Advances in Digital Identity

Steve PlankIdentity Architect

Connectivity

Naming

IP

DNS

Identityno consistency

taught users

typeusernames &passwords

web page

what is identity?

attributes:givenNamesnpreferredName plankydateOfBirth 170685!over18 trueover21 trueover65 falseimage

steveplank

self asserted

verifiable

what claims i make about myself

what claims another party makes about me

elvis presley

only 1 of them is real

probably

trust

make these claims

SECURITY TOKEN

steveplankover 18over 21under 65image

security token service

give it somethingSECURITY TOKEN

StevePlankOver 18Over 21Under 65image

DIFFERENTSECURITYTOKEN

UsernamePassword

BiometricSignature

Certificate

“Secret”

identity metasystem

participants

relying party (website)identity provider

subject

WS-*

securitytoken

service

SAML

WS-*

SAML

securitytoken

serviceWS-*

x509

identity provider

x509

identityprovider

subject

relying party relying party

identity selector

identity selector

human integration

consistent experience across contexts

• contains claims about my identity that I assert

• not corroborated• stored locally• signed and encrypted to prevent

replay attacks

• provided by banks, stores, government, clubs, etc

• locally stored cards contain metadata only!

• data stored by identity provider and obtained only when card submitted

cards

self-issued managed

object tag

login with self issued card

relying party (website)

user

login

select self issued card

relying party (website)

user

Planky

create token from card

relying party (website)

Planky

FN: SteveLN: PlankEmail: splankCO: UK

user

sign, encrypt & send token

relying party (website)

Planky

user

object tag

login with managed card

relying party (website)

user

login

identity provider

select managed card

relying party (website)

userWoodgroveBank

identity provider

WoodgroveBank

request security token

relying party (website)identity provider

user

authN:X509, kerb, SC, U/pwd…

WoodgroveBank

request security token response

relying party (website)identity provider

user

sign, encryptsend

<body>  <form id="form1" method="post" action="login.aspx">  <div>    <button type="submit"> Click here to sign in with your Information Card </button>    <object type="application/x-informationcard" name="xmlToken">      <param name="tokenType"

value="urn:oasis:names:tc:SAML:1.0:assertion" />      <param name="issuer

value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />      <param name="requiredClaims" value="        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ privatepersonalidentifier /> </object>  </div>  </frm></body>

relying party (website)

token decrypter

claims extractor

first name

last name

email

phone

user database

123456789

456

xmlToken(signed &encrypted)

xmlToken(plaintext)

ppid

inde

x in

to D

B

demo

review• identity layer

• phishing, phraud

• human integration

• consistent experience across contexts

• ip

• rp

• user

• identity selector

Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt