Re: [VoT] Vectors of Trust I-D
"Jones, Mark B" <Mark.B.Jones@uth.tmc.edu> Tue, 30 June 2015 16:04 UTC
Return-Path: <prvs=9623bc1f25=mark.b.jones@uth.tmc.edu>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D88E11ACD4F for <vot@ietfa.amsl.com>; Tue, 30 Jun 2015 09:04:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.221
X-Spam-Level:
X-Spam-Status: No, score=-2.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LBaa3Cq0hI1o for <vot@ietfa.amsl.com>; Tue, 30 Jun 2015 09:04:02 -0700 (PDT)
Received: from mta6.uth.tmc.edu (mta6.uth.tmc.edu [129.106.163.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E34D41ACD4E for <vot@ietf.org>; Tue, 30 Jun 2015 09:04:01 -0700 (PDT)
Received: from pps.filterd (mta6.uth.tmc.edu [127.0.0.1]) by mta6.uth.tmc.edu (8.15.0.59/8.15.0.59) with SMTP id t5UFjuhg006626; Tue, 30 Jun 2015 11:03:52 -0500
Received: from uthmail4.uthouston.edu ([129.106.175.240]) by mta6.uth.tmc.edu with ESMTP id 1va0phc141-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 30 Jun 2015 11:03:52 -0500
Received: from UTHMAIL1.uthouston.edu ([fe80::c1d2:3f6a:4f56:4fa4]) by UTHMAIL4.uthouston.edu ([fe80::c5ef:d941:6689:80df%21]) with mapi id 14.03.0210.002; Tue, 30 Jun 2015 11:03:51 -0500
From: "Jones, Mark B" <Mark.B.Jones@uth.tmc.edu>
To: Justin Richer <jricher@mit.edu>, Jim Fenton <fenton@bluepopcorn.net>
Thread-Topic: [VoT] Vectors of Trust I-D
Thread-Index: AQHQsIeG59OZHqfCD0icaga7zerMgZ3FYpmAgAAqOwD//62ZoA==
Date: Tue, 30 Jun 2015 16:03:50 +0000
Message-ID: <38AAF00EA635514CA6667ACA60C7F0A548AF141C@UTHMAIL1.uthouston.edu>
References: <4DF01AF4-CD33-4BB7-958B-FFECD37C8AFE@mit.edu> <55929843.2030104@bluepopcorn.net> <A202983A-96F5-498B-9096-B6C3523A1C14@mit.edu>
In-Reply-To: <A202983A-96F5-498B-9096-B6C3523A1C14@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [129.106.8.25]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_01DD_01D0B324.7157ABF0"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-06-30_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1506180000 definitions=main-1506300240
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/QgR2NgvtI09b9y-K8OhEo8n4k3U>
Cc: "vot@ietf.org" <vot@ietf.org>
Subject: Re: [VoT] Vectors of Trust I-D
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 16:04:06 -0000
'Credential' is just as overloaded as 'token'. I think you just need to pick a term and make sure it is well defined in the document. The External Identity working group decided to use the term 'authenticator'. https://spaces.internet2.edu/display/EXTID/External+Identities+Working+Group +Report From: vot [mailto:vot-bounces@ietf.org] On Behalf Of Justin Richer Sent: Tuesday, June 30, 2015 10:54 AM To: Jim Fenton Cc: vot@ietf.org Subject: Re: [VoT] Vectors of Trust I-D Leif and I went back and forth on this one and decided to put a stake in the ground to start at. One of the biggest challenges in LoA-style systems has always been the overloading of the linear scale model. I've seen passionate arguments about the ordering of otherwise similar components, with people willing to die for the cause on both sides. I think that we can side step that with the technology expression while still keeping the "common sense semantics" of ordinals. In that "2 is probably better than 1 for most values of better but mostly they're just different". I'm also afraid of the growth of the space for each component, but hopefully by having a few definitions set good examples (like the spec itself) we can encourage people to summarize the categories appropriately, as Josh talks about in his response. While I agree that naming things is hard, and I'm open to new names, I'm very strongly against the use of "token" here. It's already far too overloaded a term. OAuth issues tokens, FIDO calls their devices tokens, the IETF's "token binding" is calling something (that I'm not even sure what it is) tokens, even the WS-* folks have started to re-cast all the WS-* stuff as "tokens". I think the more precise term is "primary credential" or "primary user credential". Neither of these have anything to do with the attributes, but they do speak to how strongly bound the credential is to the account. Still, I'm open to better names. Thanks for the feedback, - Justin On Jun 30, 2015, at 9:23 AM, Jim Fenton <fenton@bluepopcorn.net> wrote: Justin and Leif, thanks for getting things moving with this draft. The biggest surprise to me is that (section 2.2, last paragraph) the components of the vector do not have ordinal properties; i.e., they are just an enumerated list. Aside from confusing people that are expecting a vector to be a set of scalars, it also requires Relying Parties, for example, to enumerate all of the types of credential management they will accept rather than "C2 or better". This isn't a huge problem at the current scale, but I'm concerned that the number of choices might grow. I also have some problem with the use of the term "credential" because it encompasses management of attributes as well as tokens, which then overlaps with the identity proofing dimension which is, more generally, the question of how strongly the relying party can depend on attribute values. I'd rather that we use the term "token" rather than "credential" to keep these separate. -Jim On 6/26/15 8:15 PM, Justin Richer wrote: Hi Everyone, I have taken the initial strawman proposal along with a substantial number of edits and inputs from several folks and have created an initial I-D of the document: https://tools.ietf.org/id/draft-richer-vectors-of-trust-00 <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_id_draf t-2Dricher-2Dvectors-2Dof-2Dtrust-2D00&d=BQMF-g&c=6vgNTiRn9_pqCD9hKx9JgXN1Va pJQ8JVoF8oWH1AgfQ&r=jgMu8DNgV_dycz0rYwkNbEQq36F0BI5_Zpblz7C5LhM&m=D7k8gb4TAu copdNmcdaifmXQtO1jWHH2uV_Cj6pmYHA&s=IwCJH7ghyIh0YTbpIPjpug1zmFhB0yPqQGbyYhqr mRw&e=> It's still a very drafty draft, but hopefully it's starting to make this a concrete thing. Please read it over and discuss it here on the list. I would like to propose a bar-BoF in Prague for VoT for anyone who would like to discuss this. If you're interested (and will be there in person), let me know! - Justin _______________________________________________ vot mailing list vot@ietf.org https://www.ietf.org/mailman/listinfo/vot <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_l istinfo_vot&d=BQMF-g&c=6vgNTiRn9_pqCD9hKx9JgXN1VapJQ8JVoF8oWH1AgfQ&r=jgMu8DN gV_dycz0rYwkNbEQq36F0BI5_Zpblz7C5LhM&m=D7k8gb4TAucopdNmcdaifmXQtO1jWHH2uV_Cj 6pmYHA&s=X0ZbIaYx4wnBo5JKrUCwAlSMm0NP7vycKmcLkHZBw3I&e=>
- [VoT] Vectors of Trust I-D Justin Richer
- Re: [VoT] Vectors of Trust I-D Josh Howlett
- Re: [VoT] Vectors of Trust I-D Jim Fenton
- Re: [VoT] Vectors of Trust I-D Justin Richer
- Re: [VoT] Vectors of Trust I-D Justin Richer
- Re: [VoT] Vectors of Trust I-D Jones, Mark B
- Re: [VoT] Vectors of Trust I-D Scott Shorter
- Re: [VoT] Vectors of Trust I-D Ira McDonald
- Re: [VoT] Vectors of Trust I-D Kelts, David
- Re: [VoT] Vectors of Trust I-D Jim Fenton