ID20

Some notes of "Identity 2.0"

What?

  • New anticipated revolutionary digital Identity for the internet.
  • “2.0” hints at improvement and renewal.
  • Will (/needs to) be open, simple and user-controlled.
    • You control your identity and what attributes of it you want to share.
    • Meant to be the analogue to real world credentials such as ID card, passport, bank card etc.
    • You should be able to use this (the same) ID on different sites. (Today’s ID is focused on a silo (read: directory (a database optimized for reading)).)
  • De-centralized
  • Not a standard to implement in practice, more a philosophy or buzzword
  • The technology is here, but different parties have different ideas of how to implement it
  • This needs a metasystem and the possibility to interoperate.
  • Single sign-on (unified-login)

Where from?

The term Identity 2.0 was made popular by Dick Hardt at the first Web 2.0 conference in October 2004, where preliminary principles were drawn up. Identity 2.0 stems from Web 2.0, which refers to second-generation internet services with more user input and contribution. Examples: wikis (Wikipedia), social networking sites (blogging, dating), folksonomy (rather than taxonomy). That is: folksonomy = tagging; taxonomy = classification (today).

One of the first widely distributed web services was ad serving.

Pros and cons

  • You need someone who can vouch for you, who is also trusted by the one you’re identifying yourself to. Today’s model creates more traces (e.g. you can have different mail or QXL accounts, making it seem you’re different persons with your different logins); with 2.0 you are you, verified.
  • Could be a problem when:
    • You don’t want to use your strong, secure identity (you want a (semi-)anonymous email account, or to write a comment on a website).
    • Your unrelated actions are linked together and a pattern is made to map your actions or behaviour.

  • With Identity 2.0 each and every company and website wouldn’t need its own silo or security platform (which is expensive).
  • The user wouldn’t need to remember 10 – 20+ passwords.

Identity 1.0

Identity 1.0 vs. 2.0

  • ID 1.0 is secure enough, it’s just not simple and user-centric enough.
  • Expensive (silos with high security = costly).
  • Not user-friendly (15 – 20 passwords used daily is not unusual).

Comparison table by wikipedia.org

  Identity 1.0           Identity 2.0
  site registration      ID providers
  unverified             verifiable
  directory centric      user centric
  username and password  identity credentials
  immobile               mobile
  opaque                 transparent

The protocol SAML (Security Assertion Markup Language), an XML standard that supports single log-on, has been known as "Identity 1.5".

Why?

  • Many people use the internet because of broadband and availability.
  • People shop and do business online.
  • Economic motive: lower helpdesk cost – a lost password is a great cost.
  • The problem of fragmentation of digital identity systems
  • Phishing
  • Pharming
  • Identity theft
  • No need to punch in data over and over for each web site

How? (approaches)

  • You should be able to log in once and bring your different IDs to each and every web site.
    • This login may be done by one of, or a combination of, username/password, fingerprint scan, NFC phone, smartcard, PIN, one-time passwords etc.
  • You should be able to choose which attributes of your ID you want to share with different member sites.
  • Sites should be able to link anonymously.
  • Another way of saying the same thing is the parallel with TCP/IP as the universal abstraction layer that abstracts away things like Ethernet.

Who?

Sxip (Simple, eXtensible Identity Protocol)

  • Push based = user centric.
  • Fronted by Dick Hardt and almost a synonym for Identity 2.0.
  • Claims Identity 2.0 as their own (“An Identity 2.0 company”).
  • Ad quote: “Sxip Identity understands the need for a customer-centric and enterprise approach to creating, using and managing identity. Their approach makes them a pioneer in Web-based identity management.” Mike Neuenschwander, Burton Group.

Sxip access (for corporations)

  • Delegated authority: you type in your credentials, it scrambles them and sends them to a corporate-related website etc., which sends them on to the corporate server, which unscrambles them and sends them back.
  • logon/off with one click
  • single sign-on & delegated authentication for seamless login
  • centralized user management

Sxip 2.0 (the protocol)

  • Uses its own protocol on an HTTP platform.
  • User-centric (user choices and management; the ID is stored at the homesite or on the desktop computer).
  • Decentralized (less overhead, more scalable): the certificate (claim / assertion) is on the homesite (which can be on one’s own PC).
  • Utilizes a wide range of data formats: plain text, XML, SAML (digitally signed).
  • PKI not necessary.

Microsoft

Infocard / CardSpace

  • Built on WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy (open standards, more or less).
  • Securely stores a person’s digital identities and provides a unified interface for choosing the identity for a particular transaction.
  • A central part of Microsoft's effort to create an Identity Metasystem, or a unified, secure and interoperable identity layer for the Internet.
  • The core idea for InfoCard is to be a meta-identity system.

When you are about to make a transaction, register at a site or log in, a screen pops up; you select the identity (card / InfoCard) you want to use, and the screen goes back to the website and uses that specific ID. Your computer contacts the issuer or ID provider and downloads a signed XML document with the information to give to the “ID asker”. Users can also create IDs for themselves and sign them themselves; these can be used at trivial websites like www.wired.com or unik.wikipedia.no. One uses as strong or as “weak” an ID as fits.

Live ID!?

Unified login (not single login) for Microsoft (and friends) services: MSN, Hotmail etc.

Yadis

LID, Folk, XRI, XDI, OpenID.

Light-weight Identity (LID) protocol. These guys (Johannes Ernst of NetMesh Inc) don’t want to rely on a central authority and have developed a standard which uses URLs as identifiers. For example, the URL http://lid.netmesh.org/liddemouser/ is the LID identifier for a hypothetical individual called Mr. LID Demo User. The member site accesses the URL and transfers ID attributes from there over a secure protocol, OpenID or LID.

Pull model

  • aims to make the internet a more people-friendly place. User in total control of which ID attributes to share/use at each login/transaction.
  • REST-ful, "small pieces loosely joined"
  • more useful in lightweight blogging/social networking/trivial web site logins and such.

No trust between the IP (provides the ID) and the RP ("eats" the ID) = an advantage because it is loosely coupled and scalable. BUT complex management.

Liberty Alliance (federation standard)

  • SAML based (token).
  • More directed towards intranets and “inter-enterprise” transactions. Not really Identity 2.0!
  • Single log-in.
  • 150 companies and organizations, including IBM, HP, Intel, Oracle and Sun, Nokia and Ericsson, American Express, General Motors, several large postal services and a number of large telecom companies, as well as Norway’s Kantega - but not Microsoft.

Liberty Alliance Personal Identity

  • Allows individuals to maintain some direct control over the release of identity claims. The user can choose which IdP to send to.
  • Liberty-Enabled Client or Proxy (LECP) Profile.

Oasis

  • Organization for the Advancement of Structured Information Standards
  • A bigger umbrella for a lot of open, democratic work.
  • Vendor oriented and heavy / SAML, XRI, XDI, WS-*
  • SAML - Security Assertion Markup Language, a standard XML-based framework for the secure exchange of authentication and authorization information.
  • XRI - eXtensible Resource Identifier, a URI-compatible scheme and resolution protocol for abstract identifiers used to identify and share resources across domains and applications.
  • XDI - XRI Data Interchange, a standard for sharing, linking, and synchronizing data ("dataweb") across multiple domains and applications using XML documents, eXtensible Resource Identifiers (XRIs), and a new method of distributed data control called a link contract.

In Norway

All governmental solutions based on the internet demand digital ID with PKI by 2006. BBS implements the solution and the Brønnøysund registers manage it. The certificates needed in the PKI solution are provided by Buypass, Telenor and ErgoGroup.
If you’re signed in you’re authorized for many services, but there is no single login.

  • BankID and Buypass.
  • Kantega and Systek.

Protection of personal privacy

Anonymous digital credentials

Some people have seen that we need to be able to prove some of our identity attributes without giving away name, address and social security number. You shouldn’t need to. If you want to see a free movie (18+) on the internet, you have to prove you’re old enough, but shouldn’t need to give away more personal information.

  • More privacy can be obtained through pseudonyms. But not where a real ID is needed.
  • Who should be identity provider?
    • Your bank (bankID, DNBNor)
    • Known certificate provider (VeriSign, Thawte)
    • Microsoft

Problems

  • Which identity providers are to trust?
  • Which member sites trust them?

Solutions

  • Big companies like Microsoft (Live ID) and VeriSign (VIP, VeriSign Identity Protection; VeriSign Network) start to acknowledge each other and work together.

So if you want to visit a site which needs a VeriSign ID, you can be logged into Live ID and VeriSign vouches for you, allowing you to enter.
One needs compatibility between the standards, as no one is likely to be “the one” standard.

More info

Web 2.0

  • Web 2.0 is people, information and software, in that order.
  • Network (internet) as the platform.
  • Heavily user-participatory, interactive. The user owns the data (more democratic and personal).
  • Ajax apps/UI, that is apps through your browser off of the internet. You’re working against a server; the thin client taken further. Demands more of the server and database, closer to intranet-server than web-server characteristics.
  • Mashups are common: that is, retrieve data from many different sources on the net and display it in one page. Like dynamically pasting your boss’s blog on your website or playing a movie directly off of YouTube (but it looks like it’s on your page).
  • Explicit synonym: "Participatory Web"
  • Emphasizing tools and platforms that enable the user to tag, blog, comment, modify, augment, select from, rank, and generally talk back to the contributions of other users and the general world community.
  • notes, mail, address, feeds, blog
  • many to many publishing
  • today’s solutions for contacts, mail, feeds, notes, blogs, calendar aren’t 2.0, maybe 1.5 :P
  • to be “2.0 compatible” you should be able to synchronize between web, client, handheld seamlessly. (XML anyone?)
  • Often used as a synonym for semantic web. The social networking and contribution and folksonomy pushes web 2.0 in the right direction with tags and some meaning, but not complete “semanticness”.
  • The “creators” definition:
    "The transition of websites from isolated information silos to sources of content and functionality, thus becoming computing platforms serving web applications to end users"
  • A social phenomenon referring to an approach to creating and distributing Web content itself, characterized by open communication, decentralization of authority, freedom to share and re-use, and "the market as a conversation"
  • A more organized and categorized content, with a far more developed deeplinking web architecture
  • A shift in economic value of the web, possibly surpassing that of the dot com boom of the late 1990s
  • A marketing term to differentiate new web businesses from those of the dot com boom, which due to the bust now seem discredited
  • The resurgence of excitement around the possibilities of innovative web applications and services that gained a lot of momentum around mid 2005

Key principles of Web 2.0 apps

the Web as platform; data as the driving force; network effects created by an architecture of participation; innovation in assembly of systems and sites composed by pulling together features from distributed, independent developers (a kind of "open source" development); lightweight business models enabled by content and service syndication; the end of the software adoption cycle ("the perpetual beta"); software above the level of a single device, leveraging the power of The Long Tail.

Web 1.5

Websites often use a Content Management System serving HTML generated on the fly.

The long tail

  • Many small sites make up the bulk of the web. These have great power and potential (in regards to reaching many different people).
  • The Web 2.0 lesson: leverage customer-self service and algorithmic data management to reach out to the entire web, to the edges and not just the center, to the long tail and not just the head.

(Local) network creation

Computers in a network could automatically open firewalls for chatting, file sharing or applications to one’s own equipment/computers and to trusted friends/colleagues with Identity 2.0:
"Hey, I'm a Mac, I belong to Michael Heilemann." - "Hey, so do I. Would you like to have casual wireless intercourse while Michael is surfing the web?" - "Sure". Voila; and I don't even feel dirty." (http://binarybonsai.com/archives/2006/01/11/web-15/)

Federative architecture

  • Single log-in.
  • “Intra-net” like.
  • The user already has some trust by being logged in; other services demand claims, which are then checked.

Some similarities to user/policy/group management in a server/client architecture.

The signature

Electronic signatures, like paper signatures sent by fax, may have legal meaning.

Page last modified on August 25, 2006, at 09:18 AM EST