[VoT] Credential usage, presentation and verification
Robin Wilton <wilton@isoc.org> Tue, 04 August 2015 10:53 UTC
Return-Path: <wilton@isoc.org>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95EDE1B379F for <vot@ietfa.amsl.com>; Tue, 4 Aug 2015 03:53:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TLAVzNaUuFd for <vot@ietfa.amsl.com>; Tue, 4 Aug 2015 03:53:11 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0059.outbound.protection.outlook.com [65.55.169.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 680201B379C for <vot@ietf.org>; Tue, 4 Aug 2015 03:53:11 -0700 (PDT)
Received: from SN1PR06MB1839.namprd06.prod.outlook.com (10.162.133.18) by SN1PR06MB1840.namprd06.prod.outlook.com (10.162.133.15) with Microsoft SMTP Server (TLS) id 15.1.225.19; Tue, 4 Aug 2015 10:53:07 +0000
Received: from SN1PR06MB1839.namprd06.prod.outlook.com ([10.162.133.18]) by SN1PR06MB1839.namprd06.prod.outlook.com ([10.162.133.18]) with mapi id 15.01.0225.018; Tue, 4 Aug 2015 10:53:07 +0000
From: Robin Wilton <wilton@isoc.org>
To: "vot@ietf.org" <vot@ietf.org>
Thread-Topic: Credential usage, presentation and verification
Thread-Index: AQHQzqO/oFoecV6rT0ilHVMwCwr8Vg==
Date: Tue, 04 Aug 2015 10:53:07 +0000
Message-ID: <D0316675-FECE-4A6E-A52D-8E1437E9852C@isoc.org>
References: <mailman.309.1438650857.3844.vot@ietf.org>
In-Reply-To: <mailman.309.1438650857.3844.vot@ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=wilton@isoc.org;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [94.174.34.240]
x-microsoft-exchange-diagnostics: 1; SN1PR06MB1840; 5:KegUn13N49xP/N+CxtzqEzRrF6EiMYC30i51bKsKdSRetyL5fxrWYTkwkvGiaK51sHInrLiEQEEK7SLuzJcI0R+pRwCh4cd/+myZlm1CyZBwSbHO/7JV9WQTzRx3SM91z5L07QBrWCYBLzhthDJZfQ==; 24:k2L3nxR6nzE52DnAKPTSZ8d7/aBQyEvN26p91923Y3go70jLltmoVCeOM6hhRqdhJVXtD72IKsTVPugmNyDFhkzfQsglEjztbJ58DQ0Zgjo=; 20:TnnvI2sRVyrOW6DFM7sQvh10+9qpz/G+zG38Fe2H4ClJtSPwr4a4JvOOgc/ptzvGOE+m9twXPjdhu8VgIkCiXw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR06MB1840;
x-microsoft-antispam-prvs: <SN1PR06MB1840D839EE5050B6E6FA7C77BF760@SN1PR06MB1840.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:SN1PR06MB1840; BCL:0; PCL:0; RULEID:; SRVR:SN1PR06MB1840;
x-forefront-prvs: 0658BAF71F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(243025005)(124975003)(199003)(189002)(377454003)(24454002)(501624003)(377424004)(479174004)(66066001)(87936001)(76176999)(110136002)(54356999)(106356001)(5001960100002)(86362001)(105586002)(2351001)(68736005)(19617315012)(102836002)(16236675004)(106116001)(107886002)(36756003)(64706001)(99286002)(229853001)(2501003)(5001830100001)(2420400006)(5001860100001)(77096005)(77156002)(189998001)(62966003)(50986999)(101416001)(82746002)(81156007)(19580405001)(46102003)(33656002)(83716003)(97736004)(15975445007)(4001540100001)(2656002)(2900100001)(92566002)(122556002)(2950100001)(5002640100001)(19580395003)(40100003)(99936001)(450100001)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:SN1PR06MB1840; H:SN1PR06MB1839.namprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
Content-Type: multipart/signed; boundary="Apple-Mail=_FEC0EE2E-AE56-48B5-A825-2516C089ECC2"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2015 10:53:07.5344 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR06MB1840
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/xZx-IwpQIvCpR85cr76pRbh02vU>
Subject: [VoT] Credential usage, presentation and verification
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2015 10:53:17 -0000
Apologies for top-posting, but I wanted to make some comments which refer partly to both Joanne’s and Jim’s preceding posts, and there wasn’t a neat way to do so inline. If you look at the whole credential lifecycle, there are trust factors (not vectors!) throughout it. VoT looks at a subset of them: - how reliably the issuing party establishes the identity of the applicant; - how strongly the credential is bound to the applicant; - how reliably the credential is presented. However, there are significant trust factors at other stages in the lifecycle: - how reliably the credential is verified when it is presented (by analogy, think of the cursory check a retail clerk gives your “signature” compared to the one on your credit card) - how robust the processes are for amending, revoking and/or destroying a credential. Of these two, the second could be put neatly under the heading of “credential management” and represented by the same vector. The first (reliability of the credential verification process upon presentation) is harder to account for, and I think this is because it is generally partly or wholly outside the control of the IDP. (Again, by analogy, think of Point of Sale terminals; these are, essentially, an attempt by the IDP [card issuer] to retain control over the verification step, essentially taking the RP out of the loop. But they do so at the cost of significant effort, and the ‘remote’ part of the process is still susceptible to subversion.) I am not yet sure it can be sensibly formalised in a vector - but I think it’s worth considering, because it’s a significant trust factor in the over-all lifecycle. Here’s a straw-man use case, just to kick around… An IDP issues electronic credentials, and offers RPs a range of verification alternatives: when one of our credentials is presented, 3 - you will verify it using a black box that we require you to install at your premises, and which not only checks the credential itself, it also “phones home” to do a real-time revocation check or 2 - there’s no black box; we will provide you with a software verification module that you run, to verify the credential and do a revocation check or 1 - we’ll expose a web services API at our end, for credential verification and revocation status or 0 - we just issue the credentials; how you verify them on presentation is up to you The IDP’s liability model would vary accordingly. One issue with this straw-man is that the IDP is telling the RP stuff that they both already know… On the other hand, exchanging a message to that effect does create an audit trail, which might be useful for compliance purposes. Any thoughts? R > > From: Joanne Knight <Joanne.Knight@dia.govt.nz> > Subject: Re: [VoT] Vectors of Trust I-D feedback > Date: 4 August 2015 01:05:17 BST > To: 'Jim Fenton' <fenton@bluepopcorn.net>, Nat Sakimura <sakimura@gmail.com>, Rainer Hoerbe <rainer@hoerbe.at> > Cc: "vot@ietf.org" <vot@ietf.org>, Justin Richer <jricher@mit.edu> > > > ISO/IEC 29115 has been nothing but a headache for me for a number of years. > > If we want to be evolutionary I would not constrain myself to trying to be consistent with it – especially since it is currently being reviewed. I have also suggested that it look this way ;-) rather than the other way around. > > I am still out to lunch on Assertion Presentation. Just because it exists in my framework and has (thanks to Justin) got a label, I have not had time to think through exactly what it is and means. It may be that it is a series of aspects that must be added to the other Vectors. They may not be measurable, in which case they become guidance. > > As it was Nat who lit the spark that there is this other ‘thing’ in the mix, I am hoping for a flu free ISO meeting to have an academic brainstorm. Jim, I seem to have missed your review of I-D, so would appreciate if you can send me your thoughts on Assertion Presentation. > > Cheers > > Joanne > > From: Jim Fenton [mailto:fenton@bluepopcorn.net] > Sent: Tuesday, 4 August 2015 10:32 a.m. > To: Nat Sakimura; Rainer Hoerbe > Cc: vot@ietf.org; Justin Richer > Subject: Re: [VoT] Vectors of Trust I-D feedback > > To be entirely consistent with ISO/IEC 29115, we would need to rename Identity Proofing as Enrolment, and Credential Usage as Authentication. > > But ISO/IEC 29115 refers to these as phases: they occur at different times (or, in the case of Credential Management, over a long period of time) and have different threat models. But I would like to ask under which circumstances a Relying Party would act differently to an indication of less secure Credential Management vs. less secure Authentication. There are credential management practices that would make a credential unsuitable for highly secure authentication, but why not just represent that as less secure authentication? VoT should be only as complex as required; it should not represent aspects of the process that the relying party does not need. > > Also, Enrolment includes aspects of the credentialing process that go far beyond identity proofing and the binding of those attributes in a credential. It's the reliability of that attribute assertion that's orthogonal to authentication strength, and not all of the other aspects of enrolment. > > Finally, I'll repeat my comment that's buried in my review of the I-D the other day that Assertion Presentation should be visible to the RP already. For example, if the assertion is encrypted in transit, the RP will know that without being told. There may be need for the RP to specify how it wants assertions to be presented to it, but that seems like more of a general option to me and not part of the Vector. > > -Jim > > On 8/2/15 2:59 AM, Nat Sakimura wrote: > I agree that we should split out the credential management and the credential usage. > Each should have different "grades". > > Right now, -00 has: > > 3.1. Identity Proofing > 3.2. Credential Management > 3.3. Assertion Presentation > > Instead, it could be > > 3.1 Identity Proofing > 3.2 Credential Management > 3.3 Credential Usage > 3.4 Assertion Presentation > > Then, 3.1 - 3.3 aligns with X.1254 and ISO/IEC 29115, which is good. > Note: they are missing 3.4. > > We also need to define vtm. > I imagine that vtm uri would point to the policy documents of the trust framework, > but that is not explicitly there. > > Best, > > Nat > > > > > > > From: Nat Sakimura <sakimura@gmail.com> > Subject: Re: [VoT] Vectors of Trust I-D feedback > Date: 4 August 2015 01:53:44 BST > To: Jim Fenton <fenton@bluepopcorn.net> > Cc: Rainer Hoerbe <rainer@hoerbe.at>, Justin Richer <jricher@mit.edu>, "vot@ietf.org" <vot@ietf.org> > > > Right, X.1254 | ISO/IEC 29115 says: > 8.1 Enrolment phase > > 8.2 Credential management phase > > 8.3 Entity authentication phase > > It also has > 9 Management and organizational considerations. > > My point is that this I-D seems to use "Credential Management" for "Entity Authentication" (BTW, at one point of the draft, it was called "Credential Usage", or at least, JP NB proposed the name because this entire framework is "Entity Authentication" and not this specific phase.) > > 2015-08-04 7:31 GMT+09:00 Jim Fenton <fenton@bluepopcorn.net>: > To be entirely consistent with ISO/IEC 29115, we would need to rename Identity Proofing as Enrolment, and Credential Usage as Authentication. > > But ISO/IEC 29115 refers to these as phases: they occur at different times (or, in the case of Credential Management, over a long period of time) and have different threat models. But I would like to ask under which circumstances a Relying Party would act differently to an indication of less secure Credential Management vs. less secure Authentication. There are credential management practices that would make a credential unsuitable for highly secure authentication, but why not just represent that as less secure authentication? VoT should be only as complex as required; it should not represent aspects of the process that the relying party does not need. > > Also, Enrolment includes aspects of the credentialing process that go far beyond identity proofing and the binding of those attributes in a credential. It's the reliability of that attribute assertion that's orthogonal to authentication strength, and not all of the other aspects of enrolment. > > Finally, I'll repeat my comment that's buried in my review of the I-D the other day that Assertion Presentation should be visible to the RP already. For example, if the assertion is encrypted in transit, the RP will know that without being told. There may be need for the RP to specify how it wants assertions to be presented to it, but that seems like more of a general option to me and not part of the Vector. > > -Jim > > On 8/2/15 2:59 AM, Nat Sakimura wrote: >> I agree that we should split out the credential management and the credential usage. >> Each should have different "grades". >> >> Right now, -00 has: >> >> 3.1. Identity Proofing >> 3.2. Credential Management >> 3.3. Assertion Presentation >> >> Instead, it could be >> >> 3.1 Identity Proofing >> 3.2 Credential Management >> 3.3 Credential Usage >> 3.4 Assertion Presentation >> >> Then, 3.1 - 3.3 aligns with X.1254 and ISO/IEC 29115, which is good. >> Note: they are missing 3.4. >> >> We also need to define vtm. >> I imagine that vtm uri would point to the policy documents of the trust framework, >> but that is not explicitly there. >> >> Best, >> >> Nat >> >> > > > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > > > From: Nat Sakimura <sakimura@gmail.com> > Subject: Re: [VoT] Vectors of Trust I-D feedback > Date: 4 August 2015 02:14:11 BST > To: Joanne Knight <Joanne.Knight@dia.govt.nz> > Cc: Jim Fenton <fenton@bluepopcorn.net>, Rainer Hoerbe <rainer@hoerbe.at>, Justin Richer <jricher@mit.edu>, "vot@ietf.org" <vot@ietf.org> > > > Hi. > > I think X.1254 | ISO/IEC 29115 is actually quite good if you read deeply into it especially from private sector point of view. It has departed from the government centric approach as it should be as an industry standard, and the applicability was widened considerably. > > What's really good about it is its departure from the notion that identity is {name, dob, address + some other attributes}. It is policy based so that the policy in the framework should decide what needs to be verified to achieve "identity proofing." In the private sector usage, it may just be a validity of payment instrument and contact method. > > 29115 is not being reviewed at this time. There is an SP but it is just an SP (study period) and not review. Review is supposed to start in December 2016. > > Sort of assertion presentation has been in SP800-63 for sometime. > In the most recent one [SP800-63], it is clause 9. > > > [SP800-63] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf, > > > > 2015-08-04 9:05 GMT+09:00 Joanne Knight <Joanne.Knight@dia.govt.nz>: > ISO/IEC 29115 has been nothing but a headache for me for a number of years. > > If we want to be evolutionary I would not constrain myself to trying to be consistent with it – especially since it is currently being reviewed. I have also suggested that it look this way ;-) rather than the other way around. > > I am still out to lunch on Assertion Presentation. Just because it exists in my framework and has (thanks to Justin) got a label, I have not had time to think through exactly what it is and means. It may be that it is a series of aspects that must be added to the other Vectors. They may not be measurable, in which case they become guidance. > > As it was Nat who lit the spark that there is this other ‘thing’ in the mix, I am hoping for a flu free ISO meeting to have an academic brainstorm. Jim, I seem to have missed your review of I-D, so would appreciate if you can send me your thoughts on Assertion Presentation. > > Cheers > > Joanne > > From: Jim Fenton [mailto:fenton@bluepopcorn.net] > Sent: Tuesday, 4 August 2015 10:32 a.m. > To: Nat Sakimura; Rainer Hoerbe > Cc: vot@ietf.org; Justin Richer > Subject: Re: [VoT] Vectors of Trust I-D feedback > > To be entirely consistent with ISO/IEC 29115, we would need to rename Identity Proofing as Enrolment, and Credential Usage as Authentication. > > But ISO/IEC 29115 refers to these as phases: they occur at different times (or, in the case of Credential Management, over a long period of time) and have different threat models. But I would like to ask under which circumstances a Relying Party would act differently to an indication of less secure Credential Management vs. less secure Authentication. There are credential management practices that would make a credential unsuitable for highly secure authentication, but why not just represent that as less secure authentication? VoT should be only as complex as required; it should not represent aspects of the process that the relying party does not need. > > Also, Enrolment includes aspects of the credentialing process that go far beyond identity proofing and the binding of those attributes in a credential. It's the reliability of that attribute assertion that's orthogonal to authentication strength, and not all of the other aspects of enrolment. > > Finally, I'll repeat my comment that's buried in my review of the I-D the other day that Assertion Presentation should be visible to the RP already. For example, if the assertion is encrypted in transit, the RP will know that without being told. There may be need for the RP to specify how it wants assertions to be presented to it, but that seems like more of a general option to me and not part of the Vector. > > -Jim > > On 8/2/15 2:59 AM, Nat Sakimura wrote: > I agree that we should split out the credential management and the credential usage. > Each should have different "grades". > > Right now, -00 has: > > 3.1. Identity Proofing > 3.2. Credential Management > 3.3. Assertion Presentation > > Instead, it could be > > 3.1 Identity Proofing > 3.2 Credential Management > 3.3 Credential Usage > 3.4 Assertion Presentation > > Then, 3.1 - 3.3 aligns with X.1254 and ISO/IEC 29115, which is good. > Note: they are missing 3.4. > > We also need to define vtm. > I imagine that vtm uri would point to the policy documents of the trust framework, > but that is not explicitly there. > > Best, > > Nat > > > > > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > > _______________________________________________ > vot mailing list > vot@ietf.org > https://www.ietf.org/mailman/listinfo/vot
- [VoT] Credential usage, presentation and verifica… Robin Wilton
- Re: [VoT] Credential usage, presentation and veri… Joanne Knight