Now, we are going to talk about a very important aspect of NGNs, that is the identity management of the entities which are interacting with each other to transfer data and to communicate with each other. So, we shall first of all look at what the purpose of identity management is. Then we look at some interesting relationships which exist between different aspects known as the attributes, credentials and the particular identity types. Then we look at the scope of identity management and we look at the best practices or the principles which are adopted for identity management to make sure that a user develops a trust level with the network. So, as a next generation network, a vendor or a service provider or an operator has to provide identity management according to some functional architecture, and this is where the identity management framework comes into play. It uses very important information regarding the network and the user to offer certain services purely from the business and security viewpoint. The information that a user can offer is the user subscription, the location information, the policy that governs provisioning certain security and business related services, access to that user, and the presence of the user in a certain proximity at a point in time. There are certain network elements which play their role in offering identity management. These include the HSS, the call control functions and the service border control. The identity information essentially comes from multiple angles and dimensions: for instance, the identifiers or IDs themselves, then their credentials, and then the attributes. All these identities and their aspects actually refer to the entities which are involved in the network. The most important entity is of course the user that has a certain subscription. So it means a user can be a network user or it can be a subscriber to a certain service.
This can be an organization, whether a commercial organization or a government organization, or it could even be an individual. The entities could also include the network elements which are part of the NGN, and the user devices, which a user can switch between, from a tablet to a smartphone, etc. Then there are certain objects which are not tangible in terms of their physical presence but are virtually present. For instance, there could be network elements which are run on a single physical server or a single physical machine. Then there are certain objects which could be the network parameter settings, the profiles, etc. So it means that every entity which is present in an NGN has to have at least one ID, or it can have more depending upon the different types of interactions and different types of services that the user might be interested in. Consider an individual on an NGN: if they have access to different services and different quality of service profiles, they can have multiple digital identifiers. The obvious purpose of identity management is to facilitate: facilitate the use of certain services, which would be identity management services, and the implementation of these services through certain functions; and depending upon how comprehensive a certain identity management system within the NGN is, there would be some capabilities which could be very high end capabilities or very rudimentary or basic capabilities. So the IDM actually provides business and security applications with certain services. These services can be considered to be present on the transport stratum and the service stratum. It actually means that identity management covers both the transport and service strata of the NGN. Let us look at the overall identity management as a relationship between the business and security applications, the identity management functions and capabilities, and the definitions that we have just looked at in the form of identifiers, credentials and attributes.
Let's look at the top first. So we have the business and security applications. For instance, we have multimedia applications, IPTV, security protection, access to certain resources. So this actually is the application layer perspective of identity management. Then we have a more technical or functional level of identity management. That is, how is the information managed in the form of a database? How is it organized in the form of a tree? What basically is the authentication mechanism to have access to the IDs of users or groups of users? What is the assurance mechanism that this ID management system is going to be reliable and trustworthy? How can the identity management systems be discovered, how can an endpoint exchange certain credentials and important information with the identity management system, and how can one IDM interact with other IDMs? Then the last part is of course the entities. If we look at the entities, these entities actually have certain identities. The identities are marked through identifiers, which are the physical IDs of, for instance, a service provider, an IP address, or the account number of a certain subscription. And then against each ID, we can have some credentials. For instance, these credentials could be time limited, such as tokens issued for a certain time period, or a digital certificate issued by a third party. Then, against every identifier, we can have certain attributes. For instance, for a certain user, we can have limited attributes, for instance a telephone number only or an email ID. We can even take it further by taking the context, the location, etc. of the user into account so that a user can be provided better service. So it means that the overall identity management becomes a very complex task. At the entities level, we have the users, we have the devices and we have the network elements that we've already discussed. Let's look at the identifiers in a little more detail.
Depending upon the subscription information, an identifier is issued. An identifier can actually differentiate between the kinds of access which a user is entitled to, for instance whether it's a residential user or an enterprise. Then the network elements through which the connectivity is provided need to be identified. And the service provider, amongst a multitude of operators and service providers, needs to be identified, and this is typically done through the URL or the domain name that identifies a certain service provider. The attributes which the identity is going to have are actually the features or aspects of a certain user, device or network interface. For instance, we can have the email ID, the identifier in the form of a URI, an IP address, and the authentication method through which this particular entity can be authorized or authenticated. Then the physical location or the relative network location of this particular entity. Then we have lastly the credentials. As I said earlier, these credentials actually determine the overall validity of a certain service to a certain user. For instance, the username and password as the token, or the digital certificate or token for a certain service. Now we are going to look at a very important aspect. No matter how comprehensive the identity management for a certain NGN may be, there are certain golden principles or thumb rules which would ensure that a user trusts the network. The first one is of course that data binding for a certain specific service would only be activated, depending upon the attributes, the credentials, etc., while that service is being provided. So it means once a service is not being used, the associated data should not be recalled or accessed from the identity management system. Then multiple applications should not share this information with each other. It means that there should be no passing or relaying of the information subsequently from one application to the other.
This is going to result in information leakage. So even if it has to be done, it has to be done through explicit user consent. So it means that if multiple applications are going to use certain identifiers and certain attributes and credentials, these have to be accessed from the IDM system, and this transaction has to be recorded so that it is known who accessed what information regarding a certain user at a point in time. Then we also have to consider that limited identity information should be shared. This is known as the need-to-know basis, or being discreet. So it means if certain information is required which only deals with the IP address, then the domain name and the URL should not unnecessarily be shared in addition. The last one is that at the end of the day, it is the user who is paying the network for certain services. So a user has to be the super administrator or the super user to manage, share, delete and update the personally identifiable identifiers. It means if a user can be identified through a certain IP address and a certain username and password, and if the user wishes to change one, delete one, and keep the other, then everything has to be done through proper user based control.
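The following is an added example, not part of the lecture and not taken from any NGN or ITU-T specification; it is a toy identity-management broker that models the identifier/credential/attribute relationship described earlier and enforces the four principles just listed: release bound to an active service, no application-to-application relaying (every application must ask the IDM and every access is audited), minimal disclosure (only requested and consented attributes leave the IDM), and user control over personally identifiable attributes. The entity, application and attribute names ("user-alice", "iptv", "multimedia", "cell-42") are constructed, and the broker API (`IdmBroker`, `release_attributes`, `user_update_attribute`) is an assumption of this example, not a real interface.

```python
"""Toy NGN identity-management broker (added example; all names are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Credential:
    kind: str          # e.g. "token", "password", "certificate"
    secret: str
    expires_at: float  # Unix time; 0 means the credential does not expire


@dataclass
class Entity:
    """A user, device or network element with its identifiers, credentials and attributes."""
    entity_id: str
    identifiers: set = field(default_factory=set)    # e.g. SIP URI, IP address
    credentials: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)   # e.g. email, phone, location
    consents: dict = field(default_factory=dict)     # app -> attributes the user allowed


class IdmBroker:
    """Holds entities, enforces the release rules, and records every access."""

    def __init__(self):
        self._entities = {}
        self._active = set()   # (entity_id, app) pairs with a service in progress
        self.audit = []        # (time, app, entity_id, attributes released, outcome)

    def register(self, entity):
        self._entities[entity.entity_id] = entity

    def authenticate(self, identifier, kind, secret, now):
        """Map an identifier to an entity and require an unexpired matching credential."""
        for ent in self._entities.values():
            if identifier not in ent.identifiers:
                continue
            for cred in ent.credentials:
                unexpired = cred.expires_at == 0 or cred.expires_at > now
                if cred.kind == kind and cred.secret == secret and unexpired:
                    return ent.entity_id
        return None

    def start_service(self, entity_id, app):
        self._active.add((entity_id, app))

    def stop_service(self, entity_id, app):
        self._active.discard((entity_id, app))

    def release_attributes(self, entity_id, app, requested, now):
        """Release data only while the service is active, only what the user consented
        to for this application, and only what was actually requested (need to know)."""
        ent = self._entities[entity_id]
        if (entity_id, app) not in self._active:
            self.audit.append((now, app, entity_id, (), "denied: no active service"))
            return {}
        allowed = ent.consents.get(app, set())
        released = {k: ent.attributes[k] for k in requested
                    if k in allowed and k in ent.attributes}
        self.audit.append((now, app, entity_id, tuple(sorted(released)), "released"))
        return released

    def user_update_attribute(self, entity_id, key, value):
        """The user manages their own PII: None deletes the attribute and its consents."""
        ent = self._entities[entity_id]
        if value is None:
            ent.attributes.pop(key, None)
            for allowed in ent.consents.values():
                allowed.discard(key)
        else:
            ent.attributes[key] = value


def demo():
    """Constructed scenario; returns the observable results for inspection."""
    now = 1_700_000_000.0
    alice = Entity(
        "user-alice",
        identifiers={"sip:alice@example.net", "192.0.2.10"},
        credentials=[Credential("token", "tok-valid", now + 3600),
                     Credential("token", "tok-expired", now - 60)],
        attributes={"email": "alice@example.net", "phone": "+15550100", "location": "cell-42"},
        consents={"iptv": {"email"}, "multimedia": {"email", "location"}},
    )
    idm = IdmBroker()
    idm.register(alice)
    auth_ok = idm.authenticate("sip:alice@example.net", "token", "tok-valid", now)
    auth_expired = idm.authenticate("sip:alice@example.net", "token", "tok-expired", now)
    # No active service yet: the data binding is not activated, so nothing is released.
    before_start = idm.release_attributes("user-alice", "iptv", ["email", "phone"], now)
    idm.start_service("user-alice", "iptv")
    # "phone" is requested but not consented to iptv, so only "email" leaves the IDM.
    during = idm.release_attributes("user-alice", "iptv", ["email", "phone"], now)
    # A second application cannot relay iptv's data; it asks the IDM and is audited itself.
    idm.start_service("user-alice", "multimedia")
    mm = idm.release_attributes("user-alice", "multimedia", ["location"], now)
    # The user deletes a PII attribute; every consent covering it is revoked with it.
    idm.user_update_attribute("user-alice", "email", None)
    after_delete = idm.release_attributes("user-alice", "iptv", ["email"], now)
    idm.stop_service("user-alice", "iptv")
    after_stop = idm.release_attributes("user-alice", "iptv", ["email"], now)
    return {"auth_ok": auth_ok, "auth_expired": auth_expired, "before_start": before_start,
            "during": during, "multimedia": mm, "after_delete": after_delete,
            "after_stop": after_stop, "audit_entries": len(idm.audit)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Every call to `release_attributes`, whether it succeeds or is refused, leaves an entry in `audit`, so the "who accessed what about whom, and when" question from the lecture can be answered from the broker's own log rather than from each application.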