Post on 16-Mar-2018
Olli Jussila, Adaptive R&D, TeliaSonera
TERENA EuroCAMP 2007 Helsinki
23/02/07 Page 2
Agenda
• TeliaSonera at a glance
• Project presentation
• Technical results
• Business model and actor benefits
• End user experience
• Dissemination activities
• Conclusion
The Nordic and Baltic leader in telecommunications
(Figure: map of Estonia, Latvia, Lithuania, Finland, Sweden, Denmark and Norway.)
• 23.5 million customers (number of customers as of December 2006)
• Number of employees: 28,000
• Net sales 2006: EUR 9790 million
• Strong positions in mobile in Eurasia, Russia and Turkey through subsidiaries and associated companies
• Mobile services launched in Spain at the end of 2006
Identity Management Nightmare!
Multiple accounts, multiple credentials everywhere
The Liberty solution
(Figure: a Circle of Trust containing an IDP (Identity Provider), two SPs (Service Providers) and a WSP Attribute Provider holding Profiles and Identifiers.)
1. Sign on to SPs with my IDP account (ID-FF)
2. Single Sign On to other website (ID-FF)
3. Share my personal information (ID-WSF)
FIDELITY – project assumptions
• Potential Identity Providers and Circles of Trust are numerous
• Users will navigate among these Circles of Trust
• One CoT should be able to establish trust relations with another CoT to allow Identity roaming
FIDELITY – project in a nutshell
• Set up 4 heterogeneous Circles of Trust
• Deploy strong authentication mechanisms
• Demonstrate the inter-operability of these Circles of Trust regarding:
– Liberty Alliance technical specifications
– Business model
– EU legal constraints
– User experience
• Provide standardisation and implementation contributions
FIDELITY – project members
• 4 telcos, setting up the CoTs:
– France Telecom, Amena, Telenor, TeliaSonera
• 3 industrial partners, providing ID platforms and software:
– Ericsson, Gemalto, Italtel
• 3 SMEs and 1 university, providing specific skills and software:
– TB-Security, Linus, Moviquity, Oslo university college
FIDELITY final results
Technical results
Implementation of principal CoTs/InterCoT infrastructure and services
• The four CoTs in France, Finland, Norway and Spain have been established.
• Each CoT has
– an Identity Provider
– some Service Providers with Web service consumers (WSC)
– and some Attribute Providers (Web service providers, WSP)
• In each CoT:
– ID-FF V1.2 (Identity Federation and SSO) has been fully tested
– ID-WSF V1.1 (Identity Web Service Framework) has been tested
• Products from different vendors have been used in order to test the interoperability of Liberty software implementations
Architecture and Information flow (simplified view)
(Figure: the visited CoT (V-CoT) holds a Service Provider with WSC, the V-IdP and the V-DS; the home CoT (H-CoT) holds the H-IdP, the H-DS and the H-WSP; arrows are numbered 1 to 11.)
1. A user accesses a service
2. SP re-directs the user to V-IDP
3. V-IDP re-directs/proxies the user to H-IDP
4. H-IDP maps the authentication context request of V-IDP and authenticates the user.
5-6. Auth. assertion including DS info is returned to V-IDP and V-SP
7-8. SP (WSC) requests the end point of H-WSP from H-DS.
9-10. SP (WSC) requests the service from H-WSP
11. According to privacy settings, H-WSP initiates the user-consent process via SP and the Interaction service. WSP is also able to request stronger authentication via WSC/SP
The French CoT
(Figure: IDP Identity Provider with DS; Attribute Providers: WSP Personal Profile, WSP Geolocation Profile, WSP Wallet Profile; Service Providers: SP WhereRestaurant, SP Student exchange, SP Book a Hotel, SP Attribute registration, SP Wallet registration; authentication methods: User/password, EAP/SIM + password, Software PKI; a "Technical" IDP label is also present.)
The Finnish CoT
(Figure: IDP / DS Identity Provider; Attribute Providers: WSP Personal Profile, WSP Geoloc Profile, WSP Calendar Profile, WSP Wallet Profile, WSP Student Profile; Service Providers: SP WhereRestaurant, SP Book A Hotel, SP Privacy Manager, Register with a mobile; authentication methods: User/password, OT sms (+ password), WPKI, EAP / SIM, GPRS; HLR.)
InterCoT Single Sign On • Authentication Contexts
(Figure: User Agent, V-SP, V-IDP and H-IDP, each IDP with a table of authentication methods, their level and whether the CoT supports them. The per-CoT "Supported?" values cannot be recovered from the extraction.)
Methods by level:
– Basic: Plain UserID/password, SSL UserID/password
– Moderate: Mobile TP – ISO – OTP, PC + Mobile OTP, Mobile USB – OTP, PC EAP/SIM
– Strong: PC PKI, Mobile WPKI, PC eGate EMV
– Also listed (level not recoverable): GPRS authentication, PC 3.48/SIM
Message flow:
1. User accesses service provider
2. PC EAP/SIM please?
3. (unlabelled on the slide)
4. PC EAP/SIM please?
5. Some other from the same level?
6. Authentication with the user
7. Mobile USB-OTP
8. Authenticated ok, empty context or requested context
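The context negotiation on this slide (V-IDP asks the H-IDP for "PC EAP/SIM", the home CoT cannot do it, offers "some other from the same level", and the assertion comes back with either the requested or an empty context) as an added example; this is not project code, the method-to-level grouping and the level ordering are assumptions taken from the slide's table, and the V-SP acceptance rule is the check a relying party needs so that "authenticated ok" with an empty context is not mistaken for the level it asked for.

```python
from dataclasses import dataclass
from typing import Optional

# Assurance levels named on the slide; the numeric order is an assumption
# used only to compare methods.
LEVEL_RANK = {"Basic": 1, "Moderate": 2, "Strong": 3}

# Method -> level. Constructed from the slide's method table; the grouping
# of each method into a level is an assumption.
METHOD_LEVEL = {
    "Plain UserID/password": "Basic",
    "SSL UserID/password": "Basic",
    "PC EAP/SIM": "Moderate",
    "Mobile USB-OTP": "Moderate",
    "PC + Mobile OTP": "Moderate",
    "PC PKI": "Strong",
    "Mobile WPKI": "Strong",
}


@dataclass
class Assertion:
    authenticated: bool
    context: Optional[str]  # method actually used, or None for an "empty context"


class HomeIdp:
    """H-IDP: maps the V-IDP's requested context onto what its CoT supports (steps 4-8)."""

    def __init__(self, supported, report_context=True):
        self.supported = set(supported)
        self.report_context = report_context  # False models the "empty context" reply

    def authenticate(self, requested, user_choice=None):
        if requested in self.supported:            # step 4: requested method is available
            used = requested
        else:                                      # step 5: another method from the same level
            level = METHOD_LEVEL[requested]
            same_level = sorted(m for m in self.supported if METHOD_LEVEL[m] == level)
            if not same_level:
                return Assertion(False, None)      # nothing of that level in the home CoT
            used = user_choice if user_choice in same_level else same_level[0]
        # steps 6-7: the user authenticates with `used`; step 8: the assertion goes back
        return Assertion(True, used if self.report_context else None)


def accept_assertion(assertion, required_level):
    """V-SP side: the returned context must be present and at least the required
    level. An empty context is refused because the SP cannot tell which method
    the home CoT actually used."""
    if not assertion.authenticated or assertion.context is None:
        return False
    return LEVEL_RANK[METHOD_LEVEL[assertion.context]] >= LEVEL_RANK[required_level]
```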
InterCoT attribute sharing (ID-WSF)
• InterCoT Discovery Service
– Direct Access. By using this method, the V-WSC requests directly the Discovery Service of the H-CoT (H-DS)
– DS-proxying. By using this method, the Discovery Service of the V-CoT (V-DS) acts as a DS-proxy between the V-WSC and the H-DS.
– DS-chaining. By using this method, the V-WSC requests first the V-DS which redirects it to the H-DS.
If direct access is used, then we recommend the deployment of a Trust model based on PKI
Tested
ID-WSF trust model for attribute sharing – IntraCoT vs. InterCoT
• In IntraCoT, every (H-)SP – (H-)WSP pair has a direct business agreement implying a direct trust relationship
– Technically, the trust between ID-WSF entities is established by exchanging metadata on a bilateral basis
• In InterCoT, the business agreements are established only between IDPs; there is no direct business relationship between V-SP and H-WSP
– Technically, exchanging metadata between every V-SP – H-WSP pair would be far too laborious → provisioning the metadata would require too much effort
• The Fidelity PKI trust model enables a business model for InterCoT attribute sharing between V-SP and H-WSP
– Technically, this is implemented by using hierarchical certificate path validation (RFC3280)
InterCoT Relationship Establishment
(Figure: two CoTs, each with a Root and a CoT CA above its IDP, SPs and WSP; IDP 1 and IDP 2 exchange CA certificates.)
• CA certificate exchange
• IDPs exchange the CA certificate chains and deliver them to their other IntraCoT entities (SPs and WSPs)
InterCoT Relationship Establishment
(Figure: the SP / WSC in the Visited CoT sends a service request to the WSP in the Home CoT. The SP cert chains to the CoT CA cert and the Root CA cert of the CoT it is associated with; the WSP trusts that chain and performs a certification revocation status check; the SP cert includes the CoT CRL. Compliant with RFC3280.)
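The trust model of the two slides above (a home WSP trusts only its own root until the IDPs exchange CA chains, then validates a visited SP's path leaf → CoT CA → Root and checks revocation) as an added structural model; this is not project code, the certificate names are constructed, and signature verification, validity periods and name constraints of RFC3280 are out of scope here, only chain linkage, the trust anchor and the CRL status are checked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root


def validate_path(chain, trust_anchors, revoked):
    """Structural model of path validation. `chain` is ordered leaf first:
    [SP cert, CoT CA cert, Root CA cert]. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    root = chain[-1]
    if root.issuer != root.subject:
        return False, "chain does not end in a self-signed root"
    if root.subject not in trust_anchors:
        return False, "root %s is not a trust anchor" % root.subject
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, "%s was not issued by %s" % (cert.subject, issuer.subject)
        if cert.subject in revoked:  # revocation status check against the CoT CRL
            return False, "%s is revoked" % cert.subject
    return True, "valid"


class HomeWsp:
    """H-WSP: its trust store starts with its own CoT's root; the H-IDP delivers
    the visited CoT's root after the CA certificate exchange."""

    def __init__(self, own_root):
        self.anchors = {own_root}
        self.crl = set()  # subjects listed in the CRLs this WSP has fetched

    def install_intercot_root(self, root_subject):
        self.anchors.add(root_subject)

    def serve(self, sp_chain):
        return validate_path(sp_chain, self.anchors, self.crl)


# Constructed sample chain for an SP in a visited CoT.
V_CHAIN = [Cert("V-SP", "V-CoT-CA"), Cert("V-CoT-CA", "V-Root"), Cert("V-Root", "V-Root")]
```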
FIDELITY final results
Business Scenarios, Actors benefits
Business scenarios
• Closed Scenario:
– Single Company IDP and SP
• Open Scenario:
– Telecom as IDP for external SP
• Inter-CoT Scenario:
– Telecom Operator alliances with internal and external SPs
• Inter-CoT Scenario Multi-domains:
– Multi domain IDP alliances with internal and external SPs
(Figure: IDP / SP / IDs diagrams for each scenario.)
Actors Benefits
• Identity Provider
– Large user base
– Attract new users
– Enforce their trust relation with the user
– Offer (sell) strong and complex authentication methods
• Service Providers
– Attract users
– Simplify local user management
– Use strong authentication
– Rely on user identity attributes
• User
– Simple and secure authentication
– Ease of attribute management, control of data dissemination
– Respect of his privacy
The virtuous circle: more users, more services
FIDELITY final results
End User Experience
• Concepts explanation and representation
– Explain to the user what a CoT is, what a CoCoT is
– Represent concepts with pictures: Circle of Trust (CoT) and Circle of CoT (CoCoT); CoCoT logo/brand; CoT logo/brand; Key = SP credentials; Master Key = IDP credentials
• CoT Homepage
– Disclaimer
– SSO description
– Attribute sharing description
– List of the SPs belonging to the CoT
– Map of the CoT and the CoT's partners (CoCoT)
– Registration area
– Personal area for registered users
FIDELITY final results
Dissemination activities
Fidelity: Dissemination
• Advisory Boards in each telco
• Liberty Meetings (plenary, TEG)
• 3GSM World Congress 2007
• IST 2006
• E challenge
• ISSE in Roma
• Internet Global Congress Barcelona
• Security and identity management event in Barcelona
• France Telecom R&D result event in Paris
• Telecom I+D, Madrid
• Celtic and Eureka events
• Website: www.celtic-fidelity.org
• Demo Kit: www.celtic-fidelity.org/fidelity/flash/
• Public documents: www.celtic-fidelity.org/fidelity/Documentation.jsp
• Standardization activities (Wallet + calendar ID-WSF Serv. Interf. spec)
Conclusion of the FIDELITY project
• From a technical, business, legal and ergonomic point of view, Liberty solves the IDM issue and can be extended to InterCoT.
– But read our public recommendations anyway…
• The very good cooperation and acceptance between all partners was the basis for the success of the project.
• The consortium is satisfied with the results obtained and will now begin to exploit them.
Thank you for your attention
Any questions?