NSTIC, Privacy and Social Login: Presentation at the W3C Workshop on Identity in the Browser (PowerPoint presentation)


SLIDE 1

05/03/2011 Pomcor

NSTIC, Privacy and Social Login

Presentation at the W3C Workshop on Identity in the Browser

Francisco Corella and Karen P. Lewison Pomcor

SLIDE 2

Getting Rid of Passwords…

- …is one long term goal of NSTIC
- But it may be achieved in the short term by “social login”
  - Login with Facebook…
  - …or some other social site such as MySpace or LinkedIn or Twitter
  - …or a general purpose site such as Google or Yahoo
- Is this a good thing?

SLIDE 3

Unfortunately Not!

- NSTIC seeks increased privacy and security; OAuth-based social login achieves the opposite:
  - Social site can track user’s Web activity
  - Credential may be sent in the clear
  - Facilitates phishing attacks
- RPs must register with social site
  - Social site can revoke registration
  - Registration requirement reinforces Facebook’s social network monopoly

SLIDE 4

Social Login Needed ASAP in the NSTIC Ecosystem

- In the long term, the NSTIC ecosystem should be based on zero-knowledge proof (ZKP) technology
- But today’s social login may preempt NSTIC if we wait until ZKP can be broadly deployed by RPs
- => NSTIC needs an interim solution
- The interim solution could be used to develop a trust framework and user interfaces ahead of the long term solution

SLIDE 5

HTTP Extension for Delegated Identity

- Browser aware of double redirection
- Browser retains callback URL
- Browser generates one-time key pair; IdP binds one-time public key to attributes in one-time certificate
- Browser receives generic identifier from IdP, sends RP-specific identifier to RP
  - Generic identifier is high-entropy secret, not included in one-time certificate

SLIDE 6

Social Login Using the HTTP Extension

- IdP = social site
- RP generates 2nd one-time key pair, sends public key to social site via 1st redirection
- Social site binds 2nd one-time public key to right to access user’s account, in 2nd one-time certificate; sends certificate to RP via 2nd redirection
- RP accesses user’s account at social site using 2nd one-time certificate

SLIDE 7

For More Info

- A newly revised version of the position paper will be posted to the Pomcor site shortly after the workshop:
  - http://pomcor.com/whitepapers/NSTICPrivacySocialLogin.pdf
- Email addresses of the authors:
  - fcorella@pomcor.com
  - kplewison@pomcor.com