Re: [VoT] Vectors of Trust: A Strawman
Joni Brennan <joni@kantarainitiative.org> Thu, 09 October 2014 16:11 UTC
Return-Path: <jonibrennan@gmail.com>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183891AD044 for <vot@ietfa.amsl.com>; Thu, 9 Oct 2014 09:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.123
X-Spam-Level:
X-Spam-Status: No, score=0.123 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxYQI8xBDY_s for <vot@ietfa.amsl.com>; Thu, 9 Oct 2014 09:11:15 -0700 (PDT)
Received: from mail-wg0-x22b.google.com (mail-wg0-x22b.google.com [IPv6:2a00:1450:400c:c00::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3B61AD000 for <vot@ietf.org>; Thu, 9 Oct 2014 09:11:13 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id m15so1735489wgh.14 for <vot@ietf.org>; Thu, 09 Oct 2014 09:11:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Ra0S2+XtMN+FxR5NZ1YKhmD6THONx27LpHBuwmqiz7g=; b=kAG1TTos6jDf0OSdYI/cOPAISE28RMAMsSYRObLXMguGosMcsqBU/qRLfn1uZwmHNh LOclk1W7AySyn3DS7rDLPdz9husKwplmQ5R9Jr3wh8iDfgze6B95v98D4D1wqA0KNr9g A7T3cpqxLYOCiQDBJOlHiVl28yBgvx0j7npLuJSg76HjS1wL2qbyHrtwk3JIN3Tx82gZ 5D0j00h+ASp4xjetM8Knpv8Nyf52EJ/Sx8kaUTIAa0LoSl9lh0Yyg9z9flY5n18wel6k jxaDWaqG7ZW9hbRaXFhkjpFfb+f4KBHttYh8wra2xNgifQp1uWPh3dq8Js/qzG37r783 ak4A==
X-Received: by 10.181.12.14 with SMTP id em14mr5432320wid.9.1412871071988; Thu, 09 Oct 2014 09:11:11 -0700 (PDT)
MIME-Version: 1.0
Sender: jonibrennan@gmail.com
Received: by 10.216.113.74 with HTTP; Thu, 9 Oct 2014 09:10:40 -0700 (PDT)
In-Reply-To: <35fb02f6.00001b38.0000000c@MLINDEN-X220.windows.csc.fi>
References: <42FAEF9E-37A4-4F3A-84C0-63C1FBC22EC6@mitre.org> <542DCCA7.8070308@bluepopcorn.net> <277b9fa8ed8945cd919531b64834bb24@BL2PR08MB241.namprd08.prod.outlook.com> <82008C35-9F54-4E07-A0F6-FD0AF4BEF263@mitre.org> <35fb02f6.00001b38.0000000c@MLINDEN-X220.windows.csc.fi>
From: Joni Brennan <joni@kantarainitiative.org>
Date: Thu, 09 Oct 2014 09:10:40 -0700
X-Google-Sender-Auth: neA3IDs5aso5kAlzF1iy3QH0y0s
Message-ID: <CABbgLovf3oJW_i_Rz_UwNvCyUA+w4=7rqrq0J5SFP5xn_OujPQ@mail.gmail.com>
To: Mikael Linden <mikael.linden@csc.fi>
Content-Type: multipart/alternative; boundary="f46d04388e695c06550504ffae9f"
Archived-At: http://mailarchive.ietf.org/arch/msg/vot/gviux3YOE3Q-NNeFOKOduM2b-Ac
Cc: Brian Arkills <barkills@uw.edu>, "Richer, Justin P." <jricher@mitre.org>, vot@ietf.org
Subject: Re: [VoT] Vectors of Trust: A Strawman
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Oct 2014 16:11:20 -0000
This has been a great thread. I will spend more time to respond more deeply... I suggest that incident response could be very reasonable for a VoT. Ideally we are not specifying the "how" but that there is a process with reasonable rigor in place. best, - Joni Best Regards, Joni Brennan Kantara Initiative | Executive Director voice:+1 732-266-8994 email: joni @ kantarainitiative.org Connecting Identity for a more trustworthy Internet - Overview <http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351> On Mon, Oct 6, 2014 at 9:41 PM, Mikael Linden <mikael.linden@csc.fi> wrote: > >There are things in this space (like "disaster recovery") that an RP > could be able to discover ahead of time using a trust framework or assessor > type of setup (the last point in the strawman), > > > > CERN and the grid folks are pushing a framework for incident handling in > federations (A Security Incident Response Trust > > Framework for Federated Identity -- Sir-T-Fi). They would like to have > some assurance that the IdP admin is reactive (answers to mail, phone etc...) > when an RP has faced an incident and needs the IdP's co-operation to > resolve it. > > > > Is this another dimension for VoT? > > > > Cheers, > > mikael > > > > *From:* vot [mailto:vot-bounces@ietf.org] *On Behalf Of *Richer, Justin P. > *Sent:* 6. lokakuuta 2014 17:24 > *To:* Brian Arkills > *Cc:* vot@ietf.org > *Subject:* Re: [VoT] Vectors of Trust: A Strawman > > > > > > *[BA] It seems that the operational management vector has > intersections/overlaps with some of the other vectors, but maybe that's > just imagined on my part. If the operators of the component allow their > cert to expire that affects some of the other vectors. Likewise, if they > have very strong administrative practices, perhaps the credential strength > is better than another provider using the same technologies. I'm struggling > with whether I think it's good to represent this as a separate vector or if > this is just an aspect which influences the other vectors.* > > > > I agree that it's definitely different from the others, and originally I > only had the other three listed. The conversation in Utrecht had a lot of > input into this though. > > > > I think an important metric might be "what do I care about this at > runtime"? There are things in this space (like "disaster recovery") that an > RP could be able to discover ahead of time using a trust framework or > assessor type of setup (the last point in the strawman), but they're not > going to ever change on a per-transaction or per-user basis. Other items > like credential strength and proofing might be different each time though, > depending on the population of users being served. > > > > -- Justin > > > > > > > > On Oct 3, 2014, at 2:15 AM, Brian Arkills <barkills@uw.edu> wrote: > > > > *[BA] **First, thanks a ton for putting this list together and hoisting a > strawman to kick things off. I think a lot of people have been thinking > about the ways in which the existing LoA fall short, and I'm glad to see a > constructive effort at moving things forward. **J* > > > > *I've got a couple initial responses to parts of the proposal below ... * > > > > *Credential strength:* > > > > This covers how strongly bound the primary credential is to an individual > presenter, and how easily spoofed or stolen it is. > > > > 0: no credential / public > > 1: shared secret / password > > 2: proof of key possession > > 3: multiple factors [and probably higher definitions here as well -- but > we want to avoid all the little bespoke 2FA companies getting to define a > special snowflake "credential strength" value or else this becomes useless] > > > Anything here about how the secret key is protected? How about bearer > assertions like cookies? > > > *[BA] One of the stated aims of this vector is to reflect how easy it is > to steal the credential, but none of the values really represent that > aspect. One of the biggest security stories right now, the plethora of > retailers with credit card breaches over the past year, seem to share > several common elements, one of which involves leveraging the NTLM pass the > hash credential replay. And if you've been following the NTLM pass the hash > replay stuff, you'll have taken note of the fact that enabling 2 factor on > a given account doesn't mitigate it at all. Of course, that replay is first > dependent on compromising a system which has the desired credential, but > the fact that a replay attack is part of the underlying credential design > might mean your score should be lower here. You might have mitigations in > place which partially or totally neutralize that, in which case your score > should be less affected. I'm not yet sure how you'd represent this > complexity in a better way via the suggested description for the values but > I did want to call this out so better minds than mine could ponder it. * > *J* > > > > *Operational management:* > > > > This covers a variety of information about the identity provider and its > host organization. What's the OpSec policy of the IdP? Is there disaster > recovery in place? How mature is the hosting organization? What kind of > incident response can be expected? How strongly bound is a particular > attribute to a particular credential [though maybe this fits under identity > proofing]? You'll note that already this feels a lot less linear and a lot > less defined than the other three. > > > > *[BA] It seems that the operational management vector has > intersections/overlaps with some of the other vectors, but maybe that's > just imagined on my part. If the operators of the component allow their > cert to expire that affects some of the other vectors. Likewise, if they > have very strong administrative practices, perhaps the credential strength > is better than another provider using the same technologies. I'm struggling > with whether I think it's good to represent this as a separate vector or if > this is just an aspect which influences the other vectors.* > > > > Finally, I think we need to think about and discuss the notion of the > assessment and trustmarks that would be powering the trust in all of these > values. After all, if they're just self-asserted by the IdP, that doesn't > really help anyone. However, if we had a discovery mechanism whereby a > trustmark provider would be able to host a machine-readable definition of > what vectors a particular IdP has been proven to be able to claim for any > transaction, I think we've got a good leg up on the problem. > > > Yes: it's essential that we address the accreditation of the > authentication and attribute providers in this structure. It's not clear > that they're additional dimensions, though: a level 3 assertion from an > entity that's only accredited at level 2 should probably just be treated at > the lower level unless there's an indication of fraud. It's also possible > that some providers might be accredited at different levels for different > purposes: perhaps they have an accreditation at level 3 from the financial > community, but only level 2 for health care. We need to consider that. > > > *[BA] I also wonder about vectors of trust in chained assertion scenarios. > You assert X, then I assert X based on your assertion (and my evaluation of > your assertion). Or do I somehow encapsulate your assertion inside mine and > consuming apps know how to deal with this? Does the assertion's strength > change when I assert it (or encapsulate it) based on who I am?* > > > > *Brian Arkills* > > *University of Washington* > > _______________________________________________ > vot mailing list > vot@ietf.org > https://www.ietf.org/mailman/listinfo/vot > > > > _______________________________________________ > vot mailing list > vot@ietf.org > https://www.ietf.org/mailman/listinfo/vot > >
- [VoT] Vectors of Trust: A Strawman Richer, Justin P.
- Re: [VoT] Vectors of Trust: A Strawman Jim Fenton
- Re: [VoT] Vectors of Trust: A Strawman Nat Sakimura
- Re: [VoT] Vectors of Trust: A Strawman Dave Crocker
- Re: [VoT] Vectors of Trust: A Strawman Brian Arkills
- Re: [VoT] Vectors of Trust: A Strawman Leif Johansson
- Re: [VoT] Vectors of Trust: A Strawman Rainer Hoerbe
- Re: [VoT] Vectors of Trust: A Strawman Richer, Justin P.
- Re: [VoT] Vectors of Trust: A Strawman Mikael Linden
- Re: [VoT] Vectors of Trust: A Strawman Joni Brennan
- Re: [VoT] Vectors of Trust: A Strawman Nicole Harris
- Re: [VoT] Vectors of Trust: A Strawman Cantor, Scott