
Advances in Digital Identity



Presentation Transcript


  1. Advances in Digital Identity. Steve Plank, Identity Architect

  2. Identity: no consistency. Naming: DNS. Connectivity: IP.

  3. taught users to type usernames & passwords into a web page

  4. what is identity?

  5. attributes: givenName: steve; sn: plank; preferredName: planky; dateOfBirth: 170685!; over18: true; over21: true; over65: false; image

  6. self asserted: what claims I make about myself. verifiable: what claims another party makes about me.

  7. elvis presley: only 1 of them is real, probably

  8. trust claims make these

  9. SECURITY TOKEN: steve plank, over 18, over 21, under 65, image

  10. SECURITY TOKEN (Steve Plank, Over 18, Over 21, Under 65, image). security token service: give it something DIFFERENT. SECURITY TOKEN (Username, Password, Biometric, Signature, Certificate, “Secret”)

  11. identity metasystem

  12. participants: identity provider, subject, relying party (website)

  13. diagram: subject, identity selector, two identity providers each with a security token service (WS-*), two relying parties; token types SAML, x509

  14. identity selector

  15. human integration: consistent experience across contexts

  16. cards
      self-issued: contains claims about my identity that I assert; not corroborated; stored locally; signed and encrypted to prevent replay attacks
      managed: provided by banks, stores, government, clubs, etc; locally stored cards contain metadata only!; data stored by identity provider and obtained only when card submitted

  17. login with self issued card: user -> relying party (website): login; the page carries the object tag

  18. select self issued card: user (Planky) picks a card; relying party (website)

  19. create token from card: Planky; FN: Steve, LN: Plank, Email: splank, CO: UK; relying party (website)

  20. sign, encrypt & send token: user (Planky) -> relying party (website)

  21. login with managed card: user -> relying party (website): login; the page carries the object tag; identity provider

  22. select managed card: user picks the identity provider (Woodgrove Bank) card; relying party (website)

  23. request security token: user -> identity provider (Woodgrove Bank); authN: X509, kerb, SC, U/pwd…; relying party (website)

  24. request security token response: identity provider (Woodgrove Bank) -> user: sign, encrypt, send; relying party (website)

  25. <body>
        <form id="form1" method="post" action="login.aspx">
          <div>
            <button type="submit">
              Click here to sign in with your Information Card
            </button>
            <object type="application/x-informationcard" name="xmlToken">
              <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
              <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
              <param name="requiredClaims" value="
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
            </object>
          </div>
        </form>
      </body>

  26. relying party (website): xmlToken (signed & encrypted) -> token decrypter -> xmlToken (plaintext) -> claims extractor -> ppid 456 -> index into user database. user database columns: ppid (rows 123, 456, 789), first name, last name, email, phone

  27. demo

  28. review: identity layer; phishing, phraud; human integration; consistent experience across contexts; ip, rp, user, identity selector. Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt
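Slides 25 and 26 describe the relying-party side: the object tag asks the identity selector for four claims from a self-issued card, and the website then decrypts the returned xmlToken, pulls the claims out and uses the ppid as the index into its user database. The Python below is an added example, not code from the slides or from any CardSpace implementation. It starts where slide 26's token decrypter ends (the plaintext SAML 1.0 assertion; decryption and signature verification are assumed to have already happened), checks the token's issuer and required claims against what the object tag asked for, and looks the ppid up in a constructed user table. The sample token, the user rows and all function names are constructed for the example.

```python
"""Relying-party claims extractor for a decrypted Information Card token.

Added example, not from the slides. Picks up after slide 26's token
decrypter: takes the plaintext SAML 1.0 assertion, checks it comes from
the issuer the object tag asked for, checks every requiredClaims URI
from slide 25 is present, and uses privatepersonalidentifier (ppid) as
the index into the user table. Sample token and user rows are constructed.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"

# Claim URIs exactly as the object tag on slide 25 lists them.
REQUIRED_CLAIMS = [
    CLAIMS_NS + "/givenname",
    CLAIMS_NS + "/surname",
    CLAIMS_NS + "/emailaddress",
    CLAIMS_NS + "/privatepersonalidentifier",
]


def _saml(tag):
    """Clark-notation tag name in the SAML 1.0 namespace."""
    return "{%s}%s" % (SAML1_NS, tag)


# Constructed sample token, i.e. the plaintext xmlToken after decryption.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="uuid-constructed-example"
    Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Steve</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Plank</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>splank@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>456</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed user database keyed by ppid (slide 26's 123 / 456 / 789 rows).
USER_DB = {
    "123": {"first name": "Ann", "last name": "Example", "email": "ann@example.invalid", "phone": "000"},
    "456": {"first name": "Steve", "last name": "Plank", "email": "splank@example.invalid", "phone": "000"},
    "789": {"first name": "Bob", "last name": "Sample", "email": "bob@example.invalid", "phone": "000"},
}


def extract_claims(token_xml, expected_issuer=SELF_ISSUER):
    """Return {claim URI: value} from the assertion's AttributeStatement.

    Rejects anything that is not a SAML 1.0 assertion or that names an
    issuer other than the one the object tag requested.
    """
    root = ET.fromstring(token_xml)
    if root.tag != _saml("Assertion"):
        raise ValueError("not a SAML 1.0 assertion: " + root.tag)
    if root.get("Issuer") != expected_issuer:
        raise ValueError("token issuer %r is not the requested issuer" % root.get("Issuer"))
    claims = {}
    for attr in root.iter(_saml("Attribute")):
        # Claim URI = AttributeNamespace + "/" + AttributeName, matching requiredClaims.
        uri = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        value = attr.find(_saml("AttributeValue"))
        claims[uri] = (value.text or "").strip() if value is not None else ""
    return claims


def missing_claims(claims, required=REQUIRED_CLAIMS):
    """Required claim URIs that are absent or empty in the token."""
    return [uri for uri in required if not claims.get(uri)]


def sign_in(token_xml, user_db=USER_DB):
    """Slide 26 end to end: claims out of the token, ppid into the user table.

    Returns (status, payload): ("ok", user row); ("new", claims) when the
    ppid is not yet in the table, so the site could provision an account
    from the claims; ("missing", [claim URIs]) when a required claim is absent.
    """
    claims = extract_claims(token_xml)
    missing = missing_claims(claims)
    if missing:
        return ("missing", missing)
    user = user_db.get(claims[CLAIMS_NS + "/privatepersonalidentifier"])
    if user is None:
        return ("new", claims)
    return ("ok", user)


if __name__ == "__main__":
    print(sign_in(SAMPLE_TOKEN))
```

Two points for anyone building the real thing: the claims extractor only makes sense after the token decrypter has verified the signature, because an unsigned assertion lets a client assert any ppid it likes; and since the token arrives from the client, parse it with a hardened XML parser such as defusedxml rather than the stdlib one used here for brevity.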
