Embed Size (px)
DESCRIPTION
Bob Blakely, Global Head of Information Security, Citi Group Larry Lessig argued in “Code (And Other Laws of Cyberspace)” that computer program code can create a place of freedom or a place of oppressive control. In this session, Bob Blakely argues that the code of logon and registration interfaces creates a power imbalance in which organizational interests override individual interests—and that this imbalance can be reduced or eliminated by making one small change in the code of those interfaces.
Citation preview
WHAT IF IDENTITY WERE PASS-BY-REFERENCE?
WHAT IF IDENTITY WERE PASS-BY-REFERENCE?
A drama in text messages
HI, I'M BOB
I'M IN THE DRAMA DEPARTMENT
I'M IN THE DRAMA DEPARTMENT
At Citibank
WATCH THIS.
SHORT ATTENTION SPAN SUMMARY
SHORT ATTENTION SPAN SUMMARY
Passing a pointer to your identity is a better idea
than passing your identity
TELL ME MORE...
TELL ME MORE...I hear you cry
TEXTING THE CAR DEALER
I'd like a car
I'd like a car
I have a Cadillac STS for $32,000
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
OK, but you'll have to get the LE package with 4
cylinders
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
OK, but you'll have to get the LE package with 4
cylindersOK. I'll take the red one. I'd like to finance over 4 years
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
OK, but you'll have to get the LE package with 4
cylindersOK. I'll take the red one. I'd like to finance over 4 years
That loan is at 6.25%
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
OK, but you'll have to get the LE package with 4
cylindersOK. I'll take the red one. I'd like to finance over 4 years
That loan is at 6.25%
I want 5.5%
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
OK, but you'll have to get the LE package with 4
cylindersOK. I'll take the red one. I'd like to finance over 4 years
That loan is at 6.25%
I want 5.5%I can do that
TEXTING THE CAR DEALER
TEXTING THE CAR DEALERIf Identity Architects sold cars
I'd like a car
I'd like a car
That will be $52,000
I'd like a car
That will be $52,000Here you go
I'd like a car
That will be $52,000Here you go
Here's your white Ford Escort.
I'd like a car
That will be $52,000Here you go
Here's your white Ford Escort.
It comes with a vinyl wrap advertising The Gap.
I'd like a car
That will be $52,000Here you go
Here's your white Ford Escort.
It comes with a vinyl wrap advertising The Gap.
And the radio plays Fox News
YOU THINK I'M BEING MEAN
YOU THINK I'M BEING MEAN
DON'T YOU?
I'd like a social media account
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
Here you go
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
Here you goHere's your account.
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
Here you goHere's your account.
You want cheap Viagra?
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
Here you goHere's your account.
You want cheap Viagra?
You'll be hearing from the FISA Court
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
Here you goHere's your account.
You want cheap Viagra?
You'll be hearing from the FISA Court
But you didn't hear that from me. Tell them Snowden told you.
I'd like a social media account
Send me your name, email, SSN, Credit Card, and phone
Here you goHere's your account.
You want cheap Viagra?
You'll be hearing from the FISA Court
But you didn't hear that from me. Tell them Snowden told you.
Seriously.
WHAT DOES THE CAR DEALER KNOW...
WHAT DOES THE CAR DEALER KNOW...
THAT THE IDENTITY ARCHITECT DOESN'T?
I'd like a car
I have a Cadillac STS for $32,000
I like the STS, but I'm only willing to pay $27,000
OK, but you'll have to get the LE package with 4
cylindersOK. I'll take the red one. I'd like to finance over 4 years
That loan is at 6.25%
I want 5.5%I can do that
WHAT DOES THE CAR DEALER KNOW...
THAT THE IDENTITY ARCHITECT DOESN'T?
The car dealer knows how to deal with counteroffers
TEXTING THE SERVICE PROVIDER
TEXTING THE SERVICE PROVIDER
If Identity Architects understood counteroffers
Identify me. Use this @address and this #token
Identify me. Use this @address and this #token
OK. Hang on
Identify me. Use this @address and this #token
OK. Hang on
...
Hey @address! Some dude says you can identify him
using this #token
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPR
WAIT, WHAT?
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #address
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #addressWhat will you use it for?
LIKE, ZOMG, RIGHT?
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #addressWhat will you use it for?
FedEx. And Viagra ads.
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #addressWhat will you use it for?
FedEx. And Viagra ads.That'll be $50
MIND. BLOWN.
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #addressWhat will you use it for?
FedEx. And Viagra ads.That'll be $50
Whoa. Just FedEx?
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #addressWhat will you use it for?
FedEx. And Viagra ads.That'll be $50
Whoa. Just FedEx?Deal. Stephen Falken, Tiny
Island, Oregon
Maybe. Who are you?
Hey @address! Some dude says you can identify him
using this #token
My name is @WOPRWhat do you want to know?
#name and #addressWhat will you use it for?
FedEx. And Viagra ads.That'll be $50
Whoa. Just FedEx?Deal. Stephen Falken, Tiny
Island, OregonOK, but...
How do I know the guy who sent me the token is really
Falken?
Send him this #challenge.if he replies with this #response, it's him.
How do I know the guy who sent me the token is really
Falken?
Send him this #challenge.if he replies with this #response, it's him.
How do I know the guy who sent me the token is really
Falken?
KTHXBAI
Identify me. Use this @address and this #token
OK. Hang on
Answer this #challenge
...
Identify me. Use this @address and this #token
OK. Hang on
Answer this #challenge#response
...
Identify me. Use this @address and this #token
OK. Hang on
Answer this #challenge#response
Greetings, Professor Falken.
...
Identify me. Use this @address and this #token
OK. Hang on
Answer this #challenge#response
Greetings, Professor Falken.
...
Would you like to play a game?
API
IDENTITY CONSUMER
identify_me()
IDENTITY CONSUMER
identify_me()
IDENTITYPRODUCER
identify_subject()
IDENTITY CONSUMER
identify_me()
IDENTITYPRODUCER
identify_subject()
SUBJECT
challenge()
PROTOCOL
IDC.identify_me (*IDP, subject_token)
IDC.identify_me (*IDP, subject_token)
IDP.identify_subject (subject_token, IDPname, requested_subject_attrs,
requested_uses)
IDC.identify_me (*IDP, subject_token)
IDP.identify_subject (subject_token, IDPname, requested_subject_attrs,
requested_uses)
subject_attrs, restrictions, challenge_token, response_token
IDC.identify_me (*IDP, subject_token)
IDP.identify_subject (subject_token, IDPname, requested_subject_attrs,
requested_uses)
subject_attrs, restrictions, challenge_token, response_token
subject.challenge (challenge_token)
IDC.identify_me (*IDP, subject_token)
IDP.identify_subject (subject_token, IDPname, requested_subject_attrs,
requested_uses)
subject_attrs, restrictions, challenge_token, response_token
subject.challenge (challenge_token)
response_token
IDC.identify_me (*IDP, subject_token)
IDP.identify_subject (subject_token, IDPname, requested_subject_attrs,
requested_uses)
subject_attrs, restrictions, challenge_token, response_token
subject.challenge (challenge_token)
response_token
RINSE AND REPEAT FOR NEGOTIATION
USE CASES
IDP = subject IDC
FIRST-PARTY REGISTRATION
IDP = subject IDC
FIRST-PARTY AUTHENTICATION
subject IDC
THIRD-PARTY REGISTRATION
IDP
subject IDC
THIRD-PARTY AUTHENTICATION
IDP
BENEFITS
No identity information is exchanged
until terms of use are negotiated
Both users and Identity Consumers
can state terms and negotiate
Phishing defense
via authentication of Identity Consumers
Simple, minimal "webdevified" API and protocol
Anonymity, pseudonymity, and "real names"
are supported using a single API and protocol
First- and third-party identity producers
are supported using a single API and protocol
Registration and authentication
are supported using a single API and protocol
BOB.BLAKLEY @ CITI.COM
THANK YOU
I'LL BE HAPPY TO ANSWER YOUR QUESTIONS
