• Home

  • Documents

  • Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy...
10
Identity Management Hannes Tschofenig

Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Embed Size (px)

Citation preview

Page 1: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Identity ManagementHannes Tschofenig

Page 2: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Motivation

• OAuth was created to allow secure and privacy friendly sharing of data.

• OAuth is not an authentication protocol. – Works with any user authentication protocol

(e.g., OATH, FIDO, W3C CryptoAPI, etc.)– Federated login possible with OpenID Connect

• OAuth is widely used on the Internet.– Example: Salesforce, Google, MSFT Azure, Deutsche

Telekom, GSMA mobile connect (Orange, Telekom Italia)

http://www.openauthentication.org/
http://fidoalliance.org/
http://openid.net/connect/
Page 3: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

$ Identity: Any subset of an individual's attributes, including names, that identifies the individual within a given context. Individuals usually have multiple identities for use in different contexts.(RFC 6973)

Page 4: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Players

Courtesy to Justin Richer for the figure.

Token

Token

Page 5: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication
Page 6: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Players: “Payment Terminology”

Courtesy to Justin Richer for the figure.

Merchant

Customer

Payment Infrastructure

Token

Token

Page 7: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Layering Payment on Top of Identity Infrastructure?

Page 8: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Insights we gained

• It works and is deployed. – Even password sharing practice has been significantly decreased.

• High interest to be the identity provider but not necessarily relying party.

• Incentivizing the issuance of strong credentials (i.e., stronger than passwords) is difficult.

• Design for a distributed mechanism can still lead to silos.• Some companies use the standardized OAuth/OpenID

Connect but add extensions that make their solution non-interoperable.– Lack of understanding? Mistake? Intention?

Page 9: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

Insights we gained, cont.

• Relationship between relying party and identity provider is more than just technology.– Influenced by business agreements and legal frameworks

OIX• Security guidance we provide in our specifications (e.g.,

RFC 6819) is sometimes “kindly ignored”.• Privacy: – Consent mechanism lead to better privacy. – Relying parties still ask for too much but this is a deployment

choice rather than something a standard can dictate. – Choice offered is often limited “take it or leave it”

http://openidentityexchange.org/
Page 10: Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication

More Info?

• OpenID Connect might be a good platform for a payment protocol.

• Look at IETF OAuth working group for core specifications.

• OAuth Tutorial:– Slides– Recording

(Might require to download a Cisco Webex ARF player at http://www.webex.com/go/down_player_win_arf)

http://openid.net/connect/
https://ietf.org/wg/oauth/charter/
https://ietf.org/wg/oauth/charter/
https://ietf.org/wg/oauth/charter/
https://ietf.org/wg/oauth/charter/
https://ietf.org/wg/oauth/charter/
http://www.tschofenig.priv.at/tutorials/OAuth-Tutorial.pdf
http://www.tschofenig.priv.at/tutorials/OAuth-Tutorial.arf
http://www.webex.com/go/down_player_win_arf

The FIDO Approach to Privacy Hannes Tschofenig, ARM Limited 1

The FIDO Approach to Privacy Hannes Tschofenig, ARM Limited 1

Documents
Next Generation 112 Long Term Definition - · PDF fileCommittee Long Term Definition Working Group developed the “Detailed ... Hannes Tschofenig Nokia Siemens Networks ... 4.8.1

Next Generation 112 Long Term Definition - · PDF fileCommittee Long Term Definition Working Group developed the “Detailed ... Hannes Tschofenig Nokia Siemens Networks ... 4.8.1

Documents
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)

Documents
Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig … · OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig … · OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Documents
1 Confidential Authentication Session Hannes Tschofenig

1 Confidential Authentication Session Hannes Tschofenig

Documents
Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Documents
Next Generation 112 Long Term Definition - · PDF fileThe Next Generation 112 Long Term Definition document is based on the NENA i3 ... Hannes Tschofenig Nokia Siemens Networks / EENA

Next Generation 112 Long Term Definition - · PDF fileThe Next Generation 112 Long Term Definition document is based on the NENA i3 ... Hannes Tschofenig Nokia Siemens Networks / EENA

Documents
Sung-Hyuck Lee, Seong-Ho Jeong, Hannes Tschofenig, Xiaoming Fu, Jukka Manner

Sung-Hyuck Lee, Seong-Ho Jeong, Hannes Tschofenig, Xiaoming Fu, Jukka Manner

Documents
Interconnecting Smart Objects with the Internet Workshop Hannes Tschofenig

Interconnecting Smart Objects with the Internet Workshop Hannes Tschofenig

Documents
The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

Documents
Example oAuth Exchange - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/oauth-tutorial.pdf · History, cont. March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig

Example oAuth Exchange - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/oauth-tutorial.pdf · History, cont. March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig

Documents
Internet Standards- Emergency Services Hannes Tschofenig Mail comments to Hannes.Tschofenig@nsn.com and/or ecrit@ietf.org.Hannes.Tschofenig@nsn.comecrit@ietf.org

Internet Standards- Emergency Services Hannes Tschofenig Mail comments to [email protected] and/or [email protected]@[email protected]

Documents
Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Documents
The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

Documents
Hannes Tschofenig (IETF#79, SAAG, Beijing)

Hannes Tschofenig (IETF#79, SAAG, Beijing)

Documents
Oauth Tutorial

Oauth Tutorial

Documents
Standardizing IP-based Emergency Services Richard Barnes BBN Technologies IETF GEOPRIV Chair rbarnes@bbn.com Hannes Tschofenig Nokia-Siemens IETF ECRIT

Standardizing IP-based Emergency Services Richard Barnes BBN Technologies IETF GEOPRIV Chair [email protected] Hannes Tschofenig Nokia-Siemens IETF ECRIT

Documents
Internet Protocol-based Emergency Services Hannes Tschofenig 112 Rescue Forum, 11 th October 2012, Žilina, Slovakia

Internet Protocol-based Emergency Services Hannes Tschofenig 112 Rescue Forum, 11 th October 2012, Žilina, Slovakia

Documents
H. Tschofenig - datatracker.ietf.org. Tschofenig Nokia Siemens ... working documents as Internet-Drafts. The list of current Internet- ... As an example, the News International phone-hacking

H. Tschofenig - datatracker.ietf.org. Tschofenig Nokia Siemens ... working documents as Internet-Drafts. The list of current Internet- ... As an example, the News International phone-hacking

Documents
The Essential OAuth Primer: Understanding OAuth for Securing Cloud

The Essential OAuth Primer: Understanding OAuth for Securing Cloud

Documents
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation

Documents
1 Design Patterns for Connected Devices Hannes Tschofenig Michael Koster

1 Design Patterns for Connected Devices Hannes Tschofenig Michael Koster

Documents
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig

CIS 2015 How to secure the Internet of Things? Hannes Tschofenig

Technology
1 Hannes Tschofenig. 2 The Internet of Things Today Enormous potential “Tens of billions of new devices” … but market growing slower than expected

1 Hannes Tschofenig. 2 The Internet of Things Today Enormous potential “Tens of billions of new devices” … but market growing slower than expected

Documents
Authentication Session Hannes Tschofenig

Authentication Session Hannes Tschofenig

Documents
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011

Documents
Performance Investigations - Internet Engineering Task · PDF filePerformance Investigations Hannes Tschofenig, Manuel Pégourié-Gonnard 25th March 2015 . 2 Motivation ! In we tried

Performance Investigations - Internet Engineering Task · PDF filePerformance Investigations Hannes Tschofenig, Manuel Pégourié-Gonnard 25th March 2015 . 2 Motivation ! In we tried

Documents
Incorporating OAuth: How to integrate OAuth into your mobile app

Incorporating OAuth: How to integrate OAuth into your mobile app

Technology
1 Performance Investigations Hannes Tschofenig, Manuel Pégourié-Gonnard 25 th March 2015

1 Performance Investigations Hannes Tschofenig, Manuel Pégourié-Gonnard 25 th March 2015

Documents
Next Generation 112 Long Term Definition - EENA · The Next Generation 112 Long Term Definition document is based on the NENA i3 ... Cristina Lumbreras EENA Hannes Tschofenig Nokia

Next Generation 112 Long Term Definition - EENA · The Next Generation 112 Long Term Definition document is based on the NENA i3 ... Cristina Lumbreras EENA Hannes Tschofenig Nokia

Documents