FW: [id-cloud] Gap Analysis Use Case 21: Mobile Customers' Identity Authentication Using a Cloud Provider (WS-Trust standard)

["Nguyen, Dominique V" <dominique.v.nguyen@bankofamerica.com>]

 

This discussion thread is to start an on-list discussion on the Gap

 Analysis of individual use cases. Use case numbers refer to the use

 cases as described in the 'OASIS Identity in the Cloud TC Use Cases'

 Version 1.0, Working Draft 02, 15 December 2011, which is available at

 http://www.oasis-open.org/committees/document.php?document_id=44915&wg_abbrev=id-cloud

 

 

The information below describes the current state. You are invited to

 respond on-list to this thread with any comments, insights, additions, etc.

All input will be gathered from the list and consolidated into the

 next revision of the Gap Analysis document.

---

 

Use Case 21: Mobile Customers' Identity Authentication Using a Cloud Provider

 

Short description:

Feature the need to have a standard secure authentication in order to use Cloud service

to authenticate mobile users

 

Relevant applicable standards:

- SAML

- OAuth

- XSPA

- WS-Trust

- PMRM

 

WS-Trust Gap summary:

 

Does not appear to have any gaps.

 

Terms used in Ws-Trust and notes indicating no gaps:

 

* Claim: A statement made about a client, service or other resource (e.g. name, identity, key, group, privilege, capability, etc.

* Security Token: A security token represents a collection of claims

* Security Token Service (STS): A  web service that issues security tokens, making assertions based on evidence that it trusts, to whoever trusts it.  To communicate trust, a service requires proof, such as a signature to prove knowledge of a security token or set of security tokens.  A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement.  This forms the basis of trust brokering.

* Trust: The characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions about a set of subjects and/or scopes.

* Signed Security Token: cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).

* Proof-of-Possession Token (POP):  A security token that contain secret data that can be used to demonstrate authorized use of an associated security token.  Typically, the POP information is encrypted with a key known only to the recipient of the POP token.

* Digest: A cryptographic checksum of an octet stream.

 

Standard / Protocol	Credentials & Token Exchange	Authenticating Exchange	Key Distribution	Web  Service Trust Model
WS-Trust 1.4	The service support a variety of key types, sizes and algorithms to protect token.  Key exchange is an integral part of the token acquisition. Security token issuance must be signed and time-stamped to prevent tampering. For multiple –message exchange, each leg should include confirmation of the previous leg to confirm that the message is not tampered by a successful man-in-the middle attack. of each leg.	After an exchange  both parties have a shared knowledge of a key that can then be used to secure messages. Option to support cases where the issuer must prove to the requestor that it knows the key and that the returned metadata is valid prior to the requestor using the data.	Both direct key transfer between 2 parties or through a third party are supported.  The proof-of-possession token contains the same key encrypted for the requestor.	1.Verify that the claims in the token are sufficient to comply with the policy and that the message conforms to the policy. 2.Verify that the attributes of the claimant are proven by the signatures. 3.Verify that the issues of the security tokens are trusted to issue the claims they have made.

 

Regards,

Dominique

---------------------------------------------------------------------

To unsubscribe, e-mail: id-cloud-unsubscribe@lists.oasis-open.org

For additional commands, e-mail: id-cloud-help@lists.oasis-open.org

 

---

This message w/attachments (message) is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited.
Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Sender. Subject to applicable law, Sender may intercept, monitor, review and retain e-communications (EC) traveling through its networks/systems and may produce any such EC to regulators, law enforcement, in litigation and as required by law.
The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or free of errors or viruses.

References to "Sender" are references to any subsidiary of Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this EC may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link:
http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you consent to the foregoing.