9H/ FIDO for Everything / Francisco Corella

From IIW

Session 9H

How to use FIDO for everything — As alternative to SAML, as an alternative to OpenID Connect, for privacy-enhanced identification, and for user-centric identity


Session Convener: Francisco Corella

Notes-taker(s): Francisco Corella

Tags / links to resources / technology discussed, related to this session:


Slides can be found at https://pomcor.com/documents/FIDOforEverything.pptx


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


FIDO is intended for authentication by proof of knowledge of a private key after registration of the public key with the relying party. But in combination with the service worker API, it can also be used for identification with a third-party credential without prior registration with the relying party.


The third-party credential could be a public key certificate, such as an X.509 certificate, that binds the public key to user attributes.


Privacy-enhanced identification can be achieved with a public key certificate that binds the public key to an omission-tolerant checksum of the attributes, enabling selective disclosure by omission of the attributes not requested by the relying party.
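As an added illustration, not code from the session or the slides, the following shows one simple way such an omission-tolerant checksum can be built: each attribute is committed as a salted digest and the checksum is a hash over all attribute digests, so a presentation can omit attributes while still verifying against the certified checksum. The construction, the salting scheme and the function names are assumptions; the signature that binds the checksum to the public key in the certificate is assumed to be checked separately.

```python
import hashlib
import secrets

# Assumed illustrative construction: checksum = H(sorted(H(salt|name|value)...)).
# Omitted attributes are represented by their digests; the salt keeps a verifier
# from guessing low-entropy omitted values (e.g. a date of birth) by brute force.

def attribute_digest(name: str, value: str, salt: bytes) -> str:
    data = salt + b"\x00" + name.encode() + b"\x00" + value.encode()
    return hashlib.sha256(data).hexdigest()

def checksum(digests) -> str:
    h = hashlib.sha256()
    for d in sorted(digests):          # order-independent, so omission keeps it stable
        h.update(bytes.fromhex(d))
    return h.hexdigest()

def issue(attributes: dict) -> tuple:
    """Issuer side: salt every attribute; returns (checksum to certify, salts for the user)."""
    salts = {n: secrets.token_bytes(16) for n in attributes}
    digests = [attribute_digest(n, v, salts[n]) for n, v in attributes.items()]
    return checksum(digests), salts

def present(attributes: dict, salts: dict, requested) -> dict:
    """User side: disclose only requested attributes (with salts), omit the rest as digests."""
    disclosed = {n: {"value": attributes[n], "salt": salts[n].hex()} for n in requested}
    omitted = [attribute_digest(n, v, salts[n])
               for n, v in attributes.items() if n not in requested]
    return {"disclosed": disclosed, "omitted_digests": omitted}

def verify(presentation: dict, certified_checksum: str) -> bool:
    """Relying party side: recompute the checksum from disclosed values plus omitted digests."""
    digests = [attribute_digest(n, d["value"], bytes.fromhex(d["salt"]))
               for n, d in presentation["disclosed"].items()]
    digests += presentation["omitted_digests"]
    return checksum(digests) == certified_checksum

def demo() -> bool:
    # Constructed sample attributes; only the email is requested by the relying party.
    attrs = {"email": "alice@example.com", "name": "Alice", "dob": "1990-01-01"}
    cs, salts = issue(attrs)
    return verify(present(attrs, salts, ["email"]), cs)
```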


FIDO can be used as an alternative to federated authentication protocols such as SAML or OpenID Connect by having the IdP issue a selective disclosure credential. The relying party redirects the browser to the IdP, but the redirected request is intercepted by a service worker in the user’s browser. This achieves the further privacy-enhancing feature of unobservability, and obviates the need for the IdP to be always available.


User-centric identity can be achieved by using an email address as the identifier and having the email service provider issue a selective disclosure credential that augments the email address identifier with self-asserted attributes. Other attributes can be provided by binding them to the email address in attribute certificates.