11. Identity, Entitlement & Access
Management Commandments
• 14 Guidelines on how to secure an identity
• An Entity can have multiple, separate Persona (Identities) and related
unique identifiers
• The source of the attribute should be as close to the authoritative source
as possible
• A resource owner must define Entitlement (Resource Access Rules)
12. Identity 3.0
• Bring your own identity
• Using identity to enhance privacy
• “We believe that with a single global identity eco-system all this is
possible.”
13. Identity 3.0 definitions
• External identifier
A provider for attributes other than the user.
• Core identifier
The “bring your own identity” attribute provider
• Persona
A mix of attributes which are provided by the core identifier and optionally external
identifiers
14. Identity 3.0 principles: Risk
• Decisions around identity are taken by the
entity that is assuming the risk; with full
visibility of the identity and attributes of all
the entities in the transaction chain.
• Attributes of an Identity will be signed by the
authoritative source for those attributes.
15. Identity 3.0 principles: Privacy
• Every entity shall need only one identity which is unique and private unto
the entity; there will be no body issuing or recording identities.
• The Identity ecosystem will be privacy enhancing; attributes will be
minimised, asserting only such information that is relevant to the
transaction.
• Entities will only maintain attributes for which they are the authoritative
source.
16. Identity 3.0 principles:
Functionality
• The digital representation and function of an entity type will be
indistinguishable from another entity type, and will be interchangeable in
operation.
• The Identity ecosystem will operate without the need for identity brokers,
CA of last resort or other centralized infrastructure.
• Identity shall be (as much as possible) invisible to the end user; identity
and attribute verification and exchange should be a background operation
until such time that increased levels of user verification is required.
19. Persona’s
19
[Entity: Organization]
Government
[Entity: Person]
Yourself
Citizen Persona with authoritative
(cryptographically) signed
attributes
Date of Birth = 01 Jan 2000
Place of Birth = London, UK
Sex at Birth = Male
Name at Birth = John Doe
Citizenship = Full British
Issued = 01 Jan 2015
Revalidation = gid.citizen.gov.uk
24. Why would you want this
• No more user storage
• Personalisation options
• Transparancy to end users
• Enhanced privacy
25. How would we build this?
• Ingredients:
– The core identity and identifier
– The persona’s implementation
– The external identifier / authenticators
26. The core identity and Identifier
• This is a personal device which you have on you, if possible…
• Phones
• Dyn-dns via browsers
• Personal component
27. The Persona implementation
• Basically an “identity cookbook”
• Trusts to identifiers
• One way cryptographic trust
– Signed attributes
28. The external identifier /
authenticator
• Basically an external identification source
• Chosen by the application
29. How would we build this?
• Oracle Weblogic Server
– SAML Trust to an access manager
• Oracle Access Manager
– Key retrieval using dyndns
– External authentication (Using SAML or OAuth2)
• Personal authenticators…
– Todo…
31. What do we need
• Oracle:
– Authentication modules to authenticate using DYNDNS / IPV6
– Personal authenticators
– Expanded control over authentication chains
An account is a digital representation of a user
An identity is a collection of accounts of a user
A user is a natural person
Technology, Process, Services
For a full rundown, see: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
The full risk principles are:
- Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.
- Attributes of an Identity will be signed by the authoritative source for those attributes.
- Identity will work off-line as well as on-line; with a lack of on-line verification simply another factor in the risk equation.
The full privacy principles are:
-Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.
-The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
-Entities will only maintain attributes for which they are the authoritative source.
-The identity of one entity to another will be cryptographically unique; negating the need for user-names or passwords and minimising attribute aggregation.
-The biometrics (or other authentication method) of an entity will remain within the sole control of the entity; biometric information will not be used, exchanged or stored outside of the entities sole control.
The full functionalityprinciples are:
-The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
-The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralized infrastructure.
-Identity will be simply expandable to encompass the security of data; E-mail (for example) can be encrypted simply by having an entities e-mail attributes shared with them.
-Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time that increased levels of user verification is required.
-Everyone plays their part – no more!