Abstract
To foster the secure use of telematic services provided by public institutions, most European countries – and others in the rest of the world – are promoting electronic identification systems among their citizens to enable fully reliable identification. However, in today's globalized environment, it is becoming more common for citizens and entities of a given country, holding electronic credentials issued under the legal framework of their own country, to seek access to the public services provided by other countries with different legal frameworks and credentials. At present, a number of projects in the European Union are attempting to solve the problem through pan-European identity management systems that ensure interoperability between the public institutions of different Member States. However, the solutions adopted to date are inadequate, for they do not envision all possible cases of user interaction with institutions. Specifically, they fail to address a very important aspect provided for in different national legal systems, namely delegation of identity, by which a citizen can authorize another to act on his or her behalf in accessing certain services provided by public institutions. This paper provides a thorough analysis of the problems of delegation and proposes an architecture based on X.509 Proxy Certificates and SAML assertions to enable delegation in the provision of services in the complex and heterogeneous environment presented by the public institutions of the European Union as a whole.
© 2010 IFIP International Federation for Information Processing
Sánchez García, S., Gómez Oliva, A. (2010). Improvements of pan-European IDM Architecture to Enable Identity Delegation Based on X.509 Proxy Certificates and SAML. In: Samarati, P., Tunstall, M., Posegga, J., Markantonakis, K., Sauveron, D. (eds) Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices. WISTP 2010. Lecture Notes in Computer Science, vol 6033. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12368-9_13
DOI: https://doi.org/10.1007/978-3-642-12368-9_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12367-2
Online ISBN: 978-3-642-12368-9