In identity and access management (IAM), an identity provider (IdP) forwards identity attributes to a service provider (SP) over an untrusted network. The Transport Layer Security (TLS) protocol protects the integrity and confidentiality of these attributes in transit, but it only protects each hop between adjacent nodes, not the path from one end to the other, which means that intermediaries such as IdPs have access to sensitive information.
Proxy cryptography is a privacy-enhancing technology that can be used to protect the confidentiality of attributes end-to-end. This document provides a guideline for IAM software producers and standards organizations to integrate proxy cryptography into existing IAM software. The guideline describes how to realize an attribute exchange infrastructure with end-to-end encryption. At the same time, the chosen design grants users control over their identity and minimizes the effort of integrating the changes.
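The end-to-end property described above, as an added example that is not part of this document: a toy ElGamal-based proxy re-encryption (BBS98-style) in which the IdP holds only a re-encryption key, so it converts the user's ciphertext into one the SP can decrypt without ever seeing the attribute. The group parameters, the byte-wise encoding and all function names are constructed assumptions, and the parameters are far too small for real use.

```python
import secrets

# Constructed toy parameters: safe prime P = 2*Q + 1 and a generator G of the
# order-Q subgroup. Only meant to make the flow visible, not to be secure.
P, Q, G = 1019, 509, 4


def keygen():
    """ElGamal-style key pair: secret exponent in [1, Q-1], public key G^sk."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)


def encrypt(pk, attribute: bytes):
    """User encrypts an attribute under their own public key, one byte per
    group element (value + 1 so the plaintext is never 0).
    Ciphertext per byte: (m * G^k, pk^k) = (m * G^k, G^(sk*k))."""
    out = []
    for byte in attribute:
        k = 1 + secrets.randbelow(Q - 1)
        out.append(((byte + 1) * pow(G, k, P) % P, pow(pk, k, P)))
    return out


def rekey(sk_user, sk_sp):
    """Re-encryption key user -> SP. BBS98 is bidirectional, so the key is
    derived from both secrets; the IdP receives only this quotient mod Q."""
    return sk_sp * pow(sk_user, -1, Q) % Q


def reencrypt(rk, ciphertext):
    """IdP (the proxy) maps G^(sk_user*k) to G^(sk_sp*k). The masked attribute
    bytes (first component) pass through untouched; the IdP learns nothing."""
    return [(c1, pow(c2, rk, P)) for c1, c2 in ciphertext]


def decrypt(sk, ciphertext):
    """Holder of sk recovers G^k = c2^(1/sk) and unmasks each byte."""
    inv = pow(sk, -1, Q)
    return bytes((c1 * pow(pow(c2, inv, P), -1, P) % P) - 1 for c1, c2 in ciphertext)


def attribute_exchange(attribute: bytes):
    """Full flow: user encrypts, IdP re-encrypts blindly, SP decrypts."""
    sk_u, pk_u = keygen()
    sk_sp, _ = keygen()
    ct_for_user = encrypt(pk_u, attribute)          # stored at / sent via IdP
    ct_for_sp = reencrypt(rekey(sk_u, sk_sp), ct_for_user)  # done by IdP
    return decrypt(sk_sp, ct_for_sp)                # SP reads the attribute
```

The user's ciphertext is also decryptable by the user, so the same stored value serves both self-access and forwarding to an SP.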
The guideline builds upon two IAM scenarios which we introduce in this document. In the first scenario, the exchanged attributes belong to an end user, who manages the interactions independently. In the second scenario, the attributes belong to employees of a company and the interactions are partly managed by IT professionals of that company.
For each scenario, this document discusses which changes need to be made in the systems that handle the IAM process and at which events the changes occur. We propose an abstracted view of the events that happen prior to and during the attribute exchange. This abstraction is mostly independent of specific IAM protocols or technologies, which improves the applicability of the proposed changes. We discuss each event and derive conditions that, if fulfilled, realize the scenarios. Finally, the document summarizes all conditions in the form of a checklist. IAM developers can use this checklist to assess the development and integration effort for components and to evaluate readiness for deployment.