Mobile Cloud Identity Profile Version 1.0

Committee Note Draft 01 / Public Review Draft 01
10 June 2013

Specification URIs
This version:
  mobile/v1.0/cnprd01/IDCloud-mobile-v1.0-cnprd01.doc (Authoritative)
  mobile/v1.0/cnprd01/IDCloud-mobile-v1.0-cnprd01.html
  mobile/v1.0/cnprd01/IDCloud-mobile-v1.0-cnprd01.pdf
Previous version: N/A
Latest version:
  v1.0.doc (Authoritative)
  v1.0.html
  v1.0.pdf

Technical Committee: OASIS Identity in the Cloud TC
Chairs:
  Anil Saldhana ([email protected]), Red Hat
  Anthony Nadalin ([email protected]), Microsoft
Editors:
  Anil Saldhana ([email protected]), Red Hat
  Dominique Nguyen ([email protected]), Bank of America
  Chris Kappler, PricewaterhouseCoopers LLP

Related work: This document is related to: Identity in the Cloud Use Cases Version 1.0. 08 May 2012. OASIS Committee Note 01. usecases-v1.0-cn01.html

Abstract: This document is intended to provide a profile for Mobile Identity Management.

Status: This document was last revised or approved by the OASIS Identity in the Cloud TC on the above date. The level of approval is also listed above. Check the "Latest version" location noted above for possible later revisions of this document. Technical Committee members should send comments on this document to the Technical Committee's email list. Others should send comments to the Technical Committee by using the "Send A Comment" button on the Technical Committee's web page.

Citation format: When referencing this document the following citation format should be used:
[IDCloud-mobile-v1.0] Mobile Cloud Identity Profile Version 1.0. 10 June 2013. OASIS Committee Note Draft 01 / Public Review Draft 01. mobile/v1.0/cnprd01/IDCloud-mobile-v1.0-cnprd01.html

Notices
Copyright © OASIS Open 2013. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

IDCloud-mobile-v1.0-cnprd01 | Non-Standards Track Work Product. The patent provisions of the OASIS IPR Policy do not apply. | Copyright © OASIS Open 2013. All Rights Reserved. | 10 June 2013 | Page 2 of 13
Table of Contents
1 Introduction ...... 5
  1.1 References (non-normative) ...... 5
2 Definitions ...... 6
3 Use Cases ...... 8
  3.1 Use Case 21: Mobile Customers' Identity Authentication Using Cloud Provider ...... 8
    3.1.1 Short description ...... 8
    3.1.2 Relevant applicable standards ...... 8
4 Challenges ...... 9
  4.1 Federated Identity Support ...... 9
  4.2 Authorization ...... 9
  4.3 Secure connections ...... 9
  4.4 Mobile User Authentication and Device Registration ...... 9
5 Standards ...... 10
  5.1 Federated Identity ...... 10
  5.2 Identity Management Provisioning ...... 10
  5.3 Authorization ...... 10
Appendix A. Acknowledgments ...... 11
Appendix B. Some Appendix ...... 12
  B.1 Subsidiary Section ...... 12
    B.1.1 Sub-subsidiary Section ...... 12
Appendix C. Revision History ...... 13
1 Introduction
This document describes the mobile consumers' authentication use case, the challenges, and the applicable standards in the Cloud-As-A-Service (*aaS) model, with the mobile device acting as an additional strong authentication factor.

1.1 References (non-normative)
[IDCLOUD-USECASES-1.0] M. Rutkowski, Identity in the Cloud Use Cases v1.0, OASIS Consortium, 08 May 2012. usecases-v1.0-cn01.html
[NIST-SP800-164] L. Chen, J. Franklin, A. Regenscheid, Guidelines on Hardware-Rooted Security in Mobile Devices (Draft), Recommendations of the National Institute of Standards and Technology (NIST), Computer Security Division, Computer Security Resource Center (CSRC), October 2012. 164/sp800_164_draft.pdf
[NIST-SP800-145] P. Mell, T. Grance, The NIST Definition of Cloud Computing, SP800-145, National Institute of Standards and Technology (NIST), Computer Security Division, Computer Security Resource Center (CSRC), January 2011. 145/SP800-145.pdf
[Type the document title] A device device A may a establish unique identitydevice forthe of purpose authentication. device of state the microphonethe as on either or etc. off, off, or on either as encryption file of state the not, or validated either as OS an of state the unverified, or verified either as firmware of state the represent to assertions use may devices Mobile authentication. device of purpose the for identity device unique a more establish may device A or Owner. Information one the to make through to device is a allows Owner state Device the trusted that assertions this communicating for has mechanism device The A party. party. relying relying a by trusted is that state a by trusted is a that state a in are configurations hardware and firmware, software, in its if integrity be to shown be a can of device the software of and firmware hardware, state the the if integrity device maintained has in it that evidence provide can device mobile corruption A device. of absence the is integrity Device mobile Every example. for devices, mobile from hasdevice single a OwnerDevice and or one moreInformation Owners. resources an to or access provider, allows product that digital a enterprise provider, application-specific an be can Owner Information Information An is anOwner entity whose information storedis and/or processed a on device. An device. mobile a of ownership [NISTSP800-164] maintains minimal and purchased has that with entity an is storage, Owner released Device A and servers, provisioned networks, rapidly (e.g., be resources can computing that management effort or service provider interaction. services) configurable and of applications, pool shared a to access network on-demand convenient, ubiquitous, enabling for model a is computing Cloud 2 IDCloud-mobile-v1.0-cnprd01 AUTHENTICATION F Information an owner. as Cloud the with interaction identity Device Mobile typical a at look now We Non-Standards TrackNon-Standards IGURE Definitions
The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply SERVICE M This Non-Standards is a Work Product. Track OBILE
UNIQUE Copyright © Copyright OASIS Open Reserved.Rights© All 2013.
10 June 102013 Page 6 of 13
The authentication scenario sequence includes:
1. A Mobile client logs on to the device via the Financial Institution's (FI) on-line service website.
2. Based on pre-arrangement, the Mobile client is directed to the Cloud authentication service provider.
3. The Mobile client enters the credential for authentication.
4. Mutual authentication is invoked; authentication information and attributes are passed over the wireless network and a secure channel is established to the Cloud authentication service provider.
5. The Cloud authentication service provider validates the credential and the secure device credential (mobile phone number, the Mobile device's unique attributes, other Mobile client and user credential attributes).
6. The Mobile client is authenticated and passed forward to the banking system to allow access to the system to conduct a financial transaction.
7. The secure connection is maintained throughout the session.
8. The Mobile client completes the transaction and logs off.
9. The secure channel terminates.
3 Use Cases
3.1 Use Case 21: Mobile Customers' Identity Authentication Using Cloud Provider
3.1.1 Short description
This document demonstrates the need for a standard to authenticate a mobile consumer user whose identity exists in secure Cloud-based Identity and Access Management (identity authentication) services offering identity proofing, credential management, strong authentication, single sign-on and provisioning solutions, when the Cloud-based identity service is used as an intermediary between a consumer and a business enterprise.
3.1.2 Relevant applicable standards
SAML, OAuth, XSPA, WS-Trust, PMRM
4 Challenges
4.1 Federated Identity Support
There is a need to support Federated Identities in any *aaS model.
4.2 Authorization
There is a need to perform authorization of resources and applications by users and processes.
4.3 Secure connections
There is a need to ensure a secure connection between the Mobile Device, the Cloud Information Owner and the Enterprise Application.
4.4 Mobile User Authentication and Device Registration
There is a need to authenticate the mobile user.
One potential solution is as follows: The goal is to identify a user using a secure channel. Sending a hash sets up the channel. The hash is a combination of the phone IMEI Number and the SIM card serial number. The reason these attributes are used is that they are common to all manufacturers and all carriers. They can also be obtained in the same manner independent of manufacturer and carrier. Hashing is done so that none of the information is sent as clear text over a carrier. Once a secure channel is established, user authentication is done by means of a certificate and PIN.
There are two ways of provisioning:
- If the device is company owned, then the hash result is inserted directly in the system.
- If the device is not company owned, then the hash is sent out at first installation over a secure channel.
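As an added example (not part of the OASIS document), the registration and authentication steps of section 4.4 in Python: the device computes the IMEI + SIM serial hash, the two provisioning paths populate a server-side store, and authentication checks the device hash before the certificate and PIN. The store keys its copies with a server-only pepper (HMAC), an addition beyond the page, because an unkeyed hash over IMEI and ICCID can be reversed by enumerating the small identifier space if the store leaks; the identifiers and pepper are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample identifiers for this example (not real devices): IMEI, SIM card serial (ICCID).
COMPANY_DEVICE = ("490154203237518", "8901260123456789012")
BYOD_DEVICE = ("356938035643809", "8944500012345678901")

def luhn_ok(digits: str) -> bool:
    # IMEIs carry a Luhn check digit; reject malformed values before hashing.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def device_hash(imei: str, sim_serial: str) -> str:
    """The profile's device identifier: a hash over IMEI + SIM serial, computed on the device."""
    if not (re.fullmatch(r"\d{15}", imei) and luhn_ok(imei)):
        raise ValueError("IMEI must be 15 digits with a valid check digit")
    if not re.fullmatch(r"\d{18,20}", sim_serial):
        raise ValueError("SIM serial (ICCID) must be 18-20 digits")
    return hashlib.sha256(f"{imei}:{sim_serial}".encode()).hexdigest()

class RegistrationStore:
    # Server side. Hashes are stored peppered with a server-only key (assumption beyond the page).
    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._registered = set()
    def _stored_form(self, dev_hash: str) -> str:
        return hmac.new(self._pepper, dev_hash.encode(), hashlib.sha256).hexdigest()
    def provision_company_owned(self, imei: str, sim_serial: str) -> None:
        # Company-owned device: the hash result is inserted directly in the system.
        self._registered.add(self._stored_form(device_hash(imei, sim_serial)))
    def provision_first_install(self, dev_hash: str, channel_secure: bool) -> bool:
        # Non-company device: the hash arrives at first installation, and only over a secure channel.
        if not channel_secure or not re.fullmatch(r"[0-9a-f]{64}", dev_hash):
            return False
        self._registered.add(self._stored_form(dev_hash))
        return True
    def is_registered(self, dev_hash: str) -> bool:
        return self._stored_form(dev_hash) in self._registered

def authenticate(store: RegistrationStore, dev_hash: str, cert_valid: bool, pin_ok: bool) -> str:
    """Order the profile describes: the device hash sets up the channel, then certificate and PIN."""
    if not store.is_registered(dev_hash):
        return "unknown-device"
    if not (cert_valid and pin_ok):
        return "user-auth-failed"
    return "authenticated"
```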
5 Standards
The standards that are applicable to *-as-a-Service are divided into the following sections.
5.1 Federated Identity
The following OASIS standards for Federated Identity are applicable:
• OASIS SAML
• OASIS WS-Trust and WS-Federation
• OASIS XSPA profile of SAML
5.2 Identity Management Provisioning
The following OASIS Standards for Identity Management provisioning are applicable:
• OASIS SPML
5.3 Authorization
The following OASIS Standards for Authorization are applicable:
• OASIS XACML
• OASIS OAuth
Appendix A. Acknowledgments
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
Anil Saldhana, Red Hat
Anthony Nadalin, Microsoft
David Turner, Microsoft
Matt Rutkowski, IBM
David Kern, IBM
Chris Kappler, PricewaterhouseCoopers
Abbie Barbir, Bank of America
Dominique Nguyen, Bank of America
Thomas Hardjono, MIT
Jeffrey Broberg, CA Technologies
John Tolbert, The Boeing Company
Gines Dolera Tormo, NEC Corporation
Felix Gomez Marmol, NEC Corporation
Cathy Tilton, Daon
Dale Moberg, Axway Software
David Chadwick, Individual
Gershon Jannsen, Individual
Roger Bass, Individual
Michele Drgon, Individual
Appendix B. Some Appendix
text.
B.1 Subsidiary Section
Text.
B.1.1 Sub-subsidiary Section
Text.
Appendix C. Revision History

Revision  Date           Editor                               Changes Made
1.0a      May 13, 2013   Anil Saldhana and Dominique Nguyen   Initial Version with content from Dominique
1.0b      June 10, 2013  Chris Kappler                        Mobile User Authentication and Device Registration