- TYPE: Combined Session DATE: Wednesday, May 10, 2017 TIME: 15:30-16:30 LOCATION: AMMERSEE II
Today’s federated identity management infrastructures suffer from a number of problems, in particular with regard to the privacy of users. First, many Identity Providers (IdPs) are not willing to release the user attributes that Service Providers (SPs) require in order to provide the fine grained authorization they need. This necessitates the pulling of user identity attributes from other Attribute Authorities (AAs). In order to solve this 'attribute aggregation' problem, the assignment of a persistent globally unique identifier to each user is proposed by many. But this has severe privacy implications for the user, as it provides a correlating handle that can be used to track the user everywhere. Second, the IdPs are the centre of the identity eco-system, and issue short-lived identity assertions on demand. Consequently, they know about when the user is visiting each SP. This again compromises the user's privacy. Finally, IdPs can stop users visiting SPs they do not ‘trust’ by refusing to issue assertions to the user for these SPs.
By way of comparison, consider the use of plastic cards in the physical world today. A card holder can show his/her card to any Service Provider they wish, without the permission of the issuer (i.e. the IdP). Furthermore the IdP may not be aware that the SP has seen the card and used it for authorisation. The user can combine or aggregate cards as required by the SP. The user has much more control over his/her plastic cards than over the electronic identity assertions that are issued by IdPs today.
The W3C Credentials Community Group and its Verifiable Claims Task Force have produced a set of specifications for Verifiable Credentials (http://opencreds.org/specs/) that more clearly mirror the use of plastic cards today. Verifiable Credentials are long lived electronic credentials that the user stores under his/her control and uses as he/she wishes. A series of use cases has also been published (http://opencreds.org/specs/source/use-cases/).
Researchers at the Universities of Kent (UK) and Paul Sabatier (France) have implemented the W3C Verifiable Claims data model (http://opencreds.org/specs/source/claims-data-model/) using the Fast Identity Online (FIDO) Alliance’s Universal Authentication Framework (UAF) infrastructure. FIDO UAF does not rely on passwords to authenticate the user to the SP, but rather on public/private key pairs, so is much stronger. Because a different key pair is used for each SP, the user’s privacy is protected, which would not be the case if the same public key was used with all SPs (e.g. as in the original X.509 model). FIDO UAF is now appearing in many new smart phones such as the Galaxy S6 and S7 and Fujitsu ARROWS F-04G. By adding verifiable credentials to FIDO enabled devices, we now have, for the first time, the user in full control of which credentials he/she shows to which SPs during authentication and authorization.
- learn about some of the weaknesses in current federated identity management models
- be introduced to the W3C Verifiable Claims work that puts the user in full control of his/her digital identity
- be introduced to the FIDO UAF strong authentication model and smart phones that support it
- see how FIDO can be used for both authentication and authorization and can be used to support the Verifiable Claims model
The W3C Web Authentication enables web applications to sign in using stronger methods than passwords – using authenticators that utilize private keys held on your devices that are used with user permission, typically by employing a user “gesture” such as a biometric or PIN. This can also be used with the FIDO 2.0 Client To Authenticator Protocol (CTAP) protocol, which enables remote authenticators, such as those on phones, to be used when signing in.
The IETF Token Binding standards enable data structures to be bound to a particular TLS channel – preventing them from being stolen and reused in unintended places. Data structures that can be Token Bound include browser cookies, ID Tokens, Access Tokens, and Refresh Tokens. This presentation will discuss the Token Binding mechanisms, the kinds of threats they mitigate, and the current deployment status.
- Registration fee:
- Contact person:
Mr. Levent Kara
+49 211 23707710
- May 09 - 12, 2017 Munich, Germany