Using FIDO to implement the W3C Verifiable Claims Model

Combined Session
Wednesday, May 10, 2017 15:30—16:30
Location: AMMERSEE II

Today’s federated identity management infrastructures suffer from a number of problems, in particular with regard to the privacy of users. First, many Identity Providers (IdPs) are not willing to release the user attributes that Service Providers (SPs) require in order to provide the fine-grained authorization they need. This necessitates pulling user identity attributes from other Attribute Authorities (AAs). In order to solve this 'attribute aggregation' problem, many propose assigning a persistent globally unique identifier to each user. But this has severe privacy implications for the user, as it provides a correlating handle that can be used to track the user everywhere. Second, the IdPs are the centre of the identity eco-system, and issue short-lived identity assertions on demand. Consequently, they know when the user is visiting each SP. This again compromises the user's privacy. Finally, IdPs can stop users visiting SPs they do not ‘trust’ by refusing to issue assertions to the user for these SPs.

By way of comparison, consider the use of plastic cards in the physical world today. A card holder can show his/her card to any Service Provider they wish, without the permission of the issuer (i.e. the IdP). Furthermore, the IdP may not be aware that the SP has seen the card and used it for authorisation. The user can combine or aggregate cards as required by the SP. The user has much more control over his/her plastic cards than over the electronic identity assertions that are issued by IdPs today.

The W3C Credentials Community Group and its Verifiable Claims Task Force have produced a set of specifications for Verifiable Credentials (http://opencreds.org/specs/) that more clearly mirror the use of plastic cards today. Verifiable Credentials are long lived electronic credentials that the user stores under his/her control and uses as he/she wishes. A series of use cases has also been published (http://opencreds.org/specs/source/use-cases/).

Researchers at the Universities of Kent (UK) and Paul Sabatier (France) have implemented the W3C Verifiable Claims data model (http://opencreds.org/specs/source/claims-data-model/) using the Fast Identity Online (FIDO) Alliance’s Universal Authentication Framework (UAF) infrastructure. FIDO UAF does not rely on passwords to authenticate the user to the SP, but rather on public/private key pairs, and is therefore much stronger. Because a different key pair is used for each SP, the user’s privacy is protected, which would not be the case if the same public key were used with all SPs (e.g. as in the original X.509 model). FIDO UAF is now appearing in many new smart phones such as the Galaxy S6 and S7 and Fujitsu ARROWS F-04G. By adding verifiable credentials to FIDO enabled devices, we now have, for the first time, the user in full control of which credentials he/she shows to which SPs during authentication and authorization.
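The per-SP key pair property described above, as an added illustration that is not the Kent/Paul Sabatier implementation or any FIDO Alliance code: a toy authenticator keeps one ECDSA key pair per SP (indexed by a constructed AppID string), signs the SP's challenge together with the credential being shown using only that SP's key, and exposes nothing that lets two SPs correlate the same user. Type and function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO UAF style authenticator: a separate key pair
// for every SP, keyed by the SP's AppID (constructed names in the tests).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh P-256 key pair for appID and returns only the
// public half, which is all the SP ever learns about this key.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Present signs the SP's challenge concatenated with the credential the user
// chose to show, using the key registered for that SP only.
func (a *Authenticator) Present(appID string, challenge, credential []byte) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, fmt.Errorf("no key registered for %s", appID)
	}
	digest := sha256.Sum256(append(append([]byte{}, challenge...), credential...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the SP side: check the presentation against the stored public key.
func Verify(pub *ecdsa.PublicKey, challenge, credential, sig []byte) bool {
	digest := sha256.Sum256(append(append([]byte{}, challenge...), credential...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Correlatable reports whether two SPs hold the same public key for a user,
// i.e. whether they could link the user by comparing keys.
func Correlatable(a, b *ecdsa.PublicKey) bool { return a.Equal(b) }
```

Two SPs that compare their stored public keys find nothing in common, while each still verifies presentations made with the key it registered.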

Dr. David Chadwick
University of Kent / Verifiable Credentials Ltd.
Prof David Chadwick has been working in identity management for over 20 years and has written over 100 papers on the topic. He was the chief architect and designer of the PERMIS open source...