Digital Signatures for use by IDA Relying Parties v102

Presented at the September 2012 Personal Data Ecosystem Catalyst Workshop in London on OIX

Transcript

  • 1. Digitally signing forms at IDA Relying Parties. Jon Shamah, EJ Consultants, 04/09/2012. Commercial in Confidence, E J Consultants.
  • 2. IDA limitations and suggested resolution
      • IDA scheme as currently envisaged does not include any digital signing capability for on-line forms.
        – Provides authentication to a relying party only.
      • Potential resolution is to create an appliance-based PKI at the relying party with authorisation linked to the customer's mobile.
        – The Relying Party in effect acts as the Registration Authority for its IDA-authenticated customers.
      • The advantage is that this simple approach to on-line form signing helps agencies justify inclusion in IDA with no impact on current procurements and the existing scheme architecture.
  • 3. [Flow diagram, built up over slides 3 to 11: Customer, Portal (Login), IdSP (Authenticate), Hub] Customer starts sign-in to his account on the portal. He is redirected to his IdSP for authentication.
  • 4. [Diagram adds: step 2, SAML2 from IdSP to Hub; Session Manager, Match customer; Customer Data] IdSP issues SAML2 assertion. Hub communicates with Session Manager, who matches the credential to internal customer data to establish identity.
  • 5. [Diagram adds: step 3, Establish Session] Session Manager establishes session.
  • 6. [Same diagram] Unique customer certificate is created in the appliance and its key can only be used via delegated release using an OTP.
  • 7. [Diagram adds: Form fetch & prefill; View/fill] Customer selects a form to fill and views / completes a pre-filled form.
  • 8. [Diagram adds: step 4, Press submit to agree to sign with OTP; Signing Page] Customer agrees to sign form with OTP. Transfers to signing page.
  • 9. [Diagram adds: OTP / SMS Authenticator; step 5, OTP releases data key to sign (PKI stored in Co-Sign)] OTP is sent to registered mobile. Customer enters code into signing page.
  • 10. [Diagram adds: step 6, Hash signed and returned; Signed form: download and print] Document hash is signed using the customer's certificate stored in Co-Sign and then embedded in the document for distribution.
  • 11. [Same diagram] Note: Customer certificates in the appliance are continuously synchronised/validated together with Customer data.
  • 12. Discussion
      • The IDA does not currently support digital signatures for signing on-line forms as part of the core architecture.
      • Are agencies willing to move to on-line signing of forms?
      • Do/will we need digital signatures to do this?
      • Can this form an ROI case to encourage joining IDA?
  • 13. Thank you. JON SHAMAH – EJ CONSULTANTS, jshamah@ejconsultants.co.uk, +44 7813-111290
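The OTP-gated signing flow of slides 6 to 10, modelled as an added example in Go; it is not code from the deck or from any CoSign product. It assumes an ECDSA P-256 key standing in for the customer certificate, a random six-digit code standing in for the SMS gateway, SHA-256 as the document hash, and the names CustomerSigner, Enrol, IssueOTP, Sign and Verify are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
)

// CustomerSigner is one customer's entry in the appliance (constructed model, not CoSign code).
type CustomerSigner struct {
	key     *ecdsa.PrivateKey // created at session establishment; never leaves the appliance
	pending string            // code sent to the registered mobile, consumed by one signing
}

// Enrol creates the unique customer key pair and returns only the public half (the certificate's content).
func Enrol() (*CustomerSigner, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &CustomerSigner{key: key}, &key.PublicKey, nil
}

// IssueOTP is the OTP/SMS authenticator step: a fresh six-digit code for this signing attempt.
func (s *CustomerSigner) IssueOTP() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	s.pending = fmt.Sprintf("%06d", n.Int64())
	return s.pending, nil
}

// Sign releases the key for exactly one operation when the code matches and signs the form's SHA-256 hash.
func (s *CustomerSigner) Sign(form []byte, otp string) ([]byte, error) {
	if s.pending == "" || subtle.ConstantTimeCompare([]byte(s.pending), []byte(otp)) != 1 {
		return nil, fmt.Errorf("signing refused: no valid one-time code")
	}
	s.pending = "" // one code, one signature: a replayed code is refused
	digest := sha256.Sum256(form)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify is the recipient's check of the signature embedded in the distributed form.
func Verify(pub *ecdsa.PublicKey, form, sig []byte) bool { d := sha256.Sum256(form); return ecdsa.VerifyASN1(pub, d[:], sig) }
```

A production appliance would keep the key in an HSM and rate-limit code attempts; the point shown is that the key is only ever exercised inside the appliance, and only once per code.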