Meeting the Privacy Goals of NSTIC in the Short Term
Presentation at the 2011 Internet Identity Workshop
Francisco Corella and Karen P. Lewison, Pomcor

Contents
• The following slides illustrate protocol steps described in the white paper “Achieving the Privacy Goals of NSTIC in the Short Term”, available at http://pomcor.com/whitepapers/NSTICWhitePaper.pdf
• There are three protocol variations:
• Attribute verification
• Delegated authorization
• Social login
Attribute Verification
Step 1: The relying party sends the browser an attribute request together with a callback URL.
Step 2: The browser retains the callback URL, produces a one-time key pair and retains the one-time private key. It sends the attribute request and the one-time public key to the attribute provider over a TLS connection authenticated with the user’s long-term TLS certificate.
Step 3: The attribute provider returns a one-time certificate binding the attribute to the one-time public key.
Step 4: The user is asked for permission to pass the attribute to the relying party.
Step 5: The browser targets the callback URL at the relying party, using the one-time certificate as its TLS client certificate and the one-time private key in the TLS handshake. The relying party reports success.
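The following is an added example, not code from the slides or from Pomcor, showing the two checks a relying party must make in step 5 before accepting an attribute: the one-time certificate chains to the attribute provider, and the presenter proves possession of the one-time private key. It uses Go’s standard x509 package with Ed25519 keys, carries the attribute in the certificate subject CN for brevity, and replaces the TLS handshake with a signature over a constructed transcript; all three are assumptions of this example, and the same binding applies to the access-grant certificates of delegated authorization.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign creates a certificate and re-parses it; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err) // demo helper: a template error is a programming bug
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate parses
	return cert
}

// providerCA is the attribute provider's root certificate, which the relying party trusts.
func providerCA(pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Attribute Provider"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	return sign(tmpl, tmpl, pub, priv)
}

// oneTimeCert is step 3: the provider binds attr (carried in the CN here, an assumption for brevity) to the browser's one-time public key.
func oneTimeCert(ca *x509.Certificate, caKey ed25519.PrivateKey, oneTimePub ed25519.PublicKey, attr string) *x509.Certificate {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: attr},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute), // used once, then discarded
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		ca, oneTimePub, caKey)
}

// verifyAtRelyingParty is step 5 at the relying party: chain to the provider, then proof of possession of the one-time key (a transcript signature stands in for TLS client auth).
func verifyAtRelyingParty(ca, cert *x509.Certificate, transcript, popSig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, transcript, popSig) {
		return "", errors.New("presenter does not hold the one-time private key")
	}
	return cert.Subject.CommonName, nil
}
```

Because the certificate names only a fresh one-time key, a copy captured in transit is useless without the private key that never leaves the browser, and the attribute provider never learns which relying party received it.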
Delegated Authorization
Step 1: The web application sends the browser an access request together with its one-time public key and a callback URL.
Step 2: The browser retains the callback URL and sends the access request and the one-time public key to the site holding the user’s account over a TLS connection authenticated with the user’s long-term TLS certificate.
Step 3: The site holding the user’s account returns a one-time certificate binding the access grant to the one-time public key.
Step 4: The user is asked for permission to grant access to the application.
Step 5: The browser targets the callback URL at the web application, delivering the one-time certificate with the access grant.
Step 6: The web application uses the one-time certificate with the access grant as its TLS client certificate when connecting to the site holding the user’s account.
Social Login: combines attribute verification and delegated authorization
Step 1: The web application sends the browser an attribute request, an access request, the app’s one-time public key and a callback URL.
Step 2: The browser retains the callback URL, produces its own one-time key pair and retains the private key. It sends the attribute request, the browser’s one-time public key, the access request and the app’s one-time public key to the attribute provider over a TLS connection authenticated with the user’s long-term TLS certificate.
Step 3: The attribute provider returns a one-time certificate binding the attribute to the browser’s one-time public key, plus a one-time certificate binding the access grant to the app’s one-time public key.
Step 4: The user is asked for permission to pass the attribute and grant access to the application.
Step 5: The browser targets the callback URL at the web application, using the one-time certificate with the attribute as its TLS client certificate (with the one-time private key in the TLS handshake) and delivering the one-time certificate with the access grant.
Step 6: The web application uses the one-time certificate with the access grant as its TLS client certificate when connecting to the attribute provider.