The Laws of Identity and Cardspace Charles Young Solidsoft

Dec 20, 2015

Transcript
Page 1

The Laws of Identity and Cardspace

Charles Young, Solidsoft

Page 3

The Identity Meta-what???

• The Identity Meta-system
– A single identity ‘fabric’ supported by many different technologies
– A system of systems
– …so standards are important here!!

Page 4

Yes, but what is an identity?

• It’s a list of claims about an entity
– Entities… that’s me and you!
– My name is Charles
– I work for Solidsoft
– My email address is…
• …well, that would break laws 2 and 3

Page 5

Law 1: User Control and Consent

• Only reveal information with the user’s consent
– It’s their identity, after all

Page 6

Law 2: Minimal disclosure for a defined use

• Disclose as little identifying information as possible

• Limit the use of identifying information as much as possible

• Helps build stable long-term solutions.

Page 7

Law 3: Justifiable Parties

• Don’t disclose identifying information to a party that cannot ‘justify’ itself.
– All parties must identify themselves
– Establish trust relationships

Page 8

Law 4: Directional Identity

• Omni-directional
– Publicly broadcast your identity
– ‘Look at me everyone! Here I am. It’s me.’

• Uni-directional
– Privately assert your identity
– ‘Psst… It’s me. The password is ‘Cardspace’. Let me in.’

• Identity systems must support both.

Page 9

Law 5: Pluralism of operators and technologies

• If it’s Microsoft-only, it’s useless!
• …but seriously…
– The Identity meta-system MUST NOT be bound to proprietary solutions and technologies
– Different cultures
– Different contexts

Page 10

Law 6: Human Integration

• Humans are first-class components of the identity meta-system (duh)

• Unambiguous human-machine communication

• Machines don’t attack you – humans do.

Page 11

Law 7: Consistent experience across contexts

• ‘Thingify’ your identities
• Consistency shines the spotlight on attackers

Page 12

Cardspace Actors: Subjects

Subjects: Individuals and other entities about whom claims are made

Page 13

Cardspace Actors: Relying Parties

Relying Parties: Require identities

Subjects: Individuals and other entities about whom claims are made

Page 14

Cardspace Actors: Identity Providers

Relying Parties: Require identities

Subjects: Individuals and other entities about whom claims are made

Identity Providers: Issue identities

Page 15

The Cardspace Identity Selector

• Reason over your identities
• Smart selection

Page 16

The Cardspace Logon process

• Service Provider requests identity
• CardSpace Identity Selector pops up
• Token is built by Identity Selector (with Identity Provider)
• Token sent to client
• Output sent to client

Page 17

Information Card Types

SELF-ISSUED
• Contains self-asserted claims about me
• Stored locally
• Use instead of username/password

Page 18

Information Card Types

MANAGED
• Provided by banks, stores, government, clubs, etc.
• Claims stored at Identity Provider and sent only when card submitted

Page 19

Cards and standards

• Cards contain metadata only!
• Cardspace can handle any claims tokens
– SAML tokens are most common

• Cardspace uses WS-* standards

Page 20

Call to action

• Cardspace-enable your web sites– Relying parties

• Invest in Secure Token Server technology– Identity providers

• Spread the word.