110 likes | 125 Views
Explore the feasibility of a universal identity system amidst diverse requirements, risks, and cultural sensitivities. Discover a federated model as a solution emphasizing privacy, scalability, and ease of integration for various platforms. Learn about Windows CardSpace and the potential of a multiprotocol federation. Dive into resources for a secure, interoperable, and user-centric identity layer on the internet.
E N D
www.oasis-open.org Building "One Size Fits All" Identity SystemsPossible or Fantasy?Ronny BjonesSecurity ArchitectMicrosoft Corporate
Is it realistic? • Different requirements between businesses, consumers, governments, corporate users, etc • Different risk profiles implying different measures to prove (mutual) identities • Different cultural sensitivities when it comes to identities (e.g. eID) • Yet another IDA system to which we have to adapt our applications! • And what about all these different platforms?
Haven't we heard this before? + - + - + -
A new approach should… • be based on a federated model providing an SSO experience • have privacy protection build into the heart of the system • increase the overall security on the Internet, scalable according to risk model • be very easy to use by businesses and consumers • easily be integrated into services and applications
Identity Metasystem Members Only User D.O.L. Club Site Identity Selector Bank Identity Providers Pet Site Relying Parties Medical Card Store Card Insurance Card Employee Card Bank Card DOL Card Employer Other Sites Personal Card E-mail Card JunkCard WS* WEB* Gov. Store Sites TokenNameAccountStatus
Strong Identity and Access is Complicated • For developers • For users
Security Token Service User Experience Service What is Windows CardSpace? • Identity Selector for Windows • Digital identities represented by cards • When user selects a card • Get security token from Identity Provider • Give it to the Relying Party after user consent • User is in control
Wallet Metaphor • A set of claims someone makes about me • Claims are packaged as security tokens • Many identities for many uses
Framework for Interoperability • TCP/IP of Identities • Defined on open standards – WS* • Extended by CardSpace’s definition of CLAIMS • http://download.microsoft.com/download/2/7/c/27c16ebb-bf83-4abd-8002-21fa111ba7ac/infocard-profile-v1-techref.pdf • CardSpace is security token agnostic • SAML, Kerberos, X.509, custom • Identity Providers can bridge different identity technologies • Multiprotocol Federation Interoperability Demonstration • Burton Group – Gerry Gebel - November 1th 2005
Resources • http://www.identityblog.com/ • Laws of Identity • Identity Metasytem • Zermatthttps://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&DownloadID=12937 • Netfx3http://cardspace.netfx3.com
Conclusions • Identity layer on the Internet should: • Incorporate privacy, security, usability by design • Interoperability, interoperability, interoperability, … • Make live easy for developers and not raise the bar