D7.5 Gap Analysis for Current Identity Management Standards

Contributing Partners

ATOS, GUF, ICERT, SIC, TUG

Executive Summary 

The goal of the CREDENTIAL project is to develop a privacy-preserving data sharing platform (Wallet) with an integrated identity provider (IdP), which can be used to share authorized data without the Wallet learning any of the user’s personal information. The CREDENTIAL Wallet will use novel cryptographic mechanisms such as proxy re-encryption to ensure end-to-end protection of critical identity data. The functionality and added value of these services will be showcased by pilots from three different domains: e-Government, e-Health, and e-Business.

A central task that has to be performed in order to develop such a data sharing platform is to evaluate current identity management standards and technologies and to develop approaches to integrate proxy re-encryption (PRE) into their work flow. Additionally, to identify how the standards are influenced with the introduction of proxy re-encryption and how the current specifications of the identity management standards lack in supporting encrypted data.

In this report, we present a setting which enables an identity provider to re-encrypt the identity attributes requested by the service provider using a proxy re-encryption scheme upon user’s consent. This setting is designed considering the CREDENTIAL use cases and requirements which require the private key of the user to be accessible only within the user’s trust zone. Then, we selected standards and technologies that are relevant in a federated identity management scenario and categorized them as: identity and access management protocols, transport encoding and cryptographic APIs. To integrate proxy re-encryption into established standards and technologies following the setting, we designed protocol specific approaches to extend these standards to support additional transactions and data introduced by a PRE scheme. Eventually, we identify the technical gaps in the current specifications of the selected standards, which limits them from supporting proxy re-encryption scheme specific transactions and handling encrypted identity data. Finally, we report the identified gaps and discuss what exactly the standards has to provide in order to support proxy re-encryption.

Additionally, based on the initial assessment, and on the continually developing CREDENTIAL results, the gaps identified in the identity management standards could be potentially used to initiate standardization and liaison activities.

*This deliverable will be made available after acceptance by the European Commission in late 2018.