Empower your security operations with the Siop Process for Security

How to create outlook signature

hi guys I'm not Sara the chairman of the open lady foundation it's really unfortunate that I can't be with you live today it's because it's like 3:00 a.m. at where I am don't you rest assured I'm going to upload this video on to my youtube channel so you can actually ask questions if you wanted to now today you're going to learn three things one my take on what is self sovereign identity and the second one is how self issued Opie we called SIOP cops with it and number three the next step so without further ado let's get into what is soft sovereign identity I will stop over the easy part identity in a community is defined as set of claims related to entity in general there are many identities power entity here you need to remember two things first there are many identities mapping to an entity in general a lot of people mistakenly think that there is only one identity per entity that is false the second often found mistake is to conflict identity and identifiers identifier is a label that uniquely identifies the entity in the set of entities so please be careful not to conflate them now the hard part self sovereign sovereign ing to merriam-webster is defined like this among them what we mean by in this context is definition one be one that exercises supreme authority within the limited sphere this limited sphere is yourself in other words with self sovereign identity you should be able to keep having you recognized by a service that is you who are coming back and also select what claims are to be provided to the service now that's harder than you may think we identity profiles tend to categorize digital identities in three buckets one my density which exists without being given by other party and that I have fundamental control on it to our identity would usually is given by somebody else but I can still use for my own purpose as well unnhhh an identity that is given by my employer or my gmail address is a good example of it in many case especially for consumer facing identity it's constructed as user centric you have the right to say how it should be used and so on however the fundamental right to the identity is on the organization and not on me it may be taken away by the whole session number three the identity which the data about me but I have no way to use it my information in the company's CRM system is an example we cannot use their identity so the choice is between my density and our identity but what if the identity you are using was our identity the current mainstream identity if they delete who a burny account he will disappear from the internet and not worry your access to the service will be denied to avoid that I need to use my identity so that I can keep presenting me as me and the service can keep recognizing me as me as long as I want it isn't an identity that will not be taken away at least completely it provides an ability for me to keep saying that it is me to the party I have relationship with without respect to what other party says typically it can be achieved by letting the service recognize me using the public key I generated to verify that I or the private key this forms the baseline of a self sovereign identity however this is not enough to build a relationship with another entity you often need to disclose some claims about you that leads to the second requirements - the self sovereign identity selective disclosure of self and third party attested claims about me it is needed to express ourselves without respect to what others say but we have to accept the fact that we don't control all the information about ourselves for example the permission to drive a certain type of vehicle is not determined by myself but it is determined by the authority you cannot change it although you may have some control over where these claims are presented and process as authentic at the same time we want to minimize the claims that are going to be disclosed depending on the context so a self sovereign identity system must allow selective disclosure of self and third party attested claims about me that actually extend to the past on the future from time to time we may want to express what we wore in the past for example Alice may want to prove that she had a computer science degree from a university park in 2001 then suppose that her University goes out of business because of carbon 19 crisis how can always prove her agree to the 32 then or suppose there was a regime changing our country and Hannes thought he was renounced now she is deathless how can she prove that she was a citizen of that country before the regime change the third requirement for south sovereign identity is that the system must allow the subject to prove that the claims were tested certain point in time in the past so to summarize self sovereign identity system must allow the subject to be independently recognized by the parties she has relationship with disclose self on third-party Assessor claims about hustle selectively and prove that the claims were tested at a certain point in time in the past now I'm coming to the second topic how high up cops with SIOP stands for self issued open ID provider open ID connect is defined in a specification called Open ID connect core 1.0 and rated specifications and in Sai appeals tired he is actually defined in Chapter 7 of this specification if you don't know oh boy these standards are used everywhere signing with Apple Google's Syene Microsoft's ie GSM a mobile connects and so on are based on Open ID Connect and is estimated to be used by over 3 billion people in addition many countries and regions are using OpenID Connect in their citizen identity platform number of transactions are also large as of last year over 94% of Microsoft Azure sign-in are performed using hot connect opener D Fabi a new profile of it is being used as the API access control standard by UK open banking and other that require a higher level API protection open early contact at its core is selective claims provision protocol what one of the claims are the proof of logging then the claim set can be used as federated login credential but as you can see it's not only the login information it can carry arbitrary set of claims that's why we call open ID connect an internet identity layer open ID connect provider can be provided by a third party or you can provide it yourself it can be on the cloud or on your local machine like your form the letter has a special name self issued upon ID provider or SIOP there are capable actors that are involved in cyber Fame work obviously me the subject is at the center and I'll be using Authenticator to authenticate myself to the SIOP it can be just your phone right and then there's an IDP or Hopi program open I the provider application which is running on your local machine like your phone or PC or Mac and then the claims provider claims provider is a party which can attest the claims about you and finally there's a relying party at which you actually subscribe to the services so these are the main actors of PSYOP framework if you look closely there are two legs in it like one is between the Rhine party and psy up here and then leg two is between SIOP and claims provider these in mind let's go into how things happens in cyber a mark in the preparation phase the first thing that happens is that styopa gets registered to the dynamic or static claims provider and then to bind your Sai up to the claims provider you need to perform aapanaadu connect authorization authentication so the SIOP as a client sends or ADC authorization authentication request to the claims provider and then claims provider asks you would you like to authorize that access and obviously I'd say yeah sure so the garage it will be granted another result access s and optionally refresh s are provided to my SIOP that's a preparation phase now in the usage phase the client first asks the sire who are you and then I will issue a user if request with access that I got in the previous phase to the clay claims provider then the claims provider returns user info as a JWT chose and that jadibooti will be included in the ID that is going to be provided to the client now when you look closely there are couple problems that need to be solved the issue number one is binding your sub in ID in to to that of laQuan especially one pairwise pseudonymous ID identifier PB ID or ephemeral identifier it's being used against the client the code which is provided by claims provider actually has to have the PP ID and the UID in the itself otherwise the client cannot verify that the party the entity that is identified in the ID is the same person as that was described in the job within it second issue is the collection minimization in the regular using find point there is no way to constrain the information that is going to be returned to the request it will be okay to cause you no filter them at SIOP if it wasn't assigned jadibooti but in this case because those values in Joad have to be verified by the client the toka is signed and therefore we cannot do the filtering at the SIOP level so the actually has been minted specifically for this particular request to achieve that we actually have to send a list of claims to the claims provider and then claims provider means the job that includes only what is being asked this time now there is no specification that achieves this right now and we are writing it as of today so if you are interested in that kind of development please come to the open and collect working group and discuss now once that's done then the Joad which is included in ID will only have what is being asked so the collection minimization can be achieved there are a bunch of to the list for psyops here I have stated six of them registering the sigh up to the claims for our provider so that Sian requests and claims to the claims provider is kind of there but it's not really well specified and most notably there isn't any specification that talks about claims minimization or collection minimization and that needs to be done and then binding that self issued identifier which is a hash of a public key and attested claim is it's okay in the case of per Animus identifier but when it comes to anonymous kind of identify it's actually not really well specified and then we have no way of testing the signing key from the past and in the case of siop we have no one at home about enabling of the key recovery also we have nothing that specifies how to provide the claims to rang parties when the SIOP is offline there's another mode in a very connect which is called distributed claims in which case it can support the the whole flying case but that's not very well defined as well and then finding that high up address can become an issue when we define this high up there was nothing like deep link so we're using custom scheme so for that as long as there's only one map which is using the custom scheme which is open ID colon slash slash the finding or discovery of SIA progress became long issue but with the reintroduction of deep links it just came back so these are the things which are not solved right now we had a society back in January 27th in Miyazaki and like almost 30 people joined there the the workshop and hashed out what is the good part and what is not was what is an anti-pattern what could be requirements on so forth and taking those but I have come up with in a basic protocol requirements there are separate operational requirements but this is just protocol requirement and I'm just missing ten of them like self issue keys and subject identifier but we are on recovery IDP discovery Parvez specification which has to happen always and consent if necessary in consent is not always necessarily it can be processed with other legal basis as well then also I have to point out that the consent is not always possible in our lifetime in the period that we can actually give the real consent is at a pretty limited and then collection minimization claims you know CP claims provider rank party and linkable de multiple trust claims providers incentives for claims providers choice of subject identifier which can be short short term meaning it can even be ephemeral just one-time or short period of time or a long time like lifetime and then PPID which stands for pairwise pseudonymous identifier or sector specific identifier omnidirectional identifier it's after your choice and then counselor kind of entity has to be there it's sometimes called in the legal sphere the libertarian paternalism and also we need to be able to leverage the existing infrastructures as much as possible so your own party has many more things to adopt these protocols and this is my evaluation of a PSYOP against this requirement some are fulfilled quite well some are not we have to bring their specifications up so that it will be fulfilling all so last week we had the first ever sci-fi told me them it is very well attended the ticket just went like crazy within two morons or so all the tickets were actually sold out about 100 people came along that was actually almost everybody registered and people from diverse background like decent Rhys identification Cantara initiative Microsoft myself but you know far as implementation came along and shared that problems in the end we decided to work together to solve these problems as quickly as we can so we are going to convene the workshops and also start working on those items in operating connect working group I think we are going to form a sub working group besides it because it's a big group now so if you're interested in finding out what's happening if you're interested in providing some inputs into these walls please come along and join the Navy foundation walking rooms it doesn't cost anything what you have to do is just agree that you don't sue their implementations here are some additional informations that you could actually use so I'm looking forward to meet you in our water group or some other venue and thank you very much for joining this session