www.oasis-open.org. Building "One Size Fits All" Identity Systems: Possible or Fantasy? Ronny Bjones, Security Architect, Microsoft Corporate. Is it realistic? Different requirements between businesses, consumers, governments, corporate users, etc.


Presentation Transcript


  1. www.oasis-open.org
  Building "One Size Fits All" Identity Systems: Possible or Fantasy?
  Ronny Bjones, Security Architect, Microsoft Corporate

  2. Is it realistic?
  • Different requirements between businesses, consumers, governments, corporate users, etc.
  • Different risk profiles implying different measures to prove (mutual) identities
  • Different cultural sensitivities when it comes to identities (e.g. eID)
  • Yet another IDA system to which we have to adapt our applications!
  • And what about all these different platforms?

  3. Haven't we heard this before? (slide figure: a row of alternating "+" and "-" markers; the items they rated are not recoverable from the transcript)

  4. A new approach should…
  • be based on a federated model providing an SSO experience
  • have privacy protection built into the heart of the system
  • increase the overall security on the Internet, scalable according to the risk model
  • be very easy to use by businesses and consumers
  • be easily integrated into services and applications

  5. Identity Metasystem (slide diagram; only its labels survive in the transcript)
  • Parties: User, Identity Selector, Identity Providers, Relying Parties
  • Cards: Medical Card, Store Card, Insurance Card, Employee Card, Bank Card, DOL Card, Personal Card, E-mail Card, Junk Card
  • Sites: Members Only Club Site, D.O.L., Bank, Pet Site, Employer, Gov. Store Sites, Other Sites
  • Protocols: WS*, WEB*
  • Token fields: Token, Name, Account, Status

  6. Strong Identity and Access is Complicated
  • For developers
  • For users

  7. What is Windows CardSpace? (slide diagram labels: Security Token Service, User Experience Service)
  • Identity Selector for Windows
  • Digital identities represented by cards
  • When user selects a card
    • Get security token from Identity Provider
    • Give it to the Relying Party after user consent
  • User is in control

  8. Wallet Metaphor
  • A set of claims someone makes about me
  • Claims are packaged as security tokens
  • Many identities for many uses

  9. Framework for Interoperability
  • TCP/IP of Identities
  • Defined on open standards – WS*
  • Extended by CardSpace's definition of CLAIMS
    • http://download.microsoft.com/download/2/7/c/27c16ebb-bf83-4abd-8002-21fa111ba7ac/infocard-profile-v1-techref.pdf
  • CardSpace is security token agnostic
    • SAML, Kerberos, X.509, custom
  • Identity Providers can bridge different identity technologies
  • Multiprotocol Federation Interoperability Demonstration
    • Burton Group – Gerry Gebel – November 1st 2005
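The card-selection, consent, token-issuance and relying-party verification steps of slides 7 to 9, as an added simulation that is not part of the deck or of Microsoft's CardSpace code. The cards, the relying-party policy and the issuer keys are constructed sample data, and an HMAC stands in for the real token signature so the flow runs offline; the point it shows is that the selector only offers cards that can satisfy the policy, the issuer signs only the requested claims, and the relying party rejects untrusted issuers and tampered tokens.

```python
import hmac, hashlib, json

# Constructed sample data: cards held in the user's identity selector.
# Each card names its issuer and the claims that issuer can vouch for.
CARDS = [
    {"name": "Bank Card",     "issuer": "bank",     "claims": ["name", "account_id"]},
    {"name": "Employee Card", "issuer": "employer", "claims": ["name", "employee_id"]},
    {"name": "Personal Card", "issuer": "self",     "claims": ["name", "email"]},
]

# Constructed issuer keys: stand-ins for real identity-provider signing keys.
# (Symmetric here for brevity; a real deployment would use the issuer's public key at the RP.)
ISSUER_KEYS = {"bank": b"bank-key", "employer": b"employer-key", "self": b"self-key"}

def matching_cards(cards, policy):
    """Identity-selector step: offer only cards able to satisfy the relying party's policy."""
    return [c for c in cards
            if c["issuer"] in policy["trusted_issuers"]
            and set(policy["required_claims"]) <= set(c["claims"])]

def issue_token(card, policy, attributes):
    """Identity-provider step: sign only the claims the policy asked for (minimal disclosure)."""
    claims = {k: attributes[k] for k in policy["required_claims"]}
    body = json.dumps({"issuer": card["issuer"], "claims": claims}, sort_keys=True)
    mac = hmac.new(ISSUER_KEYS[card["issuer"]], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify_token(token, policy):
    """Relying-party step: trust the issuer, check the signature, then check the claim set."""
    parsed = json.loads(token["body"])
    issuer = parsed["issuer"]
    if issuer not in policy["trusted_issuers"]:
        return None
    expected = hmac.new(ISSUER_KEYS[issuer], token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None                      # tampered or wrongly keyed token
    if set(parsed["claims"]) != set(policy["required_claims"]):
        return None                      # over- or under-disclosure relative to policy
    return parsed["claims"]

def cardspace_flow(policy, user_attributes, consent):
    """Whole flow: policy -> card selection -> user consent -> token -> RP verification."""
    candidates = matching_cards(CARDS, policy)
    if not candidates or not consent:
        return None                      # no usable card, or the user declined at the consent step
    token = issue_token(candidates[0], policy, user_attributes)
    return verify_token(token, policy)
```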

  10. Resources
  • http://www.identityblog.com/
    • Laws of Identity
    • Identity Metasystem
  • Zermatt: https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&DownloadID=12937
  • Netfx3: http://cardspace.netfx3.com

  11. Conclusions
  • Identity layer on the Internet should:
    • Incorporate privacy, security, usability by design
    • Interoperability, interoperability, interoperability, …
    • Make life easy for developers and not raise the bar
