{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,9,9]],"date-time":"2024-09-09T12:59:01Z","timestamp":1725886741267},"reference-count":18,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"3","license":[{"start":{"date-parts":[[2017,7,1]],"date-time":"2017-07-01T00:00:00Z","timestamp":1498867200000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017,7,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Authentication delegation is a major function of the modern web. Identity Providers (IdP) acquired a central role by providing this function to other web services. By knowing which web services or web applications access its service, an IdP can violate the enduser privacy by discovering information that the user did not want to share with its IdP. For instance, WebRTC introduces a new field of usage as authentication delegation happens during the call session establishment, between two users. As a result, an IdP can easily discover that Bob has a meeting with Alice. A second issue that increases the privacy violation is the lack of choice for the end-user to select its own IdP. Indeed, on many web-applications, the end-user can only select between a subset of IdPs, in most cases Facebook or Google. In this paper, we analyze this phenomena, in particular why the end-user cannot easily select its preferred IdP, though there exists standards in this field such as OpenID Connect and OAuth 2? To lead this analysis, we conduct three investigations. The first one is a field survey on OAuth 2 and OpenID Connect scope usage by web sites to understand if scopes requested by websites could allow for user defined IdPs. The second one tries to understand whether the problem comes from the OAuth 2 protocol or its implementations by IdP. The last one tries to understand if trust relations between websites and IdP could prevent the end user to select its own IdP. Finally, we sketch possible architecture for web browser based identity management, and report on the implementation of a prototype.<\/jats:p>","DOI":"10.1515\/popets-2017-0029","type":"journal-article","created":{"date-parts":[[2017,7,8]],"date-time":"2017-07-08T10:01:47Z","timestamp":1499508107000},"page":"75-89","source":"Crossref","is-referenced-by-count":4,"title":["Why can\u2019t users choose their identity providers on the web?"],"prefix":"10.56553","volume":"2017","author":[{"given":"Kevin","family":"Corre","sequence":"first","affiliation":[{"name":"Orange Labs \/ IRISA"}]},{"given":"Olivier","family":"Barais","sequence":"additional","affiliation":[{"name":"IRISA\/INRIA"}]},{"given":"Gerson","family":"Suny\u00e9","sequence":"additional","affiliation":[{"name":"INRIA"}]},{"given":"Vincent","family":"Frey","sequence":"additional","affiliation":[{"name":"Orange Labs"}]},{"given":"Jean-Michel","family":"Crom","sequence":"additional","affiliation":[{"name":"Orange Labs"}]}],"member":"35752","published-online":{"date-parts":[[2017,7,6]]},"reference":[{"key":"2021040703311909712_j_popets-2017-0029_ref_001_w2aab2b8b5b1b7b1ab1ab1Aa","doi-asserted-by":"crossref","unstructured":"[1] L. Lynch, \u201cInside the identity management game,\u201d IEEE Internet computing, vol. 15, no. 5, p. 78, 2011.","DOI":"10.1109\/MIC.2011.119"},{"key":"2021040703311909712_j_popets-2017-0029_ref_002_w2aab2b8b5b1b7b1ab1ab2Aa","doi-asserted-by":"crossref","unstructured":"[2] D. Florencio and C. Herley, \u201cA large-scale study of web password habits,\u201d in Proceedings of the 16th international conference on World Wide Web. ACM, 2007, pp. 657\u2013666.","DOI":"10.1145\/1242572.1242661"},{"key":"2021040703311909712_j_popets-2017-0029_ref_003_w2aab2b8b5b1b7b1ab1ab3Aa","unstructured":"[3] A. J\u00f8sang, M. A. Zomai, and S. Suriadi, \u201cUsability and privacy in identity management architectures,\u201d in Proceedings of the fifth Australasian symposium on ACSW frontiers-Volume 68. Australian Computer Society, Inc., 2007, pp. 143\u2013152."},{"key":"2021040703311909712_j_popets-2017-0029_ref_004_w2aab2b8b5b1b7b1ab1ab4Aa","doi-asserted-by":"crossref","unstructured":"[4] D. Reed, L. Chasen, and W. Tan, \u201cOpenid identity discovery with xri and xrds,\u201d in Proceedings of the 7th symposium on Identity and trust on the Internet. ACM, 2008, pp. 19\u201325.","DOI":"10.1145\/1373290.1373294"},{"key":"2021040703311909712_j_popets-2017-0029_ref_005_w2aab2b8b5b1b7b1ab1ab5Aa","unstructured":"[5] D. Mills, \u201cIntroducing browserid: a better way to sign in,\u201d 2011."},{"key":"2021040703311909712_j_popets-2017-0029_ref_006_w2aab2b8b5b1b7b1ab1ab6Aa","unstructured":"[6] \u201cWebRTC 1.0: Real-time Communication Between Browsers.\u201d [Online]. Available: https:\/\/www.w3.org\/TR\/webrtc\/"},{"key":"2021040703311909712_j_popets-2017-0029_ref_007_w2aab2b8b5b1b7b1ab1ab7Aa","unstructured":"[7] E. Rescorla, \u201cWebRTC Security Architecture,\u201d 2015."},{"key":"2021040703311909712_j_popets-2017-0029_ref_008_w2aab2b8b5b1b7b1ab1ab8Aa","doi-asserted-by":"crossref","unstructured":"[8] A. Vapen, N. Carlsson, A. Mahanti, and N. Shahmehri, \u201cInformation sharing and user privacy in the third-party identity management landscape,\u201d in IFIP International Information Security Conference. Springer, 2015, pp. 174\u2013188.","DOI":"10.1007\/978-3-319-18467-8_12"},{"key":"2021040703311909712_j_popets-2017-0029_ref_009_w2aab2b8b5b1b7b1ab1ab9Aa","doi-asserted-by":"crossref","unstructured":"[9] S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov, \u201cWhat Makes Users Refuse Web Single Sign-on?: An Empirical Investigation of OpenID,\u201d in Proceedings of the Seventh Symposium on Usable Privacy and Security, ser. SOUPS \u201911. ACM, 2011, pp. 4:1\u20134:20.","DOI":"10.1145\/2078827.2078833"},{"key":"2021040703311909712_j_popets-2017-0029_ref_010_w2aab2b8b5b1b7b1ab1ac10Aa","unstructured":"[10] M. Sporny, T. Inkster, H. Story, B. Harbulot, and R. Bachmann-Gm\u00fcr, \u201cWebid 1.0: Web identification and discovery,\u201d Editor\u2019s draft, W3C, 2011."},{"key":"2021040703311909712_j_popets-2017-0029_ref_011_w2aab2b8b5b1b7b1ab1ac11Aa","doi-asserted-by":"crossref","unstructured":"[11] M. Jones, J. Bradley, and N. Sakimura, \u201cJson web signature (jws), rfc 7515,\u201d Internet Engineering Task Force (IETF), Tech. Rep., 2014.","DOI":"10.17487\/RFC7515"},{"key":"2021040703311909712_j_popets-2017-0029_ref_012_w2aab2b8b5b1b7b1ab1ac12Aa","unstructured":"[12] N. Sakimura, J. Bradley, and M. Jones, \u201cOpenID Connect Discovery 1.0,\u201d 2013."},{"key":"2021040703311909712_j_popets-2017-0029_ref_013_w2aab2b8b5b1b7b1ab1ac13Aa","unstructured":"[13] \u2014\u2014, \u201cOpenID Connect Dynamic Client Registration 1.0,\u201d 2013."},{"key":"2021040703311909712_j_popets-2017-0029_ref_014_w2aab2b8b5b1b7b1ab1ac14Aa","doi-asserted-by":"crossref","unstructured":"[14] P. Jones, J. Smarr, G. Salgueiro, and M. Jones, \u201cWebfinger,\u201d 2013.","DOI":"10.17487\/rfc7033"},{"key":"2021040703311909712_j_popets-2017-0029_ref_015_w2aab2b8b5b1b7b1ab1ac15Aa","unstructured":"[15] \u201cISO\/IEC 29115:2013 - Information technology \u2013 Security techniques \u2013 Entity authentication assurance framework.\u201d [Online]. Available: http:\/\/www.iso.org\/iso\/iso_catalogue\/catalogue_tc\/catalogue_detail.htm?csnumber=45138"},{"key":"2021040703311909712_j_popets-2017-0029_ref_016_w2aab2b8b5b1b7b1ab1ac16Aa","unstructured":"[16] K. Cameron, \u201cThe laws of identity,\u201d Microsoft Corp, 2005."},{"key":"2021040703311909712_j_popets-2017-0029_ref_017_w2aab2b8b5b1b7b1ab1ac17Aa","unstructured":"[17] \u201cIntroducing Windows CardSpace.\u201d [Online]. Available: https:\/\/msdn.microsoft.com\/en-us\/library\/aa480189.aspx"},{"key":"2021040703311909712_j_popets-2017-0029_ref_018_w2aab2b8b5b1b7b1ab1ac18Aa","doi-asserted-by":"crossref","unstructured":"[18] M. Nottingham and E. Hammer-Lahav, \u201cDefining well-known uniform resource identifiers (uris),\u201d Tech. Rep., 2010.","DOI":"10.17487\/rfc5785"}],"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/content.sciendo.com\/view\/journals\/popets\/2017\/3\/article-p75.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.sciendo.com\/article\/10.1515\/popets-2017-0029","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T16:29:48Z","timestamp":1658334588000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2017\/popets-2017-0029.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,1]]},"references-count":18,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2017,7,6]]},"published-print":{"date-parts":[[2017,7,1]]}},"alternative-id":["10.1515\/popets-2017-0029"],"URL":"https:\/\/doi.org\/10.1515\/popets-2017-0029","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,7,1]]}}}