Presentation is loading. Please wait.

Presentation is loading. Please wait.

Laws for Secure Credentialing

Published byCharlene Rose Modified over 5 years ago

Similar presentations

Presentation on theme: "Laws for Secure Credentialing"— Presentation transcript:

1 Laws for Secure Credentialing
Gilles Lisimaque Steve Howard Dave Auman

2 The Laws of Identity User Control and Consent
Minimal Disclosure for a Constrained Use Justifiable Parties Directed Identity Pluralism of Operators and Technologies Human Integration Consistent Experience Across Contexts Source: “The Laws of Identity”, Kim Cameron, Architect of Identity, Microsoft Corporation

3 How does this apply to smart tokens
The credential should never be used without implicit or explicit user’s consent The credential should reveal only the minimum information required for a given interaction All parties involved should be authenticated Entities interacting with a smart token should be able to prove the capacity in which they are acting There will always be multiple technologies as well as multiple identity issuing authorities involved The rules of the game should be understandable by humans Identity systems should be designed with coherence and appear consistent for all users

4 Definitions (1/2) Subject is a person, system or object with associated attributes Attribute is a quality or characteristic inherent in or ascribed to a subject Claim is an assertion by a subject about the value of an attribute Vetting is the process of inspection and adjudication of claims An Identity is an association between vetted claims and a subject, certified by a trusted authority A Credential is a physical or logical representation of an identity or privilege issued by an authority

5 Definitions (2/2) Identity Authority is a trusted authority able to do the vetting of a subject’s claims Application Authority defines the rules of the application and attribute disclosure required from a subject to be disclosed in order to provide the service which may be delegated to a service provider A Challenge is the demand for disclosure of one or more attributes related to a subject made by a service authority Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. A Privilege is an authorization granted by an application authority for a subject to perform an action

6 Identity & Privilege Relationship
Authority Transfer Trust Establish Trust An ID card asserts the identity of the legitimate cardholder, but may not grant explicit privilege Link at privilege granting Link at enrollment and vetting Identity Assertion Attribute Certification Application Authority Person/Subject Subject Verification Link at use

7 Identity or Privilege credential?
The privilege (or service access) may be linked to An attribute, part of an identity, which may not be linked to a given subject (e.g. whoever uses my EzPass, it will work) The biometrics of a given subject without any other attributes being required ( Registered Traveler) Or a bit of both when a credential is used by another application than the one it was created for In either case, any number identifying the user for this privilege (becomes an attribute) should change with the credential and never be permanent for the user

8 Consequences for Smart ID Tokens
A Smart ID Token should never reveal any user attribute to a client application which has not been authenticated A Smart ID Token should always protect the confidentiality of any user attribute (including token identifiers) A Smart ID Token should restrict disclosure of user’s attributes according to the application authority of the requestor Before taking any action on the behalf of its legitimate user a Smart ID Token should always have the user authenticated A Smart ID Token should keep a log, available to its legitimate user, of all interactions

9 Thanks you for your attention
Gilles Lisimaque Stephen Howard Dave Auman

Download ppt "Laws for Secure Credentialing"

Similar presentations

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
Advances in Digital Identity

Advances in Digital Identity
 Rich Randall Development Lead Microsoft Corporation BB44.

 Rich Randall Development Lead Microsoft Corporation BB44.
AFCEA TechNet Europe Identity and Authentication Management Systems for Access Control Security IDENTITY MANAGEMENT Good Afternoon! Since Yesterday we.

AFCEA TechNet Europe Identity and Authentication Management Systems for Access Control Security IDENTITY MANAGEMENT Good Afternoon! Since Yesterday we.
1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research.

1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, © Ravi Sandhu World-Leading Research.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.

7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.
United States v. Nosal. The Nosal Fact Pattern Korn/Ferry computer Confidential information and trade secrets Authorized access by users logging in with.

United States v. Nosal. The Nosal Fact Pattern Korn/Ferry computer Confidential information and trade secrets Authorized access by users logging in with.
11 steve plank (“planky”) identity architect microsoft uk.

11 steve plank (“planky”) identity architect microsoft uk.
Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft

Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft
Next Steps toward More Trustworthy Interfaces Burt Kaliski, RSA Laboratories 1 st Workshop on Trustworthy Interfaces for Passwords and Personal Information.

Next Steps toward More Trustworthy Interfaces Burt Kaliski, RSA Laboratories 1 st Workshop on Trustworthy Interfaces for Passwords and Personal Information.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
The Laws of Identity and Cardspace Charles Young Solidsoft.

The Laws of Identity and Cardspace Charles Young Solidsoft.
C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Identity October 9, 2008.

C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Identity October 9, 2008.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  

Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.

Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.

Similar presentations

Ads by Google