User centricity: A taxonomy and open issues*
Issue title: The Second ACM Workshop on Digital Identity Management – DIM 2006
Guest editors: A. Goto
Article type: Research Article
Authors: Bhargav-Spantzel, Abhilashaa | Camenisch, Janb | Gross, Thomasb | Sommer, Dieterb
Affiliations: [a] Department of Computer Science, Purdue University, West Lafayette, IN 47907 USA E-mail: bhargav@cs.purdue.edu | [b] IBM Research GmbH, Zürich Research Laboratory, Säumerstrasse 4, CH-8803 Rüschlikon, Switzerland. E-mail: jca@zurich.ibm.com, tgr@zurich.ibm.com, dso@zurich.ibm.com
Note: [*] Part of the work reported in this paper is supported by the European Commission through the IST Project PRIME. The PRIME project receives research funding from the European Community’s Sixth Framework Programme and the Swiss Federal Office for Education and Science.
Abstract: User centricity is a significant concept in federated identity management (FIM), as it provides for stronger user control and privacy. However, several notions of user-centricity in the FIM community render its semantics unclear and hamper future research in this area. Therefore, we consider user-centricity abstractly and establish a comprehensive taxonomy encompassing user-control, architecture, and usability aspects of user-centric FIM. We highlight the various mechanisms to achieve the properties identified in the taxonomy. We show how these mechanisms may differ based on the underlying technologies which in turn result in different trust assumptions. We classify the technologies into two predominant variants of user-centric FIM systems with significant feature sets. We distinguish credential-focused systems, which advocate offline identity providers and long-term credentials at a user's client, and relationship-focused systems, which rely on the relationships between users and online identity providers that create short-term credentials during transactions. Note that these two notions of credentials are quite different. The former encompasses cryptographic credentials as defined by Lysyanskaya et al., in Selected Areas in Cryptography, LNCS, vol. 1758, and the latter encompasses federation tokens as used in today's FIM protocols like Liberty. We raise the question where user-centric FIM systems may go – within the limitations of the user-centricity paradigm as well as beyond them. Firstly, we investigate the existence of a universal user-centric FIM system that can achieve a superset of security and privacy properties as well as the characteristic features of both predominant classes. Secondly, we explore the feasibility of reaching beyond user centricity, that is, allowing a user of a user-centric FIM system to again give away user control by means of an explicit act of delegation. We do neither claim a solution for universal user-centric systems nor for the extension beyond the boundaries of user centricity, however, we establish a starting point for both ventures by leveraging the properties of a credential-focused FIM system.
Keywords: Identity management, security, privacy
DOI: 10.3233/JCS-2007-15502
Journal: Journal of Computer Security, vol. 15, no. 5, pp. 493-527, 2007