05/03/2011 Pomcor 1
Meeting the Privacy Goals of NSTIC in the Short Term
Presentation at the 2011 Internet Identity Workshop
Francisco Corella and Karen P. Lewison, Pomcor
Contents
The following slides illustrate protocol steps described in the white paper “Achieving the Privacy Goals of NSTIC in the Short Term”, available at http://pomcor.com/whitepapers/NSTICWhitePaper.pdf
There are three protocol variations:
1. Attribute verification
2. Delegated authorization
3. Social login
Attribute Verification
Parties: Attribute Provider, Browser, Relying Party.
Step 1: Attribute request + callback URL (relying party to browser).
Step 2: The browser retains the callback URL, produces a one-time key pair and retains the one-time private key. Attribute request + one-time public key (browser to attribute provider), authenticated with the user’s long-term TLS certificate.
Step 3: One-time cert binding the attribute to the one-time public key (attribute provider to browser).
Step 4: The attribute provider asks the user’s permission to pass the attribute to the relying party.
Step 5: The browser targets the callback URL; the one-time cert is used as TLS client cert, with the one-time private key used in the TLS handshake. Success.
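The attribute-verification flow above, as an added Go example that is not from the presentation or the white paper: an attribute provider issues a short-lived X.509 certificate binding an attribute to the browser’s one-time Ed25519 public key (Step 3), and a relying party verifies that certificate against the AP root and checks proof of possession of the one-time key before accepting the attribute (Step 5); the same binding carries an access grant in the delegated-authorization variation. Assumptions of the example: a signature over a relying-party nonce stands in for the TLS handshake, the attribute is carried in the certificate’s OU field, and the AP root, names and attribute value are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl under parent (self-signed when parent == tmpl) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// NewAttributeProvider returns the AP's signing key and its self-signed root (both constructed here).
func NewAttributeProvider() (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "AP root (constructed)"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return key, issue(t, t, pub, key)
}
// IssueOneTimeCert is Step 3: a short-lived certificate binding attr to the browser's one-time public key.
func IssueOneTimeCert(apKey ed25519.PrivateKey, apRoot *x509.Certificate, oneTimePub ed25519.PublicKey, attr string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial: no counter that links runs
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{OrganizationalUnit: []string{attr}}, // attribute in OU is this example's assumption
		NotBefore: time.Now(), NotAfter: time.Now().Add(5 * time.Minute), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return issue(t, apRoot, oneTimePub, apKey)
}
// RelyingPartyVerify is the RP's side of Step 5: chain the cert to the AP root, check possession of the one-time key (signature over the RP's nonce stands in for the TLS handshake), return the attribute.
func RelyingPartyVerify(apRoot, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(apRoot)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if err := cert.CheckSignature(x509.PureEd25519, nonce, sig); err != nil {
		return "", errors.New("proof of possession of the one-time key failed")
	}
	if len(cert.Subject.OrganizationalUnit) != 1 {
		return "", errors.New("no attribute bound in certificate")
	}
	return cert.Subject.OrganizationalUnit[0], nil
}
```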
Delegated Authorization
Parties: Site holding user’s account, Browser, Web application.
Step 1: Access request + one-time public key + callback URL (web application to browser).
Step 2: The browser retains the callback URL. Access request + one-time public key (browser to site holding user’s account), authenticated with the user’s long-term TLS certificate.
Step 3: One-time cert binding the access grant to the one-time public key (site holding user’s account to browser).
Step 4: The site holding the user’s account asks the user’s permission to grant access to the application.
Step 5: The browser targets the callback URL and delivers the one-time cert with the access grant (browser to web application).
Step 6: One-time cert with the access grant used as TLS client cert (web application to site holding user’s account).
Social Login
Combines attribute verification and delegated authorization.
Parties: Attribute Provider, Browser, Web application.
Step 1: Attribute request, access request, app’s one-time public key, callback URL (web application to browser).
Step 2: The browser retains the callback URL, produces the browser’s one-time key pair and retains its private key. Attribute request, browser’s one-time public key, access request, app’s one-time public key (browser to attribute provider), authenticated with the user’s long-term TLS certificate.
Step 3: One-time cert binding the attribute to the browser’s one-time public key + one-time cert binding the access grant to the app’s one-time public key (attribute provider to browser).
Step 4: The attribute provider asks the user’s permission to pass the attribute and grant access to the application.
Step 5: The browser targets the callback URL; the one-time cert with the attribute is used as TLS client cert, with the browser’s one-time private key used in the TLS handshake, and the one-time cert with the access grant is delivered to the web application.
Step 6: One-time cert with the access grant used as TLS client cert (web application to attribute provider).