Toward an Identity Metasystem

Robert Richardson, Director, Computer Security Institute (CSI), 4/28/2008 | Session G2

Description

Many Web users are resigned to the fact that their identities are perpetually at risk, because authentication mechanisms are either too weak or too difficult to manage. Yet some efforts (OpenID and Windows CardSpace) aim to create an identity metasystem that is strong, flexible, trivial to use and can work across any site on the Internet. Learn how these systems work and discuss what else needs to happen before truly secure online identity and access management can become a reality.

Transcript of Toward an Identity Metasystem

Page 1: Toward an Identity Metasystem

Toward an Identity Metasystem

Robert Richardson, Director, Computer Security Institute (CSI)

4/28/2008 | Session G2


Page 2: Toward an Identity Metasystem

Lots of Activity


Page 3: Toward an Identity Metasystem

Answer the questions:

• What’s all this mayhem that’s going on in the “Identity 2.0” space?

• Which pieces matter?

• How can we talk about the pieces in ways that encourage fruitful discussion about best practices for user-centric identity management?

Page 4: Toward an Identity Metasystem

Lots of Activity

• LID
• Yadis
• X.509
• Kerberos
• OASIS
• SAML
• SOAP
• CardSpace
• Active Directory
• WS-*
• Liberty Alliance
• CAp
• OpenID
• STS

(Diagram groupings on this slide: Forwards, Redesigned Apps, Known Users, Trusted Credentialing)

Page 5: Toward an Identity Metasystem

Back to Our Agenda:

• Blatantly ignore stuff like LDAP & Active Directory

• Take a look at specifics of OpenID and use it as a sort of reference framework

• Compare it to Microsoft’s CardSpace

• Explain why some solutions may be better than others

An OpenID Approach

• I won’t authenticate you—someone else will

• My ticket to your authentication process is a URL

• You provide the URL and I talk to the Identity Provider, who serves that URL

Page 6: Toward an Identity Metasystem

Three Key Components

• Identity Provider (IP)
• Relying Party (RP)
• User or Subject

OpenID (sequence diagram between User, RP and IP; step 1: URL)

Page 7: Toward an Identity Metasystem

OpenID (sequence diagram between User, RP and IP)

1. URL (“Lemme In”): the User presents a URL to the RP. Note that the context was such that the URL was understood as an identifier; there was no negotiation over what ID was being used.

2. Get Proof: the RP contacts the IP. This is an HTTP POST packet, and one of 4 OpenID message types.

Page 8: Toward an Identity Metasystem

OpenID (sequence diagram, continued)

3. Authenticate: a redirect, leading the User’s browser to the IP for authentication.

4. Deliver token.

Page 9: Toward an Identity Metasystem

OpenID (sequence diagram, continued)

5. Verify credential: the RP checks the token delivered in step 4.

ID 2.0 Components (diagram labels: IP Trust Admin, ID Admin, Selector, AuthToken, RP Access Negotiation)

Page 10: Toward an Identity Metasystem


Enter Microsoft / Cardspace

Page 11: Toward an Identity Metasystem

ID 2.0 Components (diagram annotated with Bandit and WS-MetadataExchange; labels: IP Trust Admin, ID Admin, Selector, RP Access Negotiation, AuthToken)

Page 12: Toward an Identity Metasystem

ID 2.0 Components (diagram labels: IP Trust Admin, ID Admin, Selector, AuthToken, User, RP Access Negotiation)

WS-Security Token Profiles

• Username
• SAML
• X.509
• Kerberos
• Rights Expression Language

Page 13: Toward an Identity Metasystem

SAML Token

• Assertion
  – Authentication Statement
  – Attribute Statement

Some Issues

• OpenID is gaining traction because it’s simple and simple to understand and try, but it has some potential flaws from a privacy and security point of view.

Page 14: Toward an Identity Metasystem

Some Issues

• Privacy: OpenID lacks non-auditing mode.

• OpenID’s lack of card metaphor muddies the issue of different claims. Selector concept, though, provides a great metaphorical structure and inherent phishing protection.

Page 15: Toward an Identity Metasystem

Some Issues

• The safe desktop is a powerful idea but, short of a TPM, may create false sense of security

• Maintaining data for IDs has some inherent problems that may be difficult in real-world, scaled out scenarios.

Page 16: Toward an Identity Metasystem

Some Issues

• Picking IPs at will sounds great, but in reality, organizations will want to make wholesale federation decisions.

• Systems that invoke an OS-provided “safe desktop” mode are a significant security advantage. Browser-plugin selectors are a great shortcut in the current world, but don’t necessarily make real security gains.

Page 17: Toward an Identity Metasystem

Thanks!

Robert Richardson. Contact me at: [email protected]

Book Resources

• Digital Identity, Phillip J. Windley, O’Reilly, ISBN 0-596-00878-3

• Get Ready for OpenID, Rafeeq Ur Rehman, ISBN 978-0-9724031-2-2

• Beginning Information Cards and CardSpace, Marc Mercuri, Apress, ISBN 1-59059-807-5

• Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities (Independent Technology Guides), Vittorio Bertocci, Garrett Serack, and Caleb Baker, ISBN 0321496841