Trust and Internet Identity Meeting Europe
17.-20. Feb 2020: Workshops and Unconference

What are your “Three Big Bets” in IAM?

(Robin Wilton)

Could be filtered as a ‘hype cycle’, Gartner’s magic quadrant, or Leif’s filter (‘look where money is misspent’)

  • Will OIDC replace SAML? -> Did SAML replace X.509? (-> Leif: ‘Nothing ever gets replaced’) – even X.509 (single-root PKI, simpler use) is increasingly used

What are your “three big bets” in IAM?

Does X.509 represent misdirected effort or wasted money? Where should we focus our efforts? Looking for ideas; brainstorming session. Link to pictures of the white board.
· Winners: something we want to encourage
· Losers: something we want to stop
· Pain Points: Unknown unknowns, which haven’t been encountered yet
· Blind Spots: Unknown unknowns, which haven’t been encountered yet

For example, one of the problems that we might encounter is that OpenID Connect could displace SAML.

· OAuth <-> OpenID Connect <-> SAML: complexity of Connect and OAuth; no surprise if some of the bigger players go “let’s redo this from scratch because it’s clearly too complex” -> cannot sustain the rate of change of OIDC; the design of OAuth is a craft pile
· SAML <-> X.509. Q: Does SAML replace X.509? A: No, or only partially. Comment: someone said that SAML would replace X.509, but it won’t, because nothing ever gets replaced; it will create another standard that needs to be followed
· Outsourcing vs. in-house
· A growing accumulation of cruft – legacy stuff builds up
· Single-root PKI: no IT/anti cross-signed PKI or diamond-shaped PKI
· X.509 volume vs. function: the number of X.509 certificates went up, but the number of functions went down
· ZKP outside DLT: people grow tired of the ledger aspects and mining; some aspects of that are getting picked up by people. ZKP = a bunch of technologies, there are libraries; a bunch of crypto that allows me to prove to you that I am wearing blue socks without showing you my socks. You could prove your affiliation with the university without revealing your identity
· Crypto evolution + application to IAM => AuthN – privacy, security: application of new crypto ideas into IAM; privacy and security are a part of them
· X.509 client AuthN
· PIVs
· PETs: government/financial services – i.e. regulated sectors. Two major efforts for PETs:

  1. Put them in regulated areas of government/financial services (hard because there is already regulation in place; people wouldn’t want to spend time and money on improving it)
  2. Change the game in data monetization – difficult relationship with the organizations operating free services

· Changing the monetization status quo: IDM innovation likely to fail (even though people spend money on it)
· Standards driven by corporate interest: control from big corporations
· Shifting TDSKS to the user will fail: rumors about Apple releasing an app that will kill FB; moving data back to user control, where that requires the user to deploy technology on their devices, is going to fail (includes technologies – e-wallets etc.)
· SSI = a land grab (International Star Registry): interest in the product because they hope to define the next domain system; someone’s going to pay money for valuable name space; looking at their source code – a commit in a file which adds 5 people who can control entry into the system
· Scalable attacks on RSA + its uses => algorithm agility: a major game changer, but problematic; Connect would survive better than SAML; most TLS services don’t use RSA today, the handshake itself doesn’t use RSA; IDAS? will not survive in its current form – not specified, not implemented; not nearly enough algorithm agility
· [Mass eID: China/India] – impact on society + democratic structures: a problem on a global scale; architectural challenges; practical problems; institutional stability works back on the government eID system. What impact do those mass eIDs have on society and democratic structures? Access to social media (China)
· 5 per AuthN; cost model isn’t realistic. Problem: no civilians can use it; if there are no people -> no use case for services to use it; cost model – if you have to pay for it (authentication), it’s cheaper to do a half-assed solution
· Any per-use model might be unrealistic
· Where does RVE take place, if there are no post offices/banks? Related trend about moving everything digital: no foundation left for high-trust identity; banks don’t meet their customers anymore. Blind spot globally: where do we establish know-your-customer environments, where do we fulfil that? 1 or 2 regulated outlets where that can happen – apothecaries (drugs), libraries. The sign <-> represents the dynamic tension between the elements
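The ZKP bullet above (prove you know something without showing it) rests on a proof of knowledge; the following is an added example, not part of the workshop notes, showing the classic Schnorr proof made non-interactive with Fiat-Shamir: the prover convinces a verifier that it holds the secret behind a public value without revealing the secret. The group parameters are a constructed toy set, and the context string and function names are assumptions for this illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): safe prime p = 2q + 1,
# g = 4 generates the subgroup of prime order q. Real systems use standardised
# groups (e.g. elliptic curves) rather than hand-picked numbers.
P = 2039
Q = 1019
G = 4


def keygen():
    """Prover's secret x and public value y = g^x mod p (the credential)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y, t, context):
    """Fiat-Shamir: the challenge is a hash of the transcript plus a context
    string, so a proof cannot be replayed into a different session."""
    data = f"{P}|{G}|{y}|{t}|{context}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, y, context):
    """Schnorr proof of knowledge of x with y = g^x (mod p)."""
    r = secrets.randbelow(Q - 1) + 1   # fresh randomness per proof (never reuse)
    t = pow(G, r, P)                   # commitment
    c = challenge(y, t, context)
    s = (r + c * x) % Q                # response; r masks x, so nothing leaks
    return t, s


def verify(y, proof, context):
    """Accept iff g^s == t * y^c (mod p), which holds only if the prover knew x."""
    t, s = proof
    if not (1 < y < P and 1 < t < P and 0 <= s < Q):
        return False
    c = challenge(y, t, context)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    proof = prove(x, y, "tiime-demo-session-1")
    print("valid proof accepted:", verify(y, proof, "tiime-demo-session-1"))
    print("replayed into other session:", verify(y, proof, "other-session"))
```

The verifier learns only that the prover knows x for the public y; an anonymous-credential scheme for "affiliated but unidentified" builds further structure on this same kind of proof.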

Paper – tries to explain quantum computing, symmetric and public key encryption and problems like factorization. Research found: if you’ve got a given RSA key length, here is our assessment of the number of key bits you will need to mount an effective quantum computing attack on that key length. Couldn’t find any research on: if I’ve got a 256-bit key and a quantum computer that only has 16 key bits, can I attack 16 of the key bits with my quantum computer … Can you reduce the effective length of the key to a more manageable one for a classical computer? Grover’s algorithm works for symmetric keys; thinking more about RSA – whether it is viable? Many people are pessimistic about how many key bits one would be able to assemble in use -> saying it will not matter until the next millennium, because there’s no way you’ll be able to turn a 256-bit key into … useful; if you don’t need to, then a small number of key bits starts to enable effective attacks sooner. Ask a cryptographer or mathematician. QIRL – quantum internet research list (possible link).