the dns as a directory for identities
play

The DNS as a directory for identities ICANN DNS Symposium 2018, - PowerPoint PPT Presentation

Apr 10, 2024 •103 likes •302 views

The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola <vittorio.bertola@open-xchange.com> 1 Premise: We need proper online identities Traditionally, we only had accounts And they were not

  1. The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola <vittorio.bertola@open-xchange.com> 1

  2. Premise: We need proper online identities • Traditionally, we only had accounts • And they were not connected to each other, though they often had the same information in them • Until some companies realized that tracking users across multiple accounts created a lot of value • Targeted advertising, user profiling etc. • We already have online identities, but they are not under our control • We only have accounts, but others have our identity (and monetize it) 2

  3. Online credentials for the average user • Most people just reuse usernames and passwords across hundreds of websites and services • Usability issues • Security issues • Single-sign-on systems in private namespaces gaining ground • Users like them, but: • Fragmentation, lack of interoperability • Clients have to implement each of them separately • Users cannot choose their provider 3

  4. A wi-fi login form from the real world 4

  5. Advantages of public, federated SSO • Why can’t your online identity work like your email address? • You only need one account to interoperate with everyone • You get to choose and even to change your provider • You can keep your identifier if it is in your own domain name • You only need to remember and secure one set of credentials • Any additional security mechanisms can be implemented just once by a specialized party (not by any website operator) • You have an easy way to control the sharing of your information and to keep it updated (a legal requirement in many countries) • You don’t need to register for new websites, just identify yourself 5

  6. Ok, great idea! But what do we need? • We already have federated identity management and authorization protocols • OpenID Connect / Oauth 2.0 • Though not normally deployed in a truly federated way (at most, used for a federation with a single identity provider) • We miss a place to keep the directory of all existing identities, and a protocol for looking identities up into it 6

  7. The Web people do it on the Web • OpenID Connect already has an optional discovery mechanism • It is based on WebFinger, which is based on HTTPS • Only accepts URIs as identifiers, with email addresses as a special case • Requires you to deploy a web server and a WebPKI certificate on each and every domain that you want to use for identifiers • Even if it is a domain not used for the Web • Even if it is a domain not used at all, except as a reserved string • Even if you still need a DNS query before making an HTTPS connection (that is, until the Web people finally succeed in replacing DNS queries with HTTPS requests) 7

  8. Hey, but the Web is so uncool now • Why don’t we use a blockchain? • Join the revolution! • Don’t you want to be self-sovereign? • Here, buy these tokens from my ICO! 8

  9. 9

  10. The blockchain people do it on the blockchain • Identities, or at least pointers, or at least hashes, are written into the blockchain • The rest is often unclear, or proprietary, or vaporware, or all together A survey by a potential customer found 91 blockchain ID projects, 63 of which were having an ICO, but only 17 of them had a non-placeholder website, only 3 had downloadable software, and only 0 had working software. (source: European Identity Conference 2018) • The selling point is that this is «decentralized» • Down with «central authorities»! No government, no ICANN can get in your way! • Unofficial standardization ongoing at the W3C on a «DID» URI scheme 10

  11. Wait a minute… • We already have a «public distributed ledger» • It is an open, public standard with many free implementations • It is widely available to everyone everywhere • It has been working reliably for 30+ years • It is secure (with DNSSEC) • It can scale effectively to support almost any amount of traffic • It is decentralized and federated • It’s the DNS! 11

  12. The DNS provides the namespace • In the real world, people use «natural» names which are neither unique nor uniform nor easily parsable • So you need a namespace to name identities uniquely on a global scale, while distributing its management… but it’s the same problem that was already solved for host names 35 years ago • Using the DNS, you can assign human-readable identifiers to identities in a naturally federated namespace • Users are already familiar with DNS-based strings • You can even use email addresses if you wish • Or you can encourage people to get their personal domain name and own a piece of the namespace 12

  13. The DNS provides the discovery mechanism • We just need a pointer to know who is responsible for an identifier • Again, same problem already solved for email 35 years ago • We use a TXT record, rather than a new RRtype, and we all know why • So we are not adding straw onto the camel’s back • Two Internet drafts independently submitted • Looking for the right place to make them a standard • Could be the IETF, could be the OpenID Foundation 13

  14. The roles in ID4me Provides service to user Personal information Manages customer C n Manages user data r o e i d t Identity e a User n m t r i a o l f c s n o i a n l agent n s a e d n id4me n o t s r e P identifier (Claims provider) (any DNS (Registrar) hostname) Keeps and verifies user credentials Login confirmation Manages consent to Identity Relying data sharing authority party (Identity provider) (Registry) 14

  15. The DNS record for identity discovery _openid.<identifier> TXT v=OID1;iss=<issuer>;clp=<claims_provider> 15

  16. Project status • A joint project by several companies (public name “ID4me”) • Website, public specifications, Java API released (https://id4me.org/) • A prototype up and running, with new features being added • An international association in formation • Outreach ongoing throughout the domain name industry • Interest by TLD registries willing to become identity authorities • Interest by domain name registrars willing to become identity agents • Interest by telcos / ISPs willing to supply identities to their users • Looking for feedback and participation 16

  17. Conclusions • Let’s defend the role of the DNS as the true public and distributed database of the Internet • Let’s keep the DNS relevant by adding more content types into it (rather than more protocol features) • Comments welcome! 17

  18. Thank you vittorio.bertola@open-xchange.com https://id4me.org/ 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage the objects. Source

438 views • 27 slides
Identities: Mirrors and Windows Our identities from our fingerprints and Facebook profile to

Identities: Mirrors and Windows Our identities from our fingerprints and Facebook profile to

Identities: Mirrors and Windows Our identities from our fingerprints and Facebook profile to our family trees fundamentally shape the ways that we think about, feel, and interact with the world. This neighborhood gives students the

657 views • 14 slides
Stash Directory: A Scalable Directory for Many-Core

Stash Directory: A Scalable Directory for Many-Core

Stash Directory: A Scalable Directory for Many-Core Coherence Socrates Demetriades and Sangyeun Cho 20 th Interna+onal Symposium On High Performance

782 views • 31 slides
Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls, Active Directory is based on standard

557 views • 27 slides
Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of attributes Miroslav Milinovic, University Computing Centre, University of Zagreb Jasmina Hodzic, Center for Information Technology Services,

1.65k views • 20 slides
Virtual Identities This lesson considers the extent to which people are able to create online,

Virtual Identities This lesson considers the extent to which people are able to create online,

Virtual Identities This lesson considers the extent to which people are able to create online, virtual identities, and whether these reflect real life identities On The Internet Nobody Knows You Are A Dog! This cartoon from the early days

458 views • 17 slides
Trig Identities An identity is an equation that is true for all values of the variables. Examples

Trig Identities An identity is an equation that is true for all values of the variables. Examples

Trig Identities An identity is an equation that is true for all values of the variables. Examples of identities might be obvious results like Elementary Functions Part 4, Trigonometry 2 x + 2 x = 4 x Lecture 4.8a, Trig Identities and

276 views • 6 slides
Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights Directory of accurate, trusted provider data available to vetted healthcare entities (Not consumer-facing) Authoritative data sources that feed the

529 views • 11 slides
WHAT IS THE SERVICE DIRECTORY? USING THE DIRECTORY Simple format- search by Service Name (if

WHAT IS THE SERVICE DIRECTORY? USING THE DIRECTORY Simple format- search by Service Name (if

A one-stop shop , district and borough-wide register of local services , events and other assets Professional directory- the information on it is not made available to the wider public. Users can see at a glance what the service can do

294 views • 11 slides
Directory 11 Regional Reliability Reference Directory # 11 Disturbance Monitoring Equipment

Directory 11 Regional Reliability Reference Directory # 11 Disturbance Monitoring Equipment

Directory 11 Regional Reliability Reference Directory # 11 Disturbance Monitoring Equipment Criteria Presented to: Joint Meeting NPCC TFSP&amp; WECC RWG September 2018 Tony Napikoski Principal Engineer United Illuminatiing/Avangrid

130 views • 9 slides
LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads Implements a distributed model for storing information

554 views • 39 slides
Units in quasigroups with Bol-Moufang type identities Natalia N. Didurik and Victor A.

Units in quasigroups with Bol-Moufang type identities Natalia N. Didurik and Victor A.

Introduction Units in quasigroups with classical Bol-Moufang identities Identities defining a CML Results Quasigroup based El Gamal Units in quasigroups with Bol-Moufang type identities Natalia N. Didurik and Victor A. Shcherbacov

472 views • 34 slides
LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads. Implements a distributed model for storing

854 views • 39 slides
The Arvy Distributed Directory Protocol Pankaj Khanchandani, Roger Wattenhofer ETH Zurich -

The Arvy Distributed Directory Protocol Pankaj Khanchandani, Roger Wattenhofer ETH Zurich -

The Arvy Distributed Directory Protocol Pankaj Khanchandani, Roger Wattenhofer ETH Zurich - Distributed Computing Group (DISCO) Distributed Directory Distributed Directory Shared Token Distributed Directory Distributed Directory

1.51k views • 139 slides
EMC TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of

EMC TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of

EMC TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of the test laboratory, Conditions/Power Utilized, 4 Description of the EUT &amp; Symbol Definitions Equipment under Test 17 General Remarks &amp;

987 views • 76 slides
Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory Implementation The starting (root) directory of each filesystem is created by formatting . A UNIX directory is a file : it has an owner, group

502 views • 12 slides
DNS Observatory: The Big Picture of the DNS Pawe Foremski Oliver Gasser Giovane C. M. Moura

DNS Observatory: The Big Picture of the DNS Pawe Foremski Oliver Gasser Giovane C. M. Moura

DNS Observatory: The Big Picture of the DNS Pawe Foremski Oliver Gasser Giovane C. M. Moura Farsight Security / IITiS PAN Technical University of Munich SIDN Labs / TU Delft pjf@fsi.io gasser@net.in.tum.de giovane.moura@sidn.nl ACM IMC

1.33k views • 29 slides
CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses Root the Domain Name System (DNS). DNS database maps: edu mil ru Name to

923 views • 47 slides
ECE 650 Systems Programming &amp; Engineering Spring 2018 Dynamic Host Configuration Protocol

ECE 650 Systems Programming &amp; Engineering Spring 2018 Dynamic Host Configuration Protocol

ECE 650 Systems Programming &amp; Engineering Spring 2018 Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Dynamic Host Configuration Protocol

722 views • 25 slides
DNS (Domain Name System) Tutorial @ IETF-70 (DNS for protocol designers) lafur Gumundsson

DNS (Domain Name System) Tutorial @ IETF-70 (DNS for protocol designers) lafur Gumundsson

DNS (Domain Name System) Tutorial @ IETF-70 (DNS for protocol designers) lafur Gumundsson OGUD consulting Peter Koch DENIC eG 2007-12-02 DNS Tutorial @ IETF-70 1 ogud@ogud.com &amp; pk@denic.de Tutorial Overview Goal: Give

736 views • 54 slides
Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
Encapsulation End-to-End Argument Source Transport Saltzer, Reed &amp; Clark, 1981 src &amp;

Encapsulation End-to-End Argument Source Transport Saltzer, Reed &amp; Clark, 1981 src &amp;

Encapsulation End-to-End Argument Source Transport Saltzer, Reed &amp; Clark, 1981 src &amp; dst ports + Network src &amp; dst IP addresses + message M Application src &amp; dst MAC addresses Link segment H T M Transport datagram H N

354 views • 6 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang Presenter: Zhou Li (UC Irvine EECS) 1 DNS Resolution

496 views • 34 slides

More recommend