Presentation is loading. Please wait.

Presentation is loading. Please wait.

Design Choices Underlying the Identity Metasystem Proposal Kim Cameron and Mike Jones Microsoft.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Design Choices Underlying the Identity Metasystem Proposal Kim Cameron and Mike Jones Microsoft."— Presentation transcript:

1 Design Choices Underlying the Identity Metasystem Proposal Kim Cameron and Mike Jones Microsoft

2 The Goal A ubiquitous, user-centric identity solution for the Internet that moves identity beyond incompatible identity technology silos and results in a safer, more trustworthy Internet.

3 What is a digital identity? A set of claims someone makes about me Many identities for many uses Required for transactions in real world and online Useful to distinguish from profiles

4 Metasystem Players Relying Parties Require identities Subjects Individuals and other entities about whom claims are made Identity Providers Issue identities

5 Demo: User Experience

6 Preconditions to Ubiquity –Secure design and implementation Resist accelerating attacks such as phishing and pharming –Integrate existing technologies and incorporate emerging ones –Accommodate breadth of use cases, including those with contradictory requirements, for example: When browsing web, don’t disclose sites visited to identity providers In some governmental and financial settings, audit record of sites visited using an identity may be required –Incremental and parallel deployment Must co-exist with and complement existing solutions No “forklift upgrades” required

7 What is Success? –Metrics Ubiquity Security-enhancing design and implementations Single, simple user experience across systems Simplicity of the programming model –How to achieve success? Broad collaborations Encapsulation and transformation Applying technology standards Ensuring that all participants benefit

8 Need Four Kinds of Risk Analysis Business analysis –What will get identity providers,relying parties, and end users to buy in? Security threat analysis –What kinds of attacks can be staged and how can they be mitigated? Privacy threat analysis –How can privacy be compromised through identity and how can we make sure that doesn’t happen? Performance analysis –Make sure it works at scale for both identity providers and relying parties

9 “Identity 1.0” (old) Enterprise-Centric Model Identity Provider intermediates between user and Relying Party IP offers a service that can be consumed directly by RP IP has panoptical view of RPs serving a user Back channels in use Identity of RP exposed to IP when releasing attributes RP dependent on IP for access to user

10 “Identity 2.0” (new) User-Centric Model User intermediates between identity provider and relying party User decides when to release identity information to RP No requirement that IP knows anything about RPs serving a user (including their network addresses) No reliance on back channels Relying Party is NOT dependent on identity provider for access to user

11 Incremental Addition of InfoCard User Web Farm HTTP Server HTTP Server HTTP Server HTTP Server Forms Based Login InfoCard Login Authentication Cookie Authentication Cookie

12 Specific Design Choices

13 Protocol ≠ Payload Switch payloads without changing protocols Single protocol set allowing: –Specification of requirements –Negotiation of capabilities –Transformation of payload –Transmission of payload Protocol stays stable as payload evolves Design decision: Do not tie solution to protocol designed around a single payload type

14 Identity Selector ≠ Identity Provider Identity Selector independent of any specific Identity Provider (technology or operator) Plug in multiple providers and technologies to make open architecture that can embrace both existing systems and those yet to be invented Allow Identity Provider to live anywhere – e.g. “in the cloud”, at ISP, on a device (dongle, media player, or cell phone), on a PC, … Design decision: Identity Selector does not run in same process as IP. Local IP just one IP amongst many

15 Identity Selector ≠ Metadata Store User interface separate from InfoCard metadata pointing to Identity Providers UI wherever you want it: on telephone or media player or PC using same metadata store Metadata stored wherever you want: on PC or telephone or IPod or dongle or in the cloud (including physical tokens supporting roaming) Design decision: Metadata store does not run in identity selector process

16 Auditing ≠ Non-auditing IPs Auditing IPs know which RPs you have visited Non-auditing IPs do not know which RPs you have visited Need to support both requirements Design Decision: Support ability to either reveal or provide a one-way function of the identity of the RP to IP

17 Guarantee Separation of Contexts Unidirectional identifiers: –Identifiers given to one RP ≠ identifiers given to another –Automatically generate pairwise identifiers –No URL or GUID to serve as a correlation handle Set of claims released varies on a per RP basis

18 Facilitate “Data Rejection” Currently sites retain a dossier of information about you: “Customer Record” With metasystem, users supply sites information about them at every sign-on Result: Sites can throw away information about you between interactions –Since you’ll give it to them when they need it

19 Claims ≠ “Trust” Factor out the trust decisions –Avoid building them into the protocol and payload as is the case with X.509 PKIX, for example –Verify cryptography but leave trust analysis for a higher layer that runs on top of the identity metasystem

20 Human Token ≠ Computational Token Identity Selector must be able to display claims so user can control them It must be easy to introduce new payloads and display them without introducing new attack vectors (new code!) on the Identity Selector Allow complex claims Design decision: Cryptographically bind display token and computation claims to allow audit of IP by user or RP auditor

21 Authentication Goes Both Ways Identity systems typically used to prove identity of user to the Relying Party Phraud possible because identity of the Relying Parties not proven to users Design Decision: Prove identity of sites to users before users ever interact with sites

22 Protection of Human Communication Based on narrowband state engine –Suppression of complexity (noise) Familiar, predictable interactions An InfoCard is an InfoCard in spite of underlying technology or operator –Use familiarity to protect against social engineering You recognize your own wallet Isolation from Pharmland –Separate desktop to prevent interprocess snooping Localization of secrets –Visual representations, keys, ledger

23 Decisions, Decisions! Decisions intended to result in: –Widely accepted –Broadly applicable –Inclusive –Compensable –Privacy enhancing –Security enhancing –Identity Solution Let’s talk about it!

24 Demo: The Real Thing!

Download ppt "Design Choices Underlying the Identity Metasystem Proposal Kim Cameron and Mike Jones Microsoft."

Similar presentations

Seven Perspectives on CardSpace Ronny Bjones Security Strategist Microsoft Corporation.

Seven Perspectives on CardSpace Ronny Bjones Security Strategist Microsoft Corporation.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.

InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL 6788 11.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft

Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
2 An Overview of Telecommunications and Networks Telecommunications: the _________ transmission of signals for communications (home net) (home net)

2 An Overview of Telecommunications and Networks Telecommunications: the _________ transmission of signals for communications (home net) (home net)
Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.

Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Technical Architectures

Technical Architectures
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
The Laws of Identity and Cardspace Charles Young Solidsoft.

The Laws of Identity and Cardspace Charles Young Solidsoft.
CS 268: Future Internet Architectures Ion Stoica May 1, 2006.

CS 268: Future Internet Architectures Ion Stoica May 1, 2006.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Similar presentations

Ads by Google