
FIDO

Combined Session
Wednesday, May 10, 2017 15:30—16:30
Location: AMMERSEE II

Using FIDO to implement the W3C Verifiable Claims Model

Today’s federated identity management infrastructures suffer from a number of problems, in particular with regard to the privacy of users. First, many Identity Providers (IdPs) are not willing to release the user attributes that Service Providers (SPs) require in order to provide the fine-grained authorization they need. This necessitates pulling user identity attributes from other Attribute Authorities (AAs). In order to solve this 'attribute aggregation' problem, many propose assigning a persistent globally unique identifier to each user. But this has severe privacy implications for the user, as it provides a correlating handle that can be used to track the user everywhere. Second, the IdPs are the centre of the identity eco-system and issue short-lived identity assertions on demand. Consequently, they know when the user visits each SP. This again compromises the user's privacy. Finally, IdPs can stop users from visiting SPs they do not ‘trust’ by refusing to issue assertions to the user for these SPs.

By way of comparison, consider the use of plastic cards in the physical world today. A cardholder can show his/her card to any Service Provider they wish, without the permission of the issuer (i.e. the IdP). Furthermore, the IdP may not even be aware that the SP has seen the card and used it for authorisation. The user can combine or aggregate cards as required by the SP. The user has much more control over his/her plastic cards than over the electronic identity assertions that are issued by IdPs today.

The W3C Credentials Community Group and its Verifiable Claims Task Force have produced a set of specifications for Verifiable Credentials (http://opencreds.org/specs/) that more clearly mirror the use of plastic cards today. Verifiable Credentials are long lived electronic credentials that the user stores under his/her control and uses as he/she wishes. A series of use cases has also been published (http://opencreds.org/specs/source/use-cases/).

Researchers at the Universities of Kent (UK) and Paul Sabatier (France) have implemented the W3C Verifiable Claims data model (http://opencreds.org/specs/source/claims-data-model/) using the Fast Identity Online (FIDO) Alliance’s Universal Authentication Framework (UAF) infrastructure. FIDO UAF does not rely on passwords to authenticate the user to the SP, but rather on public/private key pairs, and is therefore much stronger. Because a different key pair is used for each SP, no SP can use the key to correlate the user with another SP; this would not be the case if the same public key were used with all SPs (e.g. as in the original X.509 model). FIDO UAF is now appearing in many new smartphones such as the Galaxy S6 and S7 and the Fujitsu ARROWS F-04G. By adding verifiable credentials to FIDO-enabled devices, we now have, for the first time, the user in full control of which credentials he/she shows to which SPs during authentication and authorization.


Presentation deck: download available to event participants and subscribers (login required).
Dr. David Chadwick
University of Kent / Verifiable Credentials Ltd.
Prof David Chadwick has been working in identity management for over 20 years and has written over 100 papers on the topic. He was the chief architect and designer of the PERMIS open source...

Strong Authentication using Keys on your Devices Controlled by You

The W3C Web Authentication specification enables web applications to sign users in using stronger methods than passwords: authenticators that use private keys held on the user's devices, exercised only with user permission, typically by a user “gesture” such as a biometric or PIN. It can also be used with the FIDO 2.0 Client To Authenticator Protocol (CTAP), which enables remote authenticators, such as those on phones, to be used when signing in.
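The per-relying-party key pairs described in the Kent/Paul Sabatier abstract above and the gesture-gated, challenge-signing authenticator described in this abstract are the same mechanism seen from two sides. The following Go program is an added example written for this page, not code from either talk, the FIDO Alliance or the W3C. It simulates one authenticator and two relying parties in a single process: the names bank.example, shop.example, bank-login.example and alice, the function RunFIDOScenario, and the cut-down signing input sha256(sha256(rpID) || sha256(challenge)) are this example's own assumptions, not the UAF or WebAuthn wire formats. It shows that the two sites receive unrelated public keys, that a signature verifies only for the RP and the challenge it was made for, and that nothing is signed without the user-presence gesture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the rule behind FIDO's unlinkability: one key pair per relying party (RP),
// selected by the RP ID the client passes in and never reused for another RP.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID -> private key; never leaves the device
}

// Register mints a P-256 key pair scoped to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// digest is a cut-down WebAuthn signing input, sha256(sha256(rpID) || sha256(challenge)). The RP
// recomputes it from its own ID and its own challenge, so a signature made for another RP or
// for an earlier challenge cannot verify.
func digest(rpID string, challenge []byte) []byte {
	rp, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(rp[:], ch[:]...))
	return d[:]
}

// Authenticate signs for rpID with the key bound to it; userPresent stands in for the gesture.
func (a *Authenticator) Authenticate(rpID string, challenge []byte, userPresent bool) ([]byte, error) {
	if !userPresent {
		return nil, errors.New("user gesture required")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
}

// RelyingParty stores each user's registered public key under its own RP ID.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey
}

// NewChallenge returns 32 fresh random bytes; each challenge is good for exactly one login.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks sig against the challenge this RP issued and the key it registered for user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.ID, challenge), sig)
}

// RunFIDOScenario enrols one authenticator at two RPs and exercises the checks above.
func RunFIDOScenario() (map[string]bool, error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", pubs: map[string]*ecdsa.PublicKey{}}
	shop := &RelyingParty{ID: "shop.example", pubs: map[string]*ecdsa.PublicKey{}}
	bankPub, err1 := auth.Register(bank.ID)
	shopPub, err2 := auth.Register(shop.ID)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	bank.pubs["alice"], shop.pubs["alice"] = bankPub, shopPub
	res := map[string]bool{"distinct_keys": !bankPub.Equal(shopPub)} // no handle to correlate alice on
	ch := bank.NewChallenge()
	sig, err := auth.Authenticate(bank.ID, ch, true)
	if err != nil {
		return nil, err
	}
	res["bank_login"] = bank.Verify("alice", ch, sig)
	res["stale_assertion_rejected"] = !bank.Verify("alice", bank.NewChallenge(), sig) // old signature, new challenge
	_, err = auth.Authenticate("bank-login.example", ch, true) // look-alike origin owns no key
	res["phishing_no_key"] = err != nil
	ch2 := shop.NewChallenge()
	sig2, _ := auth.Authenticate(bank.ID, ch2, true) // bank's key answering shop's challenge
	res["cross_site_rejected"] = !shop.Verify("alice", ch2, sig2)
	_, err = auth.Authenticate(bank.ID, ch, false)
	res["gesture_required"] = err != nil
	return res, nil
}

func main() { fmt.Println(RunFIDOScenario()) }
```

In a real deployment the client (browser or UAF client) fixes the RP ID from the origin it is talking to, which is why the look-alike origin in the scenario cannot reach the bank's key; the example passes rpID explicitly only to make that lookup visible. Real WebAuthn assertions also carry a signature counter and the full authenticator data, which are left out here.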

Presentation deck: download available to event participants and subscribers (login required).
Dr. Michael B. Jones
Microsoft
Michael B. Jones is a Standards Architect at Microsoft. He is an editor of the OpenID Connect specifications, several IETF OAuth specifications, including JSON Web Token (JWT), the IETF JOSE (JSON...

Token Binding Standards and Applications

The IETF Token Binding standards enable data structures to be bound to a particular TLS channel, preventing them from being stolen and reused in unintended places. Data structures that can be token-bound include browser cookies, ID Tokens, Access Tokens, and Refresh Tokens. This presentation will discuss the Token Binding mechanisms, the kinds of threats they mitigate, and the current deployment status.
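As an added example (not code from the talk, the IETF or Microsoft), the following Go program models the binding described above: the client proves possession of a long-lived Token Binding key on every TLS connection by signing that connection's exported keying material, and the server honours a token only when it arrives with a valid proof from the key the token's cnf.tbh names. The TLS exporter is replaced by random bytes shared by both ends (NewEKM), the public key is carried as a Go value, the signature is ASN.1 rather than the RFC's raw r||s, the token is an unsigned struct, and the names alice, mallory and RunTokenBindingScenario are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// RFC 8471 code points: TokenBindingType provided_token_binding (0), key parameters ecdsap256 (2).
const tbTypeProvided, tbKeyECDSAP256 byte = 0, 2

// TokenBindingMessage is the per-connection proof of possession sent in Sec-Token-Binding (simplified encoding).
type TokenBindingMessage struct {
	Pub       *ecdsa.PublicKey
	Signature []byte
}

// Token is a bound token: its subject plus cnf.tbh (RFC 7800 cnf; tbh from the OAuth Token Binding draft).
type Token struct{ Sub, Tbh string }

// tokenBindingHash computes tbh = base64url(SHA-256(key_parameters || public key)).
func tokenBindingHash(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only a malformed key gets here
	}
	h := sha256.Sum256(append([]byte{tbKeyECDSAP256}, der...))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// signingInput hashes the RFC 8471 signature input, type || key_parameters || EKM; the EKM is unique to one TLS connection.
func signingInput(ekm []byte) []byte {
	h := sha256.Sum256(append([]byte{tbTypeProvided, tbKeyECDSAP256}, ekm...))
	return h[:]
}

// NewEKM stands in for the TLS exporter (RFC 5705, label "EXPORTER-Token-Binding", 32 bytes) shared by both ends of one connection.
func NewEKM() []byte {
	ekm := make([]byte, 32)
	if _, err := rand.Read(ekm); err != nil {
		panic(err)
	}
	return ekm
}

// Bind is the client side: sign this connection's EKM with the long-lived Token Binding key.
func Bind(key *ecdsa.PrivateKey, ekm []byte) (*TokenBindingMessage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, signingInput(ekm))
	return &TokenBindingMessage{Pub: &key.PublicKey, Signature: sig}, err
}

// CheckBinding is the server side: verify the proof against *this* connection's EKM and return tbh.
func CheckBinding(m *TokenBindingMessage, ekm []byte) (string, error) {
	if m == nil || m.Pub == nil {
		return "", errors.New("missing token binding")
	}
	if !ecdsa.VerifyASN1(m.Pub, signingInput(ekm), m.Signature) {
		return "", errors.New("proof was not made for this TLS channel")
	}
	return tokenBindingHash(m.Pub), nil
}

// Accept admits a token only with a valid proof, on the current connection, from the key it names.
func Accept(t *Token, m *TokenBindingMessage, ekm []byte) error {
	tbh, err := CheckBinding(m, ekm)
	if err == nil && tbh != t.Tbh {
		err = errors.New("token is bound to a different key")
	}
	return err
}

// RunTokenBindingScenario: alice reuses her token across connections; mallory, with stolen copies of the token and of alice's header, cannot.
func RunTokenBindingScenario() (map[string]bool, error) {
	aliceKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	malloryKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	ekm1 := NewEKM() // alice's first connection: the server issues the token here
	m1, _ := Bind(aliceKey, ekm1)
	tbh, err := CheckBinding(m1, ekm1)
	if err != nil {
		return nil, err
	}
	tok := &Token{Sub: "alice", Tbh: tbh}
	ekm2 := NewEKM() // alice's next connection: same key, fresh proof
	m2, _ := Bind(aliceKey, ekm2)
	res := map[string]bool{"owner_reuse_ok": Accept(tok, m2, ekm2) == nil}
	ekm3 := NewEKM() // mallory's own connection, presenting the stolen token
	m3, _ := Bind(malloryKey, ekm3)
	res["other_key_rejected"] = Accept(tok, m3, ekm3) != nil
	res["replayed_proof_rejected"] = Accept(tok, m1, ekm3) != nil // alice's captured header on mallory's channel
	return res, nil
}
func main() { fmt.Println(RunTokenBindingScenario()) }
```

The last check is the one that distinguishes channel binding from plain key binding: even an attacker who captures both the token and the victim's Sec-Token-Binding header gains nothing, because the captured signature covers the victim's EKM and the attacker's own connection exports a different one.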

Presentation deck: download available to event participants and subscribers (login required).
Dr. Michael B. Jones
Microsoft