You are here: Resources > FIDIS Deliverables > HighTechID > D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management > 

D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management

Requirements Analysis  Title:
 Advantages and Disadvantages




The idea behind the architecture is to benefit from the advantages of different TCG specifications in order to establish a trusted infrastructure that allows fulfilment of the requirements mentioned above. The architecture is shown below, together with the protocol needed for establishing the trust, especially across identity domains. 

Figure 8: Interoperable credentials across Identifier Domains [140] 


  1. The architecture integrates the role of Privacy-CA explained in section 8.6.2. The Privacy-CA’s main role in this case is to check the trustworthiness of the Identity Provider residing in Identifier Domain A, and to issue him an AIK credential with authorizing attribute. For this purpose, the Identity Provider has to communicate his Endorsement Key provided by his TPM vendor, and an AIK generated by his TPM (cf. 4.2.2).  

  2. After regular authentication and authorization of the user, which is usually based on a pre-defined policy, the Identity Provider will then be able to issue an identity credential for the requesting user. This credential should include the AIK credential obtained from the Privacy-CA, in addition to status information in the form of integrity measurements performed and stored in the TPM.

  3. The user will then use his identity credential to authenticate and authorize himself at a Service Provider belonging to Identifier Domain B. 

  4. Since the status information is TPM-generated, it can be compared to reference values. The Service Provider will attempt to validate the identity credential of the user based on the AIK credential provided by the Privacy-CA, and the verification of the status information trustworthiness.


With this protocol, a Service Provider residing in Identifier Domain B will be able to accept identity credentials issued by Identity Providers in Identifier Domain A, and that is based on the trust in the Privacy-CA, and the integration of TPM hardware and functionalities. 


Requirements Analysis  fidis-wp3-del3.9_Study_on_the_Impact_of_Trusted_Computing_on_Identity_and_Identity_Management_v1.1.sxw  Advantages and Disadvantages
32 / 38