Episode 110 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Federating Identity is Difficult, Expensive, and Unnecessary?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Alan Karp, Distributed Systems Architect
Description
"Identity" is a cybersecurity cottage industry. And while uniquely naming things--like people and software entities--is clearly important for audit records, we shouldn't conflate naming with access control. Alan is a long-time access control expert, who proposed ZBAC in 2010, which was perhaps before its time. In this episode, we're going to use the context of the recent letter from Chase CISO Patrick Opet to discuss the challenges of modern access control which crosses domain boundaries. Is federation unnecessary? Or are the expectations for the problems it solves too expansive? Prof Karp always has an interesting opinion on these things! Join us to find out!
Homework
- An open letter to third-party suppliers from Patrick Opet, Chase CISO
- Mike Schwartz's response to the above
Takeaways
- ⚡ A car key is the best example of capability-based access control: your car doesn't care who you are. You have the key, it turns on. If you give someone your key, you've delegated the capability to drive your car.
- ⚡ If you base access control on identity, people will share credentials.
- ⚡ JWT tokens are well suited to convey capabilities, especially across domain boundaries.
- ⚡ Capability-based access control is better suited to protect privacy. You may need reference identifiers to track a transaction back to the originating domain, but you don't necessarily need the human identity data.
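To make the last three takeaways concrete, here is an added example (not code from the episode, Gluu, or Alan Karp's ZBAC work) of a JWT that carries a capability and an opaque reference id but no subject identity; the resource server authorizes purely from the token. It assumes a shared HS256 key between the two domains for brevity; a real cross-domain deployment would use the issuer's asymmetric key instead.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_capability(key: bytes, resource: str, actions, ref_id: str, ttl: int = 300) -> str:
    """Issuing domain mints a token naming what may be done, not who is doing it.
    'ref' is an opaque id the issuer can map back to its own audit trail."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": "https://issuer.example",   # hypothetical issuer
              "aud": resource, "cap": sorted(actions), "ref": ref_id,
              "iat": now, "exp": now + ttl}      # note: no "sub" claim at all
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authorize(key: bytes, token: str, resource: str, action: str, now=None) -> bool:
    """Resource server decision: valid signature, expected alg, unexpired,
    addressed to this resource, and the capability list contains the action.
    Identity data is never consulted, so none needs to cross the boundary."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:          # malformed base64 or JSON
        return False
    if header.get("alg") != "HS256":   # refuse alg substitution / "none"
        return False
    now = int(time.time()) if now is None else now
    if claims.get("aud") != resource or claims.get("exp", 0) <= now:
        return False
    return action in claims.get("cap", [])

def forge_payload(token: str, new_claims: dict) -> str:
    """Constructed attack input for the demo: swap the payload, keep the old signature."""
    h, _, s = token.split(".")
    return h + "." + _b64url(json.dumps(new_claims).encode()) + "." + s

if __name__ == "__main__":
    key = b"demo-shared-secret"          # constructed sample key
    tok = mint_capability(key, "https://api.example/accounts/42", ["read"], "ref-7f3a")
    print(authorize(key, tok, "https://api.example/accounts/42", "read"))      # True
    print(authorize(key, tok, "https://api.example/accounts/42", "transfer"))  # False
```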