in bold relief on the paper, confirming the duplication. This technique allows us to distinguish the originals from the duplicates. In our study, since the certificate issued by the university as well as the one printed at the store had to be original, the Tint-Block Printing technique was applied to the paper.
location of some part of them) from servers to users' own devices.
In the real world, many of us have already registered our personal information on a variety of Websites. Since it is unrealistic to imagine that all the personal information distributed over the Internet can be immediately gathered up on our own computers, this paper focuses on identity management protocols that pass and receive identity information over the Internet, and discusses the potential bottlenecks and our solution approach. We explain why HTTP redirect is commonly used and thus is a common problem in identity management protocols. Previous work, which was explored by The Liberty Alliance Project and was then adopted in OASIS SAML, is also illustrated. The analysis of SAML profiles shows another problem, the selection of Identity Providers (the entities that identify or authenticate users), from the viewpoint of user-centrism. We describe our approach, an enhanced Identity Provider (IDP) proxying protocol, and its design issues, including the flexibility and the security of its system model. We evaluate our prototype implementation of this protocol, showing the results of performance measurement. As the name implies, our model implementation is based on an Identity Federation mechanism, but it is also applicable to non-federation-based identity management protocols.
Note that HTTP redirect is also used in the other identity management protocols, including OASIS SAML and Liberty. The following part of this section discusses the current approach used in SAML and The Liberty Alliance Project.
To avoid the negative side effects of HTTP redirect, Liberty introduced an entity, the Liberty Enabled Client or Proxy (LECP), to its identity federation framework (ID-FF), and a similar concept, the enhanced client or proxy (ECP), was later introduced to SAML2.0. This paper refers to the ECP profile of SAML2.0, because it was ratified later than Liberty ID-FF1.2 and is expected to be more up to date. Before explaining more about ECP, we briefly explain SAML and ID-FF.
HTTP redirect is a convenient scheme to move a Web browser from one Website to another, and it is widely used in identity management protocols, including newly emerging User-Centric Identity Management technologies. HTTP redirect, however, can cause a performance bottleneck in identity management processes. Although this problem has already been partially explored in OASIS SAML and the Liberty Alliance Project, this paper discusses how the approach used in them can be enhanced from the viewpoint of user-centrism. We developed a new model that replaces HTTP redirect with server-to-server communication. Performance evaluation of our prototype implementation shows a significant improvement in turnaround time for authentication by avoiding HTTP redirect over a 64kbps wireless communication channel.
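As an added illustration (not the paper's prototype, protocol or measurements), the following Python model lays out the message hops of the standard redirect-based SAML Web Browser SSO exchange next to an assumed server-to-server proxy variant and estimates turnaround time over a 64 kbps client link; the message sizes, latencies and the shape of the proxy flow are constructed assumptions.

```python
# Added illustration: models the hop-by-hop message exchange of two SSO
# flows and estimates turnaround time over a slow client link. Flow shapes
# and message sizes are constructed assumptions, not the paper's measurements.
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    sender: str
    receiver: str
    payload_bytes: int   # approximate size of the HTTP/SOAP message (assumed)

CLIENT = "Browser"

def redirect_flow():
    """SAML Web Browser SSO (redirect + POST bindings): every message
    crosses the client's link, so each leg pays the slow-link latency."""
    return [
        Hop(CLIENT, "SP", 400),      # GET protected resource
        Hop("SP", CLIENT, 1200),     # 302 to IdP, AuthnRequest deflated in the URL
        Hop(CLIENT, "IdP", 1200),    # browser follows the redirect
        Hop("IdP", CLIENT, 6000),    # HTML form auto-posting the signed Response
        Hop(CLIENT, "SP", 6000),     # POST Response to the assertion consumer service
        Hop("SP", CLIENT, 800),      # resource (or session cookie) delivered
    ]

def proxy_flow():
    """Assumed server-to-server variant: the client sends one request; a
    proxy exchanges AuthnRequest/Response with SP and IdP over the fast
    server-side network and returns the result in a single response."""
    return [
        Hop(CLIENT, "Proxy", 400), Hop("Proxy", "SP", 400),
        Hop("SP", "Proxy", 1200), Hop("Proxy", "IdP", 1200),
        Hop("IdP", "Proxy", 6000), Hop("Proxy", "SP", 6000),
        Hop("SP", "Proxy", 800), Hop("Proxy", CLIENT, 800),
    ]

def client_link_hops(flow):
    """Number of messages that traverse the client's slow link."""
    return sum(1 for h in flow if CLIENT in (h.sender, h.receiver))

def turnaround_ms(flow, client_bps=64_000, client_rtt_ms=300.0,
                  server_bps=100_000_000, server_rtt_ms=2.0):
    """Serial estimate: each hop costs half a round trip of latency plus
    serialisation of its payload on the link it traverses."""
    total = 0.0
    for h in flow:
        on_client = CLIENT in (h.sender, h.receiver)
        bps = client_bps if on_client else server_bps
        rtt = client_rtt_ms if on_client else server_rtt_ms
        total += rtt / 2 + h.payload_bytes * 8 / bps * 1000
    return round(total, 1)
```

With these assumed figures the redirect flow puts all six messages on the 64 kbps link, while the proxy variant puts only two there, which is where the estimated turnaround difference comes from.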
Citizen-Centrism is an emerging principle for designing solutions in digital identity management. There is, however, still no widely accepted definition of Citizen-Centric Identity Management. One example definition, which might not cover all aspects, is that Citizen-Centric Identity Management is about controlling one's identity data without a central repository of one's own personal data. We believe the concept of Citizen-Centric Identity Management includes at least two types of technologies. One type, including SXIP and OpenID, lets users specify their own identity repository. The other type, including Windows CardSpace (formerly InfoCard) and the Higgins Trust Framework Project, shifts the control of personal information (and the physical