Identity Management Hannes Tschofenig

Motivation
OAuth was created to allow secure and privacy-friendly sharing of data.
OAuth is not an authentication protocol.
– Works with any user authentication protocol (e.g., OATH, FIDO, W3C CryptoAPI, etc.)
– Federated login is possible with OpenID Connect
OAuth is widely used on the Internet.
– Examples: Salesforce, Google, MSFT Azure, Deutsche Telekom, GSMA Mobile Connect (Orange, Telecom Italia)

Identity: Any subset of an individual's attributes, including names, that identifies the individual within a given context. Individuals usually have multiple identities for use in different contexts. (RFC 6973)

Players (figure, courtesy of Justin Richer; figure label: Token)

Players: “Payment Terminology” (figure, courtesy of Justin Richer; figure labels: Merchant, Customer, Payment Infrastructure, Token)

Layering Payment on Top of Identity Infrastructure?

Insights we gained
It works and is deployed.
– Even the practice of password sharing has decreased significantly.
High interest in being the identity provider, but not necessarily the relying party.
Incentivizing the issuance of strong credentials (i.e., stronger than passwords) is difficult.
A design for a distributed mechanism can still lead to silos.
Some companies use standardized OAuth/OpenID Connect but add extensions that make their solution non-interoperable.
– Lack of understanding? Mistake? Intention?

Insights we gained, cont.
The relationship between relying party and identity provider is more than just technology.
– Influenced by business agreements and legal frameworks → OIX
Security guidance we provide in our specifications (e.g., RFC 6819) is sometimes “kindly ignored”.
Privacy:
– Consent mechanisms lead to better privacy.
– Relying parties still ask for too much, but this is a deployment choice rather than something a standard can dictate.
– The choice offered is often limited → “take it or leave it”

More Info?
OpenID Connect might be a good platform for a payment protocol.
Look at the IETF OAuth working group for the core specifications.
OAuth Tutorial:
– Slides
– Recording (may require downloading a Cisco WebEx ARF player)