Authentication and Authorisation Infrastructures in b2c e-Commerce

One of the reasons for the failure of PKI in b2c e-commerce might be that too much effort was put in entity authentication. In many applications it is not necessary to know who an entity actually is, but to be sure that he/she possesses the proper rights to perform the desired action. This is exactly the purpose of Authentication and Authorisation Infrastructures (AAIs). Today several proposals and running AAIs are available focusing on different aspects. The purpose of this paper is firstly to introduce common representatives and to discuss their focus, secondly to develop criteria and requirements that any AAI for b2c e-commerce has to fulfil and finally evaluate the proposals against the developed criteria. Candidates for evaluation are Kerberos, SESAME, PERMIS, AKENTI, Microsoft Passport, Shibboleth and the Liberty Framework