ID4me: using the DNS as a directory for identities
Formal Metadata
Number of Parts | 561
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/44337 (DOI)
FOSDEM 2019, part 308 / 561
Transcript: English (auto-generated)
00:06
So, as I was saying again for the people remotely connected that the problem that we are trying to address is the problem of online identities and so how to do something better than just having 200 different accounts and 200 different passwords. And the point is that interestingly, we already have online identities because
00:26
each one of us has an online identity. The problem is that we're not controlling them. So we have an online identities because we are being tracked everywhere and we are being profiled. So maybe it's not directly connected to our main, but sometimes it is. But I mean, a lot of companies really know who we are across multiple services.
00:44
And this is basically because of advertising. But we do not have a way to basically do the same and have a single identity and control it. So we are stuck with having a thousand different accounts which is insecure and inconvenient. And so of course, the solution is some kind of single sign on.
01:02
And so you have a single set of credentials, you have someone who is basically running the authentication and verifying that you are you and telling all the other services that you are you. So of course, we already have this now. So of course, I'm sorry for Warren and the Google people, but again, we now have
01:23
basically two big entities running this, Facebook and Google. And it's really good. I mean, you see now everywhere on websites, you get this, I mean, big signing with Facebook, signing with Google, but if you really want, you can sign up with your own account with email. And so this is really a trend.
01:41
And it's very convenient. So it's actually very easy to do. And users like it. So it's been growing really fast in the last two, three years. But again, we have a problem where there is no interoperability. So I mean, even if all the systems are more or less based on the same protocols, they don't talk to each other. So and so you have a fragmentation in the end, you get you have a concentration because the
02:04
problem is that clients websites would have to implement each and every different provider separately. And so they don't do it for 200. They do it for two basically Google and Facebook. And users cannot choose. I mean, you can choose between Google and Facebook basically. And then again, this again creates an issue with privacy and tracking because if
02:21
whoever is running your single sign on will be able to tell all the places where you log into. And so I mean, if people try to do it, I mean, in a more open way, this is actually a real screen from a hotel, which was the recommended hotel for the ITA for security workshops. Actually, the old people were meeting there. And in this hotel really tried to give you some choice.
02:42
And so you had eight different login buttons to choose from. So this quickly becomes totally unmanageable and inconvenient. So we need some kind of federation, which is the solution. Of course, you can have a very, very easy to use a single sign on which is also federated so that you can choose your provider. You can have any number of providers.
03:01
They can interoperate. You can actually get your identifier. You can even get a domain name and so use a string in your domain name as your identifier. I mean, this is, I will not go into detail. The point I wanted to get to is that if you want to do this kind of federated whatever, then you need some kind of discovery mechanism.
03:23
So you need a way for the website that wants to authenticate you to know who is running your identity. And so this is what is missing. Actually, I mean, the protocol that everyone is using, which is OpenID Connect, based on 2.0. There's also others, but OpenID Connect is most commonly used for this kind of use
03:42
case. They are not really, I mean, they do support some kind of federation, but they are not deployed in this way. They are just deployed. I mean, it's federation in the sense that you have many websites and a single identity provider, and that's it. And so we really need a place to keep the directory of online identities and a way to look into this list.
04:02
And so where do we keep the public directory for identities? And of course, the web people do it on the web. I mean, since now they are also doing DNS over the web. So there is actually a discovery mechanism which is already standardized in OpenID Connect, but it's based on WebFinger, which is based on HTTPS, again, and a well-known
04:20
address, URL, and so on. And so it has some limitations. By the way, it uses URIs as identifiers, which are really inconvenient. But the real point is that if you want to let people have their own domain name, their own identifier, and so you want to apply this on a million domain names for one million customers, then you need to have a web server for each and every domain in one million.
04:40
So you have a million websites, a million certificates, and so this is really inconvenient for deployment on a big scale in which you want to have any number of names and of providers. And so, well, the web is so uncool. So I'm sure you heard about this. So, of course, everyone is talking about the blockchain. Now, you know, everyone wants to use the blockchain.
05:01
You need to be self-sovereign, whatever this means, but it's the buzzword. And by the way, of course, there are tokens and ICOs and money going on. This is really a big trend. Maybe it's been slowing down in the last few months, but it's really big. I mean, this is one of the big drive, identity is one of the big drivers around blockchain. And so, of course, you see all sorts of different blockchain identity projects.
05:23
I mean, I took the screens like, I mean, last summer, so some of them might be older, might have already have folded up or whatever. But you still see a lot of different projects ranging from IBM, which is, of course, very willing to make you self-sovereign, to, I mean, foundations or startups. There's all sorts of players here.
05:42
And so the people do it on the blockchain. These people say we're going to put your identity in a blockchain so that it's there, it's public, then you have to protect it in some way because otherwise it's too public. But then you don't put identities, in fact, because, I mean, writing data into the blockchain is expensive.
06:01
And so you put pointers or maybe hashes of the pointers or something like that. And it's not very clear. But the selling point is that this is decentralized. So the nice thing is that we don't need a trusted central authority. We have decentralized everything. We don't need government. We don't need, I can, so, and there's even some standardization going on, even
06:20
if it's not by the W3C, but at the W3C as an independent effort. But there is some standardization. So this is, I mean, I went to a conference last year. This was in May 2018. And there was actually a guy that had tried to use a blockchain identity project for his own company. And so he did this survey. Went through a community website, went through the list of blockchain identity projects.
06:41
He found 91 blockchain identity projects. And 63 of them were already having or planning or announcing an ICO or raising money. But only 17 had a website which was more than, I mean, three lines and, yeah, coming soon. Only three had some software and zero had working software. So, I mean, this is not necessarily bad. The point is that this is really an immature technology.
07:02
So maybe it could come. I mean, I'm not saying this is all crap. It doesn't matter. But it's really not there yet, at least. So if you want to build something that can work now, you cannot really use the blockchain. So, I mean, of course they're talking about this public distributed ledger. But the blockchain is not a solution.
07:20
So, wait a minute. So we already have a public distributed ledger because it's an open standard. It has many free implementations. It's widely available everywhere. It's been working very reliably for 30 years. It's secure, at least if you deploy the security extensions. It can scale. We know how to scale it and serve millions of people. It's actually regulated to prevent capture.
07:42
So, I mean, some people don't like this point. They say, I mean, we want to be self-sovereign, meaning we have no governments and we have no trusted authorities. Well, yeah, we really had already a period in which we had no trusted authorities, no institutions, no states, and it was called the Middle Ages. So I think we went beyond that. So I think that some trusted authorities are actually a good thing.
08:02
But still, if you're worried about someone capturing the DNS, there's been 20 years developing regulation and checks and balances and ways to prevent someone from capturing the root and making it disappear and whatever. It is actually decentralized and federated. So it's a DNS. And so this is the real point we wanted to make.
08:20
So the point is that we have to be aware that DNS is actually a very good public distributed ledger. And we could be using, we should be using for more than just naming the hosts and a few other things. And so this is really the, I think it's also good for everyone in the DNS community because the more applications we build onto the DNS, the more it stays relevant.
08:42
So actually, the DNS is very good to provide a namespace, which is a big problem for identities. Because with identities, I mean, people use natural names. Natural names are really bad as identifiers because they are not unique. They are not uniform. They don't have uniform formats around the planet. They are not even easily parsable. So I mean, in the end, it's impossible to use real world names as identifiers for online
09:05
identities. And so you need some kind of namespace. And this namespace must be distributed, must be federated so that you can still ensure that every identifier is unique, but you don't have any centralized place where one has to go and register each and every identifiers and make a big database of all the existing
09:22
identifiers. And again, this is a problem that was already solved 35 years ago with the DNS. It's the same problem. So of course, it's nice for people to try to develop new technologies to do the same stuff. But still, we already discussed this. We already found a way. And so if you use the DNS, you can actually assign your identifiers to identity in a way
09:42
in a namespace, which is already naturally federated. And it's already familiar to users. So everyone is already familiar with DNS-like strings. You can use email addresses if you wish. Or also you can, I think in general, this should be a good trend for everyone.
10:00
We should really encourage people to get a domain name. It's cheap. It makes you independent in a number of dimensions. So of course, it's also good for those of us that make money by selling domain names, domain name related services. But in general, I think it's really good for people to own the little piece of the DNS namespace. So and also the DNS gives you a discovery scheme, which is also, as I said, working
10:22
very well. So what we need is just a pointer so that you enter your identifier or you provide your identifier to a website and they can discover who is running your identity, which server is responsible for it. And again, this is a problem that was already solved for email. It's the same problem. So now we're doing it.
10:41
I will show you briefly a little about our project, but we're doing it with a TXT record. We didn't get a new or try to get a new resource record type. And that way I already did this presentation at the ICANN DNS Symposium last year and people were like, no, you need to get a new resource record. Why are you polluting the space with TXT, which is fine. But then if you're an application developer and you need something to do, I mean, you
11:02
start doing it with a TXT record. And then, yeah, in the future we will change and then you never do it because then you start deploying it. So I am aware of the problem and I'm happy to hear comments. But still, I mean, there's already a couple of independent internet drafts. There's not IETF work going on on this yet, but at least there are public documents and specifications that you can see.
11:22
So it's very simple. We just created for, I mean, a very simple TXT format in which you have the user underscore name and you describe, well, a version number and who is the issuer of your identity and who is the claims provider, which is in the OpenID Connect talk. It's the entity that is actually providing the values for your name, for your identity.
11:44
So this could be the same or a different entity. So in the end, this is actually blockchain. So I didn't want to bash the blockchain people too much. So I mean, if you wanted, you could just then replace this with some blockchain mechanism. But at the same time, you have to do something which is available now.
12:03
So the project is called ID4me. I will not go really too much into detail on this. I will go very quickly through the last presentation. There are some logos mostly for transparency, but it's basically now a public consortium. So there's a non-profit association consortium running it. And the point I wanted to make is that if, let's skip this.
12:22
If anyone is interested, there's a website, of course. There are public specifications. There's a Java API development. We have this international non-profit consortium. So we're trying to make this as open as possible. We have a prototype up and running. There's going to be possibly a beta product launch in Germany since many of the original
12:40
promoters are German, including DENIC, the top-level manager. And so there will be possibly a beta public launch at the end of March. And we'll start using it and see whether people like it and whether it works. So again, of course, if anyone is interested, this was the advertisement part of the presentation. But I think apart from this, well, of course, this is the website if you want more information.
13:01
But apart from this, the message I really wanted to give here is that I think it's good for the DNS community to find new ways and new content to put into the DNS and new things to point, because it's really a wonderful service. And I think it's good if we keep it relevant and bring it forward with the new technologies. So thank you.
13:39
This is a bit tongue-in-cheek, I have to say.
13:41
So have you thought about maybe doing that with Ethereum DNS? There's actually some. I think there's already some. Yeah, I mean, yeah. I mean, maybe they will succeed. Yeah, I mean, it's nice to see people try and do stuff. I think in the end, and then people will see whether it's useful or not.
14:01
So it's not like everything is bad about the blockchain. But I think that the centralized identity problem is also a big issue in terms of privacy and security and a number of things. So I think that finding a solution that can work immediately would be good. Even if I must say it will be, we are aware that it will be very hard to succeed since most users just already use Google and Facebook and that's it.
14:23
But at least we want to try and make something different and try to keep it open. Could you explain the differences between your approach
14:40
with the DNS records and WebFinger? Yeah, the question was about the difference between the approach we have here and WebFinger. Basically, the operation you're trying to do is the same one, because you need to, you basically start from an identifier, you need to do something to get information on who is the issuer. The difference is that here is just, I mean,
15:02
the relying party that has to start the authentication flow just does a DNS query, gets the information through the DNS query, and then all the rest is standard OpenID Connect. So then it's the normal OpenID Connect authentication flow. If you do it with WebFinger, then the relying party has to do this HTTPS connection. But by the way, it has to do a DNS query anyway,
15:21
because it has to retrieve the IP address for the WebFinger server it has to connect to. So at that point in time, you just do the DNS query and you already get the information. There is one issue, and by the way, in this thing, DoH might actually be useful to this project, because in the end, one of the problems is that JavaScript applications have problems today in doing TXT queries.
15:41
So DoH, by the way, one of the good uses of DoH would be enabling JavaScript applications to do more than a other square is to reverse, which could be solved also by just by changing the way the APIs are done in the operating system. But still, in this case, that might be helpful. But in the end, I think it's technically, I think it's simpler as long as you can make this TXT query,
16:02
because you just do the DNS query, rather than doing the DNS query and then the HTTPS connection.