Re: [VoT] Security Problem with Primary Credential Usage

Julian White <> Fri, 13 May 2016 07:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7C7B412D0E9 for <>; Fri, 13 May 2016 00:53:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gQTwG1R7S9cm for <>; Fri, 13 May 2016 00:53:17 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EEE0212D0E6 for <>; Fri, 13 May 2016 00:53:16 -0700 (PDT)
Received: by with SMTP id g17so15776764wme.1 for <>; Fri, 13 May 2016 00:53:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=nud; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6RORb0DYnSBJNzOdTLb6sr1ZvTuJq7Izca782DuAoU8=; b=TRyLYx1C0g55PSrikZ/Wtk7dS37wPQTPnV47SEQfp7M9yY9LrY38qtdIGVf4qn3Yve drUVfjoYNc4yVR8Ggr7idyjUoub+dw86k2G1B1fd70DdzSHZAWTbYMk7XEbkvCnTSa34 2qeWP91THnc87VOuymOH9KKwch68AHLzbZJ7s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6RORb0DYnSBJNzOdTLb6sr1ZvTuJq7Izca782DuAoU8=; b=FFscqPasckStmG3xIrUkeRvoI8WHQWAkeWPiHHyrbWm9r023Akf3TU8IEEVVmRs+rH sDqaiBbdA95uKl679Z6ijPE3Py2D+nldficKEfA9RPRc9NNVabTZlrQAjNV+NJJ3rwv/ uwk52E4gi8IrA2UvyaIKyL4bib9gJ3dNXtwx+kJb0fwVhcM7IPAo1b6jRbpByrWgpxRz x8TuRAwxUPH+5xqxAYnjL2fRR7qCPY2hWw/9VI9ggaQpK6gDa2jmVjWnojnV3QMuDHQb ho4yi0CvnUOAWB69zCvBNwicJt5T9TygwT2c7KBAoBUIFtRSZIXt0GKkk2lQ0ZX0qm84 BIRQ==
X-Gm-Message-State: AOPr4FWTPjGDxPNi1Mmlb5kxBApzwZDlxNHCT9BKQlf//hL2GXzf5lUXF9DnAExZVjZAFvOmecH74/PclP7qlUYn
X-Received: by with SMTP id qr9mr14081115wjc.61.1463125995497; Fri, 13 May 2016 00:53:15 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 13 May 2016 00:52:55 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
From: Julian White <>
Date: Fri, 13 May 2016 08:52:55 +0100
Message-ID: <>
To: Justin Richer <>
Content-Type: multipart/alternative; boundary=001a11c3a52a3941690532b491b3
Archived-At: <>
Cc: Chris <>,
Subject: Re: [VoT] Security Problem with Primary Credential Usage
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Vectors of Trust discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 May 2016 07:53:20 -0000


For my own clarity, can the RP pass a request for a specific trustmark, or
list of trustmarks that it will accept? The text seems to imply that they
will get whatever trustmark the IdP sends and have to make a decision based
on that each time. In reality, since the evaluation of the trustmark is a
cumbersome manual process I suspect RP's will whitelist trustmarks that
they will accept so then it seems inefficient for and IdP to return a
response under a trustmark the RP won't accept.



On 12 May 2016 at 19:49, Julian White <>; wrote:

> That makes sense, tho that didn't come across in the description of the
> trustmark.
> Julian
> On 12 May 2016 19:45, "Justin Richer" <>; wrote:
>> We explicitly left those kinds of things out of the vector as they’d
>> really be related to the IdP itself and not the authentication transaction
>> to which the VoT refers. In other words, the security of the IdP is related
>> to the trust framework and assessment of the IdP and it can be published as
>> part of the IdP’s discovery documents and associated trust marks. This is
>> information that is going to remain the same regardless of the transaction.
>> This is also part of why you need to have a trustmark context to
>> interpret the VoT in.
>>  — Justin
>> On May 12, 2016, at 11:11 AM, Julian White <>; wrote:
>> Hi,
>> I have a number of comments and questions (see attached), many of which
>> are related to the issues raised by Chris, some maybe my misunderstanding
>> coming in half way through the drafting tho.
>> I, like Chris, also think there needs to be something more explicit
>> around the "security" of the IdP authentication which includes the measures
>> to try and detect 'odd' things (like MITM). I would also go one step
>> further in that I also want to know about the maturity of the IdP's
>> "security", its of no use to me if they have really good credentials but
>> store all the data in the clear on their website or have a load of
>> administrative back-doors that could let anyone generate a valid
>> authentication response.
>> It feels like we need to do more work in this area.
>> Regards,
>> Julian.
>> On 8 May 2016 at 13:24, Chris <>; wrote:
>>> Hi All,
>>> I think there is a critical flaw in section 3.2 of
>>> (Primary
>>> Credential Usage)
>>> Mutual-authentication is missing.  When no provision is made to prevent
>>> man-in-the-middle, credential harvesting, spoof, phishing, malware, or
>>> other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce,
>>> Cf, and others *equally* untrustworthy.
>>> We should consider inclusion either for the overall strength of the
>>> authentication process, or some breakdown of either all the techniques used
>>> or the strength of protection employed to thwart at least common attack
>>> scenarios.
>>> This problem gets tricky quite fast:
>>> Do we identify the authentication technology vendor? (if yes - who works
>>> out their resistance strength to common attacks?  what about different
>>> modes?)
>>> Do we broadly identify the techniques (whos opinions count as to whether
>>> or not the technique is effective and against what threats?)
>>> Do we identify or classify the threats and indicate which ones were
>>> mitigated (who should be trusted to decide if these really were mitigated?)
>>> For example - tamper-proof hardware digital certificate devices with
>>> biometrics unlocks are totally useless, if the user paid no attention to a
>>> broken SSL warning, or has malware.  They're also equally useless in most
>>> corporate environments that use deep-packet inspection firewalls - and
>>> "unexpected certificates" (eg. from DPI or malicious) carry their own
>>> privacy problems (eg: passwords are not as "protected" as you think).  Much
>>> more common authentication "protection" of course, are two-step or sms one
>>> time codes - which are equally useless when an end user can be tricked into
>>> revealing them to spoof sites.
>>> 91% of successful break-ins start from phishing.  Right now, every
>>> vector is pointing one way - we need at least one "Vector of Trust" to
>>> point *back* the other way!
>>> How about a 5th vector - "S" for "Security", which somehow allows an RP
>>> a level of confidence in the protection afforded to the user's actual
>>> authentication process, in terms of (or at least considering) a wide range
>>> of (and all common) modern threats.
>>> Chris.
>>> _______________________________________________
>>> vot mailing list
>> <draft-richer-vectors-of-trust-02.docx>
>> _______________________________________________
>> vot mailing list