SlideShare una empresa de Scribd logo

Digital Identity

ZendCon
ZendCon

OpenID and Information Cards are two of the most prominent emerging identity technologies. It is important that you understand the benefits, usage and differences between them in order prepare for the future, even when not ready to deploy them. During this presentation we will examine what digital identities are and specifically what each of these technologies is.

Tecnología
1 de 56
Descargar para leer sin conexión
Digital Identity Rob Richards September 17, 2008 http://xri.net/=rob.richards
What is a Digital Identity? • Digital representation of claims about an entity – Domain name – email address – username – I-name • Claims can be made by or about the entity • No built-in assumption of trust 2
Who Am I? =rob.richards jbobhick Jimbob Hick ab3544...@nyms.net Rob Richards Caribou, Maine <personal email> <address> <telephone> rob@mashery.com Rob Richards Sr. Software Architect http://rrichards.pip.verisignlabs.com/ 3
What's the Problem? • Username/Password juggling • Information is being stored – Concerns over privacy issues – Security concerns / Identity Theft • User has no idea who/what is using their information • Continual re-invention of authentication mechanisms • Granting access to personal data to another party *** Sep 17th 2008 *** http://www.enews20.com/ news_Norwegian_tax_authority_mistakenly_leaks_sensitive_data_11597.html 4
7 Laws of Identity • User Control and Consent • Minimal Disclosure for a Constrained Use • Justifiable Parties • Directed Identity • Pluralism of Operators and Technologies • Human Integration • Consistent Experience Across Contexts Kim Cameron, quot;Laws of Identityquot;, http://www.identityblog.com/?page_id=354 5
Identity Context Examples • Browsing: self-asserted identity for exploring the Web (giving away no real data)‫‏‬ • Personal: self-asserted identity for sites with which I want an ongoing private relationship (including my name and a long-term e-mail address)‫‏‬ • Community: a public identity for collaborating with others • Professional: a public identity for collaborating issued by my employer • Credit card: an identity issued by my financial institution • Citizen: an identity issued by my government Kim Cameron, quot;Laws of Identityquot;, http://www.identityblog.com/?page_id=354 6
OpenID and Information Cards • Allow for Single Sign On • Decentralized – No one entity in control – User has choice and freedom • User-Centric – User is in control of data – User aware of information exchange • Possible reduction in amount of personal information a remote site would need to store • Potential to increase the Web experience while maintaining User privacy 7
Common Terminology • Subject – Entity referenced by identity • Digital Identity – Set of claims made by one digital subject about itself or another • Relying Party (RP) – Site requesting identity • Identity Provider (IdP) / OpenID Provider (OP) – Service that provides or maintains identity information 8
OpenID • URL based – http://rrichards.pip.verisignlabs.com/ – =rob.richards (http://xri.net/=rob.richards)‫‏‬ • Not Machine Dependent • Based on Simplicity – HTTP/S – URLs • PHP Libraries (There are More . . .)‫‏‬ – PHP OpenID library (http://www.openidenabled.com/php-openid/)‫‏‬ – Zend (http://framework.zend.com/manual/en/zend.openid.html) – OpenID for PHP (http://www.openidforphp.org/) 9
OpenID Interaction Based on OpenID 1.1 Relying Party locates User Submits ID Identity Provider (IP)‫‏‬ Relying Party Relying Party Redirects User to IP Establishes Association User Authenticates IP Redirects back Against IP to Relying Party Relying Party Evaluates Response 10
OpenID Validation Example
12
OpenID Verification 13
User Trust Consent 14
OpenID validated 15
OpenID 2.0 • Extension Support – namespaced extensions • Attribute Exchange Extension – Extensible attribute support – Identity Provider can be asked to store certain attributes • HTTP POST Support – No longer limited to URL length – Larger Requests and Responses • Directed Identity – URL can identity Identity Provider – Identity Provider determines what ID to send to Relying Party • Official i-name Support 16
OpenID: Potential Issues • Phishing / Pharming • Cross-Site Scripting (XSS) / Cross-Site Request Forgery (CSRF) – Feature to trust sites and not require login – Attacker could access sites unbeknownst to user • DNS Poisoning • Web Page Defacement • Realm Spoofing – Open Redirect Servers – XSS exploited • ID recycling • Your provider knows every site you use your id on 17
Information Cards: Identities Identities represented as cards in a wallet – Self Asserted – Managed (Third Party provided)‫‏‬ 18
Information Cards: Selectors CardSpace != Information Cards Information Cards are not Microsoft specific 19
Information Cards • Identifier is unique amongst parties – Distinct digital key for each realm • Protections again Phishing – Visual indicators of previous interactions – x509 certificate checking • Complex Technologies – SAML – WS-Security / WS-Policy / WS-Trust – x509 20
Information Cards: Making Claims 21
Information Cards Interaction Source: David Chappell quot;Introducing Windows CardSpacequot; April 2006 22
Information Card Validation Example 23
Information Card Login 24
Site Information 25
Select or Create Card 26
Preview Information To Be Sent 27
Information Card Validated 28
InfoCard Selector Initiation <form id=quot;infocardquot; method=quot;postquot; action=quot;serendipity_admin.phpquot;> <center> <img src=quot;/infocard/infocard.pngquot; onClick=quot;infocard.submit()quot;/> </center> <OBJECT type=quot;application/x-informationCardquot; name=quot;xmlTokenquot;> <PARAM Name=quot;tokenTypequot; Value=quot;urn:oasis:names:tc:SAML:1.0:assertionquot;> <PARAM Name=quot;requiredClaimsquot; Value=quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressquot; /> </OBJECT> </form> 29
InfoCard: PHP Code http://www.cdatazone.org/index.php?/pages/source.html • My own code – xmlseclibs.php • XMLDSig / XMLENC – infocard-lib.php • Decrypts submitted XML Token • Verifies Signed SAML Token • Parses Assertions • Zend_Infocard – http://framework.zend.com/manual/en/zend.infocard.html – Included with 1.5 release 30
Submitted Token <enc:EncryptedData xmlns:enc=quot;...xmlenc#quot; Type=quot;...xmlenc#Elementquot;> <enc:EncryptionMethod Algorithm=quot;...xmlenc#aes256-cbcquot; /> <ds:KeyInfo xmlns:ds=quot;http://www.w3.org/2000/09/xmldsig#quot;> <enc:EncryptedKey> <enc:EncryptionMethod Algorithm=quot;...xmlenc#rsa-oaep-mgf1pquot;> <ds:DigestMethod Algorithm=quot;...xmldsig#sha1quot; /> </enc:EncryptionMethod> <ds:KeyInfo> <wsse:SecurityTokenReference xmlns:wsse=quot;...ssecurity-secext-1.0.xsdquot;> <wsse:KeyIdentifier ValueType=quot;. . .#ThumbprintSHA1quot; EncodingType=quot;. . .#Base64Binaryquot;>7SSj. . .</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <enc:CipherData> . . .</enc:CipherData> </enc:EncryptedKey> </ds:KeyInfo> <enc:CipherData>. . .</enc:CipherData> </enc:EncryptedData> 31
Decrypted Self-Asserted Card <saml:Attribute AttributeName=quot;emailaddressquot; AttributeNamespace=quot;. . ./identity/claimsquot;> <saml:AttributeValue>rrichards@php.net</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=quot;givennamequot; AttributeNamespace=quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimsquot;> <saml:AttributeValue>Rob</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=quot;surnamequot; AttributeNamespace=quot;. . ./identity/claimsquot;> <saml:AttributeValue>Richards</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=quot;privatepersonalidentifierquot; AttributeNamespace=quot;. . ./ identity/claimsquot;> <saml:AttributeValue>mzhu+UCL. . .</saml:AttributeValue> </saml:Attribute> 32
Information Cards: Into The Future 33
Information Card Issues • Still in infancy – Few number of selectors – Differing functionality between selectors – Small numbers in production • CardStore not easily transportable • Third party applications required for non Windows systems • Third party applications/plugins required • More difficult to implement than most Identity technologies 34
Digital Identity: What Are You Using It For? • Identity for public or private use? • Is it a part of a reputation? • How valuable is the data to be protected? • What are the individual privacy concerns? • Consequences if a users identity is compromised? 35
OAuth
OAuth API Authorization Delegation 37
OAuth: The Problem 38
OAuth: The Problem Stop Asking For My User Credentials! 39
OAuth: What Is It? Allows a User to grant access to private resources to another entity without giving away the keys to the Kingdom Master Key User Service Provider Consumer 40
OAuth • OAuth Is Not OpenID – Shares common technologies – Workflow Appears similar • Consumer needs to be known to Service Provider • Token Based – Tokens identify the consumer – Tokens identify the combination of user and consumer – Tokens can be given a lifespan – Tokens can be revoked 41
OAuth Security • Requests are signed – Plaintext – HMAC-SHA1 – RSA-SHA1 • Tokens are passed – No sharing of username/password – Tokens can be revoked • Requests pass timestamps – Provides validity timeframe – Can help prevent replay attacks • Nonce can be used – prevent replay attacks 42
OAuth: Access Protected Resource http://api.getsatisfaction.com/me AccessDeniedError 43
OAuth: Consumer Registration • Consumer provides information to Service Provider – Name – URL – Description • Consumer receives unique identifier (Consumer Key) • Information for Signature is shared – Shared secrect (Consumer Secret) – Consumer Public Key for use in RSA-SHA1 verification • Request and Access token endpoints made known 44
OAuth: Consumer Registration 45
OAuth: Consumer Registration 46
OAuth: Get Request Token http://getsatisfaction.com/api/request_token? oauth_consumer_key=qw0xx50kxx29 &oauth_nonce=15865e53dbe0c4d4f13d9c2296c49fd8ba7384 &oauth_signature=kwwh%2BMO21uExLTAn25jFwLhZfys%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1221478575 &oauth_version=1.0 47
OAuth: Get Request Token (SP Response) oauth_token=2147xxxxvz0i &oauth_token_secret=xuxxtmxxxxxxx60bbn8worxxxxxxxcr1 48
OAuth: User Authorization http://getsatisfaction.com/api/authorize? oauth_token=pspiu7gw5faq &oauth_callback=http%3A%2F%2Fcdatazone.org %2Fexample%2Ftest.php 49
OAuth: User Authorization 50
OAuth: User Authorization (SP Redirect) http://www.cdatazone.org/example/test.php? oauth_token=pspiu7gw5faq 51
OAuth: Get Access Token http://getsatisfaction.com/api/access_token? oauth_consumer_key=qw0xx50kxx29 &oauth_nonce=be2ca738ccd024a9524d4eb090c1375b9953 &oauth_signature=2jSjj%2BjqlrxEbvbrxy0HboHrhr0%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1221480066 &oauth_token=pspiu7gw5faq &oauth_version=1.0 52
OAuth: Get Access Token (SP Response) oauth_token=s8xxxjxixxxu &oauth_token_secret=powxhxxxxxxxw9m457xxxxxxxjom2o 53
OAuth: Access Protected Resource http://api.getsatisfaction.com/me? oauth_consumer_key=qw0xx50kxx29 &oauth_nonce=33cc986c57ee57689665ef331058cacacda6ab &oauth_signature=cWVX7QHX9FedI29fGiw99msSPfA%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1221480525 &oauth_token=s8xxxjxixxxu &oauth_version=1.0 54
OAuth: Access Protected Resource 55
Questions? Digital Identity Rob Richards http://xri.net/=rob.richards www.cdatazone.org

Recomendados

Codemash-2017
Codemash-2017Codemash-2017
Codemash-2017
Kevin Cody
 
Stateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
Alvaro Sanchez-Mariscal
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Bitcoins
BitcoinsBitcoins
Bitcoins
Tushant sharma
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Bitcoins
BitcoinsBitcoins
Bitcoins
Tushant sharma
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101
Dasith Wijesiriwardena
 

Recomendados

Codemash-2017
Codemash-2017Codemash-2017
Codemash-2017
Kevin Cody
 
Stateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
Alvaro Sanchez-Mariscal
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Bitcoins
BitcoinsBitcoins
Bitcoins
Tushant sharma
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Bitcoins
BitcoinsBitcoins
Bitcoins
Tushant sharma
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101
Dasith Wijesiriwardena
 
KYC using Blockchain
KYC using BlockchainKYC using Blockchain
KYC using Blockchain
ijtsrd
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
A Storage Story #ChefConf2013
A Storage Story #ChefConf2013A Storage Story #ChefConf2013
A Storage Story #ChefConf2013
Kyle Bader
 
Oracle Compute Cloud Service介绍
Oracle Compute Cloud Service介绍Oracle Compute Cloud Service介绍
Oracle Compute Cloud Service介绍
Zhaoyang Wang
 
Zend_Tool: Practical use and Extending
Zend_Tool: Practical use and ExtendingZend_Tool: Practical use and Extending
Zend_Tool: Practical use and Extending
ZendCon
 
PHP on IBM i Tutorial
PHP on IBM i TutorialPHP on IBM i Tutorial
PHP on IBM i Tutorial
ZendCon
 
MySQL in your laptop
MySQL in your laptopMySQL in your laptop
MySQL in your laptop
Giuseppe Maxia
 
Why MySQL High Availability Matters
Why MySQL High Availability MattersWhy MySQL High Availability Matters
Why MySQL High Availability Matters
Mark Swarbrick
 
Oracle cloud ravello介绍及测试账户申请
Oracle cloud ravello介绍及测试账户申请Oracle cloud ravello介绍及测试账户申请
Oracle cloud ravello介绍及测试账户申请
Zhaoyang Wang
 
Tiery Eyed
Tiery EyedTiery Eyed
Tiery Eyed
ZendCon
 
Framework Shootout
Framework ShootoutFramework Shootout
Framework Shootout
ZendCon
 
PHP and Platform Independance in the Cloud
PHP and Platform Independance in the CloudPHP and Platform Independance in the Cloud
PHP and Platform Independance in the Cloud
ZendCon
 
Zend Core on IBM i - Security Considerations
Zend Core on IBM i - Security ConsiderationsZend Core on IBM i - Security Considerations
Zend Core on IBM i - Security Considerations
ZendCon
 
Oracle cloud 使用云市场快速搭建小型电商网站
Oracle cloud 使用云市场快速搭建小型电商网站Oracle cloud 使用云市场快速搭建小型电商网站
Oracle cloud 使用云市场快速搭建小型电商网站
Zhaoyang Wang
 
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and ScalabilitySolving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
ZendCon
 
MySQL Manchester TT - Security
MySQL Manchester TT - SecurityMySQL Manchester TT - Security
MySQL Manchester TT - Security
Mark Swarbrick
 
MySQL Optimizer Overview
MySQL Optimizer OverviewMySQL Optimizer Overview
MySQL Optimizer Overview
Olav Sandstå
 
MySQL Manchester TT - Replication Features
MySQL Manchester TT - Replication FeaturesMySQL Manchester TT - Replication Features
MySQL Manchester TT - Replication Features
Mark Swarbrick
 

Más contenido relacionado

La actualidad más candente

KYC using Blockchain
KYC using BlockchainKYC using Blockchain
KYC using Blockchain
ijtsrd
 

La actualidad más candente (6)

KYC using Blockchain
KYC using BlockchainKYC using Blockchain
KYC using Blockchain
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 

Destacado

A Storage Story #ChefConf2013
A Storage Story #ChefConf2013A Storage Story #ChefConf2013
A Storage Story #ChefConf2013
Kyle Bader
 

Destacado (20)

A Storage Story #ChefConf2013
A Storage Story #ChefConf2013A Storage Story #ChefConf2013
A Storage Story #ChefConf2013
 
Oracle Compute Cloud Service介绍
Oracle Compute Cloud Service介绍Oracle Compute Cloud Service介绍
Oracle Compute Cloud Service介绍
 
Zend_Tool: Practical use and Extending
Zend_Tool: Practical use and ExtendingZend_Tool: Practical use and Extending
Zend_Tool: Practical use and Extending
 
PHP on IBM i Tutorial
PHP on IBM i TutorialPHP on IBM i Tutorial
PHP on IBM i Tutorial
 
MySQL in your laptop
MySQL in your laptopMySQL in your laptop
MySQL in your laptop
 
Why MySQL High Availability Matters
Why MySQL High Availability MattersWhy MySQL High Availability Matters
Why MySQL High Availability Matters
 
Oracle cloud ravello介绍及测试账户申请
Oracle cloud ravello介绍及测试账户申请Oracle cloud ravello介绍及测试账户申请
Oracle cloud ravello介绍及测试账户申请
 
Tiery Eyed
Tiery EyedTiery Eyed
Tiery Eyed
 
Framework Shootout
Framework ShootoutFramework Shootout
Framework Shootout
 
PHP and Platform Independance in the Cloud
PHP and Platform Independance in the CloudPHP and Platform Independance in the Cloud
PHP and Platform Independance in the Cloud
 
Zend Core on IBM i - Security Considerations
Zend Core on IBM i - Security ConsiderationsZend Core on IBM i - Security Considerations
Zend Core on IBM i - Security Considerations
 
Oracle cloud 使用云市场快速搭建小型电商网站
Oracle cloud 使用云市场快速搭建小型电商网站Oracle cloud 使用云市场快速搭建小型电商网站
Oracle cloud 使用云市场快速搭建小型电商网站
 
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and ScalabilitySolving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
 
MySQL Manchester TT - Security
MySQL Manchester TT - SecurityMySQL Manchester TT - Security
MySQL Manchester TT - Security
 
MySQL Optimizer Overview
MySQL Optimizer OverviewMySQL Optimizer Overview
MySQL Optimizer Overview
 
MySQL Manchester TT - Replication Features
MySQL Manchester TT - Replication FeaturesMySQL Manchester TT - Replication Features
MySQL Manchester TT - Replication Features
 
Oracle Compute Cloud Service快速实践
Oracle Compute Cloud Service快速实践Oracle Compute Cloud Service快速实践
Oracle Compute Cloud Service快速实践
 
Script it
Script itScript it
Script it
 
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
 
PHP on Windows - What's New
PHP on Windows - What's NewPHP on Windows - What's New
PHP on Windows - What's New
 

Similar a Digital Identity

OpenID Tutorials
OpenID TutorialsOpenID Tutorials
OpenID Tutorials
Nao Haida
 
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...
Kaliya "Identity Woman" Young
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
ownerkhan
 
Smart card emv for dummies
Smart card emv for dummiesSmart card emv for dummies
Smart card emv for dummies
BACKSEATRIDER
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?
Matt Lacey
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
WSO2
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
hackingtrialpay
 

Similar a Digital Identity (20)

OpenID Tutorials
OpenID TutorialsOpenID Tutorials
OpenID Tutorials
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
 
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong Authentication
 
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure usin...
 
Returning to Online Privacy - W3C/ANU Future of the Web Roadshow 20190221
Returning to Online Privacy - W3C/ANU Future of the Web Roadshow 20190221Returning to Online Privacy - W3C/ANU Future of the Web Roadshow 20190221
Returning to Online Privacy - W3C/ANU Future of the Web Roadshow 20190221
 
Self-Sovereign Identity: Lightening Talk at RightsCon
Self-Sovereign Identity: Lightening Talk at RightsCon Self-Sovereign Identity: Lightening Talk at RightsCon
Self-Sovereign Identity: Lightening Talk at RightsCon
 
Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity Management
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
Raising the dead to save the living
Raising the dead to save the livingRaising the dead to save the living
Raising the dead to save the living
 
Building the Social Web with OpenID
Building the Social Web with OpenIDBuilding the Social Web with OpenID
Building the Social Web with OpenID
 
Smart card emv for dummies
Smart card emv for dummiesSmart card emv for dummies
Smart card emv for dummies
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?
 
Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetup
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
 
Authentication Without Authentication
Authentication Without AuthenticationAuthentication Without Authentication
Authentication Without Authentication
 

Más de ZendCon

Más de ZendCon (20)

I18n with PHP 5.3
I18n with PHP 5.3I18n with PHP 5.3
I18n with PHP 5.3
 
Cloud Computing: The Hard Problems Never Go Away
Cloud Computing: The Hard Problems Never Go AwayCloud Computing: The Hard Problems Never Go Away
Cloud Computing: The Hard Problems Never Go Away
 
Planning for Synchronization with Browser-Local Databases
Planning for Synchronization with Browser-Local DatabasesPlanning for Synchronization with Browser-Local Databases
Planning for Synchronization with Browser-Local Databases
 
Magento - a Zend Framework Application
Magento - a Zend Framework ApplicationMagento - a Zend Framework Application
Magento - a Zend Framework Application
 
Enterprise-Class PHP Security
Enterprise-Class PHP SecurityEnterprise-Class PHP Security
Enterprise-Class PHP Security
 
PHP and IBM i - Database Alternatives
PHP and IBM i - Database AlternativesPHP and IBM i - Database Alternatives
PHP and IBM i - Database Alternatives
 
Application Diagnosis with Zend Server Tracing
Application Diagnosis with Zend Server TracingApplication Diagnosis with Zend Server Tracing
Application Diagnosis with Zend Server Tracing
 
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
 
Joe Staner Zend Con 2008
Joe Staner Zend Con 2008Joe Staner Zend Con 2008
Joe Staner Zend Con 2008
 
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
 
DB2 Storage Engine for MySQL and Open Source Applications Session
DB2 Storage Engine for MySQL and Open Source Applications SessionDB2 Storage Engine for MySQL and Open Source Applications Session
DB2 Storage Engine for MySQL and Open Source Applications Session
 
Modernizing i5 Applications
Modernizing i5 ApplicationsModernizing i5 Applications
Modernizing i5 Applications
 
Lesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP ApplicationsLesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP Applications
 
Architecting for PHP5 - Why "Runs on PHP5" is not "Written for PHP5"
Architecting for PHP5 - Why "Runs on PHP5" is not "Written for PHP5"Architecting for PHP5 - Why "Runs on PHP5" is not "Written for PHP5"
Architecting for PHP5 - Why "Runs on PHP5" is not "Written for PHP5"
 
SQL Query Tuning: The Legend of Drunken Query Master
SQL Query Tuning: The Legend of Drunken Query MasterSQL Query Tuning: The Legend of Drunken Query Master
SQL Query Tuning: The Legend of Drunken Query Master
 
ZendCon 2008 Closing Keynote
ZendCon 2008 Closing KeynoteZendCon 2008 Closing Keynote
ZendCon 2008 Closing Keynote
 
Top Zend Studio Secrets
Top Zend Studio SecretsTop Zend Studio Secrets
Top Zend Studio Secrets
 
VIM for (PHP) Programmers
VIM for (PHP) ProgrammersVIM for (PHP) Programmers
VIM for (PHP) Programmers
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Development
 
Rickroll To Go With PHP, WURFL, and Other Open Source Tools
Rickroll To Go With PHP, WURFL, and Other Open Source ToolsRickroll To Go With PHP, WURFL, and Other Open Source Tools
Rickroll To Go With PHP, WURFL, and Other Open Source Tools
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Último (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Digital Identity

  • 1. Digital Identity Rob Richards September 17, 2008 http://xri.net/=rob.richards
  • 2. What is a Digital Identity? • Digital representation of claims about an entity – Domain name – email address – username – I-name • Claims can be made by or about the entity • No built-in assumption of trust 2
  • 3. Who Am I? =rob.richards jbobhick Jimbob Hick ab3544...@nyms.net Rob Richards Caribou, Maine <personal email> <address> <telephone> rob@mashery.com Rob Richards Sr. Software Architect http://rrichards.pip.verisignlabs.com/ 3
  • 4. What's the Problem? • Username/Password juggling • Information is being stored – Concerns over privacy issues – Security concerns / Identity Theft • User has no idea who/what is using their information • Continual re-invention of authentication mechanisms • Granting access to personal data to another party *** Sep 17th 2008 *** http://www.enews20.com/ news_Norwegian_tax_authority_mistakenly_leaks_sensitive_data_11597.html 4
  • 5. 7 Laws of Identity • User Control and Consent • Minimal Disclosure for a Constrained Use • Justifiable Parties • Directed Identity • Pluralism of Operators and Technologies • Human Integration • Consistent Experience Across Contexts Kim Cameron, quot;Laws of Identityquot;, http://www.identityblog.com/?page_id=354 5
  • 6. Identity Context Examples • Browsing: self-asserted identity for exploring the Web (giving away no real data)‫‏‬ • Personal: self-asserted identity for sites with which I want an ongoing private relationship (including my name and a long-term e-mail address)‫‏‬ • Community: a public identity for collaborating with others • Professional: a public identity for collaborating issued by my employer • Credit card: an identity issued by my financial institution • Citizen: an identity issued by my government Kim Cameron, quot;Laws of Identityquot;, http://www.identityblog.com/?page_id=354 6
  • 7. OpenID and Information Cards • Allow for Single Sign On • Decentralized – No one entity in control – User has choice and freedom • User-Centric – User is in control of data – User aware of information exchange • Possible reduction in amount of personal information a remote site would need to store • Potential to increase the Web experience while maintaining User privacy 7
  • 8. Common Terminology • Subject – Entity referenced by identity • Digital Identity – Set of claims made by one digital subject about itself or another • Relying Party (RP) – Site requesting identity • Identity Provider (IdP) / OpenID Provider (OP) – Service that provides or maintains identity information 8
  • 9. OpenID • URL based – http://rrichards.pip.verisignlabs.com/ – =rob.richards (http://xri.net/=rob.richards)‫‏‬ • Not Machine Dependent • Based on Simplicity – HTTP/S – URLs • PHP Libraries (There are More . . .)‫‏‬ – PHP OpenID library (http://www.openidenabled.com/php-openid/)‫‏‬ – Zend (http://framework.zend.com/manual/en/zend.openid.html) – OpenID for PHP (http://www.openidforphp.org/) 9
  • 10. OpenID Interaction Based on OpenID 1.1 Relying Party locates User Submits ID Identity Provider (IP)‫‏‬ Relying Party Relying Party Redirects User to IP Establishes Association User Authenticates IP Redirects back Against IP to Relying Party Relying Party Evaluates Response 10
  • 12. 12
  • 16. OpenID 2.0 • Extension Support – namespaced extensions • Attribute Exchange Extension – Extensible attribute support – Identity Provider can be asked to store certain attributes • HTTP POST Support – No longer limited to URL length – Larger Requests and Responses • Directed Identity – URL can identity Identity Provider – Identity Provider determines what ID to send to Relying Party • Official i-name Support 16
  • 17. OpenID: Potential Issues • Phishing / Pharming • Cross-Site Scripting (XSS) / Cross-Site Request Forgery (CSRF) – Feature to trust sites and not require login – Attacker could access sites unbeknownst to user • DNS Poisoning • Web Page Defacement • Realm Spoofing – Open Redirect Servers – XSS exploited • ID recycling • Your provider knows every site you use your id on 17
  • 18. Information Cards: Identities Identities represented as cards in a wallet – Self Asserted – Managed (Third Party provided)‫‏‬ 18
  • 19. Information Cards: Selectors CardSpace != Information Cards Information Cards are not Microsoft specific 19
  • 20. Information Cards • Identifier is unique amongst parties – Distinct digital key for each realm • Protections again Phishing – Visual indicators of previous interactions – x509 certificate checking • Complex Technologies – SAML – WS-Security / WS-Policy / WS-Trust – x509 20
  • 22. Information Cards Interaction Source: David Chappell quot;Introducing Windows CardSpacequot; April 2006 22
  • 26. Select or Create Card 26
  • 29. InfoCard Selector Initiation <form id=quot;infocardquot; method=quot;postquot; action=quot;serendipity_admin.phpquot;> <center> <img src=quot;/infocard/infocard.pngquot; onClick=quot;infocard.submit()quot;/> </center> <OBJECT type=quot;application/x-informationCardquot; name=quot;xmlTokenquot;> <PARAM Name=quot;tokenTypequot; Value=quot;urn:oasis:names:tc:SAML:1.0:assertionquot;> <PARAM Name=quot;requiredClaimsquot; Value=quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressquot; /> </OBJECT> </form> 29
  • 30. InfoCard: PHP Code http://www.cdatazone.org/index.php?/pages/source.html • My own code – xmlseclibs.php • XMLDSig / XMLENC – infocard-lib.php • Decrypts submitted XML Token • Verifies Signed SAML Token • Parses Assertions • Zend_Infocard – http://framework.zend.com/manual/en/zend.infocard.html – Included with 1.5 release 30
  • 31. Submitted Token <enc:EncryptedData xmlns:enc=quot;...xmlenc#quot; Type=quot;...xmlenc#Elementquot;> <enc:EncryptionMethod Algorithm=quot;...xmlenc#aes256-cbcquot; /> <ds:KeyInfo xmlns:ds=quot;http://www.w3.org/2000/09/xmldsig#quot;> <enc:EncryptedKey> <enc:EncryptionMethod Algorithm=quot;...xmlenc#rsa-oaep-mgf1pquot;> <ds:DigestMethod Algorithm=quot;...xmldsig#sha1quot; /> </enc:EncryptionMethod> <ds:KeyInfo> <wsse:SecurityTokenReference xmlns:wsse=quot;...ssecurity-secext-1.0.xsdquot;> <wsse:KeyIdentifier ValueType=quot;. . .#ThumbprintSHA1quot; EncodingType=quot;. . .#Base64Binaryquot;>7SSj. . .</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <enc:CipherData> . . .</enc:CipherData> </enc:EncryptedKey> </ds:KeyInfo> <enc:CipherData>. . .</enc:CipherData> </enc:EncryptedData> 31
  • 32. Decrypted Self-Asserted Card <saml:Attribute AttributeName=quot;emailaddressquot; AttributeNamespace=quot;. . ./identity/claimsquot;> <saml:AttributeValue>rrichards@php.net</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=quot;givennamequot; AttributeNamespace=quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimsquot;> <saml:AttributeValue>Rob</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=quot;surnamequot; AttributeNamespace=quot;. . ./identity/claimsquot;> <saml:AttributeValue>Richards</saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=quot;privatepersonalidentifierquot; AttributeNamespace=quot;. . ./ identity/claimsquot;> <saml:AttributeValue>mzhu+UCL. . .</saml:AttributeValue> </saml:Attribute> 32
  • 33. Information Cards: Into The Future 33
  • 34. Information Card Issues • Still in infancy – Few number of selectors – Differing functionality between selectors – Small numbers in production • CardStore not easily transportable • Third party applications required for non Windows systems • Third party applications/plugins required • More difficult to implement than most Identity technologies 34
  • 35. Digital Identity: What Are You Using It For? • Identity for public or private use? • Is it a part of a reputation? • How valuable is the data to be protected? • What are the individual privacy concerns? • Consequences if a users identity is compromised? 35
  • 36. OAuth
  • 39. OAuth: The Problem Stop Asking For My User Credentials! 39
  • 40. OAuth: What Is It? Allows a User to grant access to private resources to another entity without giving away the keys to the Kingdom Master Key User Service Provider Consumer 40
  • 41. OAuth • OAuth Is Not OpenID – Shares common technologies – Workflow Appears similar • Consumer needs to be known to Service Provider • Token Based – Tokens identify the consumer – Tokens identify the combination of user and consumer – Tokens can be given a lifespan – Tokens can be revoked 41
  • 42. OAuth Security • Requests are signed – Plaintext – HMAC-SHA1 – RSA-SHA1 • Tokens are passed – No sharing of username/password – Tokens can be revoked • Requests pass timestamps – Provides validity timeframe – Can help prevent replay attacks • Nonce can be used – prevent replay attacks 42
  • 43. OAuth: Access Protected Resource http://api.getsatisfaction.com/me AccessDeniedError 43
  • 44. OAuth: Consumer Registration • Consumer provides information to Service Provider – Name – URL – Description • Consumer receives unique identifier (Consumer Key) • Information for Signature is shared – Shared secrect (Consumer Secret) – Consumer Public Key for use in RSA-SHA1 verification • Request and Access token endpoints made known 44
  • 47. OAuth: Get Request Token http://getsatisfaction.com/api/request_token? oauth_consumer_key=qw0xx50kxx29 &oauth_nonce=15865e53dbe0c4d4f13d9c2296c49fd8ba7384 &oauth_signature=kwwh%2BMO21uExLTAn25jFwLhZfys%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1221478575 &oauth_version=1.0 47
  • 48. OAuth: Get Request Token (SP Response) oauth_token=2147xxxxvz0i &oauth_token_secret=xuxxtmxxxxxxx60bbn8worxxxxxxxcr1 48
  • 51. OAuth: User Authorization (SP Redirect) http://www.cdatazone.org/example/test.php? oauth_token=pspiu7gw5faq 51
  • 52. OAuth: Get Access Token http://getsatisfaction.com/api/access_token? oauth_consumer_key=qw0xx50kxx29 &oauth_nonce=be2ca738ccd024a9524d4eb090c1375b9953 &oauth_signature=2jSjj%2BjqlrxEbvbrxy0HboHrhr0%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1221480066 &oauth_token=pspiu7gw5faq &oauth_version=1.0 52
  • 53. OAuth: Get Access Token (SP Response) oauth_token=s8xxxjxixxxu &oauth_token_secret=powxhxxxxxxxw9m457xxxxxxxjom2o 53
  • 54. OAuth: Access Protected Resource http://api.getsatisfaction.com/me? oauth_consumer_key=qw0xx50kxx29 &oauth_nonce=33cc986c57ee57689665ef331058cacacda6ab &oauth_signature=cWVX7QHX9FedI29fGiw99msSPfA%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1221480525 &oauth_token=s8xxxjxixxxu &oauth_version=1.0 54
  • 55. OAuth: Access Protected Resource 55
  • 56. Questions? Digital Identity Rob Richards http://xri.net/=rob.richards www.cdatazone.org