| Summary: | OpenID Connect (OIDC) is a widely used authentication standard for the Web. In this work, we define a new Identity Certification Token (ICT) to enable end-to-end user authentication by using and extending OIDC’s native mechanisms. An ICT can be thought of as a JSON-based, short-lived user certificate for end-to-end user authentication without the need for cumbersome key management. A user can request an ICT from his OpenID Provider (OP) and use it to prove his identity to other users that trust the OP. We call this approach Open Identity Certification with OpenID Connect (OIDC2) and compare it to other well-known end-to-end authentication methods. Unlike certificates, OIDC2 does not require installation and can be easily used on multiple devices, making it more user-friendly. We outline protocols for implementing OIDC2 based on existing standards. We discuss the trust relationship between entities involved in OIDC2, propose a classification of OPs’ trust level, and propose authentication with multiple ICTs from different OPs. We explain how different applications such as video conferencing, instant messaging, and email can benefit from ICTs for end-to-end authentication and recommend validity periods for ICTs. To test OIDC2, we provide a simple extension to existing OIDC server software and evaluate its performance.
|
|---|