Re: Proof of Concept: Identity Credentials Login

On 10 June 2014 08:02, Tim Holborn <timothy.holborn@gmail.com> wrote:

> I’m really, super impressed with it…
>
> Obviously, it's early days…
>
> Melvin, I was wondering how your web-credits identifiers will link?
>

Web credits is an IOU between 2 URIs.  It's agnostic to authentication, so
any authentication system can be plugged in.


>
> timh.
>
> On 10 Jun 2014, at 3:49 pm, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
> FYI
>
> ---------- Forwarded message ----------
> From: Manu Sporny <msporny@digitalbazaar.com>
> Date: 10 June 2014 06:25
> Subject: Proof of Concept: Identity Credentials Login
> To: Web Payments CG <public-webpayments@w3.org>
>
>
> TL;DR: There is now an open source demo of credential-based login
> for the Web. We think it’s better than Persona, WebID+TLS, and
> OpenID Connect. If we can build enough support for Identity
> Credentials over the next year, we’d like to standardize it via
> the W3C.
>
> This is a text-only version of the original blog post, which can be found
> here:
>
> http://manu.sporny.org/2014/identity-credentials/
>
> Identity Credentials and Web Login
>
>    In a [1]previous blog post, I outlined the need for a better login
>    solution for the Web and why Mozilla Persona, WebID+TLS, and
>    OpenID Connect currently don’t address important use cases that
>    we’re considering in the Web Payments Community Group. The blog
>    post contained a proposal for a new login mechanism for the Web
>    that was simultaneously more decentralized, more extensible,
>    enabled a level playing field, and was more privacy-aware than the
>    previously mentioned solutions.
>
>    In the private conversations we have had with companies large and
>    small, the proposal was met with a healthy dose of skepticism and
>    excitement. There was enough excitement generated to push us to
>    build a proof-of-concept of the technology. We are releasing this
>    proof-of-concept to the Web today so that other technologists can
>    take a look at it. It’s by no means done, there are plenty of bugs
>    and security issues that we plan to fix in the next several weeks,
>    but the core of the idea is there and you can try it out.
>
> The Demo
>
>    The demonstration that we’re releasing today is a proof-of-concept
>    asserting that we can have a unified, secure identity and login
>    solution for the Web. The technology is capable of storing and
>    transmitting your identity credentials (email address, payment
>    processor, shipping address, driver’s license, passport, etc.)
>    while also protecting your privacy from those that would want to
>    track and sell your online browsing behavior. It is in the same
>    realm of technology as Mozilla Persona, WebID+TLS, and OpenID
>    Connect. Benefits of using this technology include:
>      * Solving the [2]NASCAR login problem in a way that greatly
>        increases identity provider competition.
>      * Removing the need for usernames and passwords when logging
>        into 99.99% of the websites that you use today.
>      * Auto-filling information that you have to repeat over and over
>        again (shipping address, name, email, etc.).
>      * Solving the NASCAR payments problem in a way that greatly
>        increases payment processor competition.
>      * Storage and transmission of credentials, such as email
>        addresses, driver’s licenses, and digital passports, via the
>        Web that cryptographically prove that you are who you say you
>        are.
>
>    The demonstration is based on the [3]Identity Credentials
>    technology being developed by the [4]Web Payments Community Group
>    at the [5]World Wide Web Consortium. It consists of an ecosystem
>    of four example websites. The purpose of each website is explained
>    below:
>
>   Identity Provider (identus.org)
>
>    The Identity Provider stores your identity document and any
>    information about you including any credentials that other sites
>    may issue to you. This site is used to accomplish several things
>    during the demo:
>      * Create an identity.
>      * Register your identity with the Login Hub.
>      * Generate a verified email credential and store it in your
>        identity.
>
>   Login Hub (login-hub.com)
>
>    This site helps other websites discover your identity provider in
>    a way that protects your privacy from both the website you’re
>    logging into as well as your identity provider. Eventually the
>    functionality of this website will be implemented directly in
>    browsers, but until that happens, it is used to bootstrap the
>    discovery of and login/credential transmission process for the
>    identity provider. This site is used to do the following things
>    during the demo:
>      * Register your identity, creating an association between your
>        identity provider and the email address and passphrase you use
>        on the login hub.
>      * Login to a website.
>
>   Credential Issuer (credential.club)
>
>    This site is responsible for verifying information about you like
>    your home address, driver’s license, and passport information.
>    Once the site has verified some information about you, it can
>    issue a credential to you. For the purposes of the demonstration,
>    all verifications are simulated and you will immediately be given
>    a credential when you ask for one. All credentials are digitally
>    signed by the issuer which means their validity can be proven
>    without the need to contact the issuer (or be online). This site
>    is used to do the following things during the demo:
>      * Login using an email credential.
>      * Issue other credentials to yourself like a business address,
>        proof of age, driver’s license, and digital passport.
>
>   Single Sign-On Demo
>
>    The single sign-on website, while not implemented yet, will be
>    used to demonstrate the simplicity of credential-based login. The
>    sign-on process requires you to click a login button, enter your
>    email and passphrase on the Login Hub, and then verify that you
>    would like to transmit the requested credential to the single
>    sign-on website. This website will allow you to do the following
>    in a future demo:
>      * Present various credentials to log in.
>
> How it Works
>
>    The demo is split into four distinct parts. Each part will be
>    explained in detail in the rest of this post. Before you try the
>    demo, it is important that you understand that this is a
>    proof-of-concept. The demo is pretty easy to break because we
>    haven’t spent any time polishing it. It’ll be useful for
>    technologists that understand how the Web works. It has only been
>    tested in Google Chrome, versions 31 – 35. There are glaring
>    security issues with the demo that have solutions which have not
>    been implemented yet due to time constraints. We wanted to publish
>    our work as quickly as possible so others could critique it early
>    rather than sitting on it until it was “done”. With those caveats
>    clearly stated up front, let’s dive in to the demo.
>
>   Creating an Identity
>
>    The first part of the demo requires you to [6]create an identity
>    for yourself. Do so by clicking the link in the previous sentence.
>    Your short name can be something simple like your first name or a
>    handle you use online. The passphrase should be something long and
>    memorable that is specific to you. When you click the Create
>    button, you will be redirected to your new identity page.
>
>    Note the text displayed in the middle of the screen. This is your
>    raw identity data in [7]JSON-LD format. It is a machine-readable
>    representation of your credentials. There are only three pieces of
>    information in it in the beginning. The first is the JSON-LD
>    @context value, https://w3id.org/identity/v1, which tells machines
>    how to interpret the information in the document. The second is
>    the id value, which is the location of this particular identity on
>    the Web. The third is the sysPasswordHash, which is just a bcrypt
>    hash of your login password to the identity website.
>
>   Global Web Login Network
>
>    Now that you have an identity, you need to register it with the
>    global Web login network. The purpose of this network is to help
>    map your preferred email address to your identity provider. Keep
>    in mind that in the future, the piece of software that will do
>    this mapping will be your web browser. However, until this
>    technology is built into the browser, we will need to bootstrap
>    the email to identity document mapping in another way.
>
>    The way that both Mozilla Persona and OpenID do it is fairly
>    similar. OpenID assumes that your email address maps to your
>    identity provider. So, an OpenID login name of joe@gmail.com
>    assumes that gmail.com is your identity provider. Mozilla Persona
>    went a step further by saying that if gmail.com wouldn’t vouch for
>    your email address, that they would. So Persona would first check
>    to see if gmail.com spoke the Persona protocol, and if it didn’t,
>    the burden of validating the email address would fall back to
>    Mozilla. This approach put Mozilla in the unenviable position of
>    running a lot of infrastructure to make sure this entire system
>    stayed up and running.
>
>    The Identity Credentials solution goes a step further than Mozilla
>    Persona and states that you are the one that decides which
>    identity provider your email address maps to. So, if you have an
>    email address like bob@gmail.com, you can use yahoo.com as your
>    identity provider. You can probably imagine that this makes the
>    large identity providers nervous because it means that they’re now
>    going to have to compete for your business. You have the choice of
>    who is going to be your identity provider regardless of what your
>    email address is.
>
>    So, let’s register your new identity on the global web login
>    network. Click the text on the screen that says “Click here to
>    register”. That will take you to a site called login-hub.com. This
>    website serves two purposes. The first is to map your preferred
>    email address to your identity provider. The second is to protect
>    your privacy as you send information from your identity provider
>    and send it to other websites on the Internet (more on this
>    later).
>
>    You should be presented with a screen that asks you for three
>    pieces of information. Your preferred email address, a passphrase,
>    and a verification of that passphrase. When you enter this
>    information, it will be used to do a number of things. The first
>    thing that will happen is that a public/private keypair will be
>    generated for the device that you’re using (your web browser, for
>    instance). This key will be used as a second factor of
>    authentication in later steps in this process. The second thing
>    that will happen is that your email address and passphrase will be
>    used to generate a query token, which will be later used to query
>    the decentralized [8]Telehash-based identity network. The third
>    thing that will happen is that your query token to identity
>    document mapping will be encrypted and placed onto the Telehash
>    network.
>
>   The Decentralized Database (Telehash)
>
>    We could spend an entire blog post itself on Telehash, but the
>    important thing to understand about it is that it provides a
>    mechanism to store data in a decentralized database and query that
>    database at a later time for the data. By storing this query token
>    and query response in the decentralized database, it allows us to
>    find your identity provider mapping regardless of which device
>    you’re using to access the Web and independent of who your email
>    provider is.
>
>    In fact, note that I said that you use your “preferred email
>    address” above? It doesn’t need to be an email address, it could
>    be a simple string like “Bob” and a unique passphrase. Even though
>    there are many “Bob”s in the world, the likelihood that they’d use
>    the same 20+ character passphrase is low and therefore one
>    could use just a first name and a complex passphrase. That said,
>    we’re suggesting that most non-technical people use a preferred
>    email address because most people won’t understand the dangers of
>    SHA-256 collisions on username+passphrase combinations like
>    sha256(“Bob” + “password”). In addition to this aside, the
>    decentralized database solution doesn’t need to be Telehash. It
>    could just as easily be a decentralized ledger like Namecoin or
>    Ripple.
>
>    Once you have filled out your preferred email address and
>    passphrase, click the Register button. You will be sent back to
>    your identity provider and will see two new pieces of information.
>    The first piece of information is sysIdpMapping, which is the
>    decentralized database query token (query) and
>    passphrase-encrypted mapping (queryResponse). The second piece of
>    information is sysDeviceKeys, which is the public key associated
>    with the device that you registered your identity through and
>    which will be used as a second factor of authentication in later
>    versions of the demo. The third piece of information is
>    sysRegistered, which is an indicator that the identity has been
>    registered with the decentralized database.
>
>   Acquiring an Email Credential
>
>    At this point, you can’t really do much with your identity since
>    it doesn’t have any useful credential information associated with
>    it. So, the next step is to put something useful into your
>    identity. When you create an account on most websites, the first
>    thing the website asks you for is an email address. It uses this
>    email address to communicate with you. The website will typically
>    verify that it can send and receive an email to that address
>    before fully activating your account. You typically have to go
>    through this process over and over again, once for each new site
>    that you join. It would be nice if an identity solution designed
>    for the Web would take care of this email registration process for
>    you. For those of you familiar with Mozilla Persona, this approach
>    should sound very familiar to you.
>
>    The Identity Credentials technology is a bit different from
>    Mozilla Persona in that it enables a larger number of
>    organizations to verify your email address than just your email
>    provider or Mozilla. In fact, we see a future where there could be
>    tens, if not hundreds, of organizations that could provide email
>    verification. For the purposes of the demo, the Identity Provider
>    will provide a “simulated verification” (aka fake) of your email
>    address. To get this credential, click on the text that says
>    “Click here to get one”.
>
>    You will be presented with a single input field for your email
>    address. Any email address will do, but you may want to use the
>    preferred one you entered earlier. Once you have entered your
>    email address, click “Issue Email Credential”. You will be sent
>    back to your identity page and you should see your first
>    credential listed in your JSON-LD identity document beside the
>    credential key. Let’s take a closer look at what constitutes a
>    credential in the system.
>
>    The EmailCredential is a statement that a 3rd party has done an
>    email verification on your account. Any credential that conforms
>    to the Identity Credentials specification is composed of a set of
>    claims and a signature value. The claims tie the information that
>    the 3rd party is asserting, such as an email address, to the
>    identity. The signature is composed of a number of fields that can
>    be used to cryptographically prove that only the issuer of the
>    credential was capable of issuing this specific credential. The
>    details of how the signature is constructed can be found in the
>    [9]Secure Messaging specification.
>
>    Now that you have an email credential, you can use it to log into
>    a website. The next demonstration will use the email credential to
>    log into a credential issuer website.
>
> Credential-based Login
>
>    Most websites will only require an email credential to log in.
>    There are other sites, such as ecommerce sites or high-security
>    websites, that will require a few more credentials to successfully
>    log in or use their services. For example, an ecommerce site might
>    require your payment processor and shipping address to send you
>    the goods you purchased. A website that sells local wines might
>    request that you provide a credential proving that you are above
>    the required drinking age in your locality. A travel website might
>    request your digital passport to ease your security clearing
>    process if you are traveling internationally. There are many more
>    types of speciality credentials that one may issue and use via the
>    Identity Credentials technology. The next demo will entail issuing
>    some of these credentials to yourself. However, before we do that,
>    we have to login to the credential issuer website using our newly
>    acquired email credential.
>
>    Go to the [10]credential.club website and click on the “Login”
>    button. This will immediately send you to the login hub website
>    where you had previously registered your identity. The request
>    sent to the login hub by credential.club will effectively be a
>    request for your email credential. Once you’re on login-hub.com,
>    enter your preferred email address and passphrase and then click
>    “Login”.
>
>    While you were entering your email address and passphrase, the
>    login-hub.com page connected to the Telehash network and readied
>    itself to send a query. When you click “Login”, your email address
>    and passphrase are SHA-256'd and sent as a query to the Telehash
>    network. Your identity provider will receive the request and
>    respond to the query with an encrypted message that will then be
>    decrypted using your passphrase. The contents of that message will
>    tell the login hub where your identity provider is holding your
>    identity. The request for the email credential is then forwarded
>    to your identity provider. Note that at this point your identity
>    provider has no idea where the request for your email credential
>    is coming from because it is masked by the login hub website. This
>    masking process protects your privacy.
>
>    Once the request for your email credential is received by your
>    identity provider, a response is packaged up and sent back to
>    login-hub.com, which then relays that information back to
>    credential.club. Once credential.club receives your email
>    credential, it will log you into the website. Note at this point
>    that you didn’t have to enter a single password on the
>    credential.club website, all you needed was an email credential to
>    log in. Now that you have logged in, you can start issuing
>    additional credentials to yourself.
>
> Issuing Additional Credentials
>
>    The previous section introduced the notion that you can issue many
>    different types of credentials. Once you have logged into the
>    credential.club website, you may now issue a few of these
>    credentials to yourself. Since this is a demonstration, no attempt
>    will be made to verify those credentials by a 3rd party. The
>    credentials that you can issue to yourself include a business
>    address, proof of age, payment processor, driver’s license, and
>    passport. You may specify any information that you’d like to
>    specify in the input fields to see how the credential would look
>    if it held real data.
>
>    Once you have filled out the various fields, click the blue button
>    to issue the credential. The credential will be digitally signed
>    and sent to your identity provider, which will then show you the
>    credential that was issued to you. You have a choice to accept or
>    reject the credential. If you accept the credential, it is written
>    to your identity.
>
>    You may repeat this process as many times as you would like. Note
>    how the passport credential has an issued-on date as well as an
>    expiration date, demonstrating that credentials can have a time
>    limit associated with them.
>
> Known Issues
>
>    As mentioned throughout this post, this demonstration has a number
>    of shortcomings and areas that need improvement, among them are:
>      * Due to a lack of time, we didn’t set up our own HTTPS Telehash
>        seed. Since we didn’t set up the HTTPS Telehash seed, we
>        couldn’t run login-hub.com secured by TLS due to security
>        settings in most web browsers related to WebSocket
>        connections. Not using TLS results in a gigantic
>        man-in-the-middle attack possibility. A future version will,
>        of course, use both TLS and HSTS on the login-hub.com website.
>      * The Telehash query/response database isn’t decentralized yet.
>        There are a number of complexities associated with creating a
>        decentralized storage/query network, and we haven’t decided on
>        what the proper approach should be. There is no reason why the
>        decentralized database couldn’t be Namecoin or Ripple-based,
>        and it would probably be good if we had multiple backend
>        databases that supported the same query/response protocol.
>      * We don’t check digital signatures yet, but will soon. We were
>        focused on the flow of data first and ensuring security
>        parameters were correct second. Clearly, you would never want
>        to run such a system in production, but we will improve it
>        such that all digital signatures are verified.
>      * We do not use the public/private keypair generated in the
>        browser to limit the domain and validity length of credentials
>        yet. When the system is productionized, implementing this will
>        be a requirement and will protect you even if your credentials
>        are stolen through a phishing attack on login-hub.com.
>      * We expect there to be many more security vulnerabilities that
>        we haven’t detected yet. That said, we do believe that there
>        are no major design flaws in the system and are releasing the
>        proof-of-concept, along with [11]source code, to the general
>        public for feedback.
>
> Feedback and Future Work
>
>    If you have any questions or concerns about this particular demo,
>    please leave them as comments on this blog post or send them as
>    comments to the [12]public-web-payments@w3.org mailing list.
>
>    Just as you logged in to the credential.club website using your
>    email credential, you may also use other credentials such as your
>    driver’s license or passport to log in to websites. Future work on
>    this demo will add functionality to demonstrate the use of other
>    forms of credentials to perform logins while also addressing the
>    security issues outlined in the previous section.
>
> References
>
>    1. http://manu.sporny.org/2014/credential-based-login/
>    2. http://indiewebcamp.com/NASCAR_problem
>    3. http://manu.sporny.org/2014/credential-based-login/
>    4. https://web-payments.org/
>    5. http://www.w3.org/Consortium/
>    6. https://identus.org/create
>    7. https://www.youtube.com/watch?v=vioCbTo3C-4
>    8. http://telehash.org/
>    9. https://web-payments.org/specs/source/secure-messaging/
>   10. https://credential.club/
>   11. https://github.com/digitalbazaar/opencred-idp
>   12. http://lists.w3.org/Archives/Public/public-webpayments/
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Identity Credentials and Web Login
> http://manu.sporny.org/2014/identity-credentials/
>

Received on Tuesday, 10 June 2014 08:13:52 UTC