Gluu Blog


Know Identity Conference Wrap-up and Decentralized Identity Panel notes

Mike S. March 30, 2018

I just got back from the Know Identity conference, where I moderated a panel on decentralized identity. Before I forget what happened, I thought it would be a good idea to write down some observations and notes.

The conference is attended by quite a number of identity gurus. Dave Birch and Steve Wilson did a fantastic job emceeing. And OWI made managing a large conference look easy. Next year it will be in Las Vegas, and I definitely recommend attending.

As is to be expected these days, there was quite a lot of chatter about blockchain and decentralized identity in various forms. There was a very interesting keynote by Scott Galloway, who gave away some free copies of The Four: The Hidden DNA of Amazon, Apple, Facebook, and Google, which I read on my plane ride home. The book is highly relevant and somewhat disturbing to an open source / DIY advocate like myself. The fact that having the latest iPhone is “sexier” than sporting an old Android phone with a spider-webbed screen was utterly lost on me until I read this book. Thanks Scott! I’m now enlightened.

On a more serious note, I was impressed by several authentication startups, including Privakey, NuID, Status Identity, and Hizeez. I’m hoping to see Gluu Server authentication interception scripts and Credential Manager plugins for all the above soon.

Margaret Weichert, Deputy Director for Management at the White House’s Office of Management and Budget, gave the closing keynote. I thought of a great question to ask her, but unfortunately, there wasn’t time: “What is the OMB’s position on strong encryption?” I’m always interested to hear if government people think we can roll back the clock on strong encryption. Realistically, you can’t have freedom without privacy. And today, you can’t have privacy without strong encryption.

Below is a summary of the materials from the panel I hosted. Sorry, no minutes! I was listening, not taking notes. Please add comments to this blog if you were there to let me know any insights that you might have gleaned from the conversation.

Building Standards for Decentralized Identity

Moderator

  • Michael Schwartz, Gluu Founder / CEO

Panelists

  • Paul Grassi, SVP of Cybersecurity & Identity at Easy Dynamics
  • Rajiv Dholakia, VP Products at Nok Nok Labs
  • Drummond Reed, Chief Trust Officer at Evernym
  • George Fletcher, Identity Architect at Oath, a Verizon company

Centralized cloud identity has peaked. Distributed ledgers, decentralized identifiers, and verifiable claims have made sovereign identity possible. The benefits to people are overwhelming, especially with regard to privacy, control of data, and fraud reduction. Three standard technologies in particular stand out as enablers of this new digital identity infrastructure: (1) OpenID Connect, an OAuth-based federated identity layer; (2) Sovrin, an advanced distributed ledger technology; (3) FIDO, a standards-based cryptographic authentication protocol. This session will provide an overview of each of these technologies as well as references to open source software that can be deployed today to put them to work.

Questions

  • How does OpenID enable decentralized identity?
  • How does FIDO enable decentralized identity?
  • How does Sovrin enable decentralized identity?
  • How do these identity standards enable privacy?

Decentralized Identity Standards you need to know about

  • FIDO U2F, FIDO Alliance
  • FIDO UAF, FIDO Alliance
  • W3C Web Authentication, W3C
  • OAuth, IETF
  • OpenID Connect, OpenID Foundation
  • UMA, Kantara Initiative
  • OTTO, Kantara Initiative
  • Sovrin, Sovrin Foundation
  • Verifiable Claims, W3C
  • DID, W3C
  • DID Auth, W3C
  • DKMS, W3C

Infographic

Email discussion of the infographic before the panel

George Fletcher:

I think OpenID is a lot more than just associating a given device with
a given user. You could go so far as to say it is also "Prove
something about you"; it's just that the "proof" is done in a different
way and the trust needed to accept the "proof" is also different.

I also believe there is just as much an "association" concept in
self-sovereign in that a Verifier will want to look at the device
attributes associated with the verified claims as another feature in
the Verifier's risk system.

Another possible label for OpenID Connect is... "Prove it's the same
you". Note that OIDC is just as viable for mobile apps and rich
desktop apps as for browsers.

Mike Schwartz:

I totally agree that OpenID and Sovrin could certainly both be
resolved to: "prove something about you" (the id_token is an
assertion just as much as a verifiable claim).

And certainly my diagram is a vast over-simplification of OpenID
Connect :)

Still, the most common application of federation protocols is
browser-sso. With the advent of AppAuth for mobile-sso, it's
mainstream even for mobile apps to leverage the browser. Could a
profile of OAuth get rid of the "redirect" for user
authentication... I guess so. I'm trying to present OpenID in 60
seconds, so I'm going to have to simplify somewhere!

I'm not sure I agree with the idea that OpenID Connect is "prove
it's the same you". The website is able to correlate you with a
previous session using either a pairwise or public identifier.
But that information is released post-authentication. And the
OpenID specs are about communication between the OAuth client
and authorization server (IDP)--how the server knows it's you
(other than correlating you with a previously authenticated
session), is out of scope.
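
The pairwise and public identifiers mentioned in the email thread, as an added example that is not part of the original emails or of Gluu's code. It sketches one way an OpenID Provider can derive a pairwise `sub` along the lines of OpenID Connect Core section 8.1 (sector identifier, local account ID and a secret salt), here using HMAC-SHA256 keyed with the salt; the salt, account ID and redirect URIs are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample value; a real OP keeps this secret and stable.
OP_SALT = b"constructed-demo-salt-not-for-production"


def sector_identifier(redirect_uris):
    """Host shared by all of a client's redirect URIs (its 'sector')."""
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        # OIDC expects a sector_identifier_uri when hosts differ;
        # this sketch refuses to guess instead.
        raise ValueError("redirect URIs must share exactly one host")
    return hosts.pop()


def subject_for(local_account_id, redirect_uris, subject_type="pairwise"):
    """Return the 'sub' value the OP would place in the id_token."""
    if subject_type == "public":
        return local_account_id  # identical at every relying party
    if subject_type != "pairwise":
        raise ValueError("unknown subject_type")
    # NUL separator keeps (sector, account) pairs unambiguous.
    msg = "\x00".join([sector_identifier(redirect_uris), local_account_id])
    return hmac.new(OP_SALT, msg.encode(), hashlib.sha256).hexdigest()


def can_link(sub_seen_by_a, sub_seen_by_b):
    """Two relying parties can join their user records only on equal 'sub'."""
    return hmac.compare_digest(sub_seen_by_a, sub_seen_by_b)


if __name__ == "__main__":
    shop = ["https://shop.example/callback"]
    news = ["https://news.example/cb", "https://news.example/cb2"]
    account = "acct-1001"  # constructed local account ID
    for kind in ("public", "pairwise"):
        a = subject_for(account, shop, kind)
        b = subject_for(account, news, kind)
        print(kind, "linkable across sites:", can_link(a, b))
```

With either subject type the same relying party sees a stable `sub` across sessions; only the pairwise type prevents two relying parties from joining their records on it.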


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.