IntelliGrid Architecture

 

 

Home

Parent Menu

Security Concerns
Security Processes
Security Domains
Security Services
Security Policy Issues
Security Risk Assessment
Protocol-Specific Recomm
Security Service vs. QoS
Security Tech Overview
Security Recommendations
Security Future Work
Security Services

Same Level Menu

Audit Common Service
Auth for Access Control
Confidentiality
Credential Conversion
Credential Renewal
Delegation Service
Firewall Traversal
Identity Establishment
Identity Mapping Service
Information Integrity
Inter-Domain Security
Non-repudiation
Path Routing & QOS
Security Policies
Policy Exchange
Privacy Service
User Profile Service
Quality of Identity
Denial-of-Service
Security Assurance Mgmt
Security Protocol Mapping
Security Avail Discovery
Verifying User Auth
Single Sign On
Trust Establishment
User and Group Mgmt

Child Menu

 

Search IntelliGrid Site

Questions/Comments

Questions

 

Responses

 

 

Quality of Identity Service

This service allows an entity to determine the trust level associate with the identity being conveyed. This is of particular interest where the source Identity, of the original transaction, has been mapped several times.

This service represents a specific capability that could be viewed as a subset of the Identity Service. However, technical evaluations of existing solutions indicate that no solutions provide this ability and therefore are worthy of being defined independently so that the service requirement is not lost.

This is a service that is not widely recognized, although QID-01 makes a strong case for its need. The basic issue raised by QID-01 is that of the ability to trust an identity being established if the identity has been mapped or its credentials converted several times. At a minimum, without a mechanism for originator determination, there is a relevant issue. However, originator determination could be provided by and adequate audit mechanism, but this does not assist the receptor of a transaction. Thus there is a need to provide a mechanism to allow the receptor to determine a level of trust based upon the number of mappings that have occurred along the transaction path.

Table 28: References Relating to Quality of Identity

QID-01

Audun Josang, An Algebra for Assessing Trust in Certification Chains, Telnor R&D
email: audun.josang@fou.telenor.no

 

 

Technological Assessment and Relevant Specifications

There are two aspects in regards to Quality of Identity, the ability to determine the number of times that an identity has been transformed, which is a superset of the number of times that credentials have been converted.

There are no relevant specifications/solutions that can be applied to the generalized identity mapping issue, as many of these mappings are local issues.

However, in the particular case of digital certificate conversion, the SAML specification yields a possible solution. However, the solution would require that attribute definitions and attribute chaining be added to SAML’s use within IntelliGrid Architecture environment.

There are no such solutions for username/password and it may be worthwhile to develop such a specification based upon the SAML principles.

For address based credentials, source routing offers a potential solution (see Path Routing and QS service).

 

Table 29: Relevant Specification for the Quality of Identity Service

Identification Number

Name

Comment

OASIS Security Technical Committee

Attribute Profiles for SAML 2.0

Available from:

http://www.oasis-open.org/committees/download.php/6344/sstc-hughes-mishra-baseline-attributes-03.pdf

Incomplete, but is on the correct track.

OASIS Security Technical Committee

SAML 2.0: Security Assertion Markup Language Version 2.0

Recommended

OASIS Security Technical Committee

Bindings for OASIS Security Assertion Markup Language (SAML) V2.0

Available from:

http://www.oasis-open.org/committees/download.php/6773/sstc-saml-bindings-2.0-draft-11-diff.pdf

Draft that specifies how to bind SAML over various protocols. Highly recommended.

OASIS Security Technical Committee

Authentication Context

Available from:

http://www.oasis-open.org/committees/download.php/6539/sstc-saml-authn-context-2.0-draft-04a-diff.pdf

Draft that is needed to establish identity within a SAML environment.

 

 

 

 

IntelliGrid Architecture
Copyright EPRI 2004