Security

Implementing Identity Management Solutions

By: Carolyn Duffy Marsan

Date: June 1, 2012

line break image
bob morgan addressing audience
Panel speakers (left to right): Bob Morgan, University of Washington; Michael Jones, Microsoft; Hannes Tschofenig, Nokia Siemens Networks; John Bradley, identity-management expert; Harry Halpin, W3C team member

Editor’s note: We are saddened to share that RL “Bob” Morgan, long-time IETF participant and leader in the evolution of digital identity, passed away on July 12th 2012. For more information about Bob’s professional achievements and to read or leave tributes to Bob, see: https://spaces.internet2.edu/display/rlbob/

Internet users are clamouring for better and easier ways to ensure the privacy and security of their digital information scattered across websites. Internet standards bodies, including the IETF, are responding to this demand.
The Internet Society held a panel discussion in March 2012 at IETF 83 in Paris, France, about emerging authentication and authorization standards being developed by the IETF, the OpenID Foundation, and the W3C. The panel’s aim was to update attendees on the development of these standards and how they will intersect with each other in commercial implementations.
Lucy Lynch, director of Trust and Identity Initiatives for the Internet Society, led the panel discussion, calling it a “timely” topic because the IETF’s OAuth working group (WG) will soon have two core specifications—for web authorization and bearer tokens—accepted as proposed standards. “I thought this was a good opportunity to look at IETF-sponsored protocols and see what happens when they actually get implemented in the wild,” she added.
Bob Morgan, an IT architect for the University of Washington and an initiator of a trust framework for U.S. colleges and universities called the InCommon Federation, says the goal of all of this standards work is to create a framework for “pervasive usable identity.”
“Billions of people have their digital stuff scattered about the Internet. They need to manage it. How do they get to that stuff? How do they control sharing that stuff?’’ Morgan explained. “That’s the infrastructure we are trying to build to enable people to do that securely and with some notion that their privacy is not being totally abused while they do it.”
Morgan has been developing authentication technology for 25 years, starting with Kerberos and leading up to Security Assertion Markup Language (SAML). He said the new standards under development by the OAuth WG and the OpenID Foundation are directly competitive with SAML, which is a positive development if they enable new security systems that scale to protect Internet users.
“We’re trying to create an attribute economy, where information about everyone and ultimately about everything can be found from authoritative sources and where there is economic motivation to provide that information with reasonable privacy protections,” said Morgan. “We need some great technology to make that vision come true.”
Hannes Tschofenig, a network engineer with Nokia Siemens Networks and OAuth cochair, said it has been a positive experience for the IETF’s OAuth WG to interact with industry players who are rapidly developing common-but-proprietary specifications for access control among data-sharing cloud applications.
“Reaching out to those communities is, I believe, a really important aspect that has to go along with the actual technical work,’’ Tschofenig said, adding that those groups have created interesting designs that solve real-world problems. “We still see technical work happening outside the IETF for good reasons.”
Michael Jones, a standards architect at Microsoft and editor of several OAuth and OpenID specifications, explained how Facebook, Google, Microsoft, and others designed a simple specification for security tokens that is in the OpenID specification.
“In order for digital systems to act on trust information, they have to have some notion of where they are getting the information from and what it is,’’ Jones said. “What do I mean by a security token? It’s nothing much more than a set of claims that one party makes about a subject. [For example], to do single sign-on, we use a set of particular claims that make assertions about who the party is that’s logged into the system.”
Jones said several components of a usable digital identity system—including security tokens, cryptographic signing and public key encryption—are underway within the IETF. “These are all reusable pieces that are each small, easy to build, and easy to use,’’ he said. “Some of this work came out of the OpenID world, where we made a conscious choice that we were building reusable components that we could repurpose. The IETF is a great place to do these general-purpose pieces.”
Identity-management expert John Bradley told the panel that the OpenID group tried to integrate its OpenID 2.0 specification with the original OAuth specifications, but that the two specifications were extremely difficult to implement together. Now the OAuth group is reconsidering some issues related to SAML, such as handling structured responses and decoupling the identity provider from the attribute. OAuth also is collaborating with the Kantara Initiative for digital identity, which is building user consent modules allowing separation of protected resources from consent management.
“There are a bunch of different things that have gone into OpenID Connect, with different influences from different sources,’’ Bradley said. “We just got to the ‘implementer’s draft’ stage.”
Harry Halpin, a W3C team member, described the group’s efforts to create a common JavaScript cross-browser library for cryptographic permits. The idea for this “Web Security API” stems from a May 2011 workshop that W3C held regarding identity in the browser.
“Currently, OAuth is heavily bound to bearer tokens of [Transport Layer Security] in most implementations, but you could imagine greater and higher security flows built with a PKI infrastructure that would be easier to implement if it were available to the browser,’’ Halpin said. “Putting PKI into the browser is a hard problem, and it is not something that we at W3C have solved. But we hope to include as many experts from the IETF to solve it in cooperation with the browser vendors.”
Halpin said the W3C wants to encourage the emerging identity ecosystem.
“The world of identity management is very difficult, very fractured, and very contentious. The situation as it stands today, in which the authentication process revolves around user names and passwords, is not going to stand,’’ Halpin said. “It’s becoming increasingly unsafe to do high-value transactions over the Web…We think our Web cryptography WG will have a definite impact, and I implore everyone who wants to learn more about it to contact [me.]…We want to work with all major proposed authentication mechanisms.’’
In a question-and-answer session following the opening remarks from each speaker, panelists were asked how end-users would know when a particular Web site is acting as their identity provider. Panelists explained that end-users with, for example, a Google account that allows them to log into other sites will have Google as their identity provider. Corporate users, on the other hand, will have IT departments provide an internally managed identity-management system. It is difficult, though, to design a user interface that lets end users know what’s going on behind the scenes with the identity management process.
“There are certain things that are out-of-scope for the W3C, including user experience and user interaction on the browser,’’ Halpin said. “A lot of the hard problems in getting users to understand privacy are going to be out-of-scope of the kind of standards that we normally do. There is a tremendous amount of regulatory [activity] moving at a speed that may be faster than the technical standards bodies.’’
Bradley pointed out that the OpenID Foundation has a WG called Account Chooser, which is working on a standard user interface for Web sign-in that will allow end users to preconfigure various identity providers. “It’s an important thing that when people log into a Web site with their user ID and password, they have…some sense of the information that [data sharing sites] can get about them,’’ he said.
Overall, the panelists were optimistic that the standards under development by various groups including the IETF would help create the underlying infrastructure needed for identity management in the cloud.
“The landscape is moving really rapidly right now, and it seems to be moving in a positive direction that could lead to mass deployment solving a known problem that’s been open for decades,’’ Halpin said.