cally and the user can use DFSP3 to access services from DFSP1. An implementation based on SAML was presented to show the applicability of their proposal. The main limitation of the proposal is that SAML must be altered extensively in order to accommodate the interaction between different DFSPs. Furthermore, the discussion of the trust negotiation procedure is vague, since it is not clear what type of information is needed during the trust negotiation procedure and how the negotiation procedure establishes different levels of trust.
Another solution is proposed in [27], where trust values are calculated using a modified Dijkstra algorithm, a distributed reputation value is calculated using Google's PageRank algorithm, and the trust and reputation values are then used to create dynamic federations. Like [25], their proposal deals with the issue of dynamic trust establishment between different entities but does not consider how those entities can be federated dynamically. Furthermore, this also requires a major change to the SAML protocol in order to integrate and utilise such trust values during the protocol flow.
2.4 User-controlled Identity Management Systems
In this research, the concept of a User-controlled Identity Management System is proposed for tackling several problems of existing Identity Management Systems and for allowing users to have more control over their own attributes. To enable this, a user-controlled Portable Personal IdP, which is hosted on a mobile device of the user, is introduced. Being a novel topic, there is no published literature on the User-controlled Identity Management System. The closest to the theme of the User-controlled Identity Management System is the concept of the Portable Identity Provider, which is a special type of IdP. The initial concept of such an IdP can be found in [28], where the authors proposed their idea of Identity-aware Devices. An identity-aware device contains a local IdP hosted inside a Trusted Processing Module (TPM) in the device. The local IdP is coupled with a telecom provider which acts as the principal IdP. The user needs to create an account with the telecom provider and link the local IdP with the principal IdP. The linking procedure allows the local IdP to fetch some crucial user attributes from the principal IdP and store them safely in local storage. Using the local IdP, the user can release those attributes to access services from an SP which is part of the same federation as the principal IdP. Being part of the same federation as the principal IdP, the SP can validate the released attributes using existing technologies such as SAML. The idea of the user-controlled IdP is similar to this approach with one major difference: this approach requires the user to rely heavily on the principal IdP, i.e. the telecom operator, whereas the proposed concept advocates decoupling the reliance on any other external IdP.
Another work related to this theme can be found in [29], in which a portable Liberty Alliance¹-enabled IdP installed in a mobile phone is presented. The IdP is installed on the phone and is accompanied by a Relay Server which is maintained by a Mobile Operator. The relay server is responsible for providing the URL of the IdP. During authentication, the user provides the URL to the SP, which uses it to send an authentication request via the relay server, which in turn forwards the request to the IdP. The IdP then authenticates the user using the PIN (Personal Identification Number) of the SIM (Subscriber Identity Module). The advantage of such a portable IdP is that the authentication information is not transmitted over the network. However, there is no discussion of how the federation is established and, in the absence of a federation, how an assertion can be validated. Moreover, the mobile operator has to establish a relay server, meaning the operator has to offer a new service for it. Without any business prospect on their part, many operators may not be interested in bearing the associated cost. Moreover, apart from authenticating a user, this approach does not state how user attributes will be transmitted to an SP.
In [31], the author proposes a form of device-centric identity which allows a user to authorise a device to use a cryptographic key to identify the user and allow access to online services. The user can add new devices to, or remove old ones from, the list of authorised devices. In essence, the authorised device can act as an IdP. The proposal is only an outline, and how it could be realised is not explained.
Current popular smartphone Operating Systems such as Android [32], iOS [33] and Windows [34] are associated with their respective identity providers: for Android the IdP is Google Account [35], for iOS it is Apple ID [36] and for Windows it is Windows Live ID [37]. Among them, Apple ID and Windows Live ID are mostly used to access services associated with Apple and Windows respectively. Only Google has a Federated Login service, based on the OpenID protocol, that allows users to use their Google accounts to access services offered by other service providers [38]. Users carrying a mobile phone with a Google account can access supported online services while on the move. Even though this adds an element of portability, the Google IdP is not installed in the mobile phone and acts just like any third-party IdP holding user attributes. Hence, it cannot be tagged as a user-controlled IdP.
Also, it is worth noting that every Identity Management System is bound by a set of functional, security, privacy and trust requirements. Unfortunately, none of the works mentioned in this section provides a thorough analysis of these requirements. In this thesis, these requirements will be introduced and analysed in the appropriate chapters.
¹ More precisely the “Identity Federation Framework” (ID-FF) formulated by the Liberty Alliance (LA, in