Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Â
IIW-11 Beyond Attribute Exchange
1. OpenID Attributes
beyond AX / SREG
Where should attributes come from ?
How should they be managed ?
Convener: Jay Unger
2. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
Simplicity v. Completeness
Some thoughts on the âtensionâ
between simplicity and function.
âEverything should be made as simple as
possible, but not simpler.â
Albert Einstein
âSeek simplicity but distrust itâ
Alfred North Whitehead
âItâs really hard to design products by
focus groups. A lot of times, people donât
know what they want until you show it to
themâ Steve Jobs
âThere aren't any rules around here.
We're trying to accomplish something.â
Thomas Edison
3. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
Simplicity & Good Ideas
âDr. Pauling, how is it you have so many good ideas?â
Nova Interviewer
âThe hard thing is to figure out which ones are the bad onesâ
Jay Unger
âThe way to get good ideas is to get lots of ideas,
and throw the bad ones awayâ Linus Pauling
Interview 1977
4. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
Attributes are the only information supplied to
Relying Parties
credentials
Beyond OpenID AX
User
Relying
Party
Identity
Provider
attributes
firewall
user controlled
â Rule 1: Authentication and attribute exchange are entirely separated:
ďŽ Authentication information and associated methods are NEVER revealed to
Relying Parties.
ďŽ âStrengthâ and âAssuranceâ information about authentication means may be
communicated between Identity Providers and Relying parties.
âRule 2: Attribute exchange is always under control of the user.
ďŽ A pseudonym is the only attribute always provided to a Relying Party.
ďŽ Users must always be asked to grant permission to as to whether and what
additional attributes are supplied to a Relying Party.
5. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
Attribute Flow and Management
Beyond OpenID AX
User
Relying
Party
Identity
Provider
attributes
user controlled
Attribute
Provider
self asserted
attributes
⢠All attributes should be digitally
signed
⢠By their provider
⢠To insure integrity
⢠To record provenance
⢠Attributes should include:
⢠Assertion (key : value)
⢠Conditions:
⢠Duration ( valid / expires )
⢠Usage Restrictions
⢠Level / Strength of Assurance
⢠Dependencies
⢠On other Attributes (chaining)
⢠On external information or processes
(vetting)
(SAML XML already has most of this)
â˘User
⢠Should be able to control what
attributes are released to which
relying partiers
⢠Should be able to manage what
attributes are accepted from
Attribute providers.
â˘Attribute Provider
⢠Should be able to revoke or modify
attributes that they have provided
to any user.
⢠User should be informed
Both Users and Relying Parties can
also act as Attribute Providers.
attributes
6. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
Attribute Flow and Management
Beyond OpenID AX
User
Relying
Party
Identity
Provider
attributes
user controlled
Attribute
Provider
self asserted
attributes
⢠Relying Party
⢠Ultimately decides what attributes
they believe they can trust
⢠Based on:
⢠Identity Provider Trust
⢠Authentication âstrengthâ
⢠Attribute Provider Trust
⢠Attribute details
⢠Their own policies and
requirements
attributes
7. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
Beyond OpenID AX
â Attribute Expression
â Syntax: Attributes should use the JSON syntax being
proposed for signing and encryption.
â Schema(s)
ďŽ Need some sort of extensible mechanism and process for defining,
relating and âtransformingâ attribute data.
â Referenced like axschema.org (URI)
â Support formatting definition and/or âsynonymâ and transformation.
â Probably some sort of hierarchical (shallow) namespace.
â Possibly âbaseâ schema (like Portable Contacts) could be a âdefaultâ namespace with
minimal syntactic requirements
â Operations:
ďŽ âFetchâ and âStoreâ and possibly âverifyâ primitives for RPs
ďŽ Required and option âfetchâ might be composed with authentication
requests as in current AX / SREG.
ďŽ RPC-like model could also be supported directly between RPs and
OPs.
Pseudonym should be handled like an attribute but always
returned