A Privacy Perspective

Michael Hanson
Dan Mills
Lloyd Hilaiel
Shane Tomlinson
Ben Adida

better web login
with strong privacy protection

vision

simple for users and developers
strong support for multiple personas
decentralized, no lock-in
privacy-protecting

players

role of the browser

without browser, identity provider involved in login transaction.
like a driver's license where, every time you check into a hotel, they call the state to verify.

email addresses

johnny@identity.org

distributed — domains certify their users
intuitive — emails are natural personas
pseudonyms and self-hosting
addressable — proven need for sites
no lock-in — recover by emailing the user

Quick Demo

flow — certify

flow — login

key duration

device loss/compromise: revocation?
binding a user to a key: non-repudiation?
limit chance of information leak
just enough to transfer authority to user
just enough to keep IdP out of login dance

architecture goal

secondary authorities

javascript implementation

verifier service

so... what's the point?

the RPs stay the same

navigator.id.getVerifiedEmail(...);

the IdPs stay the same

navigator.id.registerVerifiedEmail(...);

scaffolding
HDTV rollout: first get the TVs out with the capability, then upgrade programming.

summary

the browser plays a crucial role
email addresses are ideal identifiers
signatures keep login dance private
short-term keys reduce fingerprinting risk
scaffolding for distributed architecture