Re: [VoT] Vectors of Trust I-D
Ira McDonald <blueroofmusic@gmail.com> Tue, 30 June 2015 17:37 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D3A1B2A0A for <vot@ietfa.amsl.com>; Tue, 30 Jun 2015 10:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1IqdMFx-OEzs for <vot@ietfa.amsl.com>; Tue, 30 Jun 2015 10:37:52 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CADA1B2A09 for <vot@ietf.org>; Tue, 30 Jun 2015 10:37:52 -0700 (PDT)
Received: by wiwl6 with SMTP id l6so139943667wiw.0 for <vot@ietf.org>; Tue, 30 Jun 2015 10:37:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=7UELqoLhiHPtRDo7G7Mei+SVXgF6Ra7Bb3ddcPfIA1w=; b=zDzubKoGHU03aLqBahm8UChKzAQgHV78IWvyys+U7gszS1LpyJ8mK+tJk87QQEh8PP gkef+Td29d9XKOI9VZaMONp7La1COCrqv0HA/Wxs4TO0358QJOCS+1Ltho3fgeEg8bQh CIAScRZg7lolrey1nXKBmJ6X9Urlo+uLvG0IyXe3nBTDa+cgETQfWQsJZDyqK74hc6K1 +VW7RhYEe1FjnnKw8BVwdIaUKg9J8KtO1SwsFvKeG+SjziY721/Pa325R/YZOGj7AlU7 wnxErNx8PV8GF7qFDzafLP+X+bUxW2FyGsCHnO32ZFYlkeEInsg10/LqBoKgSuJnoh40 S33Q==
X-Received: by 10.194.175.65 with SMTP id by1mr44229268wjc.152.1435685870512; Tue, 30 Jun 2015 10:37:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.53.205 with HTTP; Tue, 30 Jun 2015 10:37:31 -0700 (PDT)
In-Reply-To: <CAKAzxEv59DJYoRdLNYu2hJ9Y5DhZ8vsKeaTk9-jKf-XfDP8A7Q@mail.gmail.com>
References: <4DF01AF4-CD33-4BB7-958B-FFECD37C8AFE@mit.edu> <DB3PR07MB138FDE12ED039C4C8CA9968BCA90@DB3PR07MB138.eurprd07.prod.outlook.com> <3F524C09-C71B-49DA-ADD2-AE57610C6C89@mit.edu> <CAKAzxEv59DJYoRdLNYu2hJ9Y5DhZ8vsKeaTk9-jKf-XfDP8A7Q@mail.gmail.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Tue, 30 Jun 2015 13:37:31 -0400
Message-ID: <CAN40gStnZ2dR=U+9RuEXQV+=D1LDCZPb5i71Sfg-KCiKQZhmew@mail.gmail.com>
To: Scott Shorter <sshorter@electrosoft-inc.com>, Ira McDonald <blueroofmusic@gmail.com>
Content-Type: multipart/alternative; boundary="089e013d196a52344f0519bfaae5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/bM5kJn9qgST5QIEvRnKh4dGGZio>
Cc: Josh Howlett <Josh.Howlett@jisc.ac.uk>, Justin Richer <jricher@mit.edu>, "vot@ietf.org" <vot@ietf.org>
Subject: Re: [VoT] Vectors of Trust I-D
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 17:37:56 -0000
Hi, Thanks Justin and Leif for a really thought-provoking document. Thanks Scott for a compact equation for trust. About terminology: Coming from the mobile device and automotive perspectives, the use of *anonymized* identity for privacy protection is a major requirement. In biometrics especially, devices should send anonymized user identity authentication info as a "token". But the common English definition of "credential" precludes any such anonymization. I suggest shifting to "token" and stressing the need for anonymous (but highly reliable through Trusted Third Parties) device and user identities. Cheers, - Ira Ira McDonald (Musician / Software Architect) Co-Chair - TCG Trusted Mobility Solutions WG Chair - Linux Foundation Open Printing WG Secretary - IEEE-ISTO Printer Working Group Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG IETF Designated Expert - IPP & Printer MIB Blue Roof Music / High North Inc http://sites.google.com/site/blueroofmusic http://sites.google.com/site/highnorthinc mailto: blueroofmusic@gmail.com Winter 579 Park Place Saline, MI 48176 734-944-0094 Summer PO Box 221 Grand Marais, MI 49839 906-494-2434 On Tue, Jun 30, 2015 at 12:25 PM, Scott Shorter < sshorter@electrosoft-inc.com> wrote: > Great discussion all. I don't know if I've said it here before, but my > equation for trust goes like this: > > trust = 1 / risk > > If we are trying to measure risk, what if this were considered a "risk > score" that is calculated from "risk metrics"? Identity risk score, if we > want to get crazy. > > I get the notion from the Common Vulnerability Scoring System (CVSS, > version 3 draft is available here > <https://www.first.org/_assets/downloads/cvss/cvss-v30-preview2-metricvectorstring-december-2014.pdf>). > I think that there's a lot of similarities between vulnerability management > and credential management. Vulnerabilities represent potential risks to > systems, and CVSS provides a way of expressing those risks. Similarly > every credential issued represents a marginal increased risk, and our > strawperson document currently looks a lot like CVSS. > > I don't know whether more harm is done by unmanaged credentials or > unmitigated vulnerabilities, but each of those should be captured in an > organization's risk registry. > > My 0.02USD, > Scott > > On Tue, Jun 30, 2015 at 12:01 PM, Justin Richer <jricher@mit.edu> wrote: > >> Josh, thanks for the great comments. Responses inline: >> >> On Jun 30, 2015, at 7:22 AM, Josh Howlett <Josh.Howlett@jisc.ac.uk> >> wrote: >> >> Justin, Leif, >> >> >> >> Thanks for this draft. I only have some general comments at this point. >> The first two concern the use of language; I might be hair-splitting: YMMV. >> The final comment is more substantive. >> >> >> >> 1. Vectors have a very specific formal meaning in mathematics. Given that >> this is an engineering community, I think there’s a possibility of creating >> confusion from the use of this language. You correctly try to disambiguate >> this in 2.2, but the use of different language would make this unnecessary. >> >> >> When we picked the name “vectors of trust” we knew that both “vector” and >> “trust” were terms that were going to confuse some people but could be >> explained fairly succinctly in this context and help get the point across. >> I’m honestly welcome to renaming the whole shebang but for now I’ve yet to >> hear a better set of terms. >> >> >> >> 2. The draft talks of vectors of trust but actually describes types of >> evidence and attributes that can be associated with these. As you discuss >> in section 7.1, there is a specific trust context which confers semantics >> on these attributes ex post facto. Thus this evidence and their attributes >> can inform runtime outcomes, in the context of a given trust context, but >> do not define it. I think it might be helpful to reconsider the description >> of this work, so that its goal is clearer to the reader; and set out the >> fundamental role of the trust context within the introduction/background. >> >> >> It was only in this latest draft that we really started to set out the >> importance of context for a given VoT value, so I think your comments here >> are valid. >> >> >> >> 3. The goal of the draft, as I understand it, is to enable RPs and IdPs >> to share a common vocabulary of evidence and their attributes. This avoids >> the “bundling” of different kinds of evidence by allowing for >> decomposability. This evidence, now unbundled, can be employed in different >> trust contexts, facilitating interoperability across trust framework. So >> far so good? However I’ll note that the evidences and attributes described >> in section 3 are often themselves bundles (“C5 Sealed hardware token / >> trusted biometric / TPM-backed keys). So, playing devil’s advocate, what is >> to stop actors from decomposing the core elements described in section 3? >> Indeed I think it’s actually a goal of this document to permit that through >> extensions. I wonder therefore whether an excess of decomposability will >> actually aggravate interoperability between trust contexts. Clearly this >> could be addressed by setting norms, but then you’ve reinvented NIST >> 800-63. Alternatively you could imagine a taxonomy of evidence, with >> classes and (through extensions) sub-classes allowing for greater >> specificity, while providing for a general interpretation if actors do not >> share the same vocabulary. I hesitate to describe this as fractal, but I >> hope you can see what I’m driving at. >> >> >> >> >> It could definitely be fractal, but I think it’s important that we >> capture something at the right level. Aggregate a bunch of vector values >> together and you get a definition like 800-63, which is still useful but >> only in its intended consequences. Break apart the vector components and >> you get into the specifics of a full trust framework definition, like the >> high granularity in the GTRI work (or Steve’s “everything is an attribute” >> utopia). I think there’s value in each of those, but the value doesn’t >> really come at runtime when you need to make a contextual decision. That’s >> where I think that the VoT approach can really shine. It’s more granular >> than the broad sweeping definitions that authentication guidelines would >> have, but it’s less granular than a sea of attributes. We want something >> that an RP can hope to process and make sense of, and to do that we need to >> walk a fine line. >> >> — Justin >> >> Josh. >> >> *From:* vot [mailto:vot-bounces@ietf.org <vot-bounces@ietf.org>] *On >> Behalf Of *Justin Richer >> *Sent:* 27 June 2015 04:15 >> *To:* vot@ietf.org >> *Subject:* [VoT] Vectors of Trust I-D >> >> >> >> Hi Everyone, >> >> >> >> I have taken the initial strawman proposal along with a substantial >> number of edits and inputs from several folks and have created an initial >> I-D of the document: >> >> >> >> https://tools.ietf.org/id/draft-richer-vectors-of-trust-00 >> >> >> >> It’s still a very drafty draft, but hopefully it’s starting to make this >> a concrete thing. Please read it over and discuss it here on the list. >> >> >> >> I would like to propose a bar-BoF in Prague for VoT for anyone who would >> like to discuss this. If you’re interested (and will be there in person), >> let me know! >> >> >> >> — Justin >> >> Jisc is a registered charity (number 1149740) and a company limited by >> guarantee which is registered in England under Company No. 5747339, VAT No. >> GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, >> Bristol, BS2 0JA. T 0203 697 5800. >> >> Jisc Services Limited is a wholly owned Jisc subsidiary and a company >> limited by guarantee which is registered in England under company number >> 2881024, VAT number GB 197 0632 86. The registered office is: One Castle >> Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. >> >> >> >> _______________________________________________ >> vot mailing list >> vot@ietf.org >> https://www.ietf.org/mailman/listinfo/vot >> >> > > > -- > ============================================================== > *Scott Shorter, Principal Security Engineer* > Electrosoft *–* Fueling Customer Success Through Outstanding Value and > Trust! > *Woman-Owned, Minority-Owned Small Business | ISO 9001 | CMMI Level 2 * > 1893 Metro Center Drive; Ste 228; Reston, VA 20190 > sshorter@electrosoft-inc.com (Email); http://www.electrosoft-inc.com > (Web) > ============================================================== > > _______________________________________________ > vot mailing list > vot@ietf.org > https://www.ietf.org/mailman/listinfo/vot > >
- [VoT] Vectors of Trust I-D Justin Richer
- Re: [VoT] Vectors of Trust I-D Josh Howlett
- Re: [VoT] Vectors of Trust I-D Jim Fenton
- Re: [VoT] Vectors of Trust I-D Justin Richer
- Re: [VoT] Vectors of Trust I-D Justin Richer
- Re: [VoT] Vectors of Trust I-D Jones, Mark B
- Re: [VoT] Vectors of Trust I-D Scott Shorter
- Re: [VoT] Vectors of Trust I-D Ira McDonald
- Re: [VoT] Vectors of Trust I-D Kelts, David
- Re: [VoT] Vectors of Trust I-D Jim Fenton