Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2015 Session 3: Attribute authorities discovery (protocol)

Convener: Davide Vaghetti

Abstract: 3 Use Cases for Attribute Authority. Possible solutions for Discovery.

Tags: Attributes, Discovery

Attribute Authority (AA) Discovery

In every case you need an attribute authority but only one (the third one) needs discovery:

1. Authentication Authority is Attribute authority: AA Discovery is sufficient.

2. VO AA that knows about membership info that the Campus IDP (AA) does not, but the SP will know which VO AA to contact.

3. Usage of external AA like eGov ID, things like Switch eduID or Social IDs, there only the User will be able to tell which AA to use. This use case is in need of AA discovery.

Possible solution for AA Discovery

1) Attribute Authority WAYF (after authentication)

Pros

  • It does apply to every SP in need of AAD
  • It is not bounded to a specific attribute or set of attributes

Cons

  • It does complicate the resource access process
  • It puts another burden on the user that has already passed WAYF to choose IDP.

2) Attribute Authority Central Discovery and Collecting or “(A)AC/DC”

Pros

  • It is transparent for the user until we do not have collisions in attribute collecting (i.e. multiple values for single value attributes)
  • It is consistent with EduKEEP - user-centric identity management model

Cons

  • Difficult to implement for every and each attributes, but not that difficult to implement for just some attributes (i.e. schacHomeOrganization)

Also take a look at: EduKEEP: towards a user-centric identity federation
http://meetings.internet2.edu/2015-technology-exchange/detail/10003996/

Off- topic discussion, presentation of a Dutch UETP Uniform Economic Transaction Protocol

Discussion about Identity Layers in Bank domain:

  • Who entities (who legally represent)
  • What entity
  • How entities (rule sets)
  • Transaction entibining who what and how with timestamp and location. - transaction entities where how, when, where can be combined

The idea of the entity becomes data-centred as open source - it is important to cooperate. Real-time relevant authority routing. ID is a set of attributes like MAC address, IPv6 Address, connected by a handle based on RFC 4122.

Conclusion

Attribute Authority Discovery will be necessary for R&E when eGovID-like technologies will be delivered.

An Attribute Authority Central Discovery and Collecting mechanism or (A)AC/DC seems to be the simplest solution.

Partner 2020