05/03/2011 Pomcor 1
Meeting the Privacy Goals of NSTIC in the Short Term
Presentation at the 2011 Internet Identity Workshop
Francisco Corella and Karen P. Lewison, Pomcor
Contents
The following slides illustrate protocol steps described in the white paper “Achieving the Privacy Goals of NSTIC in the Short Term”, available at
There are three protocol variations:
Attribute verification
Delegated authorization
Social login
Attribute Verification
Participants: Attribute Provider, Browser, Relying Party.
Step 1. Relying Party to Browser: attribute request + callback URL.
Step 2. Browser to Attribute Provider: attribute request + one-time public key, presenting the user's long-term TLS certificate. The browser retains the callback URL, produces a one-time key pair, and retains the one-time private key.
Step 3. Attribute Provider to Browser: one-time cert binding the attribute to the one-time public key.
Step 4. Attribute Provider asks the user's permission to pass the attribute to the Relying Party.
Step 5. Browser to Relying Party: the browser targets the callback URL and uses the one-time private key in the TLS handshake, with the one-time cert used as the TLS client cert. Result: success.
Delegated Authorization
Participants: Site holding user's account, Browser, Web application.
Step 1. Web application to Browser: access request + one-time public key + callback URL.
Step 2. Browser to Site holding user's account: access request + one-time public key, presenting the user's long-term TLS certificate. The browser retains the callback URL.
Step 3. Site holding user's account to Browser: one-time cert binding the access grant to the one-time public key.
Step 4. Site holding user's account asks the user's permission to grant access to the application.
Step 5. Browser to Web application: one-time cert with access grant, targeting the callback URL.
Step 6. Web application to Site holding user's account: one-time cert with access grant used as TLS client cert.
Social Login
Combines attribute verification and delegated authorization.
Participants: Attribute Provider, Browser, Web application.
Step 1. Web application to Browser: attribute request, access request, app's one-time public key, callback URL.
Step 2. Browser to Attribute Provider: attribute request, browser's one-time public key, access request, app's one-time public key, presenting the user's long-term TLS certificate. The browser retains the callback URL and produces the browser's one-time key pair, retaining the private key.
Step 3. Attribute Provider to Browser: one-time cert binding the attribute to the browser's one-time public key + one-time cert binding the access grant to the app's one-time public key.
Step 4. Attribute Provider asks the user's permission to pass the attribute and grant access to the application.
Step 5. Browser to Web application: the browser targets the callback URL and uses its one-time private key in the TLS handshake, with the one-time cert carrying the attribute used as the TLS client cert; the one-time cert with the access grant is passed along.
Step 6. Web application to Attribute Provider: one-time cert with access grant used as TLS client cert.
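As an added example in Go (not from the slides or the white paper), the one-time certificate mechanism behind Step 3 and Step 5 of Attribute Verification: the attribute provider issues a short-lived client-auth certificate binding an attribute to the browser's one-time public key, and the relying party checks that the certificate presented in the TLS handshake chains to the attribute provider and extracts the attribute; the access-grant certificates of Delegated Authorization and Social Login follow the same pattern with a grant in place of the attribute. The attribute extension OID, the attribute encoding and the certificate lifetime are assumptions, and the attribute provider's CA certificate and signing key are taken as inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// attrOID is a hypothetical private-enterprise OID for the attribute extension (not from the paper).
var attrOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// issueOneTimeCert is Step 3: the attribute provider (CA cert ap, key apKey) binds attr to the
// browser's one-time public key in a short-lived cert valid only for TLS client auth; returns DER.
func issueOneTimeCert(ap *x509.Certificate, apKey ed25519.PrivateKey, oneTimePub ed25519.PublicKey, attr string) ([]byte, error) {
	val, err := asn1.Marshal(attr) // attribute carried as a DER string inside the extension
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: "one-time attribute cert"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(5 * time.Minute),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: val}}}
	return x509.CreateCertificate(rand.Reader, tmpl, ap, oneTimePub, apKey)
}

// verifyOneTimeCert is the relying party's check at Step 5, after the TLS handshake has proved
// possession of the one-time private key: the client cert must chain to ap and carry the attribute.
func verifyOneTimeCert(der []byte, ap *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ap)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(attrOID) {
			var attr string
			_, err := asn1.Unmarshal(ext.Value, &attr)
			return attr, err
		}
	}
	return "", errors.New("attribute extension missing")
}
```

In a real deployment the relying party would take the DER from the peer certificate of the TLS connection on the callback URL, so the chain check and the handshake's proof of possession refer to the same key.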