
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future

Digital identity has been evolving constantly for the last 30 years. It started with simple access control via a user account within a single system, moved to a credential shared among systems, and then to federated identity and bring-your-own-identity (BYOI). Modern uses are not limited to access control but include purposes such as digital on-boarding (account opening) and employee and customer relationship management. Among the many technologies out there, OpenID has gained such popularity in the market that you are probably using it without knowing it. This session explains the positioning of OpenID in the digital ID landscape and explores the future potential for both corporations and individuals.


  1. Nomura Research Institute. OpenID in the digital ID landscape: a perspective from the past to the future. Nat Sakimura (@_nat_en), Research Fellow, Nomura Research Institute; Chairman of the board, OpenID Foundation. www.kuppingercole.com, _nat_en, https://nat.Sakimura.org/youtube.php, https://www.linkedin.com/in/natsakimura, https://nat.sakimura.org
  2. (image only)
  3. (image only)
  4. Open, Sesame! (Source: Albert Robida (1848-1926), public domain.) An example of a long-term weak shared key.
  5. Rome. (Source: Roman soldiers on the cast of Trajan's Column in the Victoria and Albert Museum, London; public domain.) A shared weak symmetric key, rotated daily, with an ACK-based key delivery protocol.
  6. MIT's CTSS system (1961) used LOGIN & PASSWORD: an example of an individual password. (Source: http://en.wikipedia.org/wiki/IBM_7090#mediaviewer/File:IBM_7094_console2.agr.JPG)
  7. Per-system identity: Service 1, Service 2, ..., Service N.
  8. (image only)
  9. IDENTITY
  10. Entity → Identity: Real Name, Professional qualification, department, Geo-location, Employee number.
  11. Entity (Real Name, Professional qualification, department, Geo-location, Employee number) → Identity Register. Authentication Server: verification (authentication) of username, password, geo-location, device info, etc.; provides claims → Authenticated Identity.
  12. Identity Management. (Source: created by the author based on ISO/IEC 24760-1 Identity management framework, Part 1.) States: Unknown※, Established, Active, Suspended, Archived. Transitions: register, activate, suspend, reactivate, maintain, adjust, archive, delete, re-establish, delete.
  13. Entity (Real Name, Professional qualification, department, Geo-location, Employee number) → Identity Register. Authentication Server: verification (AuthN) of username, password, geo-location, device info, etc.; provides claims → Authenticated Identity.
  14. Per-system identity: Service 1 (IR), Service 2 (IR), ..., Service N (IR).
  15. Shared identity: Service 1, Service 2, ..., Service N sharing an IR.
  16. (image only)
  17. Shared identity: Service 1, Service 2, ..., Service N sharing an IR; password.
  18. Federated identity: Service 1, Service 2, ..., Service N; IdP with IR; Get Token → ID Token → ID Token.
  19. Timeline (2002, 2005, 2007, 2012, 2014): SAML 1.0; SAML 2.0 (XML, XML SIG, SOAP); OpenID Authentication 2.0 (key=value); OAuth 1.0 (key=value).
  20. 2007, 2008
  21. (image only)
  22. (image only)
  23. (image only)
  24. (image only)
  25. (image only)
  26. (image only)
  27. Nat Sakimura (NRI), John Bradley (mercenary working for NRI), Breno de Medeiros (Google).
  28. Early design decisions: 1. No canonicalization; 2. ASCII armoring; 3. JSON; 4. REST. JSON Simple Signature (JSS) & Encryption (JSE).
  29. Then there was a parallel work: Magic Signature & JSON Token (John Panzer, Dirk Balfanz).
  30. And there came Mike Jones: "You guys should come together and standardize it at IETF. Don't worry. I can take care of the editing!" JSON Simple Signature (JSS) & Encryption (JSE) + Magic Signature & JSON Tokens → JWx.
  31. JWx: JWS (JSON Web Signature), JWE (JSON Web Encryption), JWT (JSON Web Token), etc.
  32. Early design decisions: 1. No canonicalization; 2. ASCII armoring; 3. JSON; 4. REST; 5. JWx. (Dick Hardt, Allen Tom.)
  33. Early design decisions: 1. No canonicalization; 2. ASCII armoring; 3. JSON; 4. REST; 5. JWx; 6. Base on OAuth WRAP → 2.0.
  34. Timeline (2002, 2005, 2007, 2012, 2014): SAML 1.0; SAML 2.0 (XML, XML SIG, SOAP); OpenID Authentication 2.0 (key=value); OAuth 1.0; OAuth 2.0; OpenID Connect (JSON, JWS, REST). (Dave Recordon.)
  35. Stack: HTTPS → OAuth 2.0 → JWS/JWE/JWKS → ID Token.
  36. Over 90% of Azure AD app authentication is over OpenID Connect as of April 2018. (Alex Simons at EIC 2018.)
  37. OpenID Financial-grade API (FAPI) Security Profile. https://www.openbanking.org.uk/provider-categories/account-providers/ : ABN AMRO Bank NV, AIB Group (UK) plc, Bank of Cyprus UK Ltd, Bank of Ireland (UK) Plc, Bank of Scotland plc, Barclays Bank Plc, Clydesdale Bank PLC, HSBC UK Bank Plc, ICBC (London) plc, Lloyds Bank PLC, etc.
  38. That is a perfect fit not only for enterprise access control: Entity (Real Name, Professional qualification, department, Geo-location, Employee number) → Identity Register; Authentication Server (AuthN of username, password, geo-location, device info, etc.; provides claims) → Authenticated Identity → ID Token; Log, Audit, Anomaly Detection; Resource, Policy, PAP, PDP, PEP, PEP2, metadata, Admin.
  39. ... but also Employee Relationship Management (ERM) ...
  40. ... and Customer Relationship Management (CRM), including customer on-boarding ...
  41. Social & Bank Identities: BYOID.
  42. Host your own IdP on-premise / cloud.
  43. It can be on your local machine.
  44. Self-issued OP: never taken away. Hosted on your local machine. No need for IdP discovery because it is local. The user identifier is the hash of the public key generated by the software.
  45. 3 Claims Models: Simple, Aggregated, Distributed.
  46. Simple claims: IdP → ID Token → Client.
  47. Aggregated claims: Claims Provider → Signed Claims (Token); Claims Provider → Signed Claims (Token); IdP embeds them in the ID Token → Client. Claims are verifiable.
  48. Distributed claims: IdP → ID Token including pointers → Client; Client fetches Signed Claims (Token) from the Claims Provider. Claims are verifiable.
  49. An example of ongoing activities on the claims-set: Minimum Viable eKYC Framework (eID/KYC Expert Group @ EC).
  50. CIBA: Client Initiated Backchannel Authentication. O2O: Online Authentication for Offline Transaction. Use-case 1: customer authentication at call centers.
  51. Trusted Personal Data Management Service (TPDMS), Consent Management. • Worked on by the Japanese government. • Ethical assistance to combat "over consenting". • Note: the Cambridge Analytica incident happened because of "over consent". • Public comment period for the certification scheme started Nov. 22. • Expected to find the first certified service by the end of March. • ISO/IEC 29100, 29134, 29184, 27552. • Kantara Initiative Consent Receipt.
  52. Projected landscape: Claims Providers → Signed Claims (Token); IdP → ID Token, Access Token; Client; Keys; eKYC; Continuous AuthN + Risk Info; FAPI + CIBA; Consent Management (Ethical Assistance).
  53. (image only)
  54. OpenID in the digital ID landscape: a perspective from the past to the future. Nat Sakimura (@_nat_en), Research Fellow, Nomura Research Institute; Chairman of the board, OpenID Foundation. www.kuppingercole.com, _nat_en, https://nat.Sakimura.org/youtube.php, https://www.linkedin.com/in/natsakimura, https://nat.sakimura.org
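Slides 46 to 48 contrast the simple, aggregated and distributed claims models of OpenID Connect: in the aggregated model the IdP embeds a Claims Provider's signed token inside the ID Token, in the distributed model the ID Token carries only a pointer (endpoint plus access token) and the Client fetches the signed claims itself, and in both cases the Client can verify the claims against the Claims Provider's key rather than trusting the IdP's copy. The following is an added illustration written for this page, not code from the talk or from any OpenID Foundation project. It follows the `_claim_names` / `_claim_sources` structure of OpenID Connect Core section 5.6.2, but makes simplifying assumptions: tokens are signed with HMAC-SHA256 using constructed shared keys (a real deployment would use asymmetric keys published via JWKS, as on slide 35), the distributed endpoint is modelled by an in-memory table instead of an HTTPS fetch, and the issuer names, keys and claim values are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (assumption: in practice these would be asymmetric keys via JWKS).
IDP_KEY = b"idp-demo-key-constructed"
CP_KEY = b"claims-provider-demo-key-constructed"
IDP_ISS = "https://idp.example"
CP_ISS = "https://cp.example"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Minimal JWS compact serialization with HS256 (demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jws_verify(token: str, key: bytes) -> dict:
    """Verify the signature and return the payload; reject unexpected algorithms."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


# Constructed stand-in for the Claims Provider's distributed-claims endpoint:
# endpoint URL -> access token -> signed JWT it would return.
DISTRIBUTED_ENDPOINTS = {
    f"{CP_ISS}/claims": {"at-42": jws_sign({"iss": CP_ISS, "employee_number": "E-1001"}, CP_KEY)}
}


def fake_fetch(endpoint: str, access_token: str) -> str:
    """Models the HTTPS fetch of slide 48; the endpoint returns a signed token."""
    try:
        return DISTRIBUTED_ENDPOINTS[endpoint][access_token]
    except KeyError:
        raise PermissionError("endpoint rejected the access token")


def build_id_token() -> str:
    """IdP side: one aggregated claim (embedded JWT) and one distributed claim (pointer)."""
    aggregated = jws_sign({"iss": CP_ISS, "department": "Research"}, CP_KEY)
    payload = {
        "iss": IDP_ISS, "sub": "alice", "aud": "client-1", "name": "Alice",  # simple claims
        "_claim_names": {"department": "src_agg", "employee_number": "src_dist"},
        "_claim_sources": {
            "src_agg": {"JWT": aggregated},
            "src_dist": {"endpoint": f"{CP_ISS}/claims", "access_token": "at-42"},
        },
    }
    return jws_sign(payload, IDP_KEY)


def resolve_claims(id_token: str, idp_key: bytes, provider_keys: dict, fetch=fake_fetch) -> dict:
    """Client side: verify the ID Token, then resolve and verify each external claim."""
    claims = jws_verify(id_token, idp_key)
    names = claims.pop("_claim_names", {})
    sources = claims.pop("_claim_sources", {})
    for claim, src_id in names.items():
        source = sources[src_id]
        if "JWT" in source:                                   # aggregated: token is inline
            token = source["JWT"]
        else:                                                 # distributed: follow the pointer
            token = fetch(source["endpoint"], source["access_token"])
        # Pick the verification key by issuer, then verify before trusting any value.
        issuer = json.loads(b64url_decode(token.split(".")[1])).get("iss")
        external = jws_verify(token, provider_keys[issuer])
        claims[claim] = external[claim]
    return claims


if __name__ == "__main__":
    print(resolve_claims(build_id_token(), IDP_KEY, {CP_ISS: CP_KEY}))
```

The Client never copies a claim out of `_claim_sources` without first checking the Claims Provider's signature, which is what makes aggregated and distributed claims verifiable independently of the IdP; an unknown issuer or a token re-signed under the wrong key is rejected before its values reach the application.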
