Re: [VoT] Vectors of Trust I-D feedback

Nat Sakimura <sakimura@gmail.com> Tue, 04 August 2015 07:07 UTC

In-Reply-To: <b7ac111fe780ea9a3949cd2ce0890967@imap.gmail.com>
References: <569AD906E45DB44A8AFF11D61F5DA791014ADE44CF@WLGPRDMBX02.dia.govt.nz> <39A67012-222A-4C23-B92A-B7AB55744B2D@hoerbe.at> <55BA14B2.3070105@mit.edu> <C9563753-E9E2-4990-9B7C-3AFEE232BD01@hoerbe.at> <CABzCy2AUA4ycTcj0-kgu_YaceduJRJYjruXs=X2zE1nowryGEQ@mail.gmail.com> <55BFEBC2.7070209@bluepopcorn.net> <10CB72ED-E445-4972-A851-D311FD5F883B@hoerbe.at> <b7ac111fe780ea9a3949cd2ce0890967@imap.gmail.com>
Date: Tue, 04 Aug 2015 16:07:05 +0900
Message-ID: <CABzCy2CXC4qYzfRidPU3wODL3t-b+-=7qhtAFQ3ErtO=EL1KEg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: "vot@ietf.org" <vot@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b8739d207fa89051c76ef19"
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/T2zJZ12K9qg3pz6m4sggE3mIWcA>
Subject: Re: [VoT] Vectors of Trust I-D feedback

Sorry, I have been experiencing network problems; the signal went up and
down many times.
Apparently, the web mail was reloading each time that happened and somehow
sending out the message each time.

I sincerely apologize for it.

Nat

2015-08-04 15:44 GMT+09:00 sakimura <sakimura@gmail.com>:

> On 2015-08-04 15:12, Rainer Hoerbe wrote:
>
>> On 04.08.2015 at 00:31, Jim Fenton <fenton@bluepopcorn.net> wrote:
>>
>>>
>>> To be entirely consistent with ISO/IEC 29115, we would need to rename
>>> Identity Proofing as Enrolment, and Credential Usage as Authentication.
>>>
>>
> Actually, renaming it as Enrollment may have some merit. Identity Proofing
> is only a process within Enrollment.
> There is a whole bunch of other stuff that has to happen then.
> Even if the Identity Proofing was done perfectly, if the act of creating
> the record in the identity register is broken, it is broken.
>
>
>>> But ISO/IEC 29115 refers to these as phases: they occur at different
>>> times (or, in the case of Credential Management, over a long period of
>>> time) and have different threat models. But I would like to ask under which
>>> circumstances a Relying Party would act differently to an indication of
>>> less secure Credential Management vs. less secure Authentication.
>>>
>> For a targeted attack, a weak credential recovery will lower the
>> adversary's effort significantly, whereas in large numbers a combined 2F
>> AuthN will still reduce the overall risk.
>>
>
> +1. That is one of the reasons I feel it is worthwhile to differentiate
> them.
>
>
>>> There are credential management practices that would make a credential
>>> unsuitable for highly secure authentication, but why not just represent
>>> that as less secure authentication? VoT should be only as complex as
>>> required; it should not represent aspects of the process that the relying
>>> party does not need.
>>>
>>
>> +1. However, I remember a discussion at IIW where someone argued that
>> an important use case for VoT is the combination of C4 (U2F) with  P1
>> (self-asserted) for social ids. But social networks are prioritizing
>> usability over security with a weak recovery mechanism.
>>
>
> In the private sector, there are lots of cases where identity proofing in
> the traditional sense does not matter but secure authentication does.
> I actually co-authored a paper on it last month.
>
>
>> - Rainer
>>
>> _______________________________________________
>> vot mailing list
>> vot@ietf.org
>> https://www.ietf.org/mailman/listinfo/vot
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
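Editorial addendum, not part of the thread above and not code from the VoT draft: a small relying-party check that evaluates Credential Management (M) separately from Credential Usage (C), the distinction Rainer and Nat argue is worth keeping. The vector syntax (dot-separated components, one letter P/C/M/A followed by one digit, as in the "C4" and "P1" mentioned in the thread), the meaning "higher digit is stronger", the sample vector and the policy thresholds are all assumptions made for this illustration.

```python
"""Added example (editorial, not from the thread or the VoT draft): a relying
party that evaluates Credential Management (M) separately from Credential
Usage (C).

Assumptions, labelled here because the draft does not fix them for this code:
  * vector syntax is '.'-separated components, one letter (P, C, M, A)
    followed by one digit, e.g. 'P1.C4.M1';
  * a higher digit means a stronger level;
  * the policy thresholds below are made up for illustration.
"""

import re

COMPONENT = re.compile(r"^([PCMA])([0-9])$")


def parse_vector(vector: str) -> dict:
    """Parse 'P1.C4.M1' into {'P': 1, 'C': 4, 'M': 1}.

    Fails closed: an unknown letter, a non-digit value or a duplicated
    component raises ValueError instead of yielding a partial result.
    """
    parsed = {}
    for part in vector.split("."):
        m = COMPONENT.match(part)
        if m is None:
            raise ValueError(f"malformed vector component {part!r}")
        letter, value = m.group(1), int(m.group(2))
        if letter in parsed:
            raise ValueError(f"component {letter} given twice")
        parsed[letter] = value
    return parsed


def evaluate(vector: str, policy: dict) -> tuple:
    """Check a vector against {component: minimum}; return (ok, shortfalls).

    A component the IdP did not assert counts as 0, so an IdP that stays
    silent about credential management is treated as weakest, not as unknown.
    """
    parsed = parse_vector(vector)
    shortfalls = []
    for letter, minimum in sorted(policy.items()):
        have = parsed.get(letter, 0)
        if have < minimum:
            shortfalls.append(f"{letter}{have} < required {letter}{minimum}")
    return (not shortfalls, shortfalls)


# Hypothetical policies. AUTHN_ONLY is the "fold management into
# authentication" view: it inspects C alone. TARGETED_ACCOUNT is for
# accounts worth an individual attacker's effort, where a strong C is not
# enough if recovery (M) is weak.
AUTHN_ONLY = {"C": 3}
TARGETED_ACCOUNT = {"C": 3, "M": 2}

# Constructed vector for the social-login case discussed in the thread:
# self-asserted identity (P1), hardware second factor (C4), weak recovery (M1).
SOCIAL_LOGIN_U2F = "P1.C4.M1"


def demo() -> dict:
    """Run both policies over the social-login vector (also used by tests)."""
    return {
        "authn_only": evaluate(SOCIAL_LOGIN_U2F, AUTHN_ONLY),
        "targeted": evaluate(SOCIAL_LOGIN_U2F, TARGETED_ACCOUNT),
        "no_m_asserted": evaluate("P1.C4", TARGETED_ACCOUNT),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14s} {'accept' if ok else 'reject'} {why}")
```

The same U2F-backed social login passes the authentication-only policy and fails the targeted-account policy, which is exactly the case where a relying party acts differently on M than on C; an IdP that omits M altogether is deliberately treated as M0 rather than given the benefit of the doubt.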