Dissertation Ivonne Scherfenberg

The open and decentralized nature of Service-oriented Architectures demands for new security concepts that take these characteristics into account. In the field of identity management, open identity management models have been designed to allow the controlled sharing of identity information across multiple security domains. Designated identity services, so called identity providers are at the heart of these new models and issue identity assertions on behalf of users.

A necessity to share identity information across security domains is the willingness of involved parties to trust on information that is received from a foreign domain. To raise this trust, relying parties require to know something about the origin and management of asserted identity statements. Using existing identity assurance frameworks, identity providers are rated by a single level of trust that is derived from pre-defined assessment criteria.

The approach introduced in this thesis, exceeds the possibilities provided by state-of-the-art assurance frameworks by introducing a more fine-layered view on identity assurance. In the presented trust model, two main trust aspects are considered: (a)trust in an identity provider as the issuer of assertions and (b) trust in single attributes that an identity provider manages. The presented approach is implemented in a logicbased framework that allows a flexible configuration of trust criteria as well as an automated reasoning over collected trust knowledge. This way, trust requirements of service providers can be matched easily with existing organizational and technical trust conditions of identity providers.

Several use cases have been implemented in which the proposed approach and corresponding library are used, among them an online system which allows institute members to use their digital identity with various web and web-service based applications within and outside the Hasso-Plattner-Institute, the HPI Identity Provider.