Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

Topics 2017

Son-of-IAF (2017)

Kantara Identity Assurance Framework reloaded: How can the IAF be profiled and tailored to specific needs? E.g. there should not be restrictions on organizations submitting their own assessment rules, if their consumers accept it, because it is expensive to get third party assessments. Next steps: continue discussion at the Internet2 Global Summit.

SAML Proxy Options (2017)

There are a couple of use cases for SAML-to-SAML proxies, such as Hub-and-Spoke Federations, double blinding, aggregation of IDPs and SPs, cross federation with eID systems and adding local attributes in virtual organizations.

Privacy by Design (2017)

Non-technical discussion about privacy by design. Reason and background of the topic: at ORCID there were talks about how to build a concept of trust, and how to build this value system into the features, the workflows and the work with the community.

Multi Factor/Strong Authentication (2017)

The diversity of authentication mechanisms can be challenging. While not-so-strong approaches have shown certain success because of ease-of-use considerations, the security-UX tradeoff is not the only one, as the example of the Google Authenticator shows.

Mapping attributes between SAML & OIDC (2017)

Straight mapping from A to B vs. bidirectional mapping. Basic mapping should work out of the box; extensions are required for clients in advanced scenarios. In R&E there are a few problematic attributes, like eduPerson(Scoped)Affiliation and eduPersonEntitlement. Join the REFEDS OIDCre working group for further work and proposals.

"Free", "Freemium" and Paid Services (2017)

There are services which state they are free, but “if you are not paying for something, then you are the product”. Then there are services which have a premium setting, where you just do not see ads, but they most likely sell your data anyway. And then there are services where you pay, your data is sold, and someone else who is profiled similarly to you sees the ads.

Difference between OAuth2 and OIDC (2017)

There is a lot of confusion about OAuth2 vs. OpenID Connect tokens. The OAuth2 token can sometimes be used incorrectly. The ID tokens are for encapsulating the ID of a user. If I have a bearer token, what do I do with it? Nothing prevents the resource from using the access token to connect to other resources.

Blockchain and Identity (2017)

Is there enough foundation in the identity ecosystem? Blockstack, for instance, already uses blockchains for this. The financial industry in particular spends much money and resources on research projects. There are some privacy issues in digital blockchain currencies. Are there potential privacy benefits in using them?