DIX BOF – Digital Identity eXchange
65th IETF, Dallas, March 21st 2006

Chair – Scott Hollenbeck, [email protected]
Chair – John Merrells, [email protected]
Wiki – http://dixs.org
Jabber – [email protected]

Welcome and Introductions
Housekeeping
  • Use Microphones for those on the audio channel
  • State your name clearly for the scribe
  • Discussion points after each agenda item
  • We need scribes…
  • Wiki – http://dixs.org
  • Jabber – [email protected]
Scene Setting
  • “Enterprise Identity Management” (IdM)
    • Access control for resources
    • Leverages many IETF technologies
      • LDAP, Kerberos, PKIX, TLS
    • Includes
      • Authentication
      • Roles
Scene Setting
  • Web Authentication
    • 1996 survey - 12+ solutions
    • Why this interest?
      • Enterprise Web Applications
      • Required: SSO, Minimal password exposure, browser based
      • Web is easy to hack on
    • So, many open-source, in-house, and commercial solutions, even leveraging IdM
Scene Setting
  • Today’s Web
    • Millions of blogs, homepages, etc
      • Represent online lives
      • Others interact with them
      • But: Who’s on my site? (For expression… rather than control)
      • Required: SSO and Information Exchange (But, no enterprise IdM system)
Scene Setting
  • New Goals
    • User-Centric
    • Widely Deployable
    • Good Enough Security
  • Web-scale ubiquity to be compelling
Scene Setting
  • Questions
    • Is new technology required? Or new usage of existing technology required?
    • What are the user requirements?
    • What are the barriers to wide adoption?
    • Different than ‘Enterprise’ technology? Or just part of the whole spectrum?
Definitions
  • Digital Identity Exchange
  • Identity Agent
  • Relying Party
  • Claim
  • Digital Subject
Definitions
  • Digital Identity Exchange
    • “The transmission of digital representation of a set of Claims made by one Party about itself or another Digital Subject, to one or more other Parties.”
    • RL ‘Bob’ Morgan, 14th March 2006, DIX Mailing List
Definitions
  • Identity Agent
  • Relying Party
  • Client
[Diagram showing the parties: Identity Agent, Relying Party, Client]
Definitions
  • Claim
    • An assertion made by a Claimant of the value or values of one or more Identity Attributes of a Digital Subject, typically an assertion which is disputed or in doubt.
Definitions
  • Digital Subject
    • An Entity represented or existing in the digital realm which is being described or dealt with.
Problem Statement
  • “The Internet is host to many online information sources and services. There is a growing demand for users to identify, and provide information about themselves. Users bear the burden of managing their own authentication materials and repeatedly providing their identity information. Signing in to web pages and completing user registration forms is an example.”
    • Proposed Draft Charter: http://dixs.org/index.php/DIX_Charter

Problem Statement
  • For User
    • Manage many Username/Passwords
    • Retyping same data into forms
  • For Service Operator
    • Low conversion ratios
    • Data inaccuracy
    • Minimal data exchange
Example
  • User goes to a web site
  • User provides some information about themselves
Proposed Goals
  • Automate Digital Identity Exchange between User and Service
  • Protect User’s Privacy
  • Minimize Barriers to Adoption
Benefits
  • For Users
    • Convenient Digital Identity Exchange
    • Richer experience with Service
  • For Service Operators
    • Increased quality and quantity of identity data
    • Higher conversion rates
Role & Scope of IETF
  • Internet related problems
  • “Above the wire and below the application”
  • DIX is within IETF scope
Proposed DIX Scope
  • In Scope
  • Out of Scope
  • In/Out of Scope?
  • Narrow, yet also ambitious.
In Scope
  • Digital Identity Exchange between User and Service
  • HTTP/HTML Transport
  • Browser based applications
Out of Scope
  • Digital Identity Exchange between services
  • Federating identifier namespaces
  • Usage of digital certificates
  • Claim schema and type system
  • User authentication with Identity Agent
In/Out of Scope?
  • SIP
  • XMPP
  • Non-browser based applications
  • Third Party Claims
Requirements

Seven Laws of Identity

  • User Control and Consent
  • Minimal Disclosure for Constrained Use
  • Justifiable Parties
  • Directed Identity
  • Pluralism of Operators and Technologies
  • Human Interaction
  • Consistent Experience Across Contexts

Kim Cameron, http://www.identityblog.com/

Requirements – Digital Identity Exchange
  • Move claims from agent to service
  • Move claims from service to agent
  • Unique identifier for User
Requirements - Privacy
  • Unique Identifier for User
    • No central control
    • Opaque
    • Unidirectional (1:1)
    • Omni-directional (1:N)
    • Separation from Identity Agent
  • Minimal disclosure
Requirements - Claim Schema
  • Globally unique Identifier for Names
  • Easily extended
Requirements - Adoption
  • Nominal client footprint
  • Minimal changes to Service
  • Service can independently extend Claim Schema
  • Leverage existing standards
  • Ad hoc Service and Identity Agent relationship
  • No more security than needed
    • Security Gradient
Security Gradient - Example
[Diagram: Identity Transaction Value (Low Value: Blogs, … up to High Value: Health Records, …) plotted against Security Level; DIX sits on HTTP, DNS, HTTPS, with Extension Points reaching up to PKI, DNSSEC, …]

Architectural Models
  • Domain Centric
  • Federation
  • User-Centric
Domain Centric
[Diagram: Account Credentials presented to one domain, which handles Authentication / Attributes / Authorization]
E.g. X.500, LDAP, Kerberos, PKIX, TLS, SASL, HTTP Basic/Digest, …

Federation
[Diagram: SAML Request, SAML Response and SAML Tokens exchanged between the federated parties]
E.g. SAML / Liberty, …

Federation - Ad Hoc
[Diagram: Discovery from an Identifier URL, then Claims exchanged]
E.g. OpenID, LID, XRI, Yadis

User Centric
[Diagram: Request, then Claims returned via the user]
E.g. SXIP 2.0, WS-Trust / MetaSystem, …

draft-merrells-dix-00.txt
  • Individual Submission Internet-Draft
    • Title: DIX: Digital Identity Exchange
    • Author: J. Merrells, Sxip Identity
    • Contact: [email protected]
    • Date: Jan 17th, 2005
  • http://www.ietf.org/internet-drafts/draft-merrells-dix-00.txt
  • (Wiki has Update: http://dixs.org/index.php/Documents)
SXIP 2.0
[Diagram: Browser between Membersite and Homesite, with the DIX Protocol on both legs; SXIP Buttons on the Membersite; SXIP Properties: First Name, Last Name, Email Address, Blog URL, Image, …etc…]

First Visit to geeknews.com
  • Beth receives an email invitation for geeknews.com
  • She’s going to ‘sign in’ to the website and provide some information about herself…
[Diagram: Browser, Membersite]

[sxip in]
[Diagram: Browser, Membersite]

[sxip in]
  • Consistent User Experience
    • ‘Sign In’
    • Provide Identity Data
Dynamic Discovery
[Diagram: GET Homesite Page from ISP.com returns the Homesite Tag; Browser, Membersite, Homesite]

Homesite Tag (Bits)

  HREF="http://isp.com/sxip" CLASS="dix:/core#1 dix://sxip.net/simple#1"/>

[Diagram: Homesite Tag on the Homesite page]

Homesite Tag
  • Endpoint: http://isp.com/sxip
  • Capabilities: dix:/core#1, dix://sxip.net/simple#1
[Diagram: Homesite Tag on the Homesite page]

Endpoint
  • HTTP POST to http://isp.com/sxip

  POST /sxip HTTP/1.1
  Host: isp.com
  User-Agent: membersite
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 202

  dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D

[Diagram: Homesite]

Capability Extensibility
  • DIX URI
    • Scheme is DIX
    • Domain is any domain
    • Path is domain specific
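As an added example (not code from the slides or from Sxip's kits), a membersite-side discovery routine in Python that pulls the Homesite Tag's HREF endpoint and CLASS capability URIs out of a fetched homesite page and splits each DIX URI into scheme, domain and path as the Capability Extensibility slide describes. The element name, the constructed sample page and the rule that a membersite only uses an endpoint advertising the capability it needs are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample homesite page; the slide shows only the HREF/CLASS
# attributes, so the element name (<link>) is an assumption.
SAMPLE_HOMESITE_PAGE = """<html><head><title>Beth at isp.com</title>
<link HREF="http://isp.com/sxip" CLASS="dix:/core#1 dix://sxip.net/simple#1"/>
<link href="/style.css" class="stylesheet">
</head><body>hello</body></html>"""

class HomesiteTagParser(HTMLParser):
    """Collects every element whose class attribute carries DIX capability URIs."""
    def __init__(self):
        super().__init__()
        self.tags = []            # list of (endpoint, [capability, ...])

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        caps = [c for c in a.get("class", "").split() if c.startswith("dix:")]
        if caps and a.get("href"):
            self.tags.append((a["href"], caps))

def discover(html):
    """Return [(endpoint, capabilities)] found in the homesite page."""
    p = HomesiteTagParser()
    p.feed(html)
    return p.tags

def parse_capability(uri):
    """Split a DIX URI: scheme dix, optional domain, domain-specific path, '#' suffix.
    dix:/core#1 has no domain; dix://sxip.net/simple#1 belongs to sxip.net."""
    m = re.fullmatch(r"dix:(?://([^/#]+))?(/[^#]*)#([^#]+)", uri)
    if not m:
        raise ValueError("not a DIX URI: %r" % uri)
    return m.group(1) or "", m.group(2), m.group(3)

def select_endpoint(html, required="dix:/core#1"):
    """Assumed membersite rule: use the first endpoint advertising the capability
    we need; return None (and send nothing) if no tag advertises it."""
    for endpoint, caps in discover(html):
        if required in caps:
            return endpoint
    return None
```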
Fetch Request
[Diagram: fetch request carried from Membersite to Homesite via the Browser]

Fetch Request (Bits)

  dix:/message-type = dix:/fetch-request
  dix:/message-id = 23AC-34B8-BFD1-459A
  dix:/membersite-url = http://geeknews.com/sxip
  dix:/membersite-path = geeknews.com
  first_name = dix://sxip.net/contact/name/first
  email = dix://sxip.net/contact/internet/email

sxip.net Properties
  • Name: Prefix, First, Middle, Last, Suffix, Alias
  • DOB: Day, Month, Year
  • Phone: Home, Business, Cell, Fax
  • IM: AIM, ICQ, MSN, Yahoo, Jabber, Skype
  • Email: Address, Verified, Hashed
  • Web: Blog, Amazon, Flickr, Delicious
  • Company: Name, Title
  • Media: Spoken Name, Audio Greeting, Video Greeting, Biography, Image
Authentication
[Diagram: fetch request pending at Homesite; the user authenticates to the Homesite via the Browser]

Properties Requested
[Diagram: Homesite shows the user the properties the Membersite's fetch request asked for]

Persona Selection
[Diagram: Homesite asks the user to choose the persona that answers the fetch request]

Persona
  • Work – http://work.com/beth
    • Name: Beth Surname
    • Phone: (604)-678-3500
    • ….
  • Home – http://home.com/beth
    • Name: Beth Surname
    • Phone: (415)-244-5808

Identifier
  • Persona Identifier is a URL, e.g. http://work.com/beth
  • Identifier Choice [0…N]
    • No Identifier
    • One per Persona
    • One per Membersite
  • No Central Service, just DNS
  • How claimed?

Fetch Response
[Diagram: fetch response carried from Homesite back to Membersite via the Browser, answering the fetch request]

Fetch Response (Bits)

  dix:/message-type = dix:/fetch-response
  dix:/message-id = 23AC-34B8-BFD1-459A
  dix:/signature = WJhYTYx…
  dix:/homesite-url = http://isp.com/sxip
  dix:/status-success = dix:/true
  first_name = Beth
  email_address = [email protected]

Security
[Diagram: Browser between Membersite and Homesite, both legs over HTTPS; the Membersite checks the nonce and the Homesite's signature (Signature Verification); Delegation Check: GET Persona URL http://work.com/beth]

Verify Request (Bits)

  POST /sxip HTTP/1.1
  Host: isp.com
  User-Agent: membersite
  Content-Type: application/x-www-form-…
  Content-Length: 202

  dix:/message-type = dix:/verify-request
  dix:/signature = NWJhYTYx…
  dix:/digest = Yzg3ZjA0…

Verify Response
[Diagram: Homesite answers the Membersite's verify request over HTTPS; Delegation Check (GET Persona URL http://work.com/beth) and Signature Verification as on the Security slide]

Verify Response (Bits)

  HTTP/1.1 200 Ok
  Connection: close

  dix:/true
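Added example (not the slides' or Sxip's code) in Python of the membersite side of the fetch/verify exchange shown above: it encodes a fetch request in the application/x-www-form-urlencoded wire form, checks a fetch response (message-id echo, homesite-url against the discovered endpoint, status-success, signature present) before its claims are used, and builds the verify request. The constructed sample response, the reading of message-id as the Security slide's nonce, and the caller-supplied digest are assumptions, since the slides do not state the signature or digest algorithm.

```python
import secrets
from urllib.parse import urlencode, parse_qsl

# Constructed sample wire body, built from the Fetch Response (Bits) slide values.
SAMPLE_FETCH_RESPONSE = ("dix:/message-type=dix:/fetch-response"
    "&dix%3A%2Fmessage-id=23AC-34B8-BFD1-459A&dix:/signature=WJhYTYx"
    "&dix:/homesite-url=http://isp.com/sxip&dix:/status-success=dix:/true"
    "&first_name=Beth&email_address=beth%40example.invalid")

def encode_dix(fields):
    """Wire form is form-urlencoded; a 'dix:/' key comes out as dix%3A%2F..."""
    return urlencode(list(fields.items()))

def decode_dix(body):
    """Parse a wire body; percent-encoded and bare 'dix:/' keys both decode."""
    return dict(parse_qsl(body, keep_blank_values=True))

def build_fetch_request(membersite_url, membersite_path, wanted, message_id=None):
    """wanted maps property names to DIX URIs; message-id doubles as the
    per-request nonce the response must echo (assumed reading of the slides)."""
    msg = {"dix:/message-type": "dix:/fetch-request",
           "dix:/message-id": message_id or secrets.token_hex(8),
           "dix:/membersite-url": membersite_url,
           "dix:/membersite-path": membersite_path}
    msg.update(wanted)
    return msg

def check_fetch_response(resp, expected_message_id, expected_homesite_url):
    """Membersite checks before any claim is trusted; returns (ok, reason)."""
    if resp.get("dix:/message-type") != "dix:/fetch-response":
        return False, "wrong message type"
    if resp.get("dix:/message-id") != expected_message_id:
        return False, "message-id mismatch: stale or replayed response"
    if resp.get("dix:/homesite-url") != expected_homesite_url:
        return False, "homesite-url differs from the discovered endpoint"
    if resp.get("dix:/status-success") != "dix:/true":
        return False, "homesite reported failure"
    if not resp.get("dix:/signature"):
        return False, "unsigned response, nothing to verify"
    return True, "ok"

def claims_from(resp):
    """Everything that is not a dix:/ control field is a returned claim."""
    return {k: v for k, v in resp.items() if not k.startswith("dix:/")}

def build_verify_request(resp, digest):
    """Verify request for the homesite endpoint; the digest is caller-supplied
    because the slides do not name the hash or what it covers."""
    return {"dix:/message-type": "dix:/verify-request",
            "dix:/signature": resp["dix:/signature"], "dix:/digest": digest}
```

The homesite's answer to the verify request is the literal body dix:/true, as the Verify Response (Bits) slide shows; anything else should be treated as a failed verification.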

Saving Data to isp.com
  • Beth decides to leave a comment on a post at geeknews.com
  • She will provide some Identity Data and save it at her Homesite
[Diagram: Browser, Membersite]

[sxip save]
[Diagram: Browser, Membersite]

[sxip save]
  • Consistent User Experience
    • Save Identity Data
[sxip save]
[Diagram: store request carried from Membersite to Homesite via the Browser]

Store Request (Bits)

  dix:/message-type = dix:/store-request
  dix:/membersite-url = http://geeknews.com/sxip
  dix:/membersite-path = geeknews.com
  dix:/persona-url = http://work.com/beth
  dix://sxip.net/media/image = http://work.com/beth/me.jpg

Store Response
[Diagram: store response carried from Homesite back to Membersite via the Browser, answering the store request]

Store Response (Bits)

  dix:/message-type = dix:/store-response
  dix:/homesite-url = http://isp.com/sxip
  dix:/status-success = dix:/true

Available Today
  • Homesite Reference Implementation: Perl
  • Demonstration App
  • Membersite Development Kit: PHP, Perl, Java, (Ruby, Python)
  • Plugins: Media Wiki, (Drupal, Ning)
[Diagram: Browser, Membersite, Homesite]

Resources
  • Websites:
    • The Vision: identity20.com
    • The Code: sxip.org
    • The Spec: sxip.net, dixs.org
    • The Demo: sxore.com
  • Contact:
    • John Merrells, [email protected]