty.org/liberty/adoption/technology
[38] http://www.projectliberty.org/liberty/adoption/travel_transport

External links
• Liberty Alliance web site (http://www.projectliberty.org/)
• Liberty Alliance Adoption by Sector (http://www.projectliberty.org/liberty/adoption)
• Liberty Identity Assurance Framework (http://projectliberty.org/liberty/strategic_initiatives/identity_assurance)
• Identity Governance Framework
• Liberty Interoperable (TM) certification program (http://www.projectliberty.org/liberty/liberty_interoperable)
• ArisID API (http://www.openliberty.org/wiki/index.php/ArisID_API)
• Kantara Initiative (http://kantarainitiative.org/)
• U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.1 (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf)
• Concordia Project (http://www.projectconcordia.org/)
• OpenLiberty Project (http://www.openliberty.org/)
• Privacy Summits (http://www.projectliberty.org/liberty/public_community/privacy_summits)

Scott Mitic

Scott Mitic (born February 13, 1970) is an American identity theft expert, author and businessman. His family's repeated experiences with identity theft led to the founding of the identity theft protection company, TrustedID, Inc., in 2004. Mitic is currently Chief Executive Officer of the company. He is regularly quoted on topics related to identity theft, consumer credit and credit scores.[1] [2]

Background

Mitic grew up in Maryland and attended McGill University in Montreal, Canada and Georgetown University in Washington DC. In 1998, he co-founded Headlight.com, an online learning company, which he grew until its sale in 2001. In 2002, he became an executive at FICO, growing the company's consumer credit education services, MyFICO.com.

A sampling of his work includes appearances on United States-based television and radio programming such as FOX, ABC, Oprah & Friends, and CNBC, National Public Radio and Public Radio International. In addition, he has been quoted extensively in American news print publications such as The Wall Street Journal, The New York Times, The Washington Post, USA Today, Chicago Tribune, The Miami Herald, The San Francisco Chronicle,[3] San Jose Mercury News, Newsweek, Time Magazine, Readers Digest, and INC Magazine.

Book

Mitic is author of Stopping Identity Theft: 10 Easy Steps, published by Nolo in 2009.

References
[1] Building an Online Bulwark to Fend Off Identity Fraud, NYT Nov 18 2009 (http://www.nytimes.com/2009/11/19/technology/personaltech/19basics.html?_r=1&scp=1&sq=scott mitic&st=cse)
[2] How to Avoid Medical I.D. Theft, NYT Jun 06 2009 (http://www.nytimes.com/2009/06/13/health/13patientbar.html)
[3] Lender gives free, unlimited views of credit scores, San Francisco Chronicle, Feb 22, 2004 (http://articles.sfgate.com/2004-02-22/real-estate/17413381_1_credit-scores-home-mortgage-and-credit-independent-credit-reporting-agencies)

Mobile identity management

The mobile phone, in addition to a wallet and house keys, has become one of the essentials to take with you when leaving the house. With the mobile signature concept, the mobile phone has turned into a device for managing each person's digital identity. By storing all the technically necessary applications on a SIM card, the SIM card of one's mobile phone works as an identity tool. When using Mobile Identity, no separate card reader is needed, as the phone itself already performs both functions, in contrast to other approaches.

Mobile Identity is a development of the traditional online authentication and digital signing: the mobile phone in conjunction with a mobile signature-enabled SIM card offers the same security as, and superior ease of use to, for example smart cards in existing digital identity management systems. Smart card-based digital identities can only be used in conjunction with a card reader and a PC. In addition, distributing and managing the cards has become a logistical nightmare, exacerbated by the lack of interoperability between services relying on such a digital identity.

Mobile Identity enables legally binding authentication and transaction signing for online banking, payment confirmation, corporate services, and consuming online content. The user's certificates are maintained on the telecom operator's SIM card and in order to use them, the user has to enter a personal, secret PIN code.

There are a number of private company stakeholders that have an inherent interest in setting up a mobile signature service infrastructure, thus offering mobile identity services that could leverage the use of mobile signatures across several applications. These stakeholders are mobile network operators and, to a certain extent, financial institutions or service providers with an existing large customer base.

Finland

The Finnish government has supervised the deployment of a common derivative of the ETSI-based mobile signature service standard, thus allowing the Finnish mobile operators to offer mobile signature services. The Finnish government certificate authority (CA) also issues the certificates that link the digital keys on the SIM card to the person's real world identity.
references
• http://www.valimo.com/news_and_events/01-09-2009/uusi-laki-sahkoisesta-tunnistamisesta-astui-voimaan
• http://www.vrk.fi/vrk/home.nsf/pages/9C0B5FFC32EC6AF2C225724400511298?opendo

Sweden

The need for new authentication solutions like Mobile Identity in the Nordic region is rapidly growing as governments, public sector and financial institutions are increasingly offering online and mobile channels to access their services. These new services require more secure and user-friendly authentication methods. In Sweden a consortium owned by banks and mobile operators (WPKI.Net) is specifying a mobile signature service infrastructure that is first used by banks to authenticate online banking users. Later on the mobile signature services are supposed to be available for other applications as well. [1] Telenor Sweden has provided technology for the company's mobile signature services in Sweden since 2009. Telenor enables its customers a convenient and secure login to online services using their mobile phone for authentication and digital signing.
references
• http://www.wpki.net
• http://www.valimo.com/news_and_events/16-02-2009/valimo-and-telenor-sweden-collaborate-mobile-authentication-technology

Estonia

The Estonian government has issued all citizens with a Smart card, but citizens are using the digital identity sparsely. There is now a concerted effort from the private industry to leverage the Estonian CA landscape and deploy mobile signature services, thus enabling Estonian citizens to port their existing digital identity to the mobile phone.

Austria

The Austrian government has decided to allow private sector companies to propose means for storing the government-controlled digital identity. Since 2006, the Austrian government has explicitly mentioned mobile phones as one of the likely devices to be used for storing and managing a digital identity. Eight Austrian saving banks will launch a pilot allowing online user authentication with mobile signatures.
references
• http://www.quelle-bausparkasse.de/presse/detail/88/

Turkey

The mobile operator Turkcell has bought a mobile signature service infrastructure and has now signed up 8 Turkish banks to enable them to use mobile signatures for online user authentication. Other services relying on mobile signatures are:
• Securing the withdrawal of small loans from an ATM
• Processing custom work flow processes by enabling applicants to use mobile signatures.
references
• http://www.turkcell.com.tr/bultenler/2007_02_20_mobile_signature_eng.pdf
• http://www.hurriyet.com.tr/ekonomi/6307988.asp?gid=196
• http://www.todayszaman.com/tz-web/detaylar.do?load=detay&link=113484
• http://www.valimo.com/news_and_events/26-02-2009/kenya-turkey-japan-lead-mobile-money-trend
^^dead links^^

Qualified Mobile Identity Providers
• http://www.mobile-identity.net
• http://id.

Free Mobile Identity Services
• http://www.abriva.com
Abriva is a new promising free Mobile Identity Management. It now supports the OpenID standard.
references
• https://www.abriva.com

References
[1] http://wpki.net

Mobile signature

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card.

Origins of the term mSign

The term first appeared in articles introducing mSign (short for Mobile Electronic Signature Consortium). It was founded in 1999 and comprised 35 member companies. In October 2000, the consortium published an XML-interface defining a protocol allowing service providers to obtain a mobile (digital) signature from a mobile phone subscriber. mSign gained industry-wide coverage when it became apparent that Brokat (one of the founding companies) also obtained a process patent in Germany for using the mobile phone to generate digital signatures.

MoSign project and standardization attempt

The MoSign project (short for Mobile Signature), initiated by the companies Deutsche Bank, Ericsson, Materna, Microsoft, Sema Group, Siemens and TC TrustCenter, was meant to demonstrate the deployment of electronic signatures using a "mobile signing device". The mobile signing device comprised a Siemens IC35 organizer with an integrated WAP browser and a Smart card reader. The user was meant to connect the IC35 via the IrDA interface to an internet-enabled mobile device, that would enable the IC35's WAP browser to view WAP pages from a remote server. To generate a mobile signature the user inserted a Smart card into the IC35's card slot. The digital keys are stored on the Smart card and the signing application was based on the WAP 1.2 Crypto SignText implementation in the WAP browser stack. In March 2001, four German banks (Deutsche Bank, Commerzbank, Dresdner Bank and HypoVereinsbank) announced that they would use the findings from the MoSign project and would develop it into a single standard for electronic signatures used in conjunction with mobile devices and financial services.

ETSI-MSS standardization

The term was then used by Paul Gibson (G&D) and Romary Dupuis (France Telecom) in their standardisation work at the European Telecommunications Standards Institute (ETSI) and published in ETSI Technical Report TR 102 203. The ETSI-MSS specifications define an XML interface and Mobile Signature Roaming for systems implementing mobile signature services.

Mobile signatures today

Currently, GSM phones and WAP phones are mostly supporting this technology. Those mobile signature services on SIM cards can be supported by almost all GSM phones, regardless of their capacity. In the near future, 3G-phones and other portable devices will feature a similar mobile signature application.

The mobile signature is created by typing a secret code (i.e. your signing PIN) into the signing device (for example: your mobile phone). This secret code in combination with your key storage token (for example: SIM card) and a chosen text triggers a cryptographic algorithm to generate the (digital) signature. Each of your mobile/digital signatures can be linked to a digital certificate (an electronic record) that vouches for your real-world identity. The mobile signature is the legal equivalent of your own wet signature. Thus, the mobile signature is a unique feature for:
• Proving your real-world identity to third parties without face-to-face communications
• Making a legally-binding commitment by sending a confirmed message to another party
• Solving security problems of the online world with identity confirmation.[1]

Mobile Signature with On Board Key Generation

Turkcell is the first provider of a mobile signature service with "On Board Key Generation" functionality, which enables customers to create their signing and validation key pair, on their own, after they get the SIM card. In this way GSM operators do not need to distribute signing PINs to customers. Customers can create their PIN anew. However, authentication is still vulnerable to man-in-the-middle attacks and trojan horses.[2]

Sources for the origins of the term
• mSign: Announcement of MSign formation (in German only), 17.10.2000[3]
• MoSign: Materna Monitor - company magazine, December 2004[4]
• MoSign: International Herald Tribune tech brief, 26.3.2001[5]
• MobilImza: Turkcell Mobil Imza, 10.3.2008[6] [7]

References
[1] http://www.schneier.com/essay-083.html
[2] (Turkish) Turkcell.com (http://www.turkcell.com.tr/index/0,1028,400004,00.html?banner=dig_20022007_turkcellmobilimza)
[3] Golem.de (http://www.golem.de/0010/10335.html)
[4] Materna-tmt.de (http://www.materna-tmt.de/./Monitor/DE/2000/2000-4,property=publicationFile.templateId=raw.pdf/2000-4)
[5] IHT.com (http://www.iht.com/articles/2001/03/26/techbrief_ed3__67.php)
[6] (Turkish) Turkcell.com (http://www.turkcell.com.tr/bireysel/servisler/asistan/Turkcell_mobil_imza)
[7] (English) Turkcellmobilesignature.com (http://www.turkcellmobilesignature.com)

Mobile Signature Roaming

The concept of Mobile Signature Roaming is: an Application Provider (AP) should be able to get a Mobile Signature from any enduser, even if the AP and the enduser have not contracted a commercial relationship with the same MSSP. This means that a Mobile Signature transaction issued by an Application Provider should be able to reach the appropriate MSSP, and this should be transparent for the AP. This is the concept of a Mobile Signature Roaming Service. (reference [1])

Mobile Signature roaming itself requires commercial agreements between the entities that facilitate it. Otherwise, an AP would have to build commercial terms with as many MSSPs as possible, and this might be a cost burden. In this respect, we assume that various entities (including MSSPs) will join in order to define common commercial terms and rules corresponding to a Mobile Signature Roaming Service. We can imagine that a commercial model for a Mobile Signature Roaming Service is a Mesh of MSSPs which are fully or partially connected between each other. (reference [1])

Entities involved are:
• Acquiring Entity (AE): an entity performing this role is one of the entry points of the Mesh. The entry point in the Mesh may be for instance a MSSP, or an aggregator of Application Providers in the context of a particular community of interests (e.g. payment associations, banks, MNOs etc.). That's the reason why we define this more abstract role. An Acquiring Entity implements the Web Service Interface specified in TS 102 204 [8], and handles commercial agreements with APs.
• Acquiring MSSP (AMSSP): this is a MSSP acting as an entry point in the Mesh.
• Home MSSP (HMSSP): this is the MSSP that is able to deal with the current enduser and the current transaction.
• Routing Entity (RE): any entity that facilitates the communication between the AE and the home MSSP.
• Attribute Provider: this role is described by Liberty Alliance [3]. One or several mesh members may undertake this role and store relevant attributes in order to facilitate the discovery of the Home MSSP by other Mesh members.
• Identity Issuer: an entity that is able to make a link between a Mobile Signature and an enduser's identity. Within a PKI system, this is typically the CA and/or a RA.
• Verifying Entity (VE): an entity that can verify a Mobile Signature. A MSSP may be a Verifying Entity as well.

First mobile signature roaming transactions
• 13.4.2005 "Finnet and TeliaSonera Finland Performed Successful MSS Roaming" (announced by TeliaSonera [2])
• 7.2.2007 "World's first international Mobile Signature Roaming - with ETSI-MSS by Valimo (Finland) and BBS (Norway)" (announced by Valimo [3])

References
[1] http://portal.etsi.org/docbox/EC_Files/EC_Files/ts_102207v010103p.pdf
[2] http://wpy.observer.se/wpyfs/00/00/00/00/00/05/6D/81/wkr0007.pdf
[3] http://www.valimo.com/news_and_events/news/2007/74

Multi-master replication

Multi-master replication is a method of database replication which allows data to be stored by a group of computers, and updated by any member of the group. The multi-master replication system is responsible for propagating the data modifications made by each member to the rest of the group, and resolving any conflicts that might arise between concurrent changes made by different members.

Multi-master replication can be contrasted with master-slave replication, in which a single member of the group is designated as the "master" for a given piece of data and is the only node allowed to modify that data item. Other members wishing to modify the data item must first contact the master node. Allowing only a single master makes it easier to achieve consistency among the members of the group, but is less flexible than multi-master replication.

Advantages
• If one master fails, other masters will continue to update the database.
• Masters can be located in several physical sites, i.e. distributed across the network.

Disadvantages
• Most multi-master replication systems are only loosely consistent, i.e. lazy and asynchronous, violating ACID properties.
• Eager replication systems are complex and introduce some communication latency.
• Issues such as conflict resolution can become intractable as the number of nodes involved rises and the required latency decreases.

Methods

Log-Based
A database transaction log is referenced to capture changes made to the database. For log-based transaction capturing, database changes can be distributed either synchronously or asynchronously.

Trigger-Based
Triggers at the subscriber capture changes made to the database and submit them to the publisher. With trigger-based transaction capturing, database changes can only be distributed asynchronously.

Implementations

Many directory servers based on LDAP implement multi-master replication.

Active Directory
One of the more prevalent multi-master replication implementations in directory servers is Microsoft's Active Directory. Within Active Directory, objects that are updated on one Domain Controller are then replicated to other domain controllers through multi-master replication. It is not required for all domain controllers to replicate with each other domain controller as this would cause excessive network traffic in large Active Directory implementations. Instead, domain controllers have a complex update pattern that ensures that all servers are updated in a timely fashion without excessive replication traffic. Some Active Directory needs are better served by Flexible single master operation.
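The loose consistency and conflict resolution discussed above, as an added example that is not from this page or from any of the products it lists: a small Python simulation of asynchronous, log-based replication between two constructed masters, with attribute-level last-writer-wins resolution. It shows the replicas diverging during the lazy window, converging once logs are exchanged, and one concurrent write being silently discarded. Node names, the directory entry and its values are constructed for the demonstration.

```python
"""Added example (not from the page): toy asynchronous multi-master replication
with attribute-level last-writer-wins conflict resolution. Node names and data
are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A version is (logical clock, originating node id). Tuples compare
# lexicographically, so every replica orders concurrent changes identically;
# the node id is only a deterministic tie-breaker, not a statement of priority.
Version = Tuple[int, str]
Attrs = Dict[str, Tuple[str, Version]]            # attribute -> (value, version)


@dataclass
class Change:
    entry: str
    attribute: str
    value: str
    version: Version


@dataclass
class Master:
    node_id: str
    clock: int = 0
    data: Dict[str, Attrs] = field(default_factory=dict)
    log: List[Change] = field(default_factory=list)   # this master's own changelog

    def write(self, entry: str, attribute: str, value: str) -> Change:
        """Local update: accepted immediately and appended to the changelog
        (log-based capture); nothing waits for the other masters."""
        self.clock += 1
        change = Change(entry, attribute, value, (self.clock, self.node_id))
        self._apply(change)
        self.log.append(change)
        return change

    def receive(self, change: Change) -> bool:
        """Apply a change shipped from a peer; False means it lost the conflict."""
        self.clock = max(self.clock, change.version[0])  # keep clocks monotonic
        return self._apply(change)

    def _apply(self, change: Change) -> bool:
        attrs = self.data.setdefault(change.entry, {})
        current = attrs.get(change.attribute)
        if current is not None and current[1] >= change.version:
            return False          # stale, duplicate, or losing concurrent write
        attrs[change.attribute] = (change.value, change.version)
        return True

    def read(self, entry: str, attribute: str) -> Optional[str]:
        stored = self.data.get(entry, {}).get(attribute)
        return None if stored is None else stored[0]


def replicate(src: Master, dst: Master, cursors: Dict[Tuple[str, str], int]) -> int:
    """Ship src's not-yet-shipped log entries to dst; returns how many were applied.
    The cursor makes the transfer idempotent, so a retried sync is harmless."""
    key = (src.node_id, dst.node_id)
    pending = src.log[cursors.get(key, 0):]
    applied = sum(1 for change in pending if dst.receive(change))
    cursors[key] = len(src.log)
    return applied


def run_scenario() -> Dict[str, object]:
    """Two masters take concurrent writes to one directory entry, then sync."""
    dc1, dc2 = Master("dc1"), Master("dc2")
    cursors: Dict[Tuple[str, str], int] = {}
    entry = "uid=alice,ou=people"                          # constructed entry

    dc1.write(entry, "mail", "alice@example.test")        # version (1, dc1)
    replicate(dc1, dc2, cursors)                          # both agree so far

    # Concurrent updates during the lazy window, before any replication.
    dc1.write(entry, "telephone", "+1-555-0100")          # version (2, dc1)
    dc2.write(entry, "mail", "alice.new@example.test")    # version (2, dc2)
    dc2.write(entry, "telephone", "+1-555-0199")          # version (3, dc2)
    diverged = dc1.read(entry, "telephone") != dc2.read(entry, "telephone")

    replicate(dc1, dc2, cursors)
    replicate(dc2, dc1, cursors)
    return {
        "diverged_before_sync": diverged,
        "converged": dc1.data == dc2.data,
        "mail": dc1.read(entry, "mail"),
        "telephone": dc1.read(entry, "telephone"),
        # dc1's telephone write had the lower version, so it was discarded
        "dc1_telephone_write_survived": dc1.read(entry, "telephone") == "+1-555-0100",
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Nothing in the simulation tells dc1's administrator that the telephone update was overwritten; a production system would need to log the losing change or use a richer clock to detect true concurrency.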

CA Directory
CA Directory supports multi-master replication.

OpenDS
OpenDS implements multi-master replication since its version 1.0. The OpenDS multi-master replication is asynchronous; it uses a log with a publish-subscribe mechanism that allows scaling to a large number of writable copies. OpenDS replication does conflict resolution at the entry and attribute level. OpenDS replication can be used over a Wide Area Network.

OpenLDAP
The widely used open source LDAP server implements multi-master replication since its version 2.4 (October 2007) [1].

Ingres
Within Ingres Replicator, objects that are updated on one Ingres server can then be replicated to other servers, whether local or remote, through multi-master replication. It is not required for all Ingres servers in an environment to replicate with each other as this could cause excessive network traffic in large implementations. Instead, Ingres Replicator provides an elegant and sophisticated design that allows the appropriate data to be replicated to the appropriate servers without excessive replication traffic. This means that some servers in the environment can serve as failover candidates while other servers can meet other requirements such as managing a subset of columns or tables for a departmental solution, a subset of rows for a geographical region or one-way replication for a reporting server. In the event of a source, target, or network failure, data integrity is enforced through this two-phase commit protocol by ensuring that either the whole transaction is replicated, or none of it is. In addition, Ingres Replicator can operate over RDBMS's from multiple vendors to connect them.

MySQL
MySQL ships with replication support. It is possible to achieve a multi-master replication scheme beginning from MySQL version 3.23. MySQL Cluster supports conflict detection and resolution between multiple masters since version 6.3.

Oracle
Oracle database clusters implement multi-master replication using one of two methods. Asynchronous multi-master replication commits data changes to a deferred transaction queue which is periodically processed on all databases in the cluster. Synchronous multi-master replication uses Oracle's two phase commit functionality to ensure that all databases within the cluster have a consistent dataset.

PostgreSQL
PostgreSQL, beginning from version 9.0, includes built-in binary replication, based on shipping the changes made to all database blocks to other systems asynchronously after commit. PostgreSQL also has the ability to run read-only queries against these replicated slaves. This allows splitting read traffic among multiple nodes efficiently. If one server fails, client connections can be re-directed to another server. PostgreSQL offers multiple solutions for multi-master replication, including solutions based on two phase commit. There's Bucardo [2], rubyrep [3], PgPool and PgPool-II [4], PgCluster [5] and Sequoia [6] as well as some proprietary solutions. Another promising approach, implementing eager (synchronous) replication, is Postgres-R [7]; however it is still in development. Yet another project, implementing synchronous replication, is Postgres-XC [8]. Postgres-XC also is still under development.

Daffodil Replicator (http://opensource.daffodilsw.com/) is a Java tool for data synchronization, data migration, and data backup between various database servers. Daffodil Replicator works over a standard JDBC driver and supports replication across heterogeneous databases. At present, it supports the following databases: Microsoft SQL Server, Oracle, PostgreSQL, MySQL, DB2, Firebird, HSQLDB, H2, Daffodil database, Apache Derby. Daffodil Replicator is available in both enterprise (commercial) and open source (GPL-licensed) versions.

SymmetricDS (http://symmetricds.codehaus.org/) is web-enabled, database independent, data synchronization/replication software. It uses web and database technologies to replicate tables between relational databases in near real time. The software was designed to scale for a large number of databases, work across low-bandwidth connections, and withstand periods of network outage. By using database triggers, SymmetricDS guarantees that data changes are captured and atomicity is preserved. Support for database vendors is provided through a Database Dialect layer, with implementations for MySQL, Oracle, SQL Server, PostgreSQL, DB2, and Apache Derby included. Licensed under the LGPL open source license.

References
[1] http://www.openldap.org/software/roadmap.html
[2] http://bucardo.org/wiki/Bucardo
[3] http://www.rubyrep.org/
[4] http://pgpool.projects.postgresql.org/
[5] http://pgcluster.projects.postgresql.org/
[6] http://www.continuent.com/community/lab-projects/sequoia
[7] http://www.postgres-r.org
[8] http://sourceforge.net/projects/postgres-xc/

• Challenges Involved in Multimaster Replication (http://www.dbspecialists.com/presentations/mm_replication.html)
• Active Directory Replication Model (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbh_rep_fgtk.asp)
• Terms and Definitions for Database Replication (http://www.postgres-r.org/documentation/terms)
• SymmetricDS (http://symmetricds.org)
• DBReplicator Project Page (http://dbreplicator.org)
• DMOZ Open Directory Project - Database Replication Page (http://www.dmoz.org/Computers/Software/Databases/Replication/)

Novell Storage Manager

Novell Storage Manager
Developer(s): Novell
Initial release: 2004
Stable release: 3.0 / 2010
Type: System Software
Website: Novell Storage Manager [1]

Novell Storage Manager is a system software package released by Novell in 2004 [2] that uses identity, policy and directory events to automate full lifecycle management of file storage for individual users and organizational groups. By tying storage management to an organization's existing identity infrastructure, Novell Storage Manager enables the administration of users across all file servers "as a single pool rather than [in] separate independently managed domains," it has been pointed out[3]. Novell Storage Manager is a component of the Novell File Management Suite.

How It Works

Novell Storage Manager dynamically manages and provisions storage based on user and group events that occur in the directory, including user creations, moves, renames, group assignments, and deletions. When a change happens in the directory that affects a user's file storage needs or user storage policy, Storage Manager applies the appropriate policy and makes the necessary changes at the file system level to address those storage needs[4].

The following key components comprise Novell Storage Manager's identity and policy-driven state machine architecture: Directory services, Novell Storage Manager event monitors, Novell Storage Manager policy engine, Novell Storage Manager agents, Storage policies, and Action objects. This state machine architecture enables the engine to properly deal with transient waits with directory synchronization issues. It also allows recovery from failures involving network communications, a target server or a server running a component of Storage Manager—including the policy engine itself. If a failure or interruption occurs at any point during operation, Storage Manager will be able to successfully continue the operation from where it was when the interruption occurred.

Reviews

Jon Toigo called Novell Storage Manager "a robust and smart approach to corralling user files, into an organized and efficient management scheme"[5]. He also said it was "best in class" of the products he'd reviewed[6].

References
[1] http://www.novell.com/products/storagemanager/
[2] Greyzdorf, Noemi (2009). "Novell Delivers a New Way of Intelligently Managing Organizations' File-Based Information" (http://www.novell.com/docrep/2009/01/Novell Delivers a New Way of Intelligently Managing Organizations_ File-Based Information_en.pdf). IDC #216013 1 (Storage Software: Technology Assessment): 1–3.
[3] Greyzdorf, Noemi (2010). "Efficiently Delivering Enterprise-Class File-Based Storage". IDC Spotlight: 1–5.
[4] Novell Storage Manager for Novell eDirectory (http://www.novell.com/docrep/2009/04/Novell_Storage_Manager_for_Novell_eDirectory_White_Paper_en.pdf). p. 4.
[5] Toigo, Jon William. Novell Storage Manager Strikes Data Management Gold (http://esj.com/articles/2009/04/28/novell-storage-mgr.aspx). 2009. Retrieved 26 July 2010.
[6] Toigo, Jon William. Everything We Need to Know About How to Screw Up IT… (http://www.drunkendata.com/?p=2916). Retrieved 30 July 2010.

External links
• Novell Storage Manager homepage (http://www.novell.com/products/storagemanager/)
• Support homepage (http://www.storagemanagersupport.com/nsm/)

Online identity management

Online identity management (OIM), also known as online image management, online personal branding or personal reputation management (PRM), is a set of methods for generating a distinguished Web presence of a person on the Internet. That presence could be reflected in any kind of content that refers to the person, including news, participation in blogs and forums, personal web sites (Marcus, Machilek & Schütz 2006), social media presence, pictures, video, etc.

Online identity management also refers to identity exposure and identity disclosure, and has particularly developed in the management of online identity in social network services (Tufekci 2008) or online dating services (Siibak 2007).

One aspect of the online identity management process has to do with improving the quantity and quality of traffic to sites that have content related to a person. In that aspect, OIM is a part of another discipline called search engine optimization, with the difference that the only keyword is the person's name, and the optimization object is not necessarily a single web site; it can consider a set of completely different sites that contain positive online references. The objective in this case is to get high rankings for as many sites as possible when someone searches for a person's name. In this case, the process can also be named online reputation management.

Another aspect has to do with impression management, "the process through which people try to control the impressions other people form of them". One of the objectives in particular is to increase the online reputation of the person. But it can also consist in more questionable practices. Hence in the case of social network services users have the possibility to buy 'friends' so as to increase their visibility [2].

Online identity management often involves participation in social media sites like Facebook, LinkedIn, Myspace, Twitter, Twitxr, Flickr, YouTube, Last.fm, Orkut and other online communities and community websites, and is related to blogging, blog social networks like MyBlogLog and blog search engines like Technorati.

Motivation

The reason why someone would be interested in doing online identity management is closely related to the increasing number of constituencies that use the internet as a tool to find information about people. If the search engine used is Google, this action is called "to google someone"[1]. A survey by CareerBuilder.com found that 1 in 4 hiring managers used search engines to screen candidates. One in 10 also checked candidates' profiles on social networking sites such as MySpace or Facebook [4]. According to a December 2007 survey by the Ponemon Institute, a privacy research organization, roughly half of U.S. hiring officials use the Internet in vetting job applications [5].

Objective

The objective of online identity management is to:
1. Maximize the appearances of positive online references about a specific person, targeting not only users that actively search for that person on any Search Engine, but also those that eventually can reach a person's reference while browsing the web.
2. Build an online identity in case the person's web presence is minimal or nonexistent. [3]
3. Solve online reputation problems.

References
• Marcus, Bernd; Machilek, Franz; Schütz, Astrid (2006). "Personality in cyberspace: Personal web sites as media for personality expressions and impressions". Journal of Personality and Social Psychology 90 (6): 1014–1031. doi:10.1037/0022-3514.90.6.1014. PMID 16784349.
• Siibak, A. (2007). "Casanova`s of the Virtual World. How Boys Present Themselves on Dating Websites" [6]. (Eds.) M. Muukkonen & K. Sotkasiira. Young People at the Crossroads: 5th International Conference on Youth Research in Karelia, Petrozavodsk, Republic of Karelia, Russian Federation, September 1-5, 2006. Joensuu University: Joensuun yliopisto. pp. 83–91. ISBN 978-952-219-020-8.
• Tufekci, Zeynep (2008). "Can You See Me Now? Audience and Disclosure Regulation in Online Social Network Sites". Bulletin of Science, Technology & Society 28 (1): 20–36. doi:10.1177/0270467607311484.

[1] Seth Godin (January 2, 2008). "The first thing to do this year" (http://sethgodin.typepad.com/seths_blog/2008/01/the-first-thing.html). Seth Godin.
[2] Learmonth, Michael (2009). "Want 5,000 More Facebook Friends? That'll Be $654.30" (http://adage.com/digital/article?article_id=138770). AdvertisingAge, September 02, 2009.
[3] Susan Kinzie and Ellen Nakashima (July 2, 2007). "Calling In Pros to Refine Your Google Image" (http://www.washingtonpost.com/wp-dyn/content/article/2007/07/01/AR2007070101355.html?hpid=artslot). The Washington Post.
[4] Cristian Lupsa (November 29, 2006). "Do you need a Web publicist?" (http://www.csmonitor.com/2006/1129/p13s01-stct.html). The Christian Science Monitor.
[5] Ellen Nakashima (March 7, 2007). "Harsh Words Die Hard on the Web" (http://www.washingtonpost.com/wp-dyn/content/article/2007/03/06/AR2007030602705_pf.html). Washington Post.
[6] http://mail.jrnl.ut.ee:8080/35/

External links
• 25+ Ways to Manage Your Online Identity (http://mashable.com/2007/09/10/online-identity/)
• European Centre for Reputation Studies (http://www.reputation-centre.org/en/currentnews.html/)
• Sara Hashash and Roger Waite (February 17, 2008). "Smeared on the internet? Then call in the cleaners." (http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article3382175.ece). The Sunday Times.

Oracle Identity Management

Oracle Identity Management (OIM) is a software suite from Oracle providing identity and access management (IAM) technologies. The name of the software suite is very similar to the name of one of its components, Oracle Identity Manager (OIM).

Components
Each entry gives the product, the software stack it belongs to, a description, the original name where the product was acquired, and notes.

• Oracle Internet Directory (OID). Stack: OIM. An LDAP directory server which stores its data in the Oracle database. Notes: With the Sun acquisition, both Oracle Internet Directory and the Sun LDAP (renamed to Oracle Directory Server Enterprise Edition) are maintained as strategic LDAPs.
• Directory Integration Platform (DIP). Stack: OIM/OID. A directory synchronization and provisioning framework included in OID. Supports synchronization of data between heterogeneous systems, including multiple vendor LDAPs, databases, flat files and Oracle eBusiness Suite HRMS.
• Oracle Authentication Services for Operating Systems (OASOS). Stack: OIM/OID. A product which configures Linux/Unix systems to authenticate against OID via PAM/NSS.
• Oracle Directory Server Enterprise Edition. Stack: OIM. An LDAP directory server. Original name: Sun LDAP. Notes: With the Sun acquisition, both Oracle Internet Directory and the Sun LDAP (renamed to Oracle Directory Server Enterprise Edition) are maintained as strategic LDAPs.
• Oracle Virtual Directory (OVD). Stack: OIM. A directory virtualization solution. Original name: OctetString VDE.
• Oracle Access Manager (OAM). Stack: OIM. Oracle's strategic solution for access management. Original name: Oblix CoreID. Notes: The 10g version was written in C. In the 11g version, the server itself has been rewritten in Java, although some of the integration components (web gates) are still written in C.
• Oracle OpenSSO. Stack: OIM (and also OpenAM). Access management, in particular Secure Token Service (STS). Original name: Sun OpenSSO. Notes: Oracle Access Manager (OAM) is the strategic product, but OpenSSO provides some facilities that OAM/OIF does not offer yet. OpenSSO is developed and supported by ForgeRock under the name of OpenAM.
• Oracle Single Sign-On (OSSO). Stack: OIM. Oracle's legacy single sign-on (SSO) solution. OSSO is focused on integrating with Oracle products, and has more limited support for integrating with products from third-party vendors than OAM. Notes: As of 11g, the server component of SSO has been discontinued, but the Apache module (mod_osso) is still provided, with OAM 11g able to interoperate with mod_osso.

• Oracle Identity Federation (OIF). Stack: OIM. An identity federation solution, supporting SAML and Liberty protocols. Notes: Formerly an Oblix product.
• Oracle Adaptive Access Manager (OAAM). Stack: OIM. Provides fraud detection and countermeasures including strong authentication. Notes: From the Bharosa acquisition.
• Oracle Role Manager (ORM). Stack: OIM. Provides role management. Original name: N/A. Notes: From the Bridgestream acquisition. Discontinued in favor of Oracle Identity Analytics (OIA) post-Sun acquisition. (product discontinued)
• Oracle Identity Analytics (OIA). Stack: OIM. Provides role management. Original name: Sun Java System Role Manager. Notes: Replaces the former Oracle Role Manager (ORM) component.
• Oracle Identity Manager (OIM). Stack: OIM. Oracle's strategic solution that provides provisioning, reconciliation, request-based provisioning, self-service, and integration with heterogeneous identity systems through connectors (LDAPs, databases, ERP packages, email/collaboration suites, operating systems, mainframe/midrange, etc.). Notes: From the Thortech acquisition. The name of this component is very similar to the name of the software suite as a whole.
• Oracle Waveset. Stack: OIM. Similar features as Oracle Identity Manager (OIM). Waveset also incorporates connectors and adapters for interfacing to heterogeneous systems, similar in principle to those included in Oracle Identity Manager. Original name: Sun Identity Manager. Notes: This product continues to be maintained, but with Oracle Identity Manager as the strategic product. Sun Identity Manager was renamed to Oracle Waveset to avoid confusion, which is actually a reversion to the original name before Waveset Technologies was acquired by Sun.
• Oracle Certificate Authority (OCA). Stack: OIM. An X.509 certificate authority. Original name: N/A. Notes: This component has been discontinued in the 11g release with no replacement. (no longer a product)
• Oracle Enterprise Single Sign-On (eSSO). Stack: OIM. This provides desktop-based single sign-on (SSO), including support for retrofitting single sign-on into legacy fat client applications via automated login form fill-in, and doing the same for web and 3270-based applications. Notes: This was originally OEM-ed from Passlogix, although Passlogix is now being acquired by Oracle.
• Oracle Entitlements Server (OES). Stack: OIM. Provides centralized management of security policies, expressible in XACML. Disparate applications can use OES to provide a common framework for managing access control policies. Notes: Originally a BEA Systems product.
• Oracle Security Developer Tools (OSDT). Stack: OIM. A library providing implementations of encryption algorithms, XML security, etc., for use by application programmers.
• OpenDS. Stack: OIM. A directory service, originally from Sun. Original name: N/A. Notes: This is free, open source software written in Java. This is no longer offered as a product, but continues as an open-source project. (product discontinued)

• Oracle Applications Access Control Governor (OAACG). Stack: Applications. Provides segregation of duties (SOD) functionalities for Oracle eBusiness Suite and Peoplesoft. Notes: The relevant OIM connectors will call out to OAACG to ensure the SOD policies are enforced via the SIL (SOD Invocation Library). SIL also supports interfacing with SAP Virsa to perform SOD for SAP systems, and is extensible to integrate OIM with arbitrary SOD frameworks.
• Oracle Web Services Manager (OWSM). Stack: SOA Suite. Provides web-services security, including the WS-Security protocol. Notes: This is part of the Oracle SOA Suite rather than the Identity Management stack, but overlaps with a number of areas of identity management.
• Oracle Information Rights Management (Oracle IRM). Stack: Content Management. Provides for the securing and tracking of sensitive digital information wherever it is stored and used. Notes: This is part of the Oracle Content Management suite (from the Stellent acquisition) rather than the Identity Management stack, but overlaps with a number of areas of identity management.

Other information
Originally, in the 10g and earlier versions, the Java-based portions of the suite ran mainly on OC4J, although some components (e.g. OIM) supported other J2EE appservers. In the 11g version, the OC4J-based components were ported to WebLogic. As of November 2008, the software is undergoing the Common Criteria evaluation process.[1]

References
[1] "Oracle Identity Management products earn Common Criteria Security Evaluation" (http://www.net-security.org/secworld.php?id=6778). net-security.org. 2008-11-26. Retrieved 9 December 2008.

External links
• Oracle Identity Management (http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html)

Organizational Unit

In computing, an Organizational Unit (OU) provides a way of classifying objects located in directories, or names in a digital certificate hierarchy, typically used either to differentiate between objects with the same name (John Doe in OU "marketing" versus John Doe in OU "customer service"), or to parcel out authority to create and manage objects (for example: to give rights for user-creation to local technicians instead of having to manage all accounts from a single central group). Organizational Units most commonly appear in X.500 directories, X.509 certificates, Lightweight Directory Access Protocol (LDAP) directories, Active Directory (AD), and Lotus Notes directories and certificate trees, but they may feature in almost any modern directory or digital certificate container grouping system.

In most systems, Organizational Units appear within a top-level Organization grouping or Organization certificate, called a Domain. In many systems one OU can also exist within another OU. When OUs are nested, as one OU contains another OU, this creates a relationship where the contained OU is called the child and the container is called the parent. Thus, OUs give a hierarchical structure, and when properly designed can ease administration. Only OUs within the same domain can have relationships. OUs of the same name in different domains are independent.

Origins with X.500, Novell, and Lotus Software
Novell and Lotus supplied the two largest software directory systems. Each of these companies started with flat account and directory structures, and encountered the support and name-conflict limitations inherent in their flat structures. They adopted the X.500 OU concept into their next-generation software around 1993 -- Novell with the release of Novell Directory Services (subsequently known as eDirectory), and Lotus with the release of the third version of Lotus Notes. Microsoft allegedly used Novell's directory as a blueprint for the first released versions of AD, but this claim appears suspect, given that X.500 served as the "granddaddy" of all directory systems.

Sun Enterprise Directory Server and Active Directory
In Sun Java System Directory Server and Microsoft Active Directory (AD), an Organizational Unit (OU) can contain any other unit, including other OUs, users, groups, and computers. OUs are used to create a hierarchy of containers within a domain. OUs let an administrator group computers and users so as to apply a common policy to them. OUs in separate Domains may have identical names but are independent of each other.[1]

Specific uses
The name "Organizational Unit" appears to represent a single organization with multiple units (departments) within that organization. OUs do not always follow this model. They might represent geographical regions, job-functions, associations with other (external) groups, or the technology used in relation to the objects. Examples would include:
• Department (e.g. Human Resources) within a corporation
• Division (e.g. LifeScan, Inc.) that is owned by but separate from a parent corporation (Johnson & Johnson), although this would commonly be placed in a separate domain
• Association (e.g. Contractors) that is external to the organization
However, to identify geographically distinct regions (e.g. Kansas City) the X.521 standard recommends a "Locality" entry instead. Job types or functions (e.g. Managers, Storage Servers) that run across all divisions of a company should be represented by an "Organizational Role" entry.
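The container relationships described above (parent and child OUs, same-name objects told apart by their OU, and same-name OUs in different domains staying independent) can be made concrete by parsing distinguished names. The following Python is an added example, not code from the page or from any directory vendor; it assumes Active Directory-style DNs whose domain is spelled out in DC components, and uses constructed sample DNs under the hypothetical domains example.com and corp.example.com.

```python
from collections import defaultdict


def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute type, value) pairs, leaf first.

    A comma preceded by a backslash is part of the value (RFC 4514 escaping),
    not an RDN separator, so "CN=Doe\\, John" stays a single RDN.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def ou_path(dn):
    """Return (domain, OU chain from the top-level container down to the leaf's OU).

    The domain is rebuilt from the DC components, as in Active Directory DNs;
    the OU list is reversed so that parents precede children.
    """
    pairs = parse_dn(dn)
    domain = ".".join(value for attr_type, value in pairs if attr_type == "DC")
    ous = [value for attr_type, value in pairs if attr_type == "OU"]
    return domain, list(reversed(ous))


def build_ou_tree(dns):
    """Map (domain, parent OU path) -> set of child OU names.

    Keying on the domain is what keeps an OU named "Sales" in one domain
    independent of an OU named "Sales" in another.
    """
    tree = defaultdict(set)
    for dn in dns:
        domain, path = ou_path(dn)
        for depth, ou in enumerate(path):
            tree[(domain, tuple(path[:depth]))].add(ou)
    return dict(tree)


def is_within(container_ou_dn, object_dn):
    """True if the object lies somewhere under the container OU, in the same domain.

    An OU's own RDN is not one of its containers, so an OU is not "within" itself.
    """
    c_domain, c_path = ou_path(container_ou_dn)
    o_domain, o_path = ou_path(object_dn)
    if c_domain != o_domain or not c_path:
        return False
    if parse_dn(object_dn)[0][0] == "OU":
        o_path = o_path[:-1]
    return o_path[: len(c_path)] == c_path


def locate(dns, common_name):
    """All (domain, OU path) locations of objects with the given CN: two objects
    with the same name are told apart by the OU that contains each of them."""
    hits = []
    for dn in dns:
        leaf_type, leaf_value = parse_dn(dn)[0]
        if leaf_type == "CN" and leaf_value == common_name:
            hits.append(ou_path(dn))
    return hits


# Constructed sample DNs under hypothetical domains (not taken from the page).
SAMPLE_DNS = [
    "CN=John Doe,OU=Sales,OU=Marketing,DC=example,DC=com",
    "CN=John Doe,OU=Customer Service,DC=example,DC=com",
    "CN=Jane Roe,OU=Sales,DC=corp,DC=example,DC=com",
    "CN=Doe\\, John,OU=HR,DC=example,DC=com",
]

if __name__ == "__main__":
    for key, children in sorted(build_ou_tree(SAMPLE_DNS).items()):
        print(key, "->", sorted(children))
    print(locate(SAMPLE_DNS, "John Doe"))
```

Running the block prints the parent-to-child map, where the "Sales" OU under example.com/Marketing and the "Sales" OU at the top of corp.example.com appear as separate entries, and then the two locations of "John Doe". The escaped comma in the last sample DN is the case a naive `split(",")` gets wrong.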

References
[1] "Organizational Units" (http://technet.microsoft.com/en-us/library/cc758565.aspx). Microsoft TechNet.

Password management

There are several forms of software used to help users or organizations better manage passwords:
• Intended for use by a single user:
• Password manager software is used by individuals to organize and encrypt many personal passwords. This is also referred to as a password wallet.
• Intended for use by multiple users/groups of users:
• Password synchronization software is used by organizations to arrange for different passwords, on different systems, to have the same value when they belong to the same person.
• Self-service password reset software enables users who forgot their password or triggered an intruder lockout to authenticate using another mechanism and resolve their own problem, without calling an IT help desk.
• Enterprise single sign-on software monitors applications launched by a user and automatically populates login IDs and passwords.
• Web single sign-on software intercepts user access to web applications and either inserts authentication information into the HTTP(S) stream or redirects the user to a separate page, where the user is authenticated and directed back to the original URL.
• Privileged password management software

Password manager

A password manager is software that helps a user organize passwords and PIN codes. The software typically has a local database or files that hold the encrypted password data. Many password managers also work as a form filler, thus they fill the user and password data automatically into forms. These are usually implemented as a browser extension.

Password managers come in three basic flavors:
• Desktop - desktop software storing passwords on a computer hard drive.
• Portable - portable software storing passwords and program on a mobile device, such as a PDA, smart phone or as a portable application on a USB stick such as U3 or similar.
• Web based - online password manager where passwords are stored on a provider's website.

Password managers can also be used as a defense against phishing. Unlike human beings, a password manager program, which can handle an automated login script, is not susceptible to visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user only has a few passwords to remember. However, not all password managers can automatically handle the more complex login procedures imposed by many banking websites.

Vulnerabilities
Password managers typically use a user-selected master password or passphrase to form the key used to encrypt the protected passwords. This master password must be strong enough to resist attack (e.g. dictionary attacks, brute force, etc.). A compromised master password renders all of the protected passwords vulnerable. This demonstrates the inverse relation between usability and security: a single password may be more convenient (usable), but if compromised would render compromised all of the passwords held.

As with any system which involves the user entering a password, the master password may also be attacked and discovered using key logging or acoustic cryptanalysis. Some password managers attempt to use virtual keyboards to reduce this risk, though this again is vulnerable to key loggers which take screenshots as data is entered.

Password managers that do not prevent swapping their memory to hard drive make it possible to extract unencrypted passwords from the computer's hard drive, though turning off swap, or installing more memory, prevents this risk.

Some password managers include a password generator. Generated passwords may be guessable if the password manager uses a weak random number generator instead of a cryptographically secure one.

Online password manager
An online password manager is a website that securely stores login details. They are a web-based version of the more conventional desktop-based password manager. The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a web browser and a network connection, without having to install software), and a reduced risk of losing passwords through theft from or damage to a single PC; the same risk is, however, present for the server that is used to store the users' passwords on. In both cases this risk can be prevented by ensuring secure backups are taken. The major disadvantage of online password managers is the requirement that you trust the hosting site. The use of a web-based password manager is an alternative to single sign-on techniques, such as OpenID or Microsoft's Windows Live ID scheme (formerly Passport), or may serve as a stop-gap measure pending adoption of a better method.

External links
• Password manager [1] at the Open Directory Project

References
[1] http://www.dmoz.org/Computers/Security/Products_and_Tools/Password_Tools//
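The two defects the Vulnerabilities section names, a master password that is easy to attack and a generator built on a weak random number generator, are shown side by side in the following Python. It is an added example, not code from the page or from any password manager product: it assumes a PBKDF2-HMAC-SHA256 stretch of the master password (Python's standard `hashlib.pbkdf2_hmac`), a constructed five-entry blocklist standing in for a dictionary-attack wordlist, and the 94-symbol printable ASCII alphabet; the weak generator is deliberately defective to illustrate the point.

```python
import hashlib
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PBKDF2_ITERATIONS = 600_000  # deliberately slow: each guess at the master password costs this much work
# Constructed blocklist (assumption) standing in for a real dictionary-attack wordlist.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome"})


def master_password_acceptable(candidate, min_length=12, blocklist=COMMON_PASSWORDS):
    """Reject master passwords that a dictionary attack would try first."""
    return len(candidate) >= min_length and candidate.lower() not in blocklist


def derive_vault_key(master_password, salt, iterations=PBKDF2_ITERATIONS):
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The salt is stored next to the vault; the key itself is never stored.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(vault_key):
    """A stored check value that lets a wrong master password be detected without storing the key."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


def unlock(master_password, salt, verifier, iterations=PBKDF2_ITERATIONS):
    """Return the vault key if the master password is right, else None.

    hmac.compare_digest keeps the comparison constant-time.
    """
    key = derive_vault_key(master_password, salt, iterations)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None


def generate_password(length=20, alphabet=ALPHABET):
    """CSPRNG-backed generator: `secrets` draws from the operating system's entropy source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def weak_generate_password(seed, length=20, alphabet=ALPHABET):
    """The defect the text warns about: a non-cryptographic RNG (Mersenne Twister)
    seeded from a small value. The output is fully determined by the seed, so its
    real strength is bounded by the seed's size, not by the password's length."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt)
    verifier = make_verifier(key)
    print("unlock with right password:", unlock("correct horse battery staple", salt, verifier) is not None)
    print("unlock with wrong password:", unlock("Tr0ub4dor&3", salt, verifier) is not None)
    print("CSPRNG password:", generate_password(), f"({password_entropy_bits(20):.1f} bits)")
    print("weak-RNG password, seed 42:", weak_generate_password(42), "(reproducible from the seed)")
```

The contrast to take from the block is that `generate_password` yields a different 20-character string on every call and its strength follows from the alphabet and length, whereas `weak_generate_password(42)` returns the same string every time: anyone who can enumerate the seed space gets the same passwords back, so the password's length says nothing about its strength. The swap-file exposure described above is a memory-hygiene problem that a Python program cannot demonstrate, since the interpreter controls where plaintext lives.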

Privacy

Privacy (from Latin: privatus "separated from the rest, deprived of something, esp. office, participation in the government", from privo "to deprive") is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share basic common themes. Privacy is sometimes related to anonymity, the wish to remain unnoticed or unidentified in the public realm. When something is private to a person, it usually means there is something within them that is considered inherently special or personally sensitive. The degree to which private information is exposed therefore depends on how the public will receive this information, which differs between places and over time. Privacy is broader than security and includes the concepts of appropriate use and protection of information.

The right against unsanctioned invasion of privacy by the government, corporations or individuals is part of many countries' privacy laws, and in some cases, constitutions. Almost all countries have laws which in some way limit privacy; an example of this would be law concerning taxation, which normally requires the sharing of information about personal income or earnings. In some countries individual privacy may conflict with freedom of speech laws, and some laws may require public disclosure of information which would be considered private in other countries and cultures.

Privacy may be voluntarily sacrificed, normally in exchange for perceived benefits and very often with specific dangers and losses, although this is a very strategic view of human relationships. Academics who are economists, evolutionary theorists, and research psychologists describe revealing privacy as a 'voluntary sacrifice', where sweepstakes or competitions are involved. In the business world, a person may give personal details (often for advertising purposes) in order to enter a gamble of winning a prize. Information which is voluntarily shared and is later stolen or misused can lead to identity theft.

The concept of privacy is most often associated with Western culture, English and North American in particular. According to some researchers, the concept of privacy sets Anglo-American culture apart even from other Western European cultures such as French or Italian.[1] Privacy, as the term is generally understood in the West, is not a universal concept and remained virtually unknown in some cultures until recent times. Most cultures, however, recognize certain forms of hidden or personal information that is not shared with wider society. The word "privacy" is sometimes regarded as untranslatable[2] by linguists. Many languages lack a specific word for "privacy". Such languages either use a complex description to translate the term (such as Russian, which combines the meanings of уединение (solitude), секретность (secrecy) and частная жизнь (private life)) or borrow the English "privacy" (as Indonesian Privasi or Italian la privacy).[2]

Types of privacy
The term "privacy" means many things in different contexts. Different people, cultures, and nations have a wide variety of expectations about how much privacy a person is entitled to or what constitutes an invasion of privacy.

Physical
Physical privacy could be defined as preventing "intrusions into one's physical space or solitude".[3] This would include such concerns as:
• preventing intimate acts or one's body from being seen by others for the purpose of modesty; apart from being dressed this can be achieved by walls, fences, privacy screens, cathedral glass, partitions between urinals, by being far away from others, on a bed by a bed sheet or a blanket, when changing clothes by a towel, etc.; to what extent these measures also prevent acts being heard varies
• video, of aptly named graphic, or intimate, acts, behaviors or body parts
• preventing unwelcome searching of one's personal possessions

• preventing unauthorized access to one's home or vehicle
• medical privacy, the right to make fundamental medical decisions without governmental coercion or third party review, most widely applied to questions of contraception

An example of the legal basis for the right to physical privacy would be the US Fourth Amendment, which guarantees "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures".[4] Most countries have laws regarding trespassing, and property rights also determine the right of physical privacy. Physical privacy may be a matter of cultural sensitivity, personal dignity, and/or shyness. There may also be concerns about safety, if for example one has concerns about being the victim of crime or stalking.[5] Civil inattention is a process whereby individuals are able to maintain their privacy within a crowd.

Informational
Data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data about one's self. Privacy concerns exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. In some cases these concerns refer to how data is collected, stored, and associated. In other cases the issue is who is given access to information. Other issues include whether an individual has any ownership rights to data about them, and/or the right to view, verify, and challenge that information.

Various types of personal information often come under privacy concerns. For various reasons, individuals may not wish for personal information such as their religion, sexual orientation, political affiliations, or personal activities to be revealed. This may be to avoid discrimination, personal embarrassment, or damage to one's professional reputation.

Financial privacy, in which information about a person's financial transactions is guarded, is important for the avoidance of fraud or identity theft. Information about a person's purchases can also reveal a great deal about that person's history, such as places they have visited, whom they have had contact with, products they use, their activities and habits, or medications they have used.

Internet privacy is the ability to control what information one reveals about oneself over the Internet, and to control who can access that information. These concerns include whether email can be stored or read by third parties without consent, or whether third parties can track the web sites someone has visited. Another concern is whether web sites which are visited collect, store, and possibly share personally identifiable information about users. Tools used to protect privacy on the internet include encryption tools and anonymizing services like I2P and Tor.

Medical privacy allows a person to keep their medical records from being revealed to others. This may be because they have concern that it might affect their insurance coverage or employment. Or it may be because they would not wish for others to know about medical or psychological conditions or treatment which would be embarrassing. Revealing medical data could also reveal other details about one's personal life (such as about one's sexual activity, for example).

Sexual privacy prevents a person from being forced to carry a pregnancy to term and enables individuals to acquire and use contraceptives and safe sex supplies and information without community or legal review.

Political privacy has been a concern since voting systems emerged in ancient times. The secret ballot is the simplest and most widespread measure to ensure that political views are not known to anyone other than the original voter — it is nearly universal in modern democracy, and considered a basic right of citizenship. In fact, even where other rights of privacy do not exist, this type of privacy very often does.

Organizational
Government agencies, corporations, and other organizations may desire to keep their activities or secrets from being revealed to other organizations or individuals. Such organizations may implement various security practices in order to prevent this. For example, a government administration may be able to invoke executive privilege[6] or declare certain information to be classified, or a corporation might attempt to protect trade secrets. Organizations may seek legal protection for their secrets.[4]

Spiritual and intellectual
The earliest development of privacy rights began under British common law, which protected "only the physical interference of life and property."[7] Its development from then on became "one of the most significant chapters in the history of privacy law."[7] Privacy rights gradually expanded to include a "recognition of man's spiritual nature, of his feelings and his intellect."[7] Eventually, the scope of those rights broadened even further to include a basic "right to be let alone," and the former definition of "property" would then comprise "every form of possession -- intangible, as well as tangible." By the late 19th century, interest in a "right to privacy" grew as a response to the growth of print media, especially newspapers.[7]

History of privacy

Privacy and technology
As technology has advanced, the way in which privacy is protected and violated has changed with it. In the case of some technologies, such as the printing press or the Internet, the increased ability to share information can lead to new ways in which privacy can be breached. It is generally agreed[8] that the first publication advocating privacy in the United States was the article by Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harvard L.R. 193 (1890)[9], that was written largely in response to the increase in newspapers and photographs made possible by printing technologies.[10]

Figure caption: Advertisement for dial telephone service available to delegates to the 1912 Republican convention in Chicago. A major selling point of dial telephone service was that it was "secret", in that no operator was required to connect the call.

New technologies can also create new ways to gather private information. For example, in the U.S. it was thought that heat sensors intended to be used to find marijuana growing operations would be acceptable. However, in 2001 in Kyllo v. United States (533 U.S. 27) it was decided that thermal imaging devices that can reveal previously unknown information without a warrant do indeed constitute a violation of privacy.[11]

Generally the increased ability to gather and send information has had negative implications for retaining privacy. As large scale information systems become more common, there is so much information stored in many databases worldwide that an individual has no way of knowing of or controlling all of the information about themselves that others may have access to. Such information could potentially be sold to others for profit and/or be used for purposes not known to the individual the information is about. The concept of information privacy has become more significant as more systems controlling more information appear. Also, the consequences of a violation of privacy can be more severe. Privacy law in many countries has had to adapt to changes in technology to address these issues and maintain people's rights to privacy as they see fit.

Privacy and the Internet
The Internet has brought new concerns about privacy in an age where computers can permanently store records of everything: "where every online photo, status update, Twitter post and blog entry by and about us can be stored forever," writes law professor and author Jeffrey Rosen.[12]

This currently has an effect on employment. Microsoft reports that 75 percent of U.S. recruiters and human-resource professionals now do online research about candidates, often using information provided by search engines, social-networking sites, photo/video-sharing sites, personal web sites and blogs, and Twitter. They also report that 70 percent of U.S. recruiters have rejected candidates based on internet information.[12] This has created a need by many to control various online privacy settings in addition to controlling their online reputations, both of which have led to legal suits against various sites and employers.[12]

The ability to do online inquiries about individuals has expanded dramatically over the last decade. Facebook, for example, as of July 2010, was the largest social-networking site, with nearly 500 million members, or 22 percent of all Internet users, who upload over 25 billion pieces of content each month. Twitter has more than 100 million registered users. The Library of Congress recently announced that it will be acquiring — and permanently storing — the entire archive of public Twitter posts since 2006, reports Rosen.[12]

According to some experts, many commonly used communication devices may be mapping every move of their users. Senator Al Franken has noted the seriousness of iPhones and iPads having the ability to record and store users' locations in unencrypted files,[13] although Apple denied doing so.[14]

Andrew Grove, co-founder and former CEO of Intel Corporation, offered his thoughts on internet privacy in an interview in 2000:[15]

Privacy is one of the biggest problems in this new electronic age. At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn't the information that people were thinking of when they called this the information age.

The right to privacy
Privacy uses the theory of natural rights, and generally responds to new information and communication technologies. In North America, Samuel D. Warren and Louis D. Brandeis wrote that privacy is the "right to be let alone" (Warren & Brandeis, 1890); this focuses on protecting individuals. This citation was a response to recent technological developments, such as photography, and sensationalist journalism, also known as yellow journalism. Warren and Brandeis declared that information which was previously hidden and private could now be "shouted from the rooftops."[16]

Privacy rights are inherently intertwined with information technology. In his widely cited dissenting opinion in Olmstead v. United States (1928), Brandeis relied on thoughts he developed in his Harvard Law Review article in 1890. But in his dissent, he now changed the focus, whereby he urged making personal privacy matters more relevant to constitutional law, going so far as saying "the government [was] identified ... as a potential privacy invader." He writes, "Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet." At that time, telephones were often community assets, with shared party lines and the potentially nosey human operators. By the time of Katz, in 1967, telephones had become personal devices with lines not shared across homes and switching was

Proposals such as the APEC Privacy Framework have emerged which set out to provide the first comprehensive legal framework on the issue of global data privacy. But the existing global privacy rights framework has also been criticized as incoherent and inefficient.

electro-mechanical. In the 1970s, new computing and recording technologies began to raise concerns about privacy, resulting in the Fair Information Practice Principles.

Definitions
In recent years there have been only a few attempts to clearly and precisely define a "right to privacy." Some experts assert that in fact the right to privacy "should not be defined as a separate legal right" at all. By their reasoning, existing laws relating to privacy in general should be sufficient.[17] Other experts, such as Dean Prosser, have attempted, but failed, to find a "common ground" between the leading kinds of privacy cases in the court system, at least to formulate a definition.[17] One law school treatise from Israel, on the subject of "privacy in the digital environment," suggests that the "right to privacy should be seen as an independent right that deserves legal protection in itself." It has therefore proposed a working definition for a "right to privacy":

The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.[17]

An individual right
Alan Westin believes that new technologies alter the balance between privacy and disclosure, and that privacy rights may limit government surveillance to protect democratic processes. Westin defines privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others". Westin describes four states of privacy: solitude, intimacy, anonymity, reserve. These states must balance participation against norms:

Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication of himself to others, in light of the environmental conditions and social norms set by the society in which he lives. (Alan Westin, Privacy and Freedom, 1968)[18]

Under liberal democratic systems, privacy creates a space separate from political life, and allows personal autonomy, while ensuring democratic freedoms of association and expression.

David Flaherty believes networked computer databases pose threats to privacy. He develops 'data protection' as an aspect of privacy, which involves "the collection, use, and dissemination of personal information". This concept forms the foundation for fair information practices used by governments globally. Flaherty forwards an idea of privacy as information control: "[i]ndividuals want to be left alone and to exercise some control over how information about them is used".[19]

Richard Posner and Lawrence Lessig focus on the economic aspects of personal information control. Posner criticizes privacy for concealing information, which reduces market efficiency. For Posner, employment is selling oneself in the labour market, which he believes is like selling a product. Any 'defect' in the 'product' that is not reported is fraud.[20] For Lessig, privacy breaches online can be regulated through code and law. Lessig claims "the protection of privacy would be stronger if people conceived of the right as a property right", and that "individuals should be able to control information about themselves".[21] Economic approaches to privacy make communal conceptions of privacy difficult to maintain.

A collective value and a human right

There have been attempts to reframe privacy as a fundamental human right, whose social value is an essential component in the functioning of democratic societies. Amitai Etzioni suggests a communitarian approach to privacy. This requires a shared moral culture for establishing social order.[22] Etzioni believes that "[p]rivacy is merely one good among many others",[23] and that technological effects depend on community accountability and oversight (ibid). He claims that privacy laws only increase government surveillance.[24]

Priscilla Regan believes that individual concepts of privacy have failed philosophically and in policy. She supports a social value of privacy with three dimensions: shared perceptions, public values, and collective components. Shared ideas about privacy allow freedom of conscience and diversity in thought. Public values guarantee democratic participation, including freedoms of speech and association, and limit government power. Collective elements describe privacy as a collective good that cannot be divided. Regan's goal is to strengthen privacy claims in policy making: "if we did recognize the collective or public-good value of privacy, as well as the common and public value of privacy, those advocating privacy protections would have a stronger basis upon which to argue for its protection".[25]

Leslie Regan Shade argues that the human right to privacy is necessary for meaningful democratic participation, and ensures human dignity and autonomy. Privacy depends on norms for how information is distributed, and if this is appropriate. Violations of privacy depend on context. The human right to privacy has precedent in the United Nations Declaration of Human Rights: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."[26] Shade believes that privacy must be approached from a people-centered perspective, and not through the marketplace.[27]

Privacy protection

Free market versus consumer protection approaches

Approaches to privacy can, broadly, be divided into two categories: free market, and consumer protection.[28] In a free market approach, commercial entities are largely allowed to do what they wish, with the expectation that consumers will choose to do business with corporations that respect their privacy to a desired degree. If some companies are not sufficiently respectful of privacy, they will lose market share. Such an approach may be limited by lack of competition in a market, by enterprises not offering privacy options favorable to the user, or by lack of information about actual privacy practices. Claims of privacy protection made by companies may be difficult for consumers to verify, except when they have already been violated. In a consumer protection approach, in contrast, it is acknowledged that individuals may not have the time or knowledge to make informed choices, or may not have reasonable alternatives available. In support of this view, Jensen and Potts showed that most privacy policies are above the reading level of the average person.[29] Therefore, this approach advocates greater government definition and enforcement of privacy standards.

Privacy law

Privacy law is the area of law concerning the protecting and preserving of privacy rights of individuals. While there is no universally accepted privacy law among all countries, some organizations promote certain concepts be enforced by individual countries. For example, the Universal Declaration of Human Rights, article 12, states: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Canada

Canadian privacy law is governed federally by multiple acts, including the Canadian Charter of Rights and Freedoms, and the Privacy Act (Canada). Mostly this legislation concerns privacy infringement by government organizations. Data privacy was first addressed with the Personal Information Protection and Electronic Documents Act, and provincial-level legislation also exists to account for more specific cases of personal privacy protection against commercial organizations.

Europe

For Europe, Article 8 of the European Convention on Human Rights guarantees the right to respect for private and family life, one's home and correspondence. The European Court of Human Rights in Strasbourg has developed a large body of jurisprudence defining this fundamental right to privacy. The European Union requires all member states to legislate to ensure that citizens have a right to privacy, through directives such as the 1995 Directive 95/46/EC on the protection of personal data. It is regulated in the United Kingdom by the Data Protection Act 1998 and in France data protection is also monitored by the CNIL, a governmental body which must authorize legislation concerning privacy before it is enacted. Although there are comprehensive regulations for data protection, some studies show that despite the laws, there is a lack of enforcement in that no institution feels responsible to control the parties involved and enforce their laws.[30]

United Kingdom

In the United Kingdom, it is not possible to bring an action for invasion of privacy. An action may be brought under another tort (usually breach of confidence) and privacy must then be considered under EC law. In the UK, it is sometimes a defense that disclosure of private information was in the public interest.[31] There is, however, the Information Commissioner's Office (ICO), an independent public body set up to promote access to official information and protect personal information. They do this by promoting good practice, ruling on eligible complaints, giving information to individuals and organisations, and taking action when the law is broken. The relevant U.K. laws include: Data Protection Act 1998; Freedom of Information Act 2000; Environmental Information Regulations 2004; Privacy and Electronic Communications Regulations 2003. The ICO has also provided a "Personal Information Toolkit" online which explains in more detail the various ways of protecting privacy online.[32]

United States

Concerning privacy laws of the United States, privacy is not guaranteed per se by the Constitution of the United States. The Supreme Court of the United States has found that other guarantees have "penumbras" that implicitly grant a right to privacy against government intrusion, for example in Griswold v. Connecticut (1965). In the United States, the right of freedom of speech granted in the First Amendment has limited the effects of lawsuits for breach of privacy. Privacy is regulated in the U.S. by the Privacy Act of 1974, and various state laws. Certain privacy rights have been established in the United States via legislation such as the Children's Online Privacy Protection Act (COPPA),[33] the Gramm–Leach–Bliley Act (GLB), and the Health Insurance Portability and Accountability Act (HIPAA).

Australia

In Australia there is the Privacy Act 1988. Private sector provisions of the Act apply to private sector organisations with a link to Australia, including: 1. individuals who collect, use or disclose personal information in the course of a business (for example, a sole trader's business activities will be regulated (unless it's a small business), but information gathered outside business activities won't be); 2. bodies corporate; and 3. partnerships, unincorporated associations and trusts (any act or practice of a partner, committee member or trustee is attributed to the organisation). Organisations outside Australia must comply with the provisions in some circumstances. Sending information out of Australia is also regulated.[34]

Privacy on the Internet

There are many means to protect one's privacy on the internet. For example e-mails can be encrypted[35] and anonymizing proxies or anonymizing networks like I2P and Tor can be used to prevent the internet service providers from knowing which sites one visits and with whom one communicates. Covert collection of personally identifiable information has been identified as a primary concern by the U.S. Federal Trade Commission.[36] Although some privacy advocates recommend the deletion of original and third-party HTTP cookies, Anthony Miyazaki, marketing professor at Florida International University and privacy scholar, warns that the "elimination of third-party cookie use by Web sites can be circumvented by cooperative strategies with third parties in which information is transferred after the Web site's use of original domain cookies."[37] As of December 2010, the Federal Trade Commission is reviewing policy regarding this issue as it relates to behavioral advertising.[36]

Privacy and Location Based Services

As location tracking capabilities of mobile devices are increasing, problems related to user privacy arise, since a user's position and preferences constitute personal information and improper use of them violates the user's privacy. Several methods to protect a user's privacy when using location based services have been proposed, including the use of anonymizing servers, blurring of information, etc. Methods to quantify privacy have also been proposed, to be able to calculate the equilibrium between the benefit of providing accurate location information and the drawbacks of risking personal privacy.[38] Users of such services may also choose to display more generic location information (i.e. "In the City" or "Philadelphia" or "Work") to some of their more casual acquaintances while only displaying specific location information, such as their exact address, to closer contacts like spouse, relatives, and good friends.

References

[1] Gramota.ru (http://www.gramota.ru/biblio/magazines/gramota/28_520)
[2] Translation Today (http://books.google.ru/books?id=hJxVffwZEDgC&pg=PA73&lpg=PA73&dq=privacy+Untranslatability&source=bl&ots=eknZtWs_Mh&sig=TTZpDT8BuHPyjfQ856NxycOmYP8&hl=ru&ei=1DykSentJpKT_gaKg6GaBQ&sa=X&oi=book_result&resnum=1&ct=result#PPP1.M1)
[3] Managing Privacy: Information Technology and Corporate America (http://books.google.com/books?id=BwQBT2Mr1YoC&pg=PA188&dq=physical+privacy&sig=dvybgqk6wfkf_xGimY8lvtWVV3I) by H. Jeff Smith
[4] "Fixing the Fourth Amendment with trade secret law: A response to Kyllo v. United States" (http://findarticles.com/p/articles/mi_qa3805/is_200206/ai_n9109326/pg_1). Georgetown Law Journal, 2002.
[5] Security Recommendations For Stalking Victims (http://www.privacyrights.org/fs/fs14a-stalking.htm)
[6] FindLaw's Writ - Amar: Executive Privilege (http://writ.findlaw.com/amar/20040416.html)
[7] Solove, Daniel J.; Rotenberg, Marc; Schwartz, Paul M. (2006). Privacy, Information, and Technology. Aspen Publ., pp. 9-11
[8] Swire, Peter P. (http://www.amazon.com/s?_encoding=UTF8&sort=relevancerank&search-type=ss&index=books&field-author=Peter P. Swire); Bermann, S. (2007). Information Privacy, Official Reference for the Certified Information Privacy Professional (CIPP).
[9] http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
[10] Privacy Law in the United States (http://www.rbs2.com/privacy.htm)
[11] Privacy (Stanford Encyclopedia of Philosophy) (http://plato.stanford.edu/entries/privacy/)
[12] Rosen, Jeffrey. "The Web Means the End of Forgetting" (http://www.nytimes.com/2010/07/25/magazine/25privacy-t2.html?_r=1&ref=technology). New York Times, July 19, 2010
[13] Popkin, Helen A.S. "Gov't officials want answers to secret iPhone tracking" (http://technolog.msnbc.msn.com/_news/2011/04/21/6508416-govt-officials-want-answers-to-secret-iphone-tracking). MSNBC, "Technology", April 21, 2011
[14] "Apple denies tracking iPhone users, but promises changes" (http://www.computerworld.com/s/article/9216210/Apple_denies_tracking_iPhone_users_but_promises_changes?taxonomyId=84). Computerworld, April 27, 2011
[15] "What I've Learned: Andy Grove" (http://www.esquire.com/features/what-ive-learned/learned-andy-grove-0500). Esquire magazine, May 1, 2000
[16] Warren and Brandeis, "The Right To Privacy" (http://www.law.louisville.edu/library/collections/brandeis/node/225), 4 Harvard Law Review 193 (1890)
[17] Yael Onn, et al., Privacy in the Digital Environment (http://books.google.com/books?id=yeVRrrJw-zAC&pg=PA1&dq=right+to+privacy+tel+aviv&hl=en&ei=T0IhTaWhEI-msQOizMWZCg&sa=X&oi=book_result&ct=result&resnum=2&ved=0CCwQ6AEwAQ#v=onepage&q=right to privacy tel aviv&f=false), Haifa Center of Law & Technology, (2005) pp. 1-12
[18] Westin, A. (1968). Privacy and freedom (Fifth ed.). New York, U.S.A.: Atheneum
[19] Flaherty, D. (1989). Protecting privacy in surveillance societies: The federal republic of Germany, Sweden, France, Canada, and the United States. Chapel Hill, U.S.: The University of North Carolina Press
[20] Posner, R. (1981). The economics of privacy. The American Economic Review, 71(2), 405-409
[21] Lessig, L. (2006). Code: Version 2.0. New York, U.S.: Basic Books
[22] Etzioni, A. (2006). Communitarianism. In B. Turner (Ed.), The Cambridge Dictionary of Sociology (pp. 81-83). Cambridge, U.K.: Cambridge University Press
[23] Etzioni, A. (2007). Are new technologies the enemy of privacy? Knowledge, Technology & Policy, 20, 115-119
[24] Etzioni, A. (2000). A communitarian perspective on privacy. Connecticut Law Review, 32(3), 897-905
[25] Regan, P. (1995). Legislating privacy: Technology, social values, and public policy. Chapel Hill, U.S.: The University of North Carolina Press
[26] United Nations. (1948). Universal Declaration of Human Rights. Retrieved October 7, 2006 from http://www.un.org/Overview/rights.html
[27] Shade, L. (2008). Reconsidering the right to privacy in Canada. Bulletin of Science, Technology & Society, 28(1), 80-91
[28] Quinn, Michael J. (2009). Ethics for the Information Age. ISBN 0-321-53685-1 (paperback, 552 pages; formerly Jones and Bartlett Publishers)
[29] Jensen, Carlos (2004). Privacy policies as decision-making tools: an evaluation of online privacy notices.
[30] Burghardt, Buchmann, Böhm, Kühling, Sivridis. A Study on the Lack of Enforcement of Data Protection Acts. Proceedings of the 3rd int. conference on e-democracy, 2009
[31] Does Beckham judgment change rules? (http://news.bbc.co.uk/1/hi/uk/4482073.stm), from BBC News (retrieved 27 April 2005)
[32] "Personal Information Toolkit" (http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/toolkit.pdf) prepared by the Information Commissioner's Office, U.K.
[33] Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.
[34] http://www.privacy.gov.au/law/act
[35] Eudora 3.05 was released with PGP built in, and then quickly followed by 3.06 without PGP. Eudora Light 3.0.5 (http://www.pcworld.com/article/22902/eudora_light_305.html)
[36] Federal Trade Commission (2010), "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," Preliminary FTC Staff Report (December), available at (http://www.ftc.gov/os/2010/12/101201privacyreport.pdf)
[37] Miyazaki, Anthony D. (2008), "Online Privacy and the Disclosure of Cookie Use: Effects on Consumer Trust and Anticipated Patronage," Journal of Public Policy & Marketing, 23 (Spring), 19–33
[38] Athanasios S. Voulodimos and Charalampos Z. Patrikakis, "Quantifying Privacy in Terms of Entropy for Context Aware Services", special issue of the Identity in the Information Society journal, "Identity Management in Grid and SOA", Springer, vol. 2, no 2, December 2009

Further reading

• Yael Onn, et al., Privacy in the Digital Environment (http://books.google.com/books?id=yeVRrrJw-zAC&pg=PA1&dq=right+to+privacy+tel+aviv&hl=en&ei=T0IhTaWhEI-msQOizMWZCg&sa=X&oi=book_result&ct=result&resnum=2&ved=0CCwQ6AEwAQ#v=onepage&q=right to privacy tel aviv&f=false), Haifa Center of Law & Technology, (2005)
• Judith Wagner DeCew, 1997, In Pursuit of Privacy: Law, Ethics, and the Rise of Technology, Ithaca: Cornell University Press
• Ruth Gavison, "Privacy and the Limits of the Law," in Michael J. Gorr and Sterling Harwood, eds., Crime and Punishment: Philosophic Explorations (Belmont, CA: Wadsworth Publishing Co., 1995), pp. 46–68.
• Ulrike Hugl, "Approaching the value of Privacy: Review of theoretical privacy concepts and aspects of privacy management" (http://aisel.aisnet.org/amcis2010/248/), Proceedings of the Sixteenth Americas Conference on Information Systems (AMCIS) 2010, paper no. 248.
• Steve Lohr, "How Privacy Can Vanish Online, a Bit at a Time" (http://www.nytimes.com/2010/03/17/technology/17privacy.html?scp=1&sq=how privacy can vanish steve lohr&st=cse), The New York Times, Wednesday, March 17, 2010
• Daniel J. Solove, "'I've Got Nothing to Hide' and Other Misunderstandings of Privacy" (http://www.gab.ro/wp-content/uploads/2010/02/nothing-to-hide.pdf), San Diego Law Review, Vol. 44, pp. 745-772, 2007
• Bruce Schneier, Privacy in the Age of Persistence (http://www.schneier.com/blog/archives/2009/02/privacy_in_the.html)
• Judith Jarvis Thomson, "The Right to Privacy," in Michael J. Gorr and Sterling Harwood, eds., Crime and Punishment: Philosophic Explorations (Belmont, CA: Wadsworth Publishing Co., 1995), pp. 34–46.
• A. Westin, Privacy and Freedom, 1967, New York: Atheneum
• Robert Ellis Smith, 2004, "Ben Franklin's Web Site, Privacy and Curiosity from Plymouth Rock to the Internet," Providence: Privacy Journal
• Rita Watson and Menahem Blondheim (eds.), The Toronto School of Communication Theory: Interpretations, Extensions and Applications (Toronto and Jerusalem: University of Toronto Press and Magnes Press, 2007)

External links

• Evergreen collection of regulatory / academic / business interviews and independent objective analysis (http://www.kpmg.com/privacyinstitute)
• Electronic Privacy Information Center (EPIC) (http://www.epic.org)
• privacy.org (http://privacy.org), a service of the Electronic Privacy Information Center
• Privacy Rights Clearinghouse (http://www.privacyrights.org)
• UNESCO Chair in Data Privacy (http://unescoprivacychair.urv.cat/)
• Privacy Office at the Department of Homeland Security (http://www.dhs.gov/privacy)
• Interview about internet privacy (http://video.foxnews.com/v/4512257/small-businesses-and-identity-theft/?playlist_id=86890), 12 min. video, Fox News, Jan. 26, 2011
• Privacy (http://www.dmoz.org/Society/Issues/Human_Rights_and_Liberties/Privacy/) at the Open Directory Project
• Stanford Encyclopedia of Philosophy entry (http://plato.stanford.edu/entries/privacy/)
• Privacy Commission (http://www.privacycom.org)
• Privacy International (http://www.privacyinternational.org)

Privacy-enhancing technologies

Privacy enhancing technologies (PET) is a general term for a set of computer tools, applications and mechanisms which, when integrated in online services or applications, or when used in conjunction with such services or applications, allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by such services or applications.

Privacy enhancing technologies can also be defined as: Privacy-Enhancing Technologies is a system of ICT measures protecting informational privacy by eliminating or minimising personal data thereby preventing unnecessary or unwanted processing of personal data, without the loss of the functionality of the information system. (van Blarkom, Borking & Olk 2003)

Goals of PETs

PETs aim at allowing users to take one or more of the following actions related to their personal data sent to, and used by, online service providers, merchants or other users:
• increase control over their personal data sent to, and used by, online service providers and merchants (or other online users) (self-determination)
• data minimisation: minimise the personal data collected and used by service providers and merchants
• choose the degree of anonymity (e.g. by using pseudonyms, anonymisers or anonymous data credentials)
• choose the degree of unlinkability (e.g. by using multiple virtual identities)
• achieve informed consent about giving their personal data to online service providers and merchants
• provide the possibility to negotiate the terms and conditions of giving their personal data to online service providers and merchants (data handling/privacy policy negotiation).[1] In Privacy Negotiations, consumers and service providers establish, maintain, and refine privacy policies as individualised agreements through the ongoing choice amongst service alternatives. In incentivised privacy negotiations, the transaction partners may additionally bundle the personal information collection and processing schemes with monetary or non-monetary rewards.[2]
• provide the possibility to have these negotiated terms and conditions technically enforced by the infrastructures of online service providers and merchants (i.e. not just having to rely on promises, but being confident that it is technically impossible for service providers to violate the agreed upon data handling conditions)
• provide the possibility to remotely audit the enforcement of these terms and conditions at the online service providers and merchants (assurance)
• data tracking: allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions
• facilitate the use of their legal rights of data inspection, correction and deletion

Existing PETs

Examples of existing privacy enhancing technologies are:
• Communication anonymizers hiding the real online identity (email address, IP address, etc.) and replacing it with a non-traceable identity (disposable / one-time email address, random IP address of hosts participating in an anonymising network, pseudonym, etc.). They can be applied to email, Web browsing, P2P networking, VoIP, Chat, instant messaging, etc.
• Shared bogus online accounts. One person creates an account for MSN, providing bogus data for Name, address, phone number, preferences, life situation etc. They then publish their user-ID and password on the Internet. Everybody can now use this account comfortably. Thereby the user is sure that there is no personal data about him in the account profile.

Future PETs

Examples of privacy enhancing technologies that are being researched or developed are:[3]
• Wallets of multiple virtual identities, ideally unlinkable. Such wallets allow the efficient and easy creation, management and usage of virtual identities.
• Anonymous credentials: asserted properties/attributes or rights of the holder of the credential that don't reveal the real identity of the holder and that only reveal so much information as the holder of the credential is willing to disclose. The assertion can be issued by the user herself, by the provider of the online service or by a third party (another service provider, a government agency, etc.). For example:
  • Online car rental. The car rental agency doesn't really need to know the true identity of the customer. It only needs to make sure that the customer is over 23 (as an example), that the customer has a driving licence, that the customer has health insurance for accidents (as an example), and that the customer is paying. Thus there is no real need to know her real name nor her address nor any other personal information. Anonymous credentials allow both parties to be comfortable: they allow the customer to only reveal so much data as the car rental agency needs for providing its service (data minimisation), and they allow the car rental agency to verify their requirements and get their money. When ordering a car online, the user, instead of providing the classical name, address and credit card number, provides the following credentials, all issued to pseudonyms, i.e. not to the real name of the customer:
    • An assertion of minimal age, issued by the state, proving that the holder is older than 23 (i.e. the actual age is not provided)
    • A driving licence, i.e. an assertion, issued by the motor vehicle control agency, that the holder is entitled to drive cars
    • A proof of insurance, issued by the health insurance
    • Digital cash
  With this data, the car rental agency is in possession of all the data it needs to rent the car. (Moreover, it can thus, as an example, provide the unlocking code to the customer with which she can unlock the closet where the car key is kept.) Similar scenarios are buying wine at an Internet wine store or renting a movie at an online movie rental store.
• Negotiation and enforcement of data handling conditions. Before ordering a product or service online, the user and the online service provider or merchant negotiate the type of personal data that is to be transferred to the service provider. This includes the conditions that shall apply to the handling of the personal data, such as whether or not it may be sent to third parties (profile selling) and under what conditions (e.g. only while informing the user), or at what time in the future it shall be deleted (if at all). While this negotiation takes place, the online service provider communicates his requirements about the minimum amount of data he needs to provide the wanted service. Additional personal data may be asked for, too, but will be clearly labelled as optional. As an example, it can be negotiated that personal data mustn't be handed out to third parties or that the data is to be deleted after 3 months following the end of the contract. After the transfer of personal data took place, the agreed upon data handling conditions are technically enforced by the infrastructure of the service provider, which is capable of managing and processing data handling obligations. Moreover, this enforcement can be remotely audited by the user, for example by verifying chains of certification based on Trusted computing modules or by verifying privacy seals/labels that were issued by third party auditing organisations (e.g. data protection agencies). Thus instead of the user having to rely on the mere promises of service providers not to abuse personal data, users will be more confident about the service provider adhering to the negotiated data handling conditions.
• Access to personal data: The service provider's infrastructure allows users to inspect, correct or delete all their data stored at the service provider.
• Data transaction log. Users can log what personal data they sent to which service provider, when and under what conditions. These logs are stored and allow users to determine what data they have sent to whom, or they can establish the type of data that is in the possession of a specific service provider. This leads to more transparency, which is a pre-requisite of being in control.

The business case for PETs

Companies will usually only invest in technologies enhancing the privacy of their customers if they see a financial benefit. (The other main reason being to comply with legal requirements, which could be considered as coming down to a 'financial benefit' as well, i.e. the benefit of avoiding a fine for non-compliance with the law.) In other words, if they anticipate a positive business case, i.e. if the anticipated additional income cumulated over a couple of years is larger than the anticipated additional cost cumulated over the same number of years, then there is a positive business case and it makes sense for the company to consider implementing and deploying the privacy enhanced technologies in question. The anticipated financial benefit is the anticipated increase of income due to privacy enhancing technologies, minus the anticipated increased cost of implementing and running privacy enhanced technologies in their infrastructure. This anticipated comparison is usually done over a couple of years, whereby the income and cost of every year is cumulated.

Note that the business case outlined here is a 'differential business case', i.e. assuming that privacy functions are added to an existing service and taking into account the additional benefits and costs caused by this added functionality. For example, it would be wrong to account all operational costs, including those that were there before the privacy enhancing functions were added. Instead, only the additional costs incurred when operating the infrastructure with implemented privacy enhancements must be counted in. If, however, the privacy enhancement is not part of or added to the service but instead is the only component of the service, i.e. the service in consideration is a pure privacy enhancing service, then the business cost and benefit factors below become absolute (delete "additional" and "increased" in all benefits and cost components).

Cost components

The anticipated additional cost components for an online service due to enhancing it with privacy protecting technologies are:
• additional hardware
• additional software licences
• personnel costs for designing, developing, implementing, testing and deploying the privacy enhanced service (project costs)
• additional personnel costs for
  • running / operating and maintaining the privacy enhanced service (with respect to what it would be if there were no such privacy enhancements)
  • fixing additional system failures or problems due to increased system complexity (more functionality means higher complexity which leads to higher vulnerability)
  • product management of the additional privacy enhancing functions (more functions require more time spent to manage them)
  • more complex new developments of the infrastructure used to run the service
  • training customer support and supporting customers
• additional marketing communications costs
• loss of income as a consequence of additional service downtimes or problems due to increased service / system complexity
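The online car rental scenario from the anonymous credentials item above, as an added example that is not part of the original article or of any PET project: each issuer (state, motor vehicle agency, insurer) signs a boolean claim bound to the customer's pseudonym, and the rental agency verifies only the claims it requires, so it never learns a name, address or exact age. It is a simplified model using plain Ed25519 signatures; the issuer names, pseudonym and attribute names are constructed, and unlike real anonymous credential systems (idemix, U-Prove) it does not make repeated showings unlinkable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is a single attribute assertion bound to a pseudonym, never to a real name.
// The attribute is a predicate ("age_over_23"), so the actual age is never included.
type Claim struct {
	Pseudonym string `json:"pseudonym"`
	Attribute string `json:"attribute"`
	Value     bool   `json:"value"`
}

// Credential is a Claim together with the issuing authority's signature over it.
type Credential struct {
	Claim     Claim
	Issuer    string
	Signature []byte
}

// Issuer models an issuing authority (state, motor vehicle agency, insurer).
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIssuer generates a fresh Ed25519 key pair for the named authority.
func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// Issue signs one claim for the holder's pseudonym.
func (is *Issuer) Issue(pseudonym, attribute string, value bool) Credential {
	c := Claim{Pseudonym: pseudonym, Attribute: attribute, Value: value}
	msg, _ := json.Marshal(c) // plain string/bool fields: Marshal cannot fail here
	return Credential{Claim: c, Issuer: is.Name, Signature: ed25519.Sign(is.priv, msg)}
}

// Requirement is one attribute the relying party needs and the issuer it trusts for it.
type Requirement struct {
	Attribute string
	Issuer    string
}

// Verify checks every requirement against the presented credentials: the issuer must be
// one whose key the verifier pinned, the signature must be valid, the asserted value true,
// and all credentials must be bound to the same pseudonym. It returns that pseudonym,
// which is the only identifier the verifier learns.
func Verify(creds []Credential, reqs []Requirement, trusted map[string]ed25519.PublicKey) (string, error) {
	pseudonym := ""
	for _, r := range reqs {
		pub, ok := trusted[r.Issuer]
		if !ok {
			return "", fmt.Errorf("issuer %q is not trusted", r.Issuer)
		}
		satisfied := false
		for _, c := range creds {
			if c.Claim.Attribute != r.Attribute || c.Issuer != r.Issuer {
				continue
			}
			msg, _ := json.Marshal(c.Claim)
			if !ed25519.Verify(pub, msg, c.Signature) {
				return "", fmt.Errorf("invalid signature on %q from %q", c.Claim.Attribute, c.Issuer)
			}
			if !c.Claim.Value {
				return "", fmt.Errorf("%q is asserted false", c.Claim.Attribute)
			}
			if pseudonym == "" {
				pseudonym = c.Claim.Pseudonym
			} else if pseudonym != c.Claim.Pseudonym {
				return "", errors.New("credentials are bound to different pseudonyms")
			}
			satisfied = true
			break
		}
		if !satisfied {
			return "", fmt.Errorf("no credential satisfies %q from %q", r.Attribute, r.Issuer)
		}
	}
	return pseudonym, nil
}

func main() {
	state, _ := NewIssuer("state")
	dmv, _ := NewIssuer("motor-vehicle-agency")
	// The rental agency pins the issuer keys it accepts (constructed sample, in practice
	// distributed out of band).
	trusted := map[string]ed25519.PublicKey{state.Name: state.Pub, dmv.Name: dmv.Pub}
	// The customer presents credentials issued to a pseudonym, not to a real name.
	creds := []Credential{
		state.Issue("pseudonym-7f3a", "age_over_23", true),
		dmv.Issue("pseudonym-7f3a", "driving_licence", true),
	}
	reqs := []Requirement{{"age_over_23", state.Name}, {"driving_licence", dmv.Name}}
	if p, err := Verify(creds, reqs, trusted); err != nil {
		fmt.Println("rental refused:", err)
	} else {
		fmt.Println("rental approved for", p) // no name, address or exact age disclosed
	}
}
```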

Benefit components

The anticipated additional income for an online service due to enhancing it with privacy protecting technologies divides into the following components:
• increased usage of online services by existing customers and an increased number of new customers, due to
  • fulfilment of the customers' need for privacy (some customers may only use the service if their privacy needs are fulfilled, others may use the service more often)
  • higher trust of customers in the service
  • improved public image and trust (especially if the privacy friendly attitude is advertised)
  • competitive advantage (if the competition doesn't have a similar offer)
  • increased customer retention (customers appreciate the privacy enhancing functions of the service and don't like the idea of not finding them with competing services)
• lower risk of being fined for violating legal data protection requirements

References
• van Blarkom, G.W.; Borking, J.J.; Olk, J.G.E. (2003). "PET" [4]. Handbook of Privacy and Privacy-Enhancing Technologies. (The Case of Intelligent Software Agents). ISBN 90-74087-33-7.

Notes
[1] The EU PRIME research project's Vision on privacy enhanced identity management (https://www.prime-project.eu/about/vision/)
[2] Key Facts on Privacy Negotiations (http://privacy-negotiations.de)
[3] The EU PRIME research project's White Paper (https://www.prime-project.eu/prime_products/whitepaper/PRIME-Whitepaper-V2.pdf) (Version 2)
[4] http://www.andrewpatrick.ca/pisa/handbook/handbook.html

External links
PETs in general:
• Stanford CIS wiki database of PETs (http://cyberlaw.stanford.edu/wiki/index.php/PET)
• The EU PRIME research project (http://www.prime-project.eu) (2004 to 2008), aiming at studying and developing novel PETs
• About PETs from the Center for Democracy and Technology (http://www.cdt.org/privacy/pet/)
• Annual symposium on PETs (http://petworkshop.org/)
• Report about PETs from the META Group, published by the Danish ministry of science (http://www.itst.dk/image.asp?page=image&objno=198999309)
• Activities of the EU Commission in the area of PETs (http://ec.europa.eu/information_society/activities/privtech/index_en.htm) (broken link)
Anonymous credentials:
• IBM Zürich Research Lab's idemix (http://www.zurich.ibm.com/security/idemix/)
• Stefan Brands' 'credentica' (http://www.credentica.com/)
• Microsoft's U-Prove (http://www.microsoft.com/u-prove/)
Privacy policy negotiation:
• The W3C's P3P
• IBM's EPAL
• Sören Preibusch: Implementing Privacy Negotiations in E-Commerce. Discussion Papers of DIW Berlin 526, 2005 (http://ideas.repec.org/p/diw/diwwpp/dp526.pdf)

Profiling practices

Profiling (information science) refers to the whole process of construction and application of profiles generated by computerized profiling technologies. Unlike a discussion of profiling technologies or population profiling, the notion of profiling practices is not just about the construction of profiles, but also concerns the application of group profiles to individuals, e.g. in the case of credit scoring, price discrimination, or identification of security risks (Hildebrandt & Gutwirth 2008) (Elmer 2004).

What characterizes profiling technologies is the use of algorithms or other mathematical techniques that allow one to discover patterns or correlations in large quantities of data, aggregated in databases. When these patterns or correlations are used to identify or represent people, they can be called profiles.

Profiling is not simply a matter of computerized pattern recognition; it enables refined price discrimination, targeted servicing, detection of fraud, and extensive social sorting. Real-time machine profiling constitutes the precondition for the emerging socio-technical infrastructures envisioned by advocates of ambient intelligence [1], Autonomic Computing (Kephart & Chess 2003) and ubiquitous computing (Weiser 1991).

One of the most challenging problems of the information society is dealing with the increasing data overload. With the digitizing of all sorts of content as well as the improvement and drop in cost of recording technologies, the amount of available information has become enormous and is increasing exponentially. It has thus become important for companies, governments, and individuals to be able to discriminate information from noise, detecting those data that are useful or interesting. The development of profiling technologies must be seen against this background. These technologies are thought to efficiently collect and analyse data in order to find or test knowledge in the form of statistical patterns between data. This process is called Knowledge Discovery in Databases (KDD) (Fayyad, Piatetsky-Shapiro & Smyth 1996), and it provides the profiler with sets of correlated data that are used as "profiles".

The profiling process

The technical process of profiling can be separated into several steps:
• Preliminary grounding: the profiling process starts with a specification of the applicable problem domain and the identification of the goals of analysis.
• Data collection: the target dataset or database for analysis is formed by selecting the relevant data in the light of existing domain knowledge and data understanding.
• Data preparation: the data are preprocessed to remove noise and to reduce complexity by eliminating attributes.
• Data mining: the data are analysed with the algorithm or heuristics developed to suit the data, model and goals.
• Interpretation: the mined patterns are evaluated on their relevance and validity by specialists and/or professionals in the application domain (e.g. excluding spurious correlations).
• Application: the constructed profiles are applied, e.g. to categories of persons, to test and fine-tune the algorithms.
• Institutional decision: the institution decides what actions or policies to apply to groups or individuals whose data match a relevant profile.

Data collection, preparation and mining all belong to the phase in which the profile is under construction. However, profiling also refers to the application of profiles, meaning the usage of profiles for the identification or categorization of groups or individual persons. As can be seen in step six (application), the process is circular: there is a feedback loop between the construction and the application of profiles. The interpretation of profiles can lead to the reiterant, possibly real-time, fine-tuning of specific previous steps in the profiling process. The application of profiles to people whose data were not used to construct the profile is based on data matching, which provides new data that allows for further adjustments. The process of profiling is thus both dynamic and adaptive. A good illustration of the dynamic and adaptive nature of profiling is the Cross-Industry Standard Process for Data Mining (CRISP-DM).

Types of profiling practices

In order to clarify the nature of profiling technologies, some crucial distinctions have to be made between different types of profiling practices, apart from the distinction between the construction and the application of profiles. The main distinctions are those between bottom-up and top-down profiling (or unsupervised and supervised learning), and between individual and group profiles.

Supervised and unsupervised learning

Profiles can be classified according to the way they have been generated (Fayyad, Piatetsky-Shapiro & Smyth 1996) (Zarsky 2002-3). On the one hand, profiles can be generated by testing a hypothesized correlation. This is called top-down profiling or supervised learning. It is similar to the methodology of traditional scientific research in that it starts with a hypothesis and consists of testing its validity. The result of this type of profiling is the verification or refutation of the hypothesis; one could also speak of deductive profiling. On the other hand, profiles can be generated by exploring a database, using the data mining process to detect patterns in the database that were not previously hypothesized. In a way, this is a matter of generating hypotheses: finding correlations one did not expect or even think of. Once the patterns have been mined, they enter the loop described above and are tested with the use of new data. This is called bottom-up profiling or unsupervised learning.

Two things are important with regard to this distinction. First, unsupervised learning algorithms seem to allow the construction of a new type of knowledge, not based on a hypothesis developed by a researcher and not based on causal or motivational relations, but exclusively on stochastic correlations. Second, unsupervised learning algorithms thus seem to allow for an inductive type of knowledge construction that does not require theoretical justification or causal explanation (Custers 2004).

Some authors claim that if the application of profiles based on computerized stochastic pattern recognition 'works', i.e. allows for reliable predictions of future behaviours, the theoretical or causal explanation of these patterns does not matter anymore (Anderson 2008). However, the idea that 'blind' algorithms provide reliable information does not imply that the information is neutral. In the process of collecting and aggregating data into a database (the first three steps of profile construction), translations are made from real-life events to machine-readable data. These data are then prepared and cleansed to allow for initial computability. Potential bias will have to be located at these points, as well as in the choice of the algorithms that are developed. It is not possible to mine a database for all possible linear and non-linear correlations, meaning that the mathematical techniques developed to search for patterns determine the patterns that can be found. In the case of machine profiling, potential bias is therefore not informed by common sense prejudice or what psychologists call stereotyping, but by the computer techniques employed in the initial steps of the process. These techniques are mostly invisible to those to whom profiles are applied (because their data match the relevant group profiles).

Individual and group profiles

Profiles must also be classified according to the kind of subject they refer to. This subject can either be an individual or a group of people. When a profile is constructed with the data of a single person, this is called individual profiling (Jaquet-Chiffelle 2008). This kind of profiling is used to discover the particular characteristics of a certain individual, to enable unique identification or the provision of personalized services. However, personalized servicing is most often also based on group profiling, which allows the categorisation of a person as a certain type of person, based on the fact that her profile matches a profile that has been constructed on the basis of massive amounts of data about massive numbers of other people. A group profile can refer to the result of data mining in data sets that refer to an existing community that considers itself as such, like a religious group, a tennis club, a university, a political party etc. In that case it can describe previously unknown patterns of behaviour or other characteristics of such a group (community).

A group profile can also refer to a category of people that do not form a community, but are found to share previously unknown patterns of behaviour or other characteristics (Custers 2004). In that case the group profile describes specific behaviours or other characteristics of a category of people, like for instance women with blue eyes and red hair, or adults with relatively short arms and legs. These categories may be found to correlate with health risks, earning capacity, mortality rates, credit risks, etc.

If an individual profile is applied to the individual that it was mined from, then that is direct individual profiling. If a group profile is applied to an individual whose data match the profile, then that is indirect individual profiling, because the profile was generated using data of other people. Similarly, if a group profile is applied to the group that it was mined from, then that is direct group profiling (Jaquet-Chiffelle 2008). However, in as far as the application of a group profile to a group implies the application of the group profile to individual members of the group, it makes sense to speak of indirect group profiling, especially if the group profile is non-distributive.

Distributive and non-distributive profiling

Group profiles can also be divided in terms of their distributive character (Vedder 1999). A group profile is distributive when its properties apply equally to all the members of its group: all bachelors are unmarried, or all persons with a specific gene have an 80% chance to contract a specific disease. A profile is non-distributive when the profile does not necessarily apply to all the members of the group: the group of persons with a specific postal code have an average earning capacity of XX, or the category of persons with blue eyes has an average chance of 37% to contract a specific disease. Note that in this case the chance of an individual to have a particular earning capacity or to contract the specific disease will depend on other factors, e.g. sex, age, background of parents, previous health, education. It should be obvious that, apart from tautological profiles like that of bachelors, most group profiles generated by means of computer techniques are non-distributive. This has far-reaching implications for the accuracy of indirect individual profiling based on data matching with non-distributive group profiles. Quite apart from the fact that the application of accurate profiles may be unfair or cause undue stigmatisation, most group profiles will not be accurate for every individual they are applied to.

Application domains

Profiling technologies can be applied in a variety of different domains and for a variety of purposes. These profiling practices will all have different effects and raise different issues.

Knowledge about the behaviour and preferences of customers is of great interest to the commercial sector. On the basis of profiling technologies, companies can predict the behaviour of different types of customers. Marketing strategies can then be tailored to the people fitting these types. Examples of profiling practices in marketing are customer loyalty cards, customer relationship management in general, and personalized advertising. [2][3][4]

In the financial sector, institutions use profiling technologies for fraud prevention and credit scoring. Banks want to minimise the risks in giving credit to their customers. On the basis of extensive group profiling, customers are assigned a certain scoring value that indicates their creditworthiness. Financial institutions like banks and insurance companies also use group profiling to detect fraud or money laundering. Databases with transactions are searched [5] with algorithms to find behaviours that deviate from the standard, indicating potentially suspicious transactions.

In the context of employment, profiles can be of use for tracking employees by monitoring their online behaviour, for the detection of fraud by them, and for the deployment of human resources by pooling and ranking their skills (Leopold & Meints 2008) [6]. Profiling can also be used to support people at work, and also for learning, by intervening in the design of adaptive hypermedia systems personalising the interaction. For instance, this can be useful for supporting the management of attention (Nabeth 2008).
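The following is an added example, not taken from any of the cited works, that walks constructed transaction data through the steps of the profiling process described above: collection, preparation, mining of a group profile per customer segment, interpretation (discarding profiles with too little support) and application by data matching, which is how the transaction screening mentioned for the financial sector works in practice. It also makes the distributive question concrete: the segment mean is a non-distributive property, so an individual matched against it is being profiled indirectly with data that came from other people. The customer names, segments, amounts and the three-standard-deviation threshold are all assumptions made for the illustration.

```python
"""Profiling process over constructed transaction data (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample transactions: (customer, segment, amount). Not real data.
TRANSACTIONS: List[Tuple[str, str, float]] = [
    ("alice", "retail", 42.0), ("alice", "retail", 38.5), ("alice", "retail", 51.0),
    ("bob", "retail", 20.0), ("bob", "retail", 25.0), ("bob", "retail", 22.5),
    ("carol", "retail", 60.0), ("carol", "retail", 55.0),
    ("carol", "retail", -5.0),                 # a refund: noise for this analysis
    ("dave", "business", 900.0), ("dave", "business", 1100.0), ("dave", "business", 950.0),
    ("erin", "business", 1200.0), ("erin", "business", 800.0),
    ("frank", "wholesale", 5000.0),            # a single record: too little support
]


@dataclass(frozen=True)
class GroupProfile:
    """A non-distributive group profile: the typical amount of a whole segment."""
    segment: str
    mean_amount: float
    stdev_amount: float
    support: int                               # number of records it was mined from


def collect(transactions: Iterable[Tuple[str, str, float]]) -> List[dict]:
    """Step 2, data collection: keep the attributes relevant to the analysis goal."""
    return [{"customer": c, "segment": s, "amount": a} for c, s, a in transactions]


def prepare(records: List[dict]) -> List[dict]:
    """Step 3, data preparation: remove noise (refunds and zero amounts)."""
    return [r for r in records if r["amount"] > 0]


def mine(records: List[dict]) -> Dict[str, GroupProfile]:
    """Step 4, data mining: aggregate each segment's amounts into a group profile."""
    per_segment: Dict[str, List[float]] = {}
    for r in records:
        per_segment.setdefault(r["segment"], []).append(r["amount"])
    return {seg: GroupProfile(seg, mean(v), pstdev(v), len(v)) for seg, v in per_segment.items()}


def interpret(profiles: Dict[str, GroupProfile], min_support: int = 3) -> Dict[str, GroupProfile]:
    """Step 5, interpretation: drop profiles mined from too few records to be trusted."""
    return {seg: p for seg, p in profiles.items() if p.support >= min_support}


def apply_profile(profiles: Dict[str, GroupProfile], record: dict, k: float = 3.0) -> Optional[str]:
    """Step 6, application: match one record against the group profile of its
    segment (indirect individual profiling) and describe a deviation of more
    than k standard deviations. Returns None if no profile exists for the
    segment or the record is within the expected range."""
    p = profiles.get(record["segment"])
    if p is None or p.stdev_amount == 0:
        return None
    z = (record["amount"] - p.mean_amount) / p.stdev_amount
    if abs(z) > k:
        return (f"{record['customer']}: {record['amount']:.2f} deviates {z:+.1f} sd "
                f"from segment '{p.segment}' (mean {p.mean_amount:.2f})")
    return None


def is_distributive(profiles: Dict[str, GroupProfile], records: List[dict], segment: str) -> bool:
    """The segment mean is distributive only if every member has exactly that value."""
    p = profiles[segment]
    return all(r["amount"] == p.mean_amount for r in records if r["segment"] == segment)


def build_profiles(transactions=TRANSACTIONS, min_support: int = 3) -> Dict[str, GroupProfile]:
    """Construction phase: collection -> preparation -> mining -> interpretation."""
    return interpret(mine(prepare(collect(transactions))), min_support)


def screen(new_transactions, profiles=None, k: float = 3.0) -> List[str]:
    """Application phase: data-match new records and return the alerts raised."""
    if profiles is None:
        profiles = build_profiles()
    alerts = [apply_profile(profiles, r, k) for r in prepare(collect(new_transactions))]
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in screen([("bob", "retail", 300.0), ("gina", "wholesale", 7000.0)]):
        print(alert)
```

Note what the output does and does not show: bob's 300.00 is flagged because it is about 18 standard deviations from the retail mean, gina's 7000.00 is not flagged at all because the wholesale profile was discarded for lack of support, and a business transaction of 1300.00 passes because it lies within three standard deviations. None of these decisions says anything causal about the individual; they are data matches against a profile built from other customers' records, which is exactly the accuracy problem raised for non-distributive group profiles above.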

In forensic science, the possibility exists of linking different databases of cases and suspects and mining these for common patterns. This could be used for solving existing cases or for the purpose of establishing risk profiles of potential suspects (Geradts & Sommer 2008) (Harcourt 2006).

Risks and issues

Profiling technologies have raised a host of ethical, legal and other issues including privacy, equality, due process, security and liability. Numerous authors have warned against the affordances of a new technological infrastructure that could emerge on the basis of semi-autonomic profiling technologies (Lessig 2006) (Solove 2004) (Schwartz 2000).

Privacy is one of the principal issues raised. Profiling technologies make possible a far-reaching monitoring of an individual's behaviour and preferences. Profiles may reveal personal or private information about individuals that they might not even be aware of themselves (Hildebrandt & Gutwirth 2008).

Profiling technologies are by their very nature discriminatory tools. They allow unparalleled kinds of social sorting and segmentation which could have unfair effects. The people that are profiled may have to pay higher prices [7], they could miss out on important offers or opportunities, and they may run increased risks because catering to their needs is less profitable (Lyon 2003). In most cases they will not be aware of this, since profiling practices are mostly invisible and the profiles themselves are often protected by intellectual property or trade secret. This poses a threat to the equality and solidarity of citizens. On a larger scale, it might cause the segmentation of society. [8]

One of the problems underlying pot violations of privacy and non-discrimination is that the process of profiling is more often than not invisible for those that are being profiled. This creates difficulties in that it becomes hard, if not impossible, to contest the application of a particular group profile. This disturbs principles of due process: if a person has no access to the information on the basis of which she is withheld benefits or attributed certain risks, she cannot contest the way she is being treated (Steinbock 2005).

Profiles can be used against people when they end up in the hands of people who are not entitled to access or use them. An important issue related to these breaches of security is identity theft.

When the application of profiles causes harm, the liability for this harm has to be determined: who is to be held accountable? Is it the software programmer, the profiling service provider, or the profiled user? This issue of liability is especially complex where the application of profiles and the decisions based on them have also become automated, as in Autonomic Computing or ambient intelligence.

References
• Anderson, Chris (2008). "The End of Theory: The Data Deluge Makes the Scientific Method Obsolete" [9]. Wired Magazine 16 (7).
• Custers, B.H.M. (2004). The Power of Knowledge. Tilburg: Wolf Legal Publishers.
• Elmer, G. (2004). Profiling Machines. Mapping the Personal Information Economy. MIT Press.
• Fayyad, U.M.; Piatetsky-Shapiro, G.; Smyth, P. (1996). "From Data Mining to Knowledge Discovery in Databases" [10]. AI Magazine 17 (3): 37–54.
• Geradts, Zeno; Sommer, Peter (2008). "D6.7c: Forensic Profiling" [11]. FIDIS Deliverables 6 (7c).
• Harcourt, B.E. (2006). Against Prediction. Profiling, Policing, and Punishing in an Actuarial Age. The University of Chicago Press, Chicago and London.
• Hildebrandt, Mireille; Gutwirth, Serge (2008). Profiling the European Citizen. Cross Disciplinary Perspectives. Springer, Dordrecht. doi:10.1007/978-1-4020-6914-7. ISBN 978-1-4020-6913-0.
• Jaquet-Chiffelle, David-Olivier (2008). "Reply: Direct and Indirect Profiling in the Light of Virtual Persons. To: Defining Profiling: A New Type of Knowledge?". In Hildebrandt, Mireille; Gutwirth, Serge (eds.). Profiling the European Citizen. Springer Netherlands. pp. 17–45. doi:10.1007/978-1-4020-6914-7_2.
• Kephart, J.O.; Chess, D.M. (2003). "The Vision of Autonomic Computing" [12]. Computer 36 (1): 96–104. doi:10.1109/MC.2003.1160055.
• Leopold, N.; Meints, M. (2008). "Profiling in Employment Situations (Fraud)". In Hildebrandt, Mireille; Gutwirth, Serge (eds.). Profiling the European Citizen. Springer Netherlands. pp. 217–237. doi:10.1007/978-1-4020-6914-7_12.
• Lessig, L. (2006). Code 2.0. Basic Books, New York.
• Lyon, D. (2003). Surveillance as Social Sorting: Privacy, Risk, and Digital Discrimination. Routledge.
• Nabeth, Thierry (2008). "User Profiling for Attention Support for School and Work". In Hildebrandt, Mireille; Gutwirth, Serge (eds.). Profiling the European Citizen. Springer Netherlands. pp. 185–200. doi:10.1007/978-1-4020-6914-7_10.
• Schwartz, P. (2000). "Beyond Lessig's Code for the Internet Privacy: Cyberspace Filters, Privacy-Control and Fair Information Practices". Wisconsin Law Review (2000): 743–788.
• Solove, D.J. (2004). The Digital Person. Technology and Privacy in the Information Age. New York: New York University Press.
• Steinbock, D. (2005). "Data Matching, Data Mining, and Due Process". Georgia Law Review 40 (1): 1–84.
• Vedder, A. (1999). "KDD: The Challenge to Individualism" [13]. Ethics and Information Technology 1 (4): 275–281. doi:10.1023/A:1010016102284.
• Weiser, M. (1991). "The Computer for the Twenty-First Century". Scientific American 265 (3): 94–104.
• Zarsky, T. (2002-3). ""Mine Your Own Business!": Making the Case for the Implications of the Data Mining of Personal Information in the Forum of Public Opinion". Yale Journal of Law and Technology 5 (4): 17–47.

Notes and other references
[1] ISTAG (2001). Scenarios for Ambient Intelligence in 2010. Information Society Technology Advisory Group.
[2] http://epic.org/privacy/profiling/
[3] https://www.datenschutzzentrum.de/guetesiegel/register.htm
[4] https://www.datenschutzzentrum.de/guetesiegel/kurzgutachten/g041006/
[5] Canhoto, A.I. (2007). Profiling behaviour: the social construction of categories in the detection of financial crime. Dissertation at London School of Economics, available at http://www.lse.ac.uk/collections/informationSystems/pdf/theses/Canhoto.pdf
[6] http://epic.org/privacy/workplace/
[7] Odlyzko, A. (2003). Privacy, economics, and price discrimination on the Internet. ICEC2003: Fifth International Conference on Electronic Commerce. ACM. At http://www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
[8] Gandy, O. (2002). Data Mining and Surveillance in the post 9/11 environment. Presentation at IAMCR, Barcelona. At http://www.asc.upenn.edu/usr/ogandy/IAMCRdatamining.pdf
[9] http://www.wired.com/science/discoveries/magazine/16-07/pb_theory
[10] http://www.daedalus.es/fileadmin/daedalus/doc/MineriaDeDatos/fayyad96.pdf
[11] http://www.fidis.net/fileadmin/fidis/deliverables/fidis-wp6-del6.7c.Forensic_Profiling.pdf
[12] http://www.research.ibm.com/autonomic/research/papers/AC_Vision_Computer_Jan_2003.pdf
[13] http://www.springerlink.com/content/jm7h7n5727861254/

Service Provisioning Markup Language

Service Provisioning Markup Language (SPML) is an XML-based framework, developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations.

SPML is the open standard for the integration and interoperation of service provisioning requests. It is an OASIS standard based on the concepts of the Directory Service Markup Language. SPML version 1.0 was approved in October 2003; SPML version 2.0 was approved in April 2006.

Definition

The OASIS Provisioning Services Technical Committee uses the following definition of "provisioning": [1]

"Provisioning is the automation of all the steps required to manage (setup, amend and revoke) user or system access entitlements or data relative to electronically published services."

Goal of SPML

The goal of SPML is to allow organizations to securely and quickly set up user interfaces for Web services and applications, by letting enterprise platforms such as Web portals, application servers, and service centers generate provisioning requests within and across organizations. This can lead to automation of user or system access and entitlement rights to electronic services across diverse IT infrastructures, so that customers are not locked into proprietary solutions. SPML carries the provisioning requests themselves; the Security Assertion Markup Language (SAML) exchanges the authorization data.

SPML Functionality

SPML version 2.0 [2] defines the following functionality:

Core functions
• listTargets - enables a requestor to determine the set of targets that a provider makes available for provisioning.
• add - enables a requestor to create a new object on a target.
• lookup - enables a requestor to obtain the XML that represents an object on a target.
• modify - enables a requestor to change an object on a target.
• delete - enables a requestor to remove an object from a target.

Async Capability
• cancel - enables a requestor to stop the execution of an asynchronous operation.
• status - enables a requestor to determine whether an asynchronous operation has completed successfully, has failed, or is still executing.

Batch Capability
• batch - supports batch execution of requested operations.

Bulk Capability
• bulkModify - allows multiple modify requests to be run together.
• bulkDelete - allows multiple delete requests to be run together.

Password Capability
• setPassword - enables a requestor to specify a new password for an object.
• expirePassword - marks as invalid the current password for an object.
• resetPassword - enables a requestor to change (to an unspecified value) the password for an object and to obtain that newly generated password value.
• validatePassword - enables a requestor to determine whether a specified value would be valid as the password for a specified object.

Because resetPassword returns the generated password in the response and setPassword carries the chosen one in the request, the SPML exchange itself must be confidentiality-protected in transit and these messages must be kept out of request logs.

Search Capability
• search - obtains every object that matches a specified query.
• iterate - obtains the next set of objects from the result set that the provider selected for a search operation.
• closeIterator - tells the provider that the requestor has no further need for the search result that a specific <iterator> represents.

Suspend Capability
• suspend - enables a requestor to disable an object.
• resume - enables a requestor to re-enable an object that has been suspended.
• active - enables a requestor to determine whether a specified object has been suspended.

Updates Capability
• updates - obtains records of changes to objects.
• iterate - obtains the next set of objects from the result set that the provider selected for an updates operation.
• closeIterator - tells the provider that the requestor has no further need for the updates result set that a specific <iterator> represents.

Custom Capabilities
• An individual provider (or any third party) can define a custom capability that integrates with SPMLv2.

Features

Provisioning Service Object (PSO)

The key identifier in SPML is the PSO. A Provisioning Service Object (PSO), sometimes simply called an object, represents a data entity or an information object on a target. For example, a provider would represent as an object each account that the provider manages. Every object is contained by exactly one target, and each object has a unique identifier (PSO-ID).
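As an added illustration of the core add and lookup operations and of the PSO described above (this is example code, not from the SPML specification or from any implementation listed on this page), the exchange below builds an SPMLv2 addRequest and lookupRequest in the core namespace urn:oasis:names:tc:SPML:2:0 and has a minimal in-memory provider answer them with addResponse and lookupResponse messages that carry the PSO and its PSO-ID. The account schema namespace (urn:example:account), the target name and the PSO-ID allocation scheme are assumptions; the provider's refusal to act on a target it does not serve, and the use of the noSuchIdentifier and malformedRequest error codes for that, are this example's design choices.

```python
"""SPMLv2 add/lookup exchange with an in-memory provider (added example).
Namespace and message shapes follow the SPMLv2 core schema; the account
schema, target name, PSO-ID scheme and error handling are assumptions."""
import copy
import uuid
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SPML_NS = "urn:oasis:names:tc:SPML:2:0"   # SPMLv2 core namespace
ACCT_NS = "urn:example:account"           # assumed schema of the provisioned objects
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("acct", ACCT_NS)


def spml(tag: str) -> str:
    """Qualify a tag with the SPML core namespace."""
    return f"{{{SPML_NS}}}{tag}"


def build_add_request(target_id: str, attrs: dict) -> bytes:
    """Requestor side: <addRequest> carrying the new object's data for one target."""
    req = ET.Element(spml("addRequest"), {
        "requestID": str(uuid.uuid4()), "executionMode": "synchronous", "targetID": target_id,
    })
    account = ET.SubElement(ET.SubElement(req, spml("data")), f"{{{ACCT_NS}}}Account")
    for name, value in attrs.items():
        ET.SubElement(account, f"{{{ACCT_NS}}}{name}").text = value
    return ET.tostring(req)


def build_lookup_request(target_id: str, pso_id: str) -> bytes:
    """Requestor side: <lookupRequest> identifying the object by PSO-ID and target."""
    req = ET.Element(spml("lookupRequest"), {
        "requestID": str(uuid.uuid4()), "executionMode": "synchronous",
    })
    ET.SubElement(req, spml("psoID"), {"ID": pso_id, "targetID": target_id})
    return ET.tostring(req)


class InMemoryProvider:
    """Provider side: serves exactly one target and stores objects by PSO-ID."""

    def __init__(self, target_id: str, first_pso_id: int = 1000):
        self.target_id = target_id
        self.objects: dict = {}          # PSO-ID -> the object's <Account> element
        self._next_id = first_pso_id     # assumed PSO-ID allocation scheme

    def handle(self, raw: bytes) -> ET.Element:
        # For requests from untrusted parties parse with defusedxml.ElementTree.fromstring
        # instead; the stdlib parser still expands internal entities (billion laughs).
        req = ET.fromstring(raw)
        operation = req.tag[len(SPML_NS) + 2:]       # strip the "{namespace}" prefix
        if operation == "addRequest":
            return self._add(req)
        if operation == "lookupRequest":
            return self._lookup(req)
        raise ValueError(f"unsupported operation: {operation}")

    def _add(self, req: ET.Element) -> ET.Element:
        if req.get("targetID") != self.target_id:        # only provision targets we serve
            return self._response("addResponse", req, "noSuchIdentifier")
        data = req.find(spml("data"))
        if data is None or len(data) != 1:
            return self._response("addResponse", req, "malformedRequest")
        pso_id = str(self._next_id)
        self._next_id += 1
        self.objects[pso_id] = copy.deepcopy(data[0])
        return self._with_pso(self._response("addResponse", req), pso_id)

    def _lookup(self, req: ET.Element) -> ET.Element:
        ref = req.find(spml("psoID"))
        if ref is None:
            return self._response("lookupResponse", req, "malformedRequest")
        if ref.get("targetID") != self.target_id or ref.get("ID") not in self.objects:
            return self._response("lookupResponse", req, "noSuchIdentifier")
        return self._with_pso(self._response("lookupResponse", req), ref.get("ID"))

    def _response(self, tag: str, req: ET.Element, error: Optional[str] = None) -> ET.Element:
        attrs = {"status": "failure" if error else "success", "requestID": req.get("requestID", "")}
        if error:
            attrs["error"] = error
        return ET.Element(spml(tag), attrs)

    def _with_pso(self, resp: ET.Element, pso_id: str) -> ET.Element:
        """Attach <pso><psoID/><data/></pso>, the object as the provider represents it."""
        pso = ET.SubElement(resp, spml("pso"))
        ET.SubElement(pso, spml("psoID"), {"ID": pso_id, "targetID": self.target_id})
        ET.SubElement(pso, spml("data")).append(copy.deepcopy(self.objects[pso_id]))
        return resp


def provision_and_verify(provider: InMemoryProvider, attrs: dict) -> Tuple[str, str]:
    """Requestor flow: add an account, then look it up by PSO-ID and return
    (pso_id, accountName) as read back from the lookupResponse."""
    add_resp = provider.handle(build_add_request(provider.target_id, attrs))
    if add_resp.get("status") != "success":
        raise RuntimeError(f"add failed: {add_resp.get('error')}")
    pso_id = add_resp.find(f"{spml('pso')}/{spml('psoID')}").get("ID")
    look_resp = provider.handle(build_lookup_request(provider.target_id, pso_id))
    name = look_resp.find(
        f"{spml('pso')}/{spml('data')}/{{{ACCT_NS}}}Account/{{{ACCT_NS}}}accountName").text
    return pso_id, name


if __name__ == "__main__":
    provider = InMemoryProvider("target1")     # assumed target name
    request = build_add_request("target1", {"accountName": "jsmith"})
    print(request.decode())
    print(ET.tostring(provider.handle(request), encoding="unicode"))
```

Running the block prints the addRequest and the provider's addResponse so both sides of the exchange are visible. The targetID check is the part worth copying: SPML itself only names the target, so a provider that accepts requests for targets it was never configured to serve would let a requestor create objects wherever it likes.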

Profile

SPMLv2 defines two "profiles" in which a requestor and provider may exchange SPML protocol:
• XML Schema, as defined in the "SPMLv2 XSD Profile" [SPMLv2-Profile-XSD].
• DSMLv2, as defined in the "SPMLv2 DSMLv2 Profile" [SPMLv2-Profile-DSML].

The XSD Profile may be more convenient for applications that access mainly targets that are web services. The DSMLv2 Profile may be more convenient for applications that access mainly targets that are LDAP or X.500 directory services. A requestor and a provider may exchange SPML protocol in any profile to which they agree.

References
[1] Open SPML FAQ (https://openspml.dev.java.net/FAQ.html)
[2] SPML Version 2 (http://www.oasis-open.org/specs/#spmlv2.0). This is a web service used without any need of WSDL.

External links
• http://www.oasis-open.org
• https://openspml.dev.java.net/
• Identity Provisioning Open Source Software Project (http://identitymngr.sourceforge.net/)
• Open Provisioning Toolkit (OpenPTK) (https://openptk.dev.java.net/)
• Keychain: Open Source SPMLv2 Gateway (http://keychain.dev.java.net/)
• Open Source Softerra SPML2 Library for .NET (http://www.softerra.com/products_spml-library.htm)

Syncope (software)

Syncope
(Infobox image: Syncope Admin Console)
Initial release: May 25, 2011
Stable release: 0.5.1 / May 10, 2011
Development status: Active
Written in: Java
Operating system: Cross-platform
Available in: English, Italian
Type: Identity and access management
License: Apache 2.0
Website: syncope-idm.org

Syncope is an Open Source system for managing identities in enterprise environments, implemented in J2EE technology and released under the Apache 2.0 license [1]. To run Syncope, only a J2EE container (Apache Tomcat, for example) and a DBMS are needed. Most DBMSes available either on the market or in the Open Source space are fully supported. Like many other modern Open Source projects, Syncope is built upon solid foundations, made in turn by other Open Source projects. Some of them are listed below:
• Spring 3.0
• Hibernate
• OS Workflow [3]
• EHCache
• Apache CXF
• Apache Wicket
• ConnId [4]
• DbUnit [5]
• SLF4J

Stable Maven artifacts are regularly published to the central repository [2], while snapshot releases are available at Sonatype OSS.

Why Open Source

The people who started Syncope's inception and development kept getting stuck in license related issues, mainly about costs and bureaucracy. They used to be able to cover most of their customers' needs in terms of middleware by using only Open Source systems and tools, often obtaining very satisfactory results. All that with a (very noticeable) exception: IdM. Nothing could be found anywhere on the Internet that implemented what was needed to fulfil the customers' requirements. At that point it became clear that the only way out was to respond to one of the most heard sentences in modern IT: "Do you pine for the days when men were men and wrote their own device drivers?" [6] So, in the end, why Open Source? Because it's better!

High-level architecture

From a high-level point of view, Syncope is composed of two main subsystems:
• the core: the web application that implements the IdM features, manages data persistence, and implements the provisioning core by means of its workflow engine and its propagation layer. It offers a RESTful interface for caller applications.
• the console: the web management interface for configuring and administering the Syncope core. Like other external applications, the console communicates with the core through REST calls.

External links
• Syncope project page [7]
• Syncope roadmap [8]

References
[1] http://www.apache.org/licenses/LICENSE-2.0.html
[2] http://repo1.maven.org/maven2/org/syncope/
[3] http://www.opensymphony.com/osworkflow/
[4] http://connid.googlecode.com
[5] http://www.dbunit.org/
[6] https://secure.wikimedia.org/wikiquote/en/wiki/Linus_Torvalds
[7] http://www.syncope-idm.org/
[8] http://syncope.googlecode.com/wiki/Roadmap

Trombinoscope

Trombinoscope is a French-language directory publication for the French political world, published by Huveaux Politique [1], a subsidiary company of Dods (Group) PLC [2]. Trombinoscope was created in 1981 by Félix Colin, who was then a parliamentary journalist. It is published in two volumes, with 3,400 biographies. Updated every year, it contains the biographies of 7,500 personalities and is printed in 12,500 copies [citation needed]. Trombinoscope also awards several annual prizes: political personality of the year, minister of the year, deputy of the year, senator of the year, political revelation of the year, local elected official of the year, and European of the year. There is also a Trombinoscope for the European Union, published since 2000, which contains 600 biographies and is printed in 3,500 copies, and, since 2006, a Health Trombinoscope. Dods PLC also publishes "La Lettre du Trombinoscope", a monthly newsletter.

References
[1] "Mentions légales" (http://www.trombinoscope.com/mentions-legales.html). Huveaux Politique. Retrieved 17 May 2011.
[2] "Dods (Group) PLC: Annual Report 2010" (http://www.dodsgroupplc.com/dods/uploads/annualreport/Dods_AnnualReport2010.pdf). Dods (Group) PLC. p. 44. Retrieved 17 May 2011.

External links
• Official site (http://www.trombinoscope.com/)
• Publisher's website (http://www.dodsgroupplc.com/)

User profile

A user profile (userprofile, or simply profile when used in-context) is a collection of personal data associated to a specific user. A profile refers therefore to the explicit digital representation of a person's identity. A user profile can also be considered as the computer representation of a user model. A profile can be used to store the description of the characteristics of a person. This information can be exploited by systems taking into account the person's characteristics and preferences. For instance, profiles can be used by adaptive hypermedia systems that personalise the human computer interaction. Profiling is the process that refers to the construction of a profile via extraction from a set of data. User profiles can be found on operating systems, computer programs, recommender systems, or dynamic websites (such as online social networking sites or bulletin boards).

References
• Hancock, J.T., Toma, C., Ellison, N. (2007). "The truth about lying in online dating profiles" [1]. Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2007). ACM, pp. 449–452
• Microsoft on User Profiles [2]

References
[1] https://www.msu.edu/~nellison/pubs.html
[2] http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/userprofile_overview.mspx?mfr=true

White pages schema

A white pages schema is a data model, specifically a logical schema, for organizing the data contained in entries in a directory service, database, or application, such as an address book. In a white pages directory, each entry typically represents an individual person that makes use of network resources, such as by receiving email or having an account to log into a system. In some environments, the schema may also include the representation of organizational divisions, roles, groups, and devices. The term is derived from the white pages, the listing of individuals in a telephone directory, typically sorted by the individual's home location (e.g., city) and then by their name.

A white pages schema typically defines, for each real-world object being represented:
• what attributes of that object are to be represented in the entry for that object
• what relationships of that object to other objects are to be represented
• how the entry is to be named in a DIT
• how an entry is to be located by a client searching for it
• how similar entries are to be distinguished
• how entries are to be ordered when displayed in a list

While many telephone service providers have for decades published a list of their subscribers in a telephone directory, and similarly corporations published a list of their employees in an internal directory, it was not until the rise of electronic mail systems that a requirement for standards for the electronic exchange of subscriber information between different systems appeared. One of the earliest attempts to standardize a white pages schema for electronic mail use was in X.400 and defined a Directory Information Tree that mirrored the international telephone system, with entries representing residential and organizational subscribers. This evolved into the Lightweight Directory Access Protocol standard schema in RFC 2256, which was derived from the addressing requirements of X.520 and X.521, part of the X.500 specifications.

Some early directory deployments suffered due to poor design choices in their white pages schema, such as:
• attributes used for naming purposes were non-unique in large environments (such as a person's common name)
• attributes used for naming purposes were likely to change (such as surnames)
• attributes were included which could lead to identity theft, such as a Social Security number
• users were required during provisioning to choose attributes which are unique but still memorable to them

One of the most widely deployed white pages schemas used in LDAP for representing individuals in an organizational context is inetOrgPerson, defined in RFC 2798, although versions of Active Directory require a different object class, User. Numerous other proposed schemas exist, both as standalone definitions suitable for use with general purpose directories, or as embedded into network protocols and data interchange standards such as Common Indexing Protocol. Examples of other generic white pages schemas include vCard, defined in RFC 2426, and FOAF. Many large organizations have also defined their own white pages schemas for their employees or customers, as part of their identity management architecture. Converting between databases and directories using different schemas is often the function of a metadirectory.

Athens (access and identity management service)

Athens is an Access and Identity Management service based in the United Kingdom that is supplied by Eduserv to provide single sign-on to protected resources combined with full user management capability. Over 4.5 million users worldwide can gain access to over 300 protected online resources via the Athens service. Athens replaces the multiple usernames and passwords necessary to access subscription based content with a single username and password that can be entered once per session. It operates independently of a user's location or IP address. Organisations adopting the Athens service can choose between the Classic Athens service, where usernames are held by Eduserv, or Local Authentication, where usernames are held locally and security tokens are exchanged via a range of protocols: SAML, Shibboleth or Athens Devolved Authentication (AthensDA) [1].

Infrastructure

There are two main elements to Athens. Firstly, the ability to manage large numbers of users, their credentials, and associated access rights, in a devolved manner where administration can be delegated to organisations, or within an organisation. Accounts can be grouped into categories with different attributes, and given access to different sets of resources. Secondly, Athens provides a managed infrastructure which facilitates the exchange of security tokens across domains in a secure and trusted way.

Trust

The Athens service is a trust federation where Identity Providers, Service Providers and Athens operate under common rules and licenses. Trust is enforced by the use of public-key cryptography and other security mechanisms. Trust is enforced at the Identity Provider through an appointed administrator who uses browser-based tools provided as part of the Athens service to manage their user accounts in a truly federated manner. The Athens service is neutral; it is not involved in the selling process between a Service Provider (SP) and an Identity Provider (IdP). The SP informs Athens when access to its resource is to be enabled to an IdP, and Athens then allows the IdP to allocate the resource to appropriate user accounts.

Adoption

Athens is used extensively within UK Higher and Further Education institutions, the UK National Health Service, and in more than 90 countries [2] worldwide. Over 4.5 million accounts are now registered with Athens. The majority of IdPs use Classic Athens; however, more than 60 organisations, representing around one million users, have moved to the fully federated Local Authentication model. In 2006 Athens was represented at the Medical Library Association Annual Meeting. Since then hospital libraries in the United States have begun using Athens as a method for providing off-campus access to library resources.

Standards

Once SAML became a ratified standard, Athens adopted SAML and Shibboleth interfaces to the Athens system to facilitate inter-working with a larger number of systems. The Athens service offers SAML and Shibboleth connectivity for both IdPs and SPs through Gateways where native connectivity is not practical.

Attributes

Athens makes a number of attributes relating to its organisations and its user accounts available to its Service Providers through its agent technology. These are generally organisation-related, as in the case of the 'issuing organisation identity number' or 'issuing organisation country', or pseudonymous, like the persistent unique identifier for a user account.

Attribute-based authorisation

Athens user management facilities, whether for Classic or Locally Authenticated users, allow the administrator to allocate a different set of resources to each user account. This provides fine-grained authorisation for resources. However, when attributes and their meaning are commonly understood by IdPs and SPs, the ability to deliver attributes through the agent technology will offer a long term ability to authorise based on attributes.

History

Conceived in 1996 at the University of Bath, the service was originally named Athena after the Greek goddess of knowledge and learning. It is rumoured that the name change was partially caused by a common typo, but it was actually due to the name Athena being already trademarked. As from 1996, the service has had two periods of significant expansion: the first in 2000, due to a central contract that made the service freely available to almost all UK Higher and Further education sites, and the second in 2003, when it was adopted by the UK National Health Service. It has been adopted by over 2,000 organisations and over 300 online resources since it was first launched in 1996.

External links
• Athens corporate site [3]
• Firefox browser extension [4]
• Everything2 article [5]

References
[1] http://www.athensams.net/local_auth/athensda/
[2] http://auth.athensams.net/orglist.php?view=byCountry
[3] http://www.athensams.net/
[4] https://addons.mozilla.org/firefox/337/
[5] http://everything2.com/index.pl?node_id=1888399

Courion Corporation

Courion Corporation
Industry: Software
Founded: USA (1996)
Headquarters: Westborough, Massachusetts, United States
Area served: Worldwide
Key people: Christopher Zannetos (CEO), Kurt Johnson, Chris Sullivan
Products: AccountCourier, PasswordCourier, ProfileCourier, RoleCourier, ComplianceCourier, CertificateCourier, Compliance Manager for File Shares
Employees: 154 (2011)
Website: http://www.courion.com/

Courion Corporation, headquartered in Westborough, Massachusetts, USA, is a United States-based software company that develops, manufactures, licenses, and supports a range of Access Assurance software products for computer networks. Courion's software products are currently being used by over 9 million users [1] worldwide. According to analysts Gartner [2] and Burton Group[3], Courion is a recognized leader in identity and access management.

History

In 1996, Courion was founded. In 1996, PasswordCourier was introduced. In 1998, ProfileCourier was introduced. On Nov 28, 1999, Courion secured $4.1 million in a first round of funding.[4] In 2000, AccountCourier was introduced. On Nov 8, 2000, Courion secured $13.2 million in a second round of funding.[5] In 2000, CertificateCourier was introduced. On Jan 28, 2003, Courion secured $9 million in new funding.[6] In 2004, ComplianceCourier was introduced. On May 11, 2004, Courion secured $5 million in new funding.[7][8] In 2006, RoleCourier was introduced. In 2009, Courion announced the India Technology Center (ITC) in Pune, India.[9][10] In 2009, Courion's corporate headquarters was relocated to Westborough, Massachusetts.[11] In 2010, Access Assurance Suite 8.0 was released.[12] In 2010, Compliance Manager for SharePoint was introduced. In 2010, Compliance Manager for File Shares was introduced.[13]

Awards
• Gartner - 2009 Leader, Magic Quadrant for User Provisioning [14][15]
• Burton Group - 2009 'Short List' Vendor, User Provisioning [16]
• 2009 Network Products Guide Innovation Award [17]
• SC Magazine UK - 2009 Winner - "Best Identity Management Solution" [18]
• eWeek "Product to Watch Award" 2009
• SC Magazine UK - 2010 Winner - "Best Identity Management Solution" [19]

Partners
• Microsoft - Identity Lifecycle Management Partner [20]
• Imprivata - Technology Partner [21]
• Unisys - Security Partner [22]
• RSA Security - The Security Division of EMC - Strategic Alliance [23]
• EMC Corporation - Member of EMC Select Program [24]
• Cyber-Ark - Technology Partner [25]

Events
CONVERGE 2011 - May 15-18, 2011 - Las Vegas, NV [26]

References
[1] Courion Surpasses 9 Million User Licenses Worldwide - Press Release - Jun 16, 2009 - http://www.reuters.com/article/pressRelease/idUS128719+16-Jun-2009+PRN20090616
[2] Courion Positioned in Leaders Quadrant for User Provisioning - Sep 4, 2008 - http://www.reuters.com/article/pressRelease/idUS173581+04-Sep-2008+PRN20080904
[3] Courion Recognized by Burton Group as 'Short List' Vendor in 2009 User Provisioning Report - Feb 4, 2009 - http://www.reuters.com/article/pressRelease/idUS159710+04-Feb-2009+PRN20090204
[4] Courion Secures $4.1 million in First Round Funding - Nov 28, 1999 - http://www.highbeam.com/doc/1G1-54609216.html
[5] Courion Secures $13.2 Million in Second Round Funding - Nov 8, 2000 - http://www.highbeam.com/doc/1G1-67371603.html
[6] Courion Secures $9 Million in New Funding - Jan 28, 2003 - http://findarticles.com/p/articles/mi_m0EIN/is_2003_Jan_28/ai_96948778/
[7] Courion Secures $5 Million In New Funding Led By Paladin Capital Group's Homeland Security Fund - May 11, 2004 - http://www.paladincapgroup.com/portal/index.php?option=com_content&task=view&id=6&Itemid=2
[8] Courion Secures $5 Million in New Funding - Nov 8, 2004 - http://findarticles.com/p/articles/mi_m0EIN/is_2004_Nov_8/ai_n6334820/
[9] Courion Expands Global Operations with India Technology Center - Press Release - Jun 17, 2009 - http://www.courion.com/company/press_release.html?id=156
[10] CXOtoday.com - Courion Expands Global Operations with ITC - http://www.cxotoday.com/India/News/Courion_Expands_Global_Operations_with_ITC/551-103277-908.html
[11] Network Products Guide - 2010 Award Winners Announced - http://www.networkproductsguide.com/innovations/2010/Courion-Corporation.html; Courion Relocates Corporate Headquarters to Westborough, Mass. - Aug 21, 2009 - http://www.bizjournals.com/boston/prnewswire/press_releases/Massachusetts/2009/08/21/NE64450
[12] Network World - Access Assurance Suite solution version 8.0 released - http://www.networkworld.com/newsletters/dir/2010/071910id2.html?hpg1=bn
[13] Bloomberg Business Week - http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=27126
[14] Gartner - 2009 Leader, Magic Quadrant for User Provisioning - http://www.gartner.com/technology/media-products/reprints/ca/article4/article4.html
[15] Gartner - Leader, Magic Quadrant for User Provisioning
[16] Burton Group - 2009 'Short List' Vendor, User Provisioning - http://www.redorbit.com/news/technology/1633923/courion_recognized_by_burton_group_as_short_list_vendor_in/
[17] 2009 Network Products Guide Innovation Award - http://www.networkproductsguide.com/innovations/
[18] SC Magazine - 2009 Award Winners Announced - By Dan Raywood - http://www.scmagazineuk.com/SC-Magazine-Awards-Europe-2009--winners-announced/article/131554/
[19] SC Magazine - 2010 Award Winners Announced - http://www.scmagazineuk.com/sc-magazine-awards-europe-2010--winners-announced/article/168778/
[20] Identity Lifecycle Management Partner - http://www.microsoft.com/windowsserver2003/technologies/idm/ilm_partners.mspx
[21] Technology Partner - http://www.imprivata.com/partners/technology.php
[22] Security Partner - http://www.unisys.com/about__unisys/partners/alphabetical__listing/courion.htm
[23] Strategic Alliance - http://www.rsa.com/press_release.aspx?id=1457
[24] Member of EMC Select Program - http://www.emc.com/products/emc-select/security.htm
[25] Cyber-Ark and Courion partner - By Neil Macehiter - Oct 9, 2006 - http://www.ebizq.net/blogs/softwareinfrastructure/2006/10/cyberark_and_courion_partner_1.php
[26] CONVERGE 2011 - http://converge.courion.com/

Forefront Identity Manager

Microsoft Forefront Identity Manager
Developer(s): Microsoft
Initial release: 2010
Operating system: Windows Server 2008
Platform: x86-64
Type: Identity management
License: Shareware
Website: /forefront/identitymanager [1]

Microsoft Forefront Identity Manager (FIM) is a state-based identity management software product, designed to manage users' digital identities, credentials and groupings throughout the lifecycle of their membership of an enterprise computer system. FIM integrates with Active Directory and Exchange Server to provide identity synchronization, certificate management, user password resets and user provisioning from a single interface. Part of the Microsoft Identity and Access Management platform product line, FIM superseded Microsoft Identity Lifecycle Manager (ILM)[2], and was known as ILM 2 during development. ILM 2007 was created by merging Microsoft Identity Integration Server 2003 (MIIS) and Certificate Lifecycle Manager (CLM).

FIM 2010 utilises Windows Workflow Foundation concepts, using transactional workflows to manage and propagate changes to a user's state-based identity. This is in contrast to most of the transaction-based competing products that do not have a state-based element. Administrators can not only create workflows with the web-based GUI of the ILM 2 portal but also include more complex workflows designed outside of the portal by importing XOML files [3].

Codeless Provisioning

Forefront Identity Manager introduces the concept of "codeless provisioning" [4], which allows administrators to create objects in any connected data source without writing any code in one of the .NET framework languages. The codeless provisioning provided in ILM 2 should be able to sustain most of the simple to medium complexity scenarios for account lifecycle management. ILM 2 fully honors existing MIIS implementations and supports "traditional" coded provisioning side-by-side with code-less provisioning methods.

External links
• Official website [5]
• Certificate Lifecycle Manager Overview [6]
• FIM Resources on the Microsoft TechNet Wiki [7]
• FIM Best Practices Volume 1: Introduction, Architecture and Installation of Forefront Identity Manager 2010 [8]

References
[1] http://www.microsoft.com/forefront/identitymanager
[2] "FIM 2010 RTM Announcement" (http://blogs.technet.com/forefront/archive/2010/03/02/rsa-conference-2010-identity-at-the-forefront.aspx). Microsoft Corporation.
[3] "ILM "2" Glossary" (http://technet.microsoft.com/en-us/library/cc561128.aspx). Microsoft Corporation.
[4] "Build a Single-Step Provisioning Workflow" (http://technet.microsoft.com/en-us/magazine/2007.05.aspx). Aung Oo. Microsoft Corporation.
[5] http://www.microsoft.com/forefront/identitymanager/
[6] http://msdn.microsoft.com/en-us/library/bb468065(VS.85).aspx
[7] http://social.technet.microsoft.com/wiki/contents/articles/current-forefront-identity-manager-resources.aspx
[8] http://www.identitychaos.com/2010/08/fim-best-practices-volume-1.html

FreeIPA

FreeIPA
Developer(s): Red Hat
Stable release: 2.0.1 / 2 May 2011
Operating system: Linux / Unix
Type: Identity management
License: GNU General Public License
Website: www.freeipa.org [1]

FreeIPA is a Red Hat sponsored open source project which aims to provide an easily managed Identity, Policy and Audit (IPA) suite primarily targeted towards networks of Linux and Unix computers. FreeIPA can be compared to Novell's Identity Manager or Microsoft's Active Directory in that the goals and mechanisms used are similar. While each of the major components of FreeIPA is a pre-existing open source project, it is the bundling of these components into a single manageable suite that makes FreeIPA more comparable to its proprietary software cousins, Identity Manager and Active Directory. FreeIPA currently uses 389 Directory Server for its LDAP implementation and MIT's Kerberos 5 for authentication and single sign-on. This year FreeRADIUS and Samba are also to be included in the FreeIPA solution. FreeIPA aims to provide support not just for Linux and Unix based computers but ultimately Microsoft Windows and Apple Macintosh computers also.

External links
• Official website [1]

References
[1] http://www.freeipa.org/

Hitachi ID Systems

Hitachi ID Systems, Inc.
Industry: Software
Predecessor: M-Tech Information Technology, Inc.
Founded: Canada (1992)
Headquarters: Calgary, Canada
Area served: Worldwide
Key people: Gideon Shoham (CEO), Masato Saito (CSO), Idan Shoham (CTO)
Products: Identity Manager, Password Manager, Privileged Password Manager, Access Certifier, Group Manager, Org Manager, Login Manager, Telephone Password Manager
Owner(s): Hitachi
Employees: 140 (2009)
Parent: Hitachi Data Systems
Website: http://www.hitachi-id.com/

Hitachi ID Systems, Inc., formerly M-Tech Information Technology, is a leading publisher of identity management software. Hitachi ID products help organizations strengthen network security, lower IT support costs and improve user productivity. Hitachi ID customers achieve these results by implementing automation and self-service processes to more effectively manage passwords and other authentication factors, to provision and deactivate user access and to manage user privileges. Hitachi ID products have been deployed at over 700 organizations worldwide.

Product categories

Hitachi ID makes software in the following categories:
• User provisioning
• Password management
• Governance and regulatory compliance (GRC)
• Enterprise single sign-on
• Privileged password management

External links
• Official website [1]

References
[1] http://hitachi-id.com/

IBM Tivoli Access Manager

IBM Tivoli Access Manager is an authentication and authorization solution for corporate web services, operating systems, and existing applications.[1] Tivoli Access Manager runs on various operating system platforms such as Unix (AIX, Solaris, HP-UX), Linux, and Microsoft Windows.

Tivoli Access Manager Family

Tivoli Access Manager is not a single product but rather a family of products that use the same core authorization and authentication engine:
• IBM Tivoli Access Manager for e-business (TAMeb)
• IBM Tivoli Access Manager for Operating Systems (TAMOS) - controls access to operating system resources
• IBM Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO)

Tivoli Access Manager for e-business

Tivoli Access Manager for e-business provides robust, policy-based security to a corporate Web environment. TAMeb provides authentication of users, control of access privileges, auditing, single sign-on, high availability, and logging.

Core Components

Tivoli Access Manager has two core components:
• A user registry.[2]
• An authorization service consisting of an authorization database and an authorization engine that performs the decision-making action on the request.[3]

A user registry and an authorization service are the fundamental building blocks upon which Access Manager provides its security service capabilities. All other Access Manager services and components are built upon this base foundation. Another component that is very close to the base components is called a resource manager. It is responsible for applying security policy to resources. The policy enforcer component directs the request to the authorization service for evaluation.[4] Based on the authorization service result (approval or denial), the resource manager allows or denies access to the protected resources. Access Manager authorization decisions are based upon the Privilege Attribute Certificate (PAC), which is created for each user authenticated in an Access Manager environment, regardless of the authentication mechanism used.

References
[1] http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc/am61_admin18.htm#choverview
[2] http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc/am61_admin28.htm#wq34
[3] http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc/am61_admin32.htm#wq70
[4] http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc/am61_admin65.htm#i1045612

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager, also known as TIM, is an identity lifecycle management product from IBM. It can automatically create, manage, and delete user access to various system resources such as files, servers, applications, and more based on job roles or requests. TIM provides centralized identity lifecycle management.

IBM acquired Access360 in 2002[1] and rebranded their enRole product as TIM 4.4. All later versions of the product are built off this code base. TIM 4.1 was released in September 2003. TIM 4.6 was released in July 2005. TIM 5.0 was released in December 2007.[2] The latest release of TIM, 5.1, was released in June 2009.[3] IBM targeted the SMB identity management market in 2006 with the release of IBM Tivoli Identity Manager Express.[4]

References
[1] http://www.theregister.co.uk/2002/09/04/ibm_acquires_access360_for_identity/
[2] http://www.infoworld.com/article/07/12/12/IBM-ships-Tivoli-update_1.html
[3] http://blog.internetnews.com/skerner/2009/06/ibm-updates-tivoli-identity-ma.html
[4] http://whitepapers.zdnet.com/abstract.aspx?docid=292592

Imprivata

Imprivata is an IT security company based in Lexington, Massachusetts. Founded in 2002, Imprivata manufactures and sells the OneSign Platform for securing employee access to desktops, networks and applications. Imprivata draws customers primarily from the healthcare, financial services and government verticals, as well as the energy/utilities, retail and telecommunications industries. As of 2009, Imprivata has over 1,000 clients and offices in the U.S., the United Kingdom, Belgium, Italy, Germany and Singapore, and its 200 value-added reseller partners worldwide. Imprivata is privately held with venture funding from Polaris Venture Partners, Highland Capital Partners, General Catalyst Partners and SAP Ventures.

History

Imprivata was founded by entrepreneurs who had developed identity management technology while working at Polaroid Corporation's small business incubator. Imprivata shipped its first product, the OneSign Enterprise Single Sign-On appliance, in 2004. In 2005, Imprivata expanded its infrastructure to Europe, Africa and the Middle East, and introduced OneSign 3.0, an upgraded product that increased extensibility and expanded its strong authentication management capabilities to include physical access cards, smart cards, One-Time-Password tokens, ID cards, proximity cards, etc., in addition to the finger biometric support already offered in the initial platform offering.[1] In 2006 Imprivata founder David Ting was selected by InfoWorld as one of the top 25 CTOs of the year. In 2009, Imprivata acquired the assets of IdentiPHI, a manufacturer and reseller of biometric solutions, including the SAFsolution product line.[2]

Technology

Imprivata's flagship product, Imprivata OneSign, is an appliance that helps companies manage user access and authentication. Product reviews suggest that the OneSign platform provides a single framework that allows companies to streamline application access by enabling all enterprise applications for single sign-on without requiring custom scripting or modifications to existing directories.[3] OneSign can also strengthen user authentication to desktops and networks by replacing passwords with a range of authentication options that include finger biometrics, proximity cards, smart cards, One-Time Password tokens, many national and government ID cards, and an employee's physical location.[4] Product reviews also comment on OneSign's ability to simplify compliance reporting by consolidating the employee strong authentication and application access events in a single database.[5]

References
[1] InfoWorld, "InfoWorld CTO 25," June 5, 2006.
[2] Security Systems News, Samuel Pfeifle, "Imprivata picks up IdentiPHI assets", April 9, 2009.
[3] SC Magazine, Peter Stephenson, "Imprivata OneSign," February 1, 2009.
[4] Channel Web (CRN.com), Michele Masterson, "Imprivata Targets Verticals with Single Sign-On," August 26, 2009.
[5] http://www.imprivata.…

External links
• Corporate Website (http://www.imprivata.com/)
• "Sign of the Times" – a FedTech article about SSO and federal healthcare providers (http://fedtechmagazine.com/article.asp?item_id=573)
• Gartner press release containing predictions about trends in Identity and Access Management (http://www.gartner.com/it/page.jsp?id=911212)
• Trends in Enterprise Identity and Access Management – a SearchSecurity.com article (http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1319773,00.html)
• Article about Imprivata Named A CRN TOP 25 Coolest Emerging Vendor (http://www.dataunit.be/shop/news/cms/1b4cae8ff354701c5e313f5a98860271/newsid/18)

Microsoft Identity Integration Server

Microsoft Identity Integration Server (MIIS) is an identity management (IdM) product offered by Microsoft. It is a service that aggregates identity-related information from multiple data sources. The goal of MIIS is to provide organizations with a unified view of a user's or resource's identity across the heterogeneous enterprise and to provide methods to automate routine tasks.

MIIS manages information by retrieving identity information from the connected data sources and storing the information in the connector space as connector space objects, or CSEntry objects. The CSEntry objects are then mapped to entries in the metaverse called metaverse objects, or MVEntry objects. This architecture allows data from dissimilar connected data sources to be mapped to the same MVEntry object.[1] For example, through the metaverse an organization's e-mail system can be linked to its human resources database, to the organization's PBX system, and to any other data repository containing relevant user information. Each employee's attributes from the e-mail system and the human resources database are imported into the connector space through respective management agents. The e-mail system can then link to individual attributes from the employee entry, such as the employee telephone number. If an employee's telephone number changes, the new telephone number will automatically be propagated to the e-mail system. One of the goals of identity management is to establish and support an authoritative source of information for every known attribute and to preserve data integrity according to predetermined business rules.

On the IdM market MIIS stands out by implementing a state-based architecture; the majority of competitors offer transaction-based products. Because of this approach, MIIS requires no software, drivers, agents or shims to be installed on the target system. All back-end data is stored in Microsoft SQL Server.

Extensibility

The product is extensible through the use of the .NET framework, which allows developers and network administrators to extend out-of-the-box capabilities and perform complex tasks.

History

MIIS has its origins in two Canadian companies' products: Linkage Software's metadirectory product LinkAge Directory Exchange (LDE), which Microsoft acquired on June 30, 1997,[2] and Zoomit Corporation's metadirectory product, Via, which Microsoft acquired on July 7, 1999.[3] LDE was strongly e-mail system oriented, but traces of it and its field mapping technology remain through MIIS 2003. After acquiring Zoomit Via, Microsoft renamed it to MMS (Microsoft Metadirectory Services) and offered this product for free.

Microsoft Identity Integration Server 2003 was completely re-written from the ground up. No original Zoomit Via code was moved into MIIS; however, Microsoft preserved the methodology and original idea of the Via product. With this upgrade Microsoft did not offer a migration path from MMS to MIIS due to the significant differences in the products; however, they strongly encourage customers to hire Microsoft Consulting Services to install and configure the product. MIIS 2003 no longer uses ZScript (the proprietary scripting language of Zoomit Via); instead it offered .NET framework support. Currently Service Pack 2 is available for MIIS 2003. IIFP is a slimmed-down version of MIIS that is limited to synchronization between AD, ADAM, and Exchange datastores.[4]

MIIS 2003 was recently (Fall 2007) incorporated into a new offering called Identity Lifecycle Manager 2007. Identity Lifecycle Manager 2007 includes not only the original MIIS 2003 product, but also a component called Certificate Lifecycle Manager (CLM) which is used to manage X.509 digital certificate and smart card issuance. This product was announced at the RSA Conference in February 2007 and made available to customers in May 2007.

Versions
• Zoomit Via (pre 1999)
• Microsoft Metadirectory Server [MMS] (1999–2003)
• Microsoft Identity Integration Server 2003 Enterprise Edition [MIIS] (Current)
• Microsoft Identity Integration Server 2003 Feature Pack [IIFP] (Current)
• Microsoft Identity Lifecycle Manager Server 2007 [ILM] (Current)
• Microsoft Forefront Identity Manager 2010 [FIM] [CR0] [April 2009]

Future Developments

Future releases of MIIS/ILM are expected to be x64 only, with x86 support expected to be dropped, following suit of Exchange Server. A public Release Candidate (RC) version of Identity Lifecycle Manager "2" is available now (December 2008).[5] Microsoft SQL Server 2008 is a new back-end dependency of ILM "2".

Supported Data Sources

MIIS 2003, Enterprise Edition, includes support for a wide variety of identity repositories, including the following.
• Network operating systems and directory services: Microsoft Windows NT, Active Directory, Active Directory Application Mode, IBM Directory Server, Novell eDirectory,[6] Resource Access Control Facility (RACF), SunONE/iPlanet Directory, X.500 systems and other network directory products
• E-mail: Lotus Notes and IBM Lotus Domino, Microsoft Exchange 5.5, Windows Live ID/Hotmail
• Application: PeopleSoft, SAP AG products, ERP1, telephone switches (PBX), XML- and Directory Service Markup Language (DSML)-based systems
• Database: Microsoft SQL Server, Oracle RDBMS, IBM Informix, dBase, IBM UniData, IBM DB2
• File-based: DSMLv2, LDIF, comma-separated values (CSV), delimited, fixed width, attribute value pairs
• Other: MIIS provides developers with a well-defined framework to create additional management agents (in any .NET framework language currently available on the market) for systems that are not supported out of the box, such as OpenLDAP, MySQL etc. Microsoft itself as well as third-party vendors continue to provide a wide array of additional management agents.

Wishlist
• Whilst the product appears to support DSML, there is currently no out-of-the-box support for SPML version 1 or version 2. Standardization in the service provisioning space would benefit consumers and assist in avoiding costly lock-in to proprietary systems. To implement SPML or any other standard, see the Extensibility and XMA sections.

References
[1] "MIIS 2003 Overview" (http://technet.microsoft.com/en-us/library/cc708678(WS.10).aspx). Microsoft.
[2] "Microsoft Acquires LinkAge Software" (http://www.microsoft.com/presspass/press/1997/jun97/linkAgPr.mspx). Microsoft Corporation.
[3] "Microsoft Acquires Leading Developer of Meta-Directory Products" (http://www.microsoft.com/presspass/press/1999/Jul99/metadirPR.mspx). Microsoft Corporation.
[4] http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1848075&SiteID=17
[5] "Evaluate Microsoft Identity Lifecycle Manager "2" RC" (http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx). Microsoft.
[6] "Troubleshooting LDAP SSL connection issues between Microsoft ILM/MIIS & Novell eDirectory 8.7.3" (http://capitalhead.com/articles/troubleshooting-ldap-ssl-connection-issues-between-microsoft-ilmmiis--novell-edirectory-873.aspx).

External links
• Microsoft Identity Integration Server 2003 TechCenter page (http://www.microsoft.com/technet/miis/default.mspx)
• OpenLDAP Management Agent (http://sourceforge.net/projects/openldap-ma)
• MySQL Management Agent (http://miisexperts.org/DevVerse-MySQL.html)
• Troubleshooting LDAP SSL connection issues between Microsoft ILM/MIIS & Novell eDirectory 8.7.3 (http://capitalhead.com/articles/troubleshooting-ldap-ssl-connection-issues-between-microsoft-ilmmiis--novell-edirectory-873.aspx)
• Microsoft Identity Integration & Identity Lifecycle Management Server Users Group (http://tech.groups.yahoo.com/group/MMSUG/)

Community Supported Newsgroups
• TechNet > Identity Management > Identity Lifecycle Manager (http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/threads/)
• Microsoft: MIIS/IIFP (http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.metadirectory&cat=en_US_35e3cb62-d8f0-4e13-985e-3b927dfdcb49&lang=en&cr=US)

Novell Identity Manager

Novell Identity Manager
Developer(s): Novell
Initial release: July 24, 2000
Stable release: 4.0.1 / April 15, 2011
Operating system: Cross-platform
Type: Identity management
License: Proprietary
Website: [1]

Novell Identity Manager (aka IDM) is Novell's implementation of identity management software. Previously known as DirXML, the product utilizes XML-based configuration files to determine the product's implemented functions. IDM 3.6.1 was released June 4, 2009.

With synchronization capabilities out of the box, including various directories, databases, operating systems, phone systems and HR systems, IDM strives to ease the administrative efforts of large enterprises by preventing administrative effort duplication. While a large number of systems are supported out of the box, integration with other systems is possible through customized drivers and configurations.

The current release of Identity Manager also provides integration with Novell's Security Information and Event Management (SIEM) product called Novell Sentinel. Among other things, the integration lets Sentinel understand which of various users and roles are tied to a single person. This means that while a single person may have multiple usernames across various systems, they can all be tied back to one individual because IDM sends the relevant relationships to Sentinel.

Supported applications

IDM supports its own and a large number of third-party systems, including the following: Novell eDirectory, Microsoft Active Directory, Microsoft Windows NT, any LDAP-compliant directory, Oracle Database, MySQL, any JDBC-compliant database, Lotus Domino, Novell GroupWise, SAP HR and User Management, PeopleSoft, RACF, ACF2, NIS, SIF, SOAP, Avaya, and many others including various Unix and Linux user databases. For those supported systems, drivers and configuration files have been pre-built and made ready for user customization.

Documentation and Support

Documentation for IDM is available online at Novell's documentation website [2] for free. Various online forums are also available for free use on both Novell's [3] and others' websites. Searching these online forums for previously-resolved issues can speed up implementation and troubleshooting of new or existing drivers. A popular and fast way to do this searching, along with browsing previous forum posts, is through Google Groups. NNTP news readers such as Mozilla Thunderbird are also recommended to maintain offline searchable copies of forum posts.

Novell's partners [4] are a viable alternative to using Novell support directly and may be a more cost-effective method of receiving answers that were not found via the free channels. Novell also offers traditional pay-per-issue support options for its customers, along with a consulting option to completely implement a new system.

Implementation and administration

There are a number of ways to develop, configure, or reconfigure an IDM implementation. Using Novell's own iManager has been an option since IDM 2. This option appeals to many administrators because it only requires a computer with a web browser and network access to perform all tasks associated with IDM. Because the configuration files are XML-based, they can be imported and exported from anywhere in the world or edited directly in iManager's pages.

A newer method of administration, deployment and, especially, development is now available through a product known as Designer [5]. A free companion to IDM, Designer is written in Eclipse and runs on either a Linux or Windows workstation. Because it is a fat client, it does not need to be connected to any network to make changes to drivers, though it does need to deploy changes for them to take effect. Designer is made to speed up the process of deploying new drivers and modifying and testing existing drivers by removing the multiple-click requirement that comes with any web interface and offering quicker access to driver configuration settings. As of Designer 3.0, Designer also provides Subversion-based version control. This simplifies development of an IDM implementation in a team environment, and also provides access to a history of changes made to IDM objects.

Along with changing and deploying entire environments, Designer offers the added benefit of real-time testing of drivers before they are placed in production. An operation document can be fed into Designer and run through the driver's configuration and policies to see what will come out after the processing takes place. It is this output that would be used to make changes on either the eDirectory or application system. Because the test operation document is XML, just like the IDM configurations, the document can be easily viewed in a text editor or web browser before and after the simulation operation.

Further reading
• Weitzell, Steve; Lee Lowry; Richard Matheson; Perry Nuffer; Volker Scheuber (2006). Novell Identity Manager Administrator's Handbook. Novell Press. ISBN 978-0-672-32864-0.
• Kuo, Peter (2002). Novell's Guide to DirXML. Wiley. ISBN 978-0-7645-4919-9.

External links
• Novell Identity Manager home page [6]
• The Identity Management Challenge [7]
• Best Identity Manager - Infoworld 2006 [8]

References
[1] http://www.novell.com/products/identitymanager/
[2] http://www.novell.com/documentation/idm/
[3] http://forums.novell.com/
[4] http://www.novell.com/partners/
[5] http://www.novell.com/coolsolutions/dirxml/designer/
[6] http://www.novell.com/products/
[7] http://www.infoworld.com/article/05/10/07/41FEidm_1.html
[8] http://www.infoworld.com/article/06/01/02/72993_01FEtoyidm_1.html

OpenPTK

Project OpenPTK
Developer(s): Sun Microsystems
Type: Identity User Provisioning
License: CDDL
Website: http://www.openptk.org/ [1]

Project Open Provisioning ToolKit (OpenPTK) is an open source project started within Sun Microsystems, Inc., by Scott Fehrman, Derrick Harcey and Terry Sigle.

External links
• Project OpenPTK [2]
• Project OpenPTK (Java.net Project) [3]
• Project OpenPTK at Ohloh [4]
• Extending OpenPTK [5]

References
• Extending OpenPTK, the User Provisioning Toolkit, by Masoud Kalali [5]

References
[1] http://www.openptk.org/
[2] http://www.openptk.com/
[3] https://openptk.dev.java.net/
[4] http://www.ohloh.net/projects/8687
[5] http://today.java.net/pub/a/today/2008/03/27/extending-openptk-user-provisioning-toolkit.html

Optimal IdM

Optimal IdM
Type: Private
Industry: Computer software; Computer companies of the United States; Windows software; Identity management systems; Virtualization software
Founded: 2005
Founder(s): Lawrence Aucoin, John Maring
Headquarters: Land O'Lakes, Florida, United States
Key people: Lawrence Aucoin (Managing Partner), John Maring (Managing Partner), Michael Brengs (Managing Partner), Nada Jumpter (Chief Software Architect)
Products: Virtual Identity Server (VIS), the .NET Virtual Directory
Services: Identity management
Website: www.optimalidm.com

Optimal IdM, LLC [1] is an American company that provides global enterprise computer software for identity management related solutions. Founded in 2005, Optimal IdM is best known for quickly becoming the industry leader in the virtual directory market by pioneering new features such as:
• Virtual Groups (Virtual Auto, Virtual Static, Virtual Dynamic and Virtual Claim Groups)
• Virtual LDAP Schemas
• Comprehensive Audit Logging
• Comprehensive Microsoft integrations such as with SharePoint, ADFS & UAG

Optimal IdM's customers include Fortune 1000 companies, as well as Federal, State and Local Government agencies in more than 12 countries on 4 continents. Headquartered in Land O'Lakes, Florida, United States, Optimal IdM provides sales and services through regional offices across the United States and a growing network of resellers and distributors. Optimal IdM is a private LLC which has been profitable in every quarter since inception and has never taken any outside investment money.

Virtual Identity Server (VIS)

Optimal IdM's flagship product, the Virtual Identity Server (VIS), is a 100% Microsoft .NET LDAP virtual directory and is the only virtual directory of its kind that is certified on both Windows Server 2003 and Windows Server 2008. The Virtual Identity Server provides LDAP-enabled applications with a single consolidated/joined view of multiple data stores, such as Active Directory or other LDAP data stores as well as SQL and Oracle databases. This enables LDAP applications to access users and groups from multiple sources.

History

2005
In 2005, Optimal IdM was founded by two American identity management experts, Larry Aucoin and John Maring, as Managing Partners [2]. The company initially started as an expert-level consulting services organization specializing in identity management related deployment services.

2006
Although Optimal IdM started as a consulting services organization, software development was underway during the early stages in what has now produced their flagship product, Virtual Identity Server (VIS). Within the first year, version 1.0 of the Virtual Identity Server (VIS) software product was released to internal existing customers. In September 2006, version 2.0 of VIS was released to the world. At that time, and still to this day, the VIS solution was the first and only virtual directory on the market to be built entirely in the Microsoft .NET Framework.

2007-2009
In 2007, a key third Managing Partner was added, Mike Brengs [3]. All three partners previously worked together at Oracle, Oblix and OpenNetwork Technologies [4], where they became known as leaders in the identity management and SSO industries. Also in 2008, Nada Jumper joined the team in running the software development efforts and was appointed Chief Software Architect[5]. At the Directory Experts Conference (now known as The Experts Conference) in March 2008 in Chicago, IL, VIS for SharePoint was released, which was the first virtual directory to market to include a deep integration with SharePoint.

2010-Present
In August 2010, another major release of the Virtual Identity Server (VIS) software product was released. This release not only supported the very latest Microsoft .NET Framework 4.0, but also was delivered on both 32-bit and 64-bit Windows Server platforms. In March 2011, VIS Federation Services, another key Microsoft integration point, was released.

References
[1] http://www.optimalidm.com/
[2] http://www.optimalidm.com/pdf/PressRelease_20060320-001.pdf
[3] http://www.optimalidm.com/aboutus/ManagementTeam.aspx
[4] http://news.techworld.com/applications/3375/bmc-buys-opennetwork-for-18-million/
[5] http://www.optimalidm.com/pdf/PressRelease_20060918-001.pdf

External links
• Official Website of Optimal IdM (http://www.optimalidm.com/)

Password synchronization

Password synchronization is defined as any process or technology that helps users to maintain a single password that is subject to a single security policy, and changes on a single schedule across multiple systems. It is a type of identity management software and is considered easier to implement than enterprise single sign-on (SSO), as there is no client software deployment, and user enrollment can be automated.

Uses

Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:
• Users with synchronized passwords tend to remember their passwords.
• Users with just one or two passwords are much less likely to write down their passwords.
• Simpler password management means that users make significantly fewer password-related calls to the help desk.

Types

Two types of password synchronization processes are commonly available in commercial software:
• Transparent password synchronization, triggered by a password change on an existing system. The new password is automatically forwarded to other user objects that belong to the same user, on other systems (of the same or different types).
• Web-based password synchronization, initiated by the user with a web browser, in place of the existing native password change process. The web-based process allows the user to set multiple passwords at once.

The best form of password synchronization is one that securely synchronizes only the stored representations of the original passwords, i.e. not by sharing the clear text password itself. For this, both parties must share the same password storage and verification scheme. Therefore, this feature is typically only found in proprietary forms where the password scheme is controlled by a single vendor on both ends. As standards for password storage evolve, however, password synchronization between vendors may begin to utilize this third and more secure synchronization type.

Security

Some (in particular those who sell single sign-on systems) claim that password synchronization is less secure than single sign-on, since compromise of one password means compromise of all. The counter-argument is that, with single sign-on, compromise of the primary password (from which an encryption key is derived and used to protect all other, stored passwords) also compromises all, so the security of password synchronization and single sign-on is similar: both systems depend strongly on the security of a single password. Regardless of such academic arguments, that password must be well defended.
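The transparent synchronization path and the "stored representation only" variant described above, modelled in Python as an added example (not code from the original page): three hypothetical user stores, two sharing a PBKDF2-SHA256 storage scheme and one using a different scheme. A password change on the source store is propagated hash-only where the scheme matches and has to fall back to clear text where it does not, which is exactly why the hash-only form needs both ends to share a scheme. The store names, the policy rule and the self-describing "scheme$iterations$salt$hash" representation are assumptions.

```python
"""Transparent password synchronization, modelled (added example, not from the page).

Assumptions: three hypothetical user stores (AD, LDAP, Legacy), a stored
representation "scheme$iterations$salt$hash", and a constructed policy.
"""
import hashlib
import hmac
import os

DIGEST = {"pbkdf2-sha256": "sha256", "pbkdf2-sha1": "sha1"}


def make_hash(password, scheme, iterations=100_000, salt=None):
    """Salted PBKDF2 stored representation in a self-describing format."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(DIGEST[scheme], password.encode(), salt, iterations)
    return f"{scheme}${iterations}${salt.hex()}${dk.hex()}"


def check_hash(password, stored):
    """Verify a password against a stored representation (constant-time compare)."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(DIGEST[scheme], password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


class Store:
    """One system holding user objects; only hashes are ever kept."""

    def __init__(self, name, scheme):
        self.name, self.scheme, self.accounts = name, scheme, {}

    def set_password(self, login, password):
        # Clear-text path: the store hashes the password under its own scheme.
        self.accounts[login] = make_hash(password, self.scheme)

    def import_hash(self, login, stored):
        # Hash-only path: only possible when the representation uses this
        # store's own scheme, because the store must be able to verify it later.
        if not stored.startswith(self.scheme + "$"):
            return False
        self.accounts[login] = stored
        return True

    def verify(self, login, password):
        stored = self.accounts.get(login)
        return stored is not None and check_hash(password, stored)


def password_meets_policy(password):
    """The single policy all synchronized systems share (constructed rule)."""
    return (len(password) >= 12
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def transparent_sync(source, targets, login, new_password):
    """A password change on `source` is forwarded to the user's other objects.

    Returns None if the policy rejects the change (nothing is propagated),
    otherwise a dict target-name -> "hash" (stored representation synced) or
    "cleartext" (scheme mismatch, so the clear text had to be shared).
    """
    if not password_meets_policy(new_password):
        return None
    source.set_password(login, new_password)
    stored = source.accounts[login]
    outcome = {}
    for target in targets:
        if target.import_hash(login, stored):
            outcome[target.name] = "hash"
        else:
            target.set_password(login, new_password)
            outcome[target.name] = "cleartext"
    return outcome


if __name__ == "__main__":
    ad = Store("AD", "pbkdf2-sha256")
    ldap = Store("LDAP", "pbkdf2-sha256")
    legacy = Store("Legacy", "pbkdf2-sha1")
    print(transparent_sync(ad, [ldap, legacy], "jdoe", "Correct-Horse-9"))
    # {'LDAP': 'hash', 'Legacy': 'cleartext'}
```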

External links
• Password Management Project Roadmap [1]: vendor-neutral white paper about how to run a project to deploy this type of software

References
[1] http://password-manager.hitachi-id.com/docs/password-management-project-roadmap.html

Self-service password reset

Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability. There are many software products available to allow employees to self-reset passwords.

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a password notification e-mail or, less often, by providing a biometric sample. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact," and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims that he has forgotten his password, and asks for a new password.

Vulnerability

On the other hand, self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities,[1] [2] since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most readily obtained.

In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband.[3] This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems.

This vulnerability is not strictly due to self-service password reset; it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

Preference-based Authentication

Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset.[4] [5] The underlying insights are that preferences are stable over a long period of time[6] and are not publicly recorded. Their approach includes two phases: setup and authentication. During the setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, a user is asked to classify his preferences (like or dislike) for the selected items displayed to him in a random order. They evaluated the security of their approach by user experiments, user emulations, and attacker simulations. See [7] for a live system.

The vouching option

In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users.[8] [9] In this scenario, the user who forgot his password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for the user's identity. In this scenario, the problem changes from one of authenticating the user who forgot his password to one of understanding which users should have the ability to vouch for which other users.

Accessibility

A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, a user must launch a web browser to fix his problem, but the user cannot log into his workstation until the problem is solved. There are various approaches to addressing this Catch-22, all of which are compromises (e.g., desktop software deployment, a domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.).

There are two additional problems related to the one of locked-out users:
• Mobile users, physically away from the corporate network, who forgot their PC's login password.
• Passwords cached by the operating system or browser, which might continue to be offered to servers after a password change that was initiated on another computer (help desk, password management web server, etc.) and therefore trigger an intruder lockout.

References
[1] Griffith, Virgil; Jakobsson, Markus. "Messin' with Texas, Deriving Mother's Maiden Names Using Public Records".
[2] Rabkin, Ariel. "Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook." (http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf).
[3] http://news.yahoo.com/s/ap/20080918/ap_on_el_pr/palin_hacked
[4] Jakobsson, Markus et al. "Love and Authentication" (http://www.ravenwhite.com/files/chi08JSWY.pdf).
[5] Jakobsson, Markus et al. "Quantifying the Security of Preference-based Authentication" (http://www.cs.stevens.edu/~lyang/lyangpage/dim20-yang.pdf).
[6] Crawford, Duane et al. (1986). "The Stability of Leisure Preferences". Journal of Leisure Research 18.
[7] http://www.blue-moon-authentication.com
[8] Finetti, Mario. "Self service password reset in large organisations" (http://www.scmagazineuk.com/Self-service-password-reset-in-large-organisations/article/128175/).
[9] RSA Laboratories. "Fourth-factor authentication: somebody you know" (http://doi.acm.org/10.1145/1180405.1180427); CryptoBytes Winter 2007 (http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf).
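A simplified model of the two preference-based phases described above (setup, then classification of the enrolled items shown in random order), added here as an example rather than the authors' implementation; the candidate items, the challenge size and the one-mismatch tolerance are assumptions. The last function quantifies the page's security concern for an attacker who knows nothing about the user and guesses like/dislike at random; an attacker who has profiled the user would do better, which is why the scheme relies on preferences not being publicly recorded.

```python
"""Preference-based authentication for password reset, simplified model
(added example; not the published system). Items and parameters are constructed."""
import math
import random
from typing import Dict, List

# Constructed candidate set: category -> items the user may like or dislike.
CANDIDATES = {
    "music": ["jazz", "opera", "metal", "country", "hip hop", "folk"],
    "food": ["sushi", "cilantro", "liver", "blue cheese", "olives", "durian"],
    "activities": ["camping", "karaoke", "chess", "gardening", "running", "knitting"],
}


class PreferenceAuthenticator:
    def __init__(self, items_per_category=4, challenge_size=8, max_mismatches=1, rng=None):
        self.rng = rng or random.Random()
        self.items_per_category = items_per_category
        self.challenge_size = challenge_size
        self.max_mismatches = max_mismatches      # tolerance for drifted/forgotten preferences
        self.profiles: Dict[str, Dict[str, bool]] = {}

    def setup_items(self) -> List[str]:
        """Setup phase: draw items from each category and present them in random order."""
        chosen: List[str] = []
        for items in CANDIDATES.values():
            chosen.extend(self.rng.sample(items, self.items_per_category))
        self.rng.shuffle(chosen)
        return chosen

    def enroll(self, login: str, likes: Dict[str, bool]) -> None:
        """Store the user's classification: True = like, False = dislike."""
        self.profiles[login] = dict(likes)

    def challenge(self, login: str) -> List[str]:
        """Authentication phase: a random-order subset of the enrolled items."""
        items = list(self.profiles[login])
        return self.rng.sample(items, min(self.challenge_size, len(items)))

    def authenticate(self, login: str, challenge_items: List[str],
                     answers: Dict[str, bool]) -> bool:
        """Pass only if every challenged item is answered and at most
        `max_mismatches` answers differ from the enrolled preferences."""
        profile = self.profiles.get(login)
        if profile is None or set(answers) != set(challenge_items):
            return False
        mismatches = sum(1 for item in challenge_items if answers[item] != profile[item])
        return mismatches <= self.max_mismatches


def guess_success_probability(n: int, max_mismatches: int) -> float:
    """Chance that a random like/dislike guesser passes an n-item challenge:
    mismatches are Binomial(n, 1/2), so P = sum_{i<=m} C(n, i) / 2^n."""
    passing = sum(math.comb(n, i) for i in range(max_mismatches + 1))
    return passing / 2 ** n
```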

scmagazineuk.Self-service password reset 151 External links • Ariel Rabkin. (http://cups.pdf)" SOUPS 2008.cmu.com/ Self-service-password-reset-in-large-organisations/article/128175/) on password reset procedures based on vouching . • Self service password reset in large organisations (http://www. " Personal knowledge questions for fallback authentication: Security questions in the era of Facebook.edu/soups/2008/proceedings/p13Rabkin.cs.

BenRG. Alansohn. Abe Lincoln. BMaurer. Thorham. Can't sleep. Ligulem. Y. La goutte de pluie. KremeChoco. Xeno. Dcflyer. David spector. Pnm. Traumrune. Teryx. Oren0. 1199 anonymous edits Central Authentication Service  Source: http://en. Kku. Trausch. Visor. Geekdiva.wikipedia. EncMstr. Master Deusoma. Plop. Rifleman 82. Cjkporter. Maurice Carbonaro. Blair P.wikipedia. John of Reading. FrenchIsAwesome.

Nurg. Nww mag. Metavalent. II MusLiM HyBRiD II.php?oldid=423659052  Contributors: Avever. WikiAuggie. Dmccreary. Emufarmers. Coffee and TV.lt. Cvrcek.wikipedia. ScottMainwaring. Chowbok.org/w/index.org/w/index. JohnnyMrNinja.org/w/index. Thaddeus Slamp.wikipedia. GoldKanga. Malcolma. SpaceFlight89. Jayjg. Ff1959. Ultravsar. PoliticalJunkie. RHaworth. Eggyknap. Chowbok. CaribDigita. Skysmith. 4 anonymous edits Federated identity  Source: http://en. 34 anonymous edits 153 . Paul Panther. Rhoerbe.org/w/index. Blowdart. Rhoerbe.php?oldid=414875799  Contributors: Dawn Bard. Timber Skido. Discospinster. Nealmcb. Diningphil. Gary King. 65 anonymous edits Directory information tree  Source: http://en. Pnm. Icairns. Id babe. Werner valimo.wikipedia. 68 anonymous edits Digital identity  Source: http://en.royer. Elonka. JForget. Life of Riley. Leotohill. Ptrevithick. EdJones. Retired username. Eeera. Pnm. Versageek. PingFed.Article Sources and Contributors Certification on demand  Source: http://en. Udrezner. Andrea Parton. Beland. Malcolma. 35 anonymous edits Scott Mitic  Source: http://en. Emre D.wikipedia. Joebigwheel. Rankrover. Daniserra. R'n'B. Boomshadow. Ceefour. Shenme. Mbjencyclopedia. Phatom87.org/w/index. Tintinobelisk. Dthomasmaddox. Techsplash. DasReboot. MarkWahl. Miym. 28 anonymous edits Federated identity management  Source: http://en.php?oldid=414711446  Contributors: 3family6. ClockworkSoul. Mindmatrix. Reedy. Porchcrop. Sprhodes. MEGAC1pher.wikipedia. Ida Shaw. Saramoore29. Flowanda. Kkcalvin. Daboz. Pnm. MrAsker. Vulture19. Mtg1977.org/w/index. Excirial. Toohool. Moonradar. Ed Poor. Neodop. Jonel. Lolo252. That Guy. Taotriad. Malcolma. Joanbrennan. CanadianLinuxUser.wikipedia. Epbr123. NaBUru38. Dancter. Pnm.org/w/index. Stephan Leeds.kris. Fetchcomms.php?oldid=429633556  Contributors: D6. Giorgio-1970. Mikemaccana. RattleMan. Woohookitty. Spiritia. Nealmcb.wikipedia. R'n'B. Darry2385. L33th4x0rguy. Joanbrennan. Kmangold. Beland. Jamie0117. 
Bearcat.php?oldid=422733747  Contributors: Accesstream.ک ککک ک ک ک‬anonymous edits ‫ک‬ Mobile Signature Roaming  Source: http://en. Acolovic. MarkusSchiltknecht. Nabeth.org/w/index.org/w/index. Finngall. Brady van Leenen.org/w/index.wikipedia.org/w/index. 1 anonymous edits Electronic authentication  Source: http://en. Magne. RHaworth. Cjkporter.php?oldid=422566209  Contributors: Abdel. Night of the Big Wind Turbo. Mojodaddy. Brossow.org/w/index. Nabeth. Alex Toth. Benyarb.org/w/index.arboit. Amilgate. MuffledThud. Momo54. SchfiftyThree. Nww mag. Ed Poor. SteinbDJ. B. Cacetudo. D6. Uncle G.wikipedia. Ridernyc. Orangemike. Jansegers. Mattisse. Dawnseeker2000. Jaycoh. Dak. Jay. EagleOne. ‫ 63 . CatherineMunro. Doctorindy.php?oldid=429633482  Contributors: Fvillavicencio. Fourthords. Lowellian..wikipedia.php?oldid=431407418  Contributors: 1manfern.php?oldid=406891755  Contributors: Berny. Elonka.php?oldid=363439876  Contributors: Fvillavicencio. Nono64.php?oldid=414875453  Contributors: =thomas. Jon207. Agateller. THB. Wwwwolf. Cander0000. Mojodaddy. Woohookitty.php?oldid=391815869  Contributors: Bearcat. J. JHunterJ. Stardust8212. Tuwase. Emj. Minnaert. PMDrive1061. Jrleighton. UnitedStatesian.php?oldid=429840879  Contributors: Atama. Lugnuts. Angrysusan. Richard Slater. Gmerritt. GoingBatty. Giraffedata. JLaTondre. MattOates.org/w/index. Leotohill. 4 anonymous edits Mobile signature  Source: http://en.wikipedia.org/w/index. Waggers. Frap.wikipedia.a. Neilc.wikipedia. CliffC. Fvillavicencio.php?oldid=429883211  Contributors: MauchoEagle. Strikerforce. Bsanders246. Louis Halpern. RJFJR. OlEnglish Future of Identity in the Information Society  Source: http://en.saleh.wikipedia. 3 anonymous edits Identity access management  Source: http://en. Pill. Dondegroovily. Beeblebrox. Id babe. Maurreen. Intgr. Theshadow27. Nicke L.php?oldid=425346844  Contributors: =thomas. Khaless. Pascal666.php?oldid=428274414  Contributors: Adrian. Curb Chain. Mbjencyclopedia. Blowdart. 
Barefootguru. Ryan Roos. Myraedison. Grafen. Paul Trevithick. IdentityGuy. Stevertigo. Welsh Identity change  Source: http://en. Jamelan. Standardsoflife. Gbrigand. Id babe. John of Reading. Wikidemon.wikipedia. Binksternet. Jom. Boleyn.org/w/index. Ruralhouse. Denis.lt. 15 anonymous edits Identity Management Theory  Source: http://en. Joy. Cbrehaut.php?oldid=429633265  Contributors: Asd. BD2412. Sacketty. Kellerpm. Crusio.org/w/index. Themfromspace.org/w/index.php?oldid=395004084  Contributors: Afowler. Wavelength. SJK. Pnm Liberty Alliance  Source: http://en. Seidenstud.wikipedia. Danieltellez. Malcolma.org/w/index. Longhair. Hoist2k.php?oldid=431066773  Contributors: Chruck. Pnm. CliffC. Joonasl. Joaquin.php?oldid=430303801  Contributors: David Gerard. The Thing That Should Not Be.wikipedia. Trjumpet. Corto. SteinbDJ. R'n'B. Razimantv. My-dfp. Intgr. MrWeeble. 15 anonymous edits Information Card Foundation  Source: http://en.wikipedia. Crashie. ArnoldReinhold.wikipedia. 2 anonymous edits Identity metasystem  Source: http://en. EagleOne. Dishayloo. Ewlyahoocom.wikipedia.org/w/index. RHaworth.org/w/index.php?oldid=419352455  Contributors: 1ForTheMoney. RxS. NeilN. KelleyCook. Alno. Paine Ellsworth. Pnm Online identity management  Source: http://en. Joseph Solis in Australia. SpaniardGR. Susanmorrow11.php?oldid=418281571  Contributors: Auntof6.php?oldid=428397787  Contributors: A.c. Reddi. NerdyNSK. YUL89YYZ. Kbrose. Mindmatrix. Mandarax. Rainglasz. Ghettoblaster. Rhoerbe. Gurch.wikipedia. Msoloviev. Pnm.wikipedia. Raywil.wikipedia. Ckatz. JLaTondre.php?oldid=415250039  Contributors: Bearcat. IdentityGuy. Zollerriia Identity Governance Framework  Source: http://en. Eschuck. Tregoweth. Cliff. Tohobbes. Jeff3000. Versageek.org/w/index. Lukejmorrison.. SatyrTN. Barek. Danlev. Bartdegraaff. Cacophony. Danlev.wikipedia. Rich Farmbrough. Malcolma. 2 anonymous edits Credential  Source: http://en. Pgan002. 7 anonymous edits Directory System Agent  Source: http://en. Atama. 
Drexell. Sevarine. EJNorman. Robchurch. Wireless friend. XandroZ. TastyPoutine.Rizzo. 16 anonymous edits Group (computing)  Source: http://en. MarkWahl. Rettetast. Paulmadsen. GOD. Pfaff9. Plogo. Plastikspork.wikipedia. Isilanes. Toutoune25.wikipedia. Linkspamremover. Vendettax. Icairns. Paxsimius. R'n'B. Malcolma. John Vandenberg.org/w/index.org/w/index. Longbowman. Rhoerbe Federated Naming Service  Source: http://en. Prokopenya Viktor. Edward. Mudman.php?oldid=427637844  Contributors: Andreas Kaufmann. 8 anonymous edits Information Card  Source: http://en. Gene. Materialscientist. Gardar Rurak. 2 anonymous edits Identity assurance  Source: http://en. Jacobisq.carroll. Jclemens. Barrere42. Schmloof. Mboverload. Jules. JHunterJ. Geneousgeneous. Edward. Michael Hardy. Dreamyshade. Valimo wikipedia Multi-master replication  Source: http://en. Shita. Nww mag. HowardBGolden. Rich Farmbrough Identity Assurance Framework  Source: http://en. Longhair. Wireless friend. CesarB. 1 anonymous edits Common Indexing Protocol  Source: http://en. EJNorman. Mat813. From That Show!. DRosenbach. Shred.italy Identity management system  Source: http://en. Imars. TraceyRoberts. EoGuy.org/w/index.php?oldid=413520330  Contributors: Lt WEASEL. Sinatra.wikipedia. Kdmitry.php?oldid=425347662  Contributors: Auntof6. Pgk. Pegship. Ian Young. Ohnoitsjamie. Cnd. Cliff.and.php?oldid=428151397  Contributors: Dawnseeker2000.org/w/index. Andreassolberg. Beland.php?oldid=381144552  Contributors: Btyner. Soumyasch. Abune. Nagika.php?oldid=362554831  Contributors: Andycjp. Sacketty. Pb30.org/w/index. Scriberius. Dancter. Rhoerbe. Blaxthos. Skychrono. Openiam. Pnm. Mbjencyclopedia. Salad Days. Tnxman307. Lightdarkness. B. Valimo wikipedia. Jules. CesarB. Fratrep. Charly Steinbeisser.org/w/index. Remuel. Reaper Eternal.wikipedia. RazvanCojocaru. Sarahmanners. Blink0gmailcom. Marcinjeske. Rich Farmbrough. DocendoDiscimus. FastLizard4. 14 anonymous edits Identity as a service  Source: http://en. 
Jaranda.php?oldid=317919793  Contributors: Auntof6. MarkWahl. Kuru. Chris83. Wikante. Crazycoders. Ohconfucius. CanisRufus. Soumyasch. Canley. Nyttend. Blowdart. ZimZalaBim. 39 anonymous edits Novell Storage Manager  Source: http://en. Kdz. Rjwilmsi. Nabeth. 11 anonymous edits Identity score  Source: http://en. Debresser. Esprqii. Pegship. Scientus. CliffC. JLaTondre. Brigitte9engel. Wavelength. 3 anonymous edits Mobile identity management  Source: http://en.wikipedia.php?oldid=410955640  Contributors: Cafreak. R'n'B.wikipedia. JLaTondre. Weaverluke. R'n'B. DrummondReed. Williamcoats. Valimo wikipedia. Beao. Woohookitty. Npaskin.php?oldid=406060135  Contributors: Epbr123. UBJ 43X. JonintheUK. Valimo wikipedia. Cometstyles. Nealmcb.wikipedia. Heron.carroll. Jlundell. Jkl. Bissinger. Pnm. Pjdhunt.org/w/index. L33th4x0rguy. SGGH. Nabeth.org/w/index.wikipedia. Pnm. Ghettoblaster. Faizanalivarya. Paulbrock. EagleOne. Nabeth. Gwernol. The Anome. Id babe. MarkWahl. Icairns. Jason Quinn. Luckyz. Cmh. Dekimasu. RTucker. Dawynn. Esrever. Insanity Incarnate. RHaworth.org/w/index. PingIdentity.wikipedia. Erianna. Katiaaltonen. Weaverluke. Maurice Carbonaro. Reedy. Sepa. Rich257.org/w/index. 9 anonymous edits Identity intelligence  Source: http://en. Jonathan de Boyne Pollard. Vardion. Sadads. EagleOne.org/w/index. The Thing That Should Not Be. Malcolma.

Johnuniq. 33 anonymous edits Forefront Identity Manager  Source: http://en.php?oldid=431329460  Contributors: BD2412. Purduegrad598. 7 anonymous edits FreeIPA  Source: http://en. Eyecanseeyou. Drea0511. Zodon. HamburgerRadio.wikipedia. Gagaboat. Cantras. Eloquence. Tazmaniacs. Boxmoor. Leif.php?oldid=428822888  Contributors: BD2412. Pol098. Asbestos. Ff1959.php?oldid=428595654  Contributors: Beland. Daguero. ClementSeveillac. Raj Kumar Gupta basti. 47 anonymous edits White pages schema  Source: http://en. DVD R W. Stephenchou0722. Winterheart. Deathphoenix. MarioS. John Vandenberg. S h i v a (Visnu).wikipedia. JzG. Kolrobie. Michael Hardy. Slcoppedge. Jerome Charles Potts. DavidBailey. Dwvisser.wikipedia. ColdFusion650. ShelfSkewed. KirinX. Sweetfreek. Talrias. Giac. LotusPirate. Ericoides. 13 anonymous edits Novell Identity Manager  Source: http://en. Linnell. Auntof6. MarkWahl. Rwwww. Wikiolap. Geneousgeneous. Cmdrjameson. 2005. Jimmy Pitt. Eugene Cuprin. OckRaz. AnakngAraw. Woohookitty. Whizzdumb. Podoki. Lycurgus. 3 anonymous edits Optimal IdM  Source: http://en. Ww.wikipedia. Katharineamy.wikipedia. John Vandenberg. HughK. Munci. Floquenbeam. Ecb29. Rjanag. Fisherrider. The Anome. clown will eat me. Windowsvistafan. Kickapples. Saabrock.org/w/index. Dajoker. FT2. Precious Roy. Johndburger. Gabbe. 'mach' wust. MarkWahl. Hu12. AgentPeppermint.sutton. SpaceFlight89. EagleOne.org/w/index.org/w/index.org/w/index. Lethaniol. DStoykov. Paulw1128.org/w/index. Swpb.org/w/index.org/w/index. Tai Streets.wikipedia. Jan1nad. Probatio Pennae. Syp. Gioto. Tommy2010. Haakon.wikipedia. CIQB. Isilanes. Beta m. Dsonplayer. Ratarsed.keller. JoanneB. Marek69.php?oldid=432346782  Contributors: Ilgrosso.Article Sources and Contributors Oracle Identity Management  Source: http://en. Pavel Vozenilek. Al Lemos. Bobo192. Gabriel1907. 5 anonymous edits IBM Tivoli Access Manager  Source: http://en. RexNL. RemoteCar. 
Plasticup.php?oldid=366479782  Contributors: Alainr345.php?oldid=429228885  Contributors: Bill Malloy. Sfehrman. Lethaniol.org/w/index. Michaelbusch. Anne97432. Toon05. Michaelcmatthews. Loyalty108. 32 anonymous edits Password management  Source: http://en. ArnoldReinhold. L736E. Funandtrvl. Nabeth. Perspective. Rhobite. Ukexpat. Eug. Bpatr. Nixeagle. WaltBusterkeys. Lightsup55.org/w/index. Sapsan. Freedomisgood.andsecurity. J. Curb Safe Charmer. Malcolma. Jeff G. DerHexer. Derekho55.wikipedia. Bryan Derksen. UkPaolo. Tkn20.org/w/index. Jennifer parisi. Wasell. Haakon. Tthheeppaarrttyy. Bisqwit. Gboyers.xxx. Hawaiian717. 12 anonymous edits IBM Tivoli Identity Manager  Source: http://en.org/w/index. ProfessorBaltasar. BankingLife. Aitias. RJASE1. Southen. Tobias Bergemann. JLaTondre. Oezenwa. Sherip23. RHaworth. Jenblower. Nevuer. Jon207. Imeet. JohnValeron.php?oldid=432256024  Contributors: 16@r. Zundark. Jaanis2010. Eddielomax. Danelo. Douglas W. Odonnellpeg. Guinness man. Retired username. LGJ56.wikipedia. 106 anonymous edits Privacy  Source: http://en. Ljean. Refsworldlee. SAE1962. 9 anonymous edits Self-service password reset  Source: http://en. Jones. Datalossperson. E!. Amalas. Danlev. VoiceOfReason. LodestoneStudio. Alansrivastava.php?oldid=431790651  Contributors: Acristea. Stephenb. Techna. Wallacd. Pfaff9. Guinness man. Shizhao. Kku. Xauxau. Orphan Wiki. Oscarthecat.4thestate.wikipedia. Darth Andy. Rwrightpedia. Freeexpression. Auntof6.. Ark2120. Nyttend. LarryAucoin. Gogo Dodo. Pnm. Tassedethe. Qwyrxian. Vagary. Ryan Postlethwaite. Zzuuzz. Pnm.54. Berger1117. Mangostar. Numbo3. Amelio Vázquez. Nabla. Db099221. Jbond00747.wikipedia. Alphajuliet. Grofm. Lyangwiki. Jboarman.wikipedia. RJHall. Arnoutf. RHaworth. B3t. Malcolma. Appleseed.wikipedia.org/w/index. Tarotcards. Frap. OwenBlacker. Nihil novi. Toussaint. Almagor35. TheParanoidOne. Munacu. Moonradar. Doug Bell. Behnam. Peter.org/w/index. Scuppers. SheepNotGoats. Yitscar. Enric Naval. IDGC. Allixpeeke. 
Publicy. Mindmatrix. Micahgallant. Yonatan. Passpack. LeaHazel. Virtualerian. Creslyn. Yan Kuligin. Iridescence. Martinizing10. Capp-ware. The. Dogposter. Mohitkumargoel. Melaen. Kbdank71. Nabeth. Pastore Italy. Rocket000. FleetCommand. Tomtheman5.php?oldid=430984400  Contributors: A. Nakon.php?oldid=430483437  Contributors: AndrewHowse. PModin. Manoj gdv.software.php?oldid=415128551  Contributors: Dagblakstad. Shangrilaista. Astronouth7303. Ppntori. EntmootsOfTrolls.wikipedia. Ianeiloart. Masta barako. Adaliaholding. Elmondo21st.org/w/index. Cyfal. Charleca. Mintleaf. Bill Sayre. Nabeth. Sam pritchard. Haakon. Tsigle. Rror. Hayder1. Infosearching. CosmosKey. Matrix666. Jenks. Ixfd64. Abune. Funandtrvl.php?oldid=432322570  Contributors: Auntof6. Copperchair. DanielPharos. ZimZalaBim. Lkinkade. Mdoolitt. Sampi. Kdmitry. WhatamIdoing. Mahudson. The Letter J. Rcawsey. R Pollack. Firstamendment. Pmaynz. SteveSims. La goutte de pluie.org/w/index. Rosenny. Can't sleep. Todowd. Martarius. Marcelo Reis. Mentifisto. Lifesajoke2009. Vlad. AvicAWB. GB fan. Oda Mari.php?oldid=426417343  Contributors: Drbreznjev. Mobius. Samuelson.org/w/index. Byeitical.php?oldid=425793424  Contributors: Joy. Fred Bauder. LilHelpa. Tattoe. Geneous. Shohami. Gary Zheng. 9 anonymous edits Hitachi ID Systems  Source: http://en. MZMcBride. J. Rajesh. Daniel C. Jeffhoy. Chris k. TastyPoutine. Academic Challenger. Pnm. DStoykov. Iqspro. Fram. CleoKeelie. Jesus geek. NapoliRoma. Mgmcginn. KAtremer. Greatal386.wikipedia. Woland37. Skysong263. NawlinWiki. DavidBailey. 7 anonymous edits Profiling practices  Source: http://en. Wikiuser83729.software. 154 . 6 anonymous edits Imprivata  Source: http://en. Danelo. Sprhodes. Thenickdude. Swampyank. PrivacyandFreedomofSpeach. Jonverve. Saudade7. Haosusays. Kycook. Nirvana2013. Gsmucker. Platesocks.wikipedia. Sardanaphalus. Pnm. Geneousgeneous. Kellerpm. Mean as custard. Luna Santin. Calliopejen1. Freethechains. Evb-wiki. Gaius Cornelius. Wakeling. Saurabh37. 
Nuwewsco. Zenohockey. Ericgoldman. Tide rolls. DILIN.wikipedia. RUL3R. Canberra User. Oezenwa.cave. Demiurge1000. Aksn1p3r. Robertvan1. Jnarvey. Mandarax. Neerajyede. Dchuckable. The Thing That Should Not Be. Saqib. LeCire. Yanokwa. Obankston. Paste. Emre D. Cyberlaw09. Gadiandi. Tagishsimon. Anna Lincoln. Philip Trueman. Supertouch. Shohami. Former user 2. Paulinho28. Erik Ernst. JForget. Mav. LorenzoB. Hdt83. Shohami. Samsara. 537 anonymous edits Privacy-enhancing technologies  Source: http://en. Jennavecia. Infosubmitter. Judzillah.org/w/index. Qwyrxian. Pnm. Tyallen87. Jørdan. Math Champion. Yellowdesk. Sanminliu. BillFlis. 4 anonymous edits Organizational Unit  Source: http://en. WikHead. Pnm. Rangoon11. Apau98. Amy brisebois. RoPProfJF. Grahamsayer. Shaliya waya. 41 anonymous edits OpenPTK  Source: http://en. Badlr007. CinnamonApril. 172. Cnis. Raphaelval7. Fabrictramp. MatthewFox. Epeefleche. Jamesday. Sf362.org/w/index. Sanfranman59. Cybercobra. Bsadowski1. Arny. Kdmitry. Adolphus79. Reyk. IvanLanin. Jphekman. Morte. Nnp. Andy Marchbanks. Searchall.php?oldid=420652757  Contributors: Andypowe11. SupaStarGirl.php?oldid=424004747  Contributors: ArnoldReinhold. Hmains. Zhiyoong. Shadowjams. Versageek. Pointlessforest. Petr Gasparik. DerEikopf.210. Geneousgeneous. E8MXNX. Peter.wikipedia. C d h. Nikai.wikipedia. The Anome. Mozzerati. Katalaveno. Archaelicos. Wklee. Nabeth. Soufron. Shadowjams. FlyingToaster. Rjgodoy. Asbruckman. Ric man. MarcRote. Elwell. Trevor mendham. RobTranter. 2 anonymous edits Password manager  Source: http://en. PhilipR. Yomangani. Slakr. Elliskev. KD5TVI. Evrik. Danelo. SatyrTN. Moonradar. Gurch.. 99DBSIMLR. Mattisse.php?oldid=430886268  Contributors: ArnoldReinhold. Whlb User profile  Source: http://en.wikipedia.org/w/index.wikipedia. Skapur. Fan of Freedom. Galoubet. Kzollman. Jcgoble3. Ronz. 2 anonymous edits Athens (access and identity management service)  Source: http://en. Maurice Carbonaro. David Shay. Private272827. 
Cheeni.php?oldid=410502628  Contributors: Alansohn. Shaddack. Toussaint. Udo Altmann. Arjun01. BillyPreset. Ahoerstemeier. Grutness. Tatterfly. DarkAudit. Wikiwatcher1. Rwwww. Oezenwa. Patrick. Ghettoblaster. Cpeel. BD2412. Kikbguy. Jusdafax.org/w/index. Colonies Chris. Longbowman.baronia. TheRingess. Ant. Mikesd. MarkWahl. Csc300c0. Robertguerra. Extraordinary. Totoblue. Burlywood.org/w/index. AndrewHowse. Materialscientist. Frap. Starz0906. Yishiuan. Frap. Pinethicket. NiTenIchiRyu. Geneous. Bwikit. Haakon. JRR Trollkien. TheParanoidOne. Cynwolfe. Peak. Kylegordon. Shohami. MacGyverMagic. Bertix. Mdsam2. Pooinlodgedinbum. Someguy1221.php?oldid=415125910  Contributors: Cpeel.delanoy. Tra. Dovid. Jonel. Bobblewik. KnowledgeOfSelf. Harry491.php?oldid=414852134  Contributors: Chowbok. Intgr. Tobias Bergemann. Ian01. Vaceituno. Gonei72. Bobgag. Wahoofive. Elmagnon. Haakon. Mbarulli. Alpha713. Hellbentmaster. Wtmitchell. Ski. Tangotango. Cokeabout. Yangjen16.keller. Xenophonf. KAtremer. Yintan. Cleverlymeta. Madhero88. Netrat. CyrilPenaCastillo. Spitfire.php?oldid=420940989  Contributors: Ajoey123.org/w/index. Mglickman. Conversion script. Sjakkalle.org/w/index. Jokestress. Voidxor. Johnuniq.org/w/index. Nzpcmad. Stevage. Squids and Chips. Ultramandk. Sigondronggondrong. Emmett5. Dycedarg. East718. Okedem. Jason Quinn. Tbhotch Password synchronization  Source: http://en. Toussaint. Pnm. Reaper Eternal. 16 anonymous edits Service Provisioning Markup Language  Source: http://en. Infogoodwrite. ArnoldReinhold. Toussaint. MacGyverMagic. Guanaco. Richardwrite. Palffy. 28 anonymous edits Syncope (software)  Source: http://en.wikipedia. Rcawsey.php?oldid=432445979  Contributors: DanielPharos. Jjron.php?oldid=418926307  Contributors: Cunard. Singlarohit29. Schmelvic. Haakon. Sitush Trombinoscope  Source: http://en. 4. Alansohn. Mogigoma. Kdastmal. Ericgoldman. Cyde. Afpre. 9 anonymous edits Courion Corporation  Source: http://en. LodestoneStudio. 
16 anonymous edits Microsoft Identity Integration Server  Source: http://en. Rhyssmith. Jidanni. David identity. Vgranucci. Kdmitry.org/w/index. Pfc432. Skomorokh.org/w/index. Ewlyahoocom. Novum. Kaare.wikipedia. Nuttycoconut. Dawynn. Anteaus. Ka peterson. Enric Naval. Beland. IByte. Enyo. Apollosfire. Johnjohnston.wikipedia. Iridescent. Anon lynx. Rjwilmsi.php?oldid=403485882  Contributors: AndrewB47. Apmab1. Y2usxr. Jrtayloriv. Lsoares. Rich Farmbrough.wikipedia. Fieldday-sunday. Ihcoyc. Simsong. TreasuryTag. Soliloquial. JCarlos. Stephenb. Wikiklrsc. Mitch Ames. Andrewgordonsolomon. Ronhjones. Omicronpersei8. Kjkolb. Shshme. Wikipelli. Javidjamae. LiquidEyes. Filippowiki.php?oldid=429614327  Contributors: Nimur.php?oldid=424053820  Contributors: Dawnseeker2000. Pnm. Dc352. Frap. T23c. Riotrocket8676. Seaphoto. Albedo. Paulchen99. Yellowdesk. Leujohn. Tforga. CliffC. Marianocecowski. Infotester. ZeroOne. Pewwer42. Lincolnite.wikipedia. Savitashri. Oezenwa. Reedy. Prikryl. Daniel. Retired username. Pedant17. Technowonk. EUPRIVACYINSTITUTE. WRK. Sceptre.

Woohookitty. TubularWorld. Tra. 37 anonymous edits 155 .Article Sources and Contributors Soifranc.

Image Sources, Licenses and Contributors

The images reproduced in this book are taken from the English Wikipedia (http://en.wikipedia.org/w/index.php?title=File:…), credited to their uploaders, under the licenses recorded on each file page: public domain, Creative Commons Zero, Creative Commons Attribution 3.0, Creative Commons Attribution-Sharealike 2.5 and 3.0, GNU Free Documentation License, copyrighted free use, fair use, or unknown. Files used:

Captcha.png
Modern-captcha.jpg
KCAPTCHA_with_crowded_symbols.gif
RecaptchaLogo.svg
Recaptcha.svg
Wiki_p_passwindow_demo.gif
Loudspeaker.svg
Cardspace_identity_selector.png
DigitalMe.png
InfoCardIcon.png
Identity-concept.png
Liberty-actors.jpg
Liberty-protocol-history.jpg
IllinoisTelephoneAndTelegraphAd.png
OpenPTK_logo.png
Oprimal_IdM_LOGO.png
Hitachi-id-systems.gif
SyncopeLogo.gif
SyncopeArchitecture.png
SyncopeConsole.png
Courionlogo.gif
Flag_of_the_United_States.svg
Flag_of_Canada.svg

License

Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/
