[00:00:09] Next presentation is "Why can't users choose their identity providers on the web?" Hi, I'm Kevin and I work at Orange and [inaudible]; we are delighted to be here. So I will present a study on OAuth and related data on identity providers used on the web, and the idea is to find why you can't choose the identity provider you trust on the web. So first the problem statement, then a presentation of the study, and our solution, or a part of the solution.

[00:00:50] So, as explained yesterday, in WebRTC the signaling goes through a signaling server, and the signaling server can set up a man-in-the-middle attack. To solve that, WebRTC proposes to use identity providers in the signaling loop to resolve the issue of untrusted servers. The idea is to add an identity assertion in the Session Description Protocol offer that will assert the fingerprint of the user, so they can both be authenticated without trusting any servers. But on the web, selecting an IdP is a choice issue: the web service, the website that implements social login options, implements really a few of them, often one or two, maybe three, and so the users are faced with a dilemma: either trust an IdP that is imposed on them, among a really restricted number of choices, or create yet another account, with the issues we know such as password fatigue or a drop in security. So choosing a trusted IdP is impossible.

[00:02:05] So what's the privacy issue in that? If you consider the WebRTC identity use case: the user first logs on a website, chooses to use the social login option, and then the website initiates the WebRTC connection by using the same identity provider. Then the identity assertion is transmitted to the other user, and the other user's browser will instantiate the component called IdP proxy, which will validate the identity assertion, and this allows the identity provider to learn that two users are having a call together. So this is useful information, basically: the identity provider is now participating in the call establishment and knows the same information as the WebRTC service provider, so they know the user's call log, when they are calling and to whom. And regarding the type of warning the user gets, the only warning they get is related to the sharing of the camera, so they may not be aware that the identity providers are getting information about the calls.

[00:03:26] So, like I said, the IdP can learn the user's call log, and the user should be able to use a trusted IdP, but the implementation on websites is limiting the choices. So on the other hand, if the user could choose the IdP, what would be required for it to be possible? The first point is that the IdP and the website must be compatible. Using OAuth 2, the website must be registered on the identity provider so that the website can authenticate to the identity provider, and in some situations the website may need to trust the IdP regarding the type of data, the level of authentication, the security, or the identity information that are provided.

[00:04:24] So why is it impossible for the user to choose their IdP? We have three research questions. The first one is that maybe the service requires specialized APIs, specialized data, so that any identity provider cannot be used. The second research question is that maybe the identity providers do not implement dynamic registration that would allow the plug-in of any identity provider on any website. And finally, maybe there is just a trust issue between websites and identity providers.

[00:05:02] So to answer these questions we did a study trying to find which type of data are requested by websites, and if websites really require specialized data (I will define it later) or if they require basic authentication that is just an affirmation of the user identity. If you use social login you may notice this type of pattern where the identity provider is requesting the user to authorize the website to access some information, in some cases between different scenarios. So on the right you have GitHub asking authorization to share with Mozilla Developer Network, and on the left a Facebook use case. In this case the implicit authentication is common between the two, some profile information are also common, but for instance on Facebook the website is asking to access the friend list, and this is obviously not available on GitHub, so in this case GitHub could not be used by the website on the left. So this is the kind of specialized data that would block any website from using any identity provider.

[00:06:18] So in the paper we categorize the type of data that are accessed in three different levels: authentication, which is just a proof of authentication, maybe just implicit, and an identifier; profile data, which we define as being equivalent to what is defined in OpenID Connect; and any other type of data, which we call specialized. So in our study we tried to collect the OAuth 2 request URLs, and these are interesting data because they contain the identity provider, the client website that is making the request, also available with a human-readable name, and of course the type of data that are requested.

[00:07:07] So we took 500 websites and tried to use any social login option that was present, and then collected the OAuth requests. Our results: on the left you have... we made a double classification, because on some websites there are different login options, sometimes only one, and we have a double classification of the minimal type of data that are requested and the maximal type of data. For instance, in some cases the website includes Google and Facebook, and on Facebook the website is requesting a lot of data, friend list and more information, and on Google they did not implement the Google API, so just requesting the user identifier and proof of authentication. So on the left, in blue, it's only one type of service, and then you have the authentication, profile and specialized class. So first, this shows that some websites don't need specialized data because it functions, in this case, with the profile. And the specialized ones: it shows that the website is requesting only minimal profile data, so just a username and some small information that is not really compromising user privacy, but it is also using, with another identity provider, a lot more compromising data. And also this kind of "only specialized" is the type of website that will not be compatible with any identity provider because they require really specialized data to work, for instance GitHub, cloud, or the kind of data that will not be accessible from any identity provider. So in total we have 58 percent of the websites in our study that are at least compatible with authentication or profile data. So it shows that, concerning the first research question, the majority of websites could let users choose the identity provider from this point of view.

[00:09:19] We also looked at whether dynamic registration, which is also possible with OpenID Connect, is implemented. So in our data we have 500 websites, from which we found [inaudible] relying parties, so websites that are using identity providers, in total 23 identity providers, and of those only 5 were implementing OpenID Connect, only 3 with accessible metadata, and none of these metadata were concerned with dynamic client registration. So, clearly, dynamic registration and discovery is not at all implemented by major identity providers.

[00:10:05] And finally, do websites require trust from the IdP? We have an example, for instance France Connect, which is kind of a trusted federation of identity providers for French services, and basically the bottom line is that the websites that would use France Connect expect some level of trust regarding the user identity, and so the website will not be able to use any identity provider. So can we find some example of this in the wild? We looked at the collected data and we found no example of explicit trust: scopes that would have some meaning of trust, some type of data that would be trusted by the website requesting them. So the hypothesis is that this result is, first, that the relation between the website and the identity provider is invisible from a technical point of view, and probably due to agreements or conditions of use, and we didn't study that part.

[00:11:14] And our solution to the dynamic registration problem: we had three research questions, and we found that dynamic registration may be an issue for users to choose the identity provider. But on WebRTC, the identity solution allows identity provider discovery without requiring registration, the client here being the website. So we propose a web-browser-based identity management. At the moment it's a prototype, a Firefox extension, and the website only puts a connect button on the website instead of all the social login options, and the user can then use that button to call an API on the web browser that will display a pop-up and allow the user to choose any identity provider that it may have previously registered [inaudible]. So when you select an identity, it then calls the identity provider, which provides a JSON Web Token with the user identity and its proof of authentication. So we reuse the WebRTC authentication mechanism, and basically we think that if this small identity mechanism is used in the wild, it could be used more largely for more identity management stuff also.

[00:12:34] And it's not in the paper, but we found it afterwards: there is a Web Payments Working Group at the W3C and they are working on a similar solution but for web payment. Basically the user configures some payment provider in the browser, and then the website can call an API on the browser to basically do the same flow as we did with identity management and authentication.

[00:13:00] So in conclusion, users could [inaudible] choose the identity provider on websites on the Internet; basically, in our observation, it's not related to the type of data that the websites are requesting from identity providers but more to the technical connection between identity providers and websites, and our solution could help solve this issue. So thank you.

[Applause]
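The two measurements the talk describes, classifying an OAuth 2 authorization request into the authentication / profile / specialized levels and checking an OpenID Connect discovery document for dynamic client registration, can be reproduced with a short script. The following is an added example, not the speaker's or the paper's own code. The sample authorization URLs and discovery documents are constructed, and the table mapping provider-specific scope names (Facebook, GitHub, Google) onto the OpenID Connect vocabulary is an assumption made for the example; extend it when classifying real captures.

```python
import re
from urllib.parse import urlparse, parse_qs

# Ordered from least to most data exposed, as in the study's three levels.
LEVELS = ["authentication", "profile", "specialized"]

# OpenID Connect standard scopes that only carry UserInfo profile claims.
# Assumption: this is what the talk means by "profile" (equivalent to OIDC).
OIDC_PROFILE_SCOPES = {"profile", "email", "address", "phone"}

# Provider-specific scope names mapped onto the OIDC vocabulary.
# Constructed mapping for this example; anything not listed here and not an
# OIDC scope is treated as specialized data.
SCOPE_ALIASES = {
    "public_profile": "profile",   # Facebook
    "user:email": "email",         # GitHub
    "read:user": "profile",        # GitHub
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
    "https://www.googleapis.com/auth/userinfo.email": "email",
}

def parse_authorization_request(url):
    """Extract IdP host, client_id, redirect_uri and requested scopes
    from an OAuth 2 authorization request URL (space- or comma-separated)."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    raw_scope = query.get("scope", [""])[0]
    scopes = [s for s in re.split(r"[\s,]+", raw_scope.strip()) if s]
    return {
        "idp": parts.hostname,
        "client_id": query.get("client_id", [None])[0],
        "redirect_uri": query.get("redirect_uri", [None])[0],
        "scopes": scopes,
    }

def classify_scopes(scopes):
    """Return the highest level of data requested by a list of scopes."""
    normalized = {SCOPE_ALIASES.get(s, s) for s in scopes}
    normalized.discard("openid")          # openid alone is just authentication
    if not normalized:
        return "authentication"           # implicit or identifier-only login
    if normalized <= OIDC_PROFILE_SCOPES:
        return "profile"
    return "specialized"

def classify_site(request_urls):
    """Double classification of one website: (minimal, maximal) level
    across all the social login options it offers."""
    levels = [classify_scopes(parse_authorization_request(u)["scopes"])
              for u in request_urls]
    ranks = sorted(LEVELS.index(level) for level in levels)
    return LEVELS[ranks[0]], LEVELS[ranks[-1]]

def supports_dynamic_registration(discovery_doc):
    """OIDC Discovery metadata advertises dynamic client registration
    through the optional registration_endpoint field."""
    return bool(discovery_doc.get("registration_endpoint"))

# Constructed sample: one website offering three social login options.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/v2.8/dialog/oauth?client_id=123456"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb"
    "&scope=public_profile,email,user_friends&response_type=code",
    "https://github.com/login/oauth/authorize?client_id=abcdef"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&scope=user:email",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=xyz"
    "&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb",
]

# Constructed discovery documents (issuer hosts are placeholders).
SAMPLE_DISCOVERY_WITH_REGISTRATION = {
    "issuer": "https://idp-a.example.test",
    "authorization_endpoint": "https://idp-a.example.test/authorize",
    "registration_endpoint": "https://idp-a.example.test/register",
}
SAMPLE_DISCOVERY_WITHOUT_REGISTRATION = {
    "issuer": "https://idp-b.example.test",
    "authorization_endpoint": "https://idp-b.example.test/authorize",
}

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        req = parse_authorization_request(url)
        print(req["idp"], req["client_id"], req["scopes"],
              "->", classify_scopes(req["scopes"]))
    print("site (min, max):", classify_site(SAMPLE_REQUESTS))
    for doc in (SAMPLE_DISCOVERY_WITH_REGISTRATION,
                SAMPLE_DISCOVERY_WITHOUT_REGISTRATION):
        print(doc["issuer"], "dynamic registration:",
              supports_dynamic_registration(doc))
```

On the constructed sample the Facebook option is classified as specialized (because of `user_friends`), the GitHub option as profile and the Google option as authentication, so the site's double classification is (authentication, specialized): it could work with any IdP that offers plain authentication, which is the point the talk makes about the 58 percent figure. The discovery check only looks for the `registration_endpoint` field; a provider whose metadata lacks it cannot accept a client that was never registered out of band.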