Proposal for a SAML-WebSSO profile with enhanced privacy

Identity Federations having B2C-type and sometimes other use cases need to prevent the collection of user data across services for privacy and business case reasons. This draft proposes a new SAML profile with improvements in respect to un-traceability, un-linkability and non-disclosure.
[Updated June 15]

What is an Identity Ecosystem?

Abstract: I argue that the metaphor is unclear and violates basic properties of the concrete meaning in biology. The difference between biological ecosystems and economic subsystems is so radical that the metaphor can at best only be used as a source of inspiration, not for conveying clear objectives. The only property that could be reasonably indicated by the metaphor is the aspect of self-organization without a single leader. However, this contradicts the definition of business ecosystem, therefore another term, e.g. Identity Metasystem or Identity Infrastructure, should be searched and deployed.

Requirements for Session Management in Identity Federations & Proposal for Global Idle Timeout (draft)

Terminating unused or long-running user sessions is an established security policy. In environments with medium or high security idle timeout, explicit logout and user revocation are mandatory security controls.

In federations a common pattern is that a Service Provider (SP) will create a local session when it consumes an authentication assertion from an IdP. As there is no global session state across the IdP and SPs, some issues arise like:

  • Terminating the IdP-session has no immediate effect for the SPs.

  • Single Logout (SLO) is difficult on both front- and back-channel variants for several

    reasons. The Shibboleth Wiki provides a good overview of the issues with SLO.

  • If short idle-timeouts are required user are requiring to re-authenticate frequently

    because the idle-timers are not reset globally. 

Top problems with PKI, signatures and SSL

To avoid confusion: This article pertains primarily to open PKIs like in web browsers. PKI federations with strict control on policy and profile and implementations manage many of the issues. See also Patrick's comment.

Public key cryptography is widely believed to assure high levels of security and confidentiality in an otherwise untrusted Internet. SSL, digital signatures and public key infrastructures play a significant role in e-commerce and information system security.  It seems likely, moreover, that their role will continue to grow in the future. However, leading security experts warned that the good news is exaggerated because of flaws in the underlying model, specification, implementation and the human factor. The consequence is that the application of cryptography needs to be part of a wider security management system, and expectations need to be moderated.

The following list collects a number of issues that are quite well known in the security community.

A trust model with third party assurance

1. Trust between autonomous organizations

Trusted interaction between identifiable parties has been a problem that predates the current Internet. But the solutions from the mainframe area do not scale with today’s demands. Trust needs to be moved to an infrastructure layer that can be utilized by applications as a commodity. In electronic communication the key issues are to assure that the other party is who they claim to be, and to assure that their actual and expected behavior match closely.

Assurance Metrics in Trust Federation Frameworks


Kantara discussed the topic how to use Assurance Levels several times in the last months, most recently on the P3WG list as in [WG-P3] Anna Slomovic's Follow up thread (RE: IAWG P3 Agendas going into Berlin). I think that we need a clear model of assurance metrics to build trust frameworks and would like to outline some thoughts on such a model.

Assurance Levels for Attribute Assertions may not be realistic

There was some discussion going on in some working groups about extending the concept of authentication assurance levels to attribute assurance.

However, the business case might be different. The attribute authority will usually have a different position than an identity provider. The IdP will usually be in a competitive environment, whereas the AP will be in the sole authoritative source. Hence the Relying Party will not have a negotiating position to ask for anything than best effort and compliance to applicable law.

The signatory's problem with the onus of proof

Digital signatures allow relying parties to take to validity of an e-Signature as granted. Unfortunately there are many attacks possible against the signatory, like untrusted client devices (What You Sign is Not What You See), keyboard loggers or even corrupted card terminals with dedicated keyboards.
If there was an abuse a problem occurs when a signatory repudiates a signature. The onus of proof is under current legislation with the signatory, and it is very difficult to proof for a plain consumer that a signature was abused, e.g. by malware on the user’s device.

Pitfalls of mapping of multiple security factors into a single scale: The weakest link in the chain

Assurance Levels ..

  • Simplify the relationship between controls, vulnerabilities and assets;
  • Are a pragmatic method of standardizing baseline security policies to a singular security scale (usually of 1 to 4);
  • Are a quite rough approximation of the actual protection yielded by specified controls;
  • But this is not a problem, because risk assessment would anyway be too complex without that simplification;
  • Too granular controls in the specification of Assurance Levels  should be avoided. Instead, the installation of processes to adapt to changing threats should be aimed at, like with capability maturity models in each specific area.

Identity Assurance levels, like specified in NIST SP 800-63, map multiple security controls into a single scale.

How do we define trust?

There was a recent discussion about the term "trust" in the context of trust federation. Jane Winn gave me a hint on a good paper by Timothy W. Guinnane that points out that the discussion about the meaning of trust is superfluous: "the useful parts of the idea of trust are implicit in older notions of information and the ability to impose sanctions".

Syndicate content