Post on 11-Jan-2016
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
User-centric Identity
Hank Mauldin
CE Meeting - February 26, 2008
Cisco Systems
Diagram by Francis Shanahan
• This discussion represents the work done to date for a white paper on User-Centric Identity.
• Proposed a 1-year research project; 3 months into the study
  Explore a different area and new technologies in identity
  No preconceived ideas or theories
  Are there real solutions here?
  Discover the advantages and disadvantages
  Ultimately, what is the impact on Cisco?
  Can Cisco leverage these technologies?
• Discussing promising technologies/protocols
  EDCS-647257 - first draft available
Agenda
• Introduction
• Historical Perspective on Identity
  Centralized Approach
  Distributed Approach with Federation
  User-centric Approach
• Technologies
  XRI
  OpenID
  OAuth
  EV SSL Certificates
  Information Cards
• Do these technologies address users’ problems?
• Impact on Cisco
[Diagram: “YOU” at the centre of core communities of interest]
• Online shopping: eCommerce (e.g. Amazon, eBay)
• Social Networks: social networking (e.g. LinkedIn), professional networks, dating networks, book club, family
• Personal Finance
• Virtual Spaces: Second Life, Croquet, WOW, SharePoint
Users have ‘zillions’ of digital identities… (accounts named in the diagram: YouTube, OpenSocial, MySpace, Facebook, LinkedIn, eBay, Amazon, newegg, Audible, Second Life, Croquet, WOW, SourceForge, flickr, del.icio.us, AOL, Wikipedia, Yahoo, MSN, brokerage, bank account, car loan, PayPal, mortgage / rent, 401k, VISA)
Common Issues for Users
• Credential Management
  Too many login ids and password combinations to remember or, worse, they are all the same
  Using the lowest-strength credentials (passwords) for high-value transactions
• Ease of Use
  Remembering which credentials to use with a site
  Filling in the same information on registration forms at different sites
• User concern over personal information
  Concern about the information collected by sites and what happens to the data after collection
  Protection from impersonation and identity theft
• Phishing
  How does a user really know they are at the site they think they are?
• Issues over the vetting process of a user’s identity
  User proves identity by ownership of an email address
Terms
[Diagram: Identity Provider, Relying Party, User (Principal); examples named: MyOpenID, Verisign, AOL, eBay, Amazon, Facebook, Flickr]
• User: an actor requesting access to the network or an application within the network.
• Service Provider (SP): from a principal’s perspective, a service provider is providing services and/or goods, typically through a website.
• Identity Provider (IdP): a special service provider that manages identity information on behalf of principals and provides assertions of the principal’s authentication to other providers.
• Relying Party (RP): a special service provider that receives a request message and relies on the assertions associated with it to determine whether to provide the requested service.
Relationship between entities
Trust is the foundation of any security model. Trust is the expression between entities that one entity will believe statements (claims) made by another entity; it is based on evidence – history, experience, contracts, etc. – and risk tolerance.
[Diagram: Identity Provider, Relying Party, User (Principal); arrows labelled “Authenticates” (IdP and User), “Trusts” (RP and IdP) and “Uses services” (User and RP)]
Basic Use Case
[Diagram: Identity Provider, Relying Party, User (Principal), steps 1–4]
1. User tries to access a protected resource
2. User needs to be authenticated; the browser is redirected to the Identity Provider
3. User is authenticated by the Identity Provider
4. Authentication assertion is sent to the Relying Party
Concept of user-centric identity
• User in the middle of the transaction
• User has a consistent user experience
• User is in control of their personal attributes
[Diagram: User (Principal) between Identity Provider and Relying Party]
Historical Perspective
Diagram by Francis Shanahan
Timeline
[Diagram: timeline 2000–2007 of identity approaches]
• Centralized Approach: Microsoft .NET Passport, later Windows Live ID
• Distributed Approaches with Federation: Liberty “Phase 1”, Liberty ID-FF 1.1, Liberty ID-FF 1.2; SAML 1.0, SAML 1.1, SAML 2.0; Shibboleth 1.0/1.1, 1.2, 1.3; WS-* Specifications (WS-Federation)
• User-centric Approaches
  URL-based: LID, sxip, OpenID 1.0, OpenID 2.0
  XRI-based: XRI i-names
  Information Cards: CardSpace, Higgins
User-centric approaches
• URL-based: LID, sxip, OpenID
• XRI-based: i-names
• Information Cards: CardSpace, Higgins, Bandit project
OpenID 2.0
• Open, decentralized, free framework
• Can transform an existing URI from one’s blog, profile page, etc. into an identifier
• IdP discovery is built into the URI
• Authentication scheme provides a way to prove that a principal owns an Identity URL without passing around their password or email address.
• Light-weight default trust model
• Ease of integration into scripted web platforms
i-names (XRI)
• i-names are called unified digital addresses; human readable (i-numbers are machine readable)
• Provides an address one can keep for life
[Diagram: permission-based resolution behind a privacy barrier, resolving an i-name to email addresses, postal addresses, current location, fax numbers, phone numbers, or any attribute referenced by a URI or encoded in XML]
An i-name is a new “superaddress” that gives its owner complete control over its use
Information Cards
• CardSpace
  Central feature is the identity selector, which lets one pick a credential, visually represented as a card, to send to an RP
  Token-based system
  Two types of cards supported:
    Personal cards - self-issued
    Managed cards - provided by identity providers
  Separation of authentication and storage of personal information
  Microsoft has released all their associated IP
• Higgins
  Provides a software infrastructure to support all the popular digital identity protocols
  Extends the types of cards: r-cards, z-cards and s-cards
  Selectors available for Windows, Linux and Mac OS X
• Bandit
  Currently providing a CardSpace-compatible card selector for Linux and Mac OS X based on the Higgins card selector
Summary of Identity Spaces
Credit for this Venn diagram goes to Paul Madsen and Johannes Ernst
OSIS (Open Source Identity System)
[Venn diagram “Identity in 2007”: three overlapping circles, URL-based (grassroots, open source, blogging), SAML-based (Liberty Alliance companies) and WS-*-based (Microsoft Vista); labels: identifier-based paradigm, card-based paradigm, invisible to the user; the overlap is the OSIS Agreement, a “historic development” (ZDNet). Participants: Microsoft, IBM, Verisign, Red Hat, Novell, Cordance, Higgins, Shibboleth, Sxip, Sun, NetMesh]
OSIS started to bring together identity-related projects in order to synchronize and harmonize the construction of an interoperable identity layer for the Internet.
Technologies
Diagram by Francis Shanahan
•XRI
•OpenID
•OAuth
•EV SSL Certificates
•CardSpace
•Higgins
XRI (Extensible Resource Identifier)
• XRIs can identify people, organizations, concepts, applications, devices, digital objects or anything else
• XRI builds on the IRI (Internationalized Resource Identifier, RFC 3987) by extending the syntax
• An XRI starts with “xri://” followed by an authority segment and a path portion (if any), e.g.
  xri://broadview.library.example.com/(urn:isbn:0-395-36341-1)
• The idea is that web addresses evolve from URLs to XRIs
• Foundational technology for XDI (XRI Data Interchange) and the Higgins project, and useful for OpenID
XRI Characteristics
• XRIs come in pairs
  i-name, which is human readable and changeable
  i-number, which is permanent (links use the i-number)
• Adds a layer of indirection on top of DNS- and IP-based URLs to give better control over persistent identity
• This indirection allows semantic mapping for sharing of identifiers across domains
• Reserved global context symbols:
  +, for general dictionary tags like +blog, +salmon, +love
  $, for special dictionary tags like $d (date), $v (version)
  =, for a personal persistent address like =hank.mauldin
  @, for an organization like @example.company
• When using global context symbols, one does not need to use a protocol prefix (xri://)
Extended Validation SSL Certificates
• Phishing scams are a big issue
• The answer needs to address two issues
  1. Provide a method that ensures users know the true owner of a website
  2. Provide a browser interface that makes it easy to see the identity when it is known and to recognize when it isn’t
• Proposed answer is a new category of SSL certificate with an issuing process that helps ensure the entity is who it claims to be, plus browser modifications
EV Certificate Guidelines
• The CA/Browser Forum, consisting of CAs, Internet browser vendors and the American Bar Assoc., released version 1.0 of the EV Certificate Guidelines for the new EV certificate.
• Uses the existing SSL certificate format, but provides a strictly enforced issuance policy with revocation measures.
• The issuers must:
  Verify the legal, physical and operational existence of the entity
  Verify that the identity of the entity matches official records
  Verify that the entity has exclusive rights to use the domain specified in the certificate
  Verify that the entity has properly authorized the issuance of the EV certificate
EV Browser Modifications
• When a browser visits a site secured with an EV certificate, the address bar turns green and displays the name of the organization listed in the certificate as well as the issuing CA.
• If on a bogus site, the address bar will not display green (the absence of green only means the site has no EV certificate; a site with an ordinary certificate still shows the padlock, so the user has to notice what is missing)
• The security status bar shows that the transaction was encrypted and the organization has been authenticated
• Microsoft IE 7 is the first browser to meet the new standard
• Firefox browsers have a plug-in available
Example of Address & Security Bar
Thoughts on EV SSL Certs
• Appears to be a step in the right direction
• One concern is the cost of the new certificate
• New CA vendors are dependent on browser vendors
• It seems to be a couple of years away from widespread use, but some companies (eBay and PayPal) are already using these certs.

Current cost (as listed on the slide):

  Vendor     Current cert (one year)   EV cert, one year   EV cert, two year
  Verisign   $399                      $1,499              $2,695
  Thawte     -                         $899                $1,495
  Digicert   $99                       $495                $795
OpenID 2.0
•Fastest growing user-centric identity system
• Because AOL (63 million users) and Yahoo (248 million users) provided all their users with OpenIDs automatically
•Specifically addresses web single sign-on (SSO) use cases
•Replace the self generated usernames & passwords with a single login credential
•Provides simple attribute exchange
•Only requires an unmodified browser
• Light-weight protocols and easy for RPs to implement
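The XRI slide above lists the global context symbols and notes that the xri:// prefix is optional with them; this OpenID slide says discovery is built into whatever URI the user types. The two meet in the first thing an RP does with the login box: OpenID 2.0 section 7.2 normalization, which decides whether the input is an XRI or an http(s) URL and canonicalizes it before discovery. The following is an added example written for this page, not code from the presentation or from any OpenID library; the sample identifiers in the demo are made up.

```python
"""OpenID 2.0 user-supplied identifier normalization (spec section 7.2).

Added example; not code from the presentation or from any OpenID library.
Recognise an XRI by its global context symbol, otherwise treat the input as
an http(s) URL and normalize it before discovery.
"""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols: "=" personal, "@" organization, "+" general
# dictionary, "$" special dictionary, "!" persistent (i-number) context.
XRI_GCS = frozenset("=@+$!")


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Return ("xri", identifier) or ("url", identifier).

    Raises ValueError for input that cannot be an OpenID identifier.
    """
    s = user_input.strip()
    if not s:
        raise ValueError("empty identifier")

    # An explicit xri:// prefix is optional when a GCS is present; the spec
    # strips it and decides on the first remaining character.
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
        if not s:
            raise ValueError("empty XRI")

    # XRI: starts with a global context symbol or a cross-reference "(".
    if s[0] in XRI_GCS or s[0] == "(":
        return "xri", s

    # Otherwise a URL; users rarely type the scheme, so default to http.
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s

    parts = urlsplit(s)
    if not parts.hostname:
        raise ValueError(f"no host in identifier: {user_input!r}")

    # RFC 3986 normalization: lowercase scheme and host, drop a default port,
    # use "/" for an empty path, drop the fragment (not part of the
    # identifier). Userinfo has no meaning in an OpenID identifier and is
    # dropped as well.
    scheme = parts.scheme.lower()
    host = parts.hostname
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    path = parts.path or "/"
    return "url", urlunsplit((scheme, host, path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs of the kinds a user might type into the login box.
    for typed in ("example.com", "HTTP://Example.COM:80/blog#me", "=hank.mauldin",
                  "xri://@example.company", "https://mosby.myopenid.com"):
        print(f"{typed!r:40} -> {normalize_identifier(typed)}")
```

Normalization is only the first step: discovery (Yadis/XRDS or HTML link tags for a URL, XRI resolution for an XRI) then maps the identifier to the OP endpoint, and the RP must remember that discovered endpoint so it can later check which OP signed the assertion.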
OpenID Protocol Drilldown
[Diagram: User, Client (browser), Relying Party (RP), Identity Provider (IdP); identifiers shown: http://openid.aol.com/screenname=hank.mauldin and http://mosby.myopenid.com]
1. User wants to access their LiveJournal blog
2. Redirected to myOpenID.com
3. Authentication
4. Redirected back to LiveJournal account
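The four steps above, carried through with both sides’ messages, as an added example that is not part of the presentation and not code from LiveJournal, myOpenID or any OpenID library. It assumes the RP and OP already share an HMAC-SHA256 association (a MAC key under an association handle, normally negotiated by the RP with a Diffie-Hellman associate request); the key, handle and all URLs are constructed for the demonstration. The RP side shows the checks that turn “trust the IdP” into something concrete: the signature over every field it relies on, the return_to, the signing endpoint, and the nonce.

```python
"""OpenID 2.0 checkid_setup round trip: RP request, OP signed assertion, RP checks.
Added example; not code from the presentation or from any OpenID library."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Constructed association shared by OP and RP (32-byte key for HMAC-SHA256).
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = hashlib.sha256(b"demo association secret").digest()
# Constructed endpoints; OP_ENDPOINT is what discovery on CLAIMED_ID would yield.
OP_ENDPOINT = "https://op.example/server"
RP_REALM = "https://blog.example/"
RETURN_TO = "https://blog.example/openid/return"
CLAIMED_ID = "http://mosby.op.example/"
# Fields the RP relies on, so all of them must be under the signature.
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]


def rp_build_checkid_setup(claimed_id):
    """Step 2: the URL the RP redirects the browser to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": RETURN_TO,
        "openid.realm": RP_REALM,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def kv_form(fields, signed):
    """Key-Value form of the signed fields, in openid.signed order (spec 4.1.1, 6.1)."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode()


def op_sign_positive_assertion(request_url, mac_key):
    """Steps 3-4: after authenticating the user, the OP returns a signed id_res."""
    req = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    if req.get("openid.mode") != "checkid_setup":
        raise ValueError("not a checkid_setup request")
    # response_nonce: UTC timestamp plus a unique suffix (spec 10.1).
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": req["openid.claimed_id"],
        "openid.identity": req["openid.identity"],
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": nonce,
        "openid.assoc_handle": req["openid.assoc_handle"],
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(mac_key, kv_form(fields, SIGNED_FIELDS), hashlib.sha256).digest()
    fields["openid.sig"] = base64.b64encode(mac).decode()
    return fields


class RelyingPartyVerifier:
    """RP-side checks on the assertion the browser brings back (spec section 11)."""

    def __init__(self, mac_key, max_skew=300):
        self.mac_key = mac_key
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, resp, now=None):
        """Return the verified claimed identifier, or raise ValueError."""
        if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        signed = resp.get("openid.signed", "").split(",")
        if not set(SIGNED_FIELDS).issubset(signed):
            raise ValueError("a field the RP relies on is not covered by the signature")
        if any("openid." + name not in resp for name in signed):
            raise ValueError("signed field missing from response")
        if resp["openid.assoc_handle"] != ASSOC_HANDLE:
            raise ValueError("unknown association handle")
        expected = hmac.new(self.mac_key, kv_form(resp, signed), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(resp["openid.sig"])):
            raise ValueError("bad signature")
        # return_to must be ours, and the signer must be the endpoint discovery
        # produced for the claimed id; otherwise any OP could assert any identifier.
        if resp["openid.return_to"] != RETURN_TO:
            raise ValueError("return_to mismatch")
        if resp["openid.op_endpoint"] != OP_ENDPOINT:
            raise ValueError("assertion signed by an unexpected OP endpoint")
        nonce = resp["openid.response_nonce"]
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        now = time.time() if now is None else now
        if abs(now - issued) > self.max_skew:
            raise ValueError("stale assertion")
        if nonce in self.seen_nonces:
            raise ValueError("replayed assertion")
        self.seen_nonces.add(nonce)
        return resp["openid.claimed_id"]
```

Attribute exchange values (the “simple attribute exchange” mentioned on the OpenID 2.0 slide) travel in the same response and are only trustworthy if their field names are in openid.signed; an RP that reads an unsigned ax.value field is accepting whatever the browser chose to append.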
OpenID Concerns
• No real trust framework
• The basic principle between IdP and RP is to TRUST
• Advantage: IdPs and RPs can work together without prior relationships
• Neutral: only good for low-value transactions such as blog or wiki comments
• Concern: OpenID potentially makes the phishing problem worse
  A person can put up a great site that takes OpenID and, instead of redirecting to the real Identity Provider, send the user to a look-alike of the Identity Provider’s site to harvest the user’s credentials
OpenID Concerns (continued)
• Concern: the user has one unique identifier, so an IdP can track all the websites a user logs into.
  Cross-site profiling would be easy
  Privacy issue for users
• Cannot be used for delegation of authority (use OAuth instead)
• Neutral: if a person uses a domain-name URL as their OpenID, they must be careful not to lose the domain name (it expires and is not renewed)
• Neutral: unclear what the business case is for the smaller IdPs (OpenID Providers)
  Giving away free OpenIDs
Thoughts on OpenID
• Top 4 issues the OpenID community wants to fix
  Solve the phishing issue
  Make the UI experience a little less geeky (typing in URLs)
  Single sign-out
  Optimize performance
• My belief is they will move towards using a combination of EV SSL certificates and Information Cards to solve the first issue above
• Microsoft, IBM, Google, Yahoo and Verisign have joined the OpenID Foundation Board - announced February 2008
OAuth
• OAuth Core version 1.0 is released
• Offers secure delegation of authority
• Complements rather than replaces authentication; extends the usefulness of OpenID
• Brings together, in one standardized way, the delegation of authority done by many well-established proprietary protocols and APIs:
  Google AuthSub
  AOL OpenAuth
  Yahoo BBAuth
  Upcoming API
  Flickr API
  Amazon Web Services API
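What “delegation of authority” looks like on the wire in OAuth Core 1.0: the consumer signs each request with a key made of its own secret and the secret of the token the user delegated, and the service provider recomputes that signature. The following is an added example, not code from the presentation, from any of the vendor APIs listed above or from an OAuth library. The consumer credentials, token and URL in spec_appendix_a_signature() are the ones printed in Appendix A of the OAuth Core 1.0 specification; the ServiceProvider class and its token table are constructed here to show the checks on the receiving side.

```python
"""OAuth Core 1.0 HMAC-SHA1 request signing, consumer and service-provider side.
Added example; not code from the presentation or from any OAuth library."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth requires: only unreserved chars stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """scheme://host[:port]/path, lowercased, default port removed, no query."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname, p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, p.path, "", ""))


def signature_base_string(method, url, params):
    """METHOD & enc(base URI) & enc(sorted encoded params); oauth_signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret): a stolen token alone is useless."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def consumer_sign(method, url, query, consumer_key, consumer_secret, token, token_secret,
                  timestamp=None, nonce=None):
    """Consumer side: the oauth_* parameters to send with the request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(method, url, {**query, **oauth},
                                                   consumer_secret, token_secret)
    return oauth


class ServiceProvider:
    """Holds consumer secrets and the access tokens users delegated to consumers."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # token -> (consumer_key, token_secret, user)
        self.window = window
        self.seen = set()            # (consumer_key, timestamp, nonce) for replay detection

    def verify(self, method, url, query, oauth, now=None):
        """Return the user who delegated access, or raise ValueError."""
        consumer_key = oauth.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        grant = self.tokens.get(oauth.get("oauth_token"))
        if consumer_secret is None or grant is None:
            raise ValueError("unknown consumer or token")
        owner, token_secret, user = grant
        if owner != consumer_key:
            raise ValueError("token was not issued to this consumer")
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            raise ValueError("unsupported signature method")
        ts = int(oauth.get("oauth_timestamp", "0"))
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window:
            raise ValueError("timestamp outside acceptance window")
        replay_key = (consumer_key, ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            raise ValueError("nonce already used")
        expected = hmac_sha1_signature(method, url, {**query, **oauth},
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            raise ValueError("bad signature")
        self.seen.add(replay_key)   # only burn the nonce once the request is genuine
        return user


def spec_appendix_a_signature():
    """Reproduce the worked signature from OAuth Core 1.0, Appendix A."""
    oauth = consumer_sign("GET", "http://photos.example.net/photos",
                          {"file": "vacation.jpg", "size": "original"},
                          "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                          "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00",
                          timestamp=1191242096, nonce="kllo9940pd9333jh")
    return oauth["oauth_signature"]
```

The signature covers the method, the base URI and every query parameter, which is why the tampered-query case below is rejected; and because the token table records which consumer a token was issued to, a second consumer that has obtained the token and its secret still cannot use it, which is the difference between delegating a scoped token and handing over a password.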
Information Cards
• Microsoft Identity Metasystem: CardSpace
• Higgins project: Bandit, Higgins
Seven Laws of Identity
• Kim Cameron (Microsoft) developed the 7 laws, which shaped the design of the Identity Metasystem
• The Seven Laws are:
  User Control and Consent - only reveal information with the user’s consent
  Minimal Disclosure - release the least amount of information and limit its use
  Justifiable Parties - limit to entities that are necessary in the identity relationship
  Directed Identity - protect against correlation across services
  Pluralism of Operators - enable multiple technologies and identity providers
  Human Integration - integrate the human user into the system and protect against identity attacks
  Consistent Experience - provide a simple, consistent experience across different contexts
Identity Metasystem Concepts
• Digital Identity: A set of claims in a security token provided by (and about) a user
• Roles in the identity meta-system:
User (subject)
Identity Provider
Relying Party
• Protocol:
User goes to site for a resource
User is asked for identity (and required claims) from RP
User chooses an identity provider
Identity provider gives user a security token (meeting required claims)
User passes the token to the RP
WS-* Metasystem Architecture
[Diagram: the Subject’s Identity Selector sits between Identity Providers (each with an STS and token capabilities published via WS-SecurityPolicy) and Relying Parties (token requirements published via WS-SecurityPolicy). Token types shown: Kerberos, SAML, X.509, custom. Protocols: WS-Trust, WS-MetadataExchange, WS-Security]
Windows CardSpace
CardSpace Protocol Drilldown
[Diagram: User, Client, Relying Party (RP), Identity Provider (IdP)]
1. Client wants to access a resource
2. RP provides identity requirements
3. Which IdPs can satisfy the requirements?
4. User selects an IdP
5. Request security token (authentication required, e.g. X.509, Kerberos, username/password, self-issued token)
6. Return security token based on the RP’s requirements (any format), and optional signed display token
7. User approves release of token
8. Token released to RP (RP reads token and allows access)
CardSpace Card Selector
CardSpace Cards
Self-Issued Card
• Contains claims about my identity that I assert
• Fixed set of claims
• Not corroborated
• Card and data stored locally
• Signed and encrypted to prevent replay attacks
• Presented by user during account sign-up
Managed Cards
• Created and signed by IdPs, such as banks, stores, government, clubs, etc.
• Provisioned as a .CRD file via email, website, group policy etc., which the user installs
• Locally stored cards contain metadata only (not values)
• Data stored at the Identity Provider and obtained only when the card is submitted (from the STS)
CardSpace Security
• CardSpace environment (secure shell)
  Runs under a separate desktop and restricted account
  Isolates the CardSpace runtime from the Windows desktop – no programmatic access
• All data encrypted (including memory) until use
• All parties strongly identified
• Privacy
  RP can be hidden from IdP
  Signing key for the self-issued token varies for each RP
  User controls release of information
  Cards can be protected with a PIN
• Parties must identify themselves via the Trust Dialog
  Verifies the provided certificate for all parties that interact with the user
  RP: appears on first visit; IdP: when the user imports the card
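The privacy bullets above (a per-RP signing key for the self-issued token, user-controlled release) are the Directed Identity and Minimal Disclosure laws in practice. The following is an added example written for this page; it is not code from the presentation and not CardSpace’s own PPID derivation, which is keyed on the RP’s certificate chain. It is a simplified construction that shows the property: one master secret stays in the card, and the identifier and signing-key seed handed to each relying party are an HMAC over that RP’s identity, so two RPs cannot correlate the user by comparing what they received. The RP identities, certificate subjects and claim values are constructed for the demonstration.

```python
"""Per-relying-party identifiers for a self-issued card (Directed Identity).
Added example; simplified construction, not CardSpace's own PPID algorithm."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def rp_identity(site_url: str, cert_subject: str | None = None) -> str:
    """What the selector keys the pairwise identifier on.

    A site presenting a certificate is identified by its subject, so every
    host under one organisation sees the same identifier; an unauthenticated
    site is identified only by scheme and host, so a look-alike domain gets a
    different PPID that is useless for impersonating the user elsewhere.
    """
    if cert_subject:
        return "cert:" + cert_subject
    p = urlsplit(site_url)
    return "url:" + p.scheme.lower() + "://" + (p.hostname or "")


class SelfIssuedCard:
    """Claims the user asserts about themself plus a secret that never leaves the card."""

    def __init__(self, claims: dict, master_secret: bytes | None = None):
        self.claims = dict(claims)
        self._secret = master_secret or secrets.token_bytes(32)
        self.release_log = []   # (rp identity, claims released): what the selector records

    def _derive(self, purpose: bytes, rp: str) -> bytes:
        # Domain-separated derivation: same RP -> same value, different RP -> unrelated value.
        return hmac.new(self._secret, purpose + b"|" + rp.encode(), hashlib.sha256).digest()

    def ppid(self, rp: str) -> str:
        """Private personal identifier: stable for one RP, unlinkable across RPs."""
        return base64.b64encode(self._derive(b"ppid", rp)).decode()

    def signing_key_seed(self, rp: str) -> bytes:
        """Per-RP seed for the token-signing key (CardSpace uses a per-RP key pair)."""
        return self._derive(b"sign", rp)

    def token_for(self, rp: str, requested: list) -> dict:
        """Release only the requested claims (minimal disclosure) under the RP's PPID."""
        missing = [c for c in requested if c not in self.claims]
        if missing:
            raise ValueError(f"card does not carry claims: {missing}")
        token = {"ppid": self.ppid(rp)}
        token.update({c: self.claims[c] for c in requested})
        self.release_log.append((rp, tuple(requested)))
        return token


if __name__ == "__main__":
    # Constructed card and two constructed relying parties.
    card = SelfIssuedCard({"givenname": "Hank", "surname": "Mauldin", "email": "hank@example.invalid"})
    shop = rp_identity("https://shop.example/login", cert_subject="CN=shop.example, O=Example Shop Inc")
    blog = rp_identity("http://blog.example/")
    print("shop sees", card.token_for(shop, ["email"]))
    print("blog sees", card.token_for(blog, ["givenname"]))
    print("same user?", card.ppid(shop) == card.ppid(blog))
```

The release log is the record the “User Control over their personal info” section later describes: the selector, not the RP, keeps the list of which claims went where, and the RP cannot learn from its PPID which other sites the same card has been used at.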
Thoughts on CardSpace
• Advantages:
  Replace login ids & passwords with cryptographically strong tokens containing identity claims
  Consistent login and registration
  Centers around a simple-to-use Identity Selector
  Digital identities represented by cards
  Multi-factor authentication
  Helps avoid phishing
  Users in control
• Disadvantage:
  Not a single sign-in solution
• Concerns:
  Identity portability
  Revocation
Higgins Project
•Higgins provides the same user experience as CardSpace
• It functions with the same card metaphor, but extends the types of cards
•However, Higgins is a framework to provide interoperability between different identity systems
An abstraction layer for identity and social networking services
•Allows plug-ins from different contexts
Higgins Framework
[Diagram of the framework’s components: End User Applications (web services, Eclipse Rich Client Platform, browser extensions); Information Card Selector with the Identity Selector Service (ISS), Higgins Browser Extension (HBX), Relying Party policy/tags and an STS; the Interoperability Framework built on the Identity Attribute Service (IdAS) with its Application Programming Interface (API) and Context Provider Interface (CPI); plug-ins for CardSpace, OpenID and SAML context providers; context data sources: LDAP, AD, files, directories, social networks, databases]
Identity Attribute Service (IdAS)
• Aggregates and federates identity information
• Uses the Higgins Data Model, which represents an identity and its attributes in a context
• The plug-ins enable the IdAS to read data from the contexts and map the data to the Higgins Data Model
• Each context may have its own ontology, defined using higgins.owl
Interoperability
• Requirements for interoperability
  1. Common data model
  2. API abstraction/framework
  3. Schema mapping
• #1 is addressed by Higgins
• #2 can be addressed using the Higgins Identity Attribute Service (aka IdAS)
• #3 is addressed by industry collaborations within Identity Commons and other groups
Digital Subjects and their attributes
• Digital Subjects are representations of entities (e.g. real-world people, groups, organizations, etc.)
• Digital Subjects are sets of identity, profile and relationship attributes
[Diagram legend: a Digital Subject that represents entity #1 (e.g. you) and a Digital Subject that represents some entity other than #1 (e.g. someone other than you); “normal” attributes (e.g. string, number, boolean, etc.); relation attributes; correlation attributes (a specialization of relation); a profile]
i-cards
• Store credentials, profiles, personal data, and social networks – not just for sign-in!
• New types of i-cards defined
  r-cards (relationship cards): data partially owned by both entities
  s-cards (SAML cards): for interoperability with SAML 2.0
  z-cards (zero-knowledge cards): selective disclosure of claims, zero-knowledge proofs, sole authority over claim values; IBM to deliver based on their idemix technology
[Figure: a personal i-card for Hank Mauldin]
Bandit Card Selector showing claims
Higgins software project status
• Higgins 1.0 development done by 12/31; supports the self-issued and managed cards
• Ongoing series of multi-company (Microsoft, etc.) interoperability events for the past year
• IBM and Novell have announced they will ship Higgins-based products
• Parity is offering to host Higgins-based services
Thoughts on Higgins
• In general, I believe the card metaphor will succeed in the market place
•Higgins has already shown it can interoperate with CardSpace
•Several influential vendors (IBM, Novell) are committed to delivering Higgins implementations
•A large challenge to meet their goals for the framework, especially around the data model and schemas
Do these technologies address user issues?
Diagram by Francis Shanahan
Credential Management
•Both OpenID and Information Cards provide a solution to the issue of too many passwords to remember
•Both help with registration at web sites rather than just form filling
•OpenID provides SSO, but uses a single identifier
• Information Cards do not provide SSO, but provides better privacy by using a different personal id per site
Ease of Use
• OpenID requires a user to type in a URI
  Common complaint is that it is a little geeky
  Current browsers do not store URIs as they do usernames
  My belief is the OpenID community will move towards using information cards as an optional front-end in certain situations
• Information Cards provide a metaphor that most people grasp instantly
  Seems to me to be useful on mobile devices (smartphones)
  Importing the managed cards is not as simple as it could be
  Recovery from PC crash or loss is not well defined (problem similar to losing one’s wallet)
User Control over their personal info
• OpenID with attribute exchange supports user control
• OpenID with delegation can only give “full delegation”, so it cannot delegate only certain services - a security risk
• OAuth is being used because of this restriction in OpenID
• Information Cards allow the user to review, edit and decide which claims to release before they are sent
  The selector keeps track of which attributes have been sent to a site, so the user has a record of which attributes have been released to which relying parties
Phishing
• OpenID has a perceived problem with phishing
  Some discussion about using Information Cards to authenticate at the IdP to help avoid phishing
• Information Cards are phishing resistant
  Selector keeps track of which card has been used at a site
  User receives a visual indication when not at a proper site
• EV SSL certificates help with this problem once widely deployed and browsers updated
Vetting of Users
•Not really a technical issue, but is becoming a legal issue due to identity theft and an organizational issue
Banks are being sued by their clients for identity fraud
New employees already have “identities” and may want to use those versus getting a new company identity.
• I believe an individual’s reputation is becoming one of the most valuable assets; therefore protecting one’s own reputation from abuse by others will become an important issue
What impact on Cisco?
Diagram by Francis Shanahan
Cisco can be a player
Cisco is moving up the stack
across the stack
Infrastructure changes to occur
CMSG
•There is a web portal project that front-ends a media solution
Using OpenID as user authentication method
User’s login id is transformed to URL and sent to back-end OpenID provider service
It is a closed system, and not accepting other OpenID users
Use of OpenID is invisible to user
•Moving into social networking (Eos) that is consumer facing, Cisco will need to make choices about authentication methods as we have been discussing
Linksys
• Have been in discussions regarding a Linksys portal that is consumer facing (loosely coupled with Connected Home)
  Provides access to content in the “cloud”
  Provides access to the home network
• Discussion of identity in the home network for devices and users
• Need to be aware of trends in the consumer authentication space
Service Node project
•Developing a media content delivery system using peer-to-peer technology
•There is again a consumer facing portal
•Had a brief discussion regarding more advanced future solutions around social networking
Interested in learning about user-centric systems
Enterprise
• Many enterprises have consumer-facing web sites
  Use of EV SSL certificates recommended
  Can see value in relationship i-cards for customers
• Some IdM vendors have announced support for OpenID and CardSpace
• Sun employees use OpenIDs
• In the future, for internal employees, managed information cards could replace usernames and passwords - PIN protected, of course
  No more password resets or changes every 6 months
• Federation between partners is still satisfied by SAML or WS-* solutions
Yankee Group released a Report on OpenID and Enterprises
• “OpenID is a disruptive technology that allows web sites to share identity information and streamline authentication processes. Enterprises with a significant online presence can increase contact with their customers by adopting OpenID.”
  By Andrew Jaquith, Program Manager at Yankee Group
• By 2010, Yankee Group expects that a differentiated, stratified ecosystem of OpenID-Plus identity providers will emerge to make OpenID useful enough for businesses to adopt en masse.
Actions Moving Forward
• Become more involved with the Higgins Project
  Cost - $150k/year to be on the board and set direction
  $30k/year to suggest new work groups
  $5k/year to participate as a member
  Join as a member at the $5k level
• Create a cross-functional team to work with Higgins
• Cisco should consider using EV SSL certificates for CCO
• Consider using SAML 2.0 assertions as the encapsulation for moving identity claims around
• Investigate the gap between network and application identities
Next Steps
• Continue discussion with known internal groups
• Do deeper dives into OpenID, CardSpace and Higgins
  Set up an IdP and RPs for the different systems in the lab
  Get some practical experience with the systems
  Provide recommendations
• Look at how Cisco might work with IdM vendors to find a way to leverage the network authentications and posture information in the application space
  Solution requires Cisco to retain state for authentications
  (Some work is going on here by Vinnie Gupta, SA and Brian Ford, CE)
  3 possible approaches:
  1. Create an API (no standard exists)
  2. Develop a Higgins plug-in
  3. Virtual directory
• Complete the research and white paper
Discussion