Overview

Identity in IDsec means that a user is known by a certain profile that contains precisely those attributes that the user wants to reveal to the requester of his profile. Access to profile attributes is managed by the user himself. Certificates and public/private key mechanisms ensure that information is exchanged in a secure way only between parties that trust each other.

Profiles are stored with so-called Profile Managers somewhere on the Internet. Profile Managers are parties that have a trusted relationship with the Profile Owners whose Profiles they store in their databases. A Profile Manager runs a server application that allows his clients to modify their Profile over a secure connection. In addition to modifying attributes and their values, Profile Owners can assemble Access Control Lists that specify which attributes are accessible to which Profile Requesters. Access Control Lists are based on certificate information.

Upon starting an Internet action that requires the use of IDsec, a Profile Owner logs in with the Profile Manager. This "session login" results in the creation of a "session certificate" that is sent to the Owner. The session certificate represents the Owner in the current Internet session and contains a reference to the location of his Profile. The Profile Owner sends the session certificate to the IDsec-enabled Profile Requester. The Requester, in turn, sends it together with his own root certificate to the location specified in the session certificate. The Profile Manager uses the session certificate to identify the Owner and to assemble a Profile Requester-specific Profile based on the Requester's credentials and the Access Control List that the Owner specified. The Profile Requester now has a customer Profile that he can use to personalize content, to do accounting and/or billing (possibly in combination with a third party) and any other business that he would normally do with locally stored customer data.

Notice that IDsec supports "anonymous browsing" and single sign-on; it does not necessarily reveal the name and address of the Profile Owner or any other attribute that uniquely identifies the Profile Owner. IDsec transmits exactly those attributes that an Owner trusts to be sent to the Requester.
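The following is an added example, not IDsec code or a description of its actual message formats. It walks through the exchange above in a single process: the Owner's session login, the session certificate that names a session and the Profile location but not the Owner, the Requester forwarding that certificate with its own certificate, and the Profile Manager applying the Owner's Access Control List before returning a Requester-specific Profile. All names (`alice`, `CN=shop.example`, `https://pm.example/idsec`) and values are constructed, and an HMAC under a Manager-held key stands in for the public-key signature a real certificate would carry.

```python
"""Constructed walk-through of the IDsec exchange (example code, not IDsec's own)."""
import hashlib
import hmac
import json
import secrets

# --- Constructed sample data (hypothetical names and values) ---
PROFILE_LOCATION = "https://pm.example/idsec"   # hypothetical Profile Manager location
PM_SIGNING_KEY = secrets.token_bytes(32)         # stands in for the Manager's private key
OWNER_SECRETS = {"alice": "alice-login-secret"}  # Owner login credentials held by the Manager

# The stored Profile of one Owner: attribute -> value.
PROFILES = {
    "alice": {
        "name": "Alice Example",
        "address": "1 Example Street",
        "language": "nl",
        "newsletter": "weekly",
    }
}

# Access Control List per Owner: Requester certificate subject -> attributes it may see.
# A Requester that is not listed receives no attributes at all.
ACLS = {
    "alice": {
        "CN=shop.example": {"language", "newsletter", "address"},
        "CN=news.example": {"language"},
    }
}

# Manager-side session table: session id -> owner id. The owner id is deliberately
# kept out of the session certificate, which is what allows anonymous browsing.
SESSIONS = {}


def _sign(payload: bytes) -> str:
    """HMAC stand-in for the Manager signing the session certificate."""
    return hmac.new(PM_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def session_login(owner_id: str, secret: str) -> dict:
    """Step 1: the Owner logs in with the Profile Manager and receives a session certificate."""
    if owner_id not in OWNER_SECRETS or not hmac.compare_digest(
        OWNER_SECRETS[owner_id].encode(), secret.encode()
    ):
        raise PermissionError("session login failed")
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = owner_id
    # The certificate names the session and where the Profile lives, not who the Owner is.
    body = json.dumps(
        {"session": session_id, "profile_location": PROFILE_LOCATION}, sort_keys=True
    ).encode()
    return {"body": body.decode(), "sig": _sign(body)}


def request_profile(session_cert: dict, requester_cert: dict) -> dict:
    """Steps 2-4: the Requester forwards the Owner's session certificate together with
    its own certificate; the Manager verifies the certificate, identifies the Owner
    through the session table, and returns only the ACL-permitted attributes."""
    body = session_cert["body"].encode()
    if not hmac.compare_digest(_sign(body), session_cert["sig"]):
        raise ValueError("session certificate signature invalid")
    fields = json.loads(body)
    if fields["profile_location"] != PROFILE_LOCATION:
        raise ValueError("certificate was issued for a different Profile Manager")
    owner_id = SESSIONS.get(fields["session"])
    if owner_id is None:
        raise ValueError("unknown or expired session")
    allowed = ACLS.get(owner_id, {}).get(requester_cert["subject"], set())
    profile = PROFILES[owner_id]
    return {attr: value for attr, value in profile.items() if attr in allowed}


if __name__ == "__main__":
    cert = session_login("alice", "alice-login-secret")
    print(request_profile(cert, {"subject": "CN=shop.example"}))
    print(request_profile(cert, {"subject": "CN=news.example"}))
```

Two points the code makes concrete: the Requester never sees `name` unless the ACL grants it, and because the session certificate carries only an opaque session id, the Requester cannot learn the Owner's identity from the certificate itself, only what the Manager releases. A tampered or foreign certificate is rejected before any ACL lookup takes place.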