OpenID Attributes beyond AX / SREG
Where should attributes come from? How should they be managed?
Convener: Jay Unger
Internet Identity Workshop #11 - Mountain View, CA, November 2-4, 2010
Simplicity v. Completeness
Some thoughts on the “tension” between simplicity and function.
“Everything should be made as simple as possible, but not simpler.” (Albert Einstein)
“Seek simplicity but distrust it.” (Alfred North Whitehead)
“It’s really hard to design products by focus groups. A lot of times, people don’t know what they want until you show it to them.” (Steve Jobs)
“There aren't any rules around here. We're trying to accomplish something.” (Thomas Edison)
Simplicity & Good Ideas
“Dr. Pauling, how is it you have so many good ideas?” (Nova interviewer)
“The way to get good ideas is to get lots of ideas, and throw the bad ones away.” (Linus Pauling, interview, 1977)
“The hard thing is to figure out which ones are the bad ones.” (Jay Unger)
Beyond OpenID AX: Attributes are the only information supplied to Relying Parties
[Diagram: User, Identity Provider and Relying Party, with the labels “credentials”, “attributes”, “user controlled” and “firewall”]
● Rule 1: Authentication and attribute exchange are entirely separated:
   – Authentication information and associated methods are NEVER revealed to Relying Parties.
   – “Strength” and “Assurance” information about authentication means may be communicated between Identity Providers and Relying Parties.
● Rule 2: Attribute exchange is always under control of the user.
   – A pseudonym is the only attribute always provided to a Relying Party.
   – Users must always be asked to grant permission as to whether and what additional attributes are supplied to a Relying Party.
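The two rules above, written out as an Identity Provider's release decision. This is an added example, not code from the deck or from any OpenID implementation: the user record, attribute names and RP identifiers are constructed, and the pairwise pseudonym (an HMAC over the Relying Party's identifier under a per-user secret) is my own assumption about how the always-returned pseudonym could be derived; the deck only says that one is always supplied.

```python
"""Identity Provider release decision following Rule 1 and Rule 2 of the deck.

Constructed example (not code from the IIW-11 deck or from any OpenID
library).  The pairwise pseudonym, an HMAC over the Relying Party's identifier
under a per-user secret, is an assumption of this example.
"""
import hashlib
import hmac

# Constructed user record.  "auth" is what the IdP knows about how the user
# logged in; under Rule 1 only its strength may ever leave the IdP.
USER = {
    "id": "user-123",
    "pseudonym_secret": b"constructed-per-user-secret",
    "attributes": {
        "email": "alice@example.org",
        "name": "Alice Example",
        "birthdate": "1990-01-01",
    },
    "auth": {"method": "password+hardware_otp", "strength": "high"},
}


def pairwise_pseudonym(user, rp_id):
    """A stable pseudonym that differs per Relying Party (assumption, see above),
    so two RPs cannot correlate the user by the identifier alone."""
    mac = hmac.new(user["pseudonym_secret"], rp_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def needs_consent(requested, decisions):
    """Requested attributes the user has neither approved nor refused for this
    RP yet.  Rule 2: the IdP must ask before releasing any of these."""
    return [name for name in requested if name not in decisions]


def release(user, rp_id, requested, decisions):
    """Build the attribute set sent to rp_id.

    requested: attribute names the RP asked for
    decisions: {name: True/False} recorded from the user's consent prompt
    """
    response = {
        # Rule 2: the pseudonym is the one attribute always provided.
        "pseudonym": pairwise_pseudonym(user, rp_id),
        # Rule 1: strength/assurance may be communicated; the method never is.
        "auth_strength": user["auth"]["strength"],
    }
    for name in requested:
        # Only attributes the user explicitly approved, and only ones that exist.
        if decisions.get(name) and name in user["attributes"]:
            response[name] = user["attributes"][name]
    return response


if __name__ == "__main__":
    rp = "https://rp-a.example/"
    wanted = ["email", "name", "birthdate"]
    print("still to ask:", needs_consent(wanted, {"email": True}))
    print(release(USER, rp, wanted, {"email": True, "name": False, "birthdate": True}))
```

The structural point is that `release` never reads `user["auth"]["method"]` at all, so no code path can leak it; the only authentication fact that crosses to the RP is the strength label.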
Attribute Flow and Management (Beyond OpenID AX)
[Diagram: User, Identity Provider, Relying Party and Attribute Provider, with the labels “attributes”, “user controlled” and “self asserted attributes”]
• All attributes should be digitally signed
   – By their provider
   – To ensure integrity
   – To record provenance
• Attributes should include:
   – Assertion (key : value)
   – Conditions:
      – Duration (valid / expires)
      – Usage Restrictions
      – Level / Strength of Assurance
   – Dependencies:
      – On other Attributes (chaining)
      – On external information or processes (vetting)
   (SAML XML already has most of this)
• User
   – Should be able to control what attributes are released to which Relying Parties
   – Should be able to manage what attributes are accepted from Attribute Providers
• Attribute Provider
   – Should be able to revoke or modify attributes that they have provided to any user
   – The user should be informed
Both Users and Relying Parties can also act as Attribute Providers.
Attribute Flow and Management (Beyond OpenID AX), continued
[Diagram: User, Identity Provider, Relying Party and Attribute Provider, with the labels “attributes”, “user controlled” and “self asserted attributes”]
• Relying Party
   – Ultimately decides what attributes they believe they can trust
   – Based on:
      – Identity Provider Trust
      – Authentication “strength”
      – Attribute Provider Trust
      – Attribute details
      – Their own policies and requirements
Beyond OpenID AX: Attribute Expression
● Syntax: Attributes should use the JSON syntax being proposed for signing and encryption.
● Schema(s): Need some sort of extensible mechanism and process for defining, relating and “transforming” attribute data.
   – Referenced like axschema.org (URI)
   – Support formatting definition and/or “synonym” and transformation.
   – Probably some sort of hierarchical (shallow) namespace.
   – Possibly a “base” schema (like Portable Contacts) could be a “default” namespace with minimal syntactic requirements.
● Operations:
   – “Fetch” and “Store” and possibly “verify” primitives for RPs
   – Required and optional “fetch” might be composed with authentication requests as in current AX / SREG.
   – RPC-like model could also be supported directly between RPs and OPs.
● Pseudonym should be handled like an attribute but always returned.
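The signed-attribute structure from the "Attribute Flow and Management" slides (assertion, provenance, duration, usage restriction, assurance level, chaining) together with the Relying Party's acceptance decision, and the JSON signing syntax this slide asks for, worked through in one added example. This is not code from the deck or from any OpenID or JWS library: the token layout follows the JWS compact form, the signature is an HMAC-SHA256 stand-in chosen so the file runs on the standard library alone (a real Attribute Provider would sign with a private key and the RP verify with the provider's public key), and the provider names, keys, schema URIs, assurance levels and the "verify"-style RP primitive `rp_accept` are all constructed for the example.

```python
"""Signed attribute assertions and the Relying Party's acceptance decision.
Constructed example, not code from the IIW-11 deck.  Token layout is the JWS
compact form (base64url header.payload.signature) that the deck refers to as
"the JSON syntax being proposed for signing and encryption"; the signature is
an HMAC-SHA256 (JWS HS256) stand-in so this runs on the standard library
alone.  A real Attribute Provider would sign with its private key and the RP
would verify with the provider's public key.  Names, keys and URIs below are
constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed per-provider keys (stand-in for published public keys).
PROVIDER_KEYS = {"https://ap.example/": b"ap-signing-key",
                 "https://other-ap.example/": b"other-ap-key"}
ASSURANCE_RANK = {"low": 1, "medium": 2, "high": 3}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_attribute(provider, key, value, valid, lifetime, assurance,
                   usage="any", depends_on=()):
    """One (key : value) assertion plus the conditions the deck lists:
    provenance (iss), duration (valid/expires), usage restriction, level of
    assurance, and dependencies on other attribute keys (chaining)."""
    header = {"alg": "HS256", "typ": "attr"}
    claims = {"iss": provider, "key": key, "value": value, "valid": valid,
              "expires": valid + lifetime, "assurance": assurance,
              "usage": usage, "depends_on": list(depends_on)}
    signing_input = (b64url(json.dumps(header, sort_keys=True).encode()) + "." +
                     b64url(json.dumps(claims, sort_keys=True).encode()))
    mac = hmac.new(PROVIDER_KEYS[provider], signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_attribute(token):
    """Claims if the signature verifies under the key of the provider named in
    the token, else None.  This establishes integrity and provenance only;
    whether that provider is trusted is a separate RP decision."""
    try:
        head, payload, sig = token.split(".")
        claims = json.loads(b64url_decode(payload))
        key = PROVIDER_KEYS[claims["iss"]]
        given = b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, (head + "." + payload).encode(),
                        hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, given) else None


def rp_accept(tokens, trusted_providers, min_assurance, now):
    """RP policy from the deck: decide which presented attributes to believe,
    based on provider trust, attribute details and the RP's own requirements.
    Returns (accepted {key: value}, rejected {key: reason})."""
    candidates, rejected = {}, {}
    for i, token in enumerate(tokens):
        claims = verify_attribute(token)
        if claims is None:
            rejected["token#%d" % i] = "signature invalid or provider key unknown"
            continue
        k = claims["key"]
        if claims["iss"] not in trusted_providers:
            rejected[k] = "attribute provider not trusted"
        elif not (claims["valid"] <= now < claims["expires"]):
            rejected[k] = "outside validity window"
        elif ASSURANCE_RANK.get(claims["assurance"], 0) < ASSURANCE_RANK[min_assurance]:
            rejected[k] = "assurance below RP policy"
        else:
            candidates[k] = claims
    # Chaining: drop attributes whose dependencies were not themselves
    # accepted, repeating until the set is stable.
    changed = True
    while changed:
        changed = False
        for k in list(candidates):
            missing = [d for d in candidates[k]["depends_on"] if d not in candidates]
            if missing:
                rejected[k] = "depends on unaccepted attribute " + missing[0]
                del candidates[k]
                changed = True
    return {k: c["value"] for k, c in candidates.items()}, rejected


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    email = sign_attribute("https://ap.example/", "http://axschema.org/contact/email",
                           "alice@example.org", now - 60, 3600, "medium")
    print(rp_accept([email], {"https://ap.example/"}, "medium", now))
```

Note the two separate gates: `verify_attribute` answers "was this really issued by the provider it names and left unchanged", while `rp_accept` answers "does this RP choose to believe that provider, under these conditions". A token from a provider whose key is known but who is not on the RP's trust list verifies and is still rejected, which is the distinction the slides draw between integrity/provenance and trust.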

IIW-11 Beyond Attribute Exchange