 Hello, everyone. Is this one? Yeah. So thank you for coming. I'm Vittorio Bertola. I'm here to present the ID for me project for open and Faradate identities. So as soon as we get back to the presentation. But OK. So I mean I think everyone already knows about the online identities and how bad they are today, but to recap, basically, we actually have, vse lahko smo pričo, misli, da si nisih, oč in odsah su, oč sem čak Vietnama, ki mislim, da jim je igranje, zapomeniše, zelo labovce, se kajim da se vse znači? S tega,ako smo vse problemi, na pogočenju, nekaj sam bo, se ni omrfločilo, znači so našli se, ki se vse ponestilo, to je zelo noze. Prekaj smo našli početni, načo imamo dovolj, zelo našli, jim je za nr. Tato, da se pričepočimo polniti bati vse, arrina. Dobro vse je početno, 1.000 različne akacij, včetnih pasvori, in vznikovih sistemov, vznikovih. In je to vznikovih, je to vznikovih, bo je početno, da vznikovih je zelo, ali če ne bi se vznikovih, ne bi se vznikovih se zelo. To je zelo sistem, ki ne se vznikovih. Zelo, če soluzija je veliko zelo, soluzija je vznikovih, če se vznikovih, če se vznikovih, kaj je vznikovih, kaj se predstavila, ker se vznikovih, kaj se vznikovih, that you are you and they should let you in. And of course this requires some kind of trusted authentication provider. And of course the big internet platforms, the tops already thought about this. So in the last two or three years there's been this proliferation of forms like this one. They are now everywhere, almost on every website. As you see, I mean, most websites usually give these alternatives, so you can either login with Facebook or with Google. Some only have Facebook or Google. ki ima few more. There is a tini link which is going to disappear more and more. If you really want, you can log in with your own personal account with your email, but again that is going to disappear. And what's the problem with this? The problem is that this is proprietary, not in terms of protocols, but in terms of the implementation and the actual service. So this is very convenient. It's now ubiquitous, I mean just click and you are in, you don't have to enter your data, everybody likes it, especially the average user that doesn't realize the privacy implication of these, To je veliko malo, da je tukaj. Prvno, njih ne je interoperabilitiva. To je vsega. Čekaj, da se pošli Facebook, da se pošli Facebook, da se pošli Google, da se pošli Google, da se pošli koncentracij, bo nekaj ne bo, da se pošli 1.000 systems na svoj web page. Tako, da se pošli, da se pošli. If you want to support more systems, you are a website, web admin, you have to implement each and every of them separately again and again. The users, in the end, don't have a choice because you can only choose the ones that are supported by most websites. And in the end, this makes tracking straightforward. So the platforms that already know everything about us, then they have an even easier way to track us across the multiple services we use. And on the other hand, you get to situations like this one, which was actually funny. This was the recommended hotel for the IETF or out working group, the security workshop they had, and the recommended hotel had, you choose between eight different systems to log in to your Wi-Fi. So this was really crazy. So it showed everyone of the IETF also that there's a problem that needs to be solved. So we need some kind of better way of doing this. So we need openness because we cannot allow these companies to own our identities. And we need federations so that everybody can run their identity. Or at least we can have thousands of providers and we can have a choice. So of course, single sign-on has a lot of advantages. So these are advantages that you already get with the current system. You need to log in to credentials because you log in to a single place. This place can be made more and more secure because you just need to implement, for example, to factor authentication in the single place where you log in. And you have a way to control your information as long as the provider lets you control the information, which Google and Facebook unfortunately basically don't. And you don't need to register. I mean, in the end, this idea of registering for a website is going to go away. You just have to show your identity to rent a car, you show your identity documents. That's what's going to happen in front of websites. But if we succeeded in making this public and federated, there would be more and more advantages. So why cannot single sign-on work like e-mail? E-mail is being an old-time service before all this mass commercialization in big internet platforms came. E-mail is still federated, which means that you can get your e-mail address from whoever you want, including running it yourself. And then everyone can speak with everyone else. And that's how it works. And there's no reason why identities should not work like that. So you could get your identity from whoever you want or even run it yourself and then use it everywhere. And you would just need one account for everything, and you could choose your provider or you could even run it yourself. And you could possibly choose one that is not selling you out. And you could also keep your identifier, which is a known problem. You have to own your own username, in a way. Otherwise, you will always depend on the company that supplied your username. So the technical problem is that to have a federation, you need what is called the discovery mechanism. So what's necessary is that someone shows you an identifier, their own username. And the website, the service that needs to verify that you are you needs to know where to go, which server to contact to do that. And actually the main protocol that is used today, including by the properties, single sign-ons, for online single sign-ons is OpenID Connect. I guess people here are mostly, I would say, would be familiar with that. So, I mean, it has some federation capabilities, but it's never deployed in a really federated manner. So the federation in the common deployments of OpenID Connect is that the same company has 10 different services, and they all use a centralized login server for login identity provider. But it's always everything run by the single company or at most by a group of companies. And so we need a real federation, and so we need to keep these directory identities somewhere so that websites can look them up. So where do we do that? And this is what we try to do. I mean, the standard OpenID Connect method relies on webfinger, so it's an HTTPS call to a web server running on your identity provider, which is a problem that you need to have a website running for that on each and every domain name or identifier that you want to use. So it's not very handy, and it's actually, I mean, basically very hard to implement, for example, for domain name industry and for the hosting industry for the ISPs, because you need... And so... And also it requires you to have a WebPKI certificate with let's encrypt, you can get one for free, but still it's... And of course, when of the blockchain, there are, I mean, I'd say it's thousands of identity projects based on blockchains, and it's fine, we have nothing against the blockchain, but we want something that can actually compete today with the biggest it is. It must be something that is already available today everywhere. It's tested, it can scale to mass service and so on. And everyone can just pick it up and run it. And so, in the end, we're going for the DNS. And I mean, the DNS usually... I mean, there are people that love it, there are people that hate it, but it has several advantages, because in the end it is an open public standard, there's three implementations everywhere, you can just download one and run your DNS server. It's widely available, it's tested, it's been around for 80 years on a global scale, it keeps the internet up, and so it has some kind of regulation, so even if there is some centralization, there's also some regulation to prevent capture. And so, maybe that's not perfect, but it's already there and it works. And so we chose to use the DNS for the namespace, because also, I mean, to have a global internet scale online identities, you need a global unique identifier. And of course, our own names are not unique identifiers, there's many people with the same name over the world. And so you need a global namespace, which is also distributed and federated and can be delegated, and this is the problem that was already solved with the DNS 35 years ago. So you can just use DNS names and people are actually familiar with them, and they are human readable in the end, they are usually strings with dots in the middle. You could even use email addresses, just convert them into a domain name with a fixed hash in algorithm. And in the end, this would also allow people to just buy a domain name for a few euros and become owners of their own identifier, which is another advantage. So then you could just move your identifier across different providers if you don't like your current provider anymore. And so it's also very easy to realize that a discovery scheme, to make a discovery scheme over the DNS, since, again, email basically does that. Email has the same problem. If you have an email address, you need to know which server is managing it. And in the DNS that tells you which server is managing it. And we did the same. We're not going for a new resource record type, because that's hard to get implemented. We're just using a txt record, like many other new protocols. And there are actually internet drafts already there. We are not at the moment going forward in standardization, because first we want to get implementations and prove that it works and so on. But the drafts are already there, they are public. So basically this is what we did. We just chose that, I mean, you can use whatever valid hostname, even if it doesn't correspond to an existing server in a domain that you control, so that you can create records in it. And you can just create a standard special utility txt record, which points to a stringer, which basically tells you where this is being run. Who is the issuer and the claims provider for your identity in OpenID ConnectSpeak. So, well, the project in itself is basically this. It's just an attempt not to become yet another identity provider or group of companies or entities that compete to provide identities against everyone else, but it's meant to provide the basic building technology to allow everyone to run providers and interoperate with each other. So the point is that we want to create basically a set of open patent-free standards that are there for everyone to implement, the traditional way, like email. I mean, we are an email company, so this is why we believe in this model. And so, in the end, we do have also a foundation, here in Brassos, it's a non-profit. We decided to have one because you need the place basically to ask companies and supporters to put money and then spend it for the project to pay, for example, promotion and people to develop something, maybe, and other expenses. So it's not a controlling entity anyway, the standard is open, everyone can implement it. And so, we do have additional activities over that, including some, I mean, well, I will come to that. Basically, the architecture of the roles in ID4ME is more or less the same as the traditional OpenID Connect system, except that we decided to break the traditional identity provider role in two, partly because, I mean, among the original supporters there are several companies and people from the domain name industry, and so we have a sort of separation that mimics the domain name registrar and registry separation, so we have an identity authority which is basically the registry for identities and the only thing that it does it verifies your credentials, so it runs your authentication and it doesn't get to actually know your data, so the data and the relationship with you are kept by your agent which is the other entity which basically gives you the service so that you could even change agent both, or you can run both on the same service, you could even have a service running both roles at the same time, it's entirely free, but at least for the attempt to get to the real average users which needs to be built upon an existing industry to have channels to actually reach out to people, then this is, we thought this is the best way of organizing it, and so in the end you provide your information and manage it with the agent and trust anchor in the authentication system that guarantees that the authentication is being done correctly. And so the login flow is actually pretty standard if anyone is familiar with OpenID Connect so basically it is a standard OpenID Connect login process except that before starting the entire process you have to do this DNS query so the relying party will have to discover who is running your identity who is managing it they will make this DNS query and get in return to the record and discover which server they have to contact to start up the normal OpenID Connect login process which then uses a feature OpenID Connect which is called distributed claims so that the initial identity provider which is the authority then redirects the relying party to the agent with the assigned token so that they can actually get your personal information but the nice thing in this process that the authority for example asks you actually which data you want to share so I mean you have a set of information for the moment it's a basic one but in theory you could standardize names and claims for any kind of information that you would like to share with websites from your frequent flyer number in whatever and then when you login with the first time you login into a website the authority asks you this is the information they would like to have about you and do you agree so do you give consent for each information field whether you agree with sharing it or not and then this is signed and gets sent to the agent so that the agent knows which data they actually can share with the relying party and so in this way we are trying to put back control over data sharing in the hands of the user so that in the end it's the user that chooses which information gets passed on to the website and so on as I said in the status is like the project is about a couple of years old it was initially promoted by a few German companies now it's becoming international there are more entities signing in for profit and non profit so there's a website there's specification and there's an API there are several prototypes, testbeds there's actually an ID for me based the service which is DINIC ID DINIC is the manager for the world domain in Germany so they are the first company that really tries to release a public service based on this and this technology and they are basically about to launch it and we are working on the possibility of adding a verification layer on top of this so you can still the data in that is what you put in it so it's not verified, you can use it also anonymously anonymously, you decide you can have many identities whatever you want but for certain use cases you might want to have a third party that you are you and in that case we are building the extensors to the standard that would allow basically a third party to sign an attestation and so provide verified identities and we have now about 30 members in the international non profit here in Brussels so what's coming next, if anyone here will attend the cloud fest in Germany there's going to be a hackathon project to develop a completely free server implementation we already have a part of it so we want to finish it and release it so that it's available to everyone we already have several authentication plugins for several languages, they are also free and so we are as I said we are working on the verified identities part so that you can have a stronger identity and we are discussing the reputation issue and I want to stress this because this is a problem that cannot happen in any federated approach and it should not be underestimated because it is a difficult project because in the end if you are Google I decide which degree of validity I want to give to the information I pass to websites and people have to trust me in a federated system it happens for email, spam and so on there could be people that run services in a bad way and so you need to have some way to exchange reputation information and be sure that if someone is telling that this person is authenticated and these are data they are not just making everything up at least for certain use cases around how to manage reputation of the operators so this is the website you can go there and there is everything about the project there is also the technical path with documentation links to our github space and whatever and that's it, so basically thank you and I am happy to take questions Hi, I have a question so when I am a website and I integrate the login with Google button for the SSO, for my users basically the reason I do that is because I trust Google that it is doing the authentication correctly for the user but if I for example use ID for me I don't know who I am asking and in OpenMedy Connect I usually need a client with the identity provider so how does that work because I need to establish some kind of trust with the identity provider as I was saying this is the key problem we are discussing exactly because we decided to make for example the client registration dynamic so you don't need to ask the identity provider for a key to start being a relying party because that would make the federation unworkable but yeah, I mean in the end it depends on relying party because if you are just a basic website a forum for lobbyist or whatever you don't need any real certainty about the data actually that's a case in which people should be encouraged to login anonymously if they want on the other hand for some services to be sure about the entire process and in that case possibly you as a relying party want to put some barrier on the identity provider that is being used so I mean since you cannot know I mean you could in theory say I will only accept identities from these one, two, three identity providers but again this is done on scale so what we are thinking is that we could have some kind of certification so that you can get some cryptographic so you can more or less trust that they are who they are and these others completely unknown so accept it as your own wish but on the other hand we don't want to make this too hard because otherwise it will rule out the self-hosting of identities which I think is a pretty important case I have a question the OpenID Connect they have a certification process did you take your services through that process or did you talk to the people about certifying your services I mean you mean the certification of the implementation as I said Denik who is the first company that is launching services is an OpenID Foundation member and they have applied so their server implementation is being certified by the OpenID Foundation and also we have been submitting some of this development for standardization basically in some of the extension I mean there are a couple of extensions that just came out to OpenID Connect in terms of federation and they were actually influenced by some of us participating in groups and bringing ideas and of course we want to be aligned so in the end of course this is still catching up so there are no websites almost today except maybe for Denik and a few of you that accept these identities so this is the challenge if this gains adoption everything I mean we are going to apply for standardization of all the parts of the protocol both at the OpenID Foundation and at the ITF my question is have you thought about integrating with the decentralized identity standard that this is going to be developed? We have thought about getting a DID schema for example for ID for me so I mean if that's what you're referring to there's already a DID message for web so you can write some kind of DNS it looks kind of similar it's just how to resolve as I said we haven't done it yet but we have we could do it we actually have thought of it we could do it Is there any place where I can find people from OpenExchange to chat with them or you? There are several here so just grab us later either on this or any other thing that OpenExchange is doing Have you thought about a use case where you're not trying to identify a web application but any other thing that doesn't have a browser available? Sorry I speak loudly because we are not identifying providing the ability to identify outside of the browser? I mean we were trying to for example see whether this could be used for IMA blogging for example of these kind of things there's not been the focus yet because of course there's a problem with the interactivity because OpenID Connect is an interactive process but I think you could get your a token and store it but we have not worked on this yet but if you want to help you're welcome Have you looked at engaging with web standards bodies or web browsers to perhaps standardize this so you could just have a new HTML component to have a federated login for example? Yeah I mean we do not have browsers at this point in time also this is a very European project originally German now European there are not basically European browser makers so we if you're interested please join and yeah I think that some degree of support in the browsers would help a lot I had a quick chat with Mozilla like over a year ago the problems that they tried persona if you remember it and then it didn't really work so they are sort of wary of these kind of things but this is how I understood it I was wondering if you can talk a bit more about the status of the project because if I understand correctly most of the components basically are just thin layers in front of ID connector providers and other data storage so it's just a matter of writing this small Yeah exactly this was a design feature so when we decided not to design everything from scratch but to try to design something which had an implementation path which is as short as possible so yeah for the relying part it's actually just this DNS call in front of a standard open ID connection implementation then if you want to support some of these servers maybe you want to customize but basically yeah and also DINIC is running the implementation from the server side by using an open ID connect server and just developing a few things on top of it so yeah Thank you very much And I'm here around if you still have questions of course Please give him a warm round of applause