FICAM Profile, OAUTH2 & 800-63 (3A)
Convener: Matt Tebo
Notes-taker(s): Ross Foard
Tags for the session - technology discussed/ideas considered:
Discussion of NIST SP800-63 and OAuth and their relationship
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- 800-63 and OAuth
- Registration/Issuance
- Tokens
- Credential Management
- Authentication
- Assertion
We are going to talk about assertions.
800-63 Assertion definition
Assertions are statements from a verifier (IdP) to an RP that contain information about a subscriber. They may include identification and authentication statements and attributes.
800-63 LOA Threats
1. Assertion Manufacture/Modification
- a. Threat: a bogus assertion, or a real one that has been modified
- b. Mitigation: digital signature (DSIG) or TLS
2. Assertion Re-Use
- a. Threat: a valid assertion is captured and presented again (replayed)
- b. Mitigation: timestamp, validity period
3. Secondary Authenticator Manufacture (in OAuth terms, the authorization code)
- a. Threat: attacker generates a secondary authenticator and impersonates the user
- b. Mitigation: entropy, digital signature, client authentication
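As an added example (not part of the session notes), the three mitigations above written out as a relying-party assertion verifier plus an authorization-server code endpoint in Python. The key, client registration, claim names and helper names are assumptions for illustration; the HMAC-SHA256 signature stands in for the IdP's signature (OpenID Connect ID Tokens are JWTs, normally RSA or EC signed), and the signed-code variant of mitigation 3 is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo material (assumptions, not from the session notes).
IDP_KEY = b"idp-signing-key-demo-only"                # IdP/verifier signing key
CLIENT_SECRETS = {"rp-client-1": "client-secret-1"}   # registered RP clients
AUTH_CODE_LIFETIME = 60                               # seconds a code stays redeemable


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(claims: dict, key: bytes = IDP_KEY) -> str:
    """IdP side: JWS-style compact token, HMAC-SHA256 over header.payload."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"


seen_jti = set()  # RP-side record of assertion IDs already accepted


def verify_assertion(token: str, audience: str, now: Optional[float] = None,
                     key: bytes = IDP_KEY, max_age: int = 300) -> dict:
    """RP side: returns the claims, or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(b64u_decode(header))
        sig_bytes = b64u_decode(sig)
    except ValueError:
        raise ValueError("malformed")
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Threat 1 (manufacture/modification): recompute and compare the signature.
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(payload))
    try:
        iat, exp, jti = claims["iat"], claims["exp"], claims["jti"]
    except (KeyError, TypeError) as missing:
        raise ValueError(f"missing claim {missing}")
    # Threat 2 (re-use): audience, timestamp/validity period and a one-time ID.
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not iat <= now < exp:
        raise ValueError("outside validity period")
    if exp - iat > max_age:
        raise ValueError("validity period too long")
    if jti in seen_jti:
        raise ValueError("replayed")
    seen_jti.add(jti)
    return claims


issued_codes = {}  # AS-side store: code -> (client_id, subject, issued_at)


def issue_code(client_id: str, subject: str, now: Optional[float] = None) -> str:
    """Threat 3 (secondary authenticator manufacture): 256 bits of entropy, bound to one client."""
    code = secrets.token_urlsafe(32)
    issued_codes[code] = (client_id, subject, time.time() if now is None else now)
    return code


def redeem_code(code: str, client_id: str, client_secret: str,
                now: Optional[float] = None) -> str:
    """Token endpoint: client authentication, single use, short lifetime."""
    now = time.time() if now is None else now
    registered = CLIENT_SECRETS.get(client_id)
    if registered is None or not hmac.compare_digest(registered.encode(), client_secret.encode()):
        raise ValueError("client authentication failed")
    entry = issued_codes.pop(code, None)  # pop: a code is redeemable exactly once
    if entry is None:
        raise ValueError("unknown or already used code")
    bound_client, subject, issued_at = entry
    if bound_client != client_id:
        raise ValueError("code was issued to a different client")
    if now - issued_at > AUTH_CODE_LIFETIME:
        raise ValueError("code expired")
    return subject
```

The checks are ordered so that the cheapest unauthenticated failures (malformed input, wrong alg, bad signature) are rejected before any state is touched, and the `jti` is only recorded after every other check passes, so a rejected assertion cannot be used to poison the replay cache.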
OAuth does not carry the identity of the user in any form, although it does provide a "consent" assertion. Any identity-based assertion must use a separate protocol or mechanism.
Facebook Connect is a proprietary predecessor of OpenID Connect. OAuth itself has no standard for the identity portion that OpenID Connect adds.
OAuth 1.0 was trying to solve the three-legged authorization problem with a single solution. OAuth 2.0 made a specific decision not to be backward compatible with OAuth 1.0.
The difficulty of normalizing the signing part (the signed requests of OAuth 1.0) is why OAuth 2.0 standardized on SSL/TLS instead, to broaden the range of devices that can implement it.
Facebook Connect uses a signed authentication token.
We could profile an implementer's draft of OpenID Connect.
User-experience compliance and constraints need to be part of the profile, to ensure the control is exercised as the profiler intends.