OpenID for Verifiable Credentials is a family of protocols supporting the implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonymous authentication.
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
This presentation gives an overview on the work that is going on at OpenID Foundation in Liaison with Decentralized Identity Foundation to enable SSI applications based on OpenID Connect.
OpenID for Verifiable Credentials is the next generation of OpenID that enables issuing and presenting verifiable credentials in a decentralized manner. It uses an issuer-holder-verifier model where credentials are issued to a holder (digital wallet) and then presented to a verifier (website). This allows decoupling of issuance from presentation and reuse of credentials. OpenID for Verifiable Credentials specifications provide standards for credential issuance, presentation, and authentication that build upon OAuth 2.0 and OpenID Connect to enable a variety of decentralized identity use cases.
OpenID Connect 4 SSI aims at specifying a set of protocols based on OpenID Connect to enable SSI applications. The initiative is conducted at the OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF). One of the specifications builds on DID-SIOP from the DIF DID Auth WG and on SIOP v1 (Self-Issued OpenID Provider) as defined in OpenID Connect Core.
OpenID for Verifiable Credentials provides a standardized way to issue, present, and authenticate credentials in a decentralized manner using existing OpenID Connect standards. It defines protocols for verifiable presentations and credential issuance that leverage OAuth 2.0 security mechanisms and can support different credential formats. Implementations are planned or underway across several companies and government initiatives to support use cases like mobile driving licenses and vaccination records.
OpenID for SSI aims to specify protocols based on OpenID Connect and OAuth 2.0 to enable self-sovereign identity (SSI) applications. This initiative is conducted by the OpenID Foundation in collaboration with the Decentralized Identity Foundation. One specification builds upon the DID-SIOP and SIOPv1 standards. Using OpenID Connect allows for variety in SSI technology choices like identifiers, credentials, and cryptography while leveraging existing OpenID Connect implementations, libraries, and developer familiarity. Demonstrations show credential presentation and issuance via OIDC4SSI specifications.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver... (Torsten Lodderstedt)
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
Verifiable Credentials in Self-Sovereign Identity (SSI) (Evernym)
On our March 12, 2020 webinar, Evernym Chief Architect Daniel Hardman provided a great introduction to verifiable credentials and compared them to the physical credentials (passports, driver's licenses, loyalty cards) we use every day. He then identified six lessons we can learn from today's physical credentials and how we're applying each to the world of self-sovereign identity.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver... (Torsten Lodderstedt)
- The document discusses decentralized identity systems and verifiable credentials, and introduces OpenID for Verifiable Credentials as a standard for issuing and presenting verifiable credentials in a decentralized and interoperable way.
- OpenID for Verifiable Credentials uses existing protocols like OAuth 2.0 and OpenID Connect to build upon established security practices. It supports various credential formats, identifier methods, and trust models to accommodate different needs.
- Implementations of OpenID for Verifiable Credentials allow users to privately obtain and present verifiable credentials from multiple credential issuers to different verifiers through a digital wallet on their device or in the cloud. Standards and profiles continue to be developed to promote adoption and interoperability.
Introduction to Self Sovereign Identity - IIW October 2019 (Heather Vescent)
The document describes an internet identity workshop discussing decentralized identity models, standards, and specifications. It provides an agenda that includes introductions from three speakers and their backgrounds in decentralized identity. The vision for a global digital rail is presented, covering interoperability, cross-border functionality, and government support. Digital identity models from centralized to federated to decentralized are defined. Emerging standards for decentralized identifiers (DIDs) are explained, including DID documents, methods, authentication, and verifiable credentials. Examples from Transmute and Vivvo are mentioned, along with a Q&A session.
Hyperledger Aries: Open Source Interoperable Identity Solution – Nathan George (SSIMeetup)
https://ssimeetup.org/hyperledger-aries-open-source-interoperable-identity-solutions-nathan-george-webinar-30/
Nathan George, Sovrin Foundation CTO, and Hyperledger Contributor will explain what Hyperledger Aries is and how it will facilitate an open source infrastructure for interoperable identity solutions.
Aries was born out of the work on identity agents and identity wallets that began in the Hyperledger Indy project. Aries is, in fact, the second Hyperledger project to spin out of Hyperledger Indy. The first was Hyperledger Ursa, announced in December 2018.
Self-sovereign identity based on DIDs requires strong interoperability and pluggability at the infrastructure level. It also requires great applications that offer end-to-end functionality so that users can accomplish jobs with greater security, flexibility, and privacy. Aries is expected to be a major step forward in this direction.
Aries will be the industry’s first implementation of interoperable open source wallets for digital credentials that use the DKMS (Decentralized Key Management System) architecture that Evernym pioneered under a contract with the U.S. Department of Homeland Security.
Verifiable Credentials for Travel & Hospitality (Evernym)
In this webinar, Evernym's Jamie Smith and Andrew Tobin discuss how verifiable credentials and digital wallets can reduce fraud, automate workflows, and transform customer experiences across the travel and hospitality industries.
Self-sovereign identity (SSI) is a new identity model that gives the user control and ownership over her data.
To dive into what this means and the benefits it offers, Evernym's Andy Tobin gave a webinar on October 17, 2019 introducing the topic of self-sovereign identity and its role in transforming customer experiences and unlocking competitive advantage.
The document describes the FIDO2 specifications, which comprise WebAuthn and CTAP. WebAuthn defines a JavaScript API through which a browser-based relying party registers and authenticates users with public key credentials; CTAP (Client to Authenticator Protocol) defines how a client platform such as a browser or operating system talks to external (roaming) authenticators over transports like USB, NFC and BLE. It walks through the registration and authentication flows, in which the server stores only the credential's public key and verifies the authenticator's signature to authenticate the user, and also covers extensions, attestation, credential management, and the FIDO goals of convenience combined with strong security.
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove... (SSIMeetup)
Drummond Reed, Chief Trust Officer at Evernym, will explain in our second Webinar "Decentralized Identifiers (DIDs) - Building Block of Self-Sovereign Identity (SSI)" giving us the background on how DIDs work, where they come from and why they are important for Blockchain based Digital Identity.
This document discusses proposals for supporting the request and presentation of verifiable credentials in OpenID Connect. It presents three options for delivering verifiable credentials/presentations: 1) embedding the entire credential/presentation in a JWT claim in the ID token, 2) using aggregated or distributed claims to include the credential/presentation, or 3) using a separate "VP token" artifact containing the credential/presentation along with an ID token. The document analyzes the pros and cons of each approach and seeks feedback on the best option to pursue as well as next steps like discussing with the Connect working group and incorporating encryption.
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrencies such as Zcash, Ethereum, artificial intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and research, including four slides of references.
Peer DIDs: a secure and scalable method for DIDs that's entirely off-ledger –... (SSIMeetup)
https://ssimeetup.org/peer-dids-secure-scalable-method-dids-off-ledger-daniel-hardman-webinar-42/
Daniel Hardman, Chief Architect, Evernym / Secretary, Technical Governance Board – Sovrin Foundation will show how Peer DIDs will allow off-chain transactions for the self-sovereign identity (SSI) world.
Most documentation about decentralized identifiers (DIDs) describes them as identifiers that are rooted in a public source of truth like a blockchain, a database, a distributed filesystem, or similar. This publicness lets arbitrary parties resolve the DIDs to an endpoint and keys. It is an important feature for many use cases. However, the vast majority of relationships between people, organizations, and things have simpler requirements. When Alice(Corp|Device) and Bob want to interact, there are exactly and only 2 parties in the world who should care: Alice and Bob. Instead of arbitrary parties needing to resolve their DIDs, only Alice and Bob do. Peer DIDs are perfect in these cases. In many ways, peer DIDs are to public, blockchain-based DIDs what Ethereum Plasma or state channels are to on-chain smart contracts— or what Bitcoin’s Lightning Network is to on-chain cryptopayments. They move interactions off-chain, but offer options to connect back to a chain-based ecosystem as needed. Peer DIDs create the conditions for people, organizations, and things to have full control of their end of the digital relationships they sustain.
This 20-minute presentation introduces OAuth by defining it, explaining why it is useful, providing background, defining key terminology, outlining the workflow, and walking through a live example. It defines OAuth as a method for users to grant a third party limited access to their resources without sharing passwords. It highlights the problems with traditional client-server authentication (handing a third party your credentials gives it full, unrevocable access) and how OAuth addresses them. The presentation then covers OAuth background, terminology such as consumer and service provider (the OAuth 1.0 terms for what OAuth 2.0 calls client and authorization/resource server), the redirection-based authorization workflow, and concludes with a live example and references for further information.
Hyperledger Indy is a platform for decentralized identity and verifiable credentials. It includes Indy node, which is a permissioned blockchain node, and Indy SDK which provides APIs for issuing and verifying credentials. The Indy node uses a BFT consensus protocol and consists of Indy-plenum and Indy-node repositories. The Indy SDK includes wrappers for different programming languages and supports features like anonymous credentials, selective disclosure, and efficient revocation without using revocation lists.
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop (Kristina Yasuda)
Presentation I gave on Self-Issued OpenID Provider during the second OpenID Foundation Virtual Workshop covering:
1. What is Self-Issued OpenID Provider (SIOP) ?
2. SIOP Requirements (draft)
3. Initial discussion points deep-dive
Self-Issued OpenID Providers are personal OpenID Providers that issue self-signed ID Tokens, enabling portability of the identities among providers
Verifiable Credentials, Self Sovereign Identity and DLTs (Vasiliy Suvorov)
My talk from Crypto Valley Conference 2018 on emerging standards in Self-Sovereign Identity, Technology behind it, Overview of implementations and how to use it with blockchain and DLT systems.
FIDO U2F (Universal 2nd Factor) Specifications: Overview & Tutorial
by Jerrod Chong, Yubico
Explore how FIDO U2F works and how it is used in the world today.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
Polygon ID offers tools that allow developers to build self-sovereign, decentralized and private identity solutions for users that leverage zero-knowledge proofs. Polygon ID was released as open source in March 2023 at ETH Denver. In this presentation, Otto Mora, BD Lead for Americas, and Oleksander Brezhniev, Technical Lead at Polygon ID, cover aspects of the did:PolygonID method, including verifiable presentations leveraging ZK proofs, how the proofs are generated, credential issuance methods, and identity management features.
This document provides an overview of authentication mechanisms on Windows, including Kerberos, Active Directory, digital certificates, biometrics, and .NET identity objects. It also discusses upcoming technologies like CardSpace and OpenID that aim to improve single sign-on authentication across multiple systems and online applications. The document concludes that with the evolution of open standards, the goal of a trustworthy single sign-on experience across the web is becoming closer to reality.
The document discusses selecting authenticators for FIDO2 registration. It gives an overview of the FIDO2 registration process and the steps involved, then describes using the Authenticator Attestation GUID (AAGUID), carried in the attested credential data of the registration response, to identify the authenticator model, and obtaining additional metadata about that model from the FIDO Metadata Service (MDS). MDS entries describe authenticators, including how user verification and key protection are implemented. Selecting authenticators allows relying parties to control which device models can be used for authentication.
This document discusses OAuth2 and OpenID Connect for authentication. It begins by outlining goals of understanding OAuth, OpenID Connect concepts, and integrating them with Spring Security. It then explains key OAuth2 concepts like tokens, scopes, and flows. It describes OpenID Connect and how it builds on OAuth2 to provide authentication. It provides examples of configuring Spring Security for OAuth2 and OpenID Connect login, including registering a client and configuring the application.
Web authentication and authorization have come a long way in the last ten years. In this talk we'll look at where we've come from and how OAuth and OIDC solved the problems we faced.
Early Adopting Java WSIT - Experiences with Windows CardSpace (Oliver Pfaff)
- Java WSIT provides support for WS-* specifications and can be used to create Java-based web services and clients that are interoperable with Microsoft WCF. It supports features like reliable messaging, security, and atomic transactions.
- Windows CardSpace is a Microsoft application that helps users manage digital identities and select information cards for authentication. It aims to improve user control over personal information sharing and identity federation.
- The authors used Java WSIT to create a Security Token Service that supports Windows CardSpace, addressing challenges around user authentication across and within domains and how to represent information cards as credentials.
Public key infrastructure (PKI) uses public and private key cryptography and digital certificates to provide security services like authentication, non-repudiation, and data integrity. A PKI system uses certification authorities to validate users' identities and issue digital certificates that bind public keys to those identities. These certificates allow users to securely exchange information and digitally sign documents online through services like SSL/TLS and S/MIME. Smart cards can serve as portable devices for storing users' private keys and certificates to enable strong authentication on untrusted devices.
Public Key Infrastructure (PKI) uses public and private key cryptography to authenticate users and devices. Digital certificates, issued by a Certificate Authority (CA), bind a public key to a user's identity. In a Windows environment, enterprise CAs are integrated with Active Directory and issue certificates to domain accounts, while stand-alone CAs do not depend on Active Directory and can issue certificates to external users. Active Directory, the Windows directory service, enables single sign-on access to network resources and can also authenticate external users who have no Active Directory account.
The document outlines an agenda covering various topics related to digital identity and authentication. It discusses entity identity, assurance frameworks, the digital authentication process flow, threats/risks/controls, strong authentication methods, token and credential management standards like JWT, OAuth 2.0, OpenID Connect, FAPI, and how they relate to identity in areas like banking and payments. It provides definitions for key terms and compares authentication flows using standards like SAML, OAuth and OpenID Connect.
OpenID Connect - An Emperor or Just New Cloths? (Oliver Pfaff)
OpenID Connect is a specification that defines an identity layer on top of the OAuth 2.0 authorization framework. It allows clients to verify user identity and obtain basic profile information about the user. OpenID Connect supports common identity use cases like single sign-on and identity federation through the use of ID tokens and user info endpoints. While it is not a complete replacement for SAML, OpenID Connect provides a simpler approach that is better suited for mobile and REST-based applications compared to the XML-based SAML standard.
Microservice Protection With WSO2 Identity ServerAnupam Gogoi
- The document describes how to secure a Spring Boot microservice with OAuth 2.0 using WSO2 Identity Server as the authorization server.
- It involves creating a simple microservice with a protected resource, then configuring WSO2 IS as an OAuth server to issue access tokens. This allows the microservice to validate tokens to secure the resource.
- It also covers configuring WSO2 IS to issue JWTs instead of normal tokens, and how to obtain and use a JWT to access the protected microservice resource.
[WSO2Con EU 2018] Identity APIs is the New BlackWSO2
This presentation explores how Identity APIs have evolved over the time to cater the consumer and enterprise requirements, and real-world scenarios where tough identity challenges have been successfully tackled by using them.
The document discusses digital certificates and public key infrastructure (PKI). It describes what information is contained in X.509 certificates and how they are used to verify identities and authenticate users. It also explains how the Java keytool can be used to generate key pairs, certificates, and manage a keystore containing private keys and certificate chains. Finally, it provides examples of Java programs for printing certificate information and building a certificate authority to sign other certificates.
Profesia, Lynx Group, presenta la quinta puntata della serie di master class sulla tecnologia WSO2 di cui è Distributore esclusivo per l'Italia.
Il webinar, con la partecipazione straordinaria di WSO2, descrive come implementare nei client l'autorizzazione OAUTH2.
Scrivi a contact@profesia.it se stai pensando a una trasformazione digitale per evolvere verso un business agile
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
This document discusses authorization and authentication standards like OAuth2 and OpenID Connect and how an authorization proxy can be used to implement them on Kubernetes. It provides examples of using the authorization code flow and OpenID Connect to authenticate users and delegate access. It also discusses how authorization proxies can be used to secure access to the Kubernetes API and enable fine-grained access management with Istio.
Decentralized Identifiers (DIDs) are self-sovereign identifiers for individuals, organizations, and things that are persistent, dereferenceable, decentralized, and cryptographically verifiable identifiers registered in a blockchain or other decentralized network. There are different DID methods that must have a specification and resolver implementation. A DID document containing public keys, service endpoints, and other metadata is resolved from the DID. DIDs enable verifiable credentials and authentication through challenge-response protocols using the DID document. Standards groups are working on further developing DIDs, verifiable credentials, and rebooting the web of trust through decentralized identity.
The document provides an agenda for a WSO2 Italy Club event. It lists dates from March to July and speakers who will present on topics related to APIs, identity management, and interoperability between organizations. Matteo Bordin is featured as a speaker for March and will cover new features of WSO2 IS and APIM. Other topics included are identity federation, adaptive authentication, API security, user provisioning, and privacy consent management. The main use cases for WSO2 Identity Server are listed as identity federation, identity bridging, adaptive authentication, API security, access management, and identity analytics.
Similaire à OpenID for Verifiable Credentials (IIW 35) (20)
The European Union’s regulation on Digital Identity, eIDAS, is currently being overhauled to adopt decentralized identity principles. The goal is to provide all citizens and residents across the EU with highly secure and privacy preserving digital wallets that can be used to manage various digital credentials, from eIDs to diplomas to payment instruments. Decentralized identity principles aim at giving freedom of choice and control to the end-user. Ensuring security and interoperability, however, will be challenging — especially in the enormous scale in terms of users and use cases the EU is aiming at. The choices made in eIDAS will have a huge impact on digital identity in the EU and beyond.
The so-called “Architecture and Reference Framework” (ARF) defines the technical underpinnings of eIDAS v2. Many experts from the member states and the Commission have been working on this framework over the last year, trying to select the best combination of technologies and standards out of the enormous number available in the market today. This talk will introduce the ARF and explain what architectural patterns and technical standards are adopted and how the challenges mentioned above are addressed in order to leverage on the vision of the eIDAS v2 regulation.
GAIN is a shared vision for an interoperable global identity network to bridge existing "islands of trust". It emerged from a need to address issues like financial crime, misinformation, and privacy concerns resulting from increased anonymity and lack of control online. GAIN is guided by 5 non-profits and aims to be global in scale, technology agnostic, and built upon open standards. Its Proof of Concept community group is currently connecting identity providers and relying parties from different jurisdictions to test GAIN's technical hypotheses, such as supporting diverse identity architectures and cross-border participation, through 2022.
FAPI 1 and 2 are security and interoperability profiles for OAuth. FAPI 1 patched OAuth security issues and added features like CIBA. FAPI 2 is a simpler evolution with broader scope, covering authorization, consent management, and secure API access. It uses mechanisms like PAR, RAR, and grant management to enable rich authorization and consent workflows. FAPI 2 provides the same security protections as FAPI 1 in a more versatile manner through alternative mechanisms like DPoP and PKCE. Adoption depends on existing vendor support and use case requirements around authorization complexity and consent lifecycle management.
FAPI 1 and 2 are security and interoperability profiles for OAuth that address high security requirements. FAPI 1 patched OAuth security issues and added features like CIBA mode and conformance testing. FAPI 2 aims to be simpler to use with mechanisms like PAR and broader scope through features like RAR and grant management. While some ecosystems use FAPI 1, FAPI 2 covers additional authorization needs and fits better with OpenID Connect, though incremental adoption of FAPI 2 features with FAPI 1 is possible.
The document proposes extending OpenID Connect to support requesting and presenting W3C Verifiable Credentials in all OpenID Connect flows. It outlines the need for a standard way to do this given limitations of existing approaches. The proposal is to use existing OpenID Connect mechanisms like the "claims" parameter to request verifiable presentations, which could then be returned embedded in ID tokens or userinfo responses, or as a separate verifiable presentation token. Examples are provided and it discusses the relationship to other relevant work. The goal is to make OpenID Connect the preferred choice for obtaining and providing verifiable presentations.
This document proposes extensions to OpenID Connect to enable identity assurance and verification of identity claims. It discusses representing verification details explicitly, distinguishing verified from non-verified claims, and supporting verification across different contexts. Key concepts include attaching metadata about the verification process, trust framework, and evidence to verified claims. Requests can specify desired claims and verification attributes for privacy. The proposal aims to clarify representation of verified identity data and support use across channels while preserving privacy.
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
Rich Authorization Requests allows clients to pass fine grained authorization data in the OAuth authorization request. It's been developed based on experiences in open banking and other security sensitive areas.
Pushed authorization requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent authorization request.
OpenID Connect for Identity Assurance allows IDPs explicit attestation of verification status of
Claims (what, how, when, according to what rules, using what evidence). It's intended to be used for use cases requiring strong identity assurance, such as Anti-money Laundering, eGovernment & eSigning.
The document discusses security recommendations for OAuth SCA mode authentication in PSD2 open banking. It recommends adhering to OAuth 2.0 security best practices and using mutual TLS client authentication and certificate bound access tokens to protect against replay and authentication attacks. It also recommends measures like CSRF tokens, nonce values, and checking redirect URIs to prevent attacks like cross-site request forgery, code injection, mix-up attacks, and session fixation. Detailed checks and validations are described to secure the authorization request, response, token request and API requests in the OAuth flow.
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
The Payment Service Directive 2 (PSD2) is a huge leap forward for Open Banking as it obliges every financial institution operating in the European Union to provide APIs for Access to Account Information and Payment Initiation. The need for more then six thousand financial institutions to provide APIs caused a tremendous push forward for financial API design and accompanying authorization and authentication technologies. Based on the experiences gathered while supporting some of the PSD2 API initiatives in the context of OpenID Foundation’s FAPI working group, this talk will give an introduction to PSD2 and related technical standards, dig into some remarkable aspects of authorization for financial APIs and points out the potential impact on the future of OAuth.
The OAuth working group recently decided to discourage use of the implicit grant. But that’s just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Best Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. The code flow shall be used with PKCE only and tokens should be sender constraint to just mention a few. Development of this enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used protect and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.
The document discusses identity proofing using OpenID Connect. It provides examples of use cases that require identity verification like opening a bank account or accessing health data. It proposes representing verified identity claims in a composite JSON Web Token claim that includes metadata about the verification process and the verified claims. An example token is given that verifies a user's name, date of birth, place of birth and nationality according to a specified assurance level by referencing an existing bank verification. The document also describes how to request specific verified claims from the identity provider.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
OpenID for Verifiable Credentials (IIW 35)
1. OpenID for Verifiable Credentials
The next generation of OpenID
Kristina Yasuda (Microsoft), Oliver Terbu (Spruce), Tobias Looker (Mattr), Dr. Torsten Lodderstedt (yes.com)
2. What is it?
Three roles: an Issuer (website) issues credentials to a Holder (digital wallet), and the Holder presents credentials to a Verifier (website). The Holder can be hosted locally on the user's device, have cloud components, or be hosted entirely in the cloud.
The family consists of three specifications:
■ OpenID for Verifiable Credential Issuance (issuance of verifiable credentials)
■ OpenID for Verifiable Presentations (presentation of verifiable credentials)
■ Self-Issued OP v2 (authentication using identifiers not namespaced to a third-party identity provider)
3. OpenID for Verifiable Credential Issuance
Credential issuance via a simple OAuth-authorized API. Parties: the Credential Issuer and Alice's Wallet (acting as OP), which holds her stored Verifiable Credentials.
⓪ Wallet requests, and the user authorizes, credential issuance
① Access token (and optionally a refresh token) is returned to the Wallet
② Wallet requests credential issuance
③ Credential is issued
4. OpenID for Verifiable Presentations
Parties: a Website or App (RP) and Alice's Wallet (acting as OP), which holds her stored Verifiable Credentials.
⓪ User tries to get access to a resource
① RP requests Credential(s)
② Wallet issues Verifiable Presentation(s) in a VP Token
- The RP can request credentials by format*, type and selected claims for selective disclosure, e.g.
○ format: "ldp_vc", type: "IDCredential", claims: "given_name" & "last_name"
○ format: "mso_mdoc", doctype: "org.iso.18013.5.1.mDL", claims: "driving_privileges"
- Verifiable Presentations* are returned in the so-called VP Token (one or more)
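Slides 3 and 4 carried through end to end in Go, as an added example that is not code from the deck or from the OpenID specifications. It assumes the credential format is SD-JWT (one of the formats slide 5 lists): claims are issued as salted digests in an `_sd` array, the holder key is bound in `cnf`, and the VP token joins the credential, the released disclosures and a key-binding JWS with `~`. The access token and `c_nonce` are constructed stand-ins for what steps ⓪ and ① of slide 3 obtain from the issuer's authorization server (that server and the HTTP transport are out of scope), and the claim names, the `IDCredential` type, the issuer and RP URLs and the RP nonce are constructed as well; the field names do not reproduce the specifications' exact wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example, not code from the IIW 35 deck or the OpenID specs. The token and nonce are
// constructed stand-ins for what steps 0 and 1 of slide 3 obtain from the issuer's authorization server.
const accessToken, cNonce = "tok-constructed", "c-nonce-1"
func b64(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte  { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func digest(s string) string { h := sha256.Sum256([]byte(s)); return b64(h[:]) }

// signJWS: compact EdDSA JWS over JSON claims.
func signJWS(claims map[string]any, key ed25519.PrivateKey) string {
	payload, _ := json.Marshal(claims)
	in := b64([]byte(`{"alg":"EdDSA"}`)) + "." + b64(payload)
	return in + "." + b64(ed25519.Sign(key, []byte(in)))
}

// verifyJWS: check against the key the caller expects (never one taken from the token), then decode into out.
func verifyJWS(jws string, pub ed25519.PublicKey, out any) error {
	p := strings.Split(jws, ".")
	if len(p) != 3 || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), unb64(p[2])) {
		return errors.New("JWS signature check failed")
	}
	return json.Unmarshal(unb64(p[1]), out)
}

// Issue is steps 2 and 3 of slide 3: bearer check, proof that the wallet controls the key the credential
// will be bound to (cnf), then a credential that carries the claims only as salted digests (_sd, SD-JWT style).
func Issue(issuerKey ed25519.PrivateKey, bearer, proof string, holder ed25519.PublicKey, claims map[string]string) (string, map[string]string, error) {
	var pc struct{ Nonce string }
	if bearer != accessToken || verifyJWS(proof, holder, &pc) != nil || pc.Nonce != cNonce {
		return "", nil, errors.New("access token or key-possession proof rejected")
	}
	disc, sd := map[string]string{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		d, _ := json.Marshal([]string{b64(salt), name, value})
		disc[name] = b64(d) // kept by the wallet and released one by one on request
		sd = append(sd, digest(disc[name]))
	}
	return signJWS(map[string]any{"iss": "https://issuer.example", "type": "IDCredential", "_sd": sd,
		"cnf": map[string]any{"jwk": map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64(holder)}}}, issuerKey), disc, nil
}

// Present (slide 4, step 2): credential, only the requested disclosures, and a key-binding JWS over the RP's nonce and audience.
func Present(cred string, disc map[string]string, key ed25519.PrivateKey, want []string, nonce, aud string) string {
	parts := []string{cred}
	for _, name := range want {
		parts = append(parts, disc[name])
	}
	return strings.Join(append(parts, signJWS(map[string]any{"nonce": nonce, "aud": aud}, key)), "~")
}

// Verify (RP side): issuer signature, holder binding via cnf, nonce and audience against replay, each disclosure digest against _sd.
func Verify(vp string, issuerPub ed25519.PublicKey, nonce, aud string) (map[string]string, error) {
	parts := strings.Split(vp, "~")
	var cc struct { SD []string `json:"_sd"`; Cnf struct{ Jwk struct{ X string } } }
	if len(parts) < 2 || verifyJWS(parts[0], issuerPub, &cc) != nil {
		return nil, errors.New("issuer signature check failed")
	}
	var kb struct{ Nonce, Aud string }
	if verifyJWS(parts[len(parts)-1], ed25519.PublicKey(unb64(cc.Cnf.Jwk.X)), &kb) != nil || kb.Nonce != nonce || kb.Aud != aud {
		return nil, errors.New("holder binding or replay check failed")
	}
	committed, out := " "+strings.Join(cc.SD, " ")+" ", map[string]string{}
	for _, d := range parts[1 : len(parts)-1] {
		var triple []string
		if !strings.Contains(committed, " "+digest(d)+" ") || json.Unmarshal(unb64(d), &triple) != nil || len(triple) != 3 {
			return nil, errors.New("disclosure not committed to by the issuer")
		}
		out[triple[1]] = triple[2]
	}
	return out, nil
}

// Demo runs the whole flow; the RP learns given_name and last_name but not the birthdate the wallet also holds.
func Demo() (map[string]string, error) {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderKey, _ := ed25519.GenerateKey(rand.Reader)
	proof := signJWS(map[string]any{"nonce": cNonce}, holderKey)
	cred, disc, err := Issue(issuerKey, accessToken, proof, holderPub, map[string]string{"given_name": "Alice", "last_name": "Example", "birthdate": "1990-01-01"})
	if err != nil {
		return nil, err
	}
	vp := Present(cred, disc, holderKey, []string{"given_name", "last_name"}, "rp-nonce-42", "https://rp.example")
	return Verify(vp, issuerPub, "rp-nonce-42", "https://rp.example")
}

func main() { fmt.Println(Demo()) } // map[given_name:Alice last_name:Example] <nil>
```

Two details in `Verify` carry the security argument of slide 4. The holder key used to check the key-binding JWS is taken from the issuer-signed `cnf`, never from anything the presenter supplies, so a stolen credential cannot be presented by a wallet that lacks the key; and a disclosure is accepted only if its digest is in the issuer-signed `_sd` list, so the wallet can withhold `birthdate` without the RP losing the ability to verify the claims it does receive. The published SD-JWT key-binding JWT additionally commits to the set of released disclosures (an `sd_hash` claim); that step is omitted here.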
5. OpenID4VCs allows a variety of choices in the VC tech stack
Component: implementer's choices when using OpenID4VP
■ Format of VCs/PID/(Q)EAA: any format (W3C VCs, ISO mDL, SD-JWT, AnonCreds, …)
■ Method to obtain public keys: any DID method, raw keys, or X.509 certs
■ Cryptography: any crypto suite (EdDSA, ES256K, etc.)
■ Revocation: any mechanism (Status List 2021, etc.)
■ Trust management: any mechanism for managing trusted Issuers, Wallets and Relying Parties (EU Trusted List, OpenID Connect Federation, TRAIN, …)
6. Working Group Updates Since Last Workshop (May 2022)
■ Renamed from "OpenID Connect 4 SSI" to "OpenID 4 Verifiable Credentials"
■ OpenID 4 VCs is a new kind of OpenID
■ Started a comprehensive security threat analysis
■ Conformance Test (1st revision)
■ New sub page: https://openid.net/openid4vc/
8. OpenID 4 Verifiable Presentations
● Changed base protocol to OAuth 2.0
● Replaced the "claims" parameter with the following options:
▪ scope (definition left to a spec or deployment)
▪ presentation definition (by value or by reference)
● Started to move SIOP v2 pieces into OpenID4VP to make it self-contained:
▪ cross-device flow
▪ client metadata
9. SIOP v2
● SIOP "just" means "iss" == "sub"
● id_token_types_supported:
▪ subject_signed: self-issued ID token, i.e. the ID token is signed with key material under the end user's control
▪ attester_signed: signed by the OP (the classical ID Token)
● SIOP now supports all OpenID Connect flows
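A subject_signed ID token as described on this slide, as an added Go example that is neither the deck's code nor the SIOP v2 specification's. It assumes the end user's public key rides in a `jwk` JWS header and that `sub` is the RFC 7638 thumbprint of that key; the slide states only that iss == sub, so both conventions are assumptions here, as are the audience, nonce and key generation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example, not code from the deck or the SIOP v2 spec. Where the key travels (a jwk JWS header)
// and how sub is derived (RFC 7638 thumbprint) are assumptions; the slide only fixes iss == sub.
func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }

// NewKey generates the end user's key; in a wallet this lives in the device keystore.
func NewKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }

// thumbprint: RFC 7638 over the required OKP members in lexicographic order (RFC 8037).
func thumbprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256([]byte(`{"crv":"Ed25519","kty":"OKP","x":"` + enc(pub) + `"}`))
	return enc(h[:])
}

// SelfIssue builds a subject_signed ID token: iss == sub == thumbprint of the signing key.
func SelfIssue(key ed25519.PrivateKey, aud, nonce string) string {
	pub := key.Public().(ed25519.PublicKey)
	sub := thumbprint(pub)
	hdr, _ := json.Marshal(map[string]any{"alg": "EdDSA", "typ": "JWT",
		"jwk": map[string]string{"kty": "OKP", "crv": "Ed25519", "x": enc(pub)}})
	body, _ := json.Marshal(map[string]string{"iss": sub, "sub": sub, "aud": aud, "nonce": nonce})
	in := enc(hdr) + "." + enc(body)
	return in + "." + enc(ed25519.Sign(key, []byte(in)))
}

// VerifySelfIssued is the RP side. It trusts no external issuer: the token is accepted only if the key
// in the header is the one sub names and the one that produced the signature, and iss == sub. A token
// whose iss is an OP URL (attester_signed) is rejected here; it must be checked against that OP's
// published keys instead. Passing proves control of the key and nothing more: identity attributes
// have to come from credentials presented alongside.
func VerifySelfIssued(token, aud, nonce string) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", errors.New("malformed JWS")
	}
	var hdr struct { Alg string; Jwk struct{ Kty, Crv, X string } }
	var c struct{ Iss, Sub, Aud, Nonce string }
	if json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &c) != nil {
		return "", errors.New("undecodable JWS")
	}
	pub := ed25519.PublicKey(dec(hdr.Jwk.X))
	if hdr.Alg != "EdDSA" || hdr.Jwk.Kty != "OKP" || hdr.Jwk.Crv != "Ed25519" || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("unsupported or malformed header key")
	}
	if c.Iss != c.Sub || c.Sub != thumbprint(pub) {
		return "", errors.New("not self-issued: iss and sub must both name the signing key")
	}
	if !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), dec(p[2])) {
		return "", errors.New("signature does not verify under the header key")
	}
	if c.Aud != aud || c.Nonce != nonce {
		return "", errors.New("audience or nonce mismatch (replay or wrong RP)")
	}
	return c.Sub, nil
}

func main() {
	key := NewKey()
	fmt.Println(VerifySelfIssued(SelfIssue(key, "https://rp.example", "n-1"), "https://rp.example", "n-1"))
}
```

The order of checks matters: the `sub`-equals-thumbprint test binds the identifier to the header key before that key is used to verify the signature, so an attacker cannot keep a victim's `sub` and swap in their own key, and the `aud`/`nonce` test is what makes a captured token useless at another RP or in a later session.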
10. Other standards bodies, non-profits and government activities
■ Incorporated OpenID4VCs into ISO drafts (18013-7/mDL & 23220-3&4/eID)
■ The European Blockchain Services Infrastructure (EBSI) adopted OpenID4VCs
■ EU eIDAS v2
● Presented to the EU eIDAS expert group
● OpenID4VCs was added to the short list
■ Established liaison with ETSI
■ Working on BLE mode with MOSIP
12. Working Group Issues to be Addressed
■ More implementer feedback (preparing Implementer's Drafts for all specs)
■ Overall trust model and security considerations draft
■ Issuance: issuer metadata path & file content, issuer identification by DID, anonymous & externally managed clients
■ Offline support (BLE): first non-WG draft ->
■ Conformance Testing