The problem of federated identity, the ability to sign in across multiple services, has not been solved in a privacy-respecting or secure manner. We briefly analyze the design of OpenID Connect, as implemented by Google and Microsoft, and of BrowserID, as implemented by Mozilla Persona. We then consider a capabilities-based approach to federated identity, which treats an identity as a set of capabilities that a user can prove to a service that they possess, such as the capability to check a particular email address. Finally, we show how existing federated identity approaches can be redesigned around capabilities that are verified using key material.