Integrating User Identity Management Systems with the Host Identity Protocol

Marc Barisch
Institute of Communication Networks and Computer Engineering, University of Stuttgart
marc.barisch@ikr.uni-stuttgart.de

Alfredo Matos
Institute of Telecommunications, University of Aveiro
alfredo.matos@av.it.pt

Abstract—Identity Management (IdM) on the application layer improves the usability and security for end users by offering features like Single Sign-On and attribute provisioning. Unrelated approaches on the network layer introduce identity concepts to solve mobility problems and support multihoming. This paper describes a novel approach to the integration of IdM on the application layer with identity concepts introduced by the Host Identity Protocol (HIP). We propose an integrated architecture combining the advantages of both domains. In this scope, we tackle the mapping between the HIP namespace and the user IdM namespace, as well as the management and assignment of user and host identities. The new architecture provides a unified view over user and host identities, enabling the exchange of user and host attributes, while also providing enhanced security and network features.

I. INTRODUCTION

As the notion of Identity finds its way into more and more areas of information and communication technology, digital Identity and Identity Management (IdM) are becoming key pillars of the future Internet. Identity concepts at the application layer are linked to new opportunities for users, like video-sharing, social-networking and context-aware services. From a technical perspective, concepts like attribute sharing and Single Sign-On (SSO), which improve security and convenience for users, are coupled to identities and IdM. There are several initiatives, like Microsoft CardSpace [1], Liberty Alliance [2] and OpenID [3], that compete for the best IdM solution. Additionally, identity-related concepts are also emerging on the network layer.
Proposals that target the identifier/locator split problem are one example of introducing identities on the network layer, trying to solve complex problems like mobility and multihoming, with either an implicit [4] or explicit notion [5] of identities. In the remainder of this paper the term host identity will be used to reflect these concepts.

Even if the purpose of identities at the application and network layer is different, the general idea of identities and IdM is shared. In both cases, an identity describes an entity represented by a set of attributes within a specific context [6]. Fig. 1 contrasts the two different perspectives. The left side illustrates a user identity on the application layer, which is made up of attributes like name or postal address. Moreover, legal contracts and credentials to be used with Service Providers (SP) or Identity Providers (IdP) are part of an identity. In contrast, host identities, shown on the right side of Fig. 1, are focused on the characteristics of hosts and devices. Thus, locators like the IP address play a major role.

Fig. 1. User and Host Identities

At first glance, user and host identities, each labelled by an identifier, are unrelated. However, we believe that user identities and host identities cannot be considered independent of each other. An integrated view on identities across the user and host level is required for several reasons, presented below.

First, with the introduction of personal computers and the wide distribution of mobile phones, user identities and host identities are becoming more and more coupled. It is not always sensible to differentiate between attributes of the user and attributes of the host, e.g. location.

Second, it is required to consider user and host identities together to evaluate privacy risks. For example, IP addresses which are assigned to hosts can be used to reveal characteristics of the user identity [7].
Third, an integrated view allows us to benefit from the advantages provided by both identity concepts. A detailed discussion of the mutual advantages of both identity concepts is provided in Section II-C.

We conclude that host identities are coupled to user identities, which makes an integrated consideration necessary. In this paper we present the integration of user and host identity concepts through an architecture that integrates the Host Identity Protocol (HIP), as a network level protocol capable of delivering mobility and multihoming heavily based on identity concepts,