Portable Personal Identity Provider in Mobile Phones

摘要

This paper analyses the prospect of having a Portable Personal Identity Provider (PPIdP, in short) in the mobile phone. The ubiquitous presence of powerful mobile phones equipped with high speed networks can be utilised to make the mobile phone act as a portable and personal Identity Provider (IdP, in short) on behalf of their users. Such an IdP would be helpful for the user in the sense that it will provide a central location to manage different user attributes which are generally scattered among different service providers in the traditional setting of online services. In addition, the user needs to trust the provider to store those attributes securely which may not be always honoured and crucial user attributes may be abused. Creating a Personal Identity Federation using a personal IdP can tackle many of these stated problems. Moreover, such an IdP may provide additional advantages. We have developed such a Mobile IdP for the Android platform based on the Security Assertion Markup Language (SAML) and OpenID as a proof of concept using the Jetty Web Server. In this paper, we discuss the functionalities of our developed IdP and the technical challenges we have faced. Moreover, we analyse the security, privacy and trust issues involved in having such an IdP and the advantages it offers.