De-Confusion Big Picture

From IIW

Tuesday Session 1 Space E

Conference: IIW 10, May 17-19, 2009. This is the complete set of notes.

"De-confusing" Identity (5/18 session 1)


"On the Internet, nobody knows you're a dog" (IIW logo)

  • Anonymity is important
  • But people need the set of tools to be able to represent who they are (at varying levels of granularity/disclosure)


Communities in attendance


Business

  • Enterprise Customer
  • Enterprise Identity Management Product
  • WebPortals (e.g. Google, Yahoo, MSN, LinkedIn)
  • Regular websites

Government

  • Europe, BC, DC

Standards Development Community

  • OASIS (InfoCards, SAML, XRI/XDI)
  • IETF and Internet Society (SMTP)
  • W3C (HTML)
  • ITU-T (phone) and ISO
  • "Floaters"
    • XMPP - Jabber
    • OpenID
  • Sysadmins
  • Web Developers
  • Etc. Etc. Etc.
    • Provisioning/issuing credentials for use of internal enterprise systems
    • e.g. username, password, auth token, etc.
    • SAML (Security Assertion Markup Language): Directory of employees with specific privileges
    • Authorization, or AuthZ (What you’re allowed to do)
  • Authentication, or AuthN (The identifier – the username you use, etc.)
  • Verification
  • Enrollment into system (new users)
  • Termination from system (ex-users)
  • SAML Federation
    • Business to Business sharing (e.g. American Airlines + Boeing)
    • Trusting each other's credentials
    • Doesn't scale well

OpenID = outsourcing username and password (same "username" or i-name)

  • Problem is phishing: Fake forms for OpenID providers
  • Therefore, OpenID is designed for low-security transactions

NASCAR problem: Addresses challenge of usability with OpenID (logos instead of having to remember your OpenID URL)

Info Cards

  • IDP issues card, or you make your own card
  • User selects cards
  • Open Source InfoCard Selector repository: Higgins Project
  • Send various attributes only, customize the amount of information sent

OpenID + Information Cards = Open Identity Exchange

XRD is Discovery: A protocol for understanding and discovering services

We then went over a bunch of the organizations and how they relate to each other. See Kaliya’s flowchart slides for an overview.