Today’s federated identity management infrastructures suffer from a number of problems, in particular with regard to the privacy of users. First, many Identity Providers (IdPs) are not willing to release the user attributes that Service Providers (SPs) require in order to provide the fine-grained authorization they need. This necessitates the pulling of user identity attributes from other Attribute Authorities (AAs). In order to solve this 'attribute aggregation' problem, many propose assigning a persistent globally unique identifier to each user. But this has severe privacy implications for the user, as it provides a correlating handle that can be used to track the user everywhere. Second, the IdPs are the centre of the identity ecosystem, and issue short-lived identity assertions on demand. Consequently, they know when the user is visiting each SP. This again compromises the user's privacy. Finally, IdPs can stop users visiting SPs they do not ‘trust’ by refusing to issue assertions to the user for these SPs.
By way of comparison, consider the use of plastic cards in the physical world today. A card holder can show his/her card to any Service Provider they wish, without the permission of the issuer (i.e. the IdP). Furthermore, the IdP may not be aware that the SP has seen the card and used it for authorisation. The user can combine or aggregate cards as required by the SP. The user has much more control over his/her plastic cards than over the electronic identity assertions that are issued by IdPs today.
The W3C Credentials Community Group and its Verifiable Claims Task Force have produced a set of specifications for Verifiable Credentials (http://opencreds.org/specs/) that more clearly mirror the use of plastic cards today. Verifiable Credentials are long lived electronic credentials that the user stores under his/her control and uses as he/she wishes. A series of use cases has also been published (http://opencreds.org/specs/source/use-cases/).
Researchers at the Universities of Kent (UK) and Paul Sabatier (France) have implemented the W3C Verifiable Claims data model (http://opencreds.org/specs/source/claims-data-model/) using the Fast Identity Online (FIDO) Alliance’s Universal Authentication Framework (UAF) infrastructure. FIDO UAF does not rely on passwords to authenticate the user to the SP, but rather on public/private key pairs, and is therefore much stronger. Because a different key pair is used for each SP, the user’s privacy is protected, which would not be the case if the same public key were used with all SPs (e.g. as in the original X.509 model). FIDO UAF is now appearing in many new smart phones such as the Galaxy S6 and S7 and Fujitsu ARROWS F-04G. By adding verifiable credentials to FIDO-enabled devices, we now have, for the first time, the user in full control of which credentials he/she shows to which SPs during authentication and authorization.
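The correlation argument above can be made concrete with a small simulation (an added example, not code from the Kent/Paul Sabatier implementation or from FIDO): two SPs keep logs of the identifiers they see, and we check what an observer holding both logs can link. A persistent global identifier links every user across both SPs; a per-SP identifier, standing in for FIDO UAF's per-SP key pair, links nothing. The keyed-hash derivation and all user and SP values are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample data: two users, each with a device-held master secret,
# and two Service Providers identified by origin. Placeholders only.
USERS = {"alice": b"alice-master-secret", "bob": b"bob-master-secret"}
SP_A = "https://sp-a.example"
SP_B = "https://sp-b.example"


def global_identifier(user: str) -> str:
    """Persistent globally unique identifier: the same handle at every SP."""
    return "guid:" + user


def per_sp_identifier(master_secret: bytes, sp_origin: str) -> str:
    """Pairwise identifier: a distinct, stable handle per SP.

    Assumption: this models FIDO UAF's per-SP key pair with a keyed hash so the
    example runs on the standard library. A real UAF authenticator generates a
    fresh key pair per SP and presents that public key; the privacy property
    demonstrated here (one SP cannot derive another SP's handle) is the same.
    """
    return hmac.new(master_secret, sp_origin.encode(), hashlib.sha256).hexdigest()[:16]


def log_for(sp_origin: str, scheme: str) -> list:
    """Identifiers one SP would record for all users under the given scheme."""
    if scheme == "global":
        return [global_identifier(u) for u in USERS]
    if scheme == "pairwise":
        return [per_sp_identifier(secret, sp_origin) for secret in USERS.values()]
    raise ValueError("scheme must be 'global' or 'pairwise'")


def linkable_users(log_a: list, log_b: list) -> list:
    """Identifiers present in both logs: what colluding SPs (or anyone who
    obtains both logs) can use to track one user across services."""
    return sorted(set(log_a) & set(log_b))


if __name__ == "__main__":
    for scheme in ("global", "pairwise"):
        linked = linkable_users(log_for(SP_A, scheme), log_for(SP_B, scheme))
        print(f"{scheme:8s} -> linkable across SPs: {linked}")
```

With the global scheme both users are linkable; with pairwise identifiers the intersection is empty, while each SP still recognises a returning user because the handle is stable for that SP.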
Key Takeaways: