Identity Doesn't Matter - Authorization Does

From IIW

Conference IIW8 Room/Time: 1/A

Convener: Alan Karp, HP Labs

Notes-taker: Guillaume Lebleu

Attendees:

Technology Discussed/Considered: Webkeys, authorization, delegation

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Alan started the session with a few slides on Identity and Access Management Position Statement. His main point is that the two concerns should be separate.

Basic problem: how does a user inform a car rental company to update the rental IF the flight is delayed? The car rental company does not care who is changing the car rental information as long as they are authorized.

Web keys: Use Bookmarks for login. Example: https://airline.com/iodksldlsjdlskjd, a secure URL with a password. The user does the same for all the services he uses. Companies already use Web keys: You can view a confirmation by clicking a URL received in an email. This Web key can be passed along. The issuer does not care who uses the URL as long as they have received it.

Question for the session: Do we really need identity? What are the use cases that REQUIRE identity, except for the "who did what" use case (“who to throw in jail scenario”)? Delegation of authority is done by sending a URL.

“Identity is an indirection to authorization”

The challenge is the delegation: how to share a small amount of rights.

If there is a mechanism for proving one's identity.

Identity gets in the way of delegation. With URLs you can delegate delegated rights. I can't prevent the receiver from delegating anyway. They will find a workaround.

Access control problem: identification, authentication, authorization (ACL), ACLs check

Web keys are like machine language. For the convenience of users/administrators: user roles, identity, etc.

We use identity in too many places, which makes identity theft possible.

There is no logging system for delegation of authorizations.

Webkey: sentry system to whom I show a pass.

Voluntary Oblivious Compliance. You have to acknowledge that you are relying on the good action of your people: they can always find a workaround.

Identity is like a center of gravity where you accumulate reputation (ex. Lots of links pointing to you). Identity: there is no data there, except that it is the guy.

“Aggregated identification is way harder than the way OAuth does it.” Eve Maler

Q: The problem with Webkeys is how to remove delegation. A: you remove the mapping. Q: yes, but I need to break each one.

Identifiers have a benefit of aggregating authorizations.

Authorization management has to be done in the user's domain.

Webkeys represent permissions. A GET on a Webkey may return several other Webkeys.
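An added sketch of the webkey model described in these notes (not code from the session or from any Webkey implementation): access is decided on the key alone, a holder can delegate a narrower key, and revocation removes the mapping. The `WebkeyIssuer` class, the `rental.example` host and the choice to cascade revocation to derived keys are assumptions made for illustration.

```python
import secrets

class WebkeyIssuer:
    """Maps unguessable URL tokens to grants; the caller's identity is never consulted."""

    def __init__(self, base="https://rental.example/"):  # hypothetical host
        self.base = base
        self.grants = {}  # token -> {"resource", "rights", "parent"}

    def mint(self, resource, rights, parent=None):
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self.grants[token] = {"resource": resource,
                              "rights": frozenset(rights), "parent": parent}
        return self.base + token

    def _grant(self, url):
        if not url.startswith(self.base):
            return None, None
        token = url[len(self.base):]
        return token, self.grants.get(token)

    def check(self, url, right):
        """Access decision at use time: does this key carry this right?"""
        _, grant = self._grant(url)
        return grant is not None and right in grant["rights"]

    def delegate(self, url, rights):
        """Holder trades a webkey for a narrower one to pass along."""
        token, grant = self._grant(url)
        if grant is None or not set(rights) <= grant["rights"]:
            raise PermissionError("key is revoked or lacks the requested rights")
        return self.mint(grant["resource"], rights, parent=token)

    def revoke(self, url):
        """Remove the mapping, then every key derived from it (design assumption)."""
        token, _ = self._grant(url)
        if token is None:
            return
        self.grants.pop(token, None)
        for child in [t for t, g in self.grants.items() if g["parent"] == token]:
            self.revoke(self.base + child)

if __name__ == "__main__":
    issuer = WebkeyIssuer()
    owner = issuer.mint("rental/1234", {"view", "update"})  # constructed sample
    airline = issuer.delegate(owner, {"update"})  # airline may update on a delay
    partner = issuer.delegate(airline, {"update"})  # delegating a delegated right
    issuer.revoke(airline)
    print(issuer.check(owner, "update"), issuer.check(partner, "update"))
```

Because each delegate holds its own key, revoking the airline's key leaves the owner's key working, and recording the `parent` token gives the issuer a trail of who delegated from which key.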

Identity does not matter at the time of access control, it matters only at the time you assign it.

Webkey is not security by obscurity.

If you don't want your sister to see your calendar, don't send the email with the Webkey to her.

It all depends if you need to do the evaluation at use time or not. Is the policy contextual?

What about implementing separation of duties w/ Webkeys?