IETF Logo Mail Archive

Re: [VoT] Vectors of Trust: A Strawman

"Cantor, Scott" <cantor.2@osu.edu> Fri, 10 October 2014 01:30 UTC

Return-Path: <cantor.2@osu.edu>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAF5B1AD049 for <vot@ietfa.amsl.com>; Thu, 9 Oct 2014 18:30:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kl1zJR8o8-lN for <vot@ietfa.amsl.com>; Thu, 9 Oct 2014 18:30:26 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0701.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:701]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0BC21AD04A for <vot@ietf.org>; Thu, 9 Oct 2014 18:30:25 -0700 (PDT)
Received: from BL2FFO11FD020.protection.gbl (10.173.160.33) by BL2FFO11HUB067.protection.gbl (10.173.161.167) with Microsoft SMTP Server (TLS) id 15.0.1039.16; Fri, 10 Oct 2014 01:29:56 +0000
Received: from cio-tnc-pf08.osuad.osu.edu (164.107.81.222) by BL2FFO11FD020.mail.protection.outlook.com (10.173.161.38) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Fri, 10 Oct 2014 01:29:57 +0000
Received: from CIO-TNC-HT07.osuad.osu.edu (cio-tnc-ht07.osuad.osu.edu [164.107.81.174]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by cio-tnc-pf08.osuad.osu.edu (Postfix) with ESMTPS id 774FD2E0076; Thu, 9 Oct 2014 21:29:56 -0400 (EDT)
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-TNC-HT07.osuad.osu.edu ([fe80::3ca1:e895:a165:1359%10]) with mapi id 14.03.0174.001; Thu, 9 Oct 2014 21:29:55 -0400
From: "Cantor, Scott" <cantor.2@osu.edu>
To: "Richer, Justin P." <jricher@mitre.org>, "vot@ietf.org" <vot@ietf.org>
Thread-Topic: [VoT] Vectors of Trust: A Strawman
Thread-Index: AQHP5CmyMbnSVgj9dkKOx7btT3InPw==
Date: Fri, 10 Oct 2014 01:29:55 +0000
Message-ID: <D05CAAD3.11F99%cantor.2@osu.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [128.146.14.94]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <677944E37D876A4AAEEC3B317391EC54@osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:164.107.81.222; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(377454003)(479174003)(24454002)(199003)(51704005)(189002)(2501002)(6806004)(19580395003)(64706001)(19580405001)(88552001)(90282001)(46406003)(4396001)(31966008)(89122001)(47776003)(36756003)(109096001)(551934003)(77096002)(20776003)(99396003)(23726002)(95666004)(75432002)(50986999)(97756001)(80022003)(46102003)(85852003)(21056001)(66066001)(86362001)(106466001)(85306004)(92566001)(50466002)(107046002)(107886001)(44976005)(106116001)(120916001)(2656002)(54356999)(87936001)(76482002)(93346002)(92726001); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2FFO11HUB067; H:cio-tnc-pf08.osuad.osu.edu; FPR:; MLV:sfv; PTR:cio-tnc-pf08.osuad.osu.edu; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2FFO11HUB067;
X-Forefront-PRVS: 03607C04F0
Received-SPF: Pass (protection.outlook.com: domain of osu.edu designates 164.107.81.222 as permitted sender) receiver=protection.outlook.com; client-ip=164.107.81.222; helo=cio-tnc-pf08.osuad.osu.edu;
Authentication-Results: spf=pass (sender IP is 164.107.81.222) smtp.mailfrom=cantor.2@osu.edu;
X-OriginatorOrg: osu.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/vot/vkaUqN2F2bat_f_WCMohNeQCmzo
Subject: Re: [VoT] Vectors of Trust: A Strawman
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Oct 2014 01:30:27 -0000

On 10/2/14, 5:10 PM, "Richer, Justin P." <jricher@mitre.org> wrote:

>I'm going to propose 4 here, all of them linear scales. As a side note,
>it's a question whether all of these are even linear scales, but I think
>it's important that we define comparison metrics on each vector element
>as well as the overall values.

As I said in another note, I'm not sure any of them are really linear or
that reducing them to that is an accurate way of communicating anything
useful, but I'm also not sure there's an alternative that's palatable.
It's a question of how lossy it's possible to be and not lose the signal I
guess.

>Identity proofing:
>
>This covers how sure the IdP is of various attributes about the user on
>the way in, and how much they're willing to vouch for those attributes.

Are we proposing that this is intrinsically per-attribute? Something that
people have been dancing around for years, really.

As others mentioned, I think it's even better to avoid the word identity
entirely. There is no well-defined notion of "physical identity" in the
digital space, only poorly expressed approximations. I think there are
only attributes.

>Credential strength:
>This covers how strongly bound the primary credential is to an individual
>presenter, and how easily spoofed or stolen it is.

Maybe the word "and" in that sentence demonstrates that there are multiple
vectors in play there.

>Assertion presentation:
>
>This covers how much the federation protocol leaks information over the
>network to various parties, and how much of that information could be
>tampered in transit without the RP noticing.
>
>0: no protection / leaky
>1: signed & verifiable through browser
>2: signed & verifiable through back channel
>3: target-encrypted to RP's own key

I think somebody else noted those are themselves orthogonal.
Confidentality and integrity/strength are tunable independently.


>Operational management:
>
>This covers a variety of information about the identity provider and its
>host organization. What's the OpSec policy of the IdP? Is there disaster
>recovery in place? How mature is the hosting organization? What kind of
>incident response can be expected?
> How strongly bound is a particular attribute to a particular credential
>[though maybe this fits under identity proofing]? You'll note that
>already this feels a lot less linear and a lot less defined than the
>other three.

It's much more well defined IMHO, but decidedly less linear.

>Finally, I think we need to think about and discuss the notion of the
>assessment and trustmarks that would be powering the trust in all of
>these values. After all, if they're just self-asserted by the IdP, that
>doesn't really help anyone. However, if we had a discovery mechanism
>whereby a trustmark provider would be able to host a machine-readable
>definition of what vectors a particular IdP has been proven to be able to
>claim for any transaction, I think we've got a good leg up on the problem.

Yes, we've been using SAML metadata to do these kinds of things for a
while now.

-- Scott

v2.23.0 | Report a Bug | By Email