Re: [VoT] Vectors of Trust I-D feedback

Rainer Hoerbe <rainer@hoerbe.at> Fri, 31 July 2015 08:44 UTC

From: Rainer Hoerbe <rainer@hoerbe.at>
In-Reply-To: <55BA14B2.3070105@mit.edu>
Date: Fri, 31 Jul 2015 10:44:21 +0200
Message-Id: <C9563753-E9E2-4990-9B7C-3AFEE232BD01@hoerbe.at>
References: <569AD906E45DB44A8AFF11D61F5DA791014ADE44CF@WLGPRDMBX02.dia.govt.nz> <39A67012-222A-4C23-B92A-B7AB55744B2D@hoerbe.at> <55BA14B2.3070105@mit.edu>
To: Justin Richer <jricher@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/WMznBK0RKACCViZmFF-a6HqwxwM>
Cc: "vot@ietf.org" <vot@ietf.org>
Subject: Re: [VoT] Vectors of Trust I-D feedback

See my proposed changes in the attached word document.

Another point: I wonder if there is consistent understanding wrt. Credential Management levels. How do people grade strong credentials that rely on weak recovery mechanisms like eMail and KBA? When multiple C-levels are asserted, they are reducing the risk, but joining session authentication and credential recovery is increasing the risk. I think that VoT should include a rule how to handle this.

- Rainer
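The concern above (a strong primary credential whose account-recovery path is weak) can be made concrete with a small weakest-link model. The following is an added illustration written for this archive page; it is not code from the VoT draft and the draft defines no such rule. The strength scale, the path names and the combination rules (factors that must all be presented combine as at least the strongest one; alternative ways into a session combine as the weakest one) are constructed assumptions for the example.

```python
"""Weakest-link view of credential strength vs. recovery strength.

Constructed model, not VoT semantics: every way of ending up with an
authenticated session is a 'path'. Within one path all listed factors must
be presented; between paths the user (or an attacker) may pick any one.
"""
from dataclasses import dataclass

# Constructed ordinal strength scale (hypothetical; not the draft's levels).
STRENGTH = {
    "kba": 1,          # knowledge-based answers
    "email-link": 1,   # magic link sent to a mailbox
    "password": 2,
    "otp-app": 3,
    "hardware-key": 4,
}


@dataclass(frozen=True)
class Path:
    name: str
    factors: tuple  # factor names that must ALL be presented on this path
    is_recovery: bool = False


def path_strength(path: Path) -> int:
    """Conjoined factors: defeating the path means defeating every factor,
    so it is at least as strong as its strongest factor (simplification)."""
    if not path.factors:
        raise ValueError(f"path {path.name!r} has no factors")
    return max(STRENGTH[f] for f in path.factors)


def effective_strength(paths: list) -> int:
    """Alternative paths: whoever attacks picks the easiest, so the
    session is only as strong as the weakest path into it."""
    return min(path_strength(p) for p in paths)


def audit(paths: list) -> dict:
    """Summarise how far recovery drags the session below the primary login."""
    primary = [p for p in paths if not p.is_recovery]
    recovery = [p for p in paths if p.is_recovery]
    primary_level = effective_strength(primary)
    overall = effective_strength(paths)
    weakest = [p.name for p in paths if path_strength(p) == overall]
    return {
        "primary_level": primary_level,
        "effective_level": overall,
        "weakest_paths": weakest,
        # True when a recovery path lowers assurance below the primary login.
        "recovery_degrades": any(path_strength(r) < primary_level for r in recovery),
    }


# Constructed sample account: strong two-factor login, weak recovery.
SAMPLE_PATHS = [
    Path("primary", ("password", "otp-app")),
    Path("recovery", ("email-link", "kba"), is_recovery=True),
]

if __name__ == "__main__":
    print(audit(SAMPLE_PATHS))
```

Run as a script, the sample shows a primary login at level 3 but an effective level of 1, with the recovery path named as the weakest link; that gap is the case the message argues a VoT rule should address, for instance by requiring recovery paths to be graded no lower than the credential they can reset.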

> Am 30.07.2015 um 14:12 schrieb Justin Richer <jricher@mit.edu>:
> 
> Rainer,
> 
> Thanks for this input, this is helpful. When Leif and I picked the term "Vectors of Trust" we knew that each part of that phrase was problematic in some fashion, but we've yet to hear something that's more serviceable. This is the reasoning behind the explanatory section at the beginning, actually. Can you suggest some text for a better way to situate the terms?
> 
>  -- Justin
> 
> On 7/30/2015 7:20 AM, Rainer Hoerbe wrote:
>> The term vector seems to stick since Bob Morgan's visualization some years ago despite some resistance. However, its connotation in "2.2 Component Architecture" is misleading, because all the language about "mathematical construct", "coordinate system" and "must be orthogonal" is not properly put into context by "need for simplicity" and "somewhat elided model".
>> 
>> I suggest using stronger wording to make it clear to the newcomer that this kind of taxonomy is by its nature an oversimplification. Fitting a square peg into a round hole is the only option to reduce the complexity of trust frameworks. There should be an emphasis that the number of vectors, their orthogonality and composition will never be a clean and undisputed derivation from real trust models, but an extension and improvement from current practices like 800-63. VoT is taking facts that are measurable out of the trust framework, leaving the amorphous rest to TLDR risk assessments.
>> 
>> - Rainer
>> 
>>> Am 30.07.2015 um 06:28 schrieb Joanne Knight <Joanne.Knight@dia.govt.nz <mailto:Joanne.Knight@dia.govt.nz>>:
>>> 
>>> Hi All
>>>  
>>> Due to workloads it has taken me a while to catch up and I am sorry I was unable to make the Bar BoF.
>>>  
>>> I have attached a paper with my thoughts on the drafty draft as well as where my own framework has evolved to so far. I have recently latched on to a resource to aid me in progressing the Identity-related risk assessment, so let me know if anyone is interested in the outcomes, as they are not directly VoT related.
>>>  
>>> Thoughts only, take them at your whim.
>>>  
>>> Cheers
>>>  
>>> Joanne
>>>  
>>>  
>>>  
>>> From: Justin Richer [mailto:jricher@MIT.EDU]
>>> Sent: Saturday, 27 June 2015 3:15 p.m.
>>> To: vot@ietf.org
>>> Subject: [VoT] Vectors of Trust I-D
>>>  
>>> Hi Everyone,
>>>  
>>> I have taken the initial strawman proposal along with a substantial number of edits and inputs from several folks and have created an initial I-D of the document:
>>>  
>>> https://tools.ietf.org/id/draft-richer-vectors-of-trust-00
>>>  
>>> It’s still a very drafty draft, but hopefully it’s starting to make this a concrete thing. Please read it over and discuss it here on the list.
>>>  
>>> I would like to propose a bar-BoF in Prague for VoT for anyone who would like to discuss this. If you’re interested (and will be there in person), let me know!
>>>  
>>>  — Justin
>>> <VoT Feedback.docx>
>>> _______________________________________________
>>> vot mailing list
>>> vot@ietf.org
>>> https://www.ietf.org/mailman/listinfo/vot
>> 
> 