This document summarizes the main themes, key ideas, and facts presented at “OpenID Federation 1.0: The Trust Chain vs The x.509 Certificate Chain – OpenID Summit Tokyo 2024”.
Speaker: Vladimir Dzhuvinov
Overall theme:
We will compare the Trust Chain introduced in OpenID Federation with the X.509 certificate chain that has been used for many years, and discuss the advantages and future potential of the Trust Chain.
Key Points:
- X.509 Certificate Deployment and History: X.509 certificates are extremely popular, being widely embedded in credit cards and smartphones, but the standard was created in 1988, before the advent of concepts like the World Wide Web and APIs.
- "If I reach into my pocket where my credit card is, there's a chip in here, and inside this chip there is an X.509 certificate. So everybody here has one in his card, and there are probably billions of cards around the world with such certificates inside."
- X.509 certificate success factors: The success of X.509 certificates lies in the simple concept of binding a name to a public key, and the ability to build a chain up to a trusted certificate authority.
- "What is the certificate? It is a very simple binding, a cryptographic binding between a name, this could be the name of a website, and a public key, and these bindings can be chained all the way up to a trusted certificate authority."
- Enter the OpenID Trust Chain: In OpenID Connect federation, the Trust Chain was developed to establish trust between OpenID providers and relying parties. The Trust Chain is constructed from JWTs (JSON Web Tokens).
- Similarities between Trust Chain and X.509 certificate structures: The Trust Chain has fields similar to those of an X.509 certificate, such as issuer, subject, expiration date, and constraints.
- Additional Trust Chain features: The Trust Chain can embed metadata, metadata policies, and trust marks, where the metadata is used to federate with OpenID providers and the trust marks provide additional authentication information.
- "We have a field which is required for the metadata, and the metadata is in there so that we federate with the OpenID Provider by presenting the trust chain. Then we also have metadata policies; now the trust anchor, the authority, might want to assert or define policies in order to make the entities, for example, comply with the puppy profile, right? And we also have a bunch of embedded JWTs which can be thought of as accreditations, which are called trust marks, so they provide an additional dimension."
- Benefits of Trust Chain: The Trust Chain can express more complex trust relationships (such as multilateral federations), allows the insertion of trust marks, and can build trust chains and traverse trust trees in real time using well-known URLs and Web APIs.
- "The trust chains enable much more complex trust relationships to be represented, things like multilateral federations, and they also enable the insertion of trust marks, and this is good because it gives security architects the ability to sort of represent and express real-world trust relationships."
- Future predictions for 2035: The presenter predicted that in 2035, a new version of OAuth 2.0 will be released, replacing the X.509 certificate chain with the Trust Chain. He envisioned a future in which the IRS (Internal Revenue Service) will become a trust anchor, allowing users to access legal information about companies through their website certificates.
- "The IRS, the Internal Revenue Service of the United States, has decided to become a trust anchor, so every company or nonprofit in the States that is registered can automatically also enroll its public keys, and when it does that, what happens: the websites, when you click on the padlock, you can immediately see what the legal entity is behind the website, and you can find things like tax number."
- The Future of the OpenID Foundation: It has been suggested that the OpenID Foundation could join multiple federations and display trust marks for things such as a bank account, ISO certification, carbon neutrality and completion of survival training.
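The chain structure described in the points above (issuer, subject, expiration, constraints, metadata and metadata policies, leaf first and trust anchor last) is easier to see in code. The following is an added example written for this summary, not code from the talk or from any OpenID Federation library: it validates a constructed trust chain of decoded entity-statement payloads, checking issuer/subject linkage and expiry, treating `max_path_length` as the analogue of the X.509 pathLenConstraint, and applying only the `value` and `subset_of` policy operators (policies are applied sequentially from the trust anchor down rather than merged as the specification describes). JWS signature checks against each issuer's published `jwks` are assumed to have been done already; all identifiers are made up.

```python
TA = "https://ta.example"   # constructed trust anchor identifier
NOW = 1_700_000_000         # fixed clock so the example is deterministic


def _stmt(iss, sub, **extra):
    # Decoded payload of one entity statement JWT (signature assumed already verified).
    return {"iss": iss, "sub": sub, "iat": NOW - 60, "exp": NOW + 3600, **extra}


# Constructed chain: RP -> intermediate -> trust anchor (all identifiers are made up).
CHAIN = [
    _stmt("https://rp.example", "https://rp.example",
          authority_hints=["https://intermediate.example"],
          metadata={"openid_relying_party": {"client_name": "Demo RP",
                    "response_types": ["code", "token"],
                    "grant_types": ["authorization_code", "implicit"]}}),
    _stmt("https://intermediate.example", "https://rp.example",
          metadata_policy={"openid_relying_party": {"response_types": {"subset_of": ["code"]}}}),
    _stmt(TA, "https://intermediate.example", constraints={"max_path_length": 1},
          metadata_policy={"openid_relying_party": {
              "grant_types": {"subset_of": ["authorization_code"]},
              "client_name": {"value": "Demo RP (federated)"}}}),
    _stmt(TA, TA),
]


def apply_policy(metadata, policy):
    """Apply the two policy operators this example supports: value and subset_of."""
    out = dict(metadata)
    for claim, ops in policy.items():
        if "value" in ops:
            out[claim] = ops["value"]
        if "subset_of" in ops:
            out[claim] = [v for v in out.get(claim, []) if v in ops["subset_of"]]
    return out


def validate_chain(chain, trust_anchor, now=NOW, entity_type="openid_relying_party"):
    """Return the leaf's policy-resolved metadata, or raise ValueError if the chain is invalid."""
    if chain[0]["iss"] != chain[0]["sub"] or chain[-1]["iss"] != trust_anchor:
        raise ValueError("chain must start at a self-issued leaf and end at the trust anchor")
    for i, st in enumerate(chain):
        if not st["iat"] <= now < st["exp"]:
            raise ValueError(f"statement {i} is expired or not yet valid")
        if i and st["sub"] != chain[i - 1]["iss"]:  # issuer/subject linkage, as in X.509
            raise ValueError(f"statement {i} does not vouch for statement {i - 1}'s issuer")
        limit = st.get("constraints", {}).get("max_path_length")
        if limit is not None and i - 2 > limit:  # analogue of X.509 pathLenConstraint
            raise ValueError(f"too many intermediates below the subject of statement {i}")
    metadata = chain[0]["metadata"][entity_type]
    for st in reversed(chain[1:-1]):  # trust anchor's policy first, then each intermediate's
        metadata = apply_policy(metadata, st.get("metadata_policy", {}).get(entity_type, {}))
    return metadata
```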
In conclusion:
The presenter claims that the Trust Chain introduced in OpenID Federation overcomes the limitations of X.509 certificate chains and provides a more flexible and expressive trust model. The Trust Chain enables real-time construction of trust relationships through cooperation with Web APIs, allowing security architects to more accurately express real-world trust relationships.
Supplement:
The presenter emphasized that this is a future prediction and is not definitive information at this time.