Identity 3.0 and Oracle
A match made in heaven or is hell freezing over?
Bram van Pelt
Who am I?
• Bram van Pelt
• Expert lead Security
• Security Consultant
What will we be covering?
Agenda
• The evolution of the identity
• Identity 3.0
• Oracle POC implementation
Definitions
• Account
• Identity
• User
The history of digital Identity
Identity 1.0
• Jericho Forum
• De-perimeterisation
• COA Framework
COA Framework
• Technologies
– Endpoint security
– Secure communications
– Secure data (DRM)
COA Framework
• Processes
– People Lifecycle Management
– Risk Management
– Information Lifecycle Management
– Device Lifecycle Management
– Enterprise Lifecycle Management
COA Framework
• Services
– Identity management and federation
– Policy Management
– Information Classification
– Information Asset Management
– Audit
Identity 2.0
• Securely collaborating in clouds
• Identity, Entitlement & Access Management Commandments
Identity, Entitlement & Access Management Commandments
• 14 Guidelines on how to secure an identity
• An Entity can have multiple, separate Persona (Identities) and related unique identifiers
• The source of the attribute should be as close to the authoritative source as possible
• A resource owner must define Entitlement (Resource Access Rules)
Identity 3.0
• Bring your own identity
• Using identity to enhance privacy
• “We believe that with a single global identity eco-system all this is possible.”
Identity 3.0 definitions
• External identifier
A provider for attributes other than the user.
• Core identifier
The “bring your own identity” attribute provider
• Persona
A mix of attributes which are provided by the core identifier and optionally external identifiers
Identity 3.0 principles: Risk
• Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.
• Attributes of an Identity will be signed by the authoritative source for those attributes.
Identity 3.0 principles: Privacy
• Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.
• The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
• Entities will only maintain attributes for which they are the authoritative source.
Identity 3.0 principles: Functionality
• The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
• The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralized infrastructure.
• Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time that increased levels of user verification are required.
The inner workings
Inner workings
• Personas
• One way trust
Personas
• [Entity: Organization] Government issues a Citizen Persona to [Entity: Person] Yourself
• Citizen Persona with authoritative (cryptographically) signed attributes:
– Date of Birth = 01 Jan 2000
– Place of Birth = London, UK
– Sex at Birth = Male
– Name at Birth = John Doe
– Citizenship = Full British
– Issued = 01 Jan 2015
– Revalidation = gid.citizen.gov.uk
Trust
One way trust
• I trust you, so you can access my resources
• Does not mean you can access unauthenticated
How does this work?
• Site demands identity
• You give your attributes
• You log in to the external identifier
How does this work?
• Reusable
• Web of identities
Why would you want this
• No more user storage
• Personalisation options
• Transparency to end users
• Enhanced privacy
How would we build this?
• Ingredients:
– The core identity and identifier
– The persona implementation
– The external identifier / authenticators
The core identity and Identifier
• This is a personal device which you have on you, if possible…
• Phones
• DynDNS via browsers
• Personal component
The Persona implementation
• Basically an “identity cookbook”
• Trusts to identifiers
• One way cryptographic trust
– Signed attributes
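The citizen-persona slide and the "one way cryptographic trust / signed attributes" ingredient above can be shown end to end. The following is an added example, not code from the talk, the Global Identity Foundation or Oracle. It assumes a design the slides do not spell out: each attribute is hidden behind a salted hash commitment and the authoritative source signs only the list of commitments, so the person can later disclose just the attributes a site demands while the relying party still verifies them against the issuer's public key alone (one way trust). The signature is a Lamport one-time scheme built from SHA-256, used here purely as a stand-in for whatever real signature scheme an issuer would choose; the attribute values are the constructed ones from the slide.

```python
import hashlib
import json
import os

# Constructed sample: the Citizen Persona attributes shown on the slide.
CITIZEN_ATTRIBUTES = {
    "Date of Birth": "01 Jan 2000",
    "Place of Birth": "London, UK",
    "Sex at Birth": "Male",
    "Name at Birth": "John Doe",
    "Citizenship": "Full British",
    "Issued": "01 Jan 2015",
    "Revalidation": "gid.citizen.gov.uk",
}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Stand-in signature scheme (Lamport one-time signature over SHA-256).
# Assumption: any real deployment would use a long-term scheme instead; a Lamport
# key must sign exactly one message, which is all this example does.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes):
    digest = int.from_bytes(sha256(message), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    digest = int.from_bytes(sha256(message), "big")
    return all(sha256(signature[i]) == pk[i][(digest >> (255 - i)) & 1]
               for i in range(256))


# --- Issuance by the authoritative source (the government entity on the slide).
def commit(salt: bytes, name: str, value: str) -> bytes:
    # Salted commitment: a hidden attribute cannot be guessed from its hash.
    return sha256(salt + json.dumps([name, value]).encode())


def signed_payload(subject: str, commitments) -> bytes:
    return json.dumps({"subject": subject, "commitments": commitments},
                      sort_keys=True).encode()


def issue_persona(issuer_sk, subject: str, attributes: dict) -> dict:
    salted = {n: (os.urandom(16), v) for n, v in attributes.items()}
    commitments = sorted(commit(s, n, v).hex() for n, (s, v) in salted.items())
    signature = sign(issuer_sk, signed_payload(subject, commitments))
    return {"subject": subject, "attributes": salted,
            "commitments": commitments, "signature": signature}


# --- Presentation by the person: disclose only what the site asked for.
def present(persona: dict, requested: set) -> dict:
    disclosed = {n: (s.hex(), v) for n, (s, v) in persona["attributes"].items()
                 if n in requested}
    return {"subject": persona["subject"], "commitments": persona["commitments"],
            "disclosed": disclosed, "signature": persona["signature"]}


# --- Verification by the relying party, which holds only the issuer's public key.
def verify_presentation(issuer_pk, presentation: dict, required: set):
    payload = signed_payload(presentation["subject"], presentation["commitments"])
    if not verify(issuer_pk, payload, presentation["signature"]):
        return None  # commitment list was not signed by the authoritative source
    accepted = {}
    for name, (salt_hex, value) in presentation["disclosed"].items():
        if commit(bytes.fromhex(salt_hex), name, value).hex() not in presentation["commitments"]:
            return None  # disclosed value does not match what the issuer signed
        accepted[name] = value
    if not required.issubset(accepted):
        return None  # the site demanded an attribute the person withheld
    return accepted


def demo():
    gov_sk, gov_pk = keygen()  # only gov_pk is ever given to relying parties
    persona = issue_persona(gov_sk, "Yourself", CITIZEN_ATTRIBUTES)
    wanted = {"Citizenship", "Date of Birth"}  # what this particular site demands
    ok = verify_presentation(gov_pk, present(persona, wanted), wanted)
    forged = present(persona, wanted)  # a modified value must be rejected
    forged["disclosed"]["Citizenship"] = (forged["disclosed"]["Citizenship"][0], "Dual")
    bad = verify_presentation(gov_pk, forged, wanted)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The relying party never talks to the government and never sees the five attributes the person withheld; it learns only that the two it asked for were signed by the issuer it trusts, which is the attribute-minimisation principle from the privacy section carried into the persona model.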
The external identifier / authenticator
• Basically an external identification source
• Chosen by the application
How would we build this?
• Oracle WebLogic Server
– SAML Trust to an access manager
• Oracle Access Manager
– Key retrieval using dyndns
– External authentication (Using SAML or OAuth2)
• Personal authenticators…
– Todo…
Let’s picture it
What do we need
• Oracle:
– Authentication modules to authenticate using DynDNS / IPv6
– Personal authenticators
– Expanded control over authentication chains
YOU
Special Thanks
• Global Identity Foundation
• Jericho Forum
• Bram van Pelt
• Twitter: @BramPelt
• LinkedIn: http://linkedin.com/in/bram-van-pelt-77a15021