Title :
Towards Privacy in Enterprise Directory Services: A User-Centric Approach to Attribute Management
Author :
Claycomb, William ; Dongwan Shin ; Hareland, Della
Author_Institution :
Sandia Nat. Lab., Albuquerque
Abstract :
Enterprise directory services (EDS) are commonly used to store attributes related to individual users within a corporation, and provide those attributes to authorized users upon request. These attributes may contain sensitive personal information, such as citizenship or social security numbers. Consequently, access to such information is generally controlled, usually by traditional methods such as access control lists. However, if a user-centric identity management model is considered, in which users control their own information and control access to that information, traditional EDS implementations do not provide complete protection from a user perspective. We propose combining public key infrastructure, user-centric identity management, and EDS to allow users control of the personal information stored within a directory as well as who is allowed to access that information. We demonstrate how a user may employ PKI to encrypt individual attributes, then share decryption information with selected entities. Among other advantages, this solution eliminates the possibility of administrative access to users' information, a potential threat that exists within many EDS
Keywords :
authorisation; data privacy; information retrieval; public key cryptography; user centred design; authorization; enterprise directory services; information access; information privacy; public key infrastructure; user-centric approach to attribute management; user-centric identity management; Access control; Computer science; Content management; Databases; Humans; Identity management systems; Laboratories; Privacy; Protection; Technology management;
Conference_Title :
Security Technology, 2007 41st Annual IEEE International Carnahan Conference on
Conference_Location :
Ottawa, Ont.
Print_ISBN :
978-1-4244-1129-0
DOI :
10.1109/CCST.2007.4373492