An Identity on the Internet Steve Plank Identity Architect Microsoft UK


Page 1: An Identity on the Internet

An Identity on the Internet

Steve Plank, Identity Architect

Microsoft UK

Page 2

topics

• phishing, phraud

• identity layer

• 7 laws

• human integration

• consistent experience across contexts

• Identity metasystem

• ip

• rp

• user

• identity selector

Page 3

bad person’s database

web server

under the control of somebody else

[email protected]

****************

www.identitytheft.com

www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php

Page 4

IIS

Credentials database

FormsAuthentication.SetLoginCookie()

www.newcorp.com

www.megacorp.com

Application Error:

Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.

Custom Solution

Custom Solution

Custom Solution

Page 5

Connectivity: IP

Naming: DNS

Identity: no consistency

Page 6

• User control and consent

• Minimal disclosure for a defined use

• Justifiable parties

• Directional identity

• Pluralism of operators and technologies

• Human integration

• Consistent experience across contexts

Page 7

• Human integration

• Consistent experience across contexts

Planky’s Card

Card Collection

Page 8

Identity Provider

First name Last name Email .......

Steve Plank [email protected] ......

Bob Smith [email protected] ......

Identity Selector

Subject

1:1 relationship between cards and identity providers

Locally installed software: not under somebody else’s control

Page 9

Metadata:

URI of the Identity Provider

Claims you can get from the IP

givenname:

lastname:

email:

user-id:

etc:

Identity Provider

First name Last name Email .......

Steve Plank [email protected] ......

Bob Smith [email protected] ......

digital signature

Page 10

Identity Provider

digital signature

cryptographic binding between the card and the IP

Page 11

• Pluralism of operators and technologies

• Human integration

• Consistent experience across contexts

There will be many Identity Providers, each running its own technology stack

OR

Page 12

Relying Party

Identity Provider

Subject

Identity Metasystem

Microsoft Identity MetaSystem

WS-* HTML

WS-*

Web Service

WS-*

Web Site

HTML

<!-- WS-SecurityPolicy issued-token assertion: the claims a web service relying party requires -->
<sp:IssuedToken ...>
  ...
  <sp:RequestSecurityTokenTemplate>
    ...
    <wst:Claims wst:Dialect="http://schemas.microsoft.com/ws/2005/05/identity">
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"/>
    </wst:Claims>
  </sp:RequestSecurityTokenTemplate>
  ...
</sp:IssuedToken>

<!-- HTML web site: the information card object tag the identity selector reads -->
<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims"
         value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>

Page 13

Relying Party

Identity Selector’s Built-in Identity Provider

Subject

Identity Metasystem

2 degrees of store protection:

System Key

Password Key

Personal Cards: fixed schema

Page 14

personal cards: what claims i make about myself; fixed schema (protect the users from themselves!)

managed cards: what claims another party makes about me; flexible schema

Page 15

elvis presley

only 1 of them is real

probably

Page 16

SECURITY TOKEN

Steve Plank

Over 18

Over 21

Under 65

image

• SAML Token

• XrML License

• X.509 Certificate

• Kerberos ticket

• ... others

Page 17

security token service

give it something

DIFFERENT SECURITY TOKEN

Username / Password

Biometric / Signature

Certificate

Page 18

relying party

identity provider

subject

click login button

policy: uri of ip, required claims, optional claims, token type

get policy

authenticate

RST

identity.provider.com requires username and password to validate this request. Enter the information below

policy: authn reqs, token types, ...

RSTR

Page 19

relying party

identity provider

subject

real token

display token

* givenname: Steve
* surname: Plank
* emailaddress: [email protected]
* privatepersonalidentifier: planky123

Do you want to send this card to: ip.sisa.com

token authentication

token decryption
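The login exchange sketched on pages 18 and 19 (click login, get the relying party's policy, pick a card whose identity provider can issue the required claims, send an RST to the identity provider, receive an RSTR carrying the signed token and a display token, then token authentication at the relying party), as an added Python illustration that is not code from the presentation or from CardSpace. The host names, the cards, the identity provider's records and the password are all constructed; an HMAC with a key shared between identity provider and relying party stands in for the identity provider's public-key digital signature, the token is not encrypted for the relying party, and the per-relying-party private personal identifier derivation is simplified.

```python
"""Simplified identity-metasystem login exchange (added illustration, not the
presentation's code). Constructed data throughout; HMAC stands in for the IP's
digital signature and no token encryption is performed."""
import hashlib
import hmac
import json
import secrets

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GIVENNAME, SURNAME, EMAIL, PPID = (
    CLAIMS_NS + c for c in ("givenname", "surname", "emailaddress", "privatepersonalidentifier"))

# Constructed: the relying party's policy, as published on its login page (page 18).
RP_POLICY = {
    "relying_party": "www.megacorp.example",  # placeholder RP identity
    "required_claims": [GIVENNAME, SURNAME, EMAIL, PPID],
    "optional_claims": [],
    "token_type": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed: the selector's card collection. Each managed card is bound 1:1 to an
# identity provider (page 8) and carries the claims that IP can issue (page 9).
CARDS = [
    {"card_id": "card-1", "issuer": "ip.sisa.example", "claims_offered": [GIVENNAME, SURNAME, EMAIL, PPID]},
    {"card_id": "card-2", "issuer": "ip.other.example", "claims_offered": [GIVENNAME, EMAIL]},
]

# Constructed: the identity provider's credentials/claims database (page 8).
IP_RECORDS = {"card-1": {"password": "correct horse",
                         "claims": {GIVENNAME: "Steve", SURNAME: "Plank", EMAIL: "steve@example.test"}}}
# Stand-in for the IP's signing key; the RP side also reads it to verify (real systems use a public key).
IP_KEYS = {"ip.sisa.example": secrets.token_bytes(32)}


def cards_matching(policy, cards):
    """Identity selector: keep only cards whose IP can issue every required claim."""
    needed = set(policy["required_claims"])
    return [c for c in cards if needed <= set(c["claims_offered"])]


def private_personal_identifier(card_id, relying_party):
    """Pairwise identifier: the same card yields a different PPID at every RP, so two
    RPs cannot correlate the subject (simplified stand-in for the real derivation)."""
    return hashlib.sha256(f"{card_id}|{relying_party}".encode()).hexdigest()[:20]


def build_rst(card, policy, password):
    """Selector -> IP: RequestSecurityToken carrying the RP's policy and the
    credential the IP's own policy demanded (username/password here)."""
    return {"card_id": card["card_id"], "password": password,
            "claims": policy["required_claims"] + policy["optional_claims"],
            "token_type": policy["token_type"], "audience": policy["relying_party"]}


def issue_token(issuer, rst):
    """IP -> Selector: RSTR with the signed token and a human-readable display token."""
    record = IP_RECORDS.get(rst["card_id"])
    if record is None or not hmac.compare_digest(record["password"], rst["password"]):
        raise PermissionError("authentication failed")
    claims = {}
    for uri in rst["claims"]:
        if uri == PPID:
            claims[uri] = private_personal_identifier(rst["card_id"], rst["audience"])
        elif uri in record["claims"]:
            claims[uri] = record["claims"][uri]
    token = {"issuer": issuer, "audience": rst["audience"],
             "token_type": rst["token_type"], "claims": claims}
    payload = json.dumps(token, sort_keys=True).encode()
    signature = hmac.new(IP_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    # The display token is what the selector shows before asking "send this card to ...?"
    display_token = {uri.rsplit("/", 1)[-1]: value for uri, value in claims.items()}
    return {"token": token, "signature": signature, "display_token": display_token}


def rp_verify(rstr, policy):
    """RP token authentication: signature from a known IP, audience and token type
    match this RP's policy, every required claim present. Returns claims or None."""
    token = rstr["token"]
    key = IP_KEYS.get(token["issuer"])
    if key is None:
        return None
    payload = json.dumps(token, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rstr["signature"]):
        return None
    if token["audience"] != policy["relying_party"] or token["token_type"] != policy["token_type"]:
        return None
    if not set(policy["required_claims"]) <= set(token["claims"]):
        return None
    return token["claims"]


def login(policy, cards, password, card_index=0):
    """The whole exchange; returns (claims accepted by the RP, display token shown to the user)."""
    card = cards_matching(policy, cards)[card_index]
    rstr = issue_token(card["issuer"], build_rst(card, policy, password))
    return rp_verify(rstr, policy), rstr["display_token"]


if __name__ == "__main__":
    accepted, shown = login(RP_POLICY, CARDS, "correct horse")
    print("display token:", shown)
    print("RP accepted:", accepted is not None)
```

The audience check in `rp_verify` is the piece that addresses the page 3 scenario: a token issued for the dodgy site names that site as its audience and is rejected by the real one, and the per-relying-party PPID means the same card presents a different identifier to each site (the "directional identity" law from page 6).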

Page 20

topics

• phishing, phraud

• identity layer

• 7 laws

• human integration

• consistent experience across contexts

• Identity metasystem

• ip

• rp

• user

• identity selector