Liberty Alliance Identity Assurance Framework from a practical point of view ... in a Danish context
Jan Riis, jri lakeside.dk @
IDTrust’08 - NIST - Gaithersburg - 2008-03-05
A little History
• Danish Healthcare has been working 3 years with Identity Based Web Services
• 2005: MedCom and Danish Regions
• ”Competed” for the first standard/profile
• No governance towards standardization:
  • No Authentication levels defined
  • No high level architecture for WS communication
  • No criteria for assuring trust of key WSP’s
Consequences
• Parties started out with 6 levels of ”authenticity”
  • Some based on PKI
  • Some based on username/pwd
  • Some levels for ”delegated trust” (systems vouching for user authenticity)
  • Some levels target cross-cutting security properties (non-repudiation of messages etc.)
There is a need for IAF!
• ITST standardized authentication levels in 2006 for all public systems
  • Directly referred to NIST work
• 2007: Health sector standards were aligned with national guidelines
• Without the national/international standards, this would not have happened!
Trust relationships?
• NIST Authentication levels do not relate directly to “trust”
• So how will the concept of “trust” be used in Danish Health Care?
• Enter: “Digital Health Denmark”
  • Aims at increasing treatment quality by “enabling” access to all relevant information
A few years from now?
[Diagram: Public Regional Solutions; Other Health Solutions; Governmental services (eg. public Medication/Prescription); Private Hospital Solutions; Private Practitioners Solutions]
Solution 1 - establish trust?
[Diagram: the same domains (Public Regional Solutions; Other Health Solutions; Governmental services (eg. public Medication/Prescription); Private Hospital Solutions; Private Practitioners Solutions), each domain with its own STS]
Solution 2 - National ESB+PKI?
[Diagram: Other Health Solutions; Public Regional Solutions; Private Practitioners Solutions; Private Hospital Solutions; Governmental services (eg. public Medication/Prescription), all connected to a central “National ESB+STS solution”]
National Distributed ESB+PKI
[Diagram: Other Health Solutions; Public Regional Solutions; Private Practitioners Solutions; Private Hospital Solutions; Governmental services (eg. public Medication/Prescription), connected through the “National ESB+STS solution”]
Preconditions for implementation
• Based on a “Federated ESB” pattern
  • Other parties are now exposing services on the “National ESB”
  • Digital Health is responsible for QoS etc.
• Preconditions:
  • Common understanding of levels of authentication assurance
  • Very strong governance as to which criteria must be met to join the national ESB
  • Assessment criteria for services for the ESB
  • Accreditation and certification rules
= Many parts of IAF
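The three slides above (the six home-grown ”authenticity” levels, the national ESB+STS hub, and the precondition of a common understanding of assurance levels) describe one mechanism: a local STS vouches for a user, a national STS re-issues the token with a normalised assurance level, and a service (WSP) trusts only the national STS. The Python model below is an added illustration written for this page; it is not code from the talk, from Digital Health Denmark or from the Liberty Alliance. The STS names, keys, the credential-to-level mapping and the cap placed on ”delegated trust” are all constructed, and an HMAC stands in for the XML signature a real STS would produce and a WSP would verify against the STS certificate.

```python
"""Toy federation: regional STS -> national STS (hub) -> WSP.

Added example, not the talk's or Digital Health Denmark's code.  Every name,
key and level mapping here is constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed mapping from the authentication method a local STS used to a
# NIST SP 800-63 style assurance level (1..4).  The real mapping is set by the
# national guideline, not by this table.
CREDENTIAL_LEVEL = {"username_password": 2, "soft_pki": 3, "hardware_pki": 4}

# Constructed rule: "delegated trust" (a system vouching for a user it
# authenticated by unspecified means) can never exceed level 1 at the hub.
DELEGATED_CAP = 1


def _sign(key: bytes, claims: dict) -> str:
    """HMAC over the canonical JSON of the claims; stand-in for an XML signature."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _verify(key: bytes, token: dict) -> bool:
    return hmac.compare_digest(_sign(key, token["claims"]), token["sig"])


class STS:
    """A local (regional, hospital, practitioner) security token service."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def issue(self, claims: dict) -> dict:
        claims = dict(claims, issuer=self.name)  # issuer is always set by the STS
        return {"claims": claims, "sig": _sign(self.key, claims)}


class NationalSTS(STS):
    """Hub on the national ESB: trusts a fixed set of local STSs and normalises levels."""

    def __init__(self, name: str, key: bytes, trusted: Dict[str, bytes]):
        super().__init__(name, key)
        self.trusted = trusted  # issuer name -> verification key (accreditation list)

    def exchange(self, token: dict) -> Optional[dict]:
        issuer = token["claims"].get("issuer")
        key = self.trusted.get(issuer)
        if key is None or not _verify(key, token):
            return None  # not accredited, or signature does not check out
        c = token["claims"]
        level = CREDENTIAL_LEVEL.get(c.get("method"), 0)
        if c.get("delegated"):
            level = min(level, DELEGATED_CAP)
        return self.issue({"subject": c["subject"], "level": level, "via": issuer})


class WSP:
    """A service on the national ESB; trusts the national STS only."""

    def __init__(self, national: NationalSTS, required_level: int):
        self.national, self.required_level = national, required_level

    def authorize(self, token: dict) -> bool:
        c = token["claims"]
        if c.get("issuer") != self.national.name:
            return False  # tokens straight from a local STS are not accepted
        if not _verify(self.national.key, token):
            return False  # tampered claims (e.g. an edited level)
        return c.get("level", 0) >= self.required_level


def demo() -> Dict[str, bool]:
    """Run the constructed scenarios; the medication service requires level 3."""
    region = STS("region-north-sts", b"region-secret")
    rogue = STS("unknown-sts", b"unknown-secret")  # not on the accreditation list
    national = NationalSTS("national-sts", b"national-secret", {region.name: region.key})
    medication = WSP(national, required_level=3)

    def attempt(local: STS, claims: dict) -> bool:
        tok = national.exchange(local.issue(claims))
        return tok is not None and medication.authorize(tok)

    tampered = national.exchange(region.issue({"subject": "dr-b", "method": "username_password"}))
    tampered["claims"]["level"] = 4  # edited after issuance; signature no longer matches

    return {
        "pki_user": attempt(region, {"subject": "dr-a", "method": "soft_pki"}),
        "password_user": attempt(region, {"subject": "dr-b", "method": "username_password"}),
        "delegated_pki": attempt(region, {"subject": "dr-c", "method": "hardware_pki", "delegated": True}),
        "untrusted_sts": attempt(rogue, {"subject": "dr-d", "method": "hardware_pki"}),
        "local_token_replayed_to_wsp": medication.authorize(
            region.issue({"subject": "dr-e", "method": "hardware_pki", "level": 4})),
        "tampered_level": medication.authorize(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hub is visible in `WSP.authorize`: the service holds one trust relationship (the national STS) instead of one per domain, and the level it acts on is the hub's normalised value, not whatever a local STS chose to call its own level. Only `pki_user` is authorised in the demo; the password login falls short of level 3, the delegated assertion is capped, the unaccredited STS is refused at the hub, and a local token or an edited level fails signature or issuer checks at the service.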
Taking IAF further?
• IdP’s/STS’ are also WSP’s
• My wish: separate the WSP assessment criteria from IAF and create “SPAF”
• Make IAF an IdP specialization of “SPAF”
Trust! Another example of IAF usage
• Health Professionals will now and again need access to other domains (other federations)
[Diagram: IdP/STS]
Thank You!
Questions?