IETF Logo Mail Archive

Re: [VoT] Vectors of Trust: A Strawman

Brian Arkills <barkills@uw.edu> Fri, 03 October 2014 06:16 UTC

Return-Path: <barkills@uw.edu>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C66A91A008B for <vot@ietfa.amsl.com>; Thu, 2 Oct 2014 23:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NtWFlqicgJfh for <vot@ietfa.amsl.com>; Thu, 2 Oct 2014 23:16:03 -0700 (PDT)
Received: from mxout11.cac.washington.edu (mxout11.cac.washington.edu [140.142.32.201]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F2881A0081 for <vot@ietf.org>; Thu, 2 Oct 2014 23:16:03 -0700 (PDT)
Received: from uwit-hub10.exchange.washington.edu (uwit-hub10.exchange.washington.edu [128.95.155.53]) by mxout11.cac.washington.edu (8.14.4+UW14.03/8.14.4+UW14.04) with ESMTP id s936F9Io026168 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK) for <vot@ietf.org>; Thu, 2 Oct 2014 23:15:09 -0700
Received: from UWIT-EX2K13-01.mso.uw.edu (128.95.155.33) by uwit-hub10.exchange.washington.edu (128.95.155.53) with Microsoft SMTP Server (TLS) id 14.3.181.6; Thu, 2 Oct 2014 23:15:09 -0700
Received: from UWIT-EX2K13-01.mso.uw.edu (128.95.155.33) by uwit-ex2k13-01.mso.uw.edu (128.95.155.33) with Microsoft SMTP Server (TLS) id 15.0.847.32; Thu, 2 Oct 2014 23:15:08 -0700
Received: from na01-by2-obe.outbound.protection.outlook.com (207.46.163.236) by UWIT-EX2K13-01.mso.uw.edu (128.95.155.33) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Frontend Transport; Thu, 2 Oct 2014 23:15:08 -0700
Received: from BL2PR08MB241.namprd08.prod.outlook.com (10.242.199.12) by BL2PR08MB242.namprd08.prod.outlook.com (10.242.199.23) with Microsoft SMTP Server (TLS) id 15.0.1044.10; Fri, 3 Oct 2014 06:15:06 +0000
Received: from BL2PR08MB241.namprd08.prod.outlook.com ([169.254.10.121]) by BL2PR08MB241.namprd08.prod.outlook.com ([169.254.10.121]) with mapi id 15.00.1044.008; Fri, 3 Oct 2014 06:15:06 +0000
From: Brian Arkills <barkills@uw.edu>
To: "vot@ietf.org" <vot@ietf.org>
Thread-Topic: [VoT] Vectors of Trust: A Strawman
Thread-Index: AQHP3oU+4p9DXTurHEG17GSReQzTfJwdXX+AgAB+crA=
Date: Fri, 03 Oct 2014 06:15:06 +0000
Message-ID: <277b9fa8ed8945cd919531b64834bb24@BL2PR08MB241.namprd08.prod.outlook.com>
References: <42FAEF9E-37A4-4F3A-84C0-63C1FBC22EC6@mitre.org> <542DCCA7.8070308@bluepopcorn.net>
In-Reply-To: <542DCCA7.8070308@bluepopcorn.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [216.254.31.77]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2PR08MB242;
x-forefront-prvs: 0353563E2B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(199003)(86362001)(4396001)(551934003)(110136001)(89122001)(88552001)(19300405004)(19625215002)(19580395003)(15975445006)(16236675004)(21056001)(561944003)(122386001)(97736003)(46102003)(74316001)(95666004)(90282001)(80022003)(2501002)(92566001)(85306004)(75432002)(64706001)(77096002)(106116001)(107046002)(20776003)(120916001)(106356001)(105586002)(76176999)(101416001)(108616004)(54356999)(50986999)(107886001)(33646002)(66066001)(76482002)(87936001)(99396003)(551544002)(85852003)(76576001)(2656002)(15202345003)(99286002)(10300001)(2351001)(31966008)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR08MB242; H:BL2PR08MB241.namprd08.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: multipart/alternative; boundary="_000_277b9fa8ed8945cd919531b64834bb24BL2PR08MB241namprd08pro_"
MIME-Version: 1.0
X-OriginatorOrg: uw.edu
X-PMX-Version: 6.0.3.2322014, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.10.3.60321
X-PMX-Server: mxout11.cac.washington.edu
X-Uwash-Spam: Gauge=XI, Probability=11%, Report=' TO_IN_SUBJECT 0.5, HTML_50_70 0.1, RCVD_FROM_IP_DATE 0.1, SUPERLONG_LINE 0.05, BODYTEXTH_SIZE_10000_LESS 0, BODY_SIZE_10000_PLUS 0, ECARD_WORD 0, FROM_EDU_TLD 0, NO_URI_FOUND 0, SPF_NEUTRAL 0, WEBMAIL_SOURCE 0, WEBMAIL_XOIP 0, WEBMAIL_X_IP_HDR 0, __BOUNCE_CHALLENGE_SUBJ 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_ALT 0, __HAS_FROM 0, __HAS_HTML 0, __HAS_MSGID 0, __HAS_XOIP 0, __HTML_FONT_BLUE 0, __IN_REP_TO 0, __MIME_HTML 0, __MIME_VERSION 0, __SANE_MSGID 0, __STYLE_RATWARE_NEG 0, __SUBJ_ALPHA_END 0, __SUBJ_ALPHA_NEGATE 0, __TAG_EXISTS_HTML 0, __TO_IN_SUBJECT 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0'
Archived-At: http://mailarchive.ietf.org/arch/msg/vot/jzHF_AwEOsNCbuy4zjOqaLZDeOw
Subject: Re: [VoT] Vectors of Trust: A Strawman
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Oct 2014 06:16:08 -0000

[BA] First, thanks a ton for putting this list together and hoisting a strawman to kick things off. I think a lot of people have been thinking about the ways in which the existing LoA fall short, and I'm glad to see a constructive effort at moving things forward. :)

I've got a couple initial responses to parts of the proposal below ...

Credential strength:

This covers how strongly bound the primary credential is to an individual presenter, and how easily spoofed or stolen it is.

0: no credential / public
1: shared secret / password
2: proof of key possession
3: multiple factors [and probably higher definitions here as well -- but we want to avoid all the little bespoke 2FA companies getting to define a special snowflake "credential strength" value or else this becomes useless]

Anything here about how the secret key is protected? How about bearer assertions like cookies?

[BA] One of the stated aims of this vector is to reflect how easy it is to steal the credential, but none of the values really represent that aspect. One of the biggest security stories right now, the plethora of retailers with credit card breaches over the past year, seem to share several common elements, one of which involves leveraging the NTLM pass the hash credential replay. And if you've been following the NTLM pass the hash replay stuff, you'll have taken note of the fact that enabling 2 factor on a given account doesn't mitigate it at all. Of course, that replay is first dependent on compromising a system which has the desired credential, but the fact that a replay attack is part of the underlying credential design might mean your score should be lower here. You might have mitigations in place which partially or totally neutralize that, in which case your score should be less affected. I'm not yet sure how you'd represent this complexity in a better way via the suggested description for the values but I did want to call this out so better minds than mine could ponder it. :)

Operational management:

This covers a variety of information about the identity provider and its host organization. What's the OpSec policy of the IdP? Is there disaster recovery in place? How mature is the hosting organization? What kind of incident response can be expected? How strongly bound is a particular attribute to a particular credential [though maybe this fits under identity proofing]? You'll note that already this feels a lot less linear and a lot less defined than the other three.

[BA] It seems that the operational management vector has intersections/overlaps with some of the other vectors, but maybe that's just imagined on my part. If the operators of the component allow their cert to expire that affects some of the other vectors. Likewise, if they have very strong administrative practices, perhaps the credential strength is better than another provider using the same technologies. I'm struggling with whether I think it's good to represent this as a separate vector or if this is just an aspect which influences the other vectors.

Finally, I think we need to think about and discuss the notion of the assessment and trustmarks that would be powering the trust in all of these values. After all, if they're just self-asserted by the IdP, that doesn't really help anyone. However, if we had a discovery mechanism whereby a trustmark provider would be able to host a machine-readable definition of what vectors a particular IdP has been proven to be able to claim for any transaction, I think we've got a good leg up on the problem.

Yes: it's essential that we address the accreditation of the authentication and attribute providers in this structure. It's not clear that they're additional dimensions, though: a level 3 assertion from an entity that's only accredited at level 2 should probably just be treated at the lower level unless there's an indication of fraud. It's also possible that some providers might be accredited at different levels for different purposes: perhaps they have an accreditation at level 3 from the financial community, but only level 2 for health care.  We need to consider that.

[BA] I also wonder about vectors of trust in chained assertion scenarios. You assert X, then I assert X based on your assertion (and my evaluation of your assertion). Or do I somehow encapsulate your assertion inside mine and consuming apps know how to deal with this? Does the assertion's strength change when I assert it (or encapsulate it) based on who I am?

Brian Arkills
University of Washington

v2.23.0 | Report a Bug | By Email