IETF Logo Mail Archive

Re: [VoT] Vectors of Trust: A Strawman

Joni Brennan <joni@kantarainitiative.org> Thu, 09 October 2014 16:11 UTC

Return-Path: <jonibrennan@gmail.com>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183891AD044 for <vot@ietfa.amsl.com>; Thu, 9 Oct 2014 09:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.123
X-Spam-Level:
X-Spam-Status: No, score=0.123 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxYQI8xBDY_s for <vot@ietfa.amsl.com>; Thu, 9 Oct 2014 09:11:15 -0700 (PDT)
Received: from mail-wg0-x22b.google.com (mail-wg0-x22b.google.com [IPv6:2a00:1450:400c:c00::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3B61AD000 for <vot@ietf.org>; Thu, 9 Oct 2014 09:11:13 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id m15so1735489wgh.14 for <vot@ietf.org>; Thu, 09 Oct 2014 09:11:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Ra0S2+XtMN+FxR5NZ1YKhmD6THONx27LpHBuwmqiz7g=; b=kAG1TTos6jDf0OSdYI/cOPAISE28RMAMsSYRObLXMguGosMcsqBU/qRLfn1uZwmHNh LOclk1W7AySyn3DS7rDLPdz9husKwplmQ5R9Jr3wh8iDfgze6B95v98D4D1wqA0KNr9g A7T3cpqxLYOCiQDBJOlHiVl28yBgvx0j7npLuJSg76HjS1wL2qbyHrtwk3JIN3Tx82gZ 5D0j00h+ASp4xjetM8Knpv8Nyf52EJ/Sx8kaUTIAa0LoSl9lh0Yyg9z9flY5n18wel6k jxaDWaqG7ZW9hbRaXFhkjpFfb+f4KBHttYh8wra2xNgifQp1uWPh3dq8Js/qzG37r783 ak4A==
X-Received: by 10.181.12.14 with SMTP id em14mr5432320wid.9.1412871071988; Thu, 09 Oct 2014 09:11:11 -0700 (PDT)
MIME-Version: 1.0
Sender: jonibrennan@gmail.com
Received: by 10.216.113.74 with HTTP; Thu, 9 Oct 2014 09:10:40 -0700 (PDT)
In-Reply-To: <35fb02f6.00001b38.0000000c@MLINDEN-X220.windows.csc.fi>
References: <42FAEF9E-37A4-4F3A-84C0-63C1FBC22EC6@mitre.org> <542DCCA7.8070308@bluepopcorn.net> <277b9fa8ed8945cd919531b64834bb24@BL2PR08MB241.namprd08.prod.outlook.com> <82008C35-9F54-4E07-A0F6-FD0AF4BEF263@mitre.org> <35fb02f6.00001b38.0000000c@MLINDEN-X220.windows.csc.fi>
From: Joni Brennan <joni@kantarainitiative.org>
Date: Thu, 09 Oct 2014 09:10:40 -0700
X-Google-Sender-Auth: neA3IDs5aso5kAlzF1iy3QH0y0s
Message-ID: <CABbgLovf3oJW_i_Rz_UwNvCyUA+w4=7rqrq0J5SFP5xn_OujPQ@mail.gmail.com>
To: Mikael Linden <mikael.linden@csc.fi>
Content-Type: multipart/alternative; boundary="f46d04388e695c06550504ffae9f"
Archived-At: http://mailarchive.ietf.org/arch/msg/vot/gviux3YOE3Q-NNeFOKOduM2b-Ac
Cc: Brian Arkills <barkills@uw.edu>, "Richer, Justin P." <jricher@mitre.org>, vot@ietf.org
Subject: Re: [VoT] Vectors of Trust: A Strawman
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Oct 2014 16:11:20 -0000

This has been a great thread.  I will spend more time to respond more
deeply...

I suggest that incident response could be very reasonable for a VoT.
Ideally we are not specifying the "how" but that there is a process with
reasonable rigor in place.

best,
- Joni

Best Regards,

Joni Brennan
Kantara Initiative | Executive Director
voice:+1 732-266-8994
email: joni @ kantarainitiative.org

Connecting Identity for a more trustworthy Internet - Overview
<http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351>




On Mon, Oct 6, 2014 at 9:41 PM, Mikael Linden <mikael.linden@csc.fi> wrote:

> >There are things in this space (like "disaster recovery") that an RP
> could be able to discover ahead of time using a trust framework or assessor
> type of setup (the last point in the strawman),
>
>
>
> CERN and the grid folks are pushing a framework for incident handling in
> federations (A Security Incident Response Trust
>
> Framework for Federated Identity -- Sir-T-Fi). They would like to have
> some assurance that the IdP admin is reactive (answers to mail, phone etc...)
> when an RP has faced an incident and needs the IdP's co-operation to
> resolve it.
>
>
>
> Is this another dimension for VoT?
>
>
>
> Cheers,
>
> mikael
>
>
>
> *From:* vot [mailto:vot-bounces@ietf.org] *On Behalf Of *Richer, Justin P.
> *Sent:* 6. lokakuuta 2014 17:24
> *To:* Brian Arkills
> *Cc:* vot@ietf.org
> *Subject:* Re: [VoT] Vectors of Trust: A Strawman
>
>
>
>
>
> *[BA] It seems that the operational management vector has
> intersections/overlaps with some of the other vectors, but maybe that's
> just imagined on my part. If the operators of the component allow their
> cert to expire that affects some of the other vectors. Likewise, if they
> have very strong administrative practices, perhaps the credential strength
> is better than another provider using the same technologies. I'm struggling
> with whether I think it's good to represent this as a separate vector or if
> this is just an aspect which influences the other vectors.*
>
>
>
> I agree that it's definitely different from the others, and originally I
> only had the other three listed. The conversation in Utrecht had a lot of
> input into this though.
>
>
>
> I think an important metric might be "what do I care about this at
> runtime"? There are things in this space (like "disaster recovery") that an
> RP could be able to discover ahead of time using a trust framework or
> assessor type of setup (the last point in the strawman), but they're not
> going to ever change on a per-transaction or per-user basis. Other items
> like credential strength and proofing might be different each time though,
> depending on the population of users being served.
>
>
>
>  -- Justin
>
>
>
>
>
>
>
> On Oct 3, 2014, at 2:15 AM, Brian Arkills <barkills@uw.edu> wrote:
>
>
>
> *[BA] **First, thanks a ton for putting this list together and hoisting a
> strawman to kick things off. I think a lot of people have been thinking
> about the ways in which the existing LoA fall short, and I'm glad to see a
> constructive effort at moving things forward. **J*
>
>
>
> *I've got a couple initial responses to parts of the proposal below ... *
>
>
>
> *Credential strength:*
>
>
>
> This covers how strongly bound the primary credential is to an individual
> presenter, and how easily spoofed or stolen it is.
>
>
>
> 0: no credential / public
>
> 1: shared secret / password
>
> 2: proof of key possession
>
> 3: multiple factors [and probably higher definitions here as well -- but
> we want to avoid all the little bespoke 2FA companies getting to define a
> special snowflake "credential strength" value or else this becomes useless]
>
>
> Anything here about how the secret key is protected? How about bearer
> assertions like cookies?
>
>
> *[BA] One of the stated aims of this vector is to reflect how easy it is
> to steal the credential, but none of the values really represent that
> aspect. One of the biggest security stories right now, the plethora of
> retailers with credit card breaches over the past year, seem to share
> several common elements, one of which involves leveraging the NTLM pass the
> hash credential replay. And if you've been following the NTLM pass the hash
> replay stuff, you'll have taken note of the fact that enabling 2 factor on
> a given account doesn't mitigate it at all. Of course, that replay is first
> dependent on compromising a system which has the desired credential, but
> the fact that a replay attack is part of the underlying credential design
> might mean your score should be lower here. You might have mitigations in
> place which partially or totally neutralize that, in which case your score
> should be less affected. I'm not yet sure how you'd represent this
> complexity in a better way via the suggested description for the values but
> I did want to call this out so better minds than mine could ponder it. *
> *J*
>
>
>
> *Operational management:*
>
>
>
> This covers a variety of information about the identity provider and its
> host organization. What's the OpSec policy of the IdP? Is there disaster
> recovery in place? How mature is the hosting organization? What kind of
> incident response can be expected? How strongly bound is a particular
> attribute to a particular credential [though maybe this fits under identity
> proofing]? You'll note that already this feels a lot less linear and a lot
> less defined than the other three.
>
>
>
> *[BA] It seems that the operational management vector has
> intersections/overlaps with some of the other vectors, but maybe that's
> just imagined on my part. If the operators of the component allow their
> cert to expire that affects some of the other vectors. Likewise, if they
> have very strong administrative practices, perhaps the credential strength
> is better than another provider using the same technologies. I'm struggling
> with whether I think it's good to represent this as a separate vector or if
> this is just an aspect which influences the other vectors.*
>
>
>
> Finally, I think we need to think about and discuss the notion of the
> assessment and trustmarks that would be powering the trust in all of these
> values. After all, if they're just self-asserted by the IdP, that doesn't
> really help anyone. However, if we had a discovery mechanism whereby a
> trustmark provider would be able to host a machine-readable definition of
> what vectors a particular IdP has been proven to be able to claim for any
> transaction, I think we've got a good leg up on the problem.
>
>
> Yes: it's essential that we address the accreditation of the
> authentication and attribute providers in this structure. It's not clear
> that they're additional dimensions, though: a level 3 assertion from an
> entity that's only accredited at level 2 should probably just be treated at
> the lower level unless there's an indication of fraud. It's also possible
> that some providers might be accredited at different levels for different
> purposes: perhaps they have an accreditation at level 3 from the financial
> community, but only level 2 for health care.  We need to consider that.
>
>
> *[BA] I also wonder about vectors of trust in chained assertion scenarios.
> You assert X, then I assert X based on your assertion (and my evaluation of
> your assertion). Or do I somehow encapsulate your assertion inside mine and
> consuming apps know how to deal with this? Does the assertion's strength
> change when I assert it (or encapsulate it) based on who I am?*
>
>
>
> *Brian Arkills*
>
> *University of Washington*
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
>
>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot
>
>

v2.23.0 | Report a Bug | By Email