Decentralized Identity for the Digital Business Ecosystem
by Jean-Marc Seigneur
Trustworthy decentralized identity mechanisms are promising to foster the Digital Business Ecosystem (DBE), an EU-funded FP6 IST Integrated Project. While progress has been made and driver SMEs are lobbying for more, such mechanisms still remain on the research agenda.
The Digital Business Ecosystem (DBE) funding consists of a €14 million three-year research project supported by the European Commission's 6th Framework Programme IST Thematic Priority. The project started in November 2003 and is planned to end in October 2006. Twenty partners from ten EU Member States are involved. Regional involvement ensures that the end objective is to benefit SMEs.
Thanks to the technical commons provided by the DBE, even micro-companies will soon have access to advanced information and communication technologies to grow their business. A minimal set-up example may be a simple broadband connection to the Internet combined with a running peer-to-peer version of the DBE SERVENT (SERVer/clieNT) to have access to the free common DBE services (such as business Web presence and networking). Thanks to the open-source DBE Studio, more customized services or revenue-generating owned services could just as easily be developed and served.
This example highlights a few visible aspects in favour of the sustainability of the DBE: the use of basic means to access the Internet; the provision of valuable open-source building blocks; and the unobtrusive sharing of unused computer resources of those who found value in running the basic building blocks. The research so far has focused on the scalability, availability and reusability of the technical commons. Advances have been made in peer-to-peer replication; transparent firewall/NAT traversal; service composition; business ontology modelling, learning and evolution; and self-organization of service proxies and super peers.
The interest from driver SMEs has been so significant that many of these driver companies have lobbied for a faster implementation of a more secure version of the technical commons. Indeed, without authentication of the interacting entities, the three main security properties, confidentiality, integrity and availability, can be trivially violated.
Unfortunately, the current state of the art in security for identity management is challenged by open large-scale decentralized environments, such as peer-to-peer on top of the Internet. The Identity Gang task force has recently been set up to discuss whether or not the new Microsoft Identity Meta-system proposal is a sound basis on which to build decentralized identity management. This proposal seems to scale down the scope of Microsoft's previous Passport effort with regard to identity management. It appears to indicate that federated identity management may never be globally adopted by SMEs due to their overheads.
In addition, in the spirit of a self-organized DBE, identity management in the DBE should be an entity-centric identity management solution rather than a system-imposed one. Entity-centric identity management is inherently decentralized because any entity is free to choose how its identifiers and credentials are managed. The current proposal is to store IDBEs, the identifiers and their associated credentials, in CREdential Servers (CRES), similarly to the GRID MyProxy credential repository. In fact, the GRID initiative has similar security requirements to those of the DBE, especially to coordinate resource sharing in dynamic, multi-institutional virtual organizations. The worldwide Grid community has put a lot of effort into security between decentralized virtual organizations. It therefore makes sense to reuse their work, which has resulted in a comprehensive toolkit called the Grid Security Infrastructure (GSI). However, since securely using the GSI involves quite a steep learning curve, we envisage a simplified version of the GSI, with more convenient graphical user interfaces than the basic GSI command line tools. We are also working towards a more portable CRES than the MyProxy credential server.
The CRES may be either local or remote and would be used to retrieve X.509 Proxy Certificate credentials when needed. The advantage of a remote CRES is that users can use IDBEs on different computers without undertaking the risky task of moving the long-term credentials between these computers. If the CRES is managed by a professional CRES DBE service provider, the long-term credentials become better protected thanks to the knowledgeable security staff of the provider. The choice of the trusted Certificate Authorities (CAs) is left to the SERVENT owners. By default, the trusted CAs may be limited to CAs run by known DBE regional catalysts. However, our approach is open to external providers such as the current main Internet CAs or specific peers running a DBE CRES service. Thus, we allow the DBE peers to use a spectrum of technical trust in IDBEs: from self-signed, to certified by a web of computational trust or free CAs, such as CAcert, to current professional CAs including insurance and fraud protection services.
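The trust-anchor choice and the spectrum of technical trust described in the two paragraphs above, as an added Go example that is not code from the DBE project or the GSI: a SERVENT owner registers the CAs it trusts together with the level each confers, a presented credential is classified from self-signed up to CA-certified using Go's standard crypto/x509 chain builder, and a threshold check decides whether that level is enough for a given service. The TrustAnchors and TrustLevel types, the ordering of the levels, the constructed CAs and SME certificates, and the names sme-a to sme-d are all assumptions made for illustration. The example issues ordinary short-lived end-entity certificates rather than RFC 3820 proxy certificates, because Go's verifier does not build chains through a non-CA issuer; a CRES handing out real GSI proxy credentials would need a GSI-aware validator, but the expiry behaviour shown at the end applies to both.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustLevel ranks the article's spectrum of technical trust; the ordering is an
// assumption made for this example, not a DBE specification.
type TrustLevel int

const (
	Untrusted      TrustLevel = iota // no valid chain to a registered anchor
	SelfSigned                       // the peer vouches for itself only
	CommunityCA                      // free CA or web-of-trust style issuer
	CatalystCA                       // CA run by a DBE regional catalyst
	ProfessionalCA                   // commercial CA with fraud protection
)

func (l TrustLevel) String() string {
	return [...]string{"untrusted", "self-signed", "community-ca", "catalyst-ca", "professional-ca"}[l]
}

// TrustAnchors (hypothetical type) is one SERVENT owner's set of trusted CAs.
type TrustAnchors struct {
	roots   *x509.CertPool
	levelOf map[string]TrustLevel // anchor subject -> level it confers
}

func (a *TrustAnchors) Add(ca *x509.Certificate, level TrustLevel) {
	a.roots.AddCert(ca)
	a.levelOf[string(ca.RawSubject)] = level
}

// Classify returns the level of the anchor ending a valid chain for leaf, SelfSigned
// if leaf is instead its own issuer and verifies under its own key, else Untrusted.
func (a *TrustAnchors) Classify(leaf *x509.Certificate, now time.Time) (TrustLevel, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: a.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil {
		return a.levelOf[string(chains[0][len(chains[0])-1].RawSubject)], nil
	}
	// Verify reports expiry before chain building, so only an unknown-authority
	// error on a self-issued certificate can still mean "self-signed and valid".
	if _, unknown := err.(x509.UnknownAuthorityError); !unknown || !bytes.Equal(leaf.RawSubject, leaf.RawIssuer) {
		return Untrusted, err
	}
	if err := leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature); err != nil {
		return Untrusted, err
	}
	return SelfSigned, nil
}

// Accept is the owner's threshold decision, e.g. a higher minimum for revenue-generating services.
func Accept(level, minimum TrustLevel) bool { return level != Untrusted && level >= minimum }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for cn signed by signer; parent == nil makes it self-signed.
func issue(cn string, now time.Time, ttl time.Duration, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario builds a constructed PKI (a catalyst CA, a community CA and a CA the owner never
// registered), issues one credential under each plus a self-signed peer, classifies them,
// and finally re-presents a valid credential after it has expired.
func Scenario() map[string]TrustLevel {
	now, day := time.Now(), 24*time.Hour
	catalystKey, communityKey, strangerKey, peerKey := newKey(), newKey(), newKey(), newKey()
	newCA := func(cn string, k *ecdsa.PrivateKey) *x509.Certificate { return issue(cn, now, 365*day, true, nil, &k.PublicKey, k) }
	catalyst := newCA("DBE Regional Catalyst CA (constructed)", catalystKey)
	community := newCA("Community CA (constructed)", communityKey)
	stranger := newCA("Unknown CA (constructed)", strangerKey)
	anchors := &TrustAnchors{roots: x509.NewCertPool(), levelOf: map[string]TrustLevel{}}
	anchors.Add(catalyst, CatalystCA)
	anchors.Add(community, CommunityCA)
	creds := map[string]*x509.Certificate{
		"catalyst-issued":  issue("sme-a", now, day, false, catalyst, &peerKey.PublicKey, catalystKey),
		"community-issued": issue("sme-b", now, day, false, community, &peerKey.PublicKey, communityKey),
		"stranger-issued":  issue("sme-c", now, day, false, stranger, &peerKey.PublicKey, strangerKey),
		"self-signed":      issue("sme-d", now, day, false, nil, &peerKey.PublicKey, peerKey),
	}
	results := map[string]TrustLevel{}
	for name, c := range creds {
		results[name], _ = anchors.Classify(c, now)
	}
	results["catalyst-issued-expired"], _ = anchors.Classify(creds["catalyst-issued"], now.Add(2*day))
	return results
}

func main() {
	for name, level := range Scenario() {
		fmt.Printf("%-24s %s\n", name, level)
	}
}
```

Classify deliberately never decides on its own whether self-signed is good enough; it only reports where on the spectrum a credential sits, and Accept applies the owner's minimum, so the same anchors can serve free common services with a low threshold and owned, revenue-generating services with a higher one. The last entry in Scenario shows why short-lived credentials matter for a CRES: the credential that was accepted a moment ago is reported as untrusted once its validity period has passed, without any revocation machinery.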
DBE website: http://www.digital-ecosystem.org
The DBE team at Trinity College Dublin (thanks to DSG DBE for the general discussions and David O'Callaghan for his comments with regard to Grid security): http://www.dsg.cs.tcd.ie/?category_id=-55
GRID Security Infrastructure: http://www.globus.org/security/
Computational trust: http://www.trustcomp.org/
The Identity Gang: http://www.identitygang.org/
Example DBE driver SME lobbying for more security: http://yukatan.fi/display/yukatan/2005/07/12/DBE+updates
Jean-Marc Seigneur, Trinity College Dublin, Ireland
Tel: +353 1 608 1761