OASIS Mailing List Archives

trust-el message

Subject: Re: [trust-el] IETF non-working group email list: Vectors of Trust


Susan-
Yes, thanks for this. One of the outcomes of this effort may well be to develop a framework (or similar) to enable RPs to calculate some relevant calculation of assurance based upon their particular business needs, and this will presumably vary from RP to RP as they give different weighting to different factors, using their own algorithms. And as with anything else, RPs would be free to use or ignore this as they choose and as they find appropriate for their situations.

It has also come up in several recent conversations that more are becoming aware that identity attributes go beyond those that are stored in directories etc., to include contextual and transitory attributes that are being used in e.g. KBA and similar, including things like geolocation, cookies found (or not), IP address seen before (or not), actions immediately preceding a request, etc.

I should have also pointed out that NIST is engaged in this discussion, and FYI this may be of interest to the group:
http://secureidnews.com/news-item/nist-may-revise-four-levels-of-assurance/

This effort is an attempt to knit together the various work underway, although making no claim to being the best or definitive. I encourage anyone interested to subscribe to the mailing list and join the conversation.
	Steve

--
Steve Olshansky
Trust & Identity Program Lead
Internet Society
www.internetsociety.org

On Oct 29, 2014, at 9:50 AM, Schreiner, Susan F. <sschreiner@mitre.org> wrote:

> All –
>  
> I’m just getting up to speed on the VOT thread, but a couple of thoughts & questions. I know work is in process on various pieces of what I’m listing below, but it strikes me that many of us are working (separately) on the same problems: 1) Defining identity attribute bundles which may be used in either/both identity resolution or identity assurance; 2) Defining algorithms to calculate identity assurance based upon those identity attributes.
>  
> - Given that identity attributes are the basis of calculating either a VOT or a LOA, is it worthwhile to start at that very basic level, i.e. work toward defining an agreed upon set of identity attributes that may be used to calculate identity assurance? We’ve seen this starting with what NASPO IDPV bundles of attributes and associated identity resolution.
>   - Focus on defining an identity attribute catalog that will have some level of acceptance across (fill in the blank) various different groups -
>   - Focus on developing algorithms to use those very basic elements (identity attributes) which a user can voluntarily provide to an IdP to calculate more fine-grained levels of assurance than those currently in use (while still mapping to those as well)
> - While many groups are working on the items above, the work doesn’t seem to gain enough traction and another group goes off and starts it again. This may be starting to change, but it seems like a very good expenditure of everyone’s effort would be to step back and focus on some foundational, building block elements, e.g. identity attribute catalogs, gain some level of consensus, and then build upon that. I realize given various international and non-governmental players involved there will be different flavors of identity attribute bundles required for different levels of identity assurance.
>  
> Anyway – food for thought. 
>  
> Susan
>  
>  
> From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Barbir, Abbie
> Sent: Tuesday, October 28, 2014 4:04 PM
> To: Peter Alterman; Steve Olshansky
> Cc: trust-el@lists.oasis-open.org
> Subject: Re: [trust-el] IETF non-working group email list: Vectors of Trust
>  
> thanks
>  
> Abbie Barbir, PhD
> VP Senior Architect, Global Information Security
> +1 613 291 3253
> Bank of America
>  
> From: Peter Alterman <palterman@safe-biopharma.org>
> Date: Tuesday, October 28, 2014 at 3:50 PM
> To: Steve Olshansky <olshansky@isoc.org>
> Cc: Abbie Barbir <abbie.barbir@bankofamerica.com>, "trust-el@lists.oasis-open.org" <trust-el@lists.oasis-open.org>
> Subject: Re: [trust-el] IETF non-working group email list: Vectors of Trust
>  
> happy to discuss
> 
> ------------------------------------------------------------
> Peter Alterman, Ph.D.
> Chief Operating Officer
> SAFE-BioPharma Association
> cell: 301-943-7452
> 
>  
> On Tue, Oct 28, 2014 at 3:35 PM, Steve Olshansky <olshansky@isoc.org> wrote:
> Unfortunately I am at a conference and unable to attend the Thursday call, as well as the one after that which overlaps with IETF. Obviously feel free to discuss in my absence, and I will join in on a call when I can.
> 
> PeterA is on the list and may have something to say on this, and I would encourage you all to review the list archive to catch up on the discussion to date:
> http://www.ietf.org/mail-archive/web/vot/
> 
> Cheers-
>         Steve
> 
> --
> Steve Olshansky
> Trust & Identity Program Lead
> Internet Society
> www.internetsociety.org
> 
> On Oct 28, 2014, at 3:01 PM, Barbir, Abbie <abbie.barbir@bankofamerica.com> wrote:
> 
> > Steve
> > Great input
> > Can we discuss it Thursday?
> > regards
> > ________________________________________
> >
> >
> > Abbie Barbir, PhD
> > VP Senior Architect, Global Information Security
> > +1 613 291 3253
> > Bank of America
> >
> > On 10/28/14, 2:51 PM, "Steve Olshansky" <olshansky@isoc.org> wrote:
> >
> >> I know some of you are aware of this, but I don't recall seeing this go
> >> out to this list. I am passing this along in the interest of recruiting
> >> interested participants and expanding the conversation.
> >>
> >> Subscription info is below.
> >>      Steve
> >>
> >> --
> >> Steve Olshansky
> >> Trust & Identity Program Lead
> >> Internet Society
> >> www.internetsociety.org
> >>
> >> Begin forwarded message:
> >>
> >>> From: IETF Secretariat <ietf-secretariat@ietf.org>
> >>> Subject: New Non-WG Mailing List: vot -- Vectors of Trust discussion list
> >>> Date: September 11, 2014 at 3:29:02 PM MDT
> >>> To: IETF Announcement List <ietf-announce@ietf.org>
> >>> Cc: <leifj@sunet.se>, <olshansky@isoc.org>, <vot@ietf.org>
> >>> Reply-To: <ietf@ietf.org>
> >>>
> >>> A new IETF non-working group email list has been created.
> >>>
> >>> List address: vot@ietf.org
> >>> Archive: http://www.ietf.org/mail-archive/web/vot/
> >>> To subscribe: https://www.ietf.org/mailman/listinfo/vot
> >>>
> >>> Purpose:
> >>>
> >>> Since the publication of RFC 2527 there have been several attempts to
> >>> standardize technology-independent frameworks for describing the
> >>> concerns that go into a determination of inter-organizational and
> >>> transactional trust.
> >>>
> >>> Notable examples include NIST SP 800-63, The Kantara Identity Assurance
> >>> Framework (historically originating from the Liberty Alliance and
> >>> Electronic Authentication Partnership) and ISO 29115. These documents
> >>> have been profiled and reworked a number of times in the last few years.
> >>>
> >>> The vot@ietf.org list is for discussion of a common set of baseline
> >>> "vectors of trust": common, orthogonal aspects of organization,
> >>> technology and policy that help to determine the level of assurance
> >>> that can be placed in a deployment of digital identity technology.
> >>> Work will draw on deployment experience related to web identity
> >>> technology (eg SAML, OAUTH and OpenID Connect) as well as experience
> >>> with current state of the art in identity assurance.
> >>>
> >>> For additional information, please contact the list administrators.
> >
> > ----------------------------------------------------------------------
> > This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.
> 
>  

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


