IETF Logo Mail Archive

Re: [VoT] Vectors of Trust: A Strawman

Nat Sakimura <sakimura@gmail.com> Thu, 02 October 2014 23:36 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3CB71ACFA0 for <vot@ietfa.amsl.com>; Thu, 2 Oct 2014 16:36:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cexe8D1SbLGX for <vot@ietfa.amsl.com>; Thu, 2 Oct 2014 16:36:05 -0700 (PDT)
Received: from mail-la0-x22a.google.com (mail-la0-x22a.google.com [IPv6:2a00:1450:4010:c03::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF4291ACF9C for <vot@ietf.org>; Thu, 2 Oct 2014 16:36:04 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id mk6so120565lab.29 for <vot@ietf.org>; Thu, 02 Oct 2014 16:36:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Yhuc1vN5M2PBLN66io/+FDxBKqX2iaKIiQWygXTI2pY=; b=g06aoOReob7YlfxDDP4u+1NMR+OQexB69/jPpV5AauH0XBtKAAxGFXWHQt0qyOLV3k ZiprCXErnpYXCWw4zWnplGs/BM46mLTWfXB1yvLtw6Q7EDoGUyHU5UNhhildqfmH/oQd m1QckgLTw0zg5+6Rc58CBztJ5V97yh4y0DxpbT0ZnRqDQnSh6FJjo8KW0f04HopcGESt bTwjbWNIgrU+uHM+M+a9VuIZvIAsDb0vQoyRAiefDwngfQpFYzXbmlei84Fymy/1ndSh 3nXMe014XZWsdFsjZ+jwJvlD00bZqyGVn82nq1ukDC8QtZvHuFhKZoptEAOemrNa++5i ji/w==
MIME-Version: 1.0
X-Received: by 10.112.140.137 with SMTP id rg9mr1574022lbb.93.1412292963056; Thu, 02 Oct 2014 16:36:03 -0700 (PDT)
Received: by 10.112.166.10 with HTTP; Thu, 2 Oct 2014 16:36:03 -0700 (PDT)
In-Reply-To: <542DCCA7.8070308@bluepopcorn.net>
References: <42FAEF9E-37A4-4F3A-84C0-63C1FBC22EC6@mitre.org> <542DCCA7.8070308@bluepopcorn.net>
Date: Fri, 03 Oct 2014 08:36:03 +0900
Message-ID: <CABzCy2CHJ7iZaORCvr0OkwCP_s8kHa-G9o-Osps00N_Vx_=mgA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Content-Type: multipart/alternative; boundary="001a11c2b34661c33605047914f0"
Archived-At: http://mailarchive.ietf.org/arch/msg/vot/J3oXV9WC6lVluXpZkjcpefOdmt0
Cc: vot@ietf.org
Subject: Re: [VoT] Vectors of Trust: A Strawman
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 23:36:08 -0000

2014-10-03 7:07 GMT+09:00 Jim Fenton <fenton@bluepopcorn.net>:

>  Hi Justin,
>
> Good kickoff!
>

+1


>
>
> On 10/2/14 2:10 PM, Richer, Justin P. wrote:
>
>
> The first question is what vectors should there be? Embedded in this is
> how many there should be in the first place. Too few vectors and we end up
> with the overly-simplified and usually-misused problem that LoA has today.
> Too many vectors and we end up with an un-navigable set of values where
> everybody's niche concern is a special snowflake. We need to stay allergic
> to both cases and shoot for something "in the middle". In particular, my
> own personal gut instinct says we should shoot for 3 to 5 vectors. I'm
> going to propose 4 here, all of them linear scales. As a side note, it's a
> question whether all of these are even linear scales, but I think it's
> important that we define comparison metrics on each vector element as well
> as the overall values.
>
>
> I'd suggest s/vectors/dimensions/
>
> But what you're saying is that within each dimension, the relationships
> are well-ordered.
>
>
>
>
>  So what vectors should we have? The LoA definition in 800-63 gives us a
> few to work from as starting points, as well as some work that's been done
> in the UK.
>
>
> A bit of history: 800-63 is a response to OMB M-04-04, which defined 4
> levels of assurance. 800-63 is a response to the OMB document describing
> how each of the assurance levels should be achieved. During the 800-63-1
> revision, there was some discussion about doing something different,
> particularly to support the NSTIC strategy's vision of separate identity
> and attribute providers. Also, it would have been a major change and it
> would have made it less clear how 800-63 is responsive to M-04-04, which is
> its primary official purpose. So a paragraph was added to the introduction
> (although it doesn't explicitly mention LoA):
>
> Current government systems do not separate functions related to identity
> proofing in registration from credential issuance. In some applications,
> credentials (used in authentication) and attribute information (established
> through identity proofing) could be provided by different parties. While a
> simpler model is used in this document, it does not preclude agencies from
> separating these functions.
>
>
>
>
>
>
>  *Identity proofing: *
>
>  This covers how sure the IdP is of various attributes about the user on
> the way in, and how much they're willing to vouch for those attributes.
>
>  0: self-asserted / anonymous / randomized / no idea
> 1: consistent over time / pseudonymous
> 2: proofed in person
> 3: contractually bound
>
>
> "consistent over time/pseudonymous" is probably also self-asserted.
>

Not sure about it. There can be pseudonymous - time consistent identifier
which is based on well vetted core identity. A prime example is Austrian
eID. A sector specific pseudonym is generated from LoA4 Qualified
Certificate.


>
> I notice that you don't have a value for online identity proofing. Was
> that an intentional omission?
>

Right. Also, having proofed in person / online and the assurance level of
the proofing is kind of orthogonal. There are many cases of lousy in-person
proofing, and there are cases of excellent online proofing.

The same is true for the contractual binding. It depends on the quality of
contract.

OK. I am running out of time. I will respond to the below at a later time.

Cheers,

Nat


>
> I'm curious what "contractually bound" is beyond in-person proofing.
>
>
>  *Credential strength:*
>
>  This covers how strongly bound the primary credential is to an
> individual presenter, and how easily spoofed or stolen it is.
>
>  0: no credential / public
> 1: shared secret / password
> 2: proof of key possession
> 3: multiple factors [and probably higher definitions here as well -- but
> we want to avoid all the little bespoke 2FA companies getting to define a
> special snowflake "credential strength" value or else this becomes useless]
>
>
> Anything here about how the secret key is protected? How about bearer
> assertions like cookies?
>
>
>  *Assertion presentation:*
>
>  This covers how much the federation protocol leaks information over the
> network to various parties, and how much of that information could be
> tampered in transit without the RP noticing.
>
>  0: no protection / leaky
> 1: signed & verifiable through browser
> 2: signed & verifiable through back channel
> 3: target-encrypted to RP's own key
>
>
> 3 seems like it's addressing a different problem (secrecy) rather than the
> verifiability of the assertion.
>



>
>
>
>  *Operational management:*
>
>  This covers a variety of information about the identity provider and its
> host organization. What's the OpSec policy of the IdP? Is there disaster
> recovery in place? How mature is the hosting organization? What kind of
> incident response can be expected? How strongly bound is a particular
> attribute to a particular credential [though maybe this fits under identity
> proofing]? You'll note that already this feels a lot less linear and a lot
> less defined than the other three.
>
>
>  It is probably a mistake to try and smush these back into a linear scale
> like LoA, since that's exactly what we're trying to get away from. However,
> it would probably be a good and enlightening exercise to map the existing
> LoA definitions into these vectors.
>
>
> I think this is very important, to be able to use vectors of trust with
> legacy LOA-based systems. I made an effort to do a mapping like this a
> couple of years back, based on a somewhat different vector:
> http://www.slideshare.net/jim_fenton/nstic-loa (at slide 9).
>
>
>
>
>  Finally, I think we need to think about and discuss the notion of the
> assessment and trustmarks that would be powering the trust in all of these
> values. After all, if they're just self-asserted by the IdP, that doesn't
> really help anyone. However, if we had a discovery mechanism whereby a
> trustmark provider would be able to host a machine-readable definition of
> what vectors a particular IdP has been proven to be able to claim for any
> transaction, I think we've got a good leg up on the problem.
>
>
> Yes: it's essential that we address the accreditation of the
> authentication and attribute providers in this structure. It's not clear
> that they're additional dimensions, though: a level 3 assertion from an
> entity that's only accredited at level 2 should probably just be treated at
> the lower level unless there's an indication of fraud. It's also possible
> that some providers might be accredited at different levels for different
> purposes: perhaps they have an accreditation at level 3 from the financial
> community, but only level 2 for health care.  We need to consider that.
>
> -Jim
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email