The document summarizes the evolution of digital identity from Identity 1.0 to Identity 3.0. Identity 1.0 focused on de-perimeterization and the COA framework for device and information lifecycle management. Identity 2.0 involved securely collaborating in clouds and access management commandments. Identity 3.0 brings the concept of bringing your own identity using a single global identifier with personas, enhanced privacy, and interchangeability without centralized infrastructure. The document outlines how an Identity 3.0 system could work using one-way trust between a core identifier and external identifiers to form personas with cryptographically signed attributes. It provides Oracle's WebLogic Server and Access Manager as an example platform to implement such a system.

1. A match made in heaven or is hell freezing over?
Bram van Pelt
Identity 3.0 and Oracle

2. Who Am I
• Bram van Pelt
• Expert lead Security
• Security Consultant

3. What will we be covering
Agenda
• The evolution of the identity
• Identity 3.0
• Oracle POC implementation

4. Definitions
• Account
• Identity
• User

5. The history of digital Identity

6. Identity 1.0
• Jericho Forum
• De-perimeterisation
• COA Framework

7. COA Framework
• Technologies
– Endpoint security
– Secure communications
– Secure data (DRM)

8. COA Framework
• Processes
– People Lifecycle Management
– Risk Management
– Information Lifecycle Management
– Device Lifecycle Management
– Enterprise Lifecycle Management

9. COA Framework
• Services
– Identity management and federation
– Policy Management
– Information Classification
– Information Asset Management
– Audit

10. Identity 2.0
• Securely collaborating in clouds
• Identity, Entitlement & Access Management Commandments

11. Identity, Entitlement & Access
Management Commandments
• 14 Guidelines on how to secure an identity
• An Entity can have multiple, separate Persona (Identities) and related
unique identifiers
• The source of the attribute should be as close to the authoritative source
as possible
• A resource owner must define Entitlement (Resource Access Rules)

12. Identity 3.0
• Bring your own identity
• Using identity to enhance privacy
• “We believe that with a single global identity eco-system all this is
possible.”

13. Identity 3.0 definitions
• External identifier
A provider for attributes other than the user.
• Core identifier
The “bring your own identity” attribute provider
• Persona
A mix of attributes which are provided by the core identifier and optionally external
identifiers

14. Identity 3.0 principles: Risk
• Decisions around identity are taken by the
entity that is assuming the risk; with full
visibility of the identity and attributes of all
the entities in the transaction chain.
• Attributes of an Identity will be signed by the
authoritative source for those attributes.

15. Identity 3.0 principles: Privacy
• Every entity shall need only one identity which is unique and private unto
the entity; there will be no body issuing or recording identities.
• The Identity ecosystem will be privacy enhancing; attributes will be
minimised, asserting only such information that is relevant to the
transaction.
• Entities will only maintain attributes for which they are the authoritative
source.

16. Identity 3.0 principles:
Functionality
• The digital representation and function of an entity type will be
indistinguishable from another entity type, and will be interchangeable in
operation.
• The Identity ecosystem will operate without the need for identity brokers,
CA of last resort or other centralized infrastructure.
• Identity shall be (as much as possible) invisible to the end user; identity
and attribute verification and exchange should be a background operation
until such time that increased levels of user verification is required.

17. The inner workings

18. Inner workings
• Personas
• One way trust

19. Persona’s
19
[Entity: Organization]
Government
[Entity: Person]
Yourself
Citizen Persona with authoritative
(cryptographically) signed
attributes
Date of Birth = 01 Jan 2000
Place of Birth = London, UK
Sex at Birth = Male
Name at Birth = John Doe
Citizenship = Full British
Issued = 01 Jan 2015
Revalidation = gid.citizen.gov.uk

20. Trust

21. One way trust
• I trust you, so you can access my resources
• Does not mean you can access unauthenticated

22. How does this work?
• Site demands identity
• You give your attrbutes
• Your login to the
External identifier

23. How does this work?
• Reusable
• Web of identities

24. Why would you want this
• No more user storage
• Personalisation options
• Transparancy to end users
• Enhanced privacy

25. How would we build this?
• Ingredients:
– The core identity and identifier
– The persona’s implementation
– The external identifier / authenticators

26. The core identity and Identifier
• This is a personal device which you have on you, if possible…
• Phones
• Dyn-dns via browsers
• Personal component

27. The Persona implementation
• Basically an “identity cookbook”
• Trusts to identifiers
• One way cryptographic trust
– Signed attributes

28. The external identifier /
authenticator
• Basically an external identification source
• Chosen by the application

29. How would we build this?
• Oracle Weblogic Server
– SAML Trust to an access manager
• Oracle Access Manager
– Key retrieval using dyndns
– External authentication (Using SAML or OAuth2)
• Personal authenticators…
– Todo…

30. Let’s picture it

31. What do we need
• Oracle:
– Authentication modules to authenticate using DYNDNS / IPV6
– Personal authenticators
– Expanded control over authentication chains

32. YOU

33. Special Thanks
• Global Identity Foundation
• Jericho Forum

34. • Bram van Pelt
• Twitter: @BramPelt
• LinkedIn: http://linkedin.com/in/bram-van-pelt-
77a15021