22/05/2014 - ETSI
TRANSCRIPT
© FutureID Consortium
FutureID is partly funded by EU FP7 under GA n°318424

Jon Shamah
FutureID - A Comprehensive Identity Management Infrastructure for Europe
FutureID – Shaping the Future of Electronic Identity
• Partially funded by EU FP7
• Collaborative Project (Large Scale Integrating Project)
• Start in Nov. 2012
• Duration of 36 months
• 19 Partners from 11 countries
• Coordinated by
Social Media: a Paradigm Shift in Identity Management
Before:
• Service Providers issue/manage identity
• Users obtain/manage one identity per service
(diagram: user / credential / service, 1:1)
Social Media:
• Service Providers reuse 3rd Party identities
• Users reuse their existing identity for new services
(diagram: user credential / services, many:many)
“Social Identities” have a limited Domain of Application
(chart: axes "Trust in Identity" and "Security: Passwords / Tokens"; labels: social media today, social media tomorrow, fun; Legally Binding Transactions remain out of reach)
Trusted and Secure Identities exist, but are locked into the old paradigm
(diagram: User / Service Provider)
• Too costly, too small user base, maximum one type if really necessary
• Single service, significant effort, not worth-while!
Trusted and Secure eIDs are also locked into the old paradigm
(diagram: User / eID Provider)
• Too costly, takes too long to fully deploy, maximum one type
• Few services, significant effort, not worth-while!
Trusted and Secure eIDs are also locked into the old paradigm
How can trusted identities be used with the new paradigm?
Objective for User
(chart: Number of necessary Credentials against Number of Services; curves: old paradigm, social media; regions: high trust services, low trust services)
Objective for Service Provider
• The targeted user base has many different existing secure token types.
• Example: European Marketplace of Services
  • Many different national eIDs
• The cost of supporting a large number of token types must be contained.
(chart: Cost against Number of Token Types; curve: old paradigm)
How?: ‘Traditional’ Federations match IDs to Services
(diagram: Hub with single interfaces; most convenient token for user)
How?: FutureID Transformer Component matches any ID to any Service
(diagram: FutureID Infrastructure with single interfaces; most convenient token for user)
Problem: BIG BROTHER IS HERE
Problem with Federations: A Centralized Infrastructure would help a Big Brother
We need Privacy Counter Measures
A Better Design: Decentralized and User-Centric
• Ecosystem with free participation of an open number of stakeholders
• Explicit avoidance of central components / players
• Privacy
• Scalability / Availability
• Market oriented
• Flexible
The FutureID Infrastructure Overview
Free participation of an open number of stakeholders
(diagram: Trust Scheme Authorities (TSA), Credential Transformers (CT), Credential Issuers (CI) and Service Providers (SP))
Users
Credential Issuers (CIs)
Arbitrary credential technology:
• password
• one-time pad
• OTP device
• smart card
• privacy-ABC
• mobile
• etc.
(diagram: enrollment of the user with a Credential issuer)
Types of Identities
• certified by authority
• self-claimed
• reputation-based
(diagram: Credential issuer)
Users with Multiple Credentials
(diagram: a user holding credentials from several CIs)
Service Providers (SPs)
(diagram: CIs and SPs)
Some SPs can directly consume user credentials
(diagram: CIs and SPs; no intermediary required)
Credential Transformers (CTs): Type 1: existing Identity Service Providers
(diagram: CTs between CIs and SPs; a CT takes the user credential and issues a session credential)
• SAML
• WS-*
• OAuth
• OpenID
• ...
Authentication with existing Identity Service Provider
(diagram: user credential from a CI goes to the IdSP, a CT, which issues the session credential to the SP)
• IdSP transforms: user credential to session credential
• SP can directly consume session credential
SP and IdSP need to support the same federation dialect
Credential Transformers (CTs): Type 2: FutureID Brokers
(diagram: CTs between CIs and SPs; a broker takes user and/or session credential(s) and issues a session credential)
• convert format: OAuth -> SAML, SAML -> WS-*
• convert semantics: cognome -> lastname
• filter: Name, Date of Birth, Address, SSN
• derive: date of B. -> age over 18
• combine attributes: role certificate etc.
Authentication with existing Identity Service Provider and one/several Brokers
(diagram: user credential from a CI goes to the IdSP, then through a Broker, which issues the session credential to the SP)
• IdSP transforms: user credential to session credential
• Broker transforms:
  • format that SP can consume
  • less privacy exposure
  • etc.
SP and IdSP need not support the same federation dialect
Within the limits of trust, any credential can be presented to any SP.
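A minimal broker transformation in Python, added here as an example (not FutureID project code) to make the Type 2 broker operations and the IdSP-plus-broker flow above concrete: it combines a session credential with a role certificate, converts semantics (cognome -> lastname), derives "age over 18" from the date of birth, releases only the attributes the SP requested, and re-labels the format. The entity names, sample attributes and the SEMANTIC_MAP configuration are assumptions; formats are modelled as labels on dicts, not as real SAML or OAuth encodings.

```python
from datetime import date

# Constructed sample inputs (not real data): a session credential as an Italian
# IdSP might issue it, plus a separate role certificate. Formats are modelled as
# labels on plain dicts; the wire encodings (SAML XML, OAuth tokens) are out of scope.
IDSP_CREDENTIAL = {
    "format": "SAML", "issuer": "idsp.example",
    "attributes": {"nome": "Maria", "cognome": "Rossi",
                   "data_di_nascita": "1990-06-15", "indirizzo": "Via Roma 1, Milano",
                   "codice_fiscale": "RSSMRA90H55F205X"}}   # constructed value
ROLE_CERTIFICATE = {"format": "X.509", "issuer": "chamber.example",
                    "attributes": {"role": "company_director"}}
# Assumed broker configuration: source attribute names -> the SP's vocabulary.
SEMANTIC_MAP = {"nome": "firstname", "cognome": "lastname",
                "data_di_nascita": "date_of_birth", "indirizzo": "address",
                "codice_fiscale": "ssn"}

def age_over_18(dob_iso, today_iso):
    """Derive the yes/no claim so the date of birth itself need not be released."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:  # born on 29 Feb: the 18th birthday is taken as 1 Mar
        eighteenth = date(dob.year + 18, 3, 1)
    return today >= eighteenth

def broker_transform(credentials, requested, target_format, today_iso):
    """Combine, convert semantics, derive, filter, and re-label for the SP."""
    combined = {}
    for cred in credentials:                               # combine attributes
        for name, value in cred["attributes"].items():
            combined[SEMANTIC_MAP.get(name, name)] = value  # convert semantics
    if "date_of_birth" in combined:                        # derive
        combined["age_over_18"] = age_over_18(combined["date_of_birth"], today_iso)
    # filter: only attributes the SP asked for leave the broker (less exposure)
    released = {name: combined[name] for name in requested if name in combined}
    return {"format": target_format,                       # convert format
            "issuer": "broker.example",
            "sources": [cred["issuer"] for cred in credentials],
            "attributes": released}

def demo():
    """SP asks for lastname, an over-18 claim and the role, in OAuth form."""
    return broker_transform([IDSP_CREDENTIAL, ROLE_CERTIFICATE],
                            ["lastname", "age_over_18", "role"], "OAuth", "2014-05-22")
```

The SSN, address and the raw date of birth never leave the broker because the SP did not ask for them; the derived over-18 claim stands in for the date.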
Who Controls Authentication Process?
(diagram: CTs, CIs and SPs)
Whom to trust:
• user credentials (CIs)
• CTs
Auth. Flow (within limits of trust):
• which user credential
• which CTs
• which attributes to disclose
Trust Scheme Authorities (TSA): Maintaining Standards
(diagram: TSAs alongside CTs, CIs and SPs)
SP/User Trust Issues:
• Difficult to determine trustworthiness
• Cumbersome to enumerate trusted entities
Trust Scheme Authorities:
• regulation and oversight
• certify CIs and CTs
• define groups of CIs/CTs
  • EC qualified certificates
  • STORK level 3 credentials
  • Privacy-friendly CTs
FutureID Trust Infrastructure in Practice - solving the real operational issues
• Service Provider chooses Credential Issuers, existing Identity Service Providers and/or brokers, to rely upon
  • Enters into a number of bilateral trust relationships
  • Chooses depending on certification, reach and assurance levels
  • Can extend its market by adding more relationships directly or through FutureID brokers
• Users choose which credential and profile they wish to use from those offered by the service provider
  • Selection is dependent on what contracts the Service Provider has in place and which assurance levels are required
  • Users authenticate in their own trust domain using their token type of choice
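An SP-side trust check in Python, added as an example (not FutureID project code) of the practice described above: bilateral relationships plus the TSA groups the SP accepts decide which CIs and CTs are trusted, and a minimum assurance level decides which of the user's credentials the SP offers for selection. All entity names, group names, assurance values and the policy are constructed.

```python
# Constructed TSA registry: group name -> CIs and CTs certified into that group.
TSA_GROUPS = {
    "ec_qualified_certificates": {"ci.qualified-ca.example"},
    "stork_level_3": {"ci.eid-country-a.example", "ci.eid-country-b.example"},
    "privacy_friendly_cts": {"ct.broker-1.example", "ct.broker-2.example"},
}
# Constructed assurance level per CI (assumed 1..4 scale in the STORK style).
ASSURANCE = {"ci.qualified-ca.example": 4, "ci.eid-country-a.example": 3,
             "ci.eid-country-b.example": 3, "ci.social.example": 1}
# Constructed SP policy: bilateral relationships plus the TSA groups it accepts.
SP_POLICY = {"direct": {"ci.eid-country-a.example", "ct.legacy-idsp.example"},
             "groups": {"stork_level_3", "privacy_friendly_cts"},
             "min_assurance": 3}
# Constructed user: each credential is (issuing CI, CTs it would pass through).
USER_CREDENTIALS = [
    ("ci.eid-country-a.example", []),                        # consumed directly
    ("ci.eid-country-b.example", ["ct.broker-1.example"]),    # via certified broker
    ("ci.social.example", ["ct.broker-1.example"]),           # assurance too low
    ("ci.qualified-ca.example", ["ct.unknown.example"]),      # untrusted hops
]

def is_trusted(entity, policy):
    """Trusted if the SP has a bilateral relationship with the entity, or the
    entity belongs to a TSA group the SP has chosen to accept (so the SP need
    not enumerate every CI/CT individually)."""
    if entity in policy["direct"]:
        return True
    return any(entity in TSA_GROUPS.get(group, ()) for group in policy["groups"])

def path_acceptable(ci, cts, policy):
    """Every hop must be trusted: the issuing CI (at a sufficient assurance
    level) and each CT the credential passes through on its way to the SP."""
    if not is_trusted(ci, policy) or ASSURANCE.get(ci, 0) < policy["min_assurance"]:
        return False
    return all(is_trusted(ct, policy) for ct in cts)

def offer_credentials(user_credentials, policy):
    """The choices the SP presents to the user: only paths within its trust limits."""
    return [(ci, cts) for ci, cts in user_credentials if path_acceptable(ci, cts, policy)]
```

Adding a broker to the SP's accepted groups, or a new bilateral relationship to "direct", widens the set of offered credentials without touching the user's side.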
Choice for the Citizen & Service Provider
High level visualisation - Examples Only
(diagram: FutureID Broker and IdSP)
Highlights of FutureID Trust Infrastructure
• Infrastructure fosters free participation of an open number of stakeholders: free market of “trust services”
• Interfaces almost any (trusted) credential with any SP.
• Flexible integration:
  • FutureID SPs and legacy federated SPs “as is”
  • variety of deployment options
• Seamless integration with STORK infrastructure
• Privacy-friendly Attribute-Based-Credentials (by ABC4Trust)
• Free from imposing any political or organizational structure; no centralized components or single point of failure.
• Privacy-friendly and (where possible) privacy-enhancing.
Contact
Jon Shamah
www.futureid.eu