D3.1: Overview on IMS

Executive Summary

This document gives an overview of existing identity management systems (IMS). Using the definitions established in the FIDIS Network of Excellence (Deliverable 2.1), and looking at the management procedures and the data being managed, three types of IMS can be distinguished:

  1. Type 1: IMS for account management, implementing authentication, authorisation, and accounting,

  2. Type 2: IMS for profiling of user data by an organisation, e.g. detailed log files or data warehouses which support, for example, personalised services or the analysis of customer behaviour,

  3. Type 3: IMS for user-controlled context-dependent role and pseudonym management. 
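The type 3 definition above (user-controlled, context-dependent role and pseudonym management) is easiest to grasp from the user's side: the full identity stays on the user's device, and each service only ever sees a context-specific pseudonym together with the attributes the user has agreed to release in the role chosen for that context. The following Python model is an added illustration of that idea and is not code from the FIDIS deliverable or from any of the systems it surveys (iManager, idemix and the others are real systems with their own, different designs). The HMAC-based pseudonym derivation, the `UserControlledIMS` class, the role names and the sample attributes are all assumptions constructed for this example.

```python
"""Toy model of a type 3 IMS: user-controlled, context-dependent
pseudonym and role management.  Added illustration, not code from the
FIDIS deliverable or any system it describes."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    """A role the user can act under; `disclosed` names the attributes
    the user is willing to release while acting in this role."""
    name: str
    disclosed: frozenset


class UserControlledIMS:
    """Client-side identity manager.  The user keeps the full identity
    locally and hands each service only a context-specific pseudonym
    plus the attributes permitted by the role chosen for that context."""

    def __init__(self, secret: bytes, attributes: dict):
        self._secret = secret                 # never leaves the user's device
        self._attributes = dict(attributes)   # the full identity
        self._roles = {"anonymous": Role("anonymous", frozenset())}
        self._context_roles = {}              # context -> role name

    def define_role(self, name: str, disclosed) -> None:
        # Refuse roles that promise attributes the user does not hold.
        unknown = set(disclosed) - set(self._attributes)
        if unknown:
            raise ValueError(f"role {name!r} discloses unknown attributes {sorted(unknown)}")
        self._roles[name] = Role(name, frozenset(disclosed))

    def assign_role(self, context: str, role_name: str) -> None:
        if role_name not in self._roles:
            raise KeyError(role_name)
        self._context_roles[context] = role_name

    def pseudonym(self, context: str) -> str:
        # HMAC over the context name (assumed design): stable within one
        # context so a relationship can be resumed, while different contexts
        # yield values a service cannot link without the user's secret.
        return hmac.new(self._secret, context.encode(), hashlib.sha256).hexdigest()[:16]

    def partial_identity(self, context: str) -> dict:
        """What the service behind `context` receives.  A context without an
        explicitly chosen role falls back to the anonymous role and gets
        nothing but the pseudonym."""
        role = self._roles[self._context_roles.get(context, "anonymous")]
        released = {k: v for k, v in self._attributes.items() if k in role.disclosed}
        return {"pseudonym": self.pseudonym(context), "role": role.name, **released}


def demo() -> dict:
    """Constructed sample user and contexts; returns what each service sees."""
    user = UserControlledIMS(
        secret=b"constructed-demo-secret-not-a-real-key",
        attributes={"name": "Alice Example", "email": "alice@example.invalid",
                    "age_over_18": True, "employer": "Example Corp"},
    )
    user.define_role("customer", {"email", "age_over_18"})
    user.define_role("employee", {"name", "employer"})
    user.assign_role("bookshop", "customer")
    user.assign_role("intranet", "employee")
    # "forum" is deliberately left without a role: it sees only a pseudonym.
    return {ctx: user.partial_identity(ctx) for ctx in ("bookshop", "intranet", "forum")}


if __name__ == "__main__":
    for ctx, view in demo().items():
        print(ctx, view)
```

Running `demo()` shows the three properties that distinguish this type from an organisation-side account system: the bookshop never learns the user's name, the intranet never learns the private e-mail address, and none of the three services receives a pseudonym it could match against the other two. In a real type 3 system the pseudonyms would typically be backed by credentials (e.g. idemix-style anonymous credentials, as discussed later in the deliverable) rather than by a bare HMAC, so that a service can verify the released attributes without learning the underlying identity.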

A survey of existing implementations of IMS, including prototypes and concepts, leads to three classes of solutions:

  1. Class 1: Pure IMS whose main objective is to support or implement identity management functionality 

  2. Class 2: Systems/applications with another core functionality, but based on and thereby supporting at least some identity management functionality 

  3. Class 3: Systems/applications which are independent from identity management functionality, but nevertheless offer at least some identity management functionality, such as add-ons 

In this document 60 IMS were investigated and categorised in these three classes and 14 corresponding purpose oriented subclasses. Most of the examined type 3 IMS are tools and programs with partial functionality of IMS; they are not integrated solutions. 

To give an overview of the variety of existing technical implementations, different designs of IMS are presented. These examples focus on IMS of type 1 and 3; IMS of type 2 will be covered in Deliverable 7.2 within the FIDIS NoE. In this chapter relevant standards and basic technologies such as “Liberty Alliance”, XML/SOAP and the “idemix” credential system are presented. In addition, examples of existing implementations of IMS (Sun Java Access Manager as type 1 and iManager as type 3) are discussed, showing the main functionalities and the basic architecture of such systems. Finally, an example of good practice for the implementation of an IMS (in this case type 1) is presented, i.e. a project in a Hungarian bank including the analysis of the requirements and the selection and implementation of an appropriate technical solution.

An additional important part of this document is the description of privacy-related mechanisms for IMS. Ten main mechanisms, related to the main functionality of IMS (security, privacy enhancing technologies and designs, interoperability and successful market penetration), are introduced and discussed in the context of the three types of IMS. For type 1 and type 3 IMS, recommendations and examples of technical implementations of these mechanisms are presented. This structure can be used to categorise existing privacy enhancing technologies (PET) for IMS.

According to studies carried out e.g. by the Gartner Group, the Yankee Group and the Radicati Group, the market for IMS of type 1 is expected to grow fast at least until 2008. Turnover forecasts start from 748 million US $ in 2004 and vary from 3 billion US $ in 2007 to 10.2 billion US $ in 2008. Technologically, we observe a trend towards further integration of related solutions such as customer relationship management systems (CRM) and further decentralisation of account administration (federated IMS).

For type 3 IMS we observe a technological trend towards new standards such as OASIS XDI/XR.

In general we notice that the originally quite strict borders between the three defined types of IMS are diminishing. Type 1 IMS (account management systems) are currently expanding towards customer relationship management (CRM), which could as well be used in the context of type 2 IMS. In addition to the organisation-side view, type 2 IMS (profiling systems) have a client-side view, which could as well be considered identity management of type 3. The categorisation into three types, originally designed for different products, still serves well to describe particular views on increasingly integrated solutions.

Applying the economic lifecycle model for products to the identified types of IMS, we observe that IMS of types 1 and 2 are in the second phase (expansion) of this model. Market mechanisms (such as competition between various manufacturers and supported standards like XML/SOAP, LDAP, SQL, etc.) work quite well for these types of IMS. Looking at IMS of type 3, we observe that they are in the “experimental” phase of the economic lifecycle model. The large variety of existing solutions presented in this document, the low degree of commercial activity (compared to IMS of types 1 and 2) and the significant public activity (publicly promoted projects, public research) lend support to this classification.

Looking at technological aspects of the described types of IMS, no public technology promotion is necessary for IMS of types 1 and 2. Areas of research and development are the integration of related and so far independent systems and technologies. This could lead to further development of the framework of European legislation (especially in the sector of privacy compliance) or of its application.

While the necessity for legislative activity is the same for type 3 IMS as for IMS of types 1 and 2, there are additional needs. Barriers to expanding markets, and possible activities for overcoming those barriers, are:

  1. Perceptions of what identity management is differ widely. A clearer taxonomy and public awareness are necessary.

  2. While current concepts and technologies for identity management are not commonly understood, new technologies such as RFID and Ambient Intelligence are emerging. The technical possibility of remote readout, e.g. of an RFID tag without any notice by the user, raises new questions for identity management: most IMS established today rely on authentication performed actively by the user.
     In addition, known technologies such as mobile devices and biometrics are developing towards new services or applications (e.g. location based services and ID documents). Public reception, influenced by technology-friendly placement and a lack of integrated concepts, is dominated by the discussion of risks. Technological, political, social and economic opportunities have to be looked at in combination with legislation (including human rights and privacy compliance). As a result there will be recommendations for further integrated technological development and for the development of legislation addressing those technologies.

  3. Integration of the existing, technologically feasible solutions is generally poor; interoperability is therefore a major area of interest.

  4. While there are some prototypes with good usability features (e.g. iManager), many tools and applications examined in this document are of poor usability (e.g. first-generation remailers). This applies especially to those tools addressing special technical solutions for privacy. To gain better market acceptance, usability has to be improved.

  5. For type 3 IMS, privacy compliance is a unique selling proposition. On the other hand, dependability and risk minimisation (understood as elements of security) are important for the providers of commercial or governmental services. This disjunction is leading to a separate discussion of fraudulent use together with criminal and forensic aspects of identity and identity management. Recommendations for further development of legislation, based on an integrated understanding of the underlying technologies and social systems, could be one result of this discussion.

fidis-wp3-del3.1.overview_on_IMS.final_04.sxw