Hidehito Gomi

Dynamic Identity Delegation Using Access Tokens in Federated Environments

Identity delegation is an act whereby an entity delegates his or her authority to use identity information to another entity. It has most often been implemented in enterprise environments, but previous studies have focused little on the dynamic data and access management model as well as the design from a practical viewpoint. An identity delegation framework is described for using access tokens across security domains. The framework enables fine-grained access control with limited overhead cost for access management and permission assignment for delegated access.

An authentication trust metric for federated identity management systems

A formalisation of authentication trust is proposed for federated identity management systems. Identity federation facilitates user interaction with Web services that control access, but it is more difficult for a service provider to evaluate the assurance of a users identity if the creation and propagation of user authentication assertions involve different authentication authorities and mediators. On the basis of this formal representation, an aggregated trust value is calculated for evaluating the trustworthiness of a users identity from the users authentication assertions propagated through multiple entities.

User-centric identity governance across domain boundaries

Identity management is a set of viable technologies for supporting electronic interactions requiring identity information in the digital world. Although numerous elemental technologies have been developed in support of emerging standards and specifications, there has been little research on identity governance across domain boundaries from the users viewpoint. It is thus still difficult for users to understand how their own identity information is being maintained, used, and propagated. An identity management framework is described for tracing the history of how a users identity information is handled after it is transferred across domains of control. With this framework, organizations that manage identity information can improve accountability for their data practices and thereby increase their trustworthiness. The framework also enables users to control and optimize the propagation of their identity information in a user-centric manner.

Access Control Model and Design for Delegation Using Authorization Tokens

Delegation of authority is an act whereby an entity delegates his or her authority to use personal information to another entity. It has most often been implemented in enterprise environments, but previous studies have focused little on the dynamic data and access management model or the design from a practical viewpoint. An access control model and its design framework is described in which access tokens are used across security domains. The framework enables fine-grained access control with limited overhead for access management and permission assignment for delegated access.

Policy Provisioning for Distributed Identity Management Systems

A policy provisioning framework is described that supports the management of the lifecycle of identity information distributed beyond security domains. A model for creating data handling policies reflecting the intentions of its system administrator and the privacy preferences of the data owner is explained. Also, algorithms for systematically integrating data handling policies from system entities in different administrative domains are presented. This framework enables data handling policies to be properly deployed and enforced in a way that enhances security and privacy.

Policy Provisioning and Its Access Control Beyond Administrative and Collaborative Domains

A policy provisioning framework is described that supports management of the lifecycle of personal information and its data-handling policies distributed beyond security domains. A model for creating data-handling policies reflecting the intentions of its system administrator and the privacy preferences of the data owner is explained. Also, algorithms for systematically propagating and integrating data-handling policies from system entities in different administrative domains are presented. This framework enables data-handling policies to be properly deployed and enforced in a way that enhances security and privacy.