Identity

1. Bishop: Chapter 14 Representing Identity

2. Outline
   - Introduction
   - Naming & Certificates
   - Identity on the web
   - Anonymity

3. What is identity?
   - An identity specifies a principal.
     - A principal is a unique entity.
     - What can be an entity?
       - Subjects: users, groups, roles
         - e.g., a user identification number (UID) identifies a user in a UNIX system
       - Objects: files, web pages, etc., plus subjects
         - e.g., a URL identifies an object by specifying its location and the protocol used (such as http://sce.cl.uh.edu/)

4. Authentication vs. identity
   - Authentication binds a principal to a representation of identity internal to the computer.
   - Two main purposes of using identities:
     - Accountability (logging, auditing)
     - Access control

5. Identity Naming and Certificates
   - In X.509 certificates, distinguished names (that is, X.500 Distinguished Names) are used to identify entities.
     - e.g., /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US
     - e.g., /O=UHCL/OU=SCE/CN=UnixLabAdministrator/L=Houston/SP=Texas/C=US
   - A certification authority (CA) vouches, at some level, for the identity of the principals to which the certificate is issued.

6. Structure of CAs
   - [RFC 1422, S. Kent, 1993] Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
   - The certificate-based key management infrastructure organizes CAs into a hierarchical, tree-based structure.
   - Each node in the tree corresponds to a CA.
   - A higher-level CA sets policies that all subordinate CAs must follow; it certifies the subordinate CAs.

7. Certificates & Trust
   - A certificate is the binding of an external identity to a cryptographic key and a Distinguished Name.
   - If the certificate issuer can be fooled, all who rely on that certificate may also be fooled.
   - The authentication policy defines the way in which principals prove their identities, relying on nonelectronic proofs of identity such as biometrics, documents, or personal knowledge.

8. Certificates & Trust
   - The goal of certificates is to bind a correct pair of identity and public key.
   - PGP certificates include a series of signature fields, each of which contains a level of trust.
   - The OpenPGP specification defines four levels of trust:
     - Generic: no assertions
     - Persona (i.e., anonymous): no verification of the binding between the user name and the principal
     - Casual: some verification
     - Positive: substantial verification

9. Certificates & Trust
   - Issues with OpenPGP's levels of trust:
     - The trust is not quantifiable.
     - The same terms (such as "substantial verification") can imply different levels of assurance to different signers.
     - The interpretations are left to the verifiers.
   - The point:
     - "Knowing the policy or the trust level with which the certificate is signed is not enough to evaluate how likely it is that the identity identifies the correct principal."
     - Other knowledge is needed: e.g., how the CA or signer interprets the policy and enforces its requirements.

10. Identity on the Internet

11. Summary
   - Naming of identities & Certificates
   - Identity on the web
   - Anonymity

12. Next
   - Chapter 27: system security
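The DN naming on slide 5 and the hierarchical CA structure on slide 6, worked through in code. This is an added example, not code from the slides or from Bishop's text: a parser for the slash-separated Distinguished Name form the slide uses, and a toy CA tree in which each subordinate CA is certified by its parent and may only assert policies the parent granted it (the slide's "higher-level CA sets policies that all subordinate CAs must follow"). It goes slightly beyond the slides in two places: the parser handles backslash-escaped separators, and the validator enforces policy inheritance as a subset check. The "signature" is an HMAC keyed with the signer's key, a stand-in for a real public-key signature so the example runs with the standard library alone; the DNs beyond the two on the slide, all keys, and the policy labels (uhcl-staff, uhcl-lab) are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
import hashlib
import hmac
import json


def parse_dn(dn: str) -> list:
    """Parse the slash-separated DN form from slide 5, e.g.
    '/O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US', into an ordered
    list of (TYPE, value) pairs. A backslash escapes the next character, so a
    literal '/' inside a value is written as backslash-slash. Raises ValueError
    on malformed input (missing leading '/', empty RDN, or no '=')."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    parts, buf, i = [], [], 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it verbatim
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "/":                         # unescaped '/' separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.upper(), value))
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def dn_equal(a: str, b: str) -> bool:
    """Type-insensitive, value-exact comparison (real X.500 matching rules do more)."""
    return parse_dn(a) == parse_dn(b)


@dataclass(frozen=True)
class Cert:
    subject: str         # DN of the principal this certificate names
    issuer: str          # DN of the CA that signed it (equals subject for a root)
    key: bytes           # subject's key; stands in for the public key a real cert carries
    is_ca: bool          # may this subject certify others?
    policies: frozenset  # policy labels the issuer permitted this subject to assert
    signature: str


def _tbs(subject, issuer, key, is_ca, policies) -> bytes:
    """Canonical to-be-signed encoding of the certificate fields."""
    return json.dumps({"subject": subject, "issuer": issuer, "key": key.hex(),
                       "is_ca": is_ca, "policies": sorted(policies)}, sort_keys=True).encode()


def _sign(signer_key: bytes, tbs: bytes) -> str:
    # Toy signature: HMAC-SHA256 under the signer's key (a real CA signs asymmetrically).
    return hmac.new(signer_key, tbs, hashlib.sha256).hexdigest()


def self_sign(subject, key, policies) -> Cert:
    """Root CA certificate: issuer == subject, signed with its own key."""
    return Cert(subject, subject, key, True, frozenset(policies),
                _sign(key, _tbs(subject, subject, key, True, policies)))


def issue(issuer: Cert, subject, key, is_ca, policies) -> Cert:
    """Have `issuer` certify `subject`, as a higher-level CA certifies a subordinate."""
    return Cert(subject, issuer.subject, key, is_ca, frozenset(policies),
                _sign(issuer.key, _tbs(subject, issuer.subject, key, is_ca, policies)))


def _signature_ok(cert: Cert, signer_key: bytes) -> bool:
    expected = _sign(signer_key, _tbs(cert.subject, cert.issuer, cert.key, cert.is_ca, cert.policies))
    return hmac.compare_digest(cert.signature, expected)


def validate_chain(chain: list, trust_anchors: list) -> tuple:
    """Walk [leaf, ..., root] up the tree. Each link needs a matching issuer DN, a
    CA-capable parent, only parent-permitted policies and a good signature; the
    root must be a pinned trust anchor. Returns (ok, reason)."""
    root = chain[-1]
    if not any(dn_equal(root.subject, a.subject) and root.key == a.key for a in trust_anchors):
        return False, "root is not a trust anchor"
    if not _signature_ok(root, root.key):
        return False, "root self-signature invalid"
    for child, parent in zip(chain, chain[1:]):
        if not dn_equal(child.issuer, parent.subject):
            return False, f"issuer mismatch for {child.subject}"
        if not parent.is_ca:
            return False, f"issuer is not a CA: {parent.subject}"
        if not child.policies <= parent.policies:
            return False, f"policy not permitted by {parent.subject}"
        if not _signature_ok(child, parent.key):
            return False, f"bad signature on {child.subject}"
    return True, "ok"


def build_example() -> dict:
    """Constructed tree: UHCL root -> SCE subordinate CA -> end entities (keys are made up)."""
    root = self_sign("/O=UHCL/CN=UHCL Root CA/C=US", b"root-key", {"uhcl-staff", "uhcl-lab"})
    sce = issue(root, "/O=UHCL/OU=SCE/CN=SCE CA/C=US", b"sce-key", True, {"uhcl-staff"})
    yang = issue(sce, "/O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US",
                 b"yang-key", False, {"uhcl-staff"})
    # SCE CA was never granted 'uhcl-lab', so this issuance oversteps the policy set above it.
    lab = issue(sce, "/O=UHCL/OU=SCE/CN=UnixLabAdministrator/L=Houston/SP=Texas/C=US",
                b"lab-key", False, {"uhcl-lab"})
    forged = replace(yang, signature="00" * 32)   # same fields, tampered signature
    return {"root": root, "sce": sce, "yang": yang, "lab": lab, "forged": forged}


if __name__ == "__main__":
    c = build_example()
    for name in ("yang", "lab", "forged"):
        print(name, validate_chain([c[name], c["sce"], c["root"]], [c["root"]]))
```

Running the block prints one verdict per leaf: the Andrew Yang certificate validates, the lab-administrator certificate is rejected because the SCE CA asserted a policy its parent never delegated, and the tampered copy fails the signature check. The policy-subset test is what makes the tree a hierarchy in the sense of slide 6 rather than a flat list of issuers: a subordinate cannot quietly widen what it is allowed to vouch for.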