Re: [security-services] DAON Slide Thoughts

[Rainer Hoerbe <rainer@hoerbe.at>]

Am 03.02.2014 um 23:05 schrieb Hal Lockhart <hal.lockhart@oracle.com>:

> 
>>>> Slide 12, bullet #4 brings up geolocation within an authn request.
>>>> This is something we recently started needing here at Covisint as
>> well.
>>>> Might be worth discussing on a call.
>>> 
>>> At least it is worth getting a clear statement of the usecase. Does
>> this imply we have to treat a smart phone as a trusted device? If not,
>> who is the Authority for this data? How much assurance is required? How
>> fresh does it have to be?
>> 
>> The Trust Elevation TC published V1.0 of their framework that puts
>> things like geolocation into context. Maybe the question could be
>> deferred to them.
>> 
> 
> As it happens I am speaking to them on Thursday about support for step up Authentication in SAML.
> 
> However I see almost nothing on geo location in the Framework.
> https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/52021/trust-el-framework-v1.0-csd01.html
> 
> Even their Survey of methods ... and Analysis of methods ... documents contain only passing mention of geo location in combination with other methods and no discussion of the assurance of geo location data at all.
> 
> https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/48317/AnalysisMethods-v1%200-wd01%20v0.5.docx
> https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/46987/trust-el-survey-v1.0-wd01.doc
> 
> Did you have some other document in mind?

No, I was referring to this document. First it provides a framework that considers geolocation as a trust elevation technique in the threat analysis. Second it shows that the TC has this on the agenda, so we might want to avoid duplication of work. But I did not want to stall the discussion in the SSTC.

Rainer