290 likes | 424 Views
Advances in Digital Identity. Steve Plank Identity Architect. Identity. no consistency. Naming. DNS. Connectivity. IP. taught users. type. usernames & passwords. web page. what is identity?. attributes: givenName sn preferredName planky dateOfBirth 170685! over18 true
E N D
Advances in Digital Identity Steve PlankIdentity Architect
Identity no consistency Naming DNS Connectivity IP
taught users type usernames & passwords web page
attributes: givenName sn preferredNameplanky dateOfBirth 170685! over18 true over21 true over65 false image steve plank
self asserted what claims i make about myself verifiable what claims another party makes about me
elvis presley only 1 of them is real probably
trust claims make these
SECURITY TOKEN steve plank over 18 over 21 under 65 image
SECURITY TOKEN Steve Plank Over 18 Over 21 Under 65 image security token service give it something DIFFERENT SECURITY TOKEN Username Password Biometric Signature Certificate “Secret”
participants identity provider subject relying party (website)
SAML x509 SAML x509 WS-* subject identity provider identity provider relying party relying party security tokenservice WS-* security token service WS-* identity selector
human integration consistent experience across contexts
cards self-issued managed • contains claims about my identity that I assert • not corroborated • stored locally • signed and encrypted to prevent replay attacks • provided by banks, stores, government, clubs, etc • locally stored cards contain metadata only! • data stored by identity provider and obtained only when card submitted
login with self issued card object tag login user relying party (website)
select self issued card Planky user relying party (website)
create token from card Planky user FN: Steve LN: Plank Email: splank CO: UK relying party (website)
sign, encrypt & send token Planky user relying party (website)
login with managed card object tag login identity provider user relying party (website)
select managed card identity provider user Woodgrove Bank relying party (website)
request security token identity provider user authN:X509, kerb, SC, U/pwd… Woodgrove Bank relying party (website)
request security token response identity provider user sign, encrypt send Woodgrove Bank relying party (website)
<body> <formid="form1"method="post"action="login.aspx"> <div> <buttontype="submit"> Click here to sign in with your Information Card </button> <objecttype="application/x-informationcard"name="xmlToken"> <paramname="tokenType"value="urn:oasis:names:tc:SAML:1.0:assertion"/> <paramname="issuervalue="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"/> <paramname="requiredClaims"value=" http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ privatepersonalidentifier /> </object> </div> </frm> </body>
xmlToken (signed & encrypted) token decrypter relying party (website) xmlToken (plaintext) 123 789 claims extractor ppid 456 user database first name last name index into DB email 456 phone
review identity layer phishing, phraud human integration consistent experience across contexts ip rp user identity selector Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt