[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Auth]Re: [CoreTeam]IDsec meeting

From: Hans Zandbelt
Subject: [Auth]Re: [CoreTeam]IDsec meeting
Date: Thu, 29 Nov 2001 15:58:53 +0100


At 13:13 11/29/2001 +0100, Norbert Bollow wrote:
>Would it be possible to also make some information about IDsec
>public quickly (e.g. by posting it to the auth list)?

I've sent you a slightly more detailed description (about half a page)
about IDsec before. I've attached it below.

I'm preparing sort of a white paper about the architecture and
implementation, which I want to put on an IDsec website later.


Hans Zandbelt                         address@hidden 
Telematica Instituut            
P.O.Box 589, 7500 AN                   Phone: +31 53 4850445 
Enschede, Netherlands                    Fax: +31 53 4850400 

I D s e c

IDsec is a mechanism that provides an identity for users on the internet.
Identity in our system means that a user is known by a certain profile which
contains precisely those attributes that the user wants to reveal to the 
requester of
his profile.
Access to profile attributes is managed by the user himself. Certificates and
public/private key mechanisms ensure that information is exchanged in a
secure way between parties that trust eachother.


User profiles are stored with so-called Profile Providers somewhere on the
Internet. Profile Providers are parties that have a trusted relationship with
the users whose profiles they have stored in their databases.

A Profile Provider runs a server application that allows his clients to modify
their profile over a secure connection. Typically this will be implemented as a
web-service that can be accessed by a web-browser that is HTTPS capable. In
addition to modification of user attributes and their values, users can assemble
so-called Access Control Lists that specify which attributes are accessible to
which Content Providers. Access Control Lists are based on certificates.

When starting a web session that requires the use of IDsec, the user will login
with the Profile Provider with a username/password combination. This "session 
will result in the creation of a so-called session certificate that is sent to 
the user.
The session certificate merely consists of a session identifier and a URL that
indicates the location of the user's profile.

The users web-client sends the session certificate to the IDsec enabled web-site
of the Content Provider. The Content Provider in his turn, sends it together 
his own certificate to the URL specified in the session certificate over a 
connection. The Profile Provider uses the session certificates to identify the 
and assembles a Content-Provider-specific user profile based on the Content 
credentials and the Access Control List that the user specified.

The Content Provider now has a user profile that he can use to personalize 
to do accounting and/or billing (eventually in combination with a third party) 
any other business that he would normally do with a customer database.

Notice that IDsec supports "anonymous browsing"; it does not neccesarily reveal 
name and/or address of the user. IDsec transmits exactly those attributes that 
a user
trusts to be sent to the requester.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]