DIX BOF
Digital Identity eXchange
65th IETF, Dallas
March 21st 2006
Welcome and Introductions
Chair – Scott Hollenbeck,[email protected]
Chair – John Merrells, [email protected]
Wiki – http://dixs.org
Jabber – [email protected]
Housekeeping
Use microphones for those on the audio channel
State your name clearly for the scribe
Discussion points after each agenda item
We need scribes…
Wiki – http://dixs.org
Jabber – [email protected]
Agenda
Time Topic
10 Agenda Bashing
20 Problem / Goals / Benefits
30 Scope
20 Requirements
20 Architectural Options / Related Work
10 draft-merrells-dix-00.txt (dmd0)
40 Discussion
Scene Setting
Scene Setting: “Enterprise Identity Management” (IdM)
Access control for resources
Leverages many IETF technologies
LDAP, Kerberos, PKIX, TLS
Includes
Authentication
Roles
Scene Setting: Web Authentication
1996 survey - 12+ solutions
Why this interest?
Enterprise Web Applications
Required: SSO, Minimal password exposure, browser based
Web is easy to hack on
So, many open-source, in-house, and commercial solutions, even leveraging IdM
Scene Setting: Today’s Web
Millions of blogs, homepages, etc
Represent online lives
Others interact with them
But: Who’s on my site? (For expression… rather than control)
Required: SSO and Information Exchange (But, no enterprise IdM system)
Scene Setting: New Goals
User-Centric
Widely Deployable
Good Enough Security
Web-scale ubiquity to be compelling
Scene Setting: Questions
Is new technology required? Or new usage of existing technology required?
What are the user requirements?
What are the barriers to wide adoption?
Different than ‘Enterprise’ technology? Or just part of the whole spectrum?
Definitions
Digital Identity Exchange
Identity Agent
Relying Party
Claim
Digital Subject
Definitions
Digital Identity Exchange
“The transmission of digital representation of a set of Claims made by one Party about itself or another Digital Subject, to one or more other Parties.”
RL ‘Bob’ Morgan, 14th March 2006, DIX Mailing List
Definitions
Relying Party
Client
Identity Agent
Definitions
Claim
An assertion made by a Claimant of the value or values of one or more Identity Attributes of a Digital Subject, typically an assertion which is disputed or in doubt.
Definitions
Digital Subject
An Entity represented or existing in the digital realm which is being described or dealt with.
Problem Statement
“The Internet is host to many online information sources and services. There is a growing demand for users to identify, and provide information about themselves. Users bear the burden of managing their own authentication materials and repeatedly providing their identity information. Signing in to web pages and completing user registration forms is an example.”
Proposed Draft Charter: http://dixs.org/index.php/DIX_Charter
Problem Statement
For User
Manage many Username/Passwords
Retyping same data into forms
For Service Operator
Low conversion ratios
Data inaccuracy
Minimal data exchange
Example
User goes to a web site
User provides some information about themselves
Proposed Goals
Automate Digital Identity Exchange between User and Service
Protect User’s Privacy
Minimize Barriers to Adoption
Benefits
For Users
Convenient Digital Identity Exchange
Richer experience with Service
For Service Operators
Increased quality and quantity of identity data
Higher conversion rates
Role & Scope of IETF
Internet related problems
“Above the wire and below the application”
DIX is within IETF scope
Proposed DIX Scope
In Scope
Out of Scope
In/Out of Scope?
Narrow, yet also ambitious.
In Scope
Digital Identity Exchange between User and Service
HTTP/HTML Transport
Browser based applications
Out of Scope
Digital Identity Exchange between services
Federating identifier namespaces
Usage of digital certificates
Claim schema and type system
User authentication with Identity Agent
In/Out of Scope?
SIP
XMPP
Non-browser based applications
Third Party Claims
Scope Discussion?
Requirements
Seven Laws of Identity
1. User Control and Consent
2. Minimal Disclosure for Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Interaction
7. Consistent Experience Across Contexts
Kim Cameron
http://www.identityblog.com/
Requirements – Digital Identity Exchange
Move claims from agent to service
Move claims from service to agent
Unique identifier for User
Requirements - Privacy
Unique Identifier for User
No central control
Opaque
Unidirectional (1:1)
Omni-directional (1:N)
Separation from Identity Agent
Minimal disclosure
Requirements - Claim Schema
Globally unique Identifier for Names
Easily extended
Requirements - Adoption
Nominal client footprint
Minimal changes to Service
Service can independently extend Claim Schema
Leverage existing standards
Ad hoc Service and Identity Agent relationship
No more security than needed
Security Gradient
Security Gradient - Example
[Figure: Identity Transaction Value plotted against Security Level; DIX sits at the low end, with Extension Points for stronger mechanisms further along the gradient]
Low Value: Blogs, …
High Value: Health Records, …
HTTP, DNS, HTTPS, PKI, DNSSEC, …
Threat Analysis
Vulnerabilities and security limitations will need to be analyzed and well documented
Requirements Discussion?
Architectural Models
Domain Centric
Federation
User-Centric
Domain Centric
Account Credentials
Authentication / Attributes / Authorization
E.g. X.500, LDAP, Kerberos, PKIX, TLS, SASL, HTTP Basic/Digest, …
Federation
E.g. SAML / Liberty, …
SAML Token SAML Token
SAML Request
SAML Response
Federation - Ad Hoc
Identifier URL
E.g. OpenID, LID, XRI, Yadis
Discovery
Claims
User Centric
Claims
Claims
E.g. SXIP 2.0,WS-Trust / MetaSystem,…
Request
Discussion?
draft-merrells-dix-00.txt
Individual Submission Internet-Draft
Title: DIX: Digital Identity Exchange
Author: J. Merrells, Sxip Identity
Contact: [email protected]
Date: Jan 17th, 2005
http://www.ietf.org/internet-drafts/draft-merrells-dix-00.txt
(Wiki has Update: http://dixs.org/index.php/Documents)
SXIP Properties
First Name, Last Name, Email Address, Blog URL, Image, …etc…
[Diagram: Browser, Membersite and Homesite connected by the DIX Protocol; SXIP 2.0 and SXIP Buttons; user Beth]
First Visit to geeknews.com
Beth receives an email invitation for geeknews.com
She’s going to ‘sign in’ to the website and provide some information about herself…
Membersite
Browser
[sxip in]
Membersite
Browser
[sxip in]
Consistent User Experience
‘Sign In’
Provide Identity Data
Homesite
GET Homesite Page
Dynamic Discovery
Homesite Tag
Membersite
Browser
ISP.com
Homesite Tag (Bits)
<LINK REL="dix:/homesite"
      HREF="http://isp.com/sxip"
      CLASS="dix:/core#1
             dix://sxip.net/simple#1"/>
Homesite
Homesite Tag
Homesite Tag
Endpoint
http://isp.com/sxip
Capabilities
dix:/core#1
dix://sxip.net/simple#1 Homesite
Homesite Tag
Endpoint
POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-urlencoded
Content-Length: 202

dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D
http://isp.com/sxip
HTTP POST
Homesite
Homesite Tag
Endpoint
http://isp.com/sxip
Capabilities
dix:/core#1
dix://sxip.net/simple#1 Homesite
Homesite Tag
Capabilities
Capability Services
dix:/core#1
Fetch Messages
Store Messages
Verify Messages
dix://sxip.net/simple#1 SXIP Properties
Capability Extensibility
Capability Services
dix://domain.com/… Some Service
DIX URI
Scheme is DIX
Domain is any domain
Path is domain specific
fetch request
Fetch Request
Homesite Membersite
Browser
Fetch Request (Bits)
<HTML>
<BODY Onload="document.forms[0].submit()">
<FORM METHOD="POST" CLASS="DIX" ACTION="http://isp.com/sxip">
<input type="hidden" name="dix:/message-type" value="dix:/fetch-request"/>
<input type="hidden" name="dix:/message-id" value="23AC-34B8-BFD1-459A"/>
<input type="hidden" name="dix:/membersite-url" value="http://geeknews.com/sxip"/>
<input type="hidden" name="dix:/membersite-path" value="geeknews.com/"/>
<input type="hidden" name="first_name" value="dix://sxip.net/contact/name/first"/>
<input type="hidden" name="email" value="dix://sxip.net/contact/internet/email"/>
<input type="submit"/>
</FORM>
</BODY>
</HTML>
Fetch Request (Bits)
dix:/message-type= dix:/fetch-request
dix:/message-id= 23AC-34B8-BFD1-459A
dix:/membersite-url= http://geeknews.com/sxip
dix:/membersite-path= geeknews.com
first_name= dix://sxip.net/contact/name/first
email= dix://sxip.net/contact/internet/email
Capabilities
Property Capability Property Label
dix://sxip.net /contact/name/first
First Name
dix://sxip.net /contact/internet/email
Email Address
Capability Extensibility
Property Capability Property Label
dix://domain.com/path/…
Some Label
sxip.net Properties Name: Prefix, First, Middle, Last, Suffix, Alias
DOB: Day, Month, Year
Phone: Home, Business, Cell, Fax
IM: AIM, ICQ, MSN, Yahoo, Jabber, Skype
Email: Address, Verified, Hashed
Web: Blog, Amazon, Flickr, Delicious
Company: Name, Title
Media: Spoken Name, Audio Greeting, Video Greeting, Biography, Image
Authentication
fetch request
Homesite Membersite
Browser
Properties Requested
fetch request
Homesite Membersite
Browser
Homesite Membersite
Persona Selection
fetch request
Browser
Persona
Name: Beth Surname, Phone: (604)-678-3500 …
Name: Beth Surname, Phone: (415)-244-5808 …
Home: http://home.com/beth
Work: http://work.com/beth
Identifier
Persona Identifier is a URL
Identifier Choice [0…N]
No Identifier
One per Persona
One per Membersite
No Central Service, just DNS
How claimed?
http://work.com/beth
Identifier (Bits)
<LINK REL="dix:/homesite" HREF="http://isp.com" />
Homesite
http://work.com/beth
fetch response
fetch request
Fetch Response
Homesite Membersite
Browser
Fetch Response (Bits)
dix:/message-type= dix:/fetch-response
dix:/message-id= 23AC-34B8-BFD1-459A
dix:/signature= WJhYTYx…
dix:/homesite-url= http://isp.com/sxip
dix:/status-success= dix:/true
first_name= Beth
email_address= [email protected]
Membersite / Homesite
Delegation Check: GET Persona URL
Security
nonce
signature
HTTPS HTTPS
http://work.com/beth
Browser
Membersite / Homesite
Delegation Check: GET Persona URL
Signature Verification
Security
nonce
signature
HTTPS HTTPS
http://work.com/beth
Browser
Verify Request (Bits)
POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-…
Content-Length: 202

dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D
Verify Request (Bits)
POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-…
Content-Length: 202
dix:/message-type= dix:/verify-request
dix:/signature= NWJhYTYx…
dix:/digest= Yzg3ZjA0…
Membersite / Homesite
Delegation Check: GET Persona URL
Signature Verification
Verify Response
nonce
signature
HTTPS HTTPS
http://work.com/beth
Browser
Verify Response (Bits)
HTTP/1.1 200 Ok Connection: close
dix:/true
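The two membersite-side checks sketched in the Dynamic Discovery and Delegation Check slides, as an added example that is not code from the deck or from the Sxip kits: one parser finds the `dix:/homesite` LINK tag (used both to discover the Homesite endpoint and to confirm that the Persona URL page delegates to the Homesite named in the fetch-response), and `check_fetch_response` ties the response back to the outstanding request by its message-id (the nonce) before the data is trusted. The sample persona page and response are constructed from the "Identifier (Bits)" and "Fetch Response (Bits)" slides; the assumption that the persona page's HREF carries the same endpoint URL as `dix:/homesite-url` is mine, since the slides write the two differently.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HomesiteLinkParser(HTMLParser):
    # Finds <LINK REL="dix:/homesite" HREF=... CLASS=...> (the Homesite Tag).
    # Reused for Dynamic Discovery and for the Delegation Check.
    def __init__(self):
        super().__init__()
        self.endpoint, self.capabilities = None, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and self.endpoint is None and a.get("rel", "").lower() == "dix:/homesite":
            self.endpoint = a.get("href", "").strip()
            self.capabilities = a.get("class", "").split()  # one DIX URI per capability

def parse_homesite_tag(html):
    p = HomesiteLinkParser()
    p.feed(html)
    return p.endpoint, p.capabilities

def check_fetch_response(pending_ids, response, persona_html):
    # Assumed membersite checks modelled on the nonce / delegation-check slides:
    # message-id must match an outstanding request (consumed once), status must be
    # success, and the Persona URL page must delegate to the responding Homesite.
    if response.get("dix:/message-type") != "dix:/fetch-response":
        return False, "unexpected message type"
    mid = response.get("dix:/message-id")
    if mid not in pending_ids:
        return False, "message-id does not match a pending request"
    if response.get("dix:/status-success") != "dix:/true":
        return False, "homesite reported failure"
    endpoint, _ = parse_homesite_tag(persona_html)  # caller did GET on the Persona URL
    claimed = response.get("dix:/homesite-url", "")
    if not endpoint or urlsplit(endpoint)[:3] != urlsplit(claimed)[:3]:
        return False, "persona page does not delegate to this homesite"
    pending_ids.discard(mid)  # nonce consumed; a replayed response now fails above
    return True, "ok"

# Constructed sample: the page at Persona URL http://work.com/beth, modelled on the
# "Identifier (Bits)" slide (full endpoint in HREF is an assumption, see lead-in).
PERSONA_PAGE = """<html><head><LINK REL="dix:/homesite" HREF="http://isp.com/sxip"
CLASS="dix:/core#1
dix://sxip.net/simple#1"/></head><body>Beth</body></html>"""

# Constructed sample modelled on the "Fetch Response (Bits)" slide.
FETCH_RESPONSE = {
    "dix:/message-type": "dix:/fetch-response", "dix:/message-id": "23AC-34B8-BFD1-459A",
    "dix:/signature": "WJhYTYx...", "dix:/homesite-url": "http://isp.com/sxip",
    "dix:/status-success": "dix:/true", "first_name": "Beth",
    "email_address": "beth@example.com",  # placeholder, not the deck's redacted address
}
```

The signature and digest in the verify-request are left to the Homesite's verify service, as the slides show; this block only covers what the membersite can check locally.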
Saving Data to isp.com
Beth decides to leave a comment on a post at geeknews.com
She will provide some Identity Data and save it at her Homesite
Membersite
Browser
[sxip save]
Membersite
Browser
[sxip save]
Consistent User Experience
Save Identity Data
Homesite Membersite
store request
[sxip save]
Browser
Store Request (Bits)
dix:/message-type= dix:/store-request
dix:/membersite-url= http://geeknews.com/sxip
dix:/membersite-path= geeknews.com
dix:/persona-url= http://work.com/beth
dix://sxip.net/media/image=
http://work.com/beth/me.jpg
Persona
Name: Beth Surname, Phone: (604)-678-3500 …
Name: Beth Surname, Phone: (415)-244-5808 …
Home: http://home.com/beth
Work: http://work.com/beth
Homesite Membersite
Store Response
store response
store request
Browser
Store Response (Bits)
dix:/message-type= dix:/store-response
dix:/homesite-url= http://isp.com/sxip
dix:/status-success= dix:/true
Available Today
Membersite / Homesite
Browser
Homesite Reference Implementation: Perl
Demonstration App
Membersite Development Kit: PHP, Perl, Java, (Ruby, Python)
Plugins: Media Wiki, (Drupal, Ning)
Resources Websites:
The Vision: identity20.com
The Code: sxip.org
The Spec: sxip.net, dixs.org
The Demo: sxore.com
Contact:
John Merrells, [email protected]
draft-merrells-dix-00.txt
Individual Submission Internet-Draft
Title: DIX: Digital Identity Exchange
Author: J. Merrells, Sxip Identity
Contact: [email protected]
Date: Jan 17th, 2005
http://www.ietf.org/internet-drafts/draft-merrells-dix-00.txt
(Wiki has Update: http://dixs.org/index.php/Documents)
General Discussion?