AxiomaticId

Digital Identity Management Solution
History is a string of unique moments... Meet one!

The name "AxiomaticId" comes from "Axiomatic Identity". "Axiomatic" means "self-evident truth".

Identities are axiomatic! They are self-evident relationships established among trusting partners who communicate and do business together.

Axiomatic identities work based on the principle "first come, always served", that is, once a relationship between two parties has been established, those parties need never know the biometric identity of each other.

AxiomaticId is a solution for the management of digital identities. It uses digital signatures to allow people to authenticate themselves to various (online) service providers.

AxiomaticId is designed to secure a user's decisions to execute actions at various service providers. For maximum security, hardware isolation can be used to create the action requests. Hardware isolation refers, for example, to a PDA which is not connected to any kind of network, and is always carried by the user.

AxiomaticId allows people to protect their physical identity by substituting it with a digital one. AxiomaticId lets people create multiple digital identities which can be used in various places, over the Internet.

AxiomaticId empowers people to create digital identities which can be hidden from other people. For example, if the PDA on which AxiomaticId runs is stolen or taken by force, the hidden identities remain hidden from the aggressor, that is, the aggressor never learns that there are hidden identities on the PDA.

AxiomaticId is an open source project developed in C# and is specifically designed for mobile devices like PDAs.



Who can use it?

Users

The purpose of AxiomaticId is to allow a user to identify himself to a service provider, like a payment service, as being the owner of a specific service account. AxiomaticId has nothing to do with what the service does and how it works. AxiomaticId simply authenticates users to perform actions in their accounts.



Services

Any service (online or offline), like a payment service, which needs to authenticate users as being the owners of their accounts, can use AxiomaticId to process the actions which users request to be executed in their accounts.

For integration details look here.



Merchants

Merchants can use AxiomaticId to verify the digitally signed confirmations with which their payment service tells them that a certain client has paid for his purchase. The payment service can send such confirmations through email.

An employee of the merchant can then simply load the confirmations into AxiomaticId to verify that the payment was indeed made, to see what merchandise was requested, and to see where the merchandise has to be shipped.



Organizations

Organizations may get significant benefits from using group identities. A group identity simply groups the identities of several people who work for the same organization.

A group identity allows a service provider to require that in order to execute an action in a service account, all the members of the organization (or a minimum number of members) must sign the request for the execution of the action.

For example, an organization might have an account with a payment service where it keeps (some of) its money. The organization would not want any single member to have full access to this account, but rather request that the payment service executes only payments which are signed by 3 (out of 5) members of the organization. AxiomaticId can make this happen.

A group identity also allows a user of AxiomaticId to encrypt a document for the organization. It is possible to encrypt the document so that each member of the organization could decrypt the document independently, or it's possible to require (with cryptographic strength) that all members of the group be present in order to decrypt the document.

Even further, it's possible to encrypt a document in a way which requires that most members of the group be present in order to decrypt the document, while some members may be absent. Moreover, it doesn't matter who is present and who is absent from the decryption process. All that matters is that the minimum number of members is met.

For example, if the board of directors of the organization has 5 people, but only 3 of them are required to decrypt documents sent to the organization, AxiomaticId can make this happen.
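An added example, not AxiomaticId's own code, of the threshold behaviour described above: the symmetric key that protects the document is split with Shamir secret sharing so that any 3 of the 5 board members' shares recover it, while 2 shares reveal nothing about it. Go standard library only; the field prime, the Share type and the function names are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// Shares live in the prime field mod 2^521-1, big enough to hold a 32-byte symmetric key.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one member's piece of the document key (X is the member's index, 1..n).
type Share struct{ X int; Y *big.Int }

// SplitKey is Shamir secret sharing: a random degree k-1 polynomial with the key as
// constant term, evaluated at x = 1..n, so any k shares recover it and k-1 reveal nothing.
func SplitKey(key *big.Int, k, n int) ([]Share, error) {
	coef := []*big.Int{key}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef = append(coef, c)
	}
	shares := make([]Share, n)
	for x := 1; x <= n; x++ {
		y := new(big.Int) // Horner's rule, highest coefficient first
		for i := len(coef) - 1; i >= 0; i-- {
			y.Mul(y, big.NewInt(int64(x))).Add(y, coef[i]).Mod(y, prime)
		}
		shares[x-1] = Share{x, y}
	}
	return shares, nil
}

// RecoverKey interpolates the polynomial at 0 (Lagrange) from any k shares; with fewer
// than k shares the result is an unrelated value, which is exactly the point.
func RecoverKey(shares []Share) *big.Int {
	key := new(big.Int)
	for j, sj := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for m, sm := range shares {
			if m != j {
				num.Mul(num, big.NewInt(int64(-sm.X))).Mod(num, prime)
				den.Mul(den, big.NewInt(int64(sj.X-sm.X))).Mod(den, prime)
			}
		}
		term := new(big.Int).Mul(sj.Y, num.Mul(num, new(big.Int).ModInverse(den, prime)))
		key.Add(key, term).Mod(key, prime)
	}
	return key
}
```

In practice the document itself would be encrypted with an authenticated symmetric cipher under the shared key, and each member would receive his share encrypted to his own asymmetric key.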



Document repositories

AxiomaticId is useful not only for payment services, but also for document repositories. Consider that your company has an online service which allows your employees to download documents for reading.

If the security of the service is limited to a passphrase, a thief who obtains the name and passphrase of an employee's account has access to every document which that employee can access.

However, if your company integrates AxiomaticId, every employee would be required to request a document through a digitally signed AxiomaticId document. This way, even if a thief can get a hold of an unencrypted downloaded document, he wouldn't have access to all the documents which could be downloaded by the employee.



How it works

The main purpose of AxiomaticId is to allow users to securely access the accounts they have with various service providers. Here are the steps which are taken by both sides:

  • The service provider uses AxiomaticId to create an identity for itself.

  • The service provider creates a service descriptor which includes its presentation identity and what kind of actions can be requested by users.

  • The service provider publishes, on its website, the service descriptor.

  • The user who wants to use the service, imports the service descriptor into his AxiomaticId application.

  • The user uses AxiomaticId to create an identity for himself.

  • The user creates an account with the service. He sends his presentation identity to be used as authentication information for the account.

  • The user requests, through AxiomaticId, that a certain action is executed by the service in his account. AxiomaticId starts a wizard which guides the user step by step to fill in the data necessary for the action to be executed.

  • On a computer which is connected to the Internet, the user runs the file created by AxiomaticId. The user's action is sent signed and encrypted to the service.

  • The service verifies the signature of the action request using the authentication information from the user's account.

  • If the action is authenticated, the service executes the requested action.
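The exchange in the steps above, as an added Go example that is not AxiomaticId's own code or message format: the service's descriptor, the user's identity, the signed action request produced on the isolated device, and the service's verification against the key stored in the account. The JSON layout, the names, the use of Ed25519, and the omission of the encryption step are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// ServiceDescriptor is what a service publishes on its website: its presentation
// identity (here an Ed25519 public key) and the actions users may request.
type ServiceDescriptor struct {
	Name           string
	PresentationID ed25519.PublicKey
	Actions        []string
}

// ActionRequest is the record the user's isolated device fills in and signs.
type ActionRequest struct {
	Service, Account, Action string
	Params                   map[string]string
}

// NewIdentity creates a key pair; the public half is the presentation identity
// the user registers as the account's authentication information.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRequest runs on the user's device: canonical bytes plus a detached signature.
func SignRequest(priv ed25519.PrivateKey, req ActionRequest) ([]byte, []byte, error) {
	msg, err := json.Marshal(req)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// VerifyRequest runs at the service: the signature must verify under the key stored
// for the account, the request must name this service, and the action must be one the
// descriptor offers. Only then does the service execute it.
func VerifyRequest(desc ServiceDescriptor, accountKey ed25519.PublicKey, msg, sig []byte) (ActionRequest, bool) {
	var req ActionRequest
	if !ed25519.Verify(accountKey, msg, sig) || json.Unmarshal(msg, &req) != nil || req.Service != desc.Name {
		return req, false
	}
	for _, a := range desc.Actions {
		if a == req.Action {
			return req, true
		}
	}
	return req, false
}
```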



Features

Works on PDAs.

Identities for individuals and for groups / organizations.

Symmetric encryption for personal privacy. Data can be encrypted to a fixed size, so that it is possible to deny that the encrypted data contains anything but random data.

Asymmetric encryption for communication privacy.

Encryption to a group, either for each member of the group to decrypt independently, or for all members to decrypt together (with the ability to allow some members to be absent from the decryption process).

Signing to authenticate a document. Using stand-alone signatures, it's possible to sign only the hash of a document (in order to protect the privacy of the document). Multiple signatures are allowed anywhere a signature is allowed.

Signing by a group, including the ability to specify to others to accept signatures when not all group members have signed a document.

Separate asymmetric key pairs for encryption and signing.

Certifications for proving certain information to other parties. For example, the physical age of a person can be certified by certification services.

Certification power delegations. Only some identities are allowed by AxiomaticId to validate certifications. However, using certification power delegations, the identities which are allowed by AxiomaticId to validate certifications can delegate their power to other identities (which don't even need to be in the user's AxiomaticId application).

Inheritors which can access a service account if the owner of the account doesn't access the account for a number of years. Multiple inheritors may simultaneously access an account, and each may be allowed to access only a percentage of an account's value.

Recovery identity for service accounts. Normally, an identity which protects a service account is generated from random data. However, if such an identity and all its backups are lost, access to the accounts it protects is also lost, and the loss is absolute. In order to protect users from such a catastrophe, a recovery identity can be re-generated at any time from a passphrase.

Custom signatures.

Custom authenticated information in signatures.

Ability to store different types of stand-alone signatures or certifications in a single collection of objects, like different cards are stored in a wallet.

Ready for new cryptographic algorithms.



PDAs

AxiomaticId is specifically designed to run on PDAs because they can be carried around all the time and because they can offer physical isolation for running AxiomaticId (and thus provide better security).

For running AxiomaticId, we are considering only PDAs with the following technical specifications:

Required features:

  • Operating system: Microsoft Windows Mobile 6.

  • Microprocessor: minimum 300 MHz.

  • RAM: minimum 64 MB.

  • Internal persistent memory (available to user): minimum 16 MB.

  • Battery: minimum 1000 mAh.

  • Display: touch-sensitive (with optional stylus), minimum 16 colors.

  • Display diagonal: minimum 2.8 inches.

  • Display resolution: minimum 240 x 320 pixels.

  • SD card slot, or a USB port for a memory stick. An SD card reader for desktop computers can be easily purchased.

  • Weight: maximum 200 grams.



Features which must not be present in a dedicated device, but unfortunately are present in PDAs:

  • Still camera and video camera.

  • Microphone.

  • Wireless connections (like Bluetooth / infrared).

  • Phone.

  • GPS.

  • Over-the-air programming.



The manager

AxiomaticIdManager is an open source application developed in C# and is specifically designed for mobile devices (like PDAs). The source code for AxiomaticId can be downloaded from here.

For now, AxiomaticIdManager is a work in progress.

Main window screenshot

Download AxiomaticIdManager

The AxiomaticIdManager which you will download is only a skeleton application! It is intended just for you to see how it will be. Use it only for testing!

Currently, you can use it only to change the color scheme (see the "Color schemes" wizard), and to create a full identity (see the "Identities \ Create identity" wizard; the identity is saved in the AxiomaticId storehouse).

Version released on 05.09.2007, size 600 KB. It works on Windows (any desktop edition with DotNet, at least version 2). You can download the DotNet redistributable archive from Microsoft.

There are no special requirements to run the program. To install the program, just run the downloaded file.

It doesn't run on Mono because Mono doesn't yet implement the graphical user interface from DotNet.



Services

If you are interested in entities which provide various AxiomaticId-related services, please go here.


Copyright by George Hara