Re: [VoT] IPR disclosures

Justin Richer <> Sun, 26 November 2017 03:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6A29C128C82 for <>; Sat, 25 Nov 2017 19:02:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.211
X-Spam-Status: No, score=-2.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8UXoIxU4cD5R for <>; Sat, 25 Nov 2017 19:02:05 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4DE9126DFB for <>; Sat, 25 Nov 2017 19:02:04 -0800 (PST)
X-AuditID: 1209190f-d99ff7000000581b-7a-5a1a2eabeb8b
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 6F.4A.22555.BAE2A1A5; Sat, 25 Nov 2017 22:02:03 -0500 (EST)
Received: from (OUTGOING-AUTH-1.MIT.EDU []) by (8.13.8/8.9.2) with ESMTP id vAQ3217G029917; Sat, 25 Nov 2017 22:02:02 -0500
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id vAQ31xRe006448 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 25 Nov 2017 22:02:00 -0500
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4FA0465E-B429-4166-917E-983016B5E3D1"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Sat, 25 Nov 2017 22:01:58 -0500
In-Reply-To: <>
Cc: "Paul A. Grassi" <>, John Bradley <>, Leif Johansson <>, "" <>
To: Phil Hunt <>
References: <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOKsWRmVeSWpSXmKPExsUixCmqrLtaTyrKYG+fqsWC3q3MFsv75SwW zG9kt1h99y+bRcPPB6wOrB5Llvxk8rh28i+rx8ent1g89m7qY/e4fXsjSwBrFJdNSmpOZllq kb5dAlfGlfNPmAt+NDBVbDl2gqmBcfIjxi5GTg4JAROJ5sNHWbsYuTiEBBYzSUya8ZEdwtnI KNEyZQYzhHONSWLDir8sIC1sAqoS09e0MIHYvAJWEheWNgGN4uBgFkiSePYuB8TkFdCX6H0O tkBYQEni4fQ3YNUsQJ1L7x5lBinhFLCTWPsyGWQ6s8A0RonOqyfAposIqEh8u3qdEWLtR2aJ Dw93MUNcKitxa/Yl5gmM/LMQts1C2DYLqIhZQFti2cLXzBC2psT+7uUsmOIaEp3fJrIuYGRb xSibklulm5uYmVOcmqxbnJyYl5dapGuil5tZopeaUrqJERwTkvw7GOc0eB9iFOBgVOLh3XFE MkqINbGsuDL3EKMkB5OSKG9Hv3iUEF9SfkplRmJxRnxRaU5q8SFGCQ5mJRFeLhGpKCHelMTK qtSifJiUNAeLkjjvtqBdkUIC6YklqdmpqQWpRTBZGQ4OJQnedF2gRsGi1PTUirTMnBKENBMH J8hwHqDhP3RAhhcXJOYWZ6ZD5E8xhnNsuHn3DxPHPjC57vQ9INm27T6Q3PD9AZB8NvN1AzPH tKutTcwc845/a2IWYsnLz0uVEudtBhknADIuozQPbiMoPbqvs7N4xSgODABhXjOQw3iAqRVu 5yugc5iAznl6UhzknJJEhJRUA+OEw1Xq+QW73QUmZftUzHxn/yY/+PzDp2lX3OS/OZQemrP/ ZX+7UlLI6947GjVXWuYvyhc8fKBeKSq54PpnLh//W0m3Hv3QeNF6+KqTbO7bvcZ9vimtN9Yz ft/efyd1erbR44UneL8fW73OdX7rjst7ZW7eC9E78C7TcWfrpCluUcIfNXbunHlbiaU4I9FQ i7moOBEAs3IJ62oDAAA=
Archived-At: <>
Subject: Re: [VoT] IPR disclosures
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Vectors of Trust discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 26 Nov 2017 03:02:08 -0000

From a technical standpoint, this is done by configuration. I get a vector and a trustmark URL. As an RP, I can look at the trustmark URL and do a simple string comparison against a list of trustmark URLs that I’ve been configured to trust — much the same way that RPs that talk to multiple IdPs do so today with issuer URLs (in both OIDC and SAML worlds). You’re absolutely right that deciding what goes on that list is a business decision, and more philosophical than technical. However, as a technical spec, VoT seeks to solve the technical problem of how to convey the information of what the IdP thinks about the current user and the current transaction. It does not seek to solve the question of how the RP determines if the IdP is allowed to make those claims or not, but instead gives the IdP a means of making these claims (a means that doesn’t exist otherwise). It’s not the end-goal that you are seeking, but it’s a major step forward. 

Per John’s request, here’s the introduction text that I’ve been working on this week as the draft goes forward:

Methods for measuring trust in digital identity transactions have historically fallen into two main categories: either all measurements are combined into a single scalar value, or trust decisions are calculated locally based on a highly detailed set  of attribute metadata. This document defines a method of conveying trust information that is more expressive than a single value but less complex than comprehensive attribute metadata. 

Prior to the third edition published in 2017, NIST Special Publication 800-63 used a single scalar measurement of trust called a Level of Assurance (LoA). An LoA can be used to compare different transactions within a system at a coarse level. For instance, an LoA4 transaction is generally considered more trusted (across all measured categories) than an LoA2 transaction. The LoA for a given transaction is computed by the identity provider (IdP) and is consumed by a relying party (RP). Since the trust measurement is a simple numeric value, it’s trivial for RPs to process and compare. However, since each LoA encompasses many different aspects of a transaction, it can’t express many real-world situations. For instance, an anonymous user account might have a very strong credential, such as would be common of a whistle-blower or political dissident. Despite the strong credential, the lack of identity proofing would make any transactions conducted by the account to fall into a low LoA. Furthermore, different use cases and domains require subtly different definitions for their LoA categories, and one group’s LoA2 is not equivalent or even comparable to another group’s LoA2. 

Attribute based access control (ABAC) systems used by RPs may need to know details about a user’s attributes, such as how recently the identity data was verified and by whom. Attribute metadata systems are capable of expressing a large and detailed amount of detail about the transaction. However, this approach requires the IdP to collect, store, and transmit all of this attribute data for the RP’s consumption. The RP must process this data, which may be prohibitive even for the most trivial security decisions. 

Vectors of Trust (VoT) seeks a balance between these two alternatives by allowing expression of multiple aspects of an identity transaction (including but not limited to identity proofing, credential strength, credential management, and assertion strength), without requiring full attribute metadata descriptions. This method of measurement gives more actionable data and expressiveness than an LoA, but is still relatively easy to process and calculate by the RP. It is anticipated that VoT can be used alongside more detailed attribute metadata systems. The RP can use the vector value for most basic decisions but be able to query the IdP for additional attribute metadata where needed. Furthermore, it is anticipated that some trust frameworks will provide a simple mapping between certain sets of vector values to LoAs, for RPs that do not have a need for the vector’s higher level of detail.

This document defines a data model for these vectors and an on-the-wire format for conveying them between parties, anchored in a trust definition. Additionally, this document defines a general-purpose component values and a mechanism for defining custom vector components which can be used by systems that need something more specific. 

Happy to hear feedback about the new intro and if it situates this work better. I still believe that you (Phil) want a different solution to a different problem than what VoT solves. Namely, I think you want the attribute metadata solution which would augment VoT, as described above. That’s great, and I look forward to seeing progress in that area as well. However, VoT shouldn’t be held up from solving the 90% use case that Paul mentions because the other 10% is going to take a lot more work. You want a surgical scalpel. We just need a good, sharp paring knife. Right now, everyone’s using a pointy stick and hoping for the best. VoT was never meant to solve what you’re asking it to solve, nor do I believe it should try to do so. Let other good work do that, and let this solve what it’s meant for. 

— Justin

> On Nov 24, 2017, at 12:52 AM, Phil Hunt <> wrote:
> What you described to me before required an RP to set up policy manually based on the reputation of the asserting party (eg its main business) in order to divine the meaning of its identity proofing. 
> If that is the case, VoT as a standard does not improve interop, it causes more confusion because the spec does not define how a system may interpret the value other than in a philosophical sense. "Is John really John?" just isn't useful if it isn't the right John.
> Phil
> On Nov 23, 2017, at 7:27 PM, Grassi, Paul A. (Fed) < <>> wrote:
>> Fine. But as I have said you want a unicorn when we just want a car that can drive in the same Lane as SAML. Your unicorn is coming, as the phases of igov include international agreement on vot vectors/values and attribute metadata to assert 'assurance' of attributes that are unrelated to proofing. 
>> I happy for your contribution don't take unicorn comment poorly. Just a quick post turkey dinner way of making a point. Happy US Thanksgiving. 
>> Sent from my iPhone
>> On Nov 23, 2017, at 5:25 PM, Phil Hunt < <>> wrote:
>>> The issue i am concerned about then is that by leaving out the issue of claims than the vot is incomplete and would require a separate statement. 
>>> This leads to a lot of interop and complexity problems down the road.  Which value wins etc given they would overlap. 
>>> The vot does not have to address it now but it should have the capability to do so (that may not be possible without a model). 
>>> This is a lot like when we found loa was actually multi dimensional and it had to dramatically change.  IAL falls into the same problem. 
>>> Phil
>>>> On Nov 23, 2017, at 2:08 PM, Leif Johansson < <>> wrote:
>>>>> On 2017-11-23 21:23, John Bradley wrote:
>>>>> Authors,
>>>>> As part of the write-up for the Vectors of trust document, we need an
>>>>> IPR disclosure from all of you.
>>>>> Are you aware of any IPR related to the following VOT document?
>>>>> <>
>>>>> Please reply to the list.  
>>>>> Regards
>>>>> John B. 
>>>> I am not.
>>>> _______________________________________________
>>>> vot mailing list
>>>> <>
>>>> <>
>>> _______________________________________________
>>> vot mailing list
>>> <>
>>> <>
>> _______________________________________________
>> vot mailing list
>> <>
>> <>