Use of DANE to Improve the Security for Identity Federations

The identity of individuals need to be confirmed for various reasons, both in reality and on the Internet. Identity federations is a way to build a standard for online services similar to the one in real life with identification cards and signatures. However, there are more security aspects to take in to account online. This report analyse the security mechanism used to achieve data integrity in an identity federation and specifically the use of X.509 certificates. Also, an evaluation of the possibility to use DNS-Based Authentication of Named Entities (DANE) to improve the security for an identity federation. The report is a result of literature studies, practical work on setting up a test environment and discussions with experts. We conclude in the report that improvements can be made on how identity federations handle their own metadata and trust other entities metadata. DANE is today only a draft, but when DANE with TLS/TLSA becomes a RFC standard or when a standard for how DANE handles SAML certificates, it can be used to improve the initial trust bonding.Validerat; 20120620 (anonymous