DIX BOF Digital Identity eXchange

Post on 19-Jan-2016


DIX BOF – Digital Identity eXchange

65th IETF, Dallas, March 21st 2006

Welcome and Introductions

Chair – Scott Hollenbeck, shollenbeck@verisign.com

Chair – John Merrells, merrells@sxip.com

Wiki – http://dixs.org

Jabber – dix@rooms.jabber.ietf.org

Housekeeping

Use microphones for those on the audio channel

State your name clearly for the scribe

Discussion points after each agenda item

We need scribes…

Wiki – http://dixs.org

Jabber – dix@rooms.jabber.ietf.org

Agenda

Time (minutes) – Topic

10 Agenda Bashing

20 Problem / Goals / Benefits

30 Scope

20 Requirements

20 Architectural Options / Related Work

10 draft-merrells-dix-00.txt (dmd0)

40 Discussion

Scene Setting

Scene Setting – “Enterprise Identity Management” (IdM)

Access control for resources

Leverages many IETF technologies

LDAP, Kerberos, PKIX, TLS

Includes

Authentication

Roles

Scene Setting – Web Authentication

1996 survey - 12+ solutions

Why this interest?

Enterprise Web Applications

Required: SSO, Minimal password exposure, browser based

Web is easy to hack on

So, many open-source, in-house, and commercial solutions, even leveraging IdM

Scene Setting – Today’s Web

Millions of blogs, homepages, etc

Represent online lives

Others interact with them

But: Who’s on my site? (For expression… rather than control)

Required: SSO and Information Exchange (But, no enterprise IdM system)

Scene Setting – New Goals

User-Centric

Widely Deployable

Good Enough Security

Web-scale ubiquity to be compelling

Scene Setting – Questions

Is new technology required? Or is new usage of existing technology required?

What are the user requirements?

What are the barriers to wide adoption?

Different from ‘Enterprise’ technology? Or just part of the whole spectrum?

Definitions

Digital Identity Exchange

Identity Agent

Relying Party

Claim

Digital Subject

Definitions

Digital Identity Exchange

“The transmission of digital representation of a set of Claims made by one Party about itself or another Digital Subject, to one or more other Parties.”

RL ‘Bob’ Morgan, 14th March 2006, DIX Mailing List

Definitions

Relying Party

Client

Identity Agent

Definitions

• Claim

• An assertion made by a Claimant of the value or values of one or more Identity Attributes of a Digital Subject, typically an assertion which is disputed or in doubt.

Definitions

• Digital Subject

• An Entity represented or existing in the digital realm which is being described or dealt with.

Problem Statement

“The Internet is host to many online information sources and services. There is a growing demand for users to identify, and provide information about themselves. Users bear the burden of managing their own authentication materials and repeatedly providing their identity information. Signing in to web pages and completing user registration forms is an example.”

Proposed Draft Charter: http://dixs.org/index.php/DIX_Charter

Problem Statement

For User

Manage many Username/Passwords

Retyping same data into forms

For Service Operator

Low conversion ratios

Data inaccuracy

Minimal data exchange

Example

User goes to a web site

User provides some information about themselves

Proposed Goals

Automate Digital Identity Exchange between User and Service

Protect User’s Privacy

Minimize Barriers to Adoption

Benefits

For Users

Convenient Digital Identity Exchange

Richer experience with Service

For Service Operators

Increased quality and quantity of identity data

Higher conversion rates

Role & Scope of IETF

Internet related problems

“Above the wire and below the application”

DIX is within IETF scope

Proposed DIX Scope

In Scope

Out of Scope

In/Out of Scope?

Narrow, yet also ambitious.

In Scope

Digital Identity Exchange between User and Service

HTTP/HTML Transport

Browser based applications

Out of Scope

Digital Identity Exchange between services

Federating identifier namespaces

Usage of digital certificates

Claim schema and type system

User authentication with Identity Agent

In/Out of Scope?

SIP

XMPP

Non-browser based applications

Third Party Claims

Scope Discussion?

Requirements

Seven Laws of Identity

1. User Control and Consent

2. Minimal Disclosure for Constrained Use

3. Justifiable Parties

4. Directed Identity

5. Pluralism of Operators and Technologies

6. Human Interaction

7. Consistent Experience Across Contexts

Kim Cameron

http://www.identityblog.com/

Requirements – Digital Identity Exchange

Move claims from agent to service

Move claims from service to agent

Unique identifier for User

Requirements - Privacy

Unique Identifier for User

No central control

Opaque

Unidirectional (1:1)

Omni-directional (1:N)

Separation from Identity Agent

Minimal disclosure

Requirements - Claim Schema

Globally unique Identifier for Names

Easily extended

Requirements - Adoption

Nominal client footprint

Minimal changes to Service

Service can independently extend Claim Schema

Leverage existing standards

Ad hoc Service and Identity Agent relationship

No more security than needed

Security Gradient

Security Gradient - Example

(Chart: Identity Transaction Value plotted against Security Level, with DIX Extension Points marked along the gradient)

Low Value: Blogs, …

High Value: Health Records,

Underlying technologies along the gradient: HTTP, DNS, HTTPS, PKI, DNSSEC, …

Threat Analysis

Vulnerabilities and security limitations will need to be analyzed and well documented

Requirements Discussion?

Architectural Models

Domain Centric

Federation

User-Centric

Domain Centric

Account Credentials

Authentication / Attributes / Authorization

E.g. X.500, LDAP, Kerberos, PKIX, TLS, SASL, HTTP Basic/Digest, …

Federation

E.g. SAML / Liberty, …

SAML Token SAML Token

SAML Request

SAML Response

Federation - Ad Hoc

Identifier URL

E.g. OpenID, LID, XRI, Yadis

Discovery

Claims

User Centric

Claims

Claims

E.g. SXIP 2.0, WS-Trust / MetaSystem, …

Request

Discussion?

draft-merrells-dix-00.txt

Individual Submission Internet-Draft

Title: DIX: Digital Identity Exchange

Author: J. Merrells, Sxip Identity

Contact: merrells@sxip.com

Date: Jan 17th, 2005

http://www.ietf.org/internet-drafts/draft-merrells-dix-00.txt

(Wiki has Update: http://dixs.org/index.php/Documents)

SXIP Properties

First Name, Last Name, Email Address, Blog URL, Image, …etc…

DIX Protocol

SXIP 2.0

Membersite / Homesite

Browser

SXIP Buttons

Beth

First Visit to geeknews.com

Beth receives an email invitation for geeknews.com

She’s going to ‘sign in’ to the website and provide some information about herself…

Membersite

Browser

[sxip in]

Membersite

Browser

[sxip in]

Consistent User Experience

‘Sign In’

Provide Identity Data

Homesite

GET Homesite Page

Dynamic Discovery

Homesite Tag

Membersite

Browser

ISP.com

Homesite Tag (Bits)

<LINK REL="dix:/homesite" HREF="http://isp.com/sxip" CLASS="dix:/core#1 dix://sxip.net/simple#1"/>

Homesite

Homesite Tag

Homesite Tag

Endpoint

http://isp.com/sxip

Capabilities

dix:/core#1

dix://sxip.net/simple#1

Homesite

Homesite Tag

Endpoint

POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-urlencoded
Content-Length: 202

dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D

http://isp.com/sxip

HTTP POST

Homesite

Homesite Tag

Endpoint

http://isp.com/sxip

Capabilities

dix:/core#1

dix://sxip.net/simple#1

Homesite

Homesite Tag

Capabilities

Capability Services

dix:/core#1

Fetch Messages

Store Messages

Verify Messages

dix://sxip.net/simple#1

SXIP Properties

Capability Extensibility

Capability Services

dix://domain.com/… Some Service

DIX URI

Scheme is DIX

Domain is any domain

Path is domain specific

fetch request

Fetch Request

Homesite Membersite

Browser

Fetch Request (Bits)

<HTML>
<BODY Onload="document.forms[0].submit()">
<FORM METHOD="POST" CLASS="DIX" ACTION="http://isp.com/sxip">
<input type="hidden" name="dix:/message-type" value="dix:/fetch-request"/>
<input type="hidden" name="dix:/message-id" value="23AC-34B8-BFD1-459A"/>
<input type="hidden" name="dix:/membersite-url" value="http://geeknews.com/sxip"/>
<input type="hidden" name="dix:/membersite-path" value="geeknews.com/"/>
<input type="hidden" name="first_name" value="dix://sxip.net/contact/name/first"/>
<input type="hidden" name="email" value="dix://sxip.net/contact/internet/email"/>
<input type="submit"/>
</FORM>
</BODY>
</HTML>


Fetch Request (Bits)

dix:/message-type= dix:/fetch-request

dix:/message-id= 23AC-34B8-BFD1-459A

dix:/membersite-url= http://geeknews.com/sxip

dix:/membersite-path= geeknews.com

first_name= dix://sxip.net/contact/name/first

email= dix://sxip.net/contact/internet/email


Capabilities

Property Capability                      Property Label

dix://sxip.net/contact/name/first        First Name

dix://sxip.net/contact/internet/email    Email Address

Capability Extensibility

Property Capability                      Property Label

dix://domain.com/path/…                  Some Label

sxip.net Properties

Name: Prefix, First, Middle, Last, Suffix, Alias

DOB: Day, Month, Year

Phone: Home, Business, Cell, Fax

IM: AIM, ICQ, MSN, Yahoo, Jabber, Skype

Email: Address, Verified, Hashed

Web: Blog, Amazon, Flickr, Delicious

Company: Name, Title

Media: Spoken Name, Audio Greeting, Video Greeting, Biography, Image

Authentication

fetch request

Homesite Membersite

Browser

Properties Requested

fetch request

Homesite Membersite

Browser

Homesite Membersite

Persona Selection

fetch request

Browser

Persona

Name: Beth Surname, Phone: (604)-678-3500 …

Name: Beth Surname, Phone: (415)-244-5808 …

Home: http://home.com/beth

Work: http://work.com/beth

Identifier

Persona Identifier is a URL

Identifier Choice [0…N]

No Identifier

One per Persona

One per Membersite

No Central Service, just DNS

How claimed?

http://work.com/beth

Identifier (Bits)

<LINK REL="dix:/homesite" HREF="http://isp.com"/>

Homesite

http://work.com/beth

fetch response

fetch request

Fetch Response

Homesite Membersite

Browser

Fetch Response (Bits)

dix:/message-type= dix:/fetch-response

dix:/message-id= 23AC-34B8-BFD1-459A

dix:/signature= WJhYTYx…

dix:/homesite-url= http://isp.com/sxip

dix:/status-success= dix:/true

first_name= Beth

email_address= beth@surname.com

Membersite / Homesite

Delegation Check

GET Persona URL

Security

nonce

signature

HTTPS HTTPS

http://work.com/beth

Browser

Membersite / Homesite

Delegation Check

GET Persona URL

Signature Verification

Security

nonce

signature

HTTPS HTTPS

http://work.com/beth

Browser

Verify Request (Bits)

POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-…
Content-Length: 202

dix:/message-type=dix:/verify-request&dix%3A%2Fsignature=NWJhYTYxZTRjOWI5M2YzZjA2ODIyNTBiNmNmODMzMWI3ZWU2OGZkOA%3D%3D&dix:/digest=Yzg3ZjA0ZjVlZWM1YWFjNTI5ZjY1YWViMmMxM2E3NzEwNjliZWUxNg%3D%3D

Verify Request (Bits)

POST /sxip HTTP/1.1
Host: isp.com
User-Agent: membersite
Content-Type: application/x-www-form-…
Content-Length: 202

dix:/message-type= dix:/verify-request

dix:/signature= NWJhYTYx…

dix:/digest= Yzg3ZjA0…

Membersite / Homesite

Delegation Check

GET Persona URL

Signature Verification

Verify Response

nonce

signature

HTTPS HTTPS

http://work.com/beth

Browser

Verify Response (Bits)

HTTP/1.1 200 Ok
Connection: close

dix:/true
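The membersite-side checks sketched on the Delegation Check and Signature Verification slides, as an added Python example that is not from the slides or from the SXIP code: it parses the dix:/homesite LINK tag (used both for dynamic discovery and for the delegation check against the persona URL), requires the fetch response to echo the message-id nonce the membersite minted in its fetch request, and builds the verify-request body the membersite POSTs back to the homesite endpoint. The slides do not say how the digest is computed, so build_verify_request takes signature and digest as opaque values; the persona page and URLs below are constructed sample data.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample persona page: the LINK tag shape shown on the slides.
PERSONA_HTML = ('<html><head><LINK REL="dix:/homesite" HREF="http://isp.com/sxip" '
                'CLASS="dix:/core#1 dix://sxip.net/simple#1"/></head></html>')

LINK_RE = re.compile(r'<LINK\s+([^>]*?)/?>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')


def parse_homesite_tag(html):
    """Dynamic discovery: return endpoint and capabilities from the first
    LINK tag whose REL is dix:/homesite (CLASS is optional on persona pages)."""
    for m in LINK_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        if attrs.get("rel") == "dix:/homesite":
            return {"endpoint": attrs.get("href"),
                    "capabilities": attrs.get("class", "").split()}
    return None


def same_homesite(url_a, url_b):
    """Delegation check: both URLs must name the same scheme and host."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower())


def check_fetch_response(request, response, persona_html):
    """Checks a membersite makes before trusting the claims in a fetch response:
    message type, message-id echoes our nonce, status, and the answering
    homesite is the one the persona URL delegates to."""
    if response.get("dix:/message-type") != "dix:/fetch-response":
        return False, "unexpected message type"
    if response.get("dix:/message-id") != request["dix:/message-id"]:
        return False, "message-id does not match our fetch request (replay or mix-up)"
    if response.get("dix:/status-success") != "dix:/true":
        return False, "homesite reported failure"
    tag = parse_homesite_tag(persona_html)
    if tag is None or not same_homesite(tag["endpoint"], response.get("dix:/homesite-url", "")):
        return False, "persona URL does not delegate to this homesite"
    return True, "ok"


def build_verify_request(signature, digest):
    """Form body of the dix:/verify-request POSTed to the homesite endpoint.
    Digest computation is not defined on the slides; it is opaque here."""
    return urlencode([("dix:/message-type", "dix:/verify-request"),
                      ("dix:/signature", signature),
                      ("dix:/digest", digest)])
```

The homesite's answer to the verify request is the bare body dix:/true shown above; anything else means the claims must not be accepted.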

Saving Data to isp.com

Beth decides to leave a comment on a post at geeknews.com

She will provide some Identity Data and save it at her Homesite

Membersite

Browser

[sxip save]

Membersite

Browser

[sxip save]

Consistent User Experience

Save Identity Data

Homesite Membersite

store request

[sxip save]

Browser

Store Request (Bits)

dix:/message-type= dix:/store-request

dix:/membersite-url= http://geeknews.com/sxip

dix:/membersite-path= geeknews.com

dix:/persona-url= http://work.com/beth

dix://sxip.net/media/image=

http://work.com/beth/me.jpg

Persona

Name: Beth Surname, Phone: (604)-678-3500 …

Name: Beth Surname, Phone: (415)-244-5808 …

Home: http://home.com/beth

Work: http://work.com/beth

Homesite Membersite

Store Response

store response

store request

Browser

Store Response (Bits)

dix:/message-type= dix:/store-response

dix:/homesite-url= http://isp.com/sxip

dix:/status-success= dix:/true

Available Today

Membersite / Homesite

Browser

Homesite Reference Implementation: Perl

Demonstration App

Membersite Development Kit: PHP, Perl, Java, (Ruby, Python)

Plugins: Media Wiki, (Drupal, Ning)


Resources

Websites:

The Vision: identity20.com

The Code: sxip.org

The Spec: sxip.net, dixs.org

The Demo: sxore.com

Contact:

John Merrells, merrells@sxip.com


General Discussion?