Landscape of Web Identity Management

[Poster topic map. Centre: IdM (Identity Management). Concepts arranged around it: Surveillance, User-centric, Data Protection, RFID, Authentication, Credentials, Aggregation, Identity Theft, Transparency, Claims, Tracking, Confidentiality, Access Control, LBS, Attributes, Smartcards, Anonymity, Context-awareness, GPS, Loyalty, Personalisation, Cyber Security, Biometry, CRM, Policies, Privacy, Profiling, Interoperability. Branches: Use Cases (eGovernment, eBusiness, Smart Environments, eHealth, Social & Business Networks, Corporate IdM), Technologies (listed below), User Empowerment, Privacy by Design, User-centric Services.]

Technologies

Kantara - UMA 2012
User-Managed Access is a protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates).
[UMA role diagram on the poster: the Authorizing User manages the Authorization Manager (PDP) and controls the Host (PEP); the Host protects the Protected Resource and delegates authorization decisions to the Authorization Manager; a Requester accesses the resource and is authorized via the Authorization Manager.]

Shibboleth
Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on SAML.

OAuth 2.0
The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. (The OAuth 2.0 Authorization Protocol, draft-ietf-oauth-v2-25, March 8, 2012)

OpenID Connect
OpenID Connect (based on the OAuth 2.0 protocol) is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. The simplest deployment of OpenID Connect allows clients of all types to request and receive information about identities and currently authenticated sessions. (Implementer's Draft, Feb. 14, 2012)

Identity Mixer (idemix)
Identity Mixer (idemix) is an anonymous credential system developed at IBM Research that enables strong authentication and privacy at the same time. With Identity Mixer, users can obtain from an issuer a credential containing all the information the issuer is ready to attest about them. When a user later wants to prove to a service provider a statement about her, she employs Identity Mixer to securely transform the issued credential.

U-Prove
U-Prove is a cryptographic technology that enables the issuance and presentation of cryptographically protected claims in a manner that provides multi-party security. The goal is to enable the exchange of verified identity information from sources (Claims Provider), under the user's control (via the U-Prove Agent), to the recipients (Relying Party).

Windows CardSpace
Windows CardSpace is Microsoft's client software for the Identity Metasystem (canceled in Feb 2011). CardSpace stores references to users' digital identities for them. Resistance to phishing attacks and adherence to Kim Cameron's "7 Laws of Identity" were goals in its design. Windows CardSpace 2.0 will be extended to use the U-Prove protocol.

Higgins
Higgins (initiated 2003) is a framework that enables users and enterprises to integrate identity, profile, and relationship information across multiple systems. Applications can use Higgins to create a unified, virtual view of identity, profile and relationship information. A key focus of Higgins is providing a foundation for new "user-centric identity" and personal information management applications.
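The OAuth 2.0 and OpenID Connect entries above describe an exchange rather than show one. The following is an added example, not content from the poster and not code from any project it names: a stdlib-only, offline simulation of both ways the OAuth 2.0 paragraph says a client can obtain access (on behalf of a resource owner through the approval interaction that ends in an authorization code, and on its own behalf through the client-credentials grant), with the server also returning the ID token that OpenID Connect adds and the client validating it. The issuer URL, client registration, redirect URI and the HS256 signing key are assumptions made for the example; real OpenID Providers normally sign ID tokens with an asymmetric key published via JWKS. The one-time code, registered redirect URI, state and nonce checks are the mitigations (code replay, code leakage, login CSRF, token replay) a practitioner would expect to see in a client.

```python
# Added example (stdlib only, runs offline): simulated OAuth 2.0 / OpenID Connect
# exchange. Assumed values: issuer URL, client registration, HS256 signing key.
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://as.example"                 # assumed authorization server / OP
CLIENT_ID = "photo-app"                       # assumed client registration
CLIENT_SECRET = "assumed-client-secret"
REDIRECT_URI = "https://photo-app.example/cb"
SIGNING_KEY = b"assumed-hs256-key"            # symmetric key shared with the client

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(claims: dict) -> str:
    # Compact JWS (HS256) over a JSON claim set, the format used for ID tokens.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class AuthServer:
    """In-memory authorization server that also acts as OpenID Provider."""
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}  # one-time code -> (client_id, redirect_uri, subject, nonce)

    def authorize(self, client_id, redirect_uri, state, nonce, approving_user):
        """Approval interaction: the resource owner consents, a one-time code is issued."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri not registered")  # blocks code leakage
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, approving_user, nonce)
        return {"code": code, "state": state}  # state is echoed back unchanged

    def token(self, grant_type, client_id, client_secret, **params):
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise ValueError("client authentication failed")
        now = int(time.time())
        access = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
        if grant_type == "client_credentials":
            return access  # client acts on its own behalf: no user, no ID token
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)  # pop: the code is single-use
            if entry is None or entry[:2] != (client_id, params["redirect_uri"]):
                raise ValueError("invalid code")
            _, _, subject, nonce = entry
            access["id_token"] = jws_sign({"iss": ISSUER, "sub": subject, "aud": client_id,
                                           "iat": now, "exp": now + 300, "nonce": nonce})
            return access
        raise ValueError("unsupported_grant_type")

def validate_id_token(id_token, expected_nonce, now=None):
    """Client-side ID token checks: alg, signature, iss, aud, exp, nonce."""
    header_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a downgrade
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed token?)")
    return claims

def login_on_behalf_of_user(server, user):
    """Authorization-code flow as the client sees it; returns (subject, access_token)."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    callback = server.authorize(CLIENT_ID, REDIRECT_URI, state, nonce, user)
    if callback["state"] != state:
        raise ValueError("state mismatch (login CSRF?)")
    tokens = server.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                          code=callback["code"], redirect_uri=REDIRECT_URI)
    claims = validate_id_token(tokens["id_token"], nonce)
    return claims["sub"], tokens["access_token"]

def access_on_own_behalf(server):
    # Client-credentials grant: access without any resource owner involved.
    return server.token("client_credentials", CLIENT_ID, CLIENT_SECRET)["access_token"]
```

Calling login_on_behalf_of_user(AuthServer(), "alice") returns ("alice", <access token>); a second token request with the same code, a callback with a different redirect URI, or an ID token whose body has been swapped are all rejected with ValueError.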
Research topics: Data Protection, Context-awareness, Identity Management, Usable Security.

Threats: Identity Theft, Surveillance, Profiling. Attacker actions shown: tamper, misinform, deny, misuse, spy out.

Vision
In the Future Internet, users will be downloaded as apps.
Virtual identities will be created dynamically and context-aware.
The users master their identity life cycle securely and confidentially.
Authorised subscribers are up-to-date at any time.
Confirmed subscribers are authorised to access partial profiles.
Compliance with data protection laws and security policies will be built in.
Privacy Impact Assessment.

7 Laws of Identity
Kim Cameron (http://www.identityblog.com/stories/2004/12/09/thelaws.html)
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts

Contact:
Mario Hoffmann
mario.hoffmann@aisec.fraunhofer.de
www.identity-competence-center.de
