Page 1: Identity 3.0 and Oracle at AMIS25

Identity 3.0 and Oracle
A match made in heaven or is hell freezing over?

Bram van Pelt

Page 2

Who am I

• Bram van Pelt

• Expert Lead Security

• Security Consultant

Page 3

What will we be covering

Agenda

• The evolution of identity

• Identity 3.0

• Oracle POC implementation

Page 4

Definitions

• Account

• Identity

• User

Page 5

The history of digital identity

Page 6

Identity 1.0

• Jericho Forum

• De-perimeterisation

• COA (Collaboration Oriented Architecture) Framework

Page 7

COA Framework

• Technologies

– Endpoint security

– Secure communications

– Secure data (DRM)

Page 8

COA Framework

• Processes

– People Lifecycle Management

– Risk Management

– Information Lifecycle Management

– Device Lifecycle Management

– Enterprise Lifecycle Management

Page 9

COA Framework

• Services

– Identity management and federation

– Policy Management

– Information Classification

– Information Asset Management

– Audit

Page 10

Identity 2.0

• Securely collaborating in clouds

• Identity, Entitlement & Access Management Commandments

Page 11

Identity, Entitlement & Access Management Commandments

• 14 guidelines on how to secure an identity

• An Entity can have multiple, separate Persona (Identities) and related unique identifiers

• The source of the attribute should be as close to the authoritative source as possible

• A resource owner must define Entitlement (Resource Access Rules)

Page 12

Identity 3.0

• Bring your own identity

• Using identity to enhance privacy

• “We believe that with a single global identity eco-system all this is possible.”

Page 13

Identity 3.0 definitions

• External identifier: a provider of attributes other than the user.

• Core identifier: the “bring your own identity” attribute provider.

• Persona: a mix of attributes provided by the core identifier and, optionally, by external identifiers.

Page 14

Identity 3.0 principles: Risk

• Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.

• Attributes of an Identity will be signed by the authoritative source for those attributes.

Page 15

Identity 3.0 principles: Privacy

• Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.

• The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.

• Entities will only maintain attributes for which they are the authoritative source.

Page 16

Identity 3.0 principles: Functionality

• The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.

• The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralized infrastructure.

• Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time as increased levels of user verification are required.

Page 17

The inner workings

Page 18

Inner workings

• Personas

• One way trust

Page 19

Personas


[Entity: Organization] Government

[Entity: Person] Yourself

Citizen persona with authoritative, cryptographically signed attributes:

Date of Birth = 01 Jan 2000
Place of Birth = London, UK
Sex at Birth = Male
Name at Birth = John Doe
Citizenship = Full British
Issued = 01 Jan 2015
Revalidation = gid.citizen.gov.uk

Page 20

Trust

Page 21

One way trust

• I trust you, so you can access my resources

• This does not mean you can access them without authenticating

Page 22

How does this work?

• The site demands an identity

• You give your attributes

• You log in to the external identifier

Page 23

How does this work?

• Reusable

• Web of identities
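The exchange on the last three slides (a site demands attributes, the holder discloses only those, the site checks them against a trust list it alone controls) and the signed citizen persona from the earlier persona slide, as an added Go example written for this page. It is not code from the talk, from Oracle or from the Global Identity Foundation. It assumes each attribute is signed individually with Ed25519 over a canonical JSON encoding, that the relying party's trust list maps an issuer name to a public key, and that the revalidation host from the persona slide (gid.citizen.gov.uk) doubles as the issuer name; the subject identifier persona-7f3a, the rogue issuer gid.example.invalid and all type and function names are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Attribute is one claim about a subject, signed on its own by its authoritative source so a
// persona can disclose it without the rest. canonical() relies on json keeping declaration order.
type Attribute struct {
	Issuer    string `json:"issuer"`  // authoritative source, named by its revalidation host
	Subject   string `json:"subject"` // opaque persona identifier, constructed for this example
	Name      string `json:"name"`
	Value     string `json:"value"`
	Signature []byte `json:"-"` // issuer's Ed25519 signature; excluded from the signed bytes
}

// canonical is the byte string the issuer signs and the relying party verifies.
func canonical(a Attribute) []byte {
	b, _ := json.Marshal(a) // cannot fail for a struct of plain strings
	return b
}

// keygen makes an issuer key pair; the public half goes into relying parties' trust lists.
func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS random source is unavailable
	}
	return pub, priv
}

// Sign is what an authoritative source (the government on the persona slide) does.
func Sign(priv ed25519.PrivateKey, issuer, subject, name, value string) Attribute {
	a := Attribute{Issuer: issuer, Subject: subject, Name: name, Value: value}
	a.Signature = ed25519.Sign(priv, canonical(a))
	return a
}

// Persona is the holder's bundle of signed attributes, keyed by attribute name.
type Persona map[string]Attribute

// Disclose hands over only what the site asked for (attribute minimisation); a gap is an error.
func (p Persona) Disclose(requested ...string) ([]Attribute, error) {
	out := make([]Attribute, 0, len(requested))
	for _, n := range requested {
		a, ok := p[n]
		if !ok {
			return nil, fmt.Errorf("persona has no attribute %q", n)
		}
		out = append(out, a)
	}
	return out, nil
}

// RelyingParty is the site that assumes the risk; Trusted is its own, one-way decision.
type RelyingParty struct{ Trusted map[string]ed25519.PublicKey }

// Verify accepts only attributes from a trusted issuer, about this subject, with a valid signature.
func (rp RelyingParty) Verify(subject string, disclosed []Attribute) (map[string]string, error) {
	learned := map[string]string{}
	for _, a := range disclosed {
		pub, ok := rp.Trusted[a.Issuer]
		switch {
		case !ok:
			return nil, fmt.Errorf("issuer %q is not trusted", a.Issuer)
		case a.Subject != subject:
			return nil, fmt.Errorf("%q was issued to another subject", a.Name)
		case !ed25519.Verify(pub, canonical(a), a.Signature):
			return nil, fmt.Errorf("bad signature on %q", a.Name)
		}
		learned[a.Name] = a.Value
	}
	return learned, nil
}

const Gov, Subject = "gid.citizen.gov.uk", "persona-7f3a" // issuer name from the slide; subject id constructed

// CitizenScenario builds the slide's citizen persona and a site that trusts only Gov.
func CitizenScenario() (Persona, RelyingParty) {
	pub, priv := keygen()
	persona := Persona{}
	for _, kv := range [][2]string{{"Date of Birth", "01 Jan 2000"}, {"Place of Birth", "London, UK"}, {"Citizenship", "Full British"}} {
		persona[kv[0]] = Sign(priv, Gov, Subject, kv[0], kv[1])
	}
	return persona, RelyingParty{Trusted: map[string]ed25519.PublicKey{Gov: pub}}
}

func main() {
	persona, site := CitizenScenario()
	disclosed, _ := persona.Disclose("Citizenship") // site demands one attribute; holder gives only that
	fmt.Println(site.Verify(Subject, disclosed))    // map[Citizenship:Full British] <nil>
	tampered := disclosed[0]                        // a value edited after issuance no longer verifies
	tampered.Value = "None"
	fmt.Println(site.Verify(Subject, []Attribute{tampered}))
	_, roguePriv := keygen() // a source the site never chose to trust
	forged := Sign(roguePriv, "gid.example.invalid", Subject, "Citizenship", "Full British")
	fmt.Println(site.Verify(Subject, []Attribute{forged}))
}
```

Run with `go run`: the first line prints the single attribute the site learned, the next two print the errors for an edited value and for an issuer that is not on the site's trust list. Because every attribute carries its own signature, the holder never hands over the date or place of birth to prove citizenship, which is the attribute minimisation from the privacy principles; because the trust list lives only at the relying party, being trusted grants the issuer nothing in return, which is the one way trust of the trust slide. A real deployment would add an issued-at or expiry field to the signed bytes and a revocation or revalidation check against the issuer's revalidation endpoint; both are left out here to keep the signing and verification path visible.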

Page 24

Why would you want this

• No more user storage

• Personalisation options

• Transparency to end users

• Enhanced privacy

Page 25

How would we build this?

• Ingredients:

– The core identity and identifier

– The persona implementation

– The external identifier / authenticators

Page 26

The core identity and identifier

• This is a personal device which you have on you, if possible…

• Phones

• DynDNS via browsers

• Personal component

Page 27

The persona implementation

• Basically an “identity cookbook”

• Trusts to identifiers

• One way cryptographic trust

– Signed attributes

Page 28

The external identifier / authenticator

• Basically an external identification source

• Chosen by the application

Page 29

How would we build this?

• Oracle WebLogic Server

– SAML trust to an access manager

• Oracle Access Manager

– Key retrieval using DynDNS

– External authentication (using SAML or OAuth2)

• Personal authenticators…

– Todo…

Page 30

Let’s picture it

Page 31

What do we need

• Oracle:

– Authentication modules to authenticate using DynDNS / IPv6

– Personal authenticators

– Expanded control over authentication chains

Page 32

YOU

Page 33

Special Thanks

• Global Identity Foundation

• Jericho Forum

Page 34

• Bram van Pelt

• Twitter: @BramPelt

• LinkedIn: http://linkedin.com/in/bram-van-pelt-77a15021
