Re: [VoT] Vectors of Trust I-D feedback

Nat Sakimura <sakimura@gmail.com> Sun, 02 August 2015 09:59 UTC

In-Reply-To: <C9563753-E9E2-4990-9B7C-3AFEE232BD01@hoerbe.at>
References: <569AD906E45DB44A8AFF11D61F5DA791014ADE44CF@WLGPRDMBX02.dia.govt.nz> <39A67012-222A-4C23-B92A-B7AB55744B2D@hoerbe.at> <55BA14B2.3070105@mit.edu> <C9563753-E9E2-4990-9B7C-3AFEE232BD01@hoerbe.at>
Date: Sun, 02 Aug 2015 18:59:49 +0900
Message-ID: <CABzCy2AUA4ycTcj0-kgu_YaceduJRJYjruXs=X2zE1nowryGEQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Rainer Hoerbe <rainer@hoerbe.at>
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/xMZ4vjhJFiFcXybZ_c8FmqfLrjQ>
Cc: "vot@ietf.org" <vot@ietf.org>, Justin Richer <jricher@mit.edu>
Subject: Re: [VoT] Vectors of Trust I-D feedback

I agree that we should split out the credential management and the
credential usage.
Each should have different "grades".

Right now, -00 has:

3.1. Identity Proofing
3.2. Credential Management
3.3. Assertion Presentation

Instead, it could be

3.1 Identity Proofing
3.2 Credential Management
3.3 Credential Usage
3.4 Assertion Presentation

Then, 3.1 - 3.3 align with X.1254 and ISO/IEC 29115, which is good.
Note: they are missing 3.4.

We also need to define vtm.
I imagine that the vtm URI would point to the policy documents of the trust
framework, but that is not explicitly there.

Best,

Nat
2015-07-31 17:44 GMT+09:00 Rainer Hoerbe <rainer@hoerbe.at>:

> See my proposed changes in the attached word document.
>
> Another point: I wonder if there is consistent understanding wrt.
> Credential Management levels. How do people grade strong credentials that
> rely on a weak recovery mechanism like eMail and KBA? When multiple
> C-levels are asserted, they are reducing the risk, but joining session
> authentication and credential recovery is increasing the risk. I think that
> VoT should include a rule on how to handle this.
>
> - Rainer
>
>
> On 30.07.2015 at 14:12, Justin Richer <jricher@mit.edu> wrote:
>
> Rainer,
>
> Thanks for this input, this is helpful. When Leif and I picked the term
> "Vectors of Trust" we knew that each part of that phrase was problematic in
> some fashion, but we've yet to hear something that's more serviceable. This
> is the reasoning behind the explanatory section at the beginning, actually.
> Can you suggest some text for a better way to situate the terms?
>
>  -- Justin
>
> On 7/30/2015 7:20 AM, Rainer Hoerbe wrote:
>
> The term vector seems to stick since Bob Morgan’s visualization some years
> ago despite some resistance. However its connotation in „2.2 Component
> Architecture“ is misleading, because all the language about „mathematical
> construct“, „coordinate system“ and „must be orthogonal“ is not properly
> put into context by "need for simplicity“ and "somewhat elided model“.
>
> I suggest using stronger wording to make it clear to the newcomer that
> this kind of taxonomy is by its nature an oversimplification. Fitting a
> square peg into a round hole is the only option to reduce the complexity of
> trust frameworks. There should be an emphasis that the number of vectors,
> their orthogonality and composition will never be a clean and undisputed
> derivation from real trust models, but an extension and improvement from
> current practices like 800-63. VoT is taking facts that are measurable out
> of the trust framework leaving the amorphous rest to TLDR risk assessments.
>
> - Rainer
>
> On 30.07.2015 at 06:28, Joanne Knight <Joanne.Knight@dia.govt.nz> wrote:
>
> Hi All
>
>
> Due to workloads it has taken me a while to catch up and I am sorry I was
> unable to make the Bar BoF.
>
>
> I have attached a paper with my thoughts on the drafty draft as well as
> where my own framework has evolved to so far. I have recently latched on to
> a resource to aid me in progressing the Identity-related risk assessment, so
> let me know if anyone is interested in the outcomes, as they are not directly VoT
> related.
>
>
> Thoughts only, take them at your whim.
>
>
> Cheers
>
>
> Joanne
>
>
>
>
> *From:* Justin Richer [mailto:jricher@MIT.EDU]
> *Sent:* Saturday, 27 June 2015 3:15 p.m.
> *To:* vot@ietf.org
> *Subject:* [VoT] Vectors of Trust I-D
>
> Hi Everyone,
>
> I have taken the initial strawman proposal along with a substantial number
> of edits and inputs from several folks and have created an initial I-D of
> the document:
>
> https://tools.ietf.org/id/draft-richer-vectors-of-trust-00
>
> It’s still a very drafty draft, but hopefully it’s starting to make this a
> concrete thing. Please read it over and discuss it here on the list.
>
> I would like to propose a bar-BoF in Prague for VoT for anyone who would
> like to discuss this. If you’re interested (and will be there in person),
> let me know!
>
>  — Justin
> <VoT Feedback.docx>
> _______________________________________________
> vot mailing list
> vot@ietf.org
> https://www.ietf.org/mailman/listinfo/vot


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
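To make the two structural points in this thread concrete, here is an added example (not code from the draft or from any of the posters): a small parser for a four-component trust vector in the shape Nat proposes (identity proofing, credential management, credential usage, assertion presentation) with a vtm value interpreted as the URI of the trust framework's policy document, plus a helper that applies the rule Rainer asks for, treating a weak credential-recovery path as a cap on the effective credential level. The component prefixes `P`, `Cm`, `Cu`, `A`, the numeric grades, the dotted syntax and the weakest-link rule are all assumptions of this example, not notation from draft-richer-vectors-of-trust-00.

```python
"""Toy model of a four-component trust vector plus a recovery-path rule.

Added example for the VoT thread; the component prefixes, grade scale and
dotted syntax are assumptions, not the draft's own notation.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed prefixes, ordered as in Nat's proposed sections 3.1 - 3.4.
COMPONENTS = {
    "P": "identity_proofing",
    "Cm": "credential_management",
    "Cu": "credential_usage",
    "A": "assertion_presentation",
}


@dataclass(frozen=True)
class TrustVector:
    identity_proofing: int
    credential_management: int
    credential_usage: int
    assertion_presentation: int
    vtm: str  # URI of the trust framework's policy documents (assumed meaning)


def parse_vector(vot: str, vtm: str) -> TrustVector:
    """Parse a constructed vector like 'P2.Cm3.Cu2.A1' and validate vtm.

    Every component must appear exactly once; the parser rejects unknown,
    malformed, duplicated or missing components rather than guessing.
    """
    values = {}
    for part in vot.split("."):
        prefix = part.rstrip("0123456789")
        digits = part[len(prefix):]
        if prefix not in COMPONENTS or not digits:
            raise ValueError(f"unknown or malformed component: {part!r}")
        name = COMPONENTS[prefix]
        if name in values:
            raise ValueError(f"duplicate component: {prefix}")
        values[name] = int(digits)
    missing = set(COMPONENTS.values()) - values.keys()
    if missing:
        raise ValueError(f"missing components: {sorted(missing)}")
    # vtm is treated here as an absolute http(s) URI to a policy document.
    parsed = urlparse(vtm)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("vtm must be an absolute http(s) URI")
    return TrustVector(vtm=vtm, **values)


def effective_credential_level(credential_levels, recovery_level):
    """Weakest-link rule (an assumption of this example).

    Several asserted credential grades are taken at their strongest, but a
    recovery mechanism such as an e-mail link or KBA that is weaker than the
    credential caps the level a relying party should actually count on.
    """
    if not credential_levels:
        raise ValueError("at least one credential level is required")
    return min(max(credential_levels), recovery_level)


if __name__ == "__main__":
    # Constructed sample: a strong credential whose recovery path is e-mail (grade 1).
    v = parse_vector("P2.Cm3.Cu2.A1", "https://example.org/trust-framework/policy")
    print(v)
    print("effective credential level:",
          effective_credential_level([v.credential_management], recovery_level=1))
```

The parser deliberately fails closed on any component it does not know, so a relying party cannot silently accept a vector that omits the credential-usage grade once that component exists; the recovery rule is a starting point for the kind of explicit combination rule Rainer suggests the document should state.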