Building Persona: federated and privacy-sensitive identity for the Web (LCA 2013)
This talk explores the challenges of the existing Web identity solutions and introduces the choices that were made during the development of Persona (formerly BrowserID), a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.

CC Attribution-ShareAlike License

  • Good, Thank you!
    gab

Presentation Transcript

  • Building Persona: federated & privacy-sensitive identity for the web. François Marier – @fmarier
  • solving the password problem on the web
  • Username: francois   Password: ****************   Sign in
  • security
  • bcrypt, per-user salt, site secret, password & lockout policies, secure recovery
  • conversion rate
  • # hits → signup → signup_complete (customers lost at each step)
  • existing solutions
  • client certificates
  • centralized authorities
  • so... storing passwords is hard, and there are no suitable alternatives
  • decentralized, privacy-sensitive, simple, open source
  • in your browser
  • how does it work?
  • francois@mozilla.com
  • getting a proof of email ownership
  • authenticate? public key → signed public key
  • you have a signed statement from your provider that you own your email address
  • logging into a 3rd party site
  • assertion for linux.conf.au, valid for: 2 minutes; check audience, check expiry, check signature
  • assertion + public key: linux.conf.au, valid for: 2 minutes
  • assertion → session cookie
  • achieving that vision
  • email providers, browser vendors
  • email providers
  • fmarier@gmail.com
  • fallback identity provider
  • persona.org account
  • support for all email providers
  • browser vendors
  • navigator.id.*
  • js
  • support for all modern browsers (>= 8)
  • LIFD: Locally Isolated Feature Domain
  • wanted: trusted code running in the browser
  • login.persona.org
  • localStorage:
    localStorage.setItem("key", serializedKey);
    var serializedKey = localStorage.getItem("key");
  • storage tied to login.persona.org
  • window.postMessage()
  • postMessage + localStorage + https://login.persona.org
  • questions?
  • live demo
  • using it on your site
  • <script src="https://login.persona.org/include.js"></script></body></html>
  • navigator.id.watch({
      loggedInUser: "francois@mozilla.com",
      onlogin: function (assertion) {
        $.post("/login", {assertion: assertion}, function (data) {
          // do something
        });
      },
      onlogout: function () {
        window.location = "/logout";
      }
    });
  • navigator.id.watch({
      loggedInUser: null,
      onlogin: function (assertion) {
        $.post("/login", {assertion: assertion}, function (data) {
          window.location = "/";
        });
      },
      onlogout: function () {
        window.location = "/logout";
      }
    });
  • navigator.id.request()
  • navigator.id.watch({
      loggedInUser: null,
      onlogin: function (assertion) {
        $.post("/login", {assertion: assertion}, function (data) {
          window.location = "/home";
        });
      },
      onlogout: function () {
        window.location = "/logout";
      }
    });
  • import requests

    def verify_assertion(assertion):
        # the audience must be this site's own origin; the verifier refuses
        # assertions minted for any other site
        page = requests.post(
            "https://verifier.login.persona.org/verify",
            data={"assertion": assertion,
                  "audience": "http://123done.org"})
        data = page.json()
        return data["status"] == "okay"
  • { "status": "okay", "audience": "http://123done.org", "expires": 1344849682560, "email": "francois@mozilla.com", "issuer": "login.persona.org" }
  • { "status": "failed", "reason": "assertion has expired" }
  • navigator.id.logout()
  • 1. load javascript library
    2. setup login & logout callbacks
    3. add login and logout buttons
    4. verify proof of ownership
  • persona.php (the demo site, reconstructed from the two-column slide):
    <?php
    if (!empty($_POST)) {
        $result = verify_assertion($_POST['assertion']);
        if ($result->status === 'okay') {
            print_header();
            echo "<p>Logged in as: " . htmlspecialchars($result->email) . "</p>";
            echo '<p><a href="javascript:do_logout()">Logout</a></p>';
            print_backLink();
            print_footer($result->email);
        } else {
            print_header();
            echo "<p>Error: " . htmlspecialchars($result->reason) . "</p>";
            print_backLink();
            print_footer();
        }
    } elseif (!empty($_GET['logout'])) {
        print_header();
        echo "<p>You have logged out.</p>";
        print_backLink();
        print_footer();
    } else {
        print_header();
        echo '<p><a href="javascript:do_login()">Login</a></p>';
        print_footer();
    }

    function verify_assertion($assertion) {
        // the audience is this site's own origin: scheme, host and port
        $audience = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://')
            . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];
        $postdata = 'assertion=' . urlencode($assertion) . '&audience=' . urlencode($audience);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://verifier.login.persona.org/verify");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // the verifier's TLS certificate must check out
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        $json = curl_exec($ch);
        curl_close($ch);
        $res = json_decode($json);
        // DEMO ONLY: the talk's offline demo forced a successful result here;
        // a real deployment must return the verifier's answer unchanged.
        $res->status = 'okay';
        $res->email = 'francois@mozilla.com';
        return $res;
    }

    function print_header() {
        echo <<<EOF
    <!DOCTYPE html><html><head><meta charset="utf-8"></head>
    <body><form id="login-form" method="POST">
    <input id="assertion-field" type="hidden" name="assertion" value="">
    </form>
    EOF;
    }

    function print_backLink() {
        echo '<p><a href="persona.php">Back to login page</a></p>';
    }

    function print_footer($email = null) {
        // loggedInUser must be a JavaScript string literal, or null when nobody is logged in
        $email = ($email !== null) ? "'$email'" : 'null';
        echo <<<EOF
    <script src="http://127.0.0.1:10002/include.orig.js"></script>
    <script>
    function do_login() { navigator.id.request(); }
    function do_logout() { navigator.id.logout(); }
    navigator.id.watch({
      loggedInUser: $email,
      onlogin: function (assertion) {
        alert("onlogin: $email");
        var assertion_field = document.getElementById("assertion-field");
        assertion_field.value = assertion;
        var login_form = document.getElementById("login-form");
        login_form.submit();
      },
      onlogout: function () {
        alert("onlogout: $email");
        window.location = '?logout=1';
      }
    });
    </script></body></html>
    EOF;
    }
    ?>
  • wanna help us solve the password problem?
  • add Persona to your project/site; tell us about your experience; email one site asking for it
  • grab some stickers!
  • To learn more about Persona:
    https://login.persona.org/
    http://identity.mozilla.com/
    https://developer.mozilla.org/docs/Persona/Why_Persona
    https://developer.mozilla.org/docs/Persona/Quick_Setup
    https://github.com/mozilla/browserid-cookbook
    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
    http://123done.org/
    https://wiki.mozilla.org/Identity#Get_Involved
    @fmarier http://fmarier.org
  • Photo credits:
    Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
    Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
    Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
    Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
    Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
    © 2013 François Marier <francois@mozilla.com>
    This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
  • Who's using Persona?
  • identity provider API: https://eyedee.me/.well-known/browserid
    {
      "public-key": { "algorithm": "RS", "n": "8606...", "e": "65537" },
      "authentication": "/browserid/sign_in.html",
      "provisioning": "/browserid/provision.html"
    }
  • identity provider API:
    1. check for your /.well-known/browserid
    2. try the provisioning endpoint
    3. show the authentication page
    4. call the provisioning endpoint again