Advances in digital identity
Advances in Digital Identity - PowerPoint PPT Presentation




PowerPoint Slideshow about 'Advances in Digital Identity' - gwyn


Presentation Transcript
Advances in Digital Identity

Steve Plank, Identity Architect


Connectivity: IP

Naming: DNS

Identity: no consistency


we taught users to type usernames & passwords into a web page



what is identity? attributes:

  • givenName: steve
  • sn: plank
  • preferredName: planky
  • dateOfBirth: 170685!
  • over18: true
  • over21: true
  • over65: false
  • image


self asserted: what claims I make about myself

verifiable: what claims another party makes about me


elvis presley: only 1 of them is real (probably)



trust

claims

make these


SECURITY TOKEN: steve, plank, over 18, over 21, under 65, image


security token service: give it something, a DIFFERENT SECURITY TOKEN (username, password, biometric, signature, certificate, "secret"), and it issues the SECURITY TOKEN: Steve, Plank, Over 18, Over 21, Under 65, image



Participants

identity provider

subject

relying party (website)


subject, identity provider (with its security token service) and relying party; tokens and protocols in play: SAML, x509, WS-*; the identity selector on the subject's side speaks WS-*



human integration: consistent experience across contexts


Cards

self-issued

  • contains claims about my identity that I assert
  • not corroborated
  • stored locally
  • signed and encrypted to prevent replay attacks

managed

  • provided by banks, stores, government, clubs, etc
  • locally stored cards contain metadata only!
  • data stored by identity provider and obtained only when card submitted


Login with self issued card

  • login: the relying party (website) page carries an object tag
  • select self issued card: the user picks the "Planky" card
  • create token from card: FN: Steve, LN: Plank, Email: splank, CO: UK
  • sign, encrypt & send token to the relying party (website)


Login with managed card

  • login: the relying party (website) page carries an object tag
  • select managed card: the user picks the Woodgrove Bank card
  • request security token: the user authenticates to the identity provider (authN: X509, kerb, SC, U/pwd…)
  • request security token response: the identity provider signs, encrypts and sends the token, which goes to the relying party (website)


The relying party's login page: the form posts the token to login.aspx as the xmlToken field, and the object tag tells the identity selector which token type and issuer are accepted (here: self-issued) and which claims are required (a whitespace-separated list of claim URIs).

<body>
  <form id="form1" method="post" action="login.aspx">
    <div>
      <button type="submit">
        Click here to sign in with your Information Card
      </button>
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
        <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"/>
        <param name="requiredClaims" value="
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
        "/>
      </object>
    </div>
  </form>
</body>


relying party (website):

  • xmlToken (signed & encrypted) → token decrypter → xmlToken (plaintext)
  • claims extractor → ppid 456
  • ppid is the index into the user database (rows 123, 456, 789: first name, last name, email, phone)
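
The security token service slides and the relying-party pipeline above, worked through as an added example (not code from the deck): an identity provider that authenticates the user and issues a signed token of claims, a self-issued path that asserts only what the local card holds, and a relying party that verifies the token and indexes its user database by ppid. Everything named here is constructed for the example: the woodgrovebank.example issuer URL, the shop.example relying party, the card secrets, signing keys and the "correct horse" password. HMAC over a JSON body stands in for the XML signature and encryption of a real token, and deriving the ppid per relying party is an assumption the slides do not state.

```python
"""Added example, not code from the deck: a minimal security token service and
relying party for the flow the slides draw. Constructed: the cards, the bank
record, the keys and the relying-party URL. HMAC over a JSON body stands in for
the XML signature and encryption a real token carries."""
import base64, hashlib, hmac, json, secrets
from datetime import date

SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
BANK_ISSUER = "https://woodgrovebank.example/sts"  # assumed issuer name
SELF_CARD = {"givenname": "Steve", "surname": "Plank", "emailaddress": "splank",
             "country": "UK", "secret": "self-card-secret-0001"}
BANK_RECORD = {"givenname": "Steve", "surname": "Plank", "dateOfBirth": date(1985, 6, 17)}
KEYS = {SELF_ISSUER: b"self-card-signing-key", BANK_ISSUER: b"woodgrove-signing-key"}

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def age_claims(dob, today):
    """Derived claims: the relying party learns over18/over21/over65, never the date."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {"over18": age >= 18, "over21": age >= 21, "over65": age >= 65}

def ppid(card_secret, rp_id):
    """Private personal identifier; derived per relying party here (an assumption,
    the deck only shows the website indexing its database by it)."""
    return hashlib.sha256(f"{card_secret}|{rp_id}".encode()).hexdigest()[:16]

def issue_token(issuer, claims, audience, now, lifetime=300):
    """Security token: claims plus issuer, audience, validity window and nonce, signed."""
    body = {"issuer": issuer, "audience": audience, "nbf": now, "exp": now + lifetime,
            "nonce": secrets.token_hex(8), "claims": claims}
    payload = b64(json.dumps(body, sort_keys=True).encode())
    return payload + b"." + b64(hmac.new(KEYS[issuer], payload, hashlib.sha256).digest())

def self_issued_token(required, rp_id, now):
    """Identity selector path: only the claims the card holds, asserted by the user."""
    claims = {c: SELF_CARD[c] for c in required if c in SELF_CARD}
    claims["privatepersonalidentifier"] = ppid(SELF_CARD["secret"], rp_id)
    return issue_token(SELF_ISSUER, claims, rp_id, now)

def managed_token(required, rp_id, password, now, today):
    """RequestSecurityToken: the bank authenticates the user (U/pwd here), then
    answers with a token built from its own record, not from the local card."""
    if not hmac.compare_digest(password, "correct horse"):  # constructed credential
        raise PermissionError("authentication failed")
    available = {k: v for k, v in BANK_RECORD.items() if k != "dateOfBirth"}
    available.update(age_claims(BANK_RECORD["dateOfBirth"], today))
    claims = {c: available[c] for c in required if c in available}
    claims["privatepersonalidentifier"] = ppid("woodgrove-card-4711", rp_id)
    return issue_token(BANK_ISSUER, claims, rp_id, now)

class RelyingParty:
    """Token decrypter, claims extractor and user database keyed by ppid."""
    def __init__(self, rp_id, trusted_issuers):
        self.rp_id, self.trusted = rp_id, trusted_issuers
        self.users, self.seen_nonces = {}, set()

    def verify(self, token, now):
        payload, sig = token.rsplit(b".", 1)
        body = json.loads(unb64(payload))  # untrusted until the signature checks out
        key = self.trusted.get(body.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), unb64(sig)):
            raise ValueError("bad signature")
        if body["audience"] != self.rp_id:
            raise ValueError("token issued for another relying party")
        if not body["nbf"] <= now < body["exp"]:
            raise ValueError("token outside its validity window")
        if body["nonce"] in self.seen_nonces:  # a valid signature alone does not stop replay
            raise ValueError("replayed token")
        self.seen_nonces.add(body["nonce"])
        return body["claims"]

    def login(self, token, now):
        claims = self.verify(token, now)
        uid = claims.pop("privatepersonalidentifier")
        self.users.setdefault(uid, claims)  # first visit creates the row, later visits index by ppid
        return uid, self.users[uid]

def demo(now=1000):
    """Both flows against one relying party; returns the records and the errors raised."""
    rp, out = RelyingParty("https://shop.example", KEYS), {}
    tok = self_issued_token(["givenname", "surname", "emailaddress"], rp.rp_id, now)
    out["self"] = rp.login(tok, now + 5)[1]
    mtok = managed_token(["givenname", "over18", "over65"], rp.rp_id, "correct horse", now, date(2007, 1, 1))
    out["managed"] = rp.login(mtok, now + 5)[1]
    bad = {"replay": tok, "stale": self_issued_token(["givenname"], rp.rp_id, now - 600),
           "foreign": self_issued_token(["givenname"], "https://other.example", now)}
    for name, token in bad.items():
        try:
            rp.login(token, now + 5)
        except ValueError as err:
            out[name] = str(err)
    out["accounts"] = len(rp.users)
    return out
```

Running demo() shows the two things the slides leave implicit: the managed token carries over18/over65 rather than the date of birth the bank holds, and the relying party must check audience, validity window and nonce as well as the signature, because a correctly signed token captured on the wire can otherwise be presented again or at a different site.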



Review

identity layer

phishing, phraud

human integration: consistent experience across contexts

ip, rp, user, identity selector

Presentation style mercilessly stolen off

Lawrence Lessig, BBC News 24 and Dick Hardt