This document describes identifier and token issuance considerations and services. It describes two principal categories of privacy-friendly identifiers: persistent and transient Name IDs, which are difficult to guess and are not shared across participants of a federation.
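As an added illustration of the two identifier categories (not code from the document or the system it describes), the following shows one common way to realise them: a persistent Name ID derived as a keyed HMAC over the (service provider, user) pair so that each participant sees a stable but unrelated value, and a transient Name ID drawn fresh from a CSPRNG per session. The key name, derivation layout and sample values are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed key held only by the Identity Provider (assumption of this
# example); in practice it would live in an HSM or secret store.
IDP_PAIRWISE_KEY = b"constructed-idp-pairwise-key-not-for-production"


def persistent_name_id(user_id: str, sp_entity_id: str,
                       key: bytes = IDP_PAIRWISE_KEY) -> str:
    """Derive a persistent, pairwise Name ID.

    The same (user, service provider) pair always yields the same value, so
    that SP can recognise a returning user. A different SP gets an unrelated
    value, so two participants cannot correlate the user by comparing the
    identifiers they hold. The keyed HMAC makes the value infeasible to guess
    or to invert back to the user ID without the IdP's key.
    """
    # NUL separator prevents ambiguity between the two concatenated fields.
    message = f"{sp_entity_id}\x00{user_id}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def transient_name_id() -> str:
    """Issue a transient Name ID: a fresh, unguessable value for one session.

    Nothing about the user is encoded, so the identifier carries no meaning
    outside the session in which the IdP issued it and cannot be linked to
    any other session or participant.
    """
    return secrets.token_urlsafe(24)


def is_pairwise_unlinkable(user_id: str, sp_a: str, sp_b: str) -> bool:
    """True when two distinct SPs receive different persistent IDs for a user."""
    return persistent_name_id(user_id, sp_a) != persistent_name_id(user_id, sp_b)
```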
The data model of the federation databases is discussed. It is noted that the databases of an Identity Provider, discovery, linking service, and ID Mapper are highly similar, and that a common implementation choice is to have the same system entity offer all of these interfaces from a single database. However, to support separation of duties, an alternate model with separate databases and controlled synchronization is presented as well.
The issuance of tokens by an ID Mapper in various specific situations is discussed. The properties of the tokens and the necessary policy and audit safeguards are presented. We cover the user-present, pre-authorized, and not-present cases, as well as token-based delegation.
A conclusion about token revocation is that most short-term tokens do not need a revocation mechanism. In the case of the Identity Mapper (IM) bootstrap token, which due to the logistics has to be long-lived, specific risk mitigation strategies are adopted. In any case, all derived tokens will be short-lived and authorized upon token creation, effectively providing revocation of the IM bootstrap.
The role of the Registry Server in locating per-user resources is discussed. We also discuss how the Registry Server integrates with the On-line Compliance Testing and Trust Network's partner intake process.
Finally, an exposition of the Trust and Privacy Negotiation functionality is presented, including user-interface-driven front channel and discovery-driven back channel approaches. A gap analysis is provided to see how the two phases of the back channel approach, discovery and service call, satisfy the essential needs to communicate policy pledges and policy requirements.