Identity In The Browser

From IIW

Session Topic: Identity In The Browser

Convener: Michael Hanson and Dan Mills and Dick Hardt

Notes-taker(s): Patricia Wiebe

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

• Browser has role in verified claims

• Identity “in the browser” means it is baked into client software, not in the cloud

••• Browsers are generally accepted as being in the trusted zone, trusted by user

• Developed a model based on verified email, which users already understand and which should be trusted at least as much as the scenario where passwords are reset by email

• Model:

••• Browser stores user’s private key in safe location

••• User logs into browser, which provides access to user’s keys

••• Browser discovers the user’s public key from their email address via a request to the server

••• Browser generates identifier based on keys, provides to RP

• Claim is “I control this identifier”, based on proof that “I control this email address” (via SMTP)

••• Is this assurance level 1 only?

• Approach to logon initiation is left to the RP, which determines when it is appropriate to ask the user to log on

• User experience – the user needs to decide whether to disclose their identifier, and of which type: correlatable (e.g. email address), pseudonymous (pairwise, per RP domain), or ephemeral (one-time use)

• Who would provide such an email verification system (that hosts users’ public keys)?

••• Mozilla is willing

• Could an RP query the user’s browser to determine whether it is capable of this?
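As an added example (not from the session, and not Mozilla's or any browser's code), the model above sketched in Go: the browser holds a master seed, picks an Ed25519 key according to the user's disclosure choice (correlatable, pairwise per RP domain, or ephemeral), derives the identifier from the public key and signs the RP's challenge, and the RP checks that the identifier matches the key and that the signature is bound to its own domain. The email-address-to-public-key lookup step is assumed to happen out of band and is not shown; the derivation scheme, the 32-byte master seed and the message format are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// The identifier is "based on keys": hex SHA-256 of the public key, so whoever controls the key controls the identifier.
func identifierFromKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// keyFor applies the user's disclosure choice: "correlatable" reuses the master
// key for every RP, "pairwise" derives a per-RP-domain key, anything else is ephemeral.
func keyFor(masterSeed []byte, kind, rpDomain string) ed25519.PrivateKey {
	switch kind {
	case "correlatable":
		return ed25519.NewKeyFromSeed(masterSeed) // masterSeed must be ed25519.SeedSize (32) bytes
	case "pairwise":
		seed := sha256.Sum256(append([]byte("pairwise|"+rpDomain+"|"), masterSeed...))
		return ed25519.NewKeyFromSeed(seed[:])
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader) // one-time key, never stored
	if err != nil {
		panic(err) // CSPRNG failure is not recoverable here
	}
	return priv
}

// Both sides sign/verify the same bytes; binding the RP domain prevents replay of an assertion to another RP.
func assertionMessage(id, rpDomain string, challenge []byte) []byte {
	return append([]byte(id+"|"+rpDomain+"|"), challenge...)
}

// Login is the browser side: pick the key, derive the identifier, sign the RP's challenge.
func Login(masterSeed []byte, kind, rpDomain string, challenge []byte) (string, ed25519.PublicKey, []byte) {
	priv := keyFor(masterSeed, kind, rpDomain)
	pub := priv.Public().(ed25519.PublicKey)
	id := identifierFromKey(pub)
	return id, pub, ed25519.Sign(priv, assertionMessage(id, rpDomain, challenge))
}

// Verify is the RP side: the identifier must derive from the presented key and the
// signature must cover this RP's own domain and this exact challenge.
func Verify(id string, pub ed25519.PublicKey, sig, challenge []byte, rpDomain string) bool {
	return identifierFromKey(pub) == id && ed25519.Verify(pub, assertionMessage(id, rpDomain, challenge), sig)
}
```

Note that in the pairwise case the RP still sees a public key, but a different one per domain, so two RPs cannot link the user by key; the correlatable case exposes the same key everywhere.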