1
Advances in Digital Identity
Steve Plank, Identity Architect
2
Identity: no consistency. Naming: DNS. Connectivity: IP
3
we have taught users to type usernames & passwords into a web page
4
what is identity?
5
attributes: givenName sn preferredName planky dateOfBirth ! over18 true over21 true over65 false image steve plank
6
self asserted: what claims I make about myself. verifiable: what claims another party makes about me
7
Elvis Presley: only 1 of them is real, probably
8
trust claims make these
9
SECURITY TOKEN steve plank over 18 over 21 under 65 image
10
security token service
give it something (username, password, biometric, signature, certificate, “secret”, or a DIFFERENT SECURITY TOKEN) and it issues a SECURITY TOKEN: Steve Plank, over 18, over 21, under 65, image
11
identity metasystem
12
participants: subject, identity provider, relying party (website)
13
identity metasystem diagram: identity providers and relying parties, each with a security token service speaking SAML, x509 and WS-*; the identity selector sits between them, acting for the subject
14
identity selector
15
human integration consistent experience across contexts
17
cards
self-issued: contains claims about my identity that I assert, not corroborated; stored locally; signed and encrypted to prevent replay attacks
managed: provided by banks, stores, government, clubs, etc; locally stored cards contain metadata only! data stored by identity provider and obtained only when card submitted
Cards contain no actual identity data, only metadata: a list of the claims that a card represents; where to go in order to obtain the claims; a signature identifying the card
The actual data behind a card is dynamically obtained from the IP: from a local store for “self-issued cards”; from the Identity Provider’s Secure Token Service (STS) for “managed cards”
18
login with self issued card
user object tag login relying party (website)
19
select self issued card
Planky user relying party (website)
20
create token from card
Planky card: FN: Steve, LN: Plank, splank, CO: UK; user, relying party (website)
21
sign, encrypt & send token
Planky user relying party (website)
22
login with managed card
user object tag login identity provider relying party (website)
23
select managed card
Woodgrove Bank; user, identity provider, relying party (website)
24
request security token
Woodgrove Bank; user authN to identity provider: X509, kerb, SC, U/pwd …; relying party (website)
25
request security token response
Woodgrove Bank; identity provider signs, encrypts and sends the token to the user for the relying party (website)
26
<body>
  <form id="form1" method="post" action="login.aspx">
    <div>
      <button type="submit">Click here to sign in with your Information Card</button>
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="issuer" value="" />
        <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
      </object>
    </div>
  </form>
</body>
27
relying party (website) pipeline: xmlToken (signed & encrypted) to token decrypter; xmlToken (plaintext) to claims extractor; ppid 456 indexes into the user database (ppid 123 / 456 / 789, first name, last name, phone)
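Added example, not code from the slides: the claims-extractor and database-lookup stage of the relying party above, in Python, for a SAML 1.0 assertion that the token decrypter has already decrypted and signature-checked. It goes slightly beyond the slide by also enforcing the assertion's validity window and audience before the PPID is trusted as a database index; the relying-party URL, timestamps, token and user table are constructed sample data.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree (same API)

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"            # tokenType requested by the object tag
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
RELYING_PARTY = "https://www.example.test/login.aspx"     # assumed RP audience, not from the slides

def parse_ts(s):
    """Parse the UTC timestamps used in SAML Conditions."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample of what the token decrypter hands to the claims extractor
# (decryption and signature verification already done by that earlier stage).
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0"
    AssertionID="uuid-constructed" Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
    IssueInstant="2006-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2006-05-01T12:00:00Z" NotOnOrAfter="2006-05-01T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{RELYING_PARTY}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>456</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Steve</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

USER_DB = {"123": "alice", "456": "planky", "789": "bob"}  # constructed, keyed by PPID as on the slide

def extract_claims(token_xml, audience, now):
    """Check the assertion's Conditions, then return {claim name: value}. Raises ValueError if unusable."""
    root = ET.fromstring(token_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 1.0 assertion")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    if audience not in {a.text for a in cond.iter(f"{{{SAML}}}Audience")}:
        raise ValueError("token was issued for a different relying party")
    return {a.get("AttributeName"): a.findtext(f"{{{SAML}}}AttributeValue")
            for a in root.iter(f"{{{SAML}}}Attribute") if a.get("AttributeNamespace") == CLAIMS_NS}

def login(token_xml, audience, now):
    """Map the PPID claim to a local account; only the PPID is used as the database index."""
    try:
        claims = extract_claims(token_xml, audience, now)
    except ValueError:
        return None
    return USER_DB.get(claims.get("privatepersonalidentifier"))
```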
28
demo
29
roadmap
timeline Q4 2005 to Q3 2006: B1 CTP, B2, RCx, V1 RTM. Built into Windows Vista; available for Windows XP & Windows Server 2003. Betas & CTPs available from: RTM 2nd half 2006. More information & samples at
30
review: identity layer; phishing, phraud; human integration; consistent experience across contexts; ip, rp, user, identity selector
Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt