A Consistency Model for Identity Information in Distributed Systems

In distributed IT systems, replication of information is commonly used to strengthen fault tolerance on a technical level or the autonomy of an organization on a business level. In particular, information related to the identity of a user, which is used to authorize service access, is often replicated for these reasons. To ensure correct authorization decisions, replicas have to be kept consistent. However, an appropriate definition of "consistency" is required that takes into account the following aspects: (i) semantic and causal relations between identity information, and (ii) temporal aspects with respect to an acceptable duration of the dissemination of attribute changes. Neither identity-information specifics nor temporal aspects are addressed sufficiently by existing consistency models. In this paper we introduce a consistency model for identity information in distributed systems named ID-consistency. ID-consistency is based on a formalization of identity information and considers semantic and causal relations as well as a so-called inconsistency window, which denotes the time period between a change to information and the moment when the change is fully disseminated. The model thereby reveals the fundamental structure of an IdM system and helps in the design and analysis of corresponding dissemination middleware in distributed systems. As an example, we show how to use the concept of ID-consistency to analyze and improve a real-world IdM system, using CardSpace for demonstration purposes.
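As an added illustration of the two aspects the abstract names, and not code from the paper, the following Python sketch models replicated identity attributes with a causal dependency (a role derived from a department, a constructed assumption) and measures the inconsistency window of a change across replicas; the attribute names, versions and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

@dataclass
class Update:
    attr: str
    value: Any
    version: int                   # per-attribute version assigned at the source
    depends_on: Dict[str, int]     # causal context: attribute -> version the writer had seen

@dataclass
class Replica:
    name: str
    state: Dict[str, Tuple[Any, int]] = field(default_factory=dict)
    applied_at: Dict[Tuple[str, int], float] = field(default_factory=dict)

    def apply(self, upd: Update, t: float) -> bool:
        """Apply upd at time t only if every attribute it causally depends on is already
        at the required version; otherwise defer it (return False), so an authorization
        decision never observes the dependent attribute ahead of its cause."""
        for dep, ver in upd.depends_on.items():
            if self.state.get(dep, (None, 0))[1] < ver:
                return False
        self.state[upd.attr] = (upd.value, upd.version)
        self.applied_at[(upd.attr, upd.version)] = t
        return True

    def has_role(self, role: str) -> bool:
        return self.state.get("role", (None, 0))[0] == role

def inconsistency_window(replicas: List[Replica], upd: Update, t_change: float) -> Optional[float]:
    """Time from the change at the source until the last replica applied it;
    None while dissemination is still incomplete."""
    times = [r.applied_at.get((upd.attr, upd.version)) for r in replicas]
    return None if None in times else max(times) - t_change

def scenario() -> dict:
    a, b = Replica("A"), Replica("B")
    for r in (a, b):                                    # constructed initial state, in sync
        r.apply(Update("department", "accounting", 1, {}), -10.0)
        r.apply(Update("role", "employee", 1, {}), -10.0)
    dept = Update("department", "external", 2, {})      # change at the source at t = 0
    role = Update("role", "guest", 2, {"department": 2})  # role change caused by the move
    a.apply(dept, 1.0); a.apply(role, 2.0)
    deferred = not b.apply(role, 1.0)                   # B sees the effect before its cause
    stale_grant = b.has_role("employee")                # decision inside the window uses stale data
    b.apply(dept, 3.0); b.apply(role, 3.0)              # cause arrives, deferred update now applies
    return {"deferred": deferred, "stale_grant": stale_grant,
            "role_window": inconsistency_window([a, b], role, 0.0)}
```

The returned window (3.0 time units here) is the quantity an operator would compare against the acceptable dissemination duration the abstract refers to.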
