Identity management stands as one of most complex problems towards the unification of diverse network technologies and the creation of the so called “Future Internet”. A unified solution capable of supporting the identity management problems for every case, has not yet been proposed. Nearly all existing solutions claim that they are capable of expanding and be operational in a global scale, however, this is valid only if specific requirements are met. Their applicability highly depends on proprietary features like the use of specific global identity formats (e.g. Open-ID, VID, XID) and protocols (e.g. SAML), while their scope is confined in closed trusted groups (Federations) with statically defined procedures and mechanisms.
DIMANDS (Dynamic Identity Mapping, Association N’ Discovery System) introduces a different approach for addressing the identity management problem in global scale. Its main principle is to avoid the development of a huge system that would embrace everything, capable of supporting all cases and systems, and instead create a system that could support existing networks and contexts, to independently deal with their own identity management problems. This approach, which is presented the following example, indicates that there must be a clear separation between identity data discovery and identity data exchange. In Figure 1 provider “supplier.com” simultaneously participates in two Federations. Federation A, which is formed to provide online purchase services, and Federation B, which is formed by organizations and providers located in a specific country. A user logs on to his account in provider “webstore.com”, using the identifier “user@webstore.com”, and requests a specific service (online purchase). In order to complete the transaction, “webstore.com” must contact other providers from Federation A. The “supplier.com” though needs to validate user’s age, before completing his part of the transaction. However, this information (user’s age) does not exist in any of the participating providers in Federation A, but in a provider participating in Federation B.
Federations A and B are formed to serve different purposes and it makes no sense to integrate. On the other hand, providers cannot reject or limit their service provisioning based only on data available in a specific context. “Supplier.com” has already established procedures and trust to acquire all the required information it needs to complete the transaction. Existing literature fails to support this case because “supplier.com” cannot autonomously discover where the desired information resides and even if it somehow knew that the information existed in the “gov.com”, the username “user@webstore.com” means nothing to “gov.com”.
Figure 1: Cross federation service delivery using existing protocols and procedures
In the heterogeneous environment of the FI, providers will most likely participate in many different federations and will have established protocols and procedures to communicate in them. Instead of trying to create a global system, it is more feasible to look for a solution that interconnects different contexts (domains, federations etc) and enables identity consumers (identity consumer: someone who needs to access identity data in order to complete an operation) to independently deal with their own specific identity issues. This approach does NOT handle any identity related operations (each context can design its own solution) but only acts as the GLUE between diverse identity information scattered across various network places. This example clearly highlights the need for a framework capable of discovering and associating user identity data necessary to complete a specific operation complemented with a formal procedure to ask for them.
More information about the DIMANDS system can be found in the following publications:
Lampropoulos K., Denazis S., “Identity management directions in Future Internet”, In IEEE Communications Magazine, Vol 49 – Issue 12 (December 2011), pp 74- 83, DOI:10.1109/MCOM.2011.6094009
Lampropoulos K., Diaz-Sanchez D., Almenares F., Weik P., Denazis S., “Introducing a cross federation identity solution for converged network environments”. In Principles, Systems and Applications of IP Telecommunications (IPTComm ’10) ACM, August 2-3, 2010, Munich, Germany, pp 1-11, DOI: https://dl.acm.org/doi/10.1145/1941530.1941532