IETF Logo Mail Archive

Re: [VoT] Vectors of Trust I-D feedback

Nat Sakimura <sakimura@gmail.com> Mon, 03 August 2015 23:45 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886621AD06C for <vot@ietfa.amsl.com>; Mon, 3 Aug 2015 16:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JaRdVEOD3cgv for <vot@ietfa.amsl.com>; Mon, 3 Aug 2015 16:45:23 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17C441B29AF for <vot@ietf.org>; Mon, 3 Aug 2015 16:45:23 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so154484755wic.0 for <vot@ietf.org>; Mon, 03 Aug 2015 16:45:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Ie+qhgpwS6PD9vHOnMXE7VaH+dcM8DvpR0YnxzS+eMA=; b=j0D/Wl39rst4MZCrwlv6j5NyFyul0b5Na+1w8+MhG0LXnnjqpiXFT1q6nyMgxPzRUx 4qkg0cei/IcxM34qnbgPkHiT4hwElq5ZtPMc+KRE0DpRcB1hKyfiDhL+9q01xsP9jOjM Fear5mIoeml4EVz1DYefBbWd3Wcej4iVKbdXLebjEn9fXvyaNpQ0z5FjLKdCWU2ZbzTd yoNluIHOtgVZhuM163gJTz8xT+w6K1Mg8gmJ1fs2Bo0YltFfYyvwMQnyd6+zOfAGuaYc TFKZy0jjSsLNfAFcE6j45dMEpM7vdjaewtSazl0WdtpYpoac0nbnFDNlajwQCc8zg/mN u7PA==
MIME-Version: 1.0
X-Received: by 10.194.119.161 with SMTP id kv1mr1150784wjb.157.1438645521803; Mon, 03 Aug 2015 16:45:21 -0700 (PDT)
Received: by 10.28.144.85 with HTTP; Mon, 3 Aug 2015 16:45:21 -0700 (PDT)
In-Reply-To: <CAN40gSv9PD9MUnvnNS1H3hu2Ook7BV+BZP34uUtk8NRMv-8sKA@mail.gmail.com>
References: <569AD906E45DB44A8AFF11D61F5DA791014ADE44CF@WLGPRDMBX02.dia.govt.nz> <39A67012-222A-4C23-B92A-B7AB55744B2D@hoerbe.at> <55BA14B2.3070105@mit.edu> <C9563753-E9E2-4990-9B7C-3AFEE232BD01@hoerbe.at> <CABzCy2AUA4ycTcj0-kgu_YaceduJRJYjruXs=X2zE1nowryGEQ@mail.gmail.com> <55BFEBC2.7070209@bluepopcorn.net> <CAN40gSv9PD9MUnvnNS1H3hu2Ook7BV+BZP34uUtk8NRMv-8sKA@mail.gmail.com>
Date: Tue, 04 Aug 2015 08:45:21 +0900
Message-ID: <CABzCy2An+Lt7k3u++M5DJBQtpHTU8XQ21iYcj4uktH0he8V6iA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Ira McDonald <blueroofmusic@gmail.com>
Content-Type: multipart/alternative; boundary="089e01227ba048f039051c70c31f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/5RB3ZAW7Vb-a27zW_6HXts4S30g>
Cc: Jim Fenton <fenton@bluepopcorn.net>, Rainer Hoerbe <rainer@hoerbe.at>, Justin Richer <jricher@mit.edu>, "vot@ietf.org" <vot@ietf.org>
Subject: Re: [VoT] Vectors of Trust I-D feedback
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2015 23:45:25 -0000

Yup. If I remember correctly, only three words are different between X.1254
and ISO/IEC 29115. X.1254 can be downloaded from here:
https://www.itu.int/rec/T-REC-X.1254-201209-I/en

2015-08-04 8:22 GMT+09:00 Ira McDonald <blueroofmusic@gmail.com>:

> Hi,
>
> And for those who forgot (I did), ISO 29115 is technically equivalent to
> ITU-T X.1254 (and the latter's available online for free download in PDF).
>
> Cheers,
> - Ira
>
>
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto: blueroofmusic@gmail.com
> Winter  579 Park Place  Saline, MI  48176  734-944-0094
> Summer  PO Box 221  Grand Marais, MI 49839  906-494-2434
>
>
> On Mon, Aug 3, 2015 at 6:31 PM, Jim Fenton <fenton@bluepopcorn.net> wrote:
>
>> To be entirely consistent with ISO/IEC 29115, we would need to rename
>> Identity Proofing as Enrolment, and Credential Usage as Authentication.
>>
>> But ISO/IEC 29115 refers to these as phases: they occur at different
>> times (or, in the case of Credential Management, over a long period of
>> time) and have different threat models. But I would like to ask under which
>> circumstances a Relying Party would act differently to an indication of
>> less secure Credential Management vs. less secure Authentication. There are
>> credential management practices that would make a credential unsuitable for
>> highly secure authentication, but why not just represent that as less
>> secure authentication? VoT should be only as complex as required; it should
>> not represent aspects of the process that the relying party does not need.
>>
>> Also, Enrolment includes aspects of the credentialing process that go far
>> beyond identity proofing and the binding of those attributes in a
>> credential. It's the reliability of that attribute assertion that's
>> orthogonal to authentication strength, and not all of the other aspects of
>> enrolment.
>>
>> Finally, I'll repeat my comment that's buried in my review of the I-D the
>> other day that Assertion Presentation should be visible to the RP already.
>> For example, if the assertion is encrypted in transit, the RP will know
>> that without being told. There may be need for the RP to specify how it
>> wants assertions to be presented to it, but that seems like more of a
>> general option to me and not part of the Vector.
>>
>> -Jim
>>
>> On 8/2/15 2:59 AM, Nat Sakimura wrote:
>>
>> I agree that we should split out the credential management and the
>> credential usage.
>> Each should have different "grades".
>>
>> Right now, -00 has:
>>
>> 3.1. Identity Proofing
>> 3.2. Credential Management
>> 3.3. Assertion Presentation
>>
>> Instead, it could be
>>
>> 3.1 Identity Proofing
>> 3.2 Credential Management
>> 3.3 Credential Usage
>> 3.4 Assertion Presentation
>>
>> Then, 3.1 - 3.3 aligns with X.1254 and ISO/IEC 29115, which is good.
>> Note: they are missing 3.4.
>>
>> We also need to define vtm.
>> I imagine that vtm uri would point to the policy documents of the trust
>> framework,
>> but that is not explicitly there.
>>
>> Best,
>>
>> Nat
>>
>>
>>
>>
>> _______________________________________________
>> vot mailing list
>> vot@ietf.org
>> https://www.ietf.org/mailman/listinfo/vot
>>
>>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email