Re: [VoT] Vectors of Trust: A Strawman
Mikael Linden <mikael.linden@csc.fi> Tue, 07 October 2014 04:41 UTC
Return-Path: <mikael.linden@csc.fi>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04AEE1A9128 for <vot@ietfa.amsl.com>; Mon, 6 Oct 2014 21:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.686
X-Spam-Level:
X-Spam-Status: No, score=-2.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p9wlmlK-Xv7F for <vot@ietfa.amsl.com>; Mon, 6 Oct 2014 21:41:43 -0700 (PDT)
Received: from smtp1.csc.fi (smtp1.csc.fi [IPv6:2001:708:10:6004::14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BFF11A9125 for <vot@ietf.org>; Mon, 6 Oct 2014 21:41:41 -0700 (PDT)
Received: from tapir.csc.fi (tapir.csc.fi [86.50.27.201]) by smtp1.csc.fi (8.14.3/8.14.3/CSC) with ESMTP id s974fd6V006526 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 7 Oct 2014 07:41:39 +0300
Received: from tapir.csc.fi (localhost [127.0.0.1]) by tapir.csc.fi (Postfix) with ESMTPS id 1BE33BFA24; Tue, 7 Oct 2014 07:41:39 +0300 (EEST)
Received: from localhost (localhost [127.0.0.1]) by tapir.csc.fi (Postfix) with ESMTP id 0EC8DBFA23; Tue, 7 Oct 2014 07:41:39 +0300 (EEST)
Received: from tapir.csc.fi ([127.0.0.1]) by localhost (tapir.csc.fi [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id BMX3xiwHTjsL; Tue, 7 Oct 2014 07:41:38 +0300 (EEST)
Received: from zebra.csc.fi (zebra.csc.fi [86.50.27.101]) by tapir.csc.fi (Postfix) with ESMTP id EB88BBFA22; Tue, 7 Oct 2014 07:41:38 +0300 (EEST)
From: Mikael Linden <mikael.linden@csc.fi>
To: "Richer, Justin P." <jricher@mitre.org>, Brian Arkills <barkills@uw.edu>
References: <42FAEF9E-37A4-4F3A-84C0-63C1FBC22EC6@mitre.org> <542DCCA7.8070308@bluepopcorn.net> <277b9fa8ed8945cd919531b64834bb24@BL2PR08MB241.namprd08.prod.outlook.com> <82008C35-9F54-4E07-A0F6-FD0AF4BEF263@mitre.org>
In-Reply-To: <82008C35-9F54-4E07-A0F6-FD0AF4BEF263@mitre.org>
Date: Tue, 07 Oct 2014 07:41:38 +0300
Message-ID: <35fb02f6.00001b38.0000000c@MLINDEN-X220.windows.csc.fi>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00BD_01CFE202.1EAAB670"
X-Mailer: Microsoft Outlook 15.0
X-Mailer: Zimbra 8.5.0_GA_3047 (ZimbraConnectorForOutlook/8.0.6.1063)
Content-Language: fi
Thread-Index: a+vvD3Xi5fKFW1yLhicYulPn8Rx3RQ==
X-Originating-IP: [77.95.242.33]
Thread-Topic: Vectors of Trust: A Strawman
X-CanIt-Geo: ip=86.50.27.201; country=FI; latitude=64.0000; longitude=26.0000; http://maps.google.com/maps?q=64.0000,26.0000&z=6
X-CanItPRO-Stream: 00_Opt_Out (inherits from default)
X-Scanned-By: CanIt (www . roaringpenguin . com) on 86.50.27.145
Archived-At: http://mailarchive.ietf.org/arch/msg/vot/gGyY7gZJ1BHASBGKkkfVB-ThoxE
Cc: vot@ietf.org
Subject: Re: [VoT] Vectors of Trust: A Strawman
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Oct 2014 04:41:50 -0000
>There are things in this space (like "disaster recovery") that an RP could be able to discover ahead of time using a trust framework or assessor type of setup (the last point in the strawman), CERN and the grid folks are pushing a framework for incident handling in federations (A Security Incident Response Trust Framework for Federated Identity -- Sir-T-Fi). They would like to have some assurance that the IdP admin is reactive (answers to mail, phone etc.) when an RP has faced an incident and needs the IdP's co-operation to resolve it. Is this another dimension for VoT? Cheers, mikael From: vot [mailto:vot-bounces@ietf.org] On Behalf Of Richer, Justin P. Sent: 6. lokakuuta 2014 17:24 To: Brian Arkills Cc: vot@ietf.org Subject: Re: [VoT] Vectors of Trust: A Strawman [BA] It seems that the operational management vector has intersections/overlaps with some of the other vectors, but maybe that's just imagined on my part. If the operators of the component allow their cert to expire that affects some of the other vectors. Likewise, if they have very strong administrative practices, perhaps the credential strength is better than another provider using the same technologies. I'm struggling with whether I think it's good to represent this as a separate vector or if this is just an aspect which influences the other vectors. I agree that it's definitely different from the others, and originally I only had the other three listed. The conversation in Utrecht had a lot of input into this though. I think an important metric might be "what do I care about this at runtime"? There are things in this space (like "disaster recovery") that an RP could be able to discover ahead of time using a trust framework or assessor type of setup (the last point in the strawman), but they're not going to ever change on a per-transaction or per-user basis. Other items like credential strength and proofing might be different each time though, depending on the population of users being served. -- Justin On Oct 3, 2014, at 2:15 AM, Brian Arkills <barkills@uw.edu <mailto:barkills@uw.edu> > wrote: [BA] First, thanks a ton for putting this list together and hoisting a strawman to kick things off. I think a lot of people have been thinking about the ways in which the existing LoA fall short, and I'm glad to see a constructive effort at moving things forward. :) I've got a couple initial responses to parts of the proposal below . Credential strength: This covers how strongly bound the primary credential is to an individual presenter, and how easily spoofed or stolen it is. 0: no credential / public 1: shared secret / password 2: proof of key possession 3: multiple factors [and probably higher definitions here as well -- but we want to avoid all the little bespoke 2FA companies getting to define a special snowflake "credential strength" value or else this becomes useless] Anything here about how the secret key is protected? How about bearer assertions like cookies? [BA] One of the stated aims of this vector is to reflect how easy it is to steal the credential, but none of the values really represent that aspect. One of the biggest security stories right now, the plethora of retailers with credit card breaches over the past year, seem to share several common elements, one of which involves leveraging the NTLM pass the hash credential replay. And if you've been following the NTLM pass the hash replay stuff, you'll have taken note of the fact that enabling 2 factor on a given account doesn't mitigate it at all. Of course, that replay is first dependent on compromising a system which has the desired credential, but the fact that a replay attack is part of the underlying credential design might mean your score should be lower here. You might have mitigations in place which partially or totally neutralize that, in which case your score should be less affected. I'm not yet sure how you'd represent this complexity in a better way via the suggested description for the values but I did want to call this out so better minds than mine could ponder it. :) Operational management: This covers a variety of information about the identity provider and its host organization. What's the OpSec policy of the IdP? Is there disaster recovery in place? How mature is the hosting organization? What kind of incident response can be expected? How strongly bound is a particular attribute to a particular credential [though maybe this fits under identity proofing]? You'll note that already this feels a lot less linear and a lot less defined than the other three. [BA] It seems that the operational management vector has intersections/overlaps with some of the other vectors, but maybe that's just imagined on my part. If the operators of the component allow their cert to expire that affects some of the other vectors. Likewise, if they have very strong administrative practices, perhaps the credential strength is better than another provider using the same technologies. I'm struggling with whether I think it's good to represent this as a separate vector or if this is just an aspect which influences the other vectors. Finally, I think we need to think about and discuss the notion of the assessment and trustmarks that would be powering the trust in all of these values. After all, if they're just self-asserted by the IdP, that doesn't really help anyone. However, if we had a discovery mechanism whereby a trustmark provider would be able to host a machine-readable definition of what vectors a particular IdP has been proven to be able to claim for any transaction, I think we've got a good leg up on the problem. Yes: it's essential that we address the accreditation of the authentication and attribute providers in this structure. It's not clear that they're additional dimensions, though: a level 3 assertion from an entity that's only accredited at level 2 should probably just be treated at the lower level unless there's an indication of fraud. It's also possible that some providers might be accredited at different levels for different purposes: perhaps they have an accreditation at level 3 from the financial community, but only level 2 for health care. We need to consider that. [BA] I also wonder about vectors of trust in chained assertion scenarios. You assert X, then I assert X based on your assertion (and my evaluation of your assertion). Or do I somehow encapsulate your assertion inside mine and consuming apps know how to deal with this? Does the assertion's strength change when I assert it (or encapsulate it) based on who I am? Brian Arkills University of Washington _______________________________________________ vot mailing list vot@ietf.org <mailto:vot@ietf.org> https://www.ietf.org/mailman/listinfo/vot
- [VoT] Vectors of Trust: A Strawman Richer, Justin P.
- Re: [VoT] Vectors of Trust: A Strawman Jim Fenton
- Re: [VoT] Vectors of Trust: A Strawman Nat Sakimura
- Re: [VoT] Vectors of Trust: A Strawman Dave Crocker
- Re: [VoT] Vectors of Trust: A Strawman Brian Arkills
- Re: [VoT] Vectors of Trust: A Strawman Leif Johansson
- Re: [VoT] Vectors of Trust: A Strawman Rainer Hoerbe
- Re: [VoT] Vectors of Trust: A Strawman Richer, Justin P.
- Re: [VoT] Vectors of Trust: A Strawman Mikael Linden
- Re: [VoT] Vectors of Trust: A Strawman Joni Brennan
- Re: [VoT] Vectors of Trust: A Strawman Nicole Harris
- Re: [VoT] Vectors of Trust: A Strawman Cantor, Scott