OpenID – Identity in the CLOUD? Nat Sakimura (=nat) twitter.com/_nat www.sakimura.org/en/
My name is Nat Sakimura
I come from Japan
I do not speak Portuguese.
So … I have to continue in English
Thank you for inviting me here
Portugal – Japan relationship started in 1543
466th year
A real pleasure to be here to talk to you,
and I would like to thank the organizers for making my visit possible!
Who am I?
Digital Identity since 2000
Founder, OpenID Japan
Community Board Member, OpenID Foundation
Founding Board Member, Kantara Initiative
Senior Researcher, Nomura Research Institute
… And My Mission is …
User Controlled Identity
Faster and Safer Transaction
Well, the system is in the cloud, but what about account management?
[Figure: federated identity across the Internet, linking each company's CRM, HR and ERP systems]
Over 16 accounts
Can remember only 3 pairs
Result: the same e-mail address and password everywhere
2 Types of Federation
Out-of-band trust exchange
E.g. SAML, Shib, etc.
Dynamic federation setup – sometimes promiscuous
Scales more easily. Good for the Internet
E.g. OpenID – Identity in the Cloud
OpenID in 1 minute
Assertion format: Tag=Value (Key-Value Form)
Protocol for request/response of the assertion
Discovery of the IdP through XRDS
Dynamic association (a shared MAC key) established through Diffie-Hellman (DH)
Supported by AOL, Yahoo!, France Telecom, Google, Facebook, etc.
Soon to come? Microsoft, NTT
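As an added example (not from the slides, and not the OpenID Foundation's own code), the Go below shows what the Tag=Value line and the signed assertion amount to in practice: the OP encodes the fields named in openid.signed in Key-Value Form and MACs them with HMAC-SHA256 under the association key, and the RP must recompute that MAC, insist that op_endpoint, return_to, response_nonce and assoc_handle (plus claimed_id and identity when the OP sends them) are inside the signed set, check return_to, and reject a reused nonce. The endpoint URLs, identifiers, nonce and MAC key are constructed values; the MAC key is assumed to have come from the DH association step, which the block does not reproduce. Map keys are the openid.* parameter names with the prefix stripped.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var requiredSigned = []string{"op_endpoint", "return_to", "response_nonce", "assoc_handle"} // always signed; claimed_id/identity too when present

// kvForm is OpenID's Key-Value Form: one "key:value\n" line per key, in openid.signed order.
func kvForm(msg map[string]string, keys []string) ([]byte, error) {
	var b strings.Builder
	for _, k := range keys {
		v, ok := msg[k]
		if !ok || strings.ContainsAny(k, ":\n") || strings.Contains(v, "\n") {
			return nil, fmt.Errorf("field %q absent or not encodable in Key-Value Form", k)
		}
		b.WriteString(k + ":" + v + "\n")
	}
	return []byte(b.String()), nil
}

// mac is HMAC-SHA256 over the Key-Value Form of the listed fields under the association MAC key.
func mac(msg map[string]string, keys []string, macKey []byte) ([]byte, error) {
	data, err := kvForm(msg, keys)
	if err != nil {
		return nil, err
	}
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil), nil
}

// OPSign (OP side) adds "signed" and "sig" to an id_res message; keys are openid.* names without the prefix.
func OPSign(msg map[string]string, macKey []byte) error {
	signed := append([]string{}, requiredSigned...)
	for _, k := range []string{"claimed_id", "identity"} {
		if _, ok := msg[k]; ok {
			signed = append(signed, k)
		}
	}
	signed = append(signed, "signed") // cover the list itself so it cannot be shortened in transit
	msg["signed"] = strings.Join(signed, ",")
	sig, err := mac(msg, signed, macKey)
	if err != nil {
		return err
	}
	msg["sig"] = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// RPVerify (RP side) checks coverage, signature, return_to and nonce replay; seen is the RP's nonce store.
func RPVerify(msg map[string]string, macKey []byte, wantReturnTo string, seen map[string]bool) error {
	if msg["mode"] != "id_res" {
		return errors.New("not a positive assertion")
	}
	covered := func(k string) bool { return strings.Contains(","+msg["signed"]+",", ","+k+",") }
	for i, k := range append(append([]string{}, requiredSigned...), "claimed_id", "identity") {
		if _, present := msg[k]; !covered(k) && (present || i < len(requiredSigned)) {
			return fmt.Errorf("field %q not covered by the signature", k)
		}
	}
	want, err := mac(msg, strings.Split(msg["signed"], ","), macKey)
	got, _ := base64.StdEncoding.DecodeString(msg["sig"])
	if err != nil || !hmac.Equal(want, got) { // constant-time comparison
		return errors.New("bad signature")
	}
	if msg["return_to"] != wantReturnTo {
		return errors.New("return_to mismatch")
	}
	if seen[msg["response_nonce"]] {
		return errors.New("replayed nonce")
	}
	seen[msg["response_nonce"]] = true
	return nil
}

// Demo returns the RP's verdicts on a constructed assertion, on its replay, and on a tampered copy.
func Demo() (valid, replay, forged error) {
	macKey := []byte("constructed stand-in for the association MAC key") // assumed, see lead-in
	msg := map[string]string{
		"mode": "id_res", "op_endpoint": "https://op.example.org/server", "assoc_handle": "assoc-42",
		"return_to": "https://rp.example.com/openid/return", "response_nonce": "2009-06-16T10:00:00ZXy9q",
		"claimed_id": "https://alice.example.net/", "identity": "https://alice.example.net/",
	}
	if err := OPSign(msg, macKey); err != nil {
		return err, err, err
	}
	seen := map[string]bool{}
	valid = RPVerify(msg, macKey, msg["return_to"], seen)
	replay = RPVerify(msg, macKey, msg["return_to"], seen) // same nonce presented again
	msg["identity"] = "https://mallory.example.net/"      // a signed field altered in transit
	forged = RPVerify(msg, macKey, msg["return_to"], map[string]bool{})
	return
}
```

The tampered copy is rejected only because identity sits inside the signed set; an RP that skipped the coverage loop would accept an assertion whose openid.signed quietly omits identity or claimed_id, which is why that check comes before the MAC comparison.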
Identity in the Cloud
… but is it enough?
Roles and Authorization
Audit and Trust formation
Relationship Management and Non-repudiation
Roles and Authorization
Need to extract attributes from the authoritative sources
E.g. HR system
Connect different protocols
LDAP + OpenID
SAML + OpenID
WS-* + OpenID etc.
e.g., once logged into the corporate network, the user can log in to a cloud service seamlessly.
Audit & TRUST
OpenID is Dynamic
Federation: out-of-band trust formation
OpenID: “open”, “promiscuous”
How do I trust the other party?
Creating an ad hoc white list does not scale.
It becomes essentially the same as federation.
Where does the Trust come from?
Third party trust
Audit & Market Feedback
Reputation is a subjective evaluation of the assertion about a subject being true based on factual and/or subjective data about it, and is used as one of the factors for establishing trust on that subject for a specific purpose.
A Reputation Score of a Player (Reputee) on the Type (Criteria) by other players (Reputor) is the subjective probability assigned by the Reputor that the Reputee fulfils the Criteria.
Open Reputation Management System (ORMS)
Relationship Management and non-repudiation
Contract Exchange (CX)
(Legal) Contract + Non-repudiation
OpenID Foundation CX Working Group
The first really international WG ;-)
CX Basic Flow (Simplified Version)
This is a special case of the generalized “Base Model” that is explained later, optimized for OpenID.
1. User accesses the service at the Relying Party (RP).
2. RP creates a signed “Offer” and sends it to the OpenID Provider (OP).
3. User consent is verified at the OP.
4. OP creates the signed “Contract” based on the “Offer” and returns it to the RP.
Non-repudiation and Integrity
Leveraging public-key signing
Encrypting the message with the receiving party’s public key
Extensible contract (i.e., the contract terms need to be defined elsewhere)
Applicable to limited-functionality user agents such as mobile phones
“Artifact” binding
“Ticket” and “Notification”
Use cases revolving around “User Consent”
Use case where the user requesting at the RP and the user giving consent at the OP are not the same.
Cases where the user signs the “Proposal” instead of the RP.
CX Basic Flow (Artifact+Synchronous)
CX Basic Flow (Artifact+Asynchronous)
1. RP gets the OP’s XRD to obtain the OP service end point and the public key of the OP.
2. RP creates the “Offer”, signs it and stores it.
3. RP sends the “Offer” to the OP service end point; OP returns a Ticket for the “Offer”.
4. Browser redirect to show the OP the Ticket.
5. (Optional) OP gets the RP’s XRD to obtain the RP service end point and the public key of the RP.
6. OP obtains user consent on the Offer pointed to by the Ticket and creates a “TransactionID”.
7. Browser redirect to send the “TransactionID” to the RP; RP saves the TransactionID. Done (from the user’s point of view).
8. OP, after other processing, creates the signed Contract and sends a Notification to the RP that a Contract for the TransactionID has been created.
9. RP GETs the Contract based on the TransactionID; OP returns the (encrypted) Contract; RP stores the Contract.
Very Similar to OAuth?
JAL-Hotel SSO & Data Transfer Sequence
Though it would be desirable for its customers to be able to buy hotel rooms etc. when they buy air tickets on its site, JAL, being a transportation provider, is not allowed to sell hotel rooms etc. So it partners with several hotel reservation sites and refers its customers to them.
For this purpose, JAL provides a hotel search front end aggregating all of its hotel partners. When the user makes a selection there, the user is taken to the hotel reservation site. Usually he would have to create an account there, but in the current system the user can log in with his JAL account. The protocol used is OpenID, although it does not show. Together with the login, it also sends verified personal information, including the credit card number, with the user’s consent.
Since the transaction amount ranges anywhere from US$100 to over US$1,000, and the data sent are sensitive, both sides needed non-repudiation, integrity and confidentiality. Unfortunately, none of the existing OpenID extensions gave these properties, so it was decided to go with the TX extension proposed in December 2007 (at IIW).
The system went live on May 28, 2008.
User I/F Sequence
For this purpose, JAL provides a hotel search front end aggregating all of its hotel partners (Fig.1). The user makes a selection from it and clicks the “Reservation Details” button.
The user is then taken to the hotel reservation site for the details and, when he decides to buy, clicks the “Confirm” button (Fig.2).
Then the user is presented with a login page, from which he can choose to log in with his JAL ID (Fig.3).
After the authentication (Fig.4), the user is shown the data transfer contract proposal, noting purpose, data items, duration of use etc. (Fig.5). The contract proposal is actually electronically signed by the data requesting party (in this case, the hotel reservation site). When the user agrees to it, it is countersigned to make it a “Contract” and sent back to the data requesting party. This “Contract” gives non-repudiation for both parties.
The hotel site requests the data over the back channel using this contract. The data is encrypted using the public key of the data requesting party, which is included in the contract. This gives confidentiality; integrity in the strict sense still rests on the signatures, since encryption alone does not detect tampering. In this particular case, name, gender, age, credit card number etc. are actually sent. These are verified values. (Note: JAL has several levels of enrollment. The highest class is the member who has a JAL-issued credit card and has travelled abroad. In this case, the user can be said to have been registered in person with a government-issued photo ID (passport), with a backing payment method.)
In the management interface, a user can manage the contracts he has (Fig.10). He can terminate a contract whenever he wants to.
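To make the offer/consent/contract chain of the CX basic flow above and of the JAL attribute-transfer contract concrete, here is an added Go example (not the CX working group’s or JAL’s code): the RP signs an Offer that carries its public key, the OP records the attributes the user actually consented to and countersigns the whole contract, and the RP (or an auditor) verifies both signatures, the consent subset and the expiry. Ed25519 over canonical JSON stands in for whatever signature scheme the real profile uses; the encryption of the attribute payload to the RP’s public key is not shown; the RP/OP URLs, attribute names, subject and expiry are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Offer is the RP's proposal: which attributes, for what purpose, until when, and the RP's public key.
type Offer struct {
	RP, OP, Purpose string
	Attributes      []string
	Expires         string // RFC 3339
	RPPubKey        []byte // bound in so the OP can verify the Offer and later encrypt attributes to it
}

// Contract is the signed Offer plus the user's consent, countersigned by the OP.
type Contract struct {
	Offer     Offer
	RPSig     []byte
	Subject   string   // the user at the OP
	Consented []string // must be a subset of Offer.Attributes
	OPSig     []byte   // over the JSON of the Contract with OPSig nil
}

// canonical gives deterministic bytes to sign: encoding/json emits struct fields in declaration order.
func canonical(v interface{}) []byte {
	b, _ := json.Marshal(v) // cannot fail for these plain structs
	return b
}

func subset(sub, super []string) bool {
	all := "," + strings.Join(super, ",") + ","
	for _, s := range sub {
		if !strings.Contains(all, ","+s+",") {
			return false
		}
	}
	return true
}

// SignOffer is step 2 of the basic flow: the RP binds its public key into the Offer and signs it.
func SignOffer(o Offer, rpPriv ed25519.PrivateKey) Contract {
	o.RPPubKey = rpPriv.Public().(ed25519.PublicKey)
	return Contract{Offer: o, RPSig: ed25519.Sign(rpPriv, canonical(o))}
}

// Countersign is step 4: the OP checks the RP's signature, records the user's consent on exactly this Offer, and signs the whole Contract.
func Countersign(c Contract, subject string, consented []string, opPriv ed25519.PrivateKey) (Contract, error) {
	if len(c.Offer.RPPubKey) != ed25519.PublicKeySize || !ed25519.Verify(c.Offer.RPPubKey, canonical(c.Offer), c.RPSig) {
		return c, errors.New("offer signature invalid")
	}
	if !subset(consented, c.Offer.Attributes) {
		return c, errors.New("consent names attributes not in the offer")
	}
	c.Subject, c.Consented, c.OPSig = subject, consented, nil
	c.OPSig = ed25519.Sign(opPriv, canonical(c))
	return c, nil
}

// VerifyContract is what the RP (or an auditor) runs on a returned Contract.
func VerifyContract(c Contract, rpPub, opPub ed25519.PublicKey, now time.Time) error {
	if string(c.Offer.RPPubKey) != string(rpPub) || !ed25519.Verify(rpPub, canonical(c.Offer), c.RPSig) {
		return errors.New("offer was not signed by this RP")
	}
	body := c
	body.OPSig = nil
	if !ed25519.Verify(opPub, canonical(body), c.OPSig) {
		return errors.New("OP countersignature invalid")
	}
	if !subset(c.Consented, c.Offer.Attributes) {
		return errors.New("consent exceeds offer")
	}
	if exp, err := time.Parse(time.RFC3339, c.Offer.Expires); err != nil || !now.Before(exp) {
		return errors.New("contract expired or expiry unparsable")
	}
	return nil
}

// Demo runs the flow on a constructed hotel-style Offer and returns the verdicts on the genuine Contract and on a copy with widened consent.
func Demo() (genuine, widened error) {
	rpPub, rpPriv, _ := ed25519.GenerateKey(rand.Reader)
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	offer := Offer{RP: "https://hotel.example.com", OP: "https://op.example.org", Purpose: "hotel reservation",
		Attributes: []string{"name", "tel", "card_number"},
		Expires:    time.Now().Add(24 * time.Hour).UTC().Format(time.RFC3339)}
	c, err := Countersign(SignOffer(offer, rpPriv), "member-123456", []string{"name", "tel"}, opPriv)
	if err != nil {
		return err, err
	}
	genuine = VerifyContract(c, rpPub, opPub, time.Now())
	c.Consented = append(c.Consented, "card_number") // inside the offer, but not what the user agreed to
	widened = VerifyContract(c, rpPub, opPub, time.Now())
	return
}
```

The widened copy fails on the OP countersignature even though card_number was in the original Offer: the OP signs the consented list, not just the Offer, so the RP cannot later claim the user agreed to more than the screen in Fig.5 showed. The expiry check is what a “This Transaction Only” or dated contract turns into at verification time.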
Fig.1 JAL: Search Result Press “Reservation Details”
Fig.2 Myu : Hotel Selection Confirmation Press Confirm
Fig.3 User Login
“You can log in with your JMB*1 Membership Number” (*1 JMB = JAL Mileage Bank). This screen probably needs a rework; perhaps create a “Login by JMB” logo button. Although there is no mention of OpenID here, this actually is an OP-Identifier-based OpenID login.
Fig.4 (Optional) JAL: OpenID Login. It is an OP Identifier login. When the user is already logged into the JAL site, this screen is skipped.
Enter the JMB number and password.
Fig.5 JAL: Attribute Transfer Contract*1
The screen shows the data usage policy, the data to be provided and the expiration date for this contract, with an explanation. The user selects which attributes to send (Name, Address, Tel, Mail, Credit Card Number) and the expiration date for the contract (“This Transaction Only” or a date such as June 16, 2009), then presses “Agree & Proceed”.
*1 Based on http://wiki.openid.net/Trusted_Data_Exchange. For non-repudiation purposes, a mutually e-signed contract is created for the transaction.
Fig.6 Hotel : Name Confirm Now, you are logged in to the Hotel Site. This screen is double checking if you are making a booking for yourself. (You can change the name here if you are booking for someone else.)
Fig.7 Hotel : Room Confirm
Fig.8 Hotel: Payment Method Confirm (Credit Card / Wire Transfer / CVS Payment)
Fig.9 Hotel: Credit Card Confirm. Masked for security reasons. When the user selects “Credit Card”, the number etc. are prefilled because the data was transferred from JAL to the hotel site using the TX extension.
Fig.10 JAL: Managing the contracts/relationship. Each contract shows the contract date and the actual data, with “View Detail” and “Stop Data Provision” (contract termination).
Fig.11 JAL: Contract Termination
Situations in Japan
Success in Japan
Why not use OpenID?
Focus on peace of mind
OpenID can be insecure
Lock it down with a “Security Profile”
https identifiers only, etc.
Introduction of an extra layer:
Non-repudiation with the use of certificates.
How was such a success made possible?
Tackled three domains in parallel:
Consumers, Business & Tech Communities, Government
Joint marketing with other identity-related organizations/activities such as the Liberty Alliance Project Japan SIG and Id-Con.
Using media/press extensively to educate.
Coordinated press conferences, press briefings, etc. with members.
Even a magazine for the average Internet user had headlines on OpenID.
A “must see” news show for business people covered the OpenID Japan press conference.
Other press coverage
Periodic consumer survey to monitor the effectiveness of the promotion
In-person visits to well over 100 companies across industries.
Banks, telcos, Internet merchants, transportation, etc.
Sharing of business cases among the peer group.
OpenID TechNights seminars and other seminar opportunities.
Emphasis on security and clearing up the “myth”
Make the Business Case
During the above visits, discuss possible business models to come up with the one suitable for the company: service creation
Hotel etc. reservation (incl. payment); OpenID-based payment; extending the social graph to the Internet through OpenID
Not only technical
Technology is there to serve people
Leaders of each industry
Strong relationship with the government
Policy Making Involvement
Partnership with other identity organization
E.g. Liberty Alliance Project
Balanced composition as of Nov. 1, 2008. Note: some members wish not to announce their participation in public, so they are not listed on the web page. Published member list: http://www.openid.or.jp/memberlist.html
Visit key institutions to discuss the applicability of OpenID and other distributed digital identity systems in e-Government and business settings.
e.g., Office of the Cabinet, NISC, METI, Ministry of Internal Affairs and Communications
Leverage relationships with various government advisors.
Assist government research in the field.
e.g., Assurance programs, Digital Signature Usage, Digital Authentication Usage, Consumer reach, etc. (NRI)
Government Authentication Guidelines
Telco Guidelines etc.
Notable Activities (not including individual company visits)
8/26 Ministry of Internal Affairs and Communication
8/29 Tokyo Institute of Technology (Prof. Ohyama)
8/29 Tokyo University (Prof. Sudo)
9/4 Ministry of Economy, Trade and Industry
9/8-11 Digital ID World : Panel
9/18 OIDF Content Provider Advisory Committee
9/18 Chuo University (Prof. Sugiura)
9/19 National Information Security Center
9/28 NEC Product Endorsement
10/6 Biglobe Press Release Endorsement
10/6 Rakuten Payment Service Soft Launch
10/30 OpenID-J Press Conference
10/31 Submission of TX to OIDF Spec Committee
11/7 Liberty Alliance Day: Panel
11/10-14 Internet Identity Workshop
11/26 Internet Week 2008
12/3 Web 2008 Expo
12/* OIDF-J Plenary
12/12 OpenID BizDay#1
Cannot list individual company visits because there are too many!
OpenID Foundation Japan Structure
Membership Corporation (OIDF-J): members pay a fee*2, provide funding and support, and submit activity proposals.
Board of Trustees (3, for fiscal fiduciary duty), with a Secretariat (accounting and facilitation).
SIG Leadership Council coordinating SIG 1, SIG 2 … SIG n*1.
Advisors (academic), Advisors (government), Liaison (LAP etc.).
*1 Anticipated initial SIGs: 1. Marketing, 2. Payment, 3. Assurance, 4. User Interface
*2 Fees are deliberately cheap because OIDF-J does not spend much: fee = approx. US$2000 + $1000. Break-even at 20 members for minimum activities; targeting 100 members or more.
Kantara: Building Bridges. Harmonize.
Swahili word: “Bridge”
Rooted in Arabic: “Harmonize”
BUILDING BRIDGES BETWEEN DIVERSE IDENTITY COMMUNITIES AND PROTOCOLS
The Bi-Cameral Model: a Board of Trustees (Member A, Member B … Member N) and a Leadership Council that coordinates the groups (WG 1, DG 1 … DG/WG N) with staff support; the groups report to the Leadership Council, and their participants are members and non-members alike.
No cost; able to participate in all DGs and have full voting rights in WGs
Must first sign the IPR agreement that a Group operates under
Receive a Member discount to attend and participate in interoperability workshops & Kantara Initiative meetings/ conferences
Vote on the adoption of all final Kantara Initiative Recommendations
Listed as a Member on Kantara Initiative’s web site
All member rights plus a seat on the Board of Trustees (with associated responsibilities) as well as:
Exercise fiduciary oversight of Kantara Initiative
Listed as a Trustee on the Kantara Initiative web site (premium logo placement)
Preferential right of first refusal (prior to other Members) to actively participate in Kantara Initiative’s marketing and promotional activities at trade shows and other industry events
Listed as a Trustee in all Kantara Initiative press releases
Incubation (Discussion Groups)
Anyone can start and participate
Used to gather community support for a new Work Group or Leadership Council funding request
Active (Working Groups)
Charter approved by the Leadership Council to ensure it complies with the goals, purpose, and principles of Kantara Initiative
Each charter must include a reference to the IPR agreement it wishes to operate under (a menu of agreements possible is maintained by the BoT)
Produces all output that may lead to final Kantara Initiative Recommendations (per vote of full Membership)
Once work concludes or becomes inactive, WG is sunset by Leadership Council
Benefits to Existing Initiatives
Existing .orgs can join as Members or Trustees to shepherd their activities through the Kantara Initiative process
Kantara Initiative WGs are open to anyone and voting is a right granted to all without requirement of paying membership, so existing organizations can apply for WG status for their existing or new activities
Brings benefit of Kantara Initiative institutional support to that activity
On a case-by-case basis, Members who are also solution-developing organizations can negotiate specific shared infrastructure and staffing arrangements, even without any commitments of merging with Kantara Initiative over time (which is always an option but not required).
Benefits to Participants
One organization to join, no financial barrier to participation
Inclusive scope and mission of all solution technologies and operational frameworks
Global scope, involvement, and reach, with more participants and broader constituency than any single pre-existing .org
Collaborative environment across disciplines (technical, business, policy, privacy, etc)
Allows diversity of projects, put into a meaningful context
Simple & painless process to start work quickly, openly, yet with proven IPR processes and procedures in place
Leverage trademark programs for interoperability, conformance, compliance, and accreditation
Recent developments in Japan, besides more and more companies announcing support, such as NTT…