Presentation is loading. Please wait.

Presentation is loading. Please wait.

Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity Mike Jones, Microsoft and Dale Olds, Novell.

Published byKristin Payne Modified over 8 years ago

Similar presentations

Presentation on theme: "Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity Mike Jones, Microsoft and Dale Olds, Novell."— Presentation transcript:

1 Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity Mike Jones, Microsoft and Dale Olds, Novell

2 Who are you? Question central to enabling you to do things you're entitled to do, preventing you from doing things you’re not. True in both physical world, online world.

3 Who are you (online)? Past, present, and future: From directories, to identity silos, to ubiquitous, interoperable, user-centric digital identity.

4 The Bad Old Days Username/password per application But that’s preposterous and inconvenient!

5 The Bad Old Present Username/password per web site But that’s preposterous and inconvenient!

6 Enter Directory Services Identity attributes for users in a central repository Allows multiple applications within a domain to share identities Attributes can be retrieved by applications Examples: LDAP implementations Novell eDirectory Microsoft Active Directory

7 Directory Services Advantages Applications within the domain can use the same identity attributes Allows enterprise single-sign-on within participating applications Some directory interoperation via LDAP, virtual directories, meta-directories And, recently shown at Monday's keynote, federation

8 Directory Services Disadvantages Several incompatible protocols – silos Applications know which directory they use Identities only valid usable a single domain Disjoint and overlapping domains are inevitable as organizations evolve

9 Directory Services, Meta and Virtual Directories Very useful systems which solve some of silo problems of overlapping identity domains Accessed as a central repository of identity data by many other services Services and revisions of services accumulate over time Control of repository schema and updates becomes political The central repository tends to become an immovable political mass

10 Identity Silos In the Web and within the enterprise, disjoint identity domains are common Username/password per site X.509, Kerberos, SAML have not helped Each with its own protocol Each operates only within its own silo

11 Enter Federation Enables use of identities at other sites Advantages Extends login identities to other trust domains Standards-based interoperation Disadvantages Requires establishing explicit trust relationships No user choice of which identity to employ relative to each domain Examples SAML based federation WS-Federation based federation OpenID

12 What is a Digital Identity? Set of claims one subject makes about another Many identities for many uses Required for transactions in real world and online Model on which all modern access technology is based

13 The Laws of Identity Established through Industry Dialog 1. User control and consent 2. Minimal disclosure for a defined use 3. Justifiable parties 4. Directional identity 5. Pluralism of operators and technologies 6. Human integration 7. Consistent experience across contexts Join the discussion at www.identityblog.com

14 Identity Metasystem We need a unifying “Identity Metasystem” Protect applications from identity complexities Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations Not first time we’ve seen this in computing Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet- invented wireless protocols

15 Enter User-Centric Identity Enables people to choose which of their identities to use at which sites Analogously to how they choose which card to pull out of their wallet in different circumstances Used through Information Card metaphor Visual cards represent different identities Benefits People in control of their identity interactions Easy to use – no passwords to remember! Strong crypto – instead of shared secrets Phishing-resistant

16 Identity Roles Relying Parties Require identities Subjects Individuals and other entities about whom claims are made Identity Providers Issue identities

17 Contains self-asserted claims about me Stored locally Effective replacement for username/password Eliminates shared secrets Easier than passwords Provided by banks, stores, government, clubs, etc. Cards contain metadata only! Claims stored at Identity Provider and sent only when card submitted Information Cards SELF - ISSUEDMANAGED

18 CardSpace Experience

19 Information Card Properties Cards are references to identity providers Cards have: Address of identity provider Names of claims Required credential Not claim values Information Card data not visible to applications Stored in files encrypted under system key User interface runs on separate desktop Self-issued information cards Stores name, address, email, telephone, age, gender No high value information Effective replacement for username/password

20 Open Identity Architecture Microsoft worked with industry to develop protocols that enable an identity metasystem: WS-* Web Services Encapsulating protocol and claims transformation: WS-Trust Negotiation: WS-MetadataExchange and WS- SecurityPolicy Technology specifically designed to satisfy requirements of an Identity Metasystem

21 Not just a Microsoft thing… Based entirely on open protocols Identity requires cooperation – and you’re seeing it today! Interoperable software being built by Novell, IBM, Sun, Ping, BMC, VeriSign, … For UNIX/Linux, MacOS, mobile devices, … With browser support under way for Firefox, Safari, … Unprecedented things happening Microsoft part of JavaOne opening keynote Microsoft sponsoring BrainShare

22 LINUX Journal Sep ’05 Cover By Doc Searls Linux Journal Editor Author of the “cluetrain manifesto” Introducing “The Identity Metasystem”

23 WIRED Magazine - Mar ’06 By Lawrence Lessig Influential Internet & Public Policy Lawyer Special Master in antitrust case against Microsoft Quotation:

24 Microsoft Open Specification Promise (OSP) Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed Includes all the protocols underlying CardSpace Issued September 2006 http://www.microsoft.com/interop/osp/

25 For More Information http://cardspace.netfx3.com/ http://www.bandit-project.org/ Mike Jones – Mike Jones – mbj@microsoft.com Dale Olds – Dale Olds – dolds@novell.com

26 (Backup Slides)

27 Protocol Drill Down Identity Provider (IP) Relying Party (RP) Client Client wants to access a resource RP provides identity requirements 1 2 User 3 Which IPs can satisfy requirements? User selects an IP 4 5 Request security token 6 Return security token based on RP’s requirements 7 User approves release of token 8 Token released to RP

Download ppt "Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity Mike Jones, Microsoft and Dale Olds, Novell."

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Seven Perspectives on CardSpace Ronny Bjones Security Strategist Microsoft Corporation.

Seven Perspectives on CardSpace Ronny Bjones Security Strategist Microsoft Corporation.
Advances in Digital Identity

Advances in Digital Identity
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.

InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft

Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft
Next Steps toward More Trustworthy Interfaces Burt Kaliski, RSA Laboratories 1 st Workshop on Trustworthy Interfaces for Passwords and Personal Information.

Next Steps toward More Trustworthy Interfaces Burt Kaliski, RSA Laboratories 1 st Workshop on Trustworthy Interfaces for Passwords and Personal Information.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Higgins 1: A species of Tasmanian long-tailed mouse 2: An open source identity framework being developed at the Eclipse Foundation.

Higgins 1: A species of Tasmanian long-tailed mouse 2: An open source identity framework being developed at the Eclipse Foundation.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
© 2009 by Mary Ruddy, Manfred Duchrow, Frank Gerhardt, Jochen Hiller, Gunnar Wagenknecht; made available under the EPL v1.0 | 2009-03-24 Identity Management.

© 2009 by Mary Ruddy, Manfred Duchrow, Frank Gerhardt, Jochen Hiller, Gunnar Wagenknecht; made available under the EPL v1.0 | Identity Management.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
1 Higgins 1: a species of Tasmanian long-tailed mouse 2: the name of an open source collaboration of IBM, Novell, Oracle, Parity…

1 Higgins 1: a species of Tasmanian long-tailed mouse 2: the name of an open source collaboration of IBM, Novell, Oracle, Parity…
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Similar presentations

Ads by Google