RFC 8485 – Vectors of Trust

RFC 8485 Vectors of Trust; J. Richer, L. Johansson; IETF; 2018-10.


identity proofing => Identity Proofing (P)
credential strength => Primary Credential Usage (C)
assertion strength => Assertion Presentation (A)
management lifecycle => Primary Credential Management (M)




  • Identity Assurance Level (IAL),
  • Authenticator Assurance Level (AAL),
  • Federation Assurance Level (FAL).


Previously filled.

Self-Hosted OpenID





Apache HTTPD culture

WordPress Culture

General Identity Services

WSO2 Identity Server

  • Apache 2.0 License; open source.
  • Available from RPM Fusion
    • Fedora 16
    • Fedora 18
    • … & onward.
Package                        Description
wso2-axis2                     WSO2 modified Apache Axis2/C
wso2-axis2-devel               WSO2's version of Apache Axis2/C development files
wso2-axis2-http-server         WSO2's axis basic http server
wso2-axis2-modules             Modules for the WSO2 modified Apache Axis2/C
wso2-rampart-devel             WSO2's version of Apache Rampart/C development files
wso2-sandesha2-devel           WSO2's version of Apache Sandesha2/C development files
wso2-savan-devel               WSO2's version of Apache Savan/C development files
wso2-wsf-cpp                   WSO2 Web Services Framework for C++
wso2-wsf-cpp-debuginfo         Debug information for package wso2-wsf-cpp
wso2-wsf-cpp-devel             WSO2 Web Services Framework for C++ development files
wso2-wsf-cpp-security          WSO2 Security for Web Services Framework for C++
wso2-wsf-cpp-security-devel    WSO2 Security for Web Services Framework for C++ development files
mod_wso2-axis2                 An Apache HTTPD module which adds axis2 support
wso2-rampart                   A security module for Apache Axis2/C
wso2-sandesha2                 A C implementation of the WS-ReliableMessaging specification
wso2-savan                     A C implementation of the WS-Eventing specification
wso2-wsclient                  A web service client


  • Google Profile URL; cf. +WendellBaker, the original (gensymed)
    Terms of Use

    • [Google] reserves the right to reclaim custom URLs or remove them for any reason, and without notice.
    • Custom URLs are free for now, but [Google] may start charging a fee for them.


OpenID Delegation

<link rel="openid.server" href="http://openid.baker.org/">
<link rel="openid.delegate" href="http://note-to-self.baker.com/">

These are the OpenID 1.1 rel names (the original had a stray "=" inside rel="openid.server"); the OpenID 2.0 equivalents are rel="openid2.provider" and rel="openid2.local_id". The delegate/local_id is the identifier the OP actually authenticates; the RP must check that the assertion it receives names that identifier and came from the discovered endpoint.


  • RP (Relying Party)
  • OP (OpenID Provider)
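RP-side discovery of those delegation tags, as an added example (not code from the original page): a small Python parser that reads the OpenID 1.1 link names shown above and their OpenID 2.0 equivalents, prefers 2.0 when both are declared, uses only the first tag of each kind, and refuses a non-http(s) endpoint. The sample page is constructed from the two URLs above; the claimed identifier http://baker.org/ and the extra evil.example tag are assumptions for the example.

```python
"""Added example (not from the original page): RP-side HTML discovery of
OpenID delegation <link> tags, for the OpenID 1.1 rel names
(openid.server / openid.delegate) and the OpenID 2.0 equivalents
(openid2.provider / openid2.local_id). Sample HTML and URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel value -> (spec version, role)
REL_NAMES = {
    "openid.server": ("1.1", "endpoint"),
    "openid.delegate": ("1.1", "local_id"),
    "openid2.provider": ("2.0", "endpoint"),
    "openid2.local_id": ("2.0", "local_id"),
}


class DelegationLinkParser(HTMLParser):
    """Collect <link rel=...> tags whose rel is one of the OpenID names.
    Only the first tag of each kind is kept, so a later tag (for instance one
    injected through user-supplied page content) cannot override the page
    owner's declaration."""

    def __init__(self):
        super().__init__()
        self.found = {}  # (version, role) -> href

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        # rel may carry several space-separated tokens
        for rel in (attrs.get("rel") or "").split():
            key = REL_NAMES.get(rel.lower())
            if key and href and key not in self.found:
                self.found[key] = href.strip()


def discover_delegation(html, claimed_id):
    """Return {'version', 'endpoint', 'local_id'} for the newest OpenID version
    the page declares, or None if it declares no OP endpoint.
    local_id falls back to the claimed identifier when no delegate tag is
    present. The RP must later check that the OP's assertion names this
    local_id and came from this endpoint; otherwise any OP could assert any
    identifier."""
    p = DelegationLinkParser()
    p.feed(html)
    for version in ("2.0", "1.1"):
        endpoint = p.found.get((version, "endpoint"))
        if not endpoint:
            continue
        if urlparse(endpoint).scheme not in ("http", "https"):
            raise ValueError("OP endpoint must be an http(s) URL: %r" % endpoint)
        return {
            "version": version,
            "endpoint": endpoint,
            "local_id": p.found.get((version, "local_id"), claimed_id),
        }
    return None


# Constructed sample page, modelled on the two <link> tags above.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>identity page</title>
<link rel="openid.server" href="http://openid.baker.org/">
<link rel="openid.delegate" href="http://note-to-self.baker.com/">
<link rel="openid2.provider" href="http://openid.baker.org/">
<link rel="openid2.local_id" href="http://note-to-self.baker.com/">
<link rel="openid2.provider" href="http://evil.example/"> <!-- ignored: not first -->
</head><body>hello</body></html>"""

if __name__ == "__main__":
    print(discover_delegation(SAMPLE_PAGE, "http://baker.org/"))
```

The result is the input to the next step (association and checkid_setup against the endpoint), not a proof of anything by itself.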


Source: some blog

Source: OpenID Connect

OpenID vs. Pseudo-Authentication using OAuth
Source: Jimi Wales’ Wiki

OpenID Connect Background

OpenID Connect

OpenID Connect Core 1.0


OpenID Connect identifies a set of personal attributes (claims) that can be exchanged between Identity Providers and the apps that use them, and includes an approval step so that users can consent to (or deny) the sharing of this information.

OAuth 2.0

  • RFC 6749 The OAuth 2.0 Authorization Framework; Editor: D. Hardt (Microsoft); 2012-10.
  • RFC 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage; M. Jones (Microsoft), D. Hardt (self); 2012-10.

Compare & Contrast

OpenID 2.0

  • pages, not apps => enterprise web applications, not store-bought OS screen chiclets
  • XML (Yadis/XRDS discovery documents) => same era and toolchain as the Security Assertion Markup Language (SAML)

OpenID Connect

  • JSON (the ID token is a JSON Web Token, JWT)
  • TLS
  • standard crypto signature-verification libraries (JWS/JWK).




  • Android => <quote>There are already system-level APIs built into the Android operating system to provide OpenID Connect services.</quote>
  • iOS => probably not; Apple isn’t listed, [own thing; add value].
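The difference between the two columns above, and the "OpenID vs. Pseudo-Authentication using OAuth" point, in code. This is an added example, not code from the page or from the OpenID Foundation: a Relying Party that starts a login with state and nonce, checks the state on the callback, and then verifies the signed ID token's iss, aud, exp and nonce before trusting sub. The issuer https://op.example, client id rp-client-1, the shared secret and the token claims are assumed values; HS256 is used so it runs with the standard library only, whereas real OPs mostly sign with RS256 and an RP would use a JOSE library.

```python
"""Added example, not code from the original page or from the OpenID
Foundation: an RP that logs a user in with OpenID Connect rather than
"pseudo-authentication" with a bare OAuth 2.0 access token. The RP ties the
request to a state and a nonce, then checks the ID token's signature, iss,
aud, exp and nonce before trusting 'sub'. HS256 with a shared secret keeps
it standard-library only; real OPs mostly use RS256 via a JOSE library.
Issuer, client id, secret and token claims below are assumed values."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

ISSUER = "https://op.example"        # assumed OP issuer
CLIENT_ID = "rp-client-1"            # assumed RP client_id
CLIENT_SECRET = b"assumed-shared-secret"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims, key):
    """OP side, only so the RP below has a token to check offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_id_token(token, key, expected_nonce, now=None):
    """RP side. Signature first, then the claims that bind the token to this
    client and this login. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # the token must not choose its own alg ('none', ...)
        raise ValueError("unexpected alg %r" % header.get("alg"))
    mac = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        # a token minted for some other client: exactly the hole in OAuth pseudo-auth,
        # where any app holding a user's access token can "prove" it is that user
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:   # token replayed from another login
        raise ValueError("nonce mismatch")
    return claims


def build_authorization_request(redirect_uri):
    """Return (authorize URL, per-login session values the callback must match)."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": session["state"], "nonce": session["nonce"]}
    return ISSUER + "/authorize?" + urlencode(params), session


def handle_callback(callback_url, session):
    """Reject the callback unless its state is the one this RP issued; return the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: not a login this RP started")
    return q["code"][0]


def login_demo(now=1_700_000_000):
    """Whole flow with a constructed OP response; returns the verified subject."""
    url, session = build_authorization_request("https://rp.example/callback")
    code = handle_callback("https://rp.example/callback?code=abc123&state=" + session["state"], session)
    # Real flow: POST `code` to the token endpoint over TLS; the constructed OP answers with:
    token = sign_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": now,
                           "exp": now + 300, "nonce": session["nonce"]}, CLIENT_SECRET)
    return verify_id_token(token, CLIENT_SECRET, session["nonce"], now=now)["sub"]


if __name__ == "__main__":
    print(login_demo())   # user-42
```

The aud check is the one a bare OAuth access token cannot give you: an access token says only that some client was authorized for some scope, so an attacker's app that obtained a user's token can replay it to a "login with X" endpoint that merely calls the userinfo API. The ID token names the client it was issued to and the nonce of the login it belongs to, and the RP refuses anything else.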

Working Group

OpenID Foundation


  • AOL,
  • Deutsche Telekom,
  • Facebook,
  • Google,
  • Microsoft,
  • Mitre Corporation,
  • mixi,
  • Nomura Research Institute,
  • Orange,
  • PayPal,
  • Ping Identity,
  • Salesforce,
  • Yahoo! Japan.


  • GSMA, Mobile Network Operators (MNOs) => mobile identity (articulates a need)
    • www.gsmamobileconnect.com.
    • <rephrase>Mobile Connect service is a single, trusted, mobile phone number-based authentication solution</rephrase>
    • <quote>The standard-based Mobile Connect service will utilise the OpenID Connect protocol, offering broad interoperability across mobile operators and service providers, further ensuring a seamless experience for consumers. </quote>
    • Supporters: Axiata Group Berhad, China Mobile, China Telecom, Etisalat, KDDI, Ooredoo, Orange, Tata Teleservices, Telefónica, Telenor, Telstra, VimpelCom.
    • Users: Dailymotion, Deezer, Gemalto, Giesecke & Devrient, Morpho, Oberthur, VALID.
  • FIDO Alliance => unclear.


Via: backfill

Apache Cordova

Apache Cordova


<!DOCTYPE html>
<title>Device Properties Example</title>
<script type="text/javascript" charset="utf-8" src="cordova.js"></script>
<script type="text/javascript" charset="utf-8">
// Wait for device API libraries to load
document.addEventListener("deviceready", onDeviceReady, false);
// device APIs are available
function onDeviceReady() {
    var element = document.getElementById('deviceProperties');
    // device.uuid is a persistent, device-wide identifier, the same class of value
    // as the UDIDs in the Antisec leak noted below; it is displayed here only as a demo
    element.innerHTML = 'Device Model: ' + device.model + '<br />' +
        'Device Cordova: ' + device.cordova + '<br />' +
        'Device Platform: ' + device.platform + '<br />' +
        'Device UUID: ' + device.uuid + '<br />' +
        'Device Version: ' + device.version + '<br />';
}
</script>
<p id="deviceProperties">Loading device properties...</p>

Intel Cloud Services Platform

Intel Cloud Services Platform, version 6.0, 2013-11-21

Release Notes

  • Intel Identity Services => FedID
  • Cultures
    • Android (2.2, Froyo onward)
    • iOS
    • JavaScript, HTML5
    • Windows
  • Baseline RESTful API
    • XML
    • JSON
  • Services
    • Analytics
    • Catalog,
    • Commerce
    • Curation,
    • Recommendation

Identity Services

  • Social Integration
    • Facebook API tokens
    • Yahoo! Social Login
  • Regulatory: COPPA
  • REST Developer’s Guide
  • Intel Identity Services REST API Reference
  • OAuth 2.0
    • ClientID + Client Secret
    • Access Token
    • https://api.intel.com/identityui/v2/auth
  • Concepts
    • Scopes
    • Redirect
    • Sync vs Async (urn:intel:identity:oauth:oob:async)
      • Web App Synchronous => http://localhost/callback.html
      • Mobile App Synchronous => (deep link) myapp://action
      • Web App Asynchronous => urn:intel:identity:
  • URN Support (i.e. deep links)
  • Badging

Analytics Services

  • Opt-Out
  • Session Tracking API
  • Custom Events API
  • Dashboards
  • Real-Time Analytics
  • User, device, session, and demographic Analysis

Commerce Services & API

  • Client ID
  • PayPal
  • Taxation computations
  • Subscription API
  • Cart & Order Management

Catalog Services

  • Datasets
  • Bulk Upload
  • POI Data
  • Schema Management

Context SDK

  • States
    • Location-based states:
      • Country,
      • City,
      • Semantic Place (Home/Work),
      • Nearby restaurants.
    • Time and date-based states:
      • Time zone,
      • Local time,
      • Weekday,
      • Part of day,
      • Holiday information in your location.
    • Device-based states:
      • Applications running,
      • Missed calls,
      • Battery level,
      • Music played.
  • Context states sensing
    • Environment weather.
    • Device terminal context.
    • Location semantic/geographic place.
    • Network connection.
    • Device contacts.
    • Device calendar.
    • Physical activity.
    • Audio classification.
    • Message (SMS).
    • Device information.
    • Installed applications.

Location-Based Services

  • Removed 2013-11-11


See Also

Genevieve Bell, Keynote Address; Intel IDF; 2013-09-12; 43 pages.

Via: backfill, backfill

User, device, session, and demographic Analysis

Forensic Identification of GSM Mobile Phones | Hasse, Gloe, Beck

Jakob Hasse, Thomas Gloe (dence), Martin Beck (T.U. Dresden); Forensic Identification of GSM Mobile Phones; In Proceedings of ACM IH&MMSec 2013 (Information Hiding and Multimedia Security Workshop); 2013-06-17; 10 pages.


With the rapid growth of GSM telecommunication, special requirements arise in digital forensics to identify mobile phones operating in a GSM network. This paper introduces a novel method to identify GSM devices based on physical characteristics of the radio frequency hardware. An implementation of a specialised receiver software allows passive monitoring of GSM traffic along with physical layer burst extraction even for handover and frequency hopping techniques. We introduce time-based patterns of modulation errors as a unique device-dependent feature and carefully remove random effects of the wireless communication channel. Using our characteristics, we could distinguish 13 mobile phones at an overall success rate of 97.62% under real-world conditions. This work proves practical feasibility of physical layer identification scenarios capable of tracking or authenticating GSM-based devices.


  • Paul Marks; Any cellphone can be traced by its digital fingerprint; In New Scientist; 2013-08-01.

    • Jakob Hasse et al.
    • Technical University of Dresden
    • Testing: N=13 devices (the ones “laying around their lab”)
    • Scope: 2G phones
    • Precision: identify the source handset with an accuracy of 97.6 per cent.
    • Quotes, Jakob Hasse:
      • “Our method does not send anything to the mobile phones. It works completely passively and just listens to the ongoing transmissions of a mobile phone – it cannot be detected.”
      • [Results on 2G only but] “defects are present in every radio device, so it should also be possible to do this with 3G and 4G phones.”
    • Quotes, attributed to random other people, for color & balance:

Aldo Cortesi mitmproxy Announcements through mitmproxy 0.8





Aldo Cortesi on the Antisec UDID Leak

From His Blog Feed



OpenFeint closed 2012-12-14.