IETF Logo Mail Archive

Re: [VoT] Vectors of Trust I-D

Ira McDonald <blueroofmusic@gmail.com> Tue, 30 June 2015 17:37 UTC

Return-Path: <blueroofmusic@gmail.com>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D3A1B2A0A for <vot@ietfa.amsl.com>; Tue, 30 Jun 2015 10:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1IqdMFx-OEzs for <vot@ietfa.amsl.com>; Tue, 30 Jun 2015 10:37:52 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CADA1B2A09 for <vot@ietf.org>; Tue, 30 Jun 2015 10:37:52 -0700 (PDT)
Received: by wiwl6 with SMTP id l6so139943667wiw.0 for <vot@ietf.org>; Tue, 30 Jun 2015 10:37:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=7UELqoLhiHPtRDo7G7Mei+SVXgF6Ra7Bb3ddcPfIA1w=; b=zDzubKoGHU03aLqBahm8UChKzAQgHV78IWvyys+U7gszS1LpyJ8mK+tJk87QQEh8PP gkef+Td29d9XKOI9VZaMONp7La1COCrqv0HA/Wxs4TO0358QJOCS+1Ltho3fgeEg8bQh CIAScRZg7lolrey1nXKBmJ6X9Urlo+uLvG0IyXe3nBTDa+cgETQfWQsJZDyqK74hc6K1 +VW7RhYEe1FjnnKw8BVwdIaUKg9J8KtO1SwsFvKeG+SjziY721/Pa325R/YZOGj7AlU7 wnxErNx8PV8GF7qFDzafLP+X+bUxW2FyGsCHnO32ZFYlkeEInsg10/LqBoKgSuJnoh40 S33Q==
X-Received: by 10.194.175.65 with SMTP id by1mr44229268wjc.152.1435685870512; Tue, 30 Jun 2015 10:37:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.53.205 with HTTP; Tue, 30 Jun 2015 10:37:31 -0700 (PDT)
In-Reply-To: <CAKAzxEv59DJYoRdLNYu2hJ9Y5DhZ8vsKeaTk9-jKf-XfDP8A7Q@mail.gmail.com>
References: <4DF01AF4-CD33-4BB7-958B-FFECD37C8AFE@mit.edu> <DB3PR07MB138FDE12ED039C4C8CA9968BCA90@DB3PR07MB138.eurprd07.prod.outlook.com> <3F524C09-C71B-49DA-ADD2-AE57610C6C89@mit.edu> <CAKAzxEv59DJYoRdLNYu2hJ9Y5DhZ8vsKeaTk9-jKf-XfDP8A7Q@mail.gmail.com>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Tue, 30 Jun 2015 13:37:31 -0400
Message-ID: <CAN40gStnZ2dR=U+9RuEXQV+=D1LDCZPb5i71Sfg-KCiKQZhmew@mail.gmail.com>
To: Scott Shorter <sshorter@electrosoft-inc.com>, Ira McDonald <blueroofmusic@gmail.com>
Content-Type: multipart/alternative; boundary="089e013d196a52344f0519bfaae5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/bM5kJn9qgST5QIEvRnKh4dGGZio>
Cc: Josh Howlett <Josh.Howlett@jisc.ac.uk>, Justin Richer <jricher@mit.edu>, "vot@ietf.org" <vot@ietf.org>
Subject: Re: [VoT] Vectors of Trust I-D
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 17:37:56 -0000

Hi,

Thanks Justin and Leif for a really thought-provoking document.

Thanks Scott for a compact equation for trust.

About terminology:

Coming from the mobile device and automotive perspectives, the use
of *anonymized* identity for privacy protection is a major requirement.

In biometrics especially, devices should send anonymized user identity
authentication info as a "token".  But the common English definition of
"credential" precludes any such anonymization.

I suggest shifting to "token" and stressing the need for anonymous (but
highly reliable through Trusted Third Parties) device and user identities.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
Winter  579 Park Place  Saline, MI  48176  734-944-0094
Summer  PO Box 221  Grand Marais, MI 49839  906-494-2434


On Tue, Jun 30, 2015 at 12:25 PM, Scott Shorter <
sshorter@electrosoft-inc.com> wrote:

> Great discussion all.  I don't know if I've said it here before, but my
> equation for trust goes like this:
>
>      trust = 1 / risk
>
> If we are trying to measure risk, what if this were considered a "risk
> score" that is calculated from "risk metrics"?  Identity risk score, if we
> want to get crazy.
>
> I get the notion from the Common Vulnerability Scoring System (CVSS,
> version 3 draft is available here
> <https://www.first.org/_assets/downloads/cvss/cvss-v30-preview2-metricvectorstring-december-2014.pdf>).
> I think that there's a lot of similarities between vulnerability management
> and credential management.  Vulnerabilities represent potential risks to
> systems, and CVSS provides a way of expressing those risks.  Similarly
> every credential issued represents a marginal increased risk, and our
> strawperson document currently looks a lot like CVSS.
>
> I don't know whether more harm is done by unmanaged credentials or
> unmitigated vulnerabilities, but each of those should be captured in an
> organization's risk registry.
>
> My 0.02USD,
> Scott
>
> On Tue, Jun 30, 2015 at 12:01 PM, Justin Richer <jricher@mit.edu> wrote:
>
>> Josh, thanks for the great comments. Responses inline:
>>
>> On Jun 30, 2015, at 7:22 AM, Josh Howlett <Josh.Howlett@jisc.ac.uk>
>> wrote:
>>
>>  Justin, Leif,
>>
>>
>>
>> Thanks for this draft. I only have some general comments at this point.
>> The first two concern the use of language; I might be hair-splitting: YMMV.
>> The final comment is more substantive.
>>
>>
>>
>> 1. Vectors have a very specific formal meaning in mathematics. Given that
>> this is an engineering community, I think there’s a possibility of creating
>> confusion from the use of this language. You correctly try to disambiguate
>> this in 2.2, but the use of different language would make this unnecessary.
>>
>>
>> When we picked the name “vectors of trust” we knew that both “vector” and
>> “trust” were terms that were going to confuse some people but could be
>> explained fairly succinctly in this context and help get the point across.
>> I’m honestly welcome to renaming the whole shebang but for now I’ve yet to
>> hear a better set of terms.
>>
>>
>>
>> 2. The draft talks of vectors of trust but actually describes types of
>> evidence and attributes that can be associated with these. As you discuss
>> in section 7.1, there is a specific trust context which confers semantics
>> on these attributes ex post facto. Thus this evidence and their attributes
>> can inform runtime outcomes, in the context of a given trust context, but
>> do not define it. I think it might be helpful to reconsider the description
>> of this work, so that its goal is clearer to the reader; and set out the
>> fundamental role of the trust context within the introduction/background.
>>
>>
>> It was only in this latest draft that we really started to set out the
>> importance of context for a given VoT value, so I think your comments here
>> are valid.
>>
>>
>>
>> 3. The goal of the draft, as I understand it, is to enable RPs and IdPs
>> to share a common vocabulary of evidence and their attributes. This avoids
>> the “bundling” of different kinds of evidence by allowing for
>> decomposability. This evidence, now unbundled, can be employed in different
>> trust contexts, facilitating interoperability across trust framework. So
>> far so good? However I’ll note that the evidences and attributes described
>> in section 3 are often themselves bundles (“C5 Sealed hardware token /
>> trusted biometric / TPM-backed keys). So, playing devil’s advocate, what is
>> to stop actors from decomposing the core elements described in section 3?
>> Indeed I think it’s actually a goal of this document to permit that through
>> extensions. I wonder therefore whether an excess of decomposability will
>> actually aggravate interoperability between trust contexts. Clearly this
>> could be addressed by setting norms, but then you’ve reinvented NIST
>> 800-63. Alternatively you could imagine a taxonomy of evidence, with
>> classes and (through extensions) sub-classes allowing for greater
>> specificity, while providing for a general interpretation if actors do not
>> share the same vocabulary. I hesitate to describe this as fractal, but I
>> hope you can see what I’m driving at.
>>
>>
>>
>>
>> It could definitely be fractal, but I think it’s important that we
>> capture something at the right level. Aggregate a bunch of vector values
>> together and you get a definition like 800-63, which is still useful but
>> only in its intended consequences. Break apart the vector components and
>> you get into the specifics of a full trust framework definition, like the
>> high granularity in the GTRI work (or Steve’s “everything is an attribute”
>> utopia). I think there’s value in each of those, but the value doesn’t
>> really come at runtime when you need to make a contextual decision. That’s
>> where I think that the VoT approach can really shine. It’s more granular
>> than the broad sweeping definitions that authentication guidelines would
>> have, but it’s less granular than a sea of attributes. We want something
>> that an RP can hope to process and make sense of, and to do that we need to
>> walk a fine line.
>>
>>  — Justin
>>
>> Josh.
>>
>>   *From:* vot [mailto:vot-bounces@ietf.org <vot-bounces@ietf.org>] *On
>> Behalf Of *Justin Richer
>> *Sent:* 27 June 2015 04:15
>> *To:* vot@ietf.org
>> *Subject:* [VoT] Vectors of Trust I-D
>>
>>
>>
>> Hi Everyone,
>>
>>
>>
>> I have taken the initial strawman proposal along with a substantial
>> number of edits and inputs from several folks and have created an initial
>> I-D of the document:
>>
>>
>>
>> https://tools.ietf.org/id/draft-richer-vectors-of-trust-00
>>
>>
>>
>> It’s still a very drafty draft, but hopefully it’s starting to make this
>> a concrete thing. Please read it over and discuss it here on the list.
>>
>>
>>
>> I would like to propose a bar-BoF in Prague for VoT for anyone who would
>> like to discuss this. If you’re interested (and will be there in person),
>> let me know!
>>
>>
>>
>>  — Justin
>>
>> Jisc is a registered charity (number 1149740) and a company limited by
>> guarantee which is registered in England under Company No. 5747339, VAT No.
>> GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
>> Bristol, BS2 0JA. T 0203 697 5800.
>>
>> Jisc Services Limited is a wholly owned Jisc subsidiary and a company
>> limited by guarantee which is registered in England under company number
>> 2881024, VAT number GB 197 0632 86. The registered office is: One Castle
>> Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
>>
>>
>>
>> _______________________________________________
>> vot mailing list
>> vot@ietf.org
>> https://www.ietf.org/mailman/listinfo/vot
>>
>>
>
>
> --
> ==============================================================
> *Scott Shorter, Principal Security Engineer*
> Electrosoft *–* Fueling Customer Success Through Outstanding Value and
> Trust!
> *Woman-Owned, Minority-Owned Small Business | ISO 9001 | CMMI Level 2 *
> 1893 Metro Center Drive; Ste 228; Reston, VA 20190
> sshorter@electrosoft-inc.com (Email);   http://www.electrosoft-inc.com
>  (Web)
> ==============================================================
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
>

v2.23.0 | Report a Bug | By Email