FileSpace: an alternative to CardSpace that supports multiple token authorisation and portability between devices
Source: IDtrust; Vol. 373 archive
Proceedings of the 8th Symposium on Identity and Trust on the Internet
Gaithersburg, Maryland
SESSION: Information cards
Pages: 94-102
Year of Publication: 2009
ISBN: 978-1-60558-474-4
Author: David Chadwick, University of Kent, Canterbury
Sponsors: Internet2; OASIS IDtrust Member Section; FPKIPA (Federal Public Key Infrastructure Policy Authority); The National Institute of Standards and Technology
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1527017.1527030

ABSTRACT

This paper describes a federated identity management system based on long-lived encrypted credential files rather than virtual cards and short-lived assertions. Users obtain their authorisation credential files from their identity providers (IdPs) and have them bound to their public key certificates, which can hold any pseudonym the user wishes. Users can then use these credentials multiple times without the identity providers being able to track their movements and without having to authenticate to the IdP each time. The credentials are worthless to an attacker if lost or stolen, so they need no special protection mechanisms: they can be copied freely between multiple devices, and users can present multiple credentials in a single transaction. Users only need to authenticate to their private key store in order for it to produce the signed token that the service provider needs to authenticate the user and decrypt the authorisation credentials. The signed token is bound to the service provider and is short-lived, to prevent man-in-the-middle attacks.

