Security Standards

Security Standards - what and why #

PKI #

Problem Addressed (from 1980s?): How can I be sure that a public key offered for use in asymmetric encryption actually belongs to the person it claims to be from?

SAML - Security Assertion Markup Language #

Problem Addressed (from 2001): too many standards for exchanging authentication and authorization information. Developed by the OASIS Security Services Technical Committee (SSTC); SAML 1 was announced in November 2002.

WS-Security #

Problem (from 2001): Lack of formal security standards in web-services specifications

WS-SX - WS-Secure Exchange #

Problem: Lack of standards for inter-operation of web services

Formed in October 2005 as the OASIS Web Services Secure Exchange (WS-SX) TC (see the TC page and mailing lists at oasis-open.org).

WS-Trust Secure Token Service #

Defines extensions that build on WS-Security to provide a framework for requesting and issuing security tokens, and to broker trust relationships

Open ID #

Problem Addressed (from 2005): users managing too many separate credentials for different websites, and websites each responsible for implementing their own authentication.

Provided a way for identity providers to authenticate users and assert that identity to relying parties (websites). A large number of providers were set up originally, but this has since consolidated. Key providers now are Google and Microsoft (and Facebook and Twitter?).

Open ID Connect #

Open ID Connect (OIDC) was published in February 2014 as the 3rd generation of Open ID technology, building on the OAuth 2 authorization framework, using more recent protocols.

OAuth #

Problem (from 2006): Twitter needed a way to share identity information with relying parties who were using Twitter as an Open ID provider to authenticate users.

From the start of the IETF minutes in 2008: “The primary problem oauth solves is delegating access to resources held at a service provider to consumers of a resource under the control of a user. Typically today, this is done using passwords. However as sites adopt other authentication mechanisms, they may not have a password to give out. Oauth arose to solve this need.”

OAuth2 #

Problem (from 2013): a number of new threats emerged from how access delegation was implemented, and a wider variety of use cases needed to be supported.

FOAF #

Friend of a Friend - semantic web standard for describing people and social networks.