Page 1: Identity 3.0 and Oracle

A match made in heaven or is hell freezing over?

Bram van Pelt

Identity 3.0 and Oracle

Page 2: Identity 3.0 and Oracle

Who Am I

• Bram van Pelt

• Expert lead Security

• Security Consultant

Page 3: Identity 3.0 and Oracle

What will we be covering

Agenda

• The evolution of the identity

• Identity 3.0

• Oracle POC implementation

Page 4: Identity 3.0 and Oracle

Definitions

• Account

• Identity

• User

Page 5: Identity 3.0 and Oracle

The history of digital Identity

Page 6: Identity 3.0 and Oracle

Identity 1.0

• Jericho Forum

• De-perimeterisation

• COA Framework

Page 7: Identity 3.0 and Oracle

COA Framework

• Technologies

– Endpoint security

– Secure communications

– Secure data (DRM)

Page 8: Identity 3.0 and Oracle

COA Framework

• Processes

– People Lifecycle Management

– Risk Management

– Information Lifecycle Management

– Device Lifecycle Management

– Enterprise Lifecycle Management

Page 9: Identity 3.0 and Oracle

COA Framework

• Services

– Identity management and federation

– Policy Management

– Information Classification

– Information Asset Management

– Audit

Page 10: Identity 3.0 and Oracle

Identity 2.0

• Securely collaborating in clouds

• Identity, Entitlement & Access Management Commandments

Page 11: Identity 3.0 and Oracle

Identity, Entitlement & Access Management Commandments

• 14 Guidelines on how to secure an identity

• An Entity can have multiple, separate Persona (Identities) and related unique identifiers

• The source of the attribute should be as close to the authoritative source as possible

• A resource owner must define Entitlement (Resource Access Rules)

Page 12: Identity 3.0 and Oracle

Identity 3.0

• Bring your own identity

• Using identity to enhance privacy

• “We believe that with a single global identity eco-system all this is possible.”

Page 13: Identity 3.0 and Oracle

Identity 3.0 definitions

• External identifier

A provider for attributes other than the user.

• Core identifier

The “bring your own identity” attribute provider

• Persona

A mix of attributes which are provided by the core identifier and, optionally, external identifiers

Page 14: Identity 3.0 and Oracle

Identity 3.0 principles: Risk

• Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.

• Attributes of an Identity will be signed by the authoritative source for those attributes.

Page 15: Identity 3.0 and Oracle

Identity 3.0 principles: Privacy

• Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.

• The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.

• Entities will only maintain attributes for which they are the authoritative source.

Page 16: Identity 3.0 and Oracle

Identity 3.0 principles: Functionality

• The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.

• The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralized infrastructure.

• Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time that increased levels of user verification are required.

Page 17: Identity 3.0 and Oracle

The inner workings

Page 18: Identity 3.0 and Oracle

Inner workings

• Personas

• One way trust

Page 19: Identity 3.0 and Oracle

Personas

[Entity: Organization] Government issues to [Entity: Person] Yourself:

Citizen Persona with authoritative (cryptographically) signed attributes

• Date of Birth = 01 Jan 2000

• Place of Birth = London, UK

• Sex at Birth = Male

• Name at Birth = John Doe

• Citizenship = Full British

• Issued = 01 Jan 2015

• Revalidation = gid.citizen.gov.uk

Page 20: Identity 3.0 and Oracle

Trust

Page 21: Identity 3.0 and Oracle

One way trust

• I trust you, so you can access my resources

• Does not mean you can access unauthenticated

Page 22: Identity 3.0 and Oracle

How does this work?

• Site demands identity

• You give your attributes

• You log in to the external identifier

Page 23: Identity 3.0 and Oracle

How does this work?

• Reusable

• Web of identities

Page 24: Identity 3.0 and Oracle

Why would you want this

• No more user storage

• Personalisation options

• Transparency to end users

• Enhanced privacy

Page 25: Identity 3.0 and Oracle

How would we build this?

• Ingredients:

– The core identity and identifier

– The persona implementation

– The external identifier / authenticators

Page 26: Identity 3.0 and Oracle

The core identity and Identifier

• This is a personal device which you have on you, if possible…

• Phones

• Dyn-dns via browsers

• Personal component

Page 27: Identity 3.0 and Oracle

The Persona implementation

• Basically an “identity cookbook”

• Trusts to identifiers

• One way cryptographic trust

– Signed attributes

Page 28: Identity 3.0 and Oracle

The external identifier / authenticator

• Basically an external identification source

• Chosen by the application

Page 29: Identity 3.0 and Oracle

How would we build this?

• Oracle Weblogic Server

– SAML Trust to an access manager

• Oracle Access Manager

– Key retrieval using dyndns

– External authentication (Using SAML or OAuth2)

• Personal authenticators…

– Todo…

Page 30: Identity 3.0 and Oracle

Let’s picture it

Page 31: Identity 3.0 and Oracle

What do we need

• Oracle:

– Authentication modules to authenticate using DYNDNS / IPV6

– Personal authenticators

– Expanded control over authentication chains

Page 32: Identity 3.0 and Oracle

YOU

Page 33: Identity 3.0 and Oracle

Special Thanks

• Global Identity Foundation

• Jericho Forum

Page 34: Identity 3.0 and Oracle

• Bram van Pelt

• Twitter: @BramPelt

• LinkedIn: http://linkedin.com/in/bram-van-pelt-77a15021
