Abstract
Federated identity management allows a user to efficiently authenticate and use identity information from data distributed across multiple domains. The sharing of data across domains blurs security boundaries and potentially creates privacy risks. We examine privacy risks and fundamental privacy protections of federated identity- management systems. The protections include minimal disclosure and providing PII only on a “need-to-know” basis. We then look at the Liberty Alliance system and analyze previous privacy critiques of that system. We show how law and policy provide privacy protections in federated identity-management systems, and that privacy threats are best handled using a combination of technology and law/policy tools.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Acquisti, A.: Identity Management, Privacy, and Price Discrimination. IEEE Security and Privacy 6(2), 46–50 (2008)
Alsaleh, M., Adams, C.: Enhancing Consumer Privacy in the Liberty Alliance Identity Federation and Web Services Frameworks. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 59–77. Springer, Heidelberg (2006)
Bhargav-Spantzel, A., Squicciarini, A., Bertino, E.: Establishing and Protecting Digital Identity in Federation Systems. CERIAS Tech Report 2007-18
Gevers, S., Verslype, K., De Decker, B.: Enhancing Privacy in Identity Management Systems. In: Workshop on Privacy in the Electronic Society, pp. 60–63 (2007)
Hardt, D.: Identity 2.0 Keynote, http://youtube.com/watch?v=RrpajcAgR1E
idemix for Internet anonymity, http://www.zurich.ibm.com/security/idemix/ptext.html (last viewed April 29, 2008)
inCommon Federation, http://www.incommonfederation.org/
Jøsang, A., AlZomai, M., Suriadi, S.: Usability and Privacy in Identity Managements Systems. In: Australasian Information Security Workshop: Privacy Enhancing Technologies 2007 (2007)
Wason, T. (ed.): Liberty Alliance Project, Liberty ID-FF Architecture Overview, Version 1.2 (2005)
Landau, S. (ed.): Liberty Alliance Project, Liberty ID-WSF Security and Privacy Overview, Version 1.0 (2003)
Varney, C. (ed.): Liberty Alliance Project, Privacy and Security Best Practices, Version 2.0, November 12 (2003)
Varney, C., Sheckler, V. (eds.): Liberty Alliance Project, Deployment Guidelines for Policy Decision Makers, Version 2.9, September 21 (2005)
Liberty Alliance Project, An Overview of the Id Governance Framework, ed (July 2007), http://projectliberty.org/liberty/content/download/3500/23156/file/overview-id-governance-framework-v1.0.pdf
Hodges, J., Kemp, J., Aarts, R., Whitehead, G., Madsen, P. (eds.): Liberty Alliance Project, Liberty ID-WSF SOAP Binding Specification, Version 2.0 July 7 (2007), http://www.projectliberty.org/liberty/content/download/897/6267/file/liberty-idwsf-soap-binding-v2.0.pdf
Liberty Alliance Papers, http://projectliberty.org/liberty/resource_center/papers (last viewed March 27, 2008)
Maler, E., Reed, D.: The Venn of Identity: Options and Issues in Federated Identity Management. IEEE Security and Privacy 6(2), 16–23 (2008)
McKenzie, R., Crompton, M., Wallis, C.: Use Cases for Identity Management in E-Government. IEEE Security and Privacy 6(2), 51–57 (March/April)
Office of the Chief Information and Privacy Officer, Province of Ontario, Privacy Impact Assessment Guidelines (December 1999) (updated June 2001)
Pfitzmann, B.: Privacy in Enterprise Identity Federation –Policies for Liberty 2 Single Signon. Elsevier Information Security Technical Report (ISTR), 9/1, pp. 45–58 (2004); preliminary version appeared as Pfitzmann, B.: Privacy in enterprise identity federation. In: Dingledine, R. (ed.) PET 2003, LNCS. vol. 2760, pp. 189–204. Springer, Heidelberg (2003)
Pfitzmann, B., Waidner, M.: Analysis of Liberty Single-Sign-on with Enabled Clients. IEEE Internet Computing, 38–44 (November/December 2003)
Ranger, S.: NHS e-record opt-out offered. IT Management News, December 19 (2006), http://news.zdnet.co.uk/itmanagement/0,1000000308,39285203,00.htm (last viewed January 18, 2009)
Shamir, A.: Secureclick: A web payment system with disposable credit card numbers. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, pp. 232–242. Springer, Heidelberg (2002)
Stubblebine, S.G., Syverson, P.F.: Authentic Attributes with Fine-Grained Anonymity Protection. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 276–294. Springer, Heidelberg (2001)
U-Prove SDK Overview, April 16 (2007), http://www.credentica.com/ (last viewed May 3, 2008)
Wilson, Y.: Personal communication
Winn, J.: Information Technology Standards as a Form of Consumer Protection Law. In: Winn, J. (ed.) Consumer Protection in the Age of the Information Economy, Ashgate (2006)
Web Services Policy 1.5 Framework (October 2007), http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Landau, S., Le Van Gong, H., Wilton, R. (2009). Achieving Privacy in a Federated Identity Management System. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-03549-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03548-7
Online ISBN: 978-3-642-03549-4
eBook Packages: Computer ScienceComputer Science (R0)