W3C workshop on Identity in the Browser -- 25 May 2011

<tantek> thanks scribe for fixing the perms

<tantek> yes, in my opinion we should introduce <input type="identity-url"> because it does incrementally improve a number of aspects of *exiting* browser login / password functionality

<tantek> you could use <input type="identity-url"> by itself for URL-based login systems such as OpenID or RelMeAuth

<nico> current discussion: labeling of form fields for credential capture (when the password manager learns creds) and credential presentation (when the pw mgr fills creds in)

<tantek> and you could use it with <input type="password"> for traditional login (the browser could convert email addresses to mailto: URLs in an <input type="identity-url">

<nico> "we dont want to assume the browser is in the TCB because it's susceptible to malware"

<tantek> btw - I prefer <input type="identity-url"> over <input type="identity-uri"> because <input type="url"> already exists in HTML5 (i.e. that bikeshed fight has already been fought - so let's just re-use the existing pattern/decision)

<nico> (who's the speaker?)

<tantek> fine, then those sites that don't want to assume the browser can simply not use those <input> types

<nico> "if you're relying on something that can be easily compromised, that causes more harm than good"

<nico> (speaker?)

<hober> <input type=identity-url> falls back to <input type=text> in browsers that don't support it, which is pretty much exactly what you want

<karen> Dan Schutzer, FSTC/BITS

<tantek> hober, exactly

<nico> thanks

<nico> <something about two factor auth> "to prevent fraud we need end-to-end security"

<nico> that was Dominique (sp?)

<karen> Speaker from Bank of America, Dominique Nguyen

<nico> response: "allowing the browser to get involved in credential presentation, letting the site tell us that we must not do that... we could generate really good passwords for the user, wouldn't that be better?"

<nico> "you're telling your users to remember memorabe passwords, [implication: that's bad]"

<nico> dan: "the concern is about the link in the chain"

<nico> "in the browser case they can tell they are using firefox..."

<nico> dan: "but they can't tell if they're using bank of america"

<nico> john linn: ""we're taking as a premise that the browser is central, so we have to trust it, so it has to be trustworthy, but it's not less vulnerable to attack"

<nico> dominique: if you can improve the browser, that'd be the first step

<nico> response: I do want to assume the browser is trusted, working hard to make it trustworthy, but it's a very valid point

<nico> "it's the simplest possible answer. if I carry a keyfob, that adds value, but there's a large chunk of the market where we can't do that"

<nico> so, I'm not that good a scribe :(

<nico> harry: if I'd told you that JavaSript would become so universal 10 years ago, you'd have said "impossible!"...

<nico> harry: so we can do good things that seem impossible now

<nico> sam: as a user I wish you would [let us]

<dsinger_> S/viability/liability/

<tantek> um, why are non-lawyers arguing/discussing liability?

<nico> tantek: because we have to to some degree?

<tantek> appeal to meeting chairs: please rule this topic (liability) out of scope for this meeting

tantek, tom smedinghoff is definitely a lawyer :)

<tantek> oh ok

<tantek> then the rest of us

<tantek> nico - we don't have sufficient expertise to have a meaningful discussion - hence request for out-of-scoping the topic

<nico> phillip: we don't have an internet security problem, we have a bank security problem (pointing to passwords printed on credit cards :)

<nico> phillip: separate accounts for spending vs. money mgmt [I missed something]

<nico> phillip: <missed stuff>

<maryhodder> phillip said: login is different than the transaction PW

<nico> ok, so restated

<nico> brian: you mentioned intermediate steps... I think one might be to have fewer passwords, and reduce the number of servers that they must be shared with, also password verifiers, and this could be done without having to solve the federated problem

<nico> <one immediate reaction is that there's a lot of points in the design space, well, if we say that too many passwords is the immediate problem, then there's some things we could do... e.g., consolidation on federated auth

<nico> sam: I'll be talking tomorrow, but I think that the password manager could be the granddaddy for a good ID manager; let's not throw out something that's useful today that we could make into something great tomorrow>

<josephboyle> http://www.w3.org/2011/05/25-idbrowser-minutes.html still showing diagnostics not content

<nico> <comments about distinction between initial and derivative credentials> (did I understand correctly>)

<tantek> finally! real-world examples of security problems instead of handwaving!

<tantek> password compromises come from servers, not browsers

<tantek> e.g. Gawker, Sony

<nico> heh

<nico> <doesn't France require cleartext passwords be available on demand?

I believe Tom crafted the legal work behind EV certs, so we have one actual lawyer in the audience.

<nico> <there's a policy overlay here too; we as society say to the banks "you guys set this up, you're responsible for breaches", so when consumers' accounts are compromised, the users have minimal liability, so this has some impact...

<nico> I said that server issues are mostly out of scope here... and I asked if Craig had intended to distinguish between initial and non-initial credentials (think tickets)

<nico> and I said that I like that distinction

<nico> craig: <using 2-factor authentication we could use trusted location and devices>

<nico> dan: at iiw there was a comment made by... eric sachs that he was more worried about people's passwords being terrible than about phishing

<nico> so, fixing phishing but keeping passwords may be a problem

<nico> bob, sam: well, there's the lying endpoint problem

<nico> bob: the servers could make statements about what kinds of practices they want from the clients, that could be useful

<nico> <stolen temporary credentials can still be used to do a lot of harm>,

<karen> a1 speaker is David Chadwick, University of Kent, UK

<nico> (TPMs??)

<nico> so, yes, TPMs

<karen> Speaker was Mark Watson, Netflix

<nico> harry: surprising consensus about password managers

<nico> (I think that was a comment in relation to the privacy considerations regarding TPMs)

<nico> sam: don't see how to do that without violating privacy; also, go to an underround electronics sop sometime, see the counterfeits

<nico> craig: it's more complicated for users to deal with hardware IDs

<nico> scribe: thanks

<nico> I'm missing this too

Can get to a pretty solid proof that the browser visiting the site NOW is the same as the browser that visited a month ago

<nico> bob: basically, it's hard to manage all these IDs, and it's a big DB, and maybe you don't manage it well, and you could lose your users stuff, and so device IDs is hard to deploy

<nico> harry: asking about crypto APIs

<nico> so, a hum

<tlr> andersR: access to credential stores is critical element

<tlr> phb: frameworks are a way to avoid making choices. standards are about making choices.

<tlr> crocker: discuss more tomorrow

<tlr> ??: framework gives choice of what mechanism to use

<karen> Nico is Nico

<nico1> y

<nico1> harry: so more on this tomorrow

<tlr> tlr: sounds like we need to flesh out scope of api discussion tomorrow

<nico1> harry: attaching ID to session states (?)

<nico1> incognito mode

<nico1> is this something that's of interest to people

<tlr> identity attached to session state / login/logout functionality

<nico1> sam: useful, but not necessarily in scope

<nico1> harry: I just remember ppl mentioning multiple personane

<nico1> ...

<nico1> comments about lack of competitiveness regarding incognito mode

<nico1> dan: nothing prevents users from using pw managers

<nico1> reply: well, stock browsers don't let you

<nico1> for bank creds

<nico1> harry: asking about consensus regarding the annotations concept

<nico1> (basically making the cookie a derivative credentials)

<nico1> hannes: <also concurs>

<nico1> bob: that's of a piece with my comment about labeling session IDs

<tantek> what was the specific RFC for suggested labels?

<tantek> does anyone know it?

<tantek> or could the person who spoke with Hixie please dig it up from their email etc. and post it?

<nico1> tantek: it was said to be 3127

<nico1> I'm falling behind on scribing

<tantek> Hixie's argument is sound. Re-inventing a previously failed standard is not a rational path unless you can point out key reasons for failure that your re-invention is specifically addressing.

<nico1> harry: agenda for tomorrow

<tantek> I thought "3127" was said like an example of an RFC #, not the actual #.

<nico1> tantek: I thought so too

<nico1> root around for it?

<nico1> harry: we might want to re-bake the agenda

<tantek> who was the Google person that claimed he spoke with "Ian Hixie" [sic]

<tantek> ?

<tantek> perhaps we can ask him for the specific RFC #

<tantek> I'd like to track this down

<yoiwa> RFC 3127 is "Authentication, Authorization, and Accounting: Protocol Evaluation" (Informational)

<karen> Harry: we don't have complete agreement

<karen> ...but have more proposals for scope; would like to have that list...10 proposals

<karen> .Speaker: I did not get the sense...third party; token use

<karen> Harry: It was brought up several times; we can revisit that

<karen> ...discussion went away from that; like mobile discussion

<karen> TLR: We have room for that in the Beyond the Browser session

<karen> Speaker: talking about that as opposed to tokens

<karen> TLR: Use case will bring it up

<karen> Bob: Bring up browser support for IP discovery

<karen> ...hoping that may be in

<karen> ...and other concrete suggestions

<karen> Harry: I think it rather naturally comes into it today

<karen> ...Dinner at Shivas

<karen> 800 California Street, #100

<karen> Buffet dinner starts at 7:00pm

<karen> Trent: Please pick up your trash

<karen> Meeting adjourned

<karen> ...is problem about too many passwords; or not at all; too weak

<karen> ...everyone will have different POVs

<karen> ...no stopping; how do we know when online identity is solved

<karen> ,..it's not a check-mate end

<karen> ...related to that, solutions are not true or false; something is better than another

<karen> ...cannot have a proof for sovling online identity

<karen> ...maybe say something about crypto

<karen> ...but the overall thing is fuzzier

<tlr> http://en.wikipedia.org/wiki/Wicked_problem

<karen> ...Next problem is that there is not an immediate test of what will happen

<karen> ...everything has unfortunate side effects

<karen> ...If we roll out @@auth

<karen> ...could push into malware and have other repercussions

<tyler> Anyone got a link to the Workshop wiki handy?

<karen> ...Cannot look into future or rewind the past

<karen> ...Everything happens in the real world as we speak

<karen> ...If you screw up privacy like Google did, it's challengin

<karen> ...You get damaged by this if you screw up; you lose credibility

<karen> ...It's not like science where you can celebrate failure

<karen> ...In real life, it's bad

<karen> ...If passport failed for Microsoft

<karen> ...some people wrote it off, so they were blackballed

<karen> ...You cannot sit down and choose six different things

<karen> ...We have seen a dozen things already in this Workshop

<karen> ...In science you want to say you have a set of techniques, such as building a bridge

<karen> ...but this space is essentially different

<karen> ...Identity on the Web is not like identity in the real world; no real person's face

<karen> ...Not like identity in Internet with one admin domain

<karen> ...what worked here won't work there

<karen> ...reasons for failure are over-determined

<karen> ...Did infocard fail due to user experience; too complex a mental model; don't know

<karen> ...cannot rewind the past

<karen> ...All I wanted to do

<karen> ...really interesting framework

<karen> ...I'll put up references

<karen> ...Some white papers you can read

<karen> ...They have some frameworks for how to address problems to build shared understanding

<karen> ...And most important, capture that somewhere

<karen> ...So next time you can pick up from where you left off

<karen> ...and not recreate all the past conversations

<karen> ...So for today, think about what I said here; we all have different stakes, viewpoints, backgrounds

<karen> ...Be careful when you say the problem is not x it's y

<karen> ...their assumptions and values are different

<karen> ...Other obvious anecdote

<karen> ...Think about the rules for passwords

<karen> ...Think about how you pick it

<karen> ...All these security experts thought different approaches would work to select them

<karen> ...No consensus, but all defensible positions

<karen> ...So important to have this context

<karen> Q: Any data to back up assertions

<karen> A: no

<karen> Harry: let's hold questions until end of session

<tantek> that was me that asked "Did any of them have data to support their assertions?"

<tantek> answer was "no"

<JeffH> so there will be some way to recover these irc logs ?

<karen> Next Speaker: Philipp Hollam Baker, Comodo

Simulation & Design for Deployment

<tantek> (in reference to the room full of Google security experts all recommending different ways to make "good" (strong) passwords)

<karen> Problem is how do you get that problem deployed; Internet has 20 billion users

<tantek> I think that was 2 billion

<karen> ...how I deal with this problem is I design simulations

<karen> ...and identify which audiences need to address protocol

<karen> ...and I simulate; use stuff from control system world

<karen> ...can use software or even Excel

<karen> ...Do need to test assumptions

<karen> ...If you think viral marketing will take off

<karen> ...if you are talking viral or network effect, you are fooling yourself

<karen> ...Chicken and egg problem

<karen> ...getting to critical mass is really hard

<karen> ...Simply having Microsoft say it won't work

<karen> ...some things will kill your proposal

<karen> ...One is deployment deadlock

<karen> ...If servers do this or that

<karen> ...stopped working when Web had a million users

<karen> ...Digest authentication was proposed seven days after basic

<karen> ...Basic was deployed and enmeshed in Web six days after it was proposed

<karen> ...I proposed digest on next day and it took five years to get into browsers

<karen> ...Once something works well, it's hard to replace

<karen> ...Getting to web sites

<karen> ...I won't use your identity scheme if it does save time

<karen> ...Users are aware of razor and blades model

<karen> ...Unlike other workshops, I am seeing technology proposals not business proposals

<karen> ...First proposal is to put the account manager in the cloud

<karen> ...we can do it securely and user never needs to know what is going on

<karen> ...can get access; can support legacy browsers

<karen> ...Why start here? User can do on their onw

<karen> ...I know companies looking at this

<karen> ...they don't need participation of any other party

<karen> ...I'm doing this to save my time, not establish a bus model

<karen> ...Could do in two ways

<karen> ...just solve this problem, make easy to store passwords in the cloud

<karen> ...But then write protocols to go slightly more sophisticated

<karen> ...allow a secure authentication mechanism

<karen> ...not choose too many or invent something new unless I have to

<karen> ...if I can coopt OpenID or SAML people I can do it faster

<karen> ...phase two builds out on phase one

<karen> ...Finally, this was originally proposed as phase three

<karen> ...putting user names and passwords in the cloud

<karen> ...don't put pw into password manager

<karen> ...Who here does not have a smart phone?

<karen> [one hand]

<karen> Philipp: Ok, so you all know you can get AUTH

<karen> ...congrats, you have now simulated a 1960s technology on a smart phone

<karen> ...this thing has a display, keyboard, voice input

<karen> ...could we do more?

<karen> ...I'm buying my phase kit off eBay

<karen> ...so instead of typing passcode, would be nice to have been asked

<karen> ...I mentioned voice

<karen> ...for applications that demand it

<karen> ...Take a picture of person taking purchase; put in a pin number

<karen> ...we could have voice recognition or voice recog biometrics

<karen> ...We have a really powerful toool

<karen> ...This could start to deploy now in the enterprise

<karen> ...i looked up $20 per year for one-time password tokens

<karen> ...This requires no software; can be done quickly and enterprises can adopt unilaterally

<karen> ...thank you

<karen> Harry: up next is Sam Hartman from Painless Security

<karen> ...I would like to talk about the value of the browser in supporitng identity management

<karen> ...and in supporting the kinds of things that Phil

<karen> ...making things easier to deploy so we get innovation

<karen> ...to start off

<karen> ...One of things to realize is things platform can do

<karen> ...you cannot write Java Script

<karen> ...platform mediates cross application and site information

<karen> ...yesterday Bob talked about the identity selection problem

<karen> ...When he was talking he said it is hard for service providers to drive the selection problem

<karen> ...The platform is in postion to know what the identities are that are broader than one site

<karen> ...site is in position to reasonably know about the identities

<karen> ...So together you can have the platform; a good understanding of what the identities are

<karen> ...better position to ask user who they want to be today versus a site asking it the possibilities

<karen> ...Another thing the platform can be in a position to do

<karen> ...some sites can manage iphones to traditional desktops

<karen> ...can be in enterprise or individuals

<karen> ...platform can enforce policy that is broader

<karen> ...Also platform can cross identity beyond justthe web browser

<karen> ...ID not just in some app

<karen> ...used in some web resources

<karen> ...you need the platform's involvement

<karen> ...as we discussed yesterday

<karen> ...there are cases where the browser is used less, particularly the mobile environment

<karen> ...Cannot just treat as a web id problem

<karen> ...finally something the platform can do

<karen> ...that can enable security

<karen> ...Something that one of first presentations talked about

<karen> ...channel bindings

<karen> ...is about tying two security relationships together

<karen> ...Can allow you to have an association with some web site

<karen> ...and can confirm even the certificate has changed

<karen> ...Also valuable in device authentification

<karen> ...if user has inserted himself into device

<karen> ...could break some use cases

<karen> ...the platform could tie these sorts of identification together

<karen> ...Would be nice to pick one like OpenID

<karen> ...but we cannot just pick one

<karen> ...Different organizations...

<karen> ...If you tell me I have to change from one thing to something else

<karen> ...why is that in my best interest?

<karen> ....Lots of properties to these identity management systems

<karen> ...attempt to consume lots of identities

<karen> ...Some aspects are part of system and a critical part of using

<karen> it

<karen> ...like Kerberos using it

<karen> ...things based on URIs versus naming things based on other approaches

<karen> ...and sometimes those differences are important to people

<karen> ...if we don't have a way to dispose

<karen> ...and force all identity management to be the same, we will defeat choice of using them

<karen> ...ont he other hand, important

<karen> ...not to have to know ...

<karen> ...permit only when you need to take advantage of the special properties

<karen> ..I come from identity management background outside of the Web

<karen> ...a lot of things going on there

<karen> ...I think that we have a real opportunity for a convergence of these approaches with what is going on the Web

<karen> ...the best identity management story we have seen is cases where there is a real decoupling from the application

<karen> ...plug in new security mechanism, or deployment and mechanism will work within new environment without being aware of it

<karen> ...Major desktop systems have this such as Microsoft

<karen> ...Take a look of hosted services on Windows Live

<karen> ...where they inveneted a new service

<karen> ...They were not previously aware

<karen> ...At IETF we are working on things

<karen> ...A single way of looking at Open IDE, OAUTH, SAML, Kerberos and public key

<karen> ...the application won't get any of those the same, but can delve into detail

<karen> ...and take advantage of specifics of the mechanism if necessary

<karen> ...also at IETF, project Moonshot is looking at how to create an identity management mechanism

<karen> ...uses SAML to look at things

<karen> ...intended to work well in a federated environment

<karen> ...address privacy issues we are talking about

<karen> ...address mechanisms that are highly integrated into platform

<karen> ...Basically, what I am proposing to look at

<karen> ...is an approach where the application and platform can both contribute

<karen> ...application can take advantage of identity coming from that

<karen> ...and can provide set of mechanisms; can inject an identity into the system

<karen> ...not about solving users typing id into system

<karen> ...about enabling credentials in future

<karen> ...that are not passwords

<karen> ...Final recommendation

<karen> ...more detail from previous slide

<karen> ...Ok

<karen> Harry: We are going to begin discussion on Platform issue for ten minutes

<karen> ...then continue with Device discussion and then take a break

<karen> CarlH: Identity really is a wicked problem

<karen> ...I think it will require inconsistency robustness

<karen> ...cannot be algorithmic solution

<karen> ...like credit cards, do you pass this charge or not?

<karen> ...evidence for or against and make the decision

<karen> ...if it is a wicked problem, this is where you need to go

<karen> ...may be onlly thing to do the job

<karen> ? Comment on ???

<karen> ...Smartphone, you don't use browser, just native apps

<karen> ...does not mean browser should not handle identity

<karen> ...there is trust

<karen> ...could be done relatively easily

<karen> ...like OpenID a mechanism

<karen> ...think of bringing app into smartphone

<karen> ...you redirect to identity provider and redirects using a custom URI

<karen> ...what is missing is the first leg

<karen> ...what it means for first app to redirect

<karen> ...when you have direct access to begin with

<karen> ...maybe that is something the browser providers should think about

<fjh> what makes a browser "trusted"?

<karen> Sam: I agree that use pattern could be supported

<karen> ...i want to see a way to invoke that pattern

<karen> JeffH: I just wanted to support notion of identity spams far outside this thing called the browser

<karen> ...many of apps on smartphones are browsers...mobile code

<karen> ...that environment is getting married to the platform

<karen> ...agree we need to think about this more holistically

<karen> JeffH: that is a big problme

<karen> Nico: I want to echo that there are

<karen> ...browser apps and HTTP applications

<karen> ...dapper and that sort of thing

<karen> ...Browser apps use HTTP

<karen> JeffH: there are protocols in wide use beyond HTTP

<karen> Q: another approach is to use standardized mechanisms out to the platform

<karen> ...such as what Microsoft has done

<karen> ...with identification

<karen> ...beyond multifactor things

<karen> ...browser can react in more robust way; and can you channel that back

<karen> ...browser can still be the locus

<karen> Sam: that's great if I trust the browser or if I have an identity for which it's the locus

<karen> ...but in enterprise that does not make sense

<karen> ...If I am an unintended app, the browser is wrong place for it

<karen> ...as a human, the browser is wrong choice for my ID locus

<karen> ...you have described an important use pattern

<karen> ...but many different approches, as Dirk described

<karen> Ben Adida: one point Phil made

<karen> ...it's not just crypto

<karen> ...hate to bring up SONY; when you concetrate a lot of data into the cloud.

<karen> ...can be more complicated

<karen> PhilHB:decide what you can accept

<karen> ...such as accepting, storing credit card data

<karen> ...and whether to store in unencrypted

<karen> ...I just had my credit card suspended from Michael's retailer because it was hacked

<karen> Harry: we will close the queue now

<karen> Speaker is Direck Balfanz, Google

<karen> Dirk: I want to do a demo

<karen> ...so thanks, Sam, a lot of what you said will be a great introduction

<karen> ...to what I will talk about on Android

<karen> ...how we are using it on installed apps as well as browser

<karen> ...and talk about how to do this more generally

<karen> ...So what does the account manager on Android do?

<karen> ...so the way it works is you write plug-ins called authenticators

<karen> ...app users an API to say I want a ? complete to talk to some service provider

<karen> ...which of these plug-ins and what account installed on device this token should be fo

<karen> ...plug-in does magic and returns to server

<karen> ...so plug-ins store user credentials

<karen> ...let me show you

<karen> ...here is an Android device

<karen> ...and so the account manager here as a bit of a UI

<karen> ...two accounts currently installed on this device and I can add more

<karen> ...add a Google account

<karen> ...I can say take me to a browser

<karen> ...let me use a more complicated login procedure at Google

<karen> ...this in an account that has OpenID turned on, so I get redirected to Yahoo!

<karen> ...You could imagine other things like two-factor id, or log-in challenges that complicate things

<karen> [checking network]

<karen> ...Let's try again

<JeffH> @karen -- u doing valiant yeoman's work there :)

<karen> ...I can readwrite to Yahoo

<karen> ...So what you will hopefully see, is an installed app AUTH flow

<karen> ...could have been something more complicated like a two-factor authentification

<karen> ...device gets an AUTH token for this account

<karen> ...so now a third

<karen> ...installing on account manager and seeing what is there

<karen> ...store account credentials, don't have to see it again

<karen> ...type into phone and don't have to do it again

<karen> ...uses an API for the accoutn manager which remembers your passwrod

<karen> ...takes care of rest

<karen> ...no need for app to take care of ?

<karen> ...one of APIs it provides

<karen> ...apps can show you this list of accounts

<karen> ...installed lists, some confusions

<karen> ...link with same accoutns

<karen> ...So what an app typically does

<karen> ...it calls the account manager to ask what is installed

<karen> ...then you pick account

<karen> ...after you choose, use the acc't manager and talks to server side

<karen> ...What we did in Honecomb

<karen> ...we added acc't manager to device

<karen> ...here is browser, I am not logged in yet

<karen> ...I want to log into my Picasa Web account

<karen> ...so now at Google log-in page

<karen> ...the browser slid in that butter bar

<karen> ...use that to log in

<karen> ...now logged into my Picasa account

<karen> ...you notice what happened is the log-in page was still there

<karen> ...I could log in manually

<karen> ,..but it offered me the choice

<karen> ...Also works with relying parties

<karen> ...they way this works

<karen> ...is that the server sends a header that says I support logins with google account

<karen> ...openID relying party can also use header

<karen> ...using my account manager

<karen> ...get taken to OpenID approval page on Google

<karen> ...being a relying party, the site could have asked for my id, photo

<karen> ...my address book; so appropriate to show an approval page

<karen> ...shows OpenID back to the relying party

<karen> ...using the account manager

<karen> ...two more slides

<karen> ...plug-ins run their own proprietary protocols

<karen> ...one acc't manager you don't have to write prop. protocols, but could do in a standardized way

<karen> ...uses OAuth to install acccounts

<karen> ...one, standardize ways to get credentials into account manager

<karen> ...second thing we need is a standardized way to use that credential, that OAUTh token

<karen> ...to access something, it's downscoping

<karen> ...go to service provider

<karen> ...to hand to the app

<karen> ...third thing I demonstrated

<karen> ...one of tokens is not standard OAuth is URL

<karen> ..and it logs in the user

<karen> ...one-time use

<karen> ...that magic token makes the user get logged in

<karen> ...hit and get back in return a URL

<karen> ...will log in the user

<karen> ...Google has such a URL

<karen> ...other have them, too, so we could standardize on those

<karen> ...no crypto

<karen> ...not standardize how I authenticate to my ID

<karen> ...browser used standard mark-up

<karen> ...just need standardized way for OAuth token

<karen> ...Once I hit that login URL, I can hit it @@

<karen> ...Yesterday we talked about special cookies, I don't think we need those

<karen> Harry: I like the "do need to standardize and don't need to" list

<karen> Sam: you don't need to standardize X for your use case

<karen> ...great to innumerate for each use case

<karen> ...but annoying when you say we don't need to standardize at all, because there are more than one use case

<karen> Harry: goog point

<karen> s/goog/good

<karen> BenA: for that web login URL, do envision some special header

<karen> ...so it's coming from more than redirecting? Coming from outside browser?

<karen> Dirk: If any random web site

<karen> ...saying I support Google logins, and if not relying party, browser will redirect to Google

<karen> ...and I won't see it

<karen> BenA: I'll take it offline

<karen> Q: when Google ? to Yahoo

<karen> ...is Google aware of it?

<karen> DirK: no, fires off an OAuth flow

<karen> ...I need to log in a user

<karen> ...if OpenID, I need to redirect to Yahoo

<karen> Harry: closed queue, now prsenting is Mark Watson, Netflix

<karen> Mark Watson: also joining me is Mitch Zollinger, the real security expert

<karen> ...Provider a user perspective today

<karen> ...When it comes to device authentification, some things not possible

<karen> ... if you define a browser as an id environment, and we (netflix) ship browsers to all sorts of devices

<karen> ... you just don't see the chrome

<karen> ... what does secure actually mean

<karen> ... our service and a bunch of others rely on guarantees of device behavior

<karen> ... this is not a normal part of the web

<karen> ... this makes sure we install a reputable browser

<karen> ...examples are HD content

<karen> ...not just our requirement of our service

<karen> ...Other areas are financial services data

<karen> ...that is out of scope of right now

<karen> ...Could imagine other examples such as electronic medical records

<karen> ...haven't thought a lot, but there are others

<karen> ...how do we determine if device has properties to get the proper content

<karen> ...We have restrictions on the number of devices per account

<karen> ...that is a business decision we took

<karen> ...What do we mean by device authentification, staying at requirements level

<karen> ...One, we need to id the type of device accessing the service

<karen> ...we don't care if YouTube sees different identifiers for that device

<karen> ...we use it to make authorization decisions and to restrict access

<karen> ...we need to tell what properties the device has

<karen> ...may come from some software, which is weaker and does not provide guarantees

<karen> ...We need to determine the security properties

<karen> ...could be done with software or hardware

<karen> ...Strength of identity is implicit in the identity itself

<karen> ...for example, we have a trusted relationship with a device manufacturer

<karen> ...and can make decisions

<karen> ...privacy

<karen> ...device identifier is personally identifiable information

<karen> ...You need some type of user consent to give out to a given destination

<karen> ,,maybe dialogue boxes with certification is not best way

<karen> ...services need to be secure to users satisfaction

<karen> ...that user is going to right .com

<karen> ...We are not saying these are "the" requirements; they are our requirements

<karen> ...not trying to generalize

<karen> ...we need input from others

<karen> ...that could be universally applicable

<karen> ...Java Script APIs for service device authentication is one possible approach

<karen> ...First, possiblity to derive a temporary key

<karen> ...those temp keys should not be visible to Java Script code

<karen> ...should be secure to whatever level...of the platform device

<karen> ...Build whatever protocols you want

<karen> ...to make them secure

<karen> ...There are some services not possible today on the Web platform

<karen> ...secure device authentification is one

<karen> ...on browser side others interested in working on this

<karen> Harry: Let's go next to Intel presentation

<karen> ...then Q&A and then go to a shorter break

<lowenthal> are the slides online somewhere?

<karen> Speaker is Jack Matheson, Intel's application and security products group

<karen> Jack: this is a new area whe just christoned

<karen> ...mostly talking about platform problems

<karen> ...that is my interest and it is important

<karen> ...First I would like to acknowledge the notion of trust in this relationship

<karen> ...establish trust between you and your services

<karen> ...long-term support

<JeffH> @karen -- at some point pls announce to group -- perhaps write on the flip chart -- how we can go access these IRC logs from ystdy & today. thanks!

<karen> ...Trust is predicated on user and their device

<karen> ...Problem here is a lot of things

<karen> ...think of device ids, hardware state or testing it

<karen> ...talking about a trusted third party to verify it

<karen> ...that's a big problem

<karen> ...not just in enterprise but also consumer

<karen> ...More philosophically

<karen> ...it's a problem because a device is owned by a user

<karen> ...not user centric but network centric

<karen> ...need a tie between the platform and the privacy of the user

<karen> ...that is not nec. solved by attestation

<karen> ...you can ping me later about hat

<karen> ...mostly stating problems today

<karen> ...Leads to second problem

<karen> ...if you want mass adoption, you need platform that gets to masses

<karen> ...why the platform is so important here

<karen> ...My interest in this workshop

<karen> ...I titled this hardware relevance

<karen> ...I think of browser

<karen> ....user agent has direct access to platform

<karen> ...hybrid solutions, software-device interactions

<karen> ...primary is low cost

<karen> ...If someone snaps a picture

<karen> ...it is very cheap to put on and it is massively adopted

<karen> ...everyone has a camera phone now

<karen> ...other things I will gloss over

<karen> ...Think of user-centric privacy

<karen> ...if a trusted third party is not user centric

<karen> ...and I have seen experiments of putting within device itself

<karen> ...Problem all of them face is that people in business of devices, hardware and platforms

<karen> ...no one wants to introduce legacy

<karen> ...solutions in platform

<karen> ...no one wants to support

<karen> ...So the problem here is that platform vendors want to support identity in a secure, user-centric way, but not in a proprietary way

<karen> ...closing example

<karen> ...TPN

<karen> ...way in which it got accepted is awesome

<karen> ...people who worked in trusted computing got together

<karen> ...so every laptop has a TPM chip

<karen> ...just the perfect example of why we need workgroups to create identity standards that are applicable to the platform

<karen> Harry: now go to questions

<karen> ...20 minutes then break

<karen> PHB: going back to other discussion about platforms

<karen> ...we have not decided about how to represent the account identifier

<karen> ...OpenID uses a URi

<karen> ...and type in..

<karen> ...look on web, way we federate accounts

<karen> ...if we can make that decision to use that same mechanism to represent an account across SAML, and OpenID and OAUth

<karen> ...we could all make that play nicely and simply

<karen> ...and how one relates to another

<karen> JeffH: Phil makes a good point

<karen> ...a bit confused

<karen> ...what we people use to id ourselves in an online context

<karen> ...may or may not be mapped to what internally in the system is known as an account identifier under the hood

<karen> ...he is talking about user identifiers

<karen> ...we could leverage those

<karen> ...but not nec what gets mapped under hood

<karen> ...people wield multiple identifiers

<karen> Phil: comes to how you interpret; whether you use DNS

<karen> ...identify provider at xyz.com or Fred a pqr.com

<karen> ...have to decide if we are going to use the DNS and nothing else

<karen> CarlH: In cases where customer has own equipment

<karen> ...it looks identity management should be in the platform

<karen> ...and be just another app

<karen> ...like Google chrome

<karen> ...could be standardized

<karen> ...to do that and have these apps work together

<karen> ...me having 40K apps on my iPhone that won't work together is crazy

<karen> ...so apps must work together on the platform

<karen> ...I didn't hear a revocation story from Dirk

<karen> Dirk: I had the step of provisioning the account

<karen> ...just an OAuth flow

<karen> ...what fell out was an OAuth

<karen> ...service provider can show tokens

<karen> Carl: could be tricky to explain

<karen> Dirk: page not very good, hard to discover; I think Facebook is doing a better job

<karen> ...service provider knows the token has been issued

<karen> Carl: should provide a reasonable summary

<karen> DirK: could be a sitation to voluntarily give up token

<karen> Carl: How can we explain to users what they have given out and what they can take back?

<karen> DirK: with Android, you can uninstall

<karen> ...but revocation you have to do on server provider side

<karen> Dave: a couple things

<karen> ...Jeff's comment of email address, I am a big fan of that

<CraigWi> from a question yesterday, the Microsoft Security Intelligence Report is at http://www.microsoft.com/security/sir/default.aspx

<karen> ...if you use the @ sign you apply an email address

<karen> ...i dno't have an obvious solution, but we need simplifying assumptions

<karen> ...improve usability

<karen> ...bigger point, there may be low hanging fruit to improve usability

<karen> ...to point that improving usability is worth doing

<karen> ...consistency is important

<karen> Harry: Phil

<benadida> ack me, that was a while ago

<karen> PHB: I agree with what Dave just said

<karen> ...I tried using ? in mark-ups

<karen> ...most sites require you to use an email account

<karen> ...If you want to aggregate more than a small number of accounts; this may not be your sole email

<karen> ...but it must have to have some email like properties and be used as a customer service account

<karen> Dave: it's a limiting assumption

<karen> Dirk: an email address should be a standard attribute because it is pervasive

<karen> ...I don't think it should be "the" identifier of the account

<karen> ...just an attribute

<karen> Craig: security analysis report

<karen> ...acc't manager in Honeycomb

<karen> ...MS has a full suite of capabilities

<karen> ...Windows probably sends

<karen> ...further investments in that space, plug-in model, may be worth noting

<karen> ...Phil said about deployment

<karen> ...deployment was both fantastic opportunity and failure

<karen> ...we thought we could get on all machines

<karen> ...but was first version, not improved

<karen> ...with need for deployment to evolve systems

<karen> ...we won't get it right

<karen> ...do get broad deployment and good site of timeline usability is important

<karen> Sam: a solutoin for some use cases is to have a compoenent of web app

<karen> ...a library you can grad

<karen> ...you have evolution points within the platform

<karen> ...which could give you a better story

<karen> ...either one can bring new features to the other

<karen> Tyler: question for Netflix

<karen> ...you are user web technologies

<karen> Mark: we do have user interface stuff in web environment

<karen> ...video streaming is pretty much under covers

<karen> ...we could put together a proposal of a Java Scipt API requirements

<karen> Tyler: A strawman proposal would be good

<karen> Harry: yes, we really do need strawman proposals to make work move forward; for more or less every group of passcode features in scope

<karen> ...we are trying to determine how much of device id is in scope

<karen> Q: Online acc't manager would also fall back to same issues as yesterday

<karen> ...go into form fill

<karen> Phil: yes and no

<karen> ...if site makes it too difficult for me, I don't use

<karen> ...like Huffington Post

<karen> ...I will give up if it's too difficult

<karen> ...yes, there are idiot web managers that want to control the user experience

<karen> ...and then they become unemployed

<karen> Q: they are still there

<karen> Phil: some you cannot reach; if you can get 80-90 percent in, better than zero

<karen> Q: we make one, I agree, but still suffer

<karen> ...no standard

<karen> Q: for Intel, from hardware platform perspective, where are the manufacturers in coming up with a standard

<karen> ...why not start at platform and build up

<karen> ...where are we? What is Intel, AMD, as an industry

<karen> A: No agreement what we need

<karen> ...people like me who approach more philosophically and the business side

<karen> ...no one will use Id priviledges unless there is mass adoption

<karen> Q: sort of schizophrenic

<karen> A: lots of things Intel is working on

<karen> Q: no standards body working on that?

<karen> Harry: at W3C we work on more Webby things

<karen> Q: For Google we talked about the "ok" button

<JeffH> who's the guy asking these good questions?

<karen> ...Ok comes onto screen so fast; you grant permission to get information

<karen> ...have you thought through usability of those who don't want to give approval?

<karen> Dirk: Google screens are the standard

<karen> ...that we implemented

<karen> ...whatshould go on those consent screens is an interesting problem

<karen> ...informed consent; versus check boxes

<karen> ...yes, it's an interesting problem we are looking at

<karen> ...but a bit orthogonal to identity in the browser

<karen> ...to me it seems like a trust issue

<karen> ...either I trust or I don't

<karen> ...if I trust, they are ok

<karen> Sam: more like I trust them or I trust them; have you ever said no?

<karen> Dirk: yes, I have said not

<karen> Q: If you install an app that asks for phone calls when you want to play a game, you still say yes

<karen> Dirk: I look at number of stars, who recommended it

<karen> Harry: Nico, Dominique

<karen> Nico: to comment on the Android, I want to say, no I don't want that priviledge

<karen> ...I liked your presentation

<karen> ...you exemplified what you can do with a framework and APIs

<karen> ...some of what you showed is somewhat I envision

<karen> ...so you, me and him need to get together

<karen> Dirk: you are not only one who wants that feature

<karen> Dominique: I am curious to know scheme of user creating account

<karen> ...how do you deal with elevations

<karen> ...transactions may have a higher value

<karen> ...how do you protect that information

<karen> ...if someone else assume the account of that indiv, but not real person, how do you tell?

<karen> Dirk: first part of question goes into transaction based authorization

<karen> ...at that point in time I need additional authorization from the user

<karen> ...When you install account, an OAuth token could be used

<karen> ...but not powerful enough to approve all transactions

<JeffH> on a technical level, an "oauth token" is a "capability"

<karen> ...then service provider sees they are using an OAuth; could send an sms to them

<karen> Dominique: so resides at service provider?

<karen> Dirk: yes, service provider decides about OAuth token

<karen> Q: What if developer asks to turn feature off?

<karen> Harry: to summarize

<PhilWolff> Did anyone answer the question raised by Intel about hardware baking in identity protocols that fail to update and keep up?

<karen> ...needs to work with platform

<karen> ...account manager, account manager

<karen> ...help Phil's cloud scheme

<karen> ...show of hands

<karen> ...should we scope ourselves

<karen> ...outside browser mechanisms

<karen> ...The statement is

<karen> ...scoping statement

<karen> ...strong consensus about account managers working outside browsers and in the cloud

<karen> ...yes, we should go outside browser

<karen> [half room says yes]

<karen> [no hands for no]

<karen> ...Next, yes device ID should be within scope

<karen> [about half room shows hands]

<karen> [a few no hands]

<karen> Sam: another question, is it valuable to see what IETF is doing

<karen> ...and try to align

<karen> Nico: in a device, identity comes from platform or the hardware

<karen> Sam; yes, I agree; but is it desirable for us to work with IETF

<karen> Harry: I assume answer is yes to work with IETF

<karen> Mark: you are also thinking about platform capability

<karen> ...whether keys represent you or the device

<JeffH> my thought is that the particular notion of "device id" that the netflix folks are arguing for is imv a somewhat separable problem

<karen> Sam; on Android, device id cuold be another account

<karen> nico: we want to bake a framework in

<karen> ...another one for user id

<karen> ...want ability to have them

<karen> John Linn: these two topics are valid area of standardization, yes

<karen> ...if it's W3C or others to approach, should discuss

<JeffH> also, there may be existing work that can be leveraged for "device id" and it isn't necessarily something that needs to be reinvented

<karen> Harry: good point

<karen> ...one of reason ISOC is co-chairing

<karen> ...is I do believe W3C is happy to coordinate with IETF in this area

<karen> JeffH: this device Id stuff could largely be done from a protocol perspective

<tlr> (also, the W3C liaison to the IETF is sitting in the second row and nodding)

<karen> ...in other contexts, don't reinvent it

<karen> Harry: we will have a protocol discussion in the afternoon

<karen> ...sorry ten minute break

Standing in for Kaliya

<tlr> ScribeNick: PHB

Ideas for user centricity -

Usability is important

This group is not the default, people can act out online without consequences

People use multiple personas, particularly women

Ways to let people manage their own data online

Critical thing is to allow users to have multiple persona

<nico> I'm curious why women might have more online personas than men, and where's the data to back that up :)

Organized conference earlier this year - she is geeky

Users had 2 facets by default

<nico> ah, there's the data

Women had an average of 6 facets, some must have had far more to make average

Being seen vs being watched vs being stalked

Being seen is bidirectional

Being watched is unidirectional

Being stalked is aggregating across multiple sources

Personal data services

users control their own data, users can share and trade in ways that they control

<dpranke> Is "stalking" an established term in this space

Can get free flights!!

<dpranke> I fear it may be overly charged or polarizing

Mary-Ann Hona

Hondo

The IBM presentation

The Nexus of identity

Users want two control knobs

one is transparency

Presenting aggregate IBM opinion is hard (!)

yes to everything

Lets do whatever we can to improve usability scalability security

In addition to the base products, research into vulnerabilities

acquired company now our X-force group, usability & security

track vulnerabilities, policies, risk based policies and controls

<PhilWolff> Hodder: ID managers should help users apply/admin personae from the browser, not just authentication.

what exactly wold a well behaved mobile app look like?

identity support outside the browser

less concerned about what it is than being able to talk about it in a common way

Our vision

zurich lab has worked with EU on privacy issues

vision from lab is that users can interact in a safe and secure way

identity mixer, a flexible cryptographic framework

access control

EU projects to make it real

proofs of claims such as 'i am between 12 and 15 years old

can be used with smartcards

addresses all requirements of privacy protecting PKI

Who are you vs access ??? (slide gone)

Resources www.Primelife.eu

(contacts in slides)

TLR: European host of W3C is a participant in that project

Next speaker:

<tlr> ... as are several W3C staffers

<tlr> (Rigo, Dave Raggett, myself)

John Tolbert from The Boeing Company

History

Talk about identity, use identity for access control

Histor: Users, Groups, ACLs, to Risk Adep AC

Can't say we have got off the simple stuff in some cases.

Machinery of identity

LDAP, Web Access management and so on, PKI, SAML, smartcards

Encouraged by whay I have heard

interested in combination of user and device identity

Get wrapped up in aerospace, defense type world

finance, social media type

use web access management internally extensively

1000s of applications (not users!)

external connection get into

identity is a piece of the puzzle

evrything goes into the middle, access control

Empower people in global trade controls, to author policy and make access control decisions

environment matters, who a person is, where there device is

being able to prove that strongly

identity providers

nobody in this country would go for a national identity card

bottom up may provide what we need in that area

mention the unmentionable - advanced persistent threats

identity in browser can be compromised, for naught if machine is compromised

skip through data protection for time

cryptographic standards needed to bind metadata to data for access control decisions

look to how we can leverage info from groups like trusted computing , extend existing standards, SAML etc

Next speaker

Yahoooooo!

Wendel Baker from right media

Provide open marketplace where Yahoo can buy and sell ads

Pay the bills by monetization

two systems in Yahoo

ONO - Owned and operated

sold on guaranteed basis like a newspaper

hand money (make good) if can't make display

This is the other system does the infill

How the internet world thinks about monetization

audience side - getting people to come and read stuff, use service

need to get people to register

how to manage identity in terms of profiles and so forth

goals have is to have more fun

more personalization more interest

does not get any money

two monetize charge people or you do advertising

<PhilWolff> @dpranke stalking is used for this type of asymmetry among online social science researchers

joke in VC community and can't work out how to monetize become an ad network

to make this interesting need to do more than just push pictures in front of people

need to tailor ad to the viewer

match between who the audience is, set of advertisers and the browser

Someone is providing the venue, set of advertisers would like access to opportunity and the viewer

today are two systems and they are unconnected for various reasons including policy

when you log in you get to choose screen name etc

advertising side is assigned to you by advertiser, public policy space

key about advertising is that you don't have to interact with that

don't need to know very much about the person on the other side of the wire

rough idea that have seen this guy before

amount of time that a buyer is focusing on the metrics is short

audience side identity systems

users should not need to sign in to use this site

users who log in via open id or whatever are better users, spend longer time, play more games etc

other way

got to be some way of identifying site

three screen strategy or four screenm

trying to relate what is going on in the online space to tv, mobile and other

web is the center

vision is that you should be able to do something on your tv, go to the web, mobile and its all the same stuff

need a way to link the identity across the devices so that you know its the same user

other side of the house

everything goes through the exchange that resolves 'who gets the ad'

this notion of who the user or the device is is not tied to what is seen before

advance going on today is linkage between different exchanges

to do that need to map the identity between different marketplaces

very important exchange wants to maintain its idea of who a user is

but need to match up

two sides

voluntary identity, vs forced identity

how strong and by what method should we tie these mechanisms?

Speaker: Chadwick

Trusted Attribute Aggregation

TAAS

Paypal people think of it as a broke

few sites

electronic shopping site

said student

comes to shopping payment time

need a credit card, postal address and student card

two attributes from user

one from bank (credit card)

and one from schoo (student card

Policy for getting onto the site

is a mime type that causes a plugin to be activated by the browser

user clicks on bookmark

this stops a phishing attack

selects trusted service provider

can use any auth syustem you want we use username and password

has taken policy of the search provider

and filtered it according to the user

got some names and got some addresses

can have an official name given by the government or a name chosen by user

can do a gift purchase

can submit

or save and submit where the system remembers and gets one click shopping

now can go back and get single click shopping

single sign-on from SAML etc

another example from UK e-gov work

to get parking permit must have proof of car ownership

proof od pension

credit card

government currently only doing aggregation of government attributes

this time when user chooses name the only one that works is the officially certified name

user can't choose bill gates, has to match policy from search provider

goes back to site and site says these are attributes that were provided to me

if happy with that can get permit sent in post.

uses SAMLv2

(read slide summary of featues)

similar features today to what Microsoft and IBM will provide in ten years time

Demo is at (someone else must type)

username is guest

<hhalpin> can someone near the front type that URI into IRC?

passwpord is password

<hober> s/guest/Guest/

(high security here!)

Time check, we is an hour late

20 mins for discussion

Dirk? Wicked does not mean bad

Stalking has connotations... is this intentional

loaded term

<nico> "stalker economy"

?? well, refering to it as stalker economy is that we see people using info in malicious ways

people selling life insurance go online

health insurers

not just you but your friends

so its all kinds of ways

dossiers being compiled

Dan schuster

<nico> so act anonymously then?

legitimate needs of privacy

trying to support them is chasing tail

can obtain all the information from a variety of sources

photos announcement of church etc

niothing to do with whether know full birthday, who I am etc

<nico> See Spokeo for a freaky example. As the chairman of a past employer said: "you have no privacy, get used to it"

is complicating id metasystem, but agent can get same info more easily

name and age bracket plus zip is enough to identify you

Speaker Jon

Speaker Harry:

<nico> Enough personal info arguably is identity...

Quicj question at Mary: is google a personal id system

yes

Wendel: device ID in paper

need complex schemes to track people to real id on their net

what is the process to

<hhalpin> actually I think Mary said "maybe"

netflixy based hardware id is bettrer, have number and can just work with it

<hhalpin> which does make me wonder what is NOT a personal data store.

scale of the yahoo audience must be lots of

<hhalpin> Perhaps Wendell's ad-tracking system would not be one, as I am not aware of it per se

state kept, device id would make it simpler, reduce gear, costs, co-lo space and so on.

John Linn:

Trusted components

is underspecified

should be by whom and for what

(PHB and does not mean trustworthy)

firefox plugin is an adblocker will undo an aspect of the system

need to recognize there are components

different entrants and for different purposes

we engineered it to minimize the trust component

never asks for username and password

(Chadwick) I don't know who you are, idp does not know

aggregator merely aggregates tuples

minimize the amount of trust required in it

will only release links to the entity that gave it to them

trust is a major issue

Tom ?

<karen> Tantek Celik speaking

Economics, pick any

zero to know cost to check anyone in your system

zero cost to stalk everyone makes a very bad system

Jeff Hodges: This is really important stuff but layer 9

legislation and policy trather than technology

(can't hear)

I just want to be this person for today

David singer above

<karen> Greg Kerr, AuthenTec was speaking

Dan: brute force is not as difficult as people imagine.

Sam H.: anonymity and unlinkability is harder than you think no matter what

agree with jeff, every if statement in your code is a potential linkability issue

have bought 40 minutes

<JeffH> OMG -- Carl Hewitt has an even bigger gear bag than me....

<JeffH> :)

Dan Schuster

what is different now that would make it a good time to be making changes?

much greater sophistication in malware and fraud etc than before

Government drive

Smartphones

Social networks etc

now may be the time to see things happen

barriers

<nico> Are logs of this channel being kept?

(summary is in slides)

<nico> If so, where?

hard to displace historical precedence

must be easier to use, to interface to

<JeffH> @nico -- apparently irc.w3.org keeps logs and there's a std way to get to them. i dunno offhand what it is. TLR said they'd let us know

- DRAFT -

W3C workshop on Identity in the Browser

25 May 2011

Attendees

Contents

Simulation & Design for Deployment

Summary of Action Items

Scribe.perl diagnostic output