OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
6 likes•1,242 views
The document discusses the evolution and future of OpenID and identity management, highlighting significant technological advancements and frameworks such as OAuth and OpenID Connect. It examines early design decisions in these systems, including the shift towards JSON and REST, and addresses the importance of ethical consent management. The document also reflects on current implementations in various industries, including enterprise access control and customer relationship management.
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
- 1. Nomura Research Institute OpenID in the digital ID landscape: a perspective from the past to the future Nat Sakimura (@_nat_en) Research Fellow, Nomura Research Institute Chairman of the board, OpenID Foundation www.kuppingercole.com _nat_en https://nat.Sakimura.org/youtube.php https://www.linkedin.com/in/natsakimura https://nat.sakimura.org Nomura Research Institute
- 4. Nomura Research Institute Open, Sesame! (Source)Albert Robida (1848-1926) - public domain An example of long-term weak shared key
- 5. Nomura Research Institute Rome 5 (Source)Roman soldiers on the cast ofTrajan's Column in theVictoria and Albert museum, London.– public domain Shared weak symmetric key, rotated daily with ACK based key delivery protocol
- 6. Nomura Research Institute MIT’s CTSS system (1961) used LOGIN & PASSWORD – An example of individual password 6 (Source) http://en.wikipedia.org/wiki/IBM_7090#mediaviewer/File:IBM_7094_console2.agr.JPG
- 7. Nomura Research Institute Per System identity 7 Service 1 Service 2 Service N
- 9. Nomura Research Institute 9 IDENTITY Nomura Research Institute
- 10. Nomura Research Institute 10 Real Name Professional qualification department Geo-location Employee number Entity Identity
- 11. Nomura Research Institute 11 Real Name Professional qualification department Geo-location Employee number Entity Authenticated IdentityAuthentication Server Provides claims username password Geo-location Device info Etc. Identity Register Verification (authenticatio n)
- 12. Nomura Research Institute 12 (source)Created by the author based on ISO/IEC 24760-1 Identity management framework: Part1 Unknown※ Established Active Archived Suspended suspend reactivate maintain delete archive activate adjust register Re-establish delete Identity Management
- 13. Nomura Research Institute 13 Real Name Professional qualification department Geo-location Employee number Entity Authenticated IdentityAuthentication Server Provides claims username password Geo-location Device info Etc. Identity Register Verification (AuthN)
- 14. Nomura Research Institute Per System identity 14 Service 1 IR Service 2 Service N IR IR
- 15. Nomura Research Institute Shared identity 15 Service 1 Service 2 Service N IR IR
- 17. Nomura Research Institute Shared identity 17 Service 1 Service 2 Service N IR IR password
- 18. Nomura Research Institute Federated identity 18 Service 1 Service 2 Service N IdP IR Get Token ID Token ID Token
- 19. Nomura Research Institute 19 OpenID Authentication 2.0 (key=value) 2002 2005 20142012 SAML 2.0 (XML, XML SIG, SOAP) SAML 1.0 2007 OAuth 1.0 (Key=value)
- 27. Nomura Research Institute 27 Nat Sakimura (NRI) John Bradley (Mercenary working for NRI) Breno de Madeiros (Google)
- 28. Nomura Research Institute Early design decisions: 1. No canonicalization 2. ASCII Armoring 3. JSON 4. REST 28 JSON Simple Signature (JSS) & Encryption (JSE)
- 29. Nomura Research Institute Then, there was a parallel work Magic Signature & JSON Token 29 John Panzer Dirk Balfanz
- 30. Nomura Research Institute And there came Mike Jones “You guys should come together and standardize it at IETF. Don’t worry. I can take care of the editing!” 30 JSON Simple Signature (JSS) & Encryption (JSE) Magic Signature & JSON Tokens JWx
- 31. Nomura Research Institute JWx JWS: JSON Web Signature JWE: JSON Web Encryption JWT: JSON Web Token etc. 31
- 32. Nomura Research Institute Early design decisions: 1. No canonicalization 2. ASCII Armoring 3. JSON 4. REST 5. JWx 32 Dick Hardt Allen Tom
- 33. Nomura Research Institute Early design decisions: 1. No canonicalization 2. ASCII Armoring 3. JSON 4. REST 5. JWx 6. Base on OAuth WRAP 33 2.0
- 34. Nomura Research Institute 34 OAuth 2.0 OpenID Authentication 2.0 (key=value) 2002 2005 2012 SAML 2.0 (XML, XML SIG, SOAP) SAML 1.0 2007 2014 OpenID Connect (JSON, JWS, REST) OAuth 1.0 Dave Recordon
- 35. Nomura Research Institute 35 Nomura Research Institute HTTPS OAuth 2.0 JWS/JWE/JWKS ID Token
- 36. Nomura Research Institute Over 90% of Azure AD App Authentication are Over OpenID Connect as of April 2018 36 Alex Simmons at EIC 2018
- 37. Nomura Research Institute 37 OpenID Financial-grade API (FAPI) Security Profile https://www.openbanking.org.uk/provider-categories/account-providers/ ABN AMRO Bank NV AIB Group (UK) plc Bank of Cyprus UK Ltd Bank of Ireland (UK) Plc Bank of Scotland plc Barclays Bank Plc Clydesdale Bank PLC HSBC UK Bank Plc ICBC (London) plc Lloyds Bank PLC etc…
- 38. Nomura Research Institute That is perfectly fit for not only Enterprise access control Real Name Professional qualification department Geo- location Employee number Entity Authenticated IdentityAuthentication Server Provides Claims username password Geo-location Device info Etc. Identity Register AuthN Log Audit Anomaly Detection Resource PolicyPAP PDP PEP metadata PEP2 Admin ID Token
- 40. Nomura Research Institute Customer Relationship Management (CRM) 40 Including Customer on-boarding … and
- 41. Nomura Research Institute Social & Bank Identities 41 BYOID
- 42. Nomura Research Institute Host your own IdP on-premise / cloud 42
- 43. Nomura Research Institute It can be on your local machine 43
- 44. Nomura Research Institute Self-issued OP – Never taken away 44 HOSTED ON YOUR LOCAL MACHINE. NO NEED FOR IDP DISCOVERY BECAUSE IT IS LOCAL. USER IDENTIFIER IS THE HASH OF THE PUBLIC KEY GENERATED BY THE SOFTWARE.
- 45. Nomura Research Institute 3 Claims Models Simple AggregatedDistributed 45
- 46. Nomura Research Institute Simple Claims 46 ID Token IdP Client
- 47. Nomura Research Institute Aggregated claims 47 Signed Claims (Token) Signed Claims (Token) ID Token IdP Claims Provider Claims Provider Client Claims are Verifiable
- 48. Nomura Research Institute Distributed Claims 48 Signed Claims (Token) ID Token including pinters ClientClaims are Verifiable
- 49. Nomura Research Institute An example of on- going activities on the claims-set 49 Minimum Viable eKYC Framework (eID/KYC Expert Group @ EC)
- 50. Nomura Research Institute CIBA: Client Initiated Backchannel Authentication -- O2O: Online Authentication for Offline Transaction Use-case 1: Customer authentication @ Call centers 50
- 51. Nomura Research Institute 51Trusted Personal Data Management Service (TPDMS) - Consent Management Worked on by Japanese government. Ethical Assistance to combat “Over consenting” Note: Cambridge Analytica incident happened because of “over consent” Public comment period for the certification scheme started Nov. 22. Expected to find the first certified service by the end of March. ISO/IEC 29100, 29134, 29184, 27552 Kantara Initiative Consent Receipt
- 52. Nomura Research Institute Projected Landscape 52 Signed Claims (Token) Signed Claims (Token) ID Token Access Token IdP Claims Provider Claims Provider Client Keys Keys eKYC Continuous AuthN + Risk Info FAPI+CIBA Consent Management (Ethical Assistance)
- 54. Nomura Research Institute OpenID in the digital ID landscape: a perspective from the past to the future Nat Sakimura (@_nat_en) Research Fellow, Nomura Research Institute Chairman of the board, OpenID Foundation www.kuppingercole.com _nat_en https://nat.Sakimura.org/youtube.php https://www.linkedin.com/in/natsakimura https://nat.sakimura.org