1

OpenID Foundation Workshop for the GSMA

Agenda 3:00 to 3:10pm CET

Introduction by Workshop Hosts Gautam Hazarii, Helene Vigue – GSMA Dawid Wroblewski – Deutsche Telekom, Chair IDG Bjorn Hjelm -  Vice-Chair OpenID Foundation 

3:10-3:30  Convergence of Traditional & New Identity Paradigms

Gail Hodges - Executive Director, OpenID Foundation

3:30-3:50 OpenID Foundation MODRNA Standard  • Objectives, MNO Use cases • Standard review, Current discussions/ links to GSMA work • How to join

Bjorn Hjelm - Vice-Chair OpenID Foundation   

3:50-4:30 OpenID Connect for Identity Assurance   • Objectives, MNO Use cases • Standard review • Reference implementation: (yes.com) • Global Assured Identity Whitepaper

Mark Haine -- Considrd Consulting & Co-chair eKYC & IDA WG     To join POC: GAINPOC@oidf.org

4:30-4:40pm Break    4:40-5:00 OpenID Connect Grant Management 

• Objective: consent management • Use cases • Standard review

Dima Postnikov – Principal Identity Architect & OIDF Contributor

5:00-5:20 Shared Signals & Events • Objectives, MNO Use cases • Standard review • Reference implementation

Atul Tulshibagwale -- Google & Co-chair Shared Signals and Events WG

5:20-5:40 Open Banking & Open Data and the Financial-Grade API Security Profile • Open Banking/Data Regulation & MNO implications • FAPI as dominant security profile standard • Use cases (UK, Brazil, Australia)

Joseph Heenan – Authlete & OIDF Certification Program & Contributor

5:40-6:00pm Call to Action Questions & Wrap

Helene Vigue, Gautam Hazari, Dawid Wroblewski Bjorn Hjelm, Gail Hodges 

OpenID Foundation Overview Bjorn Hjelm – Vice Chair OpenID Foundation

What is the OpenID Foundation? §  Non-profit open standards body focused on identity infrastructure enables billions of

transactions per day

§  Global adoption includes:

o OpenID Connect – Verify a user and get basic user profile information to a relying party. •  Wide application: web & mobile, enterprise & consumer, on prem & cloud, federated

vs user, basic claims & multiple claims •  Android, Apple, AOL, Deutsche Telekom, Google, GSMA Mobile Connect, KDDI,

Microsoft, NEC, NTT, Orange, Salesforce, Softbank, Symantec, Telefónica, Verizon, Yahoo! Japan

o FAPI – A security profile for APIs to authenticate the sender, receiver, user, message while retaining confidentiality and averting phishing and replay attacks.

•  Open Banking (UK, Australia, Brazil, US/Canada, Russia) •  Applicable across verticals, facilitates global interoperation

What OpenID Standards can do for you

1. MNO as an Identity Service Provider

3. MNOs that want to Share Signals

2. MNO that wants to Verify Attributes

4. MNO as a Relying Party to Third Party Identity

Services

6. MNO Identity Services for Employees, Systems, &

Things

5. MNO that need to Conform to Open Banking

(Data) Regulations

Each MNO will think strategically whether to engage in (1)-(3), and how they can optimize their investments in (4)-(6)

MNO use cases that use OIDF Standards

Convergence of Traditional & New Identity Paradigms Gail Hodges – Executive Director OpenID Foundation

Convergence of Traditional & New Identity Paradigms

Physical Documents

Digital Documents

Today

Government Issued

Data Bureaus KYC/IDA Services

Private Services

Internet / Standards

Digital Platforms

Login Proliferation

Federated Identity

Standards

Assured Identity Standards

Open Banking

Open Finance/ Open Data

Wallets / Crypto Digital Wallets

Bitcoin Blockchain Verifiable

Credentials

Digital Wallets

Financial Services New / Remote Account Opening

Identity Layers Emerging

The <untrusted> Internet

Interoperable + Security Model

OpenID Connect (Billions users, millions apps)

Verifiable Credential + Blockchain Installed Base

(~100m users, 10k apps)

Dominant standard?

Multi-lingual, Interoperable End-game

Why?

What action MNOs may want

to take now…

§  A question of timing, not if multiple identity technologies will coexist. They may be interoperable to some degree, but many ecosystem participants will speak more than one “language.”

§  These services will redefine how users and businesses consume your services, and how you operate those services. Global interoperability is required, but likely to move through national/regional steps first.

§  Some advantage to solutions with mature standards, security models, and installed base of users (e.g. OIDC known to developers, drivers license/mDL understood by users, RPs and policy makers)

§  New technologies with emerging standards (e.g. verifiable credentials linked to blockchain services) may benefit from policy support, digital platform support, links to crypto/ wallets.

§  Participate in standards/ policy WGs to help build identity infrastructure foundations society & economy need §  Test and learn e.g. GAIN POC hosted by OIDF; ISO 18013-5 mDL interop tests, etc.

§  Bring internal teams, executives up the learning curve to inform strategic decisions, resource investments

§  Help educate, inform policymakers on landscape

OpenID Foundation MODRNA Standard Bjorn Hjelm – Vice Chair OpenID Foundation

Purpose §  Support GSMA technical development of Mobile Connect and similar

industry and standards development. §  Enable Mobile Network Operators (MNOs) to become Identity Providers. §  Developing (1) a profile of and (2) an extension to OpenID Connect for use

by MNOs providing identity services.

Participants and Contributors

WG Status §  Approved CIBA Core

specification for Final Publication.

§  Three specifications in Implementer’s Draft status. o  Authentication Profile,

Account Porting, User Questioning API.

§  Preparing MODRNA CIBA Profile specification for Implementer’s Draft.

§  Advancing remaining draft specifications towards Implementer’s Draft. o  Discovery Profile and

Registration Profile. §  Receiving feedback from

deployments in Europe and USA. §  Planning for OpenID Certification

of several profile specifications. More information available at https://openid.net/wg/mobile/status/

MODRNA WGCollaborations and Outreach

1

2

3

Evolution of Mobile Connect architecture, functionality and identity services.

RCS (Rich Communications Services) services and MaaP support for OpenID Connect.

Configuration of device-based services with embedded SIM (ODSA, C-V2X) leveraging OpenID Connect for authentication.

3GPP Mission Critical Services 3GPP (Third Generation Partnership Project) Mission Critical (MC) services support PSA (Public Safety Agencies) and other critical communications.

Identity management is part of MC system security architecture and OpenID Connect MCX Profile defined for user authentication.

Development of SEAL (Service Enabler Architecture Layer) to support vertical applications (such as V2X) services is based on MC architecture.

Identity Management is a common capability supporting mission critical and other vertical applications.

MNO as an Identity Service Provider

MNO Best Fit Live Examples OIDF Standards

MNO services central to user’s digital life q  Trusted brand q  Pervasive use of services through

the MNO (e.g. payment, social media platforms)

q  User sees Identity service as a natural extension

q  Relying parties see MNO as a natural identity service provider

OpenID Connect + MODRNA q  Three party model: MNO, User,

and Relying party, requires secure and federated exchange of identity data

q  MNO specific requirements addressed in MODRNA spec

q  CIBA protocol allows relying parties to exchange data direct with Identity Service provider without browser redirects

q  Certification available

ZenKey q  Verizon, T-Mobile, AT&T joint entity

offering identity services to relying parties

q  Case study in OIDF Workshop

MNO offers user Identity Service (usually $0) and offers identity service to relying parties (usually $).

OpenID Connect for Identity Assurance Mark Haine – Considrd Consulting & Co-chair eKYC & IDA WG

OpenID Connect for Identity Assurance What is the business case?

§ Reduced friction and cost by lowering the number of validation & verification processes an end user needs to perform

§ Fewer credentials for consumers to manage

§ Data minimization for Relying Parties who are able to specify which information they need for their use case

OpenID Connect for Identity AssuranceUse Cases Presenting Digital Identity whenever the level of assurance needs to be clear § Opening an account § Account recovery § Staff onboarding § Accessing restricted services

o Government o Night Club o Alcohol/tobacco o Healthcare o etc.

§ MNO as ID Provider o Number Porting o Access other services

§ MNO as Relying Party

o Buy a SIM o Number Porting o Consumer Login o Account recovery

Open ID Connect

What is “OpenID Connect”?

A Signed Claims Passing Protocol with added verification metadata

Claims: Alice Mirror DOB: Jan 1 1970 Verified by whom Verified How Verified When Evidence Used

What is “OpenID Connect for Identity Assurance”?

OpenID for Identity Assurance flow

1.  Initial consumer interaction with RP 2.  RP asks IDP for specific information 3.  IDP Authenticates consumer 4.  IDP gets authorization to share data 5.  IDP provides data to RP 6.  RP provides service to consumer

Request D

ata

OpenID for IDA Response example { "verified_claims": {

"verification": { "trust_framework": "phonia_tf", "assurance_level": "substantial", "time": "2021-05-11T14:29Z", "txn": "85r3ds3254120132",

"evidence": [ { "type": "document",

"validation_method": { "type": "vri"

}, "time": "2021-04-09T14:12Z", "document_details": {

"type": "driving_permit", "date_of_expiry": "2030-12-31" }

}, { "type": "electronic_record",

"txn": "71662937582385239", "verifier": {

"organization": "Phonia" }, "procedure": "subscription_data", "score": {

"number_type": "Mobile", "blocked": false, "last_sim_swap": "2018-05-11T11:02Z", "risk_score": "low"

} } ] } }, "claims": {

"msisdn": "919825098250", "given_name": "Sarah", "family_name": "Meredyth", "address": {

"postal_code": "EH1 9GP", "country": "UK", "street_address": "122 Burns Crescent"

} } }

Link to policy domain

Transaction

Driving License document details

- verified remotely

Phone subscription information - from electronic records

Verified digital identity claims

OpenID Connect for Identity AssuranceStatus § Implementers draft 3 was recently approved § Heading to ‘final’ next § Interoperability testing event underway § Beta version of Conformance testing tool well underway § 2 production services exist today others are in progress

§ Additional features will be delivered through other drafts and profiles

§  Advanced Syntax for claims §  Selective abort/omit §  OpenID for Authority

§  Profiles for specific assurance standards e.g. o  NIST 800-63-3 o  GPG45

Global Assurance Identity Network (GAIN) Overview Dr. Torsten Lodderstedt – yes.com & Co-Chair GAIN POC

Global Assured Identity Whitepaper (GAIN) A blueprint of the business, legal and technical components needed for digital identities to be internationally interoperable. §  Focused on international interoperability §  Pragmatic not dogmatic §  Technology agnostic §  Based on open standards §  Internet scale

No new standards or standards

organizations were proposed

https://xkcd.com/927/

The GAIN hypothesis for global interoperability

§  Financial crimes cost 5% global GDP

§  Those with resources benefit from anonymity

§  Everyone else is pervasively tracked, or worse, unable to participate in formal economy

The image part with relationship ID rId4 was not found in

Interoperability

GAIN Vision

The <untrusted> Internet

Trusted Networks

Islands of trust exist; GAIN is an interoperable system bridging islands

The crowdsourced paper simply suggests a start– and the means to catalyze the global community to action.

-

Identity Providers (IDPs) §  Connect their own claim sources to

OpenID Connect 4 Identity Assurance API §  Deliver verified user claims with the user’s

consent to RPs §  OIDC for Identity Assurance certification

tests available §  Natural role for banks and other regulated

entities with existing KYC infrastructure Relying Parties (RPs)

§  Use ‘IDP Chooser’ §  Request and receive verified user claims

from the user selected IDP, option to request FIDO/WebAuthN authenticators

§  OIDC for Identity Assurance certification tests available to simplify interoperability

GAIN POC uses OpenID for Identity Assurance

§  OIX: rules and governance required for legal, operational and identity assurance interoperability.

§  OIDF: The new POC Community Group testing technical approaches in an open and collaborative environment.

§  CSC: cloud electronic signature standards

§  GLEIF: legal entities standards

§  IIF: network of financial services leaders

§  Other non-profits: encouraged to join

OIDF

OIX

GAIN Forum

GAIN brings together non-profits to deliver this vision

IIF CSC

Global Interoperability WG

GAIN Community Group POC

GAIN Roadmap

Time Q4 2021 Q1 2022 Q2 2022 Q3 2022 Q4 2022

Alpha POC

OIDF Working Groups

Trust Conference

‘GAIN’ Network Operational establishment >>> Commercial initiation

Participation Agreement

Contribution Agreement

Participation Agreement

Certification & Conformance

Requirements Gathering

Contract Development

Global Interoperability Requirements

Assurance Level Mapping

Trustmark

Principles

Governance

Legal & Regulatory

Scheme Requirements

Roles

OIX Guide to Trust Frameworks §  Trust frameworks are complex

§  We must ‘slice the elephant’

§  Decide which areas are key for interoperability across frameworks

§  The OIX Global Interoperability Working Group will explore the requirements to define a Global Interoperability Framework

Break

OpenID Connect Grant Management Dima Postnikov – Principal Identity Architect & OIDF Contributor

Grant Management A complete security protocol requires a holistic consent management  Modules: §  Specify authorization (including fine grained)

o  Rich Authorization Requests (https://tools.ietf.org/html/draft-ietf-oauth-rar)

§  Management of consents o  Grant Management (https://bitbucket.org/openid/fapi/src/master/

Financial_API_Grant_Management.md)

§  Client awareness for complex approval processes (e.g. every data provider needs to approve) o  Extension to Grant Management

Grant Management

Grant Management – why? Authorisation == Grant (in OAuth terminology) Grant: 

§  the set of permissions confirmed by the owner of services or data for a certain client

§  AS issues access tokens (and refresh token) based on the grant Grant lifecycle managed by the AS only in traditional OAuth Several Open Banking initiatives (e.g. UK, BG, FDX, CDR) require grant management capabilities for clients/data recipients/tpps Use Cases

§  Establish concurrent grants  §  Update existing grants §  Revoke grants

Grant Management – scope

§  Support concurrent, independent grants 

§  Support update of grants

§  Make grant (status) accessible and manageable by clients 

Grant Management

Grant Management – scope

Grant Management - example POST /token HTTP/1.1Host: www.holder.com.auContent-Type: application/x-www-form-urlencodedgrant_type=authorization_code&code=i1WsRn1uB1&code_verifier=iWsBrn1uBR&client_id=s6BhdRkqt3&HTTP/1.1 200 OKContent-Type: application/jsonCache-Control: no-cache, no-store{{

 "access_token": "2YotnFZFEjr1zCsicMWpAA……..", "token_type": "bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA…..", "refresh_token_expires_at": "1311281970", "grant_id":"TSdqirmAxDa0_-DB_1bASQ"

}}# Decoded JWT{  "iss": "https://www.holder.com.au",  "sub": "a9ebbef6-1f0b-44eb-96cf-0c5b51b37ab2",  "aud": "a7AfcPcsl2",  "exp": 1311281970,  "scope": "openid bank:accounts.basic:read",  "authorization_details": [    {      "type": "cdr_sharing_v1",      "sharing_duration": 7776000,      "actions": [        "bank:accounts",        "basic:read"      ],      "sharing_expires_at": 1311281970,      "sharing_status": "ACTIVE"    }  ]}

Grant Management – part of FAPI 2 Framework

Grant Management - status

§  September 2021 – Implementer’s draft 1 has been approved by OIDF 

§  Implementers have started development

§  December 2021 – Implementer’s draft 2 to be published for review and approval 

Shared Signals & Events Atul Tulshibagwale -- Google & Co-chair Shared Signals and Events WG

Shared Signals & Events

§  Secure, privacy protecting framework for webhooks o Shared subject identifiers o Asynchronous publish and subscribe model o Stream management

§  Two current applications:

o Zero-Trust: Continuous Access Evaluation Protocol (CAEP) o Account Security: Risk Incident Sharing and Coordination (RISC)

§  Active participants: Google, Microsoft, AWS, Cisco, SailPoint, Thales and others

Google Cross Account Protection Service ❑  RISC events about Google Sign-In

users ❑  Millions of events per day to hundreds

of thousands of relying parties Microsoft Continuous Access Evaluation ❑  CAEP-like events between Azure AD,

Microsoft Teams and Exchange Online

MNO Best Fit Live Examples OIDF Standards

MNOs with sophisticated fraud teams ❑  MNOs that see the inherent value

in sharing data to fight cybercrime ❑  MNOs with the technical ability to

generate and exchange signals with selected partners

❑  Reduce the cost of ownership for risk data previously only generated and consumed in house (e.g. Sim swap, phone number change)

❑  Strengthening identity services for ecosystem as a whole

Shared Signals & Events

❑  Two party: Entity 1 & Entity 2 that mutually agree to share data, using standards that allows interoperability with other parties technically

❑  Standard is extensible to a wide range of ecosystem participants (e.g. digital platforms, banks, MNOs)

MNO that sees the value in sharing data with trusted 3rd parties to jointly (and collectively) mitigate fraud

Status and Next Steps: Shared Signals and Events

§  Current Status o Open Source library available today from SailPoint enables

encoding and decoding SSE events o SSE and CAEP Implementer’s Drafts approved by OIDF

§  Next Steps

o More companies working on production implementations o Working on improvements to Stream Management aspects of the

SSE Framework o Exploring open source Transmitter and Receiver implementations o RISC spec being revised for Implementer’s Draft review

Open Banking & Open Data and the Financial-Grade API Security Profile Joseph Heenan – Authlete, OIDF Certification Team & Contributor

FAPI: Financial-grade API

FinancialGeneral-Purpose High-Security API Protection Protocol based on OAuth 2.0 family of specifications.

FAPI Working Group Founded in June 2016 §  Originally targeted financial use-cases §  Strong support to generalise the profile so that it can be used in other

markets such as healthcare, telecommunications, utilities, transportation and others – “open data”.

§  Financial-grade API (FAPI) security profile ← Note the insertion. §  FAPI is for everybody that needs to be secure

o  Designed for higher security o  For transactions with higher values at stake or to exchange sensitive

data o  Security properties formally verified against web attacker model

Financial-grade API 1.0 – Part 1: Baseline Security Profile Financial-grade API 1.0 – Part 2: Advanced Security Profile

Why?

§  Based on OAuth 2.0 and OpenID Connect suite of standards, but with less optionality and the requirement to use modern security best practices.

§  Clear point-by-point specifications that implementers can use as a “check list”

§  Exhaustive conformance tests to allow implementers to ensure their software is secure and interoperable

Final Specifications

Financial-grade API: Client Initiated Backchannel Authentication Profile Why? To enable “decoupled” authorization flows. Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) Why? To enable signed responses from the AuthZ endpoint without requiring OpenID Connect.

Implementers Drafts

Financial-grade API 2.0: Baseline Security Profile Financial-grade API 2.0: Attacker Model Why?

FAPI 2.0 has a broader scope than FAPI 1.0. It aims for complete interoperability at the interface between client and authorization server as well as interoperable security mechanisms at the interface between client and resource server. It also has a more clearly defined attacker model to aid formal analysis.

FAPI 2.0

Financial-grade API 2.0: Advanced Security Profile Grant Management for OAuth 2.0 Simple HTTP Message Integrity Protocol Why?

Preventing the wheel from being re-invented by jurisdictions implementing FAPI.

Working Group Drafts

§  RFC8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

§  OAuth JAR - JWT Secured Authorization Request (JAR)

§  OAuth PAR - Pushed Authorization Requests §  OAuth RAR - Rich Authorization Requests §  OAuth DPoP - Demonstrating Proof-of-Possession at

the Application Layer §  OAuth 2.0 Authorization Server Issuer Identifier in

Authorization Response

Relevant IETF Drafts

FAPI Certifications https://openid.net/certification/#FAPI_OPs

FAPI Implementations

§  Data & payment §  9 banks must be FAPI conformant & certified; no RP obligation §  Data only. §  Australia encourages FAPI; 40+ banks participate, 2 FAPI certified; no RP obligation §  Data & payment §  Largest banks certified; remaining banks by October §  FAPI conformance & certification required for banks §  RPs likely to have a certification mandated §  FAPI security profile and CIBA selected by FDX

§  FAPI is in review by 4 markets

Bank & RP Behaviors & Impacts §  Bank behaviors

o  If banks are not required to implement open banking they are unlikely to do so voluntarily

o  If banks are not required to implement FAPI, they rarely certify proactively

o  If banks are required to conform & certify they will do so o  If banks are not required to renew certifications, then

implementations start to break and bank motivation is low to remediate

o  Banks are starting to build their own products as RPs

§  Relying Party behaviors o  Some relying parties take a “Minimum Viable Product” approach,

developing to a single bank and not the spec, then launching production services before security and multi-bank service is in place

o  Some RPs blamed bank implementations for their own RP errors

Impacts

o  User experience o  Security risks human

errors o  People resource

wasted

o  User data & experience risks

o  Security risks from human errors & inexperience

o  People resource wasted o  Brand risks

Key Learnings

§  Open Banking is in its infancy, but it is cascading rapidly around the world

§  The FAPI security profile & certification test suite are robust, and adaptable to local requirements

§  Not all ecosystem participants are motivated to deploy high quality implementations

§  Efforts to avoid/ delay certification requirements pose significant security risks and “false economies” §  Efforts to divert from global specifications will undermine global interoperability in the future

§  Any market that seeks to deploy Open Banking should require FAPI conformance and certification by banks & relying parties

MNO with Open Banking (Data) Regulation Emerging

MNO Best Fit Live Examples OIDF Standards

MNOs with existing or anticipated Open Banking (Data) regulation q  Key industries required to release data

to RP/TPPs when requested by users to avoid screen scraping & enable competition

q  Current laws apply to MNOs in some markets where they offer payment/ bank services

q  Laws in some markets will extend to cover carrier data

q  Australia, Canada and Brazil leading; underway in Russia, Saudi, Bahrain, US, Canada. Local approaches in Germany, Singapore, India.

FAPI q  Secure APIs that authenticate the

sender, receiver, user, message, while retaining user confidentiality and averting phishing/and reply attacks

q  Implementing FAPI as the security profile offers ecosystem participants high confidence (it is a well proven standard)

q  Option of leveraging OIDF certification (mandated by some governments)

UK & Brazil Open Banking Australia Open Data US/Canada FDX v5 q  FAPI standard is widely

recommended (or mandated) by governments & their open banking management partners

q  FAPI enables markets to opt into global interoperability in the future

MNOs in many markets already expect Open Banking regulation to apply to their industry and expand to Open Data including MNOs

MNO Identity services for Employees, Systems, Things

MNO Best Fit Live Examples OIDF Standards

All q  Need to identify employees q  Often legal obligations to identify

supplier q  Work from home/ take your device to

work programs distribute devices q  Staff devices, IoT, fleets of cars-

distributed and networked “things”

Open ID Connect + Profiles q  Depends on use case

Emerging q  Watch this space!

MNOs need to identify employees, enable access to internal systems & buildings, access to things (e.g. devices, IoT), and suppliers

Call to Action

Call to Action • 

§  Joint the OIDF as a Member at openid.net

§  Learn more about working groups, review specifications, & watch presentations at openid.net

§  Join the GAIN POC at GAINPOC@oidf.org