
NIST SP800-63C (rev.4) Federation & Assertions - OpenID BizDay #16

Nov Matake

March 16, 2023

Transcript

  1. Assertion: A statement sent from the Verifier to the Relying Party (RP) that contains identity information about the Subscriber. An Assertion may also contain verified Attributes.
  2. Relying Party (RP): An entity that relies on the Verifier's Assertion about the Subscriber's identity, typically to process a Transaction or to grant access to information or a system.
  3. RP Subscriber Account: It is common for an RP to keep a Subscriber record locally at the RP; this record is called the RP Subscriber Account. The RP Subscriber Account holds things such as the access rights the Subscriber has at the RP and a cache of the Subscriber's identity Attributes.
  4. Cryptographic Verifiability: An Assertion presented in the Federation Protocol must be traceable to the specific IdP that issued it, and that relationship must be verifiable through a cryptographic mechanism such as a Digital Signature or a MAC. The RP must also be able to verify that the Assertion has not been modified or forged. This is required at every FAL.
  5. Audience Restriction: An Assertion presented in the Federation Protocol must be directed at a specific RP, and that RP must be able to verify the Assertion's Audience. This is required at every FAL.
  6. Trust Agreement: The IdP and the RP both agree to take part in the Federation Transaction in order to log the Subscriber in to the RP. This can be a static agreement made in advance between the two parties, or the parties can be deemed to have agreed implicitly by engaging in the connection.
  7. The Trust Agreement SHALL establish the following parameters:
     • the list of Attributes the IdP can release to the RP
     • the population of Subscriber Accounts for which the IdP can generate Assertions
     • the list of Attributes the RP requests (a subset of the list the IdP can release to the RP)
     • the purpose for which the RP uses each requested Attribute
     • the Authorized Party responsible for the decision to release Subscriber Attributes
     • the means by which the Subscriber learns which Attributes are released to the RP
     • the xALs the IdP can provide
     • the xALs the RP requires
  8. Registration: The IdP and the RP exchange their identifiers and key material with each other, so that these can be used to verify Assertions and Artifacts in subsequent Federation Transactions.
  9. Presentation: The Assertion is presented to the RP either on its own (as a Bearer Assertion) or bound to an Authenticator that the Subscriber presents.
  10. Presentation models: Back-channel Presentation and Front-channel Presentation. Bearer Assertion vs. Assertion with Bound Authenticator: note that the Bound Authenticator is defined in the draft under "Binding", not under "Presentation".
  11. Federation Assurance Level (FAL) requirements summary:

      FAL    Injection Protection   Trust Agreement     Registration        Presentation
      FAL1   Recommended            Dynamic or Static   Dynamic or Static   Bearer Assertion
      FAL2   Required               Static              Dynamic or Static   Bearer Assertion
      FAL3   Required               Static              Static              Assertion and Bound Authenticator
  12. At FAL1, the Assertion generated by the IdP SHALL meet the core requirements of Sec. 6. These include protection against modification and forgery of the Assertion by an Attacker, achieved by having the IdP sign the Assertion contents using Approved Cryptography. On receiving an Assertion, the RP SHALL validate its origin and integrity as described in Sec. 6 and ensure that it originated from the expected source.
  13. Every Assertion SHALL include the following Attributes:
      1. Subject Identifier: identifier of the party the Assertion refers to (i.e., the Subscriber)
      2. Issuer Identifier: identifier of the Assertion issuer (i.e., the IdP)
      3. Audience Identifier: identifier of the party intended to consume the Assertion (i.e., the RP)
      4. Issuance Time: timestamp of when the IdP issued the Assertion
      5. Validity Time Window: the period outside of which the RP SHALL NOT accept the Assertion as valid for authenticating the Subscriber. This is usually conveyed as an expiration timestamp alongside the issuance timestamp.
      6. Assertion Identifier: a value that uniquely identifies this Assertion, used to prevent an attacker from replaying an earlier Assertion
      7. Signature: a Digital Signature or Message Authentication Code (MAC) covering the entire Assertion, including the identifier of the key or the Public Key associated with the IdP
      8. Authentication Time: timestamp of when the IdP last confirmed the Subscriber's presence, through a direct Authentication event where possible
      9. IAL: the IAL of the Subscriber Account the Assertion refers to, or a value indicating that no IAL is asserted
      10. AAL: the AAL at which the IdP authenticated the Subscriber, or a value indicating that no AAL is asserted
      11. FAL: the FAL the IdP intends for the Federation process the Assertion refers to
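As an added example (not code from the slides or from NIST), the following Python issues a MAC-protected assertion carrying these eleven attributes and performs the RP-side checks in the order a practitioner should: verify the MAC before trusting any claim, then issuer, audience restriction, validity window, and a replay cache keyed on the assertion identifier. The JWT-style claim names (iss, sub, aud, iat, exp, jti, auth_time), the key identifier, the issuer and RP URLs and the key bytes are constructed assumptions; the slide prescribes the attributes, not a wire format.

```python
"""Issue and validate a MAC-protected assertion with the eleven required attributes.

Added example; claim names, URLs and key material are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

# JWT-style names chosen here for the slide's attributes 1-6 and 8-11; the
# signature (attribute 7) is the third token segment and carries its key id.
REQUIRED_CLAIMS = ("sub", "iss", "aud", "iat", "exp", "jti", "auth_time", "ial", "aal", "fal")


class InvalidAssertion(Exception):
    """Raised by the RP when any core check fails."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key_id, key, issuer, subject, audience, auth_time, now,
                    lifetime=120, ial=1, aal=2, fal=1):
    """IdP side: build the claims, then MAC header+payload under the IdP key."""
    claims = {
        "sub": subject,                      # 1. subject identifier
        "iss": issuer,                       # 2. issuer identifier
        "aud": audience,                     # 3. audience (string or list)
        "iat": now,                          # 4. issuance time
        "exp": now + lifetime,               # 5. validity window as expiry
        "jti": secrets.token_urlsafe(16),    # 6. unguessable assertion id
        "auth_time": auth_time,              # 8. last direct authentication
        "ial": ial, "aal": aal, "fal": fal,  # 9-11
    }
    header = {"alg": "HS256", "kid": key_id}  # 7. key identifier rides with the MAC
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def validate_assertion(token, keys, expected_issuer, rp_id, now, seen_ids, max_skew=30):
    """RP side. The MAC is checked before any claim is read."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidAssertion("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        tag = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidAssertion("malformed header or signature")
    kid = header.get("kid") if isinstance(header, dict) else None
    if header.get("alg") != "HS256" or not isinstance(kid, str) or kid not in keys:
        raise InvalidAssertion("unknown key id or algorithm")
    expected = hmac.new(keys[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise InvalidAssertion("signature check failed")        # manufacture / modification
    claims = json.loads(_b64url_decode(p64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise InvalidAssertion(f"missing claims: {missing}")
    if claims["iss"] != expected_issuer:
        raise InvalidAssertion("unexpected issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if rp_id not in aud:
        raise InvalidAssertion("audience restriction failed")   # redirect
    if claims["iat"] > now + max_skew:
        raise InvalidAssertion("issued in the future")
    if now >= claims["exp"]:
        raise InvalidAssertion("outside validity window")
    if claims["jti"] in seen_ids:
        raise InvalidAssertion("assertion replayed")            # reuse
    seen_ids[claims["jti"]] = claims["exp"]   # remember it until it would expire anyway
    return claims


def prune_seen(seen_ids, now):
    """Drop replay-cache entries whose assertion could no longer be accepted."""
    for jti in [j for j, exp in seen_ids.items() if exp <= now]:
        del seen_ids[jti]
    return len(seen_ids)
```

The replay cache only needs to hold identifiers for as long as the validity window, which is why each entry stores the expiry and is pruned afterwards. A MAC satisfies item 7 of the slide, but a MAC key shared with the RP lets the RP forge assertions; the FAL requirement that no holder of the assertion can impersonate the IdP therefore points to a digital signature with an IdP-held private key in a real deployment. HMAC is used here only to keep the example standard-library-only.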
  14. All Assertions at FAL1 SHALL be Audience Restricted to a specific RP (or set of RPs), and the RP SHALL verify that it is included in the Assertion's Audience. The IdP SHALL protect the Assertion using signatures and keys based on Approved Cryptography, such that no holder of the Assertion, including the RP, can impersonate the IdP. (omitted)
  15. At FAL2, the Assertion SHALL be strongly protected from Injection Attacks by an Attacker. To meet this requirement, the Assertion SHOULD be presented (omitted) over the Back-Channel. In this presentation model the RP fetches the Assertion directly from the IdP using a one-time Assertion Reference, so an Attacker cannot inject an Assertion through an external access point. With Front-Channel presentation as in Sec. 7.2, the RP SHALL implement additional Injection Protection.
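To show the back-channel flow end to end, here is an added example (not from the slides or from NIST) that simulates both sides in-process: the IdP mints a one-time Assertion Reference bound to the requesting RP, the RP redeems it over a channel on which it authenticates with a client secret fixed at Registration, and the RP additionally ties the callback to the browser session that started the transaction through a state value (the injection protection the slide asks for on any front-channel leg). The transport, client secrets, identifiers and session handling are constructed assumptions, and the assertion is treated as an opaque dict; signature and claim validation are a separate step.

```python
"""Back-channel presentation with a one-time assertion reference.

Added example; both parties run in-process and all identifiers, secrets and
session values are constructed assumptions.
"""
import secrets


class IdP:
    def __init__(self, registered_rps):
        self._rps = dict(registered_rps)  # rp_id -> client secret, fixed at Registration
        self._pending = {}                # reference -> (assertion, rp_id, expires_at)

    def start_login(self, subject, rp_id, now, ttl=60):
        """Front-channel step: after authenticating the subscriber, mint a one-time
        reference that travels through the browser instead of the assertion itself."""
        if rp_id not in self._rps:
            raise PermissionError("unregistered RP")
        ref = secrets.token_urlsafe(32)   # unguessable, so it cannot be forged
        assertion = {"sub": subject, "aud": rp_id, "iat": now}
        self._pending[ref] = (assertion, rp_id, now + ttl)
        return ref

    def redeem(self, ref, rp_id, client_secret, now):
        """Back-channel step: the RP authenticates itself and exchanges the reference
        for the assertion. The reference is consumed on first use, even if a later
        check fails, so a second attempt can never succeed."""
        if not secrets.compare_digest(self._rps.get(rp_id, ""), client_secret):
            raise PermissionError("RP authentication failed")
        entry = self._pending.pop(ref, None)
        if entry is None:
            raise LookupError("unknown or already-used reference")
        assertion, bound_rp, expires_at = entry
        if bound_rp != rp_id:
            raise PermissionError("reference was issued for a different RP")
        if now >= expires_at:
            raise TimeoutError("reference expired")
        return assertion


class RP:
    def __init__(self, rp_id, client_secret, idp):
        self.rp_id, self._secret, self._idp = rp_id, client_secret, idp
        self._sessions = {}  # state -> browser session that started the transaction

    def begin(self, session_id):
        state = secrets.token_urlsafe(16)
        self._sessions[state] = session_id
        return state  # sent to the IdP and echoed back on the callback

    def callback(self, session_id, state, ref, now):
        # Injection protection: a reference is only accepted inside the browser
        # session that started this transaction, and the state is single-use.
        if self._sessions.pop(state, None) != session_id:
            raise PermissionError("state does not match this session")
        assertion = self._idp.redeem(ref, self.rp_id, self._secret, now)
        if assertion["aud"] != self.rp_id:
            raise PermissionError("audience mismatch")
        return assertion


def run_demo():
    """Exercise the happy path and the three failure modes the design must defeat."""
    now = 1_700_000_000
    idp = IdP({"https://rp.example": "rp-secret-1", "https://other.example": "rp-secret-2"})
    rp = RP("https://rp.example", "rp-secret-1", idp)
    outcomes = {}

    state = rp.begin("browser-session-A")
    ref = idp.start_login("user-123", "https://rp.example", now)
    outcomes["first_redeem"] = rp.callback("browser-session-A", state, ref, now)["sub"]

    try:  # the same reference presented again
        idp.redeem(ref, "https://rp.example", "rp-secret-1", now)
        outcomes["second_redeem"] = "accepted"
    except LookupError:
        outcomes["second_redeem"] = "rejected"

    attacker_ref = idp.start_login("attacker", "https://rp.example", now)
    try:  # attacker pushes their own reference into a victim's session (login CSRF)
        rp.callback("browser-session-victim", "guessed-state", attacker_ref, now)
        outcomes["injected"] = "accepted"
    except PermissionError:
        outcomes["injected"] = "rejected"

    ref2 = idp.start_login("user-123", "https://other.example", now)
    try:  # a reference minted for another RP, redeemed with this RP's credential
        idp.redeem(ref2, "https://rp.example", "rp-secret-1", now)
        outcomes["cross_rp"] = "accepted"
    except PermissionError:
        outcomes["cross_rp"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the security argument: the reference is popped from the pending table before any other check, so a failed redemption burns it rather than leaving it available for a retry, and the RP's own state check runs before the back-channel call, so an injected reference never reaches the IdP under the RP's credential.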
  16. At FAL2, the Trust Agreement between the IdP and the RP SHALL be established statically. This includes establishing limits on which Attributes may be presented to the RP and on the purposes of their use. The Trust Agreement MAY be established bilaterally between the IdP and the RP, or MAY be established through a multilateral Federation partnership. Registration MAY be dynamic as long as the RP and the IdP can prove at runtime that a Trust Agreement has already been established. How that proof is made varies by Federation Protocol; examples include presenting a Software Attestation or proving control over a URL in a trusted domain.
  17. At FAL3, the Subscriber SHALL authenticate by presenting an Authenticator directly to the RP in addition to the Assertion. The Authenticator used here is called a Bound Authenticator and is described later in Sec. 6.1.2. (omitted) FAL3 is not achieved until the Subscriber has authenticated with the Bound Authenticator and the RP has verified that the Authenticator is correctly bound to the RP Subscriber Account the Assertion refers to.
  18. At FAL3, the Trust Agreement and the Registration between the IdP and the RP SHALL be established statically. For all parties, the key material used for identification and the Federation parameters (including the list of Attributes sent to the RP) SHALL be fixed before the federated Authentication process takes place. Decisions MAY still be made dynamically to further limit what is sent during the federated Authentication process (e.g., choosing not to release an Email Address even though it is among the parameters agreed in the Trust Agreement).
  19. When Attributes of a Subscriber Account that the IdP has provided to an RP are updated, the IdP SHOULD send a signal to the RP. This can be done through Shared Signaling (Sec. 5.7), through the Provisioning API (Sec. 5.4.3), or by including the signal in an Assertion.
  20. When a Subscriber Account is terminated, or the Subscriber Account's access to an RP is revoked, the IdP SHOULD send a signal to the RP. (omitted) On receiving this signal, the RP SHALL terminate the RP Subscriber Account and delete all personal information associated with it, except where retention is required for audit or security purposes.
  21. The IdP MAY send a signal when changes such as the following occur on a Subscriber Account:
      • the Account has been terminated
      • the Account is suspected of having been compromised
      • an Attribute of the Account has changed, in particular an identifier other than the Federated Identifier (Email Address, Certificate CN, etc.)
      • the range of IAL, AAL or FAL that can apply to the Account has changed
  22. Over time, RP Subscriber Accounts that are no longer accessed from the IdP can accumulate. This creates a risk for the RP, which retains Personal Information in those RP Subscriber Accounts. In particular, in a Just-in-time Provisioning model the IdP cannot signal through Shared Signaling (Sec. 5.7) that a Subscriber Account has been terminated. Under such conditions the RP SHOULD use a time-based mechanism to identify and terminate RP Subscriber Accounts that have not been accessed for a set period (e.g., 120 days since the last access).
  23. When handling such inactive Accounts, the RP SHALL, where possible, give the Subscriber sufficient notice of the pending termination of the Account and offer the Subscriber the option to reactivate the Account before the scheduled termination. On termination, the RP SHALL delete all Personal Information associated with the RP Subscriber Account, except where retention is required for audit or security purposes.
  24. Assertion requirements covered next: 1. Assertion Identifier 2. Signed Assertion 3. Encrypted Assertion 4. Audience Restriction 5. Pairwise Pseudonymous Identifiers
  25. If an Assertion contains Personally Identifiable Information and is handled by an intermediary such as a browser, the Federation Protocol SHALL encrypt the Assertion so that the sensitive information it contains is protected from leaking to unintended parties.
  26. Pairwise Pseudonymous Identifier (PPI): In some situations it is desirable to prevent Subscriber Accounts from being linked across multiple RPs through a common identifier. A PPI lets the IdP provide a different Federated Identifier to each RP for the same Subscriber Account, which prevents different RPs from colluding to track the Subscriber by comparing Federated Identifiers. (* The abbreviation is PPI, not PPID.)
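One common way an IdP derives such identifiers, given here as an added example (not from the slides or from NIST), is a keyed hash over the RP's sector and the internal subject identifier: stable for one RP, different across RPs, and not invertible without the IdP's secret. The sector-from-redirect-URI rule follows the OpenID Connect pairwise convention; the secret, the subject identifier and the RP records are constructed assumptions, as is the `mode` switch that models the trust agreement choosing between a public and a pairwise identifier.

```python
"""Pairwise pseudonymous identifier derivation for an IdP.

Added example; the secret, subject ids and RP records are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def sector_identifier(redirect_uri: str) -> str:
    """The sector is the host of the RP's registered redirect URI, so several
    redirect URIs on one host (one RP) share an identifier."""
    host = urlparse(redirect_uri).hostname
    if not host:
        raise ValueError("redirect URI has no host")
    return host.lower()


def pairwise_identifier(idp_secret: bytes, subject_id: str, sector: str) -> str:
    """HMAC keyed with an IdP-held secret; the NUL separator keeps
    (sector, subject) pairs from colliding when concatenated."""
    mac = hmac.new(idp_secret, f"{sector}\x00{subject_id}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def federated_identifier(idp_secret: bytes, subject_id: str, rp: dict, mode: str = "pairwise") -> str:
    """mode models the trust agreement: 'public' hands every RP the same
    identifier (linkable), 'pairwise' hands each sector its own."""
    if mode == "public":
        return subject_id
    if mode == "pairwise":
        return pairwise_identifier(idp_secret, subject_id, sector_identifier(rp["redirect_uri"]))
    raise ValueError(f"unknown identifier mode: {mode}")
```

Because the derivation is deterministic, the IdP need not store a mapping table, but rotating the secret changes every identifier at every RP, so the secret must be treated as long-lived key material in the same way as the signing key.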
  27. Federation Threats / Attacks
      Assertion Manufacture or Modification
        Description: the Attacker forges an Assertion; or the Attacker modifies an existing Assertion.
        Examples: a compromised IdP asserts the identity of a Claimant who has not been properly authenticated; a compromised Proxy changes the AAL in an Authentication Assertion.
      Assertion Disclosure
        Description: the Assertion is leaked to a third party.
        Example: network monitoring reveals the Subscriber's Address of Record to an outsider.
      Assertion Repudiation by the IdP
        Description: the IdP later claims it did not sign the Transaction.
        Example: a user makes a fraudulent credit-card transaction at the RP, and the IdP claims it never logged that user in.
      Assertion Repudiation by the Subscriber
        Description: the Subscriber claims not to have performed the Transaction.
        Example: a user agreement (e.g., a contract) becomes unenforceable.
      Assertion Redirect
        Description: the Assertion is used in a context it was not intended for.
        Example: a compromised user agent sends the Assertion to an Attacker, who uses it elsewhere.
      Assertion Reuse
        Description: the Assertion is used more than once at the same RP.
        Example: an intercepted Assertion is used by an Attacker to authenticate their own session.
      Assertion Substitution
        Description: the Attacker uses an Assertion intended for a different Subscriber.
        Example: a Session Hijacking attack succeeds between the IdP and the RP.
  28. Federation Threat / Attack and Threat Mitigation Mechanisms
      Assertion Manufacture or Modification: the IdP cryptographically signs the Assertion and the RP verifies it; the Assertion is sent over an Authenticated Protected Channel that authenticates the IdP; the Assertion contains an unguessable random identifier.
      Assertion Disclosure: the Assertion is sent over an Authenticated Protected Channel that authenticates the RP; the Assertion is encrypted for the specific RP (achievable with a mutually Authenticated Protected Channel).
      Assertion Repudiation by the IdP: the IdP cryptographically signs the Assertion with a key that supports non-repudiation, and the RP verifies it.
      Assertion Repudiation by the Subscriber: the Assertion is issued tied to a Bound Authenticator, and proof of possession of the Bound Authenticator verifies that the Subscriber is involved with the RP.
      Assertion Redirect: the identity of the RP the Assertion is issued for (the "Audience") is included in the Assertion, and the RP verifies it.
      Assertion Reuse: the issuance time is included in the signed content of the Assertion together with a short validity period, and the RP verifies it; the RP tracks Assertions used within a configured period and ensures the same Assertion is not used more than once.
      Assertion Substitution: ensure the Assertion includes a reference to the Assertion request or some other nonce cryptographically bound to the RP's request; send the Assertion over the same Authenticated Protected Channel as the request (as in the Back-Channel model).
  29. Privacy considerations: 1. Minimizing Tracking and Profiling 2. Notice and Consent 3. Data Minimization 4. Agency-Specific Privacy Compliance 5. Blinding in Proxied Federation
  30. Predictability (from [NISTIR 8062]): enabling reliable assumptions by individuals, owners and operators about PII and its processing by an information system. [NISTIR 8062] NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems
  31. Manageability (from [NISTIR 8062]): providing the capability for granular administration of personally identifiable information, including alteration, deletion and selective disclosure.
  32. Disassociability (from [NISTIR 8062]): processing of PII or events without association to individuals or devices beyond the operational requirements of the system.
  33. Blinding in Proxied Federation

      Proxy Type                                      RP knows IdP   IdP knows RP   Proxy can track subscriptions between RP and IdP   Proxy can see attributes of Subscriber
      Non-Blinding Proxy with Attributes              Yes            Yes            Yes                                                Yes
      Non-Blinding Proxy                              Yes            Yes            Yes                                                N/A
      Double Blind Proxy with Attributes              No             No             Yes                                                Yes
      Double Blind Proxy                              No             No             Yes                                                N/A
      Triple Blind Proxy with or without Attributes   No             No             No                                                 No
  34. With a Triple Blind Proxy, the Proxy itself can no longer see the data passing through it. As the level of blinding rises, the technical and operational complexity of the implementation can rise with it. Because the Proxy has to map each Transaction to the correct party on either side and manage the keys of every party in the Transaction, implementing a fully Triple Blind Proxy is very difficult in practice.
  35. Q&A