Upgrade to Pro — share decks privately, control downloads, hide ads and more …

NIST SP800-63C (rev.4) Federation & Assertions ...

Nov Matake
March 16, 2023
Technology
0
57

NIST SP800-63C (rev.4) Federation & Assertions - OpenID BizDay #16

Nov Matake

March 16, 2023
Tweet

More Decks by Nov Matake

See All by Nov Matake
Passkey Autofill に賭けるマネーフォワード ID - Money Forward Tech Day 2024
nov
1
2.2k
OpenID Summit 2024 - Translation WG
nov
0
390
OpenID Summit 2024 - Panel : Celebrating Ten Years of OpenID Connect
nov
0
420
What’s Passkey @ AXIES 2023
nov
0
2.1k
#fidcon WebAuthn, Next Stage - #idcon vol.29
nov
0
2.1k
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID TechNight vol.17
nov
0
13
Sign in with Apple ~ diff from OIDC / OAuth 2.0 & characteristic identifiers design ~ - #idcon vol.27
nov
0
14
OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup Fukuoka
nov
2
600
IIW #13 report at idcon #10
nov
2
69

Other Decks in Technology

See All in Technology
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
630
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
730
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
520
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
27
12k
とあるユーザー企業におけるリスクベースで考えるセキュリティ業務のお話し
4su_para
3
320
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
500
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140
Product Engineer Night #6プロダクトエンジニアを育む仕組み・施策
hacomono
PRO
1
470
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
590

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
A designer walks into a library…
pauljervisheath
202
24k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Measuring & Analyzing Core Web Vitals
bluesmoon
1
40
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Product Roadmaps are Hard
iamctodd
PRO
48
10k

Transcript

  1. NIST SP800-63C (rev.4) Federation & Assertions Nov Matake

  2. Federation & Assertions

  3. Ұ࿈ͷωοτϫʔΫγεςϜؒͰ Identity ͓Αͼ Authentication ৘ใͷ఻ൖΛߦ͏ ͨΊͷϓϩηε. Federation

  4. 'FEFSBUJPOΛར༻͠ͳ͍৔߹ͱಉ͡ 'FEFSBUJPOΛར༻͠ͳ͍৔߹ͱಉ͡ 31͸$MBJNBOUʹ"VUIFOUJDBUJPOΛཁٻ͢Δ $MBJNBOU͸"VUIFOUJDBUJPOϓϩηεΛ௨ͯ͡  *E1ͷ7FSJ fi FSػೳʹରͯ͠"VUIFOUJDBUPSͷॴ ༗ͱ؅ཧΛূ໌͢Δ 31ͱ*E1ͷؒͷ"TTFSUJPOΛؚΉ͢΂ͯͷ௨৴

    ͸ 'FEFSBUJPOϓϩτίϧΛ௨ͯ͡ߦΘΕΔ *E1͸31ʹ4VCTDSJCFSͷ"VUIFOUJDBUJPOͷ ঢ়گͱ ؔ࿈͢Δ"UUSJCVUFΛఏڙ͠  4VCTDSJCFSͱ31ͷؒͰ"VUIFOUJDBUFE 4FTTJPOཱ͕֬͞ΕΔ

  5. Verifier ͔Β Relying Party (RP) ʹରͯ͠ૹ ΒΕΔ, Subscriber ͷ Identity

    ৘ใΛؚΜͩ Statement. Assertion ͸ݕূࡁ Attribute Λ ؚΉ͜ͱ΋͋Δ. Assertion

  6. Federation Λ࢖༻͢Δͱ͖, Subscriber ͷ Ұ࣍ Authenticator Λ؅ཧ͠, Subscriber Account ͔Β೿ੜ͢Δ

    Assertion Λൃߦ͢Δ ओମ. Identity Provider (IdP)

  7. Subscriber ͷ Identity ʹؔ͢Δ Verifier ͷ Assertion Λ৴པͯ͠, Transaction ॲཧ΍৘

    ใ·ͨ͸γεςϜ΁ͷΞΫηεΛڐՄͨ͠Γ ͢Δओମ. Relying Party (RP)

  8. CSP Identity αʔϏεʹొ࿥͞Ε֤ͨར༻ऀ ͷ৘ใ͓Αͼ Authenticator ΛؚΉ, CSP ͕ ઃఆ͢ΔΞΧ΢ϯτ. Subscriber

    Account

  9. RP ͕ Subscriber ϨίʔυΛ RP ࣗ਎ͷϩʔΧϧʹ อଘ͢Δͷ͸Ұൠతͳ͜ͱͰ, ͜Ε͸ RP Subscriber

    Account ͱݺ͹ΕΔ. RP Subscriber Account ʹ͸, RP ʹ͓͍ͯ Subscriber ͕࣋ͭ Access ݖݶ΍, Subscriber ͷ Identity Attribute ͷΩϟογϡͳͲ͕ ؚ·ΕΔ. RP Subscriber Account

  10. Federation Assurance Level (FAL)

  11. '"- 3FRVJSFNFOU 3FRVJSFNFOU 3FRVJSFNFOU  ʜ    Federation

    Assurance Level (FAL)

  12. Federation ʹ͓͍ͯ Authentication ৘ใ ͓Αͼ (৔߹ʹΑͬͯ͸) Attribute ৘ใΛ RP ʹૹΔࡍʹ༻͍ΒΕΔ

    Assertion Protocol ͷΧςΰϦʔ. Federation Assurance Level

  13. FAL ͸, Ϩϕϧ্͕͕Δ͝ͱʹηΩϡϦςΟ ͱෳࡶੑ͕૿͢ͱ͍͏ಛ௃Λ࣋ͭ, Ұ࿈ͷཁ ݅ͷू߹ͱͯ͠දݱ͞ΕΔ. ͜ΕΒͷཁ݅ʹ ͍ͭͯ͸, ຊηΫγϣϯͰϦετԽͨ͠ͷͪ, ຊυΩϡϝϯτ֤ηΫγϣϯͰৄࡉԽ͢Δ.

  14. 1. Cryptographic Verifiability 2. Audience Restriction 3. Injection Protection 4.

    Trust Agreement 5. Registration 6. Presentation

  15. Federation Protocol ʹ͓͍ͯఏࣔ͞Εͨ Assertion ͕, ͦ ΕΛൃߦͨ͠ಛఆͷ IdP Λ௥੻ՄೳͰ͋Γ, ͦͷؔ܎ੑΛ

    Digital Signature ΍ MAC ͳͲͷ҉߸࿦తϝΧχζϜʹΑ ΓݕূՄೳͰ͋Δ͜ͱ. ·ͨ RP ʹΑͬͯ౰֘ Assertion ͕վม͞ΕͨΓِ଄͞Ε͍ͯͳ͍͜ͱΛݕূͰ͖Δ͜ͱ. ͜Ε͸શͯͷ FAL ʹ͓͍ͯٻΊΒΕΔཁ݅Ͱ͋Δ. Cryptographic Verifiability

  16. Federation Protocol ʹ͓͍ͯఏࣔ͞Εͨ Assertion ͕, ಛఆͷ RP ʹ޲͚ͨ΋ͷͰ͋ Γ, ౰֘

    RP ͕౰֘ Assertion ͷ Audience Λ ݕূՄೳͰ͋Δ͜ͱ. ͜Ε͸શͯͷ FAL ʹ͓ ͍ͯٻΊΒΕΔཁ݅Ͱ͋Δ. Audience Restriction

  17. Attacker ͕౰֘ Federation Transaction Ϧ ΫΤετ֎Ͱಘͨ Assertion Λఏࣔͯ͘͠Δ Α͏ͳ Attack

    ʹରͯ͠, RP ͕ڧݻͳอޢࡦ Λ࣋ͭ͜ͱ. Injection Protection

  18. IdP ͱ RP ͕, ૒ํͱ΋ʹ, ౰֘ Subscriber Λ౰֘ RP ʹϩάΠϯͤ͞ΔͨΊʹ౰֘

    Federation Transaction ʹࢀՃ͢Δ͜ͱʹ߹ҙ͢Δ͜ͱ. ͜Ε͸྆ύʔςΟʔ ؒͷࣄલͷ੩తͳ߹ҙʹΑΔ͜ͱ΋͋Δ͠, ౰֘઀ଓ Λ࣋ͬͯ҉໧తʹ߹ҙͨ͠ͱΈͳ͞ΕΔ͜ͱ΋͋Δ. Trust Agreement

  19. Trust Agreement Ͱ͸, ҎԼͷύϥϝʔλΛཱ֬͢Δ͜ͱͱ͢Δ (SHALL). w *E1͕31ʹରͯ͠։ࣔͰ͖Δ"UUSJCVUFͷϦετ w *E1͕"TTFSUJPOΛੜ੒Ͱ͖Δ4VCTDSJCFS"DDPVOUͷ฼ूஂ w

    31͕ϦΫΤετ͢Δ"UUSJCVUFͷϦετ *E1͕31ʹରͯ͠։ࣔͰ ͖ΔϦετͷαϒηοτ  w 31͕ϦΫΤετ͢Δ֤"UUSJCVUFʹ͍ͭͯͦͷར༻໨త w 4VCTDSJCFS"UUSJCVUFͷ։ࣔʹ͔͔Δҙࢥܾఆͷ੹຿Λෛ͏ "VUIPSJ[FE1BSUZ w 4VCTDSJCFS͕31ʹ։ࣔ͞ΕΔ"UUSJCVUFʹ͍ͭͯ஌Δखஈ w *E1͕ఏڙ͠͏ΔY"- w 31͕ඞཁͱ͢ΔY"-

  20. IdP ͱ RP ͕૬ޓʹࣗ਎ͷࣝผࢠͱΩʔϚςϦΞ ϧΛަ׵͠, ͦΕҎ߱ͷ Federation Transaction ಺Ͱ Assertion

    ΍ Artifact ͷ Verification ʹ༻͍ Δ͜ͱ͕Ͱ͖ΔΑ͏ʹ͢Δ͜ͱ. Registration

  21. Manual Registration Dynamic Registration

  22. Assertion ͕ͦΕ୯ମͰ RP ʹ (Bearer Assertion ͱͯ͠) ఏࣔ͞ΕͨΓ, Subscriber ͕ఏࣔ͢Δ

    Authenticator ͱඥ͚ͮͨܗͰఏ ࣔ͞ΕͨΓ͢Δ͜ͱ. Presentation

  23. Back-channel Presentation Front-channel Presentation

  24. Back-channel Presentation Front-channel Presentation Bearer Assertion v.s. Assertion w/ Bound

    Authenticator …is defined as “Binding” not “Presentation”

  25. '"- *OKFDUJPO1SPUFDUJPO 5SVTU"HSFFNFOU 3FHJTUSBUJPO 1SFTFOUBUJPO  3FDPNNFOEFE %ZOBNJDPS4UBUJD %ZOBNJDPS4UBUJD #FBSFS"TTFSUJPO

     3FRVJSFE 4UBUJD %ZOBNJDPS4UBUJD #FBSFS"TTFSUJPO  3FRVJSFE 4UBUJD 4UBUJD "TTFSUJPOBOE#PVOE "VUIFOUJDBUPS Federation Assurance Level (FAL)

  26. FAL1

  27. FAL1 Ͱ͸, IdP ͕ੜ੒͢Δ Assertion ͸ Sec. 6 ͷίΞͱͳΔཁ݅Λ ຬͨ͞Ͷ͹ͳΒͳ͍

    (SHALL). ͜ΕΒͷཁ݅ʹ͸, IdP ͕ Approved Cryptography Λ༻͍ͯ Assertion ͷ಺༰ʹॺ໊Λࢪ͢͜ͱʹΑΔ, Attacker ͔Βͷ Assertion վม͓Αͼِ଄ʹର͢Δอޢࡦؚ͕·Ε Δ. RP ͸, Sec. 6 ʹ͋ΔΑ͏ʹ, Assertion Λड͚औͬͨࡍ͸ͦͷى ݯ΍ Integrity (׬શੑ) Λݕূ͠, ͦΕ͕ظ଴ͨ͠ग़ॴΛىݯͱͨ͠ ΋ͷͰ͋Δ͜ͱΛอূͤͶ͹ͳΒͳ͍ (SHALL).

  28. શͯͷ Assertion ʹ͸ҎԼͷ Attribute ΛؚΊΔ΋ͷͱ͢Δ (SHALL). 1. Subject Identi fi

    er: Assertion ͕ࢦࣔ͢͠౰ࣄऀ (i.e., Subscriber) ͷࣝผࢠ 2. Issuer Identi fi er: Assertion ൃߦऀ (i.e., IdP) ͷࣝผࢠ 3. Audience Identi fi er: Assertion Λར༻͢Δ͜ͱ͕૝ఆ͞Εͨ౰ࣄऀ (i.e., RP) ͷࣝผࢠ 4. Issuance Time: IdP ͕ Assertion Λൃߦͨ࣌͠ࠁΛࣔ͢λΠϜελϯϓ 5. Validity Time Window: ͦͷظؒΛ௒͑ͯ RP ͕ Subscriber Λ Authentication ͢Δ໨తͰ Assertion Λ༗ޮͳ΋ͷͱͯ͠ड͚ೖΕΔ͜ͱ ͷͳ͍ (SHALL NOT) Α͏ࣔ͢ظؒ. ͜Ε͸௨ৗ Assertion ͷ༗ޮظݶλΠϜελϯϓͱ͍͏ܗͰ Issuance λΠϜελϯϓͱͱ΋ʹ఻͑Β ΕΔ. 6. Assertion Identi fi er: ౰֘ Assertion ΛҰҙʹࣝผ͢Δ஋Ͱ, ߈ܸऀ͕Ҏલͷ Assertion Λ Replay ͢Δ͜ͱΛ๷ࢭ͢Δ໨తͰར༻͞ΕΔ. 7. Signature: Digital Signature ͳ͍͠͸ Message Authentication Code (MAC). IdP ʹඥ͍ͮͨ伴ͷࣝผࢠ΍ Public Key ΛؚΈ, Assertion શମΛΧόʔ͢Δ΋ͷ. 8. Authentication Time: IdP ͕࠷ޙʹ (ՄೳͰ͋Ε͹) ௚઀ Authentication ΠϕϯτΛ௨ͯ͡ Subscriber ͷଘࡏ֬ೝΛߦͬͨ࣌ࠁΛࣔ͢λΠ Ϝελϯϓ. 9. IAL: Assertion ͕ࢦࣔ͢͠ Subscriber Account ͷ IAL Λࣔ͢஋, ͳ͍͠͸͍͔ͳΔ IAL ΋໌ݴ͞Εͳ͍͜ͱΛࣔ͢஋. 10. AAL: IdP ͕ Subscriber Λ Authenticate ͨ͠ࡍͷ AAL Λࣔ͢஋, ͳ͍͠͸͍͔ͳΔ AAL ΋໌ݴ͞Εͳ͍͜ͱΛࣔ͢஋. 11. FAL: Assertion ͕ࢦࣔ͢͠ Federation ϓϩηεʹ͓͍ͯ IdP ͕ҙਤ͢Δ FAL Λࣔ͢஋.

  29. '"-ʹ͓͚Δ"TTFSUJPO͸શͯ ಛఆͷ31 ܈ ʹର͢Δ "VEJFODF3FTUSJDUJPO͕ࢪ͞Εͳ͚Ε͹ͳΒͣ 4)"-- 31 ͕౰֘"TTFSUJPOͷ"VEJFODFʹࣗ਎ؚ͕·Ε͍ͯΔ͜ͱΛ֬ೝ ͤͶ͹ͳΒͳ͍ 4)"--

    *E1͸ "QQSPWFE$SZQUPHSBQIZʹ ΑΔॺ໊ٴͼݤΛ༻͍ͯ౰֘"TTFSUJPOΛอޢ͠ ౰֘31ΛؚΉ શͯͷ"TTFSUJPOॴ༗ऀ͕*E1ʹͳΓ͢·͢͜ͱ͕Ͱ͖ͳ͍Α͏ ʹͤͶ͹ͳΒͳ͍ 4)"--  தུ

  30. '"-Ͱ͸*E131ؒͷ5SVTU"HSFFNFOU͸׬શʹ%ZOBNJD ʹཱ֬͠͏Δ .": ྫ͑͹ 4VCTDSJCFS͕31ʹରͯ͠ಈతʹ *E1Λબ୒ɾࢦఆ͠ 31͸*E1ͷύϥϝʔλΛ%JTDPWFSZʹΑ Γऔಘࣗ͠਎Λ*E1ʹొ࿥͢Δ͜ͱ΋ՄೳͰ͋Δ தུ ͳ͓

    '"-Ͱ΋4UBUJDͳ5SVTU"HSFFNFOU͓Αͼ3FHJTUSBUJPO ͕ՄೳͰ͋Δ͜ͱ͸ཹҙ

  31. FAL2

  32. FAL2 Ͱ͸ Assertion ͸ Attacker ʹΑΔ Injection Attack ͔Βڧݻʹ อޢ͞ΕΔඞཁ͕͋Δ

    (SHALL). ͜ͷཁ݅Λຬͨͨ͢Ίʹ͸, Assertion ͸ (தུ) Back-Channel Ͱఏࣔ͞ΕΔ΂͖Ͱ͋Δ (SHOULD). ͜ͷఏࣔ ํ๏Ͱ͸, RP ͸ϫϯλΠϜͳ Assertion Reference Λ༻͍ͯ IdP ͔Β ௚઀ Assertion Λऔಘ͢Δ. ैͬͯ Attacker ͸֎෦ΞΫηεϙΠϯτΛ ௨ͯ͡ Assertion Λ Inject ͢Δ͜ͱ͸Ͱ͖ͳ͍. Sec. 7.2 ͷΑ͏ͳ Front-Channel ʹΑΔఏࣔͰ͸, RP ͸௥Ճͷ Injection Protection Λ࣮ ૷͠ͳ͚Ε͹ͳΒͳ͍ (SHALL).

  33. FAL2 Ͱ͸, IdP-RP ؒͷ Trust Agreement ͸ Static ʹཱ֬͞Εͳ͚Ε ͹ͳΒͳ͍

    (SHALL). ͜Εʹ͸ RP ʹఏࣔՄೳͳ Attribute ٴͼͦͷར ༻໨తͷ੍ݶͷཱ֬΋ؚΉ. Trust Agreement ͸ IdP-RP ͷೋऀؒͰ֬ ཱ͢Δ͜ͱ΋Ͱ͖Δ͠ (MAY), ଟऀؒͰͷ Federation ύʔτφʔγοϓ Λհཱͯ֬͢͠Δ͜ͱ΋Ͱ͖Δ (MAY). RPͱ IdP ͕࣮ߦ࣌ʹཱ֬ࡁͷ Trust Agreement Λূ໌ՄೳͰ͋Ε͹, Registration ͸ Dynamic Ͱ΋ Α͍ (MAY). ͦͷΑ͏ͳূ໌ํ๏͸ Federation Protocol ʹΑΓଟ༷Ͱ ͋Δ͕, Software Attestation ͷఏࣔ΍ Trusted Domain ্ͷ URL ͷ؅ ཧݖݶΛূ໌͢Δ͜ͱͳͲ͕ྫͱͯ͠ڍ͛ΒΕΔ.

  34. FAL3

  35. FAL3 Ͱ͸ Subscriber ͸ Assertion ʹՃ͑ͯ Authenticator Λ Direct ʹ

    RP ʹఏࣔ͢Δ͜ͱͰ Authenticate ͤͶ͹ͳΒͳ͍ (SHALL). ͜͜ Ͱ༻͍ΒΕΔ Authenticator ͸ Bound Authenticator ͱ΋ݺ͹Ε, Sec. 6.1.2 ʹޙड़͞ΕΔ. (தུ) ͳ͓, Subscriber ͕ Bound Authenticator Λ༻͍ͯ Authenticate ͠, RP ͕౰֘ Authenticator ͕ ਖ਼͘͠౰֘ Assertion ͕ࣔ͢ RP Subscriber Account ʹඥ͍͍ͮͯΔ ͜ͱΛݕূ͢Δ·Ͱ, FAL3 ͕ୡ੒͞ΕΔ͜ͱ͸ͳ͍.

  36. FAL3 Ͱ͸, IdP-RP ؒͷ Trust Agreement ͓Αͼ Registration ͸ Static

    ʹཱ֬͞Εͳ͚Ε͹ͳΒͳ͍ (SHALL). શ౰ࣄऀʹͱͬͯ, ࣝผ ʹ༻͍ΒΕΔΩʔϚςϦΞϧ͓Αͼ Federation ύϥϝʔλ (RP ʹૹ৴ ͞ΕΔ Attribute ϦετΛؚΉ) ͸, Federation ʹΑΔ Authentication ϓϩηε࣮ࢪલʹݻఆ͞Ε͍ͯͳ͚Ε͹ͳΒͳ͍ (SHALL). Federation ʹΑΔ Authentication ϓϩηεͷதͰૹ৴͢Δ߲໨Λ͞Βʹ੍ݶ͢Δ ৔߹ʹ͸, ಈతʹܾఆ͕ͳ͞Εͯ΋Α͍ (MAY). (e.g., Trust Agreement Ͱ߹ҙ͞Εͨύϥϝʔλʹ͸ؚ·Ε͍ͯΔ΋ͷͷ Email Address Λ։ࣔͨ͘͠ͳ͍৔߹ͳͲ)

  37. Provisioning

  38. +VTU*O5JNF1SPWJTJPOJOH 1SFQSPWJTJPOJOH

  39. Provisioning API (e.g., SCIM API) v.s. Identity API (e.g., UserInfo

    API)

  40. Attribute Synchronization

  41. IdP ͸ RP ʹఏڙͨ͠ Subscriber Account ͷ Attribute ʹߋ৽͕ ͋ͬͨ৔߹,

    RP ʹγάφϧΛૹΔ΂͖Ͱ͋Δ (SHOULD). ͜Ε͸, Sec. 5.7 ͷ Shared Signaling ΍ Sec. 5.4.3 ͷ Provisioning API Λ ར༻ͨ͠Γ, Assertion ʹγάφϧΛؚΊͯఏڙ͢ΔͳͲͷํ๏Ͱ࣮ ݱՄೳͰ͋Δ.

  42. IdP ͸ Subscriber Account ͕ Terminate ͞ΕͨΓ Subscriber Account ͕࣋ͭ

    RP ΁ͷ Access ͕ແޮԽ͞Εͨ৔߹, RP ʹγάφ ϧΛૹΔ΂͖Ͱ͋Δ (SHOULD). (தུ) ͜ͷγάφϧΛड͚औͬͨ৔ ߹, RP ͸ RP Subscriber Account Λ Terminate ͤ͞, RP Subscriber Account ʹؔ࿈͢Δશͯͷ personal information Λ࡟ আͤͶ͹ͳΒͳ͍ (SHALL). ͨͩ͠؂ࠪ΍ηΩϡϦςΟ໨తͰඞཁ ͱ͞ΕΔ৔߹Λআ͘.

  43. Shared Signaling

  44. *E1͸4VCTDSJCFS"DDPVOUʹҎԼͷΑ͏ͳมߋ͕ੜͨ͡ࡍ γάφϧ ΛૹΔ͜ͱ͕Ͱ͖Δ .":  • "DDPVOU͕5FSNJOBUF͞Εͨ • "DDPVOU͕৵֐͞ΕͨڪΕ͕͋Δ •

    'FEFSBUFE*EFOUJ fi FSҎ֎ͷࣝผࢠ &NBJM"EESFTT $FSUJ fi DBUF $/౳ Λ͸͡Ίͱ͢Δ"DDPVOUͷ"UUSJCVUFʹมߋ͕ੜͨ͡ • "DDPVOUʹద༻͞Ε͏Δ*"- ""-ͳ͍͠͸'"-ͷൣғʹมߋ͕ੜ ͨ͡

  45. 31͸314VCTDSJCFS"DDPVOUʹҎԼͷΑ͏ͳมߋ͕ੜͨ͡ࡍ γά φϧΛૹΔ͜ͱ͕Ͱ͖Δ .":  • "DDPVOU͕5FSNJOBUF͞Εͨ • "DDPVOU͕৵֐͞ΕͨڪΕ͕͋Δ •

    31͕؅ཧ͢Δ#PVOE"VUIFOUJDBUPS͕௥Ճ͞Εͨ • 31͕؅ཧ͢Δ#PVOE"VUIFOUJDBUPS͕࡟আ͞Εͨ

  46. Time-based Removal of RP Subscriber Accounts

  47. ͕࣌ؒܦա͢ΔʹͭΕ, IdP ͔ΒΞΫηεͰ͖ͳ͘ͳͬͨ RP Subscriber Account ͕஝ੵ͞Ε͍ͯ͘Մೳੑ͕͋Δ. ͜Ε͸ RP Subscriber

    Account ʹ Personal Information Λอ࣋͢ΔϦεΫΛ RP ʹ΋ͨΒ͢. ಛʹ Just-in-time Provisioning ϞσϧͰ͸, Sec. 5.7 ͷ Shared Signaling ʹΑΓ IdP ͔Β Subscriber Account ͕ Terminate ͞Εͨͱ͍͏γάφϧΛૹΔ͜ͱ͕Ͱ͖ͳ͍. ͜ͷΑ͏ͳ ৚݅ԼͰ͸, RP ͸࣌ؒϕʔεͷϝΧχζϜΛ΋͍ͪͯҰఆ࣌ؒΞΫ ηεͷͳ͍ (ྫ͑͹, ࠷ऴΞΫηε͔Β120೔ͳͲ) RP Subscriber Account Λಛఆ͠ Terminate ͤ͞Δ΂͖Ͱ͋Δ (SHOULD).

  48. ͜ͷΑ͏ͳΠϯΞΫςΟϒͳ Account Λॲཧ͢Δࡍ, RP ͸ՄೳͰ͋ Ε͹อཹதͷ Account ͷ Terminate ʹ͍ͭͯ

    Subscriber ʹे෼ͳ ௨஌Λߦ͏͜ͱͱ͠, εέδϡʔϧ͞Εͨ Terminate ͷલʹ Subscriber ʹ Account Λ࠶ΞΫςΟϕʔτ͢ΔΦϓγϣϯΛఏڙ ͢Δ͜ͱͱ͢Δ (SHALL). Terminate Λߦ͏ࡍ͸, RP ͸ RP Subscriber Account ʹؔ࿈͢Δશͯͷ Personal Information Λ࡟ আ͢Δ͜ͱͱ͢Δ (SHALL). ͨͩ͠؂ࠪ΍ηΩϡϦςΟ໨తͰඞཁ ͱ͞ΕΔ৔߹Λআ͘.

  49. Assertion

  50. Assertion Binding

  51. #FBSFS"TTFSUJPO WT "TTFSUJPOX#PVOE"VUIFOUJDBUPS

  52. Assertion Protection

  53. 1. Assertion Identifier 2. Signed Assertion 3. Encrypted Assertion 4.

    Audience Restriction 5. Pairwise Pseudonymous Identifiers

  54. Assertion ʹ Personally Identifiable Information ؚ͕·Ε͔ͭ Assertion ͕ϒϥ΢βͳͲͷதؒऀʹऔΓѻΘΕΔ৔߹, Federation Protocol

    ͸ Assertion Λ҉߸Խ͠ Assertion ʹؚ·ΕΔηϯγςΟϒ ͳ৘ใΛ༧ظͤ͵౰ࣄऀʹ࿙Ӯ͠ͳ͍Α͏อޢ͠ͳ͚Ε͹ͳΒͳ͍ (SHALL).

  55. ঢ়گʹΑͬͯ͸, ڞ௨ͷࣝผࢠΛ༻͍ͯෳ਺ͷ RP ʹ·͕ͨͬͯ Subscriber Account ΛϦϯΫ͢Δ͜ͱΛ๷͍͗ͨ৔߹͕͋Δ. Pairwise Pseudonymous Identifier

    (PPI) ͸, IdP ͕୯Ұͷ Subscriber Account ʹؔͯ͠ҟͳΔ RP ʹҟͳΔ Federated Identifier Λఏڙ͢Δ ͜ͱΛՄೳʹ͢Δ. ͜ΕʹΑΓҟͳΔ RP ͕ڞ๳ͯ͠ Federated Identifier Λ༻͍ͯ Subscriber ΛτϥοΫ͢Δ͜ͱΛ๷ࢭͰ͖Δ. * Pairwise Pseudonymous Identifier = PPI, not PPID

  56. Security

  57. 'FEFSBUJPO5ISFBUT "UUBDLT આ໌ ۩ମྫ "TTFSUJPO.BOVGBDUVSF PS.PEJGJDBUJPO "UUBDLFS͕"TTFSUJPOΛِ଄͢Δ ৵֐͞Εͨ*E1͕ ਖ਼͘͠"VUIFOUJDBUF͞Ε͍ͯͳ͍$MBJNBOUͷ*EFOUJUZΛ ओு͢Δ

    "UUBDLFS͕طଘ"TTFSUJPOΛվ͟Μ͢ Δ ৵֐͞Εͨ1SPYZ͕"VUIFOUJDBUJPO"TTFSUJPOͷ""-Λมߋ͢Δ "TTFSUJPO%JTDMPTVSF "TTFSUJPO͕SEQBSUZʹ࿙Ӯ͢Δ /FUXPSL؂ࢹΛ௨ͯ͡4VCTDSJCFSͷ"EESFTTPG3FDPSE͕෦֎ऀʹ࿙Ӯ͢Δ "TTFSUJPO3FQVEJBUJPO CZUIF*E1 *E1͕ࣄޙʹͳͬͯ5SBOTBDUJPOʹॺ໊͠ ͍ͯͳ͍ͱओு͢Δ Ϣʔβʔ͕31ʹ͓͍ͯෆਖ਼ͳΫϨδοτΧʔυऔҾΛߦͬͨࡍ *E1͕ࣗ਎͸Ϣʔ βʔΛϩάΠϯ͍ͤͯ͞ͳ͍ͱओு͢Δ "TTFSUJPO3FQVEJBUJPO CZUIF4VCTDSJCFS 4VCTDSJCFS͕5SBOTBDUJPOΛ࣮ߦͯ͠ ͍ͳ͍ͱओு͢Δ Ϣʔβʔಉҙ FH ܖ໿ ͕ཤߦෆೳʹͳΔ "TTFSUJPO3FEJSFDU "TTFSUJPO͕૝ఆ͞Ε͍ͯͳ͍ίϯςΩε τͰར༻͞ΕΔ ৵֐͞ΕͨϢʔβʔΤʔδΣϯτ͕"TTFSUJPOΛ"UUBDLFSʹૹ৴͠ "UUBDLFS ͕ͦΕΛผͷ৔ॴͰར༻͢Δ "TTFSUJPO3FVTF "TTFSUJPO͕ಉ͡31ʹରͯ͠ෳ਺ճར༻ ͞ΕΔ ๣ड͞Εͨ"TTFSUJPOΛར༻ͯ͠"UUBDLFS͕ࣗ਎ͷ4FTTJPOΛ"VUIFOUJDBUF ͢Δ "TTFSUJPO4VCTUJUVUJPO "UUBDLFS͕ҟͳΔ4VCTDSJCFS޲͚ͷ "TTFSUJPOΛར༻͢Δ *E1ͱ31ͷؒͰ4FTTJPO)JKBDLJOH"UUBDL͕੒ཱ͢Δ

  58. 'FEFSBUJPO5ISFBU"UUBDL 5ISFBU.JUJHBUJPO.FDIBOJTNT /PSNBUJWF 3FGFSFODF T "TTFSUJPO.BOVGBDUVSFPS .PEJGJDBUJPO *E1͕҉߸࿦తʹ"TTFSUJPOʹॺ໊͠ 31͕ͦΕΛݕূ͢Δ 

     "TTFSUJPOͷૹ৴ʹ*E1Λ"VUIFOUJDBUF͢Δ"VUIFOUJDBUFE1SPUFDUFE$IBOOFMΛར༻͢Δ   "TTFSUJPOʹਪଌෆՄೳͰϥϯμϜͳࣝผࢠΛؚΊΔ  "TTFSUJPO%JTDMPTVSF "TTFSUJPOͷૹ৴ʹ31Λ"VUIFOUJDBUF͢Δ"VUIFOUJDBUFE1SPUFDUFE$IBOOFMΛར༻͢Δ   "TTFSUJPOΛಛఆͷ31ʹ޲͚ͯ҉߸Խ͢Δ ૒ํ޲ͷ"VUIFOUJDBUFE1SPUFDUFE$IBOOFMΛ༻͍ͯ ୡ੒Մೳ  "TTFSUJPO3FQVEJBUJPOCZ UIF*E1 *E1͕/POSFQVEJBUJPO ൱ೝ๷ࢭ Λαϙʔτ͢ΔݤΛ༻͍ͯ҉߸࿦తʹ"TTFSUJPOʹॺ໊͠ 31͕ͦ ΕΛݕূ͢Δ  "TTFSUJPO3FQVEJBUJPOCZ UIF4VCTDSJCFS #PVOE"VUIFOUJDBUPSʹඥͮ͘"TTFSUJPOΛൃߦ͠ #PVOE"VUIFOUJDBUPSͷอ࣋ূ໌ʹΑΓ 4VCTDSJCFS͕31ʹؔ༩͍ͯ͠Δ͜ͱΛݕূ͢Δ  "TTFSUJPO3FEJSFDU "TTFSUJPOൃߦઌͷ31 l"VEJFODFz ͷ*EFOUJUZΛ"TTFSUJPOʹؚΊ 31͕ͦΕΛݕূ͢Δ    "TTFSUJPO3FVTF ୹͍༗ޮظؒͱڞʹൃߦ೔࣌Λ"TTFSUJPOͷॺ໊ର৅ίϯςϯπͱؚͯ͠Ί 31͕ͦΕΛݕূ͢Δ    31͸Ұఆͷઃఆظؒ಺ʹར༻͞Εͨ"TTFSUJPOΛ௥੻͠ ౰֘"TTFSUJPO͕ෳ਺ճΓ༻͞Ε͍ͯͳ͍͜ͱ Λอূ͢Δ  "TTFSUJPO4VCTUJUVUJPO "TTFSUJPO͕"TTFSUJPOཁٻ΁ͷࢀর΍31ͷϦΫΤετʹ҉߸࿦తʹඥ͚ͮΒΕͨͳΜΒ͔ͷ/PODF ΛؚΉ͜ͱΛอূ͢Δ  "TTFSUJPOΛϦΫΤετͱಉ͡"VUIFOUJDBUFE1SPUFDUFE$IBOOFMΛհͯ͠ૹ৴͢Δ#BDL$IBOOFM Ϟσϧ౳͕͜Εʹ͋ͨΔ 

  59. Privacy

  60. 1. Minimizing Tracking and Profiling 2. Notice and Consent 3.

    Data Minimization 4. Agency-Specific Privacy Compliance 5. Blinding in Proxied Federation

  61. [NISTIR 8062] ΑΓ: ݸਓ, ॴ༗ऀ, ࣄۀऀʹ ରͯ͠, PII ͓Αͼ PII

    ʹରͯ͠৘ใγες Ϝ͕ߦ͏ Processing ʹؔ͢Δ৴པੑͷߴ ͍ԾఆΛՄೳͱ͢Δ͜ͱ. Predictability [NISTIR 8062] NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

  62. [NISTIR 8062] ΑΓ: ݸਓΛಛఆͰ͖Δ৘ใ ͷมߋ, ࡟আ, બ୒తͳ։ࣔΛؚΉ, ͖Ίࡉ ͔͍؅ཧػೳΛఏڙ͢Δ͜ͱ. Manageability

    [NISTIR 8062] NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

  63. [NISTIR 8062] ΑΓ: γεςϜͷӡ༻্ͷඞ ཁੑΛ௒͑ͯݸਓ·ͨ͸σόΠεʹؔ࿈෇ ͚Δ͜ͱͳ͘ߦΘΕΔ, PII ·ͨ͸Πϕϯτ ͷ Processing.

    Disassociability [NISTIR 8062] NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

  64. Proxy Type RP knows IdP IdP knows RP Proxy can

    track subscriptions between RP and IdP Proxy can see attributes of Subscriber Non-Blinding Proxy with Attributes Yes Yes Yes Yes Non-Blinding Proxy Yes Yes Yes N/A Double Blind Proxy with Attributes No No Yes Yes Double Blind Proxy No No Yes N/A Triple Blind Proxy with or without Attributes No No No No Blinding in Proxied Federation

  65. Triple Blind Proxy Ͱ͸, Proxy ͸ࣗ਎Λ௨ա͢ΔσʔλΛݟΔ͜ͱ΋ Ͱ͖ͳ͘ͳΔ. Blinding ͷϨϕϧ্͕͕ΔʹͭΕ, ٕज़త͓Αͼӡ༻্

    ͷ࣮૷ෳࡶ౓΋্ঢ͠͏Δ. Proxy ͸ Transaction Λ͍ͣΕ͔ͷଆͷద ੾ͳ౰ࣄऀʹϚοϐϯά͠, Transaction ಺ͷશͯͷ౰ࣄऀͷ伴Λ؅ཧ ͢Δඞཁ͕͋ΔͨΊ, ׬શͳ Triple Blind Proxy ͷ࣮૷͸࣮ࡍʹ͸ඇৗ ʹࠔ೉Ͱ͋Δ.

  66. Usability …skip

  67. Equity …skip

  68. Examples (SAML, Kerberos, OIDC) …skip

  69. Q&A