DIX BOF Digital Identity eXchange - PowerPoint PPT Presentation


Presentation Transcript
DIX BOF Digital Identity eXchange

65th IETF, Dallas, March 21st 2006


Welcome and Introductions

  • Chair – Scott Hollenbeck, [email protected]

  • Chair – John Merrells, [email protected]

  • Wiki – http://dixs.org

  • Jabber – [email protected]


Housekeeping

  • Use Microphones for those on the audio channel

  • State your name clearly for the scribe

  • Discussion points after each agenda item

  • We need scribes…

  • Wiki – http://dixs.org

  • Jabber – [email protected]




Scene Setting

  • “Enterprise Identity Management” (IdM)

    • Access control for resources

    • Leverages many IETF technologies

      • LDAP, Kerberos, PKIX, TLS

    • Includes

      • Authentication

      • Roles


Scene Setting

  • Web Authentication

    • 1996 survey - 12+ solutions

    • Why this interest?

      • Enterprise Web Applications

      • Required: SSO, Minimal password exposure, browser based

      • Web is easy to hack on

    • So, many open-source, in-house, and commercial solutions, even leveraging IdM


Scene Setting

  • Today’s Web

    • Millions of blogs, homepages, etc

      • Represent online lives

      • Others interact with them

      • But: who's on my site? (For expression, rather than control)

      • Required: SSO and Information Exchange (but no enterprise IdM system)


Scene Setting

  • New Goals

    • User-Centric

    • Widely Deployable

    • Good Enough Security

  • Web-scale ubiquity to be compelling


Scene Setting

  • Questions

    • Is new technology required? Or new usage of existing technology required?

    • What are the user requirements?

    • What are the barriers to wide adoption?

    • Different than ‘Enterprise’ technology? Or just part of the whole spectrum?


Definitions

  • Digital Identity Exchange

  • Identity Agent

  • Relying Party

  • Claim

  • Digital Subject


Definitions

  • Digital Identity Exchange

    • “The transmission of digital representation of a set of Claims made by one Party about itself or another Digital Subject, to one or more other Parties.”

    • RL ‘Bob’ Morgan, 14th March 2006, DIX Mailing List


Definitions

[Diagram: Identity Agent, Relying Party, Client]


Definitions

  • Claim

    • An assertion made by a Claimant of the value or values of one or more Identity Attributes of a Digital Subject, typically an assertion which is disputed or in doubt.


Definitions

  • Digital Subject

    • An Entity represented or existing in the digital realm which is being described or dealt with.


Problem Statement

  • “The Internet is host to many online information sources and services. There is a growing demand for users to identify, and provide information about themselves. Users bear the burden of managing their own authentication materials and repeatedly providing their identity information. Signing in to web pages and completing user registration forms is an example.”

    Proposed Draft Charter: http://dixs.org/index.php/DIX_Charter


Problem Statement

  • For User

    • Manage many Username/Passwords

    • Retyping same data into forms

  • For Service Operator

    • Low conversion ratios

    • Data inaccuracy

    • Minimal data exchange


Example

User goes to a web site

User provides some information about themselves


Proposed Goals

  • Automate Digital Identity Exchange between User and Service

  • Protect User’s Privacy

  • Minimize Barriers to Adoption


Benefits

  • For Users

    • Convenient Digital Identity Exchange

    • Richer experience with Service

  • For Service Operators

    • Increased quality and quantity of identity data

    • Higher conversion rates


Role & Scope of IETF

  • Internet related problems

  • “Above the wire and below the application”

  • DIX is within IETF scope


Proposed DIX Scope

  • In Scope

  • Out of Scope

  • In/Out of Scope?

  • Narrow, yet also ambitious.


In Scope

  • Digital Identity Exchange between User and Service

  • HTTP/HTML Transport

  • Browser based applications


Out of Scope

  • Digital Identity Exchange between services

  • Federating identifier namespaces

  • Usage of digital certificates

  • Claim schema and type system

  • User authentication with Identity Agent


In/Out of Scope?

  • SIP

  • XMPP

  • Non-browser based applications

  • Third Party Claims



Requirements

Seven Laws of Identity

  • User Control and Consent

  • Minimal Disclosure for Constrained Use

  • Justifiable Parties

  • Directed Identity

  • Pluralism of Operators and Technologies

  • Human Interaction

  • Consistent Experience Across Contexts

    Kim Cameron

    http://www.identityblog.com/


Requirements – Digital Identity Exchange

  • Move claims from agent to service

  • Move claims from service to agent

  • Unique identifier for User


Requirements - Privacy

  • Unique Identifier for User

    • No central control

    • Opaque

    • Unidirectional (1:1)

    • Omni-directional (1:N)

    • Separation from Identity Agent

  • Minimal disclosure


Requirements - Claim Schema

  • Globally unique Identifier for Names

  • Easily extended


Requirements - Adoption

  • Nominal client footprint

  • Minimal changes to Service

  • Service can independently extend Claim Schema

  • Leverage existing standards

  • Ad hoc Service and Identity Agent relationship

  • No more security than needed

    • Security Gradient


Security Gradient - Example

[Diagram: Identity Transaction Value (from Low Value: Blogs, … to High Value: Health Records, …) plotted against Security Level (from HTTP, DNS, HTTPS to PKI, DNSSEC, …); DIX covers the low-value end, with Extension Points toward the higher security levels]


Threat Analysis

Vulnerabilities and security limitations will need to be analyzed and well documented.


Requirements Discussion?


Architectural Models

  • Domain Centric

  • Federation

  • User-Centric


Domain Centric

[Diagram: Account Credentials presented for Authentication / Attributes / Authorization within one domain]

E.g. X.500, LDAP, Kerberos, PKIX, TLS, SASL, HTTP Basic/Digest, …


Federation

[Diagram: SAML Request, SAML Response, SAML Token exchanged between the parties]

E.g. SAML / Liberty, …


Federation - Ad Hoc

[Diagram: Discovery from an Identifier URL, then Claims]

E.g. OpenID, LID, XRI, Yadis


User Centric

[Diagram: Request, then Claims flowing through the user]

E.g. SXIP 2.0, WS-Trust / MetaSystem, …


Discussion?


draft-merrells-dix-00.txt

  • Individual Submission Internet-Draft

    • Title: DIX: Digital Identity Exchange

    • Author: J. Merrells, Sxip Identity

    • Contact: [email protected]

    • Date: Jan 17th, 2005

  • http://www.ietf.org/internet-drafts/draft-merrells-dix-00.txt

  • (Wiki has Update: http://dixs.org/index.php/Documents)


SXIP 2.0

[Diagram: Browser, Membersite and Homesite; SXIP Properties (First Name, Last Name, Email Address, Blog URL, Image, …etc…) are exchanged via SXIP Buttons over the DIX Protocol]


First Visit to geeknews.com

Beth receives an email invitation for geeknews.com. She’s going to ‘sign in’ to the website and provide some information about herself…

[Diagram: Browser, Membersite]


[sxip in]

[Diagram: Browser, Membersite]


[sxip in]

  • Consistent User Experience

    • ‘Sign In’

    • Provide Identity Data


Dynamic Discovery

[Diagram: Browser, Membersite and Homesite (ISP.com); the Membersite does GET Homesite Page and reads the Homesite Tag]


Homesite Tag (Bits)

<LINK REL="dix:/homesite"
      HREF="http://isp.com/sxip"
      CLASS="dix:/core#1 dix://sxip.net/simple#1"/>

[Diagram: the Homesite Tag is served by the Homesite]


Homesite Tag

  • Endpoint: http://isp.com/sxip

  • Capabilities: dix:/core#1, dix://sxip.net/simple#1


Endpoint

POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-urlencoded
Content-Length: 202

dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D

[Diagram: HTTP POST to http://isp.com/sxip on the Homesite]




Capabilities


Capability Extensibility

  • DIX URI

    • Scheme is DIX

    • Domain is any domain

    • Path is domain specific
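An added example (not code from the slides or from Sxip) of what a membersite does with the Homesite Tag and the DIX URIs above: find the tag, take the endpoint, and split each capability URI into its domain, path and version. The tag text is a constructed copy of the slide's; the rule that only an http(s) endpoint is accepted is a defensive assumption.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the Homesite Tag shown on the slide (straight quotes, one line).
HOMESITE_TAG = ('<LINK REL="dix:/homesite" HREF="http://isp.com/sxip" '
                'CLASS="dix:/core#1 dix://sxip.net/simple#1"/>')

# dix:/core#1 has no domain (the core protocol); dix://sxip.net/simple#1 is
# sxip.net's own 'simple' capability, version 1.
DIX_URI = re.compile(r"dix:(?://([^/#]+))?/([^#]*)#(\d+)")

def parse_dix_uri(uri):
    """Split a DIX capability URI into (domain, path, version); None if it is not one."""
    m = DIX_URI.fullmatch(uri)
    return (m.group(1) or "", m.group(2), int(m.group(3))) if m else None

def parse_homesite_tag(html):
    """Find the LINK REL="dix:/homesite" tag and return (endpoint, [capabilities]),
    or None when the page carries no usable tag."""
    link = re.search(r'<LINK\b[^>]*\bREL="dix:/homesite"[^>]*>', html, re.I)
    if not link:
        return None
    attrs = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', link.group(0))}
    endpoint = attrs.get("href", "")
    if urlparse(endpoint).scheme not in ("http", "https"):
        return None  # the membersite will POST to this URL: accept only http(s)
    # CLASS lists capabilities; tokens that are not DIX URIs are ignored (forward compatibility)
    caps = [c for c in map(parse_dix_uri, attrs.get("class", "").split()) if c]
    return endpoint, caps

def supports(caps, domain, path, min_version=1):
    """True if the homesite advertises capability domain/path at version >= min_version."""
    return any(d == domain and p == path and v >= min_version for d, p, v in caps)
```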


Fetch Request

[Diagram: Browser, Membersite, Homesite; fetch request]


Fetch Request (Bits)

<HTML>
<BODY Onload="document.forms[0].submit()">
<FORM METHOD="POST" CLASS="DIX" ACTION="http://isp.com/sxip">
<input type="hidden" name="dix:/message-type" value="dix:/fetch-request"/>
<input type="hidden" name="dix:/message-id" value="23AC-34B8-BFD1-459A"/>
<input type="hidden" name="dix:/membersite-url" value="http://geeknews.com/sxip"/>
<input type="hidden" name="dix:/membersite-path" value="geeknews.com/"/>
<input type="hidden" name="first_name" value="dix://sxip.net/contact/name/first"/>
<input type="hidden" name="email" value="dix://sxip.net/contact/internet/email"/>
<input type="submit"/>
</FORM>
</BODY>
</HTML>



Fetch Request (Bits)

dix:/message-type= dix:/fetch-request

dix:/message-id= 23AC-34B8-BFD1-459A

dix:/membersite-url= http://geeknews.com/sxip

dix:/membersite-path= geeknews.com

first_name= dix://sxip.net/contact/name/first

email= dix://sxip.net/contact/internet/email
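As an added example (not the project's own code), both ends of the fetch request above: the membersite renders the auto-submitting form with a fresh message-id and attribute-escaped values, and the homesite decodes the posted body and checks it before showing the request to the user. The check that dix:/membersite-path names the host of dix:/membersite-url is an assumption, not something the slides specify.

```python
import html
import secrets
from urllib.parse import parse_qs, urlparse

PENDING_REQUESTS = {}  # message-id -> requested properties, matched against the later fetch-response

def build_fetch_request(homesite_endpoint, membersite_url, membersite_path, wanted):
    """Membersite side: render the auto-submitting form that carries a dix:/fetch-request.
    `wanted` maps a local field name to the DIX property URI it asks for."""
    if urlparse(homesite_endpoint).scheme not in ("http", "https"):
        raise ValueError("homesite endpoint must be http(s)")
    message_id = secrets.token_hex(8)  # unpredictable and single-use (the nonce on the Security slide)
    fields = [("dix:/message-type", "dix:/fetch-request"),
              ("dix:/message-id", message_id),
              ("dix:/membersite-url", membersite_url),
              ("dix:/membersite-path", membersite_path),
              *sorted(wanted.items())]
    PENDING_REQUESTS[message_id] = dict(wanted)
    esc = lambda s: html.escape(s, quote=True)  # every value lands inside an attribute
    inputs = "\n".join(f'<input type="hidden" name="{esc(n)}" value="{esc(v)}"/>' for n, v in fields)
    page = ('<HTML><BODY onload="document.forms[0].submit()">\n'
            f'<FORM METHOD="POST" CLASS="DIX" ACTION="{esc(homesite_endpoint)}">\n'
            f'{inputs}\n<input type="submit"/>\n</FORM></BODY></HTML>')
    return message_id, page

def homesite_parse_fetch_request(body):
    """Homesite side: decode the POSTed form body and check it before showing the request
    to the user. Returns (message, None) or (None, error)."""
    msg = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if msg.get("dix:/message-type") != "dix:/fetch-request":
        return None, "not a fetch-request"
    for required in ("dix:/message-id", "dix:/membersite-url", "dix:/membersite-path"):
        if not msg.get(required):
            return None, f"missing {required}"
    site = urlparse(msg["dix:/membersite-url"])
    if site.scheme not in ("http", "https"):
        return None, "membersite-url must be http(s)"
    # Assumed check: the path shown to the user must name the host the response is posted
    # back to, so the consent screen cannot display one site while the data goes to another.
    if msg["dix:/membersite-path"].split("/")[0].lower() != site.netloc.lower():
        return None, "membersite-path does not match membersite-url host"
    props = {k: v for k, v in msg.items() if not k.startswith("dix:")}
    return {"id": msg["dix:/message-id"], "site": msg["dix:/membersite-path"], "properties": props}, None
```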






sxip.net Properties

  • Name: Prefix, First, Middle, Last, Suffix, Alias

  • DOB: Day, Month, Year

  • Phone: Home, Business, Cell, Fax

  • IM: AIM, ICQ, MSN, Yahoo, Jabber, Skype

  • Email: Address, Verified, Hashed

  • Web: Blog, Amazon, Flickr, Delicious

  • Company: Name, Title

  • Media: Spoken Name, Audio Greeting, Video Greeting, Biography, Image


Authentication

[Diagram: Browser, Membersite, Homesite; fetch request]


Properties Requested

[Diagram: Browser, Membersite, Homesite; fetch request]


Persona Selection

[Diagram: Browser, Membersite, Homesite; fetch request]


Persona

[Two persona cards: Work (http://work.com/beth) and Home (http://home.com/beth), each with Name: Beth Surname and a Phone, (604)-678-3500 and (415)-244-5808, …]


Identifier

  • Persona Identifier is a URL

  • Identifier Choice [0…N]

    • No Identifier

    • One per Persona

    • One per Membersite

  • No Central Service, just DNS

  • How claimed?

[Diagram: Identifier http://work.com/beth]


Identifier (Bits)

<LINK REL="dix:/homesite" HREF="http://isp.com"/>

[Diagram: the page at http://work.com/beth carries this link to the Homesite]


Fetch Response

[Diagram: Browser, Membersite, Homesite; fetch request, then fetch response]


Fetch Response (Bits)

dix:/message-type= dix:/fetch-response

dix:/message-id= 23AC-34B8-BFD1-459A

dix:/signature= WJhYTYx…

dix:/homesite-url= http://isp.com/sxip

dix:/status-success= dix:/true

first_name= Beth

email_address= [email protected]


Security

  • Delegation Check: GET Persona URL http://work.com/beth

  • Signature Verification

[Diagram: Browser, Membersite, Homesite; the Membersite and Homesite legs run over HTTPS; the messages carry a nonce and a signature]


Verify Request (Bits)

POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-…
Content-Length: 202

dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D


Verify Request (Bits)

dix:/message-type= dix:/verify-request

dix:/signature= NWJhYTYx…

dix:/digest= Yzg3ZjA0…


Verify Response

[Diagram: Delegation Check (GET Persona URL http://work.com/beth) and Signature Verification between Membersite and Homesite over HTTPS; nonce and signature on the Browser-relayed messages]


Verify Response (Bits)

HTTP/1.1 200 Ok
Connection: close

dix:/true
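The membersite-side checks from the Security slides and the verify-request round trip, as an added example (not code from the slides or from Sxip). The homesite's signature construction, the presence of dix:/persona-url in the fetch response (the slides show that field only in the store request) and the persona page contents are assumptions; the digest is modelled as base64 of a hex SHA-1, which matches the shape of the sample values on the slides.

```python
import base64, hashlib, hmac, re
from urllib.parse import urlparse

# ---- Homesite side (assumed: signature = HMAC-SHA1 over the digest; both base64 of hex) ----
HOMESITE_SECRET = b"constructed-homesite-key"  # known only to the homesite

def b64hex(raw_hex):
    return base64.b64encode(raw_hex.encode()).decode()

def digest_of(fields):
    """Digest over the message with dix:/signature left out (sorted name=value pairs)."""
    canon = "&".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "dix:/signature")
    return b64hex(hashlib.sha1(canon.encode()).hexdigest())

def homesite_sign(fields):
    """Attach dix:/signature to a fetch-response before it goes back through the browser."""
    mac = hmac.new(HOMESITE_SECRET, digest_of(fields).encode(), hashlib.sha1).hexdigest()
    return {**fields, "dix:/signature": b64hex(mac)}

def homesite_verify(form):
    """Handler for the dix:/verify-request POST: answer dix:/true only for our own signature."""
    if form.get("dix:/message-type") != "dix:/verify-request":
        return "dix:/false"
    mac = hmac.new(HOMESITE_SECRET, form.get("dix:/digest", "").encode(), hashlib.sha1).hexdigest()
    return "dix:/true" if hmac.compare_digest(b64hex(mac), form.get("dix:/signature", "")) else "dix:/false"

# ---- Membersite side ----
PENDING = {"23AC-34B8-BFD1-459A"}  # message-ids of fetch-requests we issued and not yet consumed

# Constructed stand-in for a GET of the persona URL (the Delegation Check on the Security slide).
PERSONA_PAGES = {"http://work.com/beth":
                 '<html><head><LINK REL="dix:/homesite" HREF="http://isp.com"/></head></html>'}
LINK_RE = re.compile(r'<LINK\b[^>]*\bREL="dix:/homesite"[^>]*\bHREF="([^"]+)"', re.I)

def delegated_homesite(persona_url):
    m = LINK_RE.search(PERSONA_PAGES.get(persona_url, ""))
    return m.group(1) if m else None

def accept_fetch_response(resp, post_to_homesite):
    """Return (ok, reason). post_to_homesite(endpoint, form) stands in for the HTTPS POST
    of the verify-request; it goes to the homesite directly, never through the browser."""
    mid = resp.get("dix:/message-id")
    if mid not in PENDING:
        return False, "unknown or replayed message-id"
    PENDING.discard(mid)  # one-time use: a replay of this response fails the check above
    homesite = resp.get("dix:/homesite-url", "")
    declared = delegated_homesite(resp.get("dix:/persona-url", ""))
    if declared is None or urlparse(declared).netloc != urlparse(homesite).netloc:
        return False, "persona URL does not delegate to the claimed homesite"
    verdict = post_to_homesite(homesite, {"dix:/message-type": "dix:/verify-request",
                                          "dix:/signature": resp.get("dix:/signature", ""),
                                          "dix:/digest": digest_of(resp)})
    return verdict == "dix:/true", verdict
```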


Saving Data to isp.com

Beth decides to leave a comment on a post at geeknews.com. She will provide some Identity Data and save it at her Homesite.

[Diagram: Browser, Membersite]


[sxip save]

[Diagram: Browser, Membersite]


[sxip save]

  • Consistent User Experience

    • Save Identity Data


[sxip save]

[Diagram: Browser, Membersite, Homesite; store request]


Store Request (Bits)

dix:/message-type= dix:/store-request

dix:/membersite-url= http://geeknews.com/sxip

dix:/membersite-path= geeknews.com

dix:/persona-url= http://work.com/beth

dix://sxip.net/media/image= http://work.com/beth/me.jpg


Persona

[Two persona cards: Work (http://work.com/beth) and Home (http://home.com/beth), each with Name: Beth Surname and a Phone, (604)-678-3500 and (415)-244-5808, …]


Store Response

[Diagram: Browser, Membersite, Homesite; store request, then store response]


Store Response (Bits)

dix:/message-type= dix:/store-response

dix:/homesite-url= http://isp.com/sxip

dix:/status-success= dix:/true


Available Today

  • Homesite Reference Implementation: Perl

  • Demonstration App

  • Membersite Development Kit: PHP, Perl, Java, (Ruby, Python)

  • Plugins: Media Wiki, (Drupal, Ning)

[Diagram: Browser, Membersite, Homesite]


Resources

  • Websites:

    • The Vision: identity20.com

    • The Code: sxip.org

    • The Spec: sxip.net, dixs.org

    • The Demo: sxore.com

  • Contact:

    • John Merrells, [email protected]




General Discussion?

