SlideShare a Scribd company logo

IIW-11 Beyond Attribute Exchange

Download as PPT, PDF
J
JayUnger

IIW-11 Session Presentation November 2-4, 2010

Technology
1 of 7
OpenID Attributes beyond AX / SREG Where should attributes come from ? How should they be managed ? Convener: Jay Unger
Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Simplicity v. Completeness Some thoughts on the “tension” between simplicity and function. “Everything should be made as simple as possible, but not simpler.” Albert Einstein “Seek simplicity but distrust it” Alfred North Whitehead “It’s really hard to design products by focus groups. A lot of times, people don’t know what they want until you show it to them” Steve Jobs “There aren't any rules around here. We're trying to accomplish something.” Thomas Edison
Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Simplicity & Good Ideas “Dr. Pauling, how is it you have so many good ideas?” Nova Interviewer “The hard thing is to figure out which ones are the bad ones” Jay Unger “The way to get good ideas is to get lots of ideas, and throw the bad ones away” Linus Pauling Interview 1977
Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Attributes are the only information supplied to Relying Parties credentials Beyond OpenID AX User Relying Party Identity Provider attributes firewall user controlled ● Rule 1: Authentication and attribute exchange are entirely separated:  Authentication information and associated methods are NEVER revealed to Relying Parties.  “Strength” and “Assurance” information about authentication means may be communicated between Identity Providers and Relying parties. ●Rule 2: Attribute exchange is always under control of the user.  A pseudonym is the only attribute always provided to a Relying Party.  Users must always be asked to grant permission to as to whether and what additional attributes are supplied to a Relying Party.
Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Attribute Flow and Management Beyond OpenID AX User Relying Party Identity Provider attributes user controlled Attribute Provider self asserted attributes • All attributes should be digitally signed • By their provider • To insure integrity • To record provenance • Attributes should include: • Assertion (key : value) • Conditions: • Duration ( valid / expires ) • Usage Restrictions • Level / Strength of Assurance • Dependencies • On other Attributes (chaining) • On external information or processes (vetting) (SAML XML already has most of this) •User • Should be able to control what attributes are released to which relying partiers • Should be able to manage what attributes are accepted from Attribute providers. •Attribute Provider • Should be able to revoke or modify attributes that they have provided to any user. • User should be informed Both Users and Relying Parties can also act as Attribute Providers. attributes
Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Attribute Flow and Management Beyond OpenID AX User Relying Party Identity Provider attributes user controlled Attribute Provider self asserted attributes • Relying Party • Ultimately decides what attributes they believe they can trust • Based on: • Identity Provider Trust • Authentication “strength” • Attribute Provider Trust • Attribute details • Their own policies and requirements attributes
Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Beyond OpenID AX ● Attribute Expression ● Syntax: Attributes should use the JSON syntax being proposed for signing and encryption. ● Schema(s)  Need some sort of extensible mechanism and process for defining, relating and “transforming” attribute data. – Referenced like axschema.org (URI) – Support formatting definition and/or “synonym” and transformation. – Probably some sort of hierarchical (shallow) namespace. – Possibly “base” schema (like Portable Contacts) could be a “default” namespace with minimal syntactic requirements ● Operations:  “Fetch” and “Store” and possibly “verify” primitives for RPs  Required and option “fetch” might be composed with authentication requests as in current AX / SREG.  RPC-like model could also be supported directly between RPs and OPs. Pseudonym should be handled like an attribute but always returned

Recommended

De Todo C Orazon
De Todo C OrazonDe Todo C Orazon
De Todo C Orazon
Joaquin PerezAponte
 
IIW-11 NSTIC Update
IIW-11 NSTIC UpdateIIW-11 NSTIC Update
IIW-11 NSTIC Update
JayUnger
 
Online Age Checking - Proof of Concept
Online Age Checking - Proof of ConceptOnline Age Checking - Proof of Concept
Online Age Checking - Proof of Concept
Dr Rachel O'Connell
 
Giedrius Krisčiukaitis. Communication
Giedrius Krisčiukaitis. CommunicationGiedrius Krisčiukaitis. Communication
Giedrius Krisčiukaitis. Communication
Agile Lietuva
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
Blockchain and Hook model of engagement
Blockchain and Hook model of engagement Blockchain and Hook model of engagement
Blockchain and Hook model of engagement
Rajeev Soni
 
Plain talk about security public - ms1
Plain talk about security public - ms1Plain talk about security public - ms1
Plain talk about security public - ms1
Mike Stone
 
EPQ workshop for Bishop Douglass School Dec 2017 1234
EPQ workshop for Bishop Douglass School Dec 2017 1234EPQ workshop for Bishop Douglass School Dec 2017 1234
EPQ workshop for Bishop Douglass School Dec 2017 1234
EISLibrarian
 

Recommended

De Todo C Orazon
De Todo C OrazonDe Todo C Orazon
De Todo C Orazon
Joaquin PerezAponte
 
IIW-11 NSTIC Update
IIW-11 NSTIC UpdateIIW-11 NSTIC Update
IIW-11 NSTIC Update
JayUnger
 
Online Age Checking - Proof of Concept
Online Age Checking - Proof of ConceptOnline Age Checking - Proof of Concept
Online Age Checking - Proof of Concept
Dr Rachel O'Connell
 
Giedrius Krisčiukaitis. Communication
Giedrius Krisčiukaitis. CommunicationGiedrius Krisčiukaitis. Communication
Giedrius Krisčiukaitis. Communication
Agile Lietuva
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
Blockchain and Hook model of engagement
Blockchain and Hook model of engagement Blockchain and Hook model of engagement
Blockchain and Hook model of engagement
Rajeev Soni
 
Plain talk about security public - ms1
Plain talk about security public - ms1Plain talk about security public - ms1
Plain talk about security public - ms1
Mike Stone
 
EPQ workshop for Bishop Douglass School Dec 2017 1234
EPQ workshop for Bishop Douglass School Dec 2017 1234EPQ workshop for Bishop Douglass School Dec 2017 1234
EPQ workshop for Bishop Douglass School Dec 2017 1234
EISLibrarian
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
Identity 3.0 and Oracle
Identity 3.0 and OracleIdentity 3.0 and Oracle
Identity 3.0 and Oracle
Bram van Pelt
 
Identity 3.0 and Oracle at AMIS25
Identity 3.0 and Oracle at AMIS25Identity 3.0 and Oracle at AMIS25
Identity 3.0 and Oracle at AMIS25
Getting value from IoT, Integration and Data Analytics
 
Logic Studio Jan 2018
Logic Studio Jan 2018 Logic Studio Jan 2018
Logic Studio Jan 2018
EISLibrarian
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2
 
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Andrew Hughes
 
DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)
Steve Posick
 
Osint
OsintOsint
Osint
Kamal Rathaur
 
Defcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanDefcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scan
Felipe Prado
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU Investigators
Sloan Carne
 
I AM NOT MY PHONE - Avoiding Identity Relationship Pitfalls
I AM NOT MY PHONE - Avoiding Identity Relationship PitfallsI AM NOT MY PHONE - Avoiding Identity Relationship Pitfalls
I AM NOT MY PHONE - Avoiding Identity Relationship Pitfalls
ForgeRock
 
Global CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy PartnershipGlobal CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy Partnership
EC-Council
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
Architecting for Security Resilience
Architecting for Security ResilienceArchitecting for Security Resilience
Architecting for Security Resilience
Joel Aleburu
 
Critical Thinking for Software Testers
Critical Thinking for Software TestersCritical Thinking for Software Testers
Critical Thinking for Software Testers
TechWell
 
IIW-11 Pseudonyms for Privacy
IIW-11 Pseudonyms for PrivacyIIW-11 Pseudonyms for Privacy
IIW-11 Pseudonyms for Privacy
JayUnger
 
Requirements
RequirementsRequirements
Requirements
Harry Marlin, PMP
 
Trust elevation-abbie-v1
Trust elevation-abbie-v1Trust elevation-abbie-v1
Trust elevation-abbie-v1
Abbie Barbir
 
Identity Proofing to provision accurately
Identity Proofing to provision accuratelyIdentity Proofing to provision accurately
Identity Proofing to provision accurately
David Kelts, CIPT
 
Cyber Security - ASGFOA
Cyber Security - ASGFOACyber Security - ASGFOA
Cyber Security - ASGFOA
Peter Henley
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 

More Related Content

Similar to IIW-11 Beyond Attribute Exchange

JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
Critical Thinking for Software Testers
Critical Thinking for Software TestersCritical Thinking for Software Testers
Critical Thinking for Software Testers
TechWell
 

Similar to IIW-11 Beyond Attribute Exchange (20)

JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
Identity 3.0 and Oracle
Identity 3.0 and OracleIdentity 3.0 and Oracle
Identity 3.0 and Oracle
 
Identity 3.0 and Oracle at AMIS25
Identity 3.0 and Oracle at AMIS25Identity 3.0 and Oracle at AMIS25
Identity 3.0 and Oracle at AMIS25
 
Logic Studio Jan 2018
Logic Studio Jan 2018 Logic Studio Jan 2018
Logic Studio Jan 2018
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity ManagementWSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
 
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
 
DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)DACS - The Internet of Things (IoT)
DACS - The Internet of Things (IoT)
 
Osint
OsintOsint
Osint
 
Defcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanDefcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scan
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU Investigators
 
I AM NOT MY PHONE - Avoiding Identity Relationship Pitfalls
I AM NOT MY PHONE - Avoiding Identity Relationship PitfallsI AM NOT MY PHONE - Avoiding Identity Relationship Pitfalls
I AM NOT MY PHONE - Avoiding Identity Relationship Pitfalls
 
Global CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy PartnershipGlobal CISO Forum 2017: Privacy Partnership
Global CISO Forum 2017: Privacy Partnership
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
 
Architecting for Security Resilience
Architecting for Security ResilienceArchitecting for Security Resilience
Architecting for Security Resilience
 
Critical Thinking for Software Testers
Critical Thinking for Software TestersCritical Thinking for Software Testers
Critical Thinking for Software Testers
 
IIW-11 Pseudonyms for Privacy
IIW-11 Pseudonyms for PrivacyIIW-11 Pseudonyms for Privacy
IIW-11 Pseudonyms for Privacy
 
Requirements
RequirementsRequirements
Requirements
 
Trust elevation-abbie-v1
Trust elevation-abbie-v1Trust elevation-abbie-v1
Trust elevation-abbie-v1
 
Identity Proofing to provision accurately
Identity Proofing to provision accuratelyIdentity Proofing to provision accurately
Identity Proofing to provision accurately
 
Cyber Security - ASGFOA
Cyber Security - ASGFOACyber Security - ASGFOA
Cyber Security - ASGFOA
 

Recently uploaded

Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
Stephen Perrenod
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
Syngulon
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 

Recently uploaded (20)

Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 

IIW-11 Beyond Attribute Exchange

  • 1. OpenID Attributes beyond AX / SREG Where should attributes come from ? How should they be managed ? Convener: Jay Unger
  • 2. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Simplicity v. Completeness Some thoughts on the “tension” between simplicity and function. “Everything should be made as simple as possible, but not simpler.” Albert Einstein “Seek simplicity but distrust it” Alfred North Whitehead “It’s really hard to design products by focus groups. A lot of times, people don’t know what they want until you show it to them” Steve Jobs “There aren't any rules around here. We're trying to accomplish something.” Thomas Edison
  • 3. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Simplicity & Good Ideas “Dr. Pauling, how is it you have so many good ideas?” Nova Interviewer “The hard thing is to figure out which ones are the bad ones” Jay Unger “The way to get good ideas is to get lots of ideas, and throw the bad ones away” Linus Pauling Interview 1977
  • 4. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Attributes are the only information supplied to Relying Parties credentials Beyond OpenID AX User Relying Party Identity Provider attributes firewall user controlled ● Rule 1: Authentication and attribute exchange are entirely separated:  Authentication information and associated methods are NEVER revealed to Relying Parties.  “Strength” and “Assurance” information about authentication means may be communicated between Identity Providers and Relying parties. ●Rule 2: Attribute exchange is always under control of the user.  A pseudonym is the only attribute always provided to a Relying Party.  Users must always be asked to grant permission to as to whether and what additional attributes are supplied to a Relying Party.
  • 5. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Attribute Flow and Management Beyond OpenID AX User Relying Party Identity Provider attributes user controlled Attribute Provider self asserted attributes • All attributes should be digitally signed • By their provider • To insure integrity • To record provenance • Attributes should include: • Assertion (key : value) • Conditions: • Duration ( valid / expires ) • Usage Restrictions • Level / Strength of Assurance • Dependencies • On other Attributes (chaining) • On external information or processes (vetting) (SAML XML already has most of this) •User • Should be able to control what attributes are released to which relying partiers • Should be able to manage what attributes are accepted from Attribute providers. •Attribute Provider • Should be able to revoke or modify attributes that they have provided to any user. • User should be informed Both Users and Relying Parties can also act as Attribute Providers. attributes
  • 6. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Attribute Flow and Management Beyond OpenID AX User Relying Party Identity Provider attributes user controlled Attribute Provider self asserted attributes • Relying Party • Ultimately decides what attributes they believe they can trust • Based on: • Identity Provider Trust • Authentication “strength” • Attribute Provider Trust • Attribute details • Their own policies and requirements attributes
  • 7. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010 Beyond OpenID AX ● Attribute Expression ● Syntax: Attributes should use the JSON syntax being proposed for signing and encryption. ● Schema(s)  Need some sort of extensible mechanism and process for defining, relating and “transforming” attribute data. – Referenced like axschema.org (URI) – Support formatting definition and/or “synonym” and transformation. – Probably some sort of hierarchical (shallow) namespace. – Possibly “base” schema (like Portable Contacts) could be a “default” namespace with minimal syntactic requirements ● Operations:  “Fetch” and “Store” and possibly “verify” primitives for RPs  Required and option “fetch” might be composed with authentication requests as in current AX / SREG.  RPC-like model could also be supported directly between RPs and OPs. Pseudonym should be handled like an attribute but always returned