Relationship Card Presentation at IIW.
From Information Cards to Relationship Cards
IIW IX, November 3, 2009
Paul Trevithick, [email protected]
The Problem
• I have too many accounts and passwords
• My personal information is spread all over the web
• I have no way to control my digital footprint
• Information about me (esp. social networks) isn’t portable
• I have security and privacy concerns with today’s “cookie” model
Missing Identity Layer
• Controlled by the individual
• Trusted, cloud-based, available anywhere
• Synchronizes all of my identities, profiles and social networks
• Gives me more control over updating and who has access to my own data
[Diagram: Identity Layer]
Higgins
• Began in 2003 in affiliation with Harvard’s Berkman Center
• Invited to join the Eclipse Foundation in 2004
• IBM, Novell, and others contributed a dozen senior developers during 2005-2007
• Google and Oracle began contributing in 2007
• Higgins 1.0 was released in 2008
• Higgins code is part of commercial products from Novell, IBM, Google, Serena, Azigo, and others.
• Higgins 1.1 is planned for Q1 2010
• http://higgins-project.org
Card Metaphor
• Information Cards – a digital version of the cards you carry in your purse or wallet today
• You use them with a new kind of digital wallet called a selector
Act I: Regular Information Cards
Information Cards & Claims
Data Portability: profile & social networking attributes are made portable by referencing them on Information Cards
Any kind of information: your preferences, favorite songs, employee id numbers, drivers licenses, affiliations, your health plan id, etc., can be on a card.
Cards from multiple sites are managed in a local Card Selector application (Microsoft CardSpace™ or Azigo™ or Novell DigitalMe™)
Card-based Login
Higgins is interoperable with Microsoft CardSpace™ shown here
Card Types
Managed – what somebody else says about you
• Name
• Address
• Date of Birth
• License number
Personal – what you say about you
• Name
• Gender
• Like to rock climb, fly fish, mountain bike, play piano
• No kids
• Profession: Medical doctor
Actors
[Diagram: User, Identity Provider, Relying Party]
Personal Card
[Diagram: the User has a Personal Card]
Personal Card: Data Flow
[Diagram: User, Identity Provider, Relying Party; Personal Card]
Managed Card
[Diagram: the User has a Managed Card, which points to a token generator at the Identity Provider]
Managed Card: Data Flow
[Diagram: User, Identity Provider, Relying Party; Managed Card points to token generator]
Managed Card: login flow (diagram sequence, one slide per step)
1. Alice goes to site
2. Selector retrieves policy (the site’s Required and Optional Claims)
3. Display cards that match policy
4. Alice selects a card
5. Auth to IdP
6. Generate token
7. Browser sends token (a Set of Claims)
8. Validate token
9. Alice accesses resource
Card-based Login Benefits
• Per-site passwords are eliminated
• Strong anti-phishing protection
• Site declares what claims it needs or desires
• User reviews and consents to all release
• Privacy enhancing minimal disclosure
Regular Cards
• Manual
• Static “one shot”
• Read only
• Uni-directional
Act II: Relationship Cards
Personal Data Agent
• The agent is the advocate of the consumer/patient/citizen
• Gives data ownership back to the individual
[Diagram: Personal Data Agent with a Browser Add-on]
Permissioned data sharing
Relationship Cards: Sending a pointer claim value over the front channel
[Diagram: User, Identity Provider, Relying Party; the token carries a Set of Claims & Ptr]
Personal Relationship Cards: Sending a pointer over the front channel
[Diagram: the User has a Personal R-Card, which points to data; the token carries a Set of Claims & Ptr]
Personal Relationship Cards: User managed data channel
[Diagram: data channel between the User’s data and the Relying Party, over any protocol]
Managed Relationship Cards: Sending a pointer over the front channel
[Diagram: the User has a Managed R-Card; the token carries a Set of Claims & Ptr]
Managed Relationship Cards: User managed data channel
[Diagram: the User has a Managed R-Card; a Kantara UMA Access Manager controls the data channel, which runs over any protocol]
Relationship Cards (compared with Regular Cards)
• Manual → Automatic
• Static “one shot” → Continuous
• Read only → Read/Write
• Uni-directional → Bi-directional
…data channels managed by the user