FICAM Profile, OAUTH2 & 800-63 (3A)

Convener: Matt Tebo

Notes-taker(s): Ross Foard

Tags for the session - technology discussed/ideas considered:

Discussion of NIST SP800-63 and OAuth and their relationship

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

We are going to talk about assertions, using the 800-63 assertion definition. The 800-63 topics covered:
 * 800-63 and OAuth
 * Registration/Issuance
 * Tokens
 * Credential Management
 * Authentication
 * Assertion

Assertions are statements from a verifier (IdP) to an RP that contain information about a subscriber. They may include identification and AuthN statements as well as attributes.

800-63 LOA Threats

1. Assertion Manufacture/Modification
 * a. Threat - Bogus assertion or modified real one
 * b. Mitigation - DSIG or TLS
2. Assertion Re-Use
 * a. Threat -
 * b. Mitigation - Timestamp, Validity Period
3. Secondary Authenticator Manufacture (= AuthZ code)
 * a. Threat - Attacker generates a secondary authenticator and impersonates the user
 * b. Mitigation - Entropy, DSIG, Client Auth

Discussion:
 * OAuth does not have the identity of a user in any form, although it does provide a "consent" assertion. Any identity-based assertion must use a separate protocol or mechanism.
 * Facebook Connect is a proprietary version of OpenID Connect; it is a predecessor to.
 * There is no standard for the identity portion of OpenID Connect in OAuth.
 * Parts of OAuth 1.0 were trying to solve the 3-legged authorization problem with a single solution. OAuth 2 made a specific decision to not be backward compatible with OAuth 1.0.
 * Because of the difficulty of normalizing the signing part of authentication, OAuth 2 normalized on SSL to broaden the audience of devices.
 * Facebook has a signed authentication token in Facebook Connect.
 * We could profile an implementer's draft of OpenID Connect.
 * User experience compliance and constraints need to be part of the profile to ensure control is exercised as desired by the profiler.
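The three threat/mitigation pairs above, worked through as an added example that is not from the session, from 800-63, or from any OAuth/OpenID Connect implementation. It assumes an HMAC-SHA256 tag over a JSON payload as a stand-in for the DSIG/TLS integrity protection (an assumption of the example, not what the session prescribes), a constructed demo key, and the field names `sub`, `aud`, `iat`, `exp` and `jti`, which are the example's own choice. The RP-side verifier rejects a modified assertion (threat 1), an assertion outside its validity period or presented twice (threat 2), and the authorization-code store issues codes with 256 bits of entropy, binds each to one client, and requires client authentication on redemption (threat 3).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key: a real IdP would hold a private signing key (DSIG)
# or rely on the TLS channel; HMAC is used here only to keep the example short.
IDP_KEY = b"constructed-demo-idp-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(subject, audience, key=IDP_KEY, now=None, lifetime=300):
    """IdP side: build 'body.signature' with a validity period and a unique id."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "aud": audience, "iat": now,
               "exp": now + lifetime, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def modify_subject(token, new_subject):
    """Rewrites the payload but keeps the old signature: the 'modified real one'
    case of threat 1, used only to show that verification rejects it."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["sub"] = new_subject
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig


class AssertionVerifier:
    """RP side: signature check (threat 1), validity window and replay check (threat 2)."""

    def __init__(self, key, audience):
        self.key, self.audience = key, audience
        self.seen_ids = set()          # jti values already accepted

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "bad signature"            # threat 1: bogus or modified
        payload = json.loads(_unb64(body))
        if payload.get("aud") != self.audience:
            return None, "wrong audience"
        if not (payload["iat"] <= now < payload["exp"]):
            return None, "outside validity period"  # threat 2: timestamp / validity
        if payload["jti"] in self.seen_ids:
            return None, "replayed"                 # threat 2: re-use of a valid one
        self.seen_ids.add(payload["jti"])
        return payload, "ok"


class AuthzCodeStore:
    """Authorization server side for threat 3: high-entropy, single-use codes
    bound to one client, redeemable only with client authentication."""

    def __init__(self, clients):
        self.clients = clients          # client_id -> client_secret (constructed)
        self.codes = {}

    def issue(self, client_id, subject, now=None, lifetime=60):
        now = int(time.time()) if now is None else now
        code = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable
        self.codes[code] = {"client_id": client_id, "sub": subject, "exp": now + lifetime}
        return code

    def redeem(self, code, client_id, client_secret, now=None):
        now = int(time.time()) if now is None else now
        record = self.codes.pop(code, None)        # single use, whatever the outcome
        if record is None:
            return None, "unknown or already used code"
        if record["exp"] <= now:
            return None, "expired"
        if record["client_id"] != client_id:
            return None, "code issued to different client"
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None, "client authentication failed"
        return record["sub"], "ok"


if __name__ == "__main__":
    verifier = AssertionVerifier(IDP_KEY, "rp.example")
    token = issue_assertion("alice", "rp.example")
    print(verifier.verify(token)[1])                              # ok
    print(verifier.verify(token)[1])                              # replayed
    print(verifier.verify(modify_subject(token, "mallory"))[1])   # bad signature
    store = AuthzCodeStore({"client-a": "secret-a"})
    code = store.issue("client-a", "alice")
    print(store.redeem(code, "client-a", "secret-a"))             # ('alice', 'ok')
```

The verifier keeps `seen_ids` in memory only for as long as the validity period makes a replay possible in principle; a production RP would persist it with an expiry equal to the assertion lifetime, which is why the timestamp and the unique id work together rather than as alternatives.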