[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Auth]Re: [CoreTeam]IDsec meeting
|
From: |
Hans Zandbelt |
|
Subject: |
[Auth]Re: [CoreTeam]IDsec meeting |
|
Date: |
Thu, 29 Nov 2001 15:58:53 +0100 |
Norbert,
At 13:13 11/29/2001 +0100, Norbert Bollow wrote:
>Would it be possible to also make some information about IDsec
>public quickly (e.g. by posting it to the auth list)?
I've sent you a slightly more detailed description (about half a page)
about IDsec before. I've attached it below.
I'm preparing sort of a white paper about the architecture and
implementation, which I want to put on an IDsec website later.
Hans.
------------------------------------------------------------
Hans Zandbelt address@hidden
Telematica Instituut http://www.telin.nl
P.O.Box 589, 7500 AN Phone: +31 53 4850445
Enschede, Netherlands Fax: +31 53 4850400
I D s e c
---------
IDsec is a mechanism that provides an identity for users on the internet.
Identity in our system means that a user is known by a certain profile which
contains precisely those attributes that the user wants to reveal to the
requester of
his profile.
Access to profile attributes is managed by the user himself. Certificates and
public/private key mechanisms ensure that information is exchanged in a
secure way between parties that trust eachother.
Overview
--------
User profiles are stored with so-called Profile Providers somewhere on the
Internet. Profile Providers are parties that have a trusted relationship with
the users whose profiles they have stored in their databases.
A Profile Provider runs a server application that allows his clients to modify
their profile over a secure connection. Typically this will be implemented as a
web-service that can be accessed by a web-browser that is HTTPS capable. In
addition to modification of user attributes and their values, users can assemble
so-called Access Control Lists that specify which attributes are accessible to
which Content Providers. Access Control Lists are based on certificates.
When starting a web session that requires the use of IDsec, the user will login
with the Profile Provider with a username/password combination. This "session
login"
will result in the creation of a so-called session certificate that is sent to
the user.
The session certificate merely consists of a session identifier and a URL that
indicates the location of the user's profile.
The users web-client sends the session certificate to the IDsec enabled web-site
of the Content Provider. The Content Provider in his turn, sends it together
with
his own certificate to the URL specified in the session certificate over a
secure
connection. The Profile Provider uses the session certificates to identify the
user
and assembles a Content-Provider-specific user profile based on the Content
Provider
credentials and the Access Control List that the user specified.
The Content Provider now has a user profile that he can use to personalize
content,
to do accounting and/or billing (eventually in combination with a third party)
and
any other business that he would normally do with a customer database.
Notice that IDsec supports "anonymous browsing"; it does not neccesarily reveal
the
name and/or address of the user. IDsec transmits exactly those attributes that
a user
trusts to be sent to the requester.
- [Auth]Re: [CoreTeam]IDsec meeting,
Hans Zandbelt <=