
NIST SP 800-63C #idcon vol.22


Slides for #idcon vol.22 (second set)

The Japanese text has dropped out, so please download the file to view it.

Published in: Technology


  1. SP 800-63C - Federation and Assertions - Nov Matake
  2. 800-63-3 Federation 800-63-2
  3. Federation Assurance Level (FAL) • ... • Assertion • (ID Token etc.) • Artifact (a.k.a. Handle / Assertion Reference) • Assertion (Authorization Code etc.) • Front-channel Presentation • Assertion User Agent Assertion (Implicit Flow etc.) • Back-channel Presentation • User Agent Artifact Assertion (Code Flow etc.)
  4. Federation Assurance Level (FAL) • Federation Assurance Level • Federation Assertion / Artifact • Lv.1 • Front-channel / Back-channel Assertion • Lv.2 • Lv.1 Front-channel Assertion • Lv.3 • Lv.2 Back-channel Assertion • Lv.4 • Lv.3 Holder-of-Key Assertion (Proof-of-Possession)
  5. Front-channel Presentation Credential Service Provider (a.k.a. IdP) Relying Party (a.k.a. End-User)
  6. Back-channel Presentation
  7. Holder-of-Key Assertion • Subscriber (End-User) • RP Assertion Subscriber (Proof-of-Possession) • Assertion Subscriber Assertion Subject (= Holder-of-Key) • Holder-of-Key Assertion Assertion Bearer Assertion • Assertion Subscriber Assertion Subject Assertion Assertion
  8. Holder-of-Key Assertion Key Pair Public Key Reference + + Proof of Possession
  9. Holder-of-Key Assertion Key Pair + Public Key Reference + Proof of Possession
  10. ?OIDC / OAuth Implicit / Code Flow Authorization Response Proof-of-Possession
  11. ?RFC 7800 Holder-of-Key = Presenter = OAuth Client RFC 7800 : Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) https://tools.ietf.org/html/rfc7800
  12. Federation Assurance Levels
      FAL | Back-channel Presentation                               | Front-channel Presentation
      1   | Bearer assertion, signed by IdP                         | Bearer assertion, signed by IdP
      2   | Bearer assertion, signed by IdP                         | Bearer assertion, signed by IdP, encrypted to RP
      3   | Bearer assertion, signed by IdP, encrypted to RP        | Bearer assertion, signed by IdP, encrypted to RP
      4   | Holder-of-Key assertion, signed by IdP, encrypted to RP | Holder-of-Key assertion, signed by IdP, encrypted to RP
  13. FAL Federation
  14. 1. Purpose 2. Introduction 3. Definitions and Abbreviations 4. Federation 5. Assertions 6. Assertion Presentation 7. Federation Assurance Levels 8. Security 9. Privacy Requirements and Considerations 10. Usability 11. Assertion Examples 12. References
  15. 4 Federation • 4 Federation Model • Central Authority • Manual Registration • Dynamic Registration • Proxied Federation • IdP Subscriber Profiling
  16. 5. Assertion • Possession Category (800-63-2) • Holder-of-Key Assertion • Bearer Assertion • Protection Category • Assertion Identifier • Signed Assertion • Encrypted Assertion • Audience Restriction • Pairwise Pseudonymous Identifier (PPID)
  17. 8. Security • (Non-normative) • Assertion manufacture/modification • Assertion disclosure • Assertion repudiation by the IdP • Assertion repudiation by the subscriber • Assertion redirect • Assertion reuse • Secondary authenticator manufacture • Secondary authenticator capture • Assertion substitution • 800-63-2 LoA
  18. Discussion
