IETF Logo Mail Archive

Re: [VoT] Vectors of Trust I-D

Jim Fenton <fenton@bluepopcorn.net> Thu, 30 July 2015 20:15 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4373F1ACE56 for <vot@ietfa.amsl.com>; Thu, 30 Jul 2015 13:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.69
X-Spam-Level:
X-Spam-Status: No, score=0.69 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nzM2RMWRAls for <vot@ietfa.amsl.com>; Thu, 30 Jul 2015 13:15:33 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0B291ACE54 for <vot@ietf.org>; Thu, 30 Jul 2015 13:15:32 -0700 (PDT)
Received: from splunge.local (c-50-136-244-117.hsd1.ca.comcast.net [50.136.244.117]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.3/8.14.3/Debian-9.4) with ESMTP id t6UKFUUC016801 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <vot@ietf.org>; Thu, 30 Jul 2015 13:15:32 -0700
To: vot@ietf.org
References: <4DF01AF4-CD33-4BB7-958B-FFECD37C8AFE@mit.edu> <55929843.2030104@bluepopcorn.net>
From: Jim Fenton <fenton@bluepopcorn.net>
X-Enigmail-Draft-Status: N1110
Message-ID: <55BA85F0.6020909@bluepopcorn.net>
Date: Thu, 30 Jul 2015 13:15:44 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <55929843.2030104@bluepopcorn.net>
Content-Type: multipart/alternative; boundary="------------030507080406010403080400"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1438287332; bh=uhAYjiAgX73FbfnXMcUTd7PXyTegQSD/0QysMuZ3XfM=; h=Subject:To:References:From:Date:In-Reply-To; b=sk6d+DfMTMx0Bc+1yUEro9bXpnaY2oB/gBGaFtQDabBJSMe8eEyElqxg/QT/5E+cA uSd+vJ7kSuwa3mbA5mXbjGvTayLAxLa/zI3mDZLNfDfIcK1CuXzZobcsU3PsCP7p0T 5/G2xEcKOxm4cxXpcIwMud2rIMO/Q5yIUo+VYW1w=
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/e9-ACdxZxfyG-gCvd68aECCvpUg>
Subject: Re: [VoT] Vectors of Trust I-D
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 20:15:35 -0000

I made another pass through the document and have some more comments.
I'll leave out the grammatical nits, although I'm happy to pass them
along to the authors if they want them.


1.1 Terminology

Credential - I understand that "token" has conflicting usage, but
credential does too. At a minimum, a definition stating what this
document means by credential is needed.

Identity Provider - Manages "identity information".  What's that?  Seems
a bit circular. In many circumstances, assertions of attributes might
come from different parties than the one that authenticates the user. I
hope we can accommodate separation of authentication and attributes here.

Relying Party - "logging users in".  Additional attributes might also be
consumed for authorizing further access beyond the initial login.  I'd
prefer "authenticating users and authorizing their actions".

Trustmark - "has proved". My mind immediately went to some sort of
cryptographic proof. You seem to mean "is expected", "is deemed", or
something like that.

2. Background and Motivation

"attributes about an identity transaction": Attributes has a conflicting
meaning. How about "aspects of an identity transaction"?

Paragraph 2, last sentence.  I don't really understand what this is
saying, but identity proofing should be able to be done after token
issuance, and perhaps by a different party than the issuer.

2.1 last paragraph: I don't understand what point this is trying to
make, but binding of credential and the user is a "representation of the
identity proofing process" doesn't quite make sense.

3.2 Credential Management should be titled Credential Binding to be
consistent with earlier text.

use the "credential" to denote the credential: circular definition

3.3 Assertion Presentation: Doesn't the RP have direct visibility on how
the assertion is presented? For example, it shouldn't be necessary to
say something like "Token encrypted to the relying party's key" because
the relying party already knows that. There is perhaps some need for a
way for the RP to specify how the assertion is to be delivered, however.

4. Component Definitions

C5 is an example that is particularly troubling: equating a sealed
hardware token with a trusted biometric or TPM-backed keys. If the C
specification is an enumerated list, perhaps each of them should have a
C number. But if the components are that fine-grained, a requesting
vector (section 6) might be quite long and complex to represent all the
combinations of components that are acceptable. I personally prefer an
ordered set of value within each vector component that would be
necessarily more coarse-grained than this. In that case, the requesting
vector could be something like "P2.C2" which would mean P >= 2 AND C >= 2.

Eventually, the syntax will need to be nailed down further, probably
using ABNF.  For example, can P2.C2 be used as well as C2.P2?

The initial C values don't say anything about multifactor authentication.

5. Communicating vector values to RPs: I wonder if these values should
always be encrypted on the wire to protect against attackers looking for
high-value targets.

7.1 Trustmark

Trustmarks have enough usefulness independent of VoT that we should
consider whether they should be an independent specification.

Trustmarks are needed for attribute providers as well as IdPs. And
probably for attribute providers and brokers (like connect.gov) as well.

As specified, anyone who has a valid TLS certificate for the trust
framework can assert the trustmark, including rogue CAs. This might not
be good enough where substantial liability exposure is involved. Perhaps
the trustmark should be signed as well, maybe using keys verified with DANE.

-Jim

On 6/30/15 6:23 AM, Jim Fenton wrote:
> Justin and Leif, thanks for getting things moving with this draft.
>
> The biggest surprise to me is that (section 2.2, last paragraph) the
> components of the vector do not have ordinal properties; i.e., they
> are just an enumerated list. Aside from confusing people that are
> expecting a vector to be a set of scalars, it also requires Relying
> Parties, for example, to enumerate all of the types of credential
> management they will accept rather than "C2 or better". This isn't a
> huge problem at the current scale, but I'm concerned that the number
> of choices might grow.
>
> I also have some problem with the use of the term "credential" because
> it encompasses management of attributes as well as tokens, which then
> overlaps with the identity proofing dimension which is, more
> generally, the question of how strongly the relying party can depend
> on attribute values.  I'd rather that we use the term "token" rather
> than "credential" to keep these separate.
>
> -Jim

v2.23.0 | Report a Bug | By Email