
Workshop Tackles the Hard Problem of Identity in the Browser

Today’s approaches for managing trusted identities online, social networking, security, and privacy are uneven and at times incompatible. To tackle this market fragmentation, the W3C organized the Identity in the Browser workshop on 24-25 May in Mountain View (California, USA). The goal of the workshop was to bring active practitioners together to explore what can be done to increase the security and privacy of Web-based user identity and to reduce fragmentation within the identity ecosystem found on the Web.

Over 80 representatives from various organizations attended the two-day workshop, including participants from the major browser developers such as Google, Microsoft, Apple, and Mozilla. The room was filled with active practitioners from across the identity, security, and design professions. During the full-day sessions, the workshop explored requirements and technical proposals for standardizing approaches to securely handling Web-based user identity. Among the topics discussed were:

Cryptographic APIs: Currently there is no common API through which Web applications can access the cryptographic support built into browsers, forcing developers to rely on freely available cryptographic libraries whose implementations may not be entirely safe. Given that high-quality cryptographic implementations already exist within most browsers, it may be possible to expose a common set of them via standardized APIs.

Standardized Identity/Account Managers: Almost every browser has some sort of account manager designed to handle user identity data. Unfortunately, they do not all function the same way, making it difficult to port identity data between browsers or to Cloud-based services. There is also little integration with the underlying device OS, making it difficult to leverage its own account management mechanisms.

Identity in Forms: Most browsers also facilitate Web interactions by offering to store form data and automatically pre-fill form fields. While these techniques often assist users in filling out forms, the practice raises security and privacy concerns. All of the browser developers present at the workshop agreed that their current heuristics for form management could be improved by some simple standardization.

Private Browsing and Cookie Management: A common theme was that some aspects of identity management in a browser (including cookie state) seemed at odds with current proposals for “do-not-track” and “anonymity protection”. Possible research work was considered on what should constitute a standardized “private browsing mode”. Other proposals included updating the user interface to improve users’ understanding of how to manage cookies effectively in support of more controlled or anonymous browsing.

Security Indicators: There are currently significant differences between browsers in how they display security indicators to users. They often use various colors and icons within the URL bar to convey the “trustworthiness” of the digital certificates used when setting up a secure connection. Unfortunately, none of these schemes appear to be compatible with one another, raising questions about their effectiveness. While standardization may be premature, there was interest in building a common place to share research on security indicators as a first step.

A final detailed report will be published by the end of June summarizing the findings and proposed next steps coming out of the workshop. To join the discussion, subscribe to public-identity@w3.org by e-mailing public-identity-request@w3.org with “subscribe” in the subject line. The W3C looks forward to hearing from you, and wants your help in integrating identity into the Open Web Platform.

The W3C thanks J. Trent Adams, Internet Society Outreach Specialist on Trust & Identity, for co-chairing the workshop with me. Thanks also to the Mozilla Foundation for providing host facilities. Special thanks also go to Yahoo!, Paypal, and RSA (The Security Division of EMC) for sponsoring the workshop.

One thought on “Workshop Tackles the Hard Problem of Identity in the Browser”

  1. SP’s Security Policy
    Another area where standardisation is needed is for a service provider site to be able to transfer its identity requirements (both authentication and authorisation requirements) in a standard format, via the browser, to an IDP (or proxy IDP, identity broker or hub etc.) as a standard MIME type, so that the recipient can obtain sufficient credentials from the user so as to allow the user to gain access to the SP’s protected resources.
