

Subject: RE: [trust-el] Use-case for Trust Elevation TC


Hi Tom,

Thanks for submitting this.  It adds an important dimension to the
discussion.

I encourage all members to submit a (draft) use case for the Face-to-face
meeting on Thursday.

-Mary

-----Original Message-----
From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org]
On Behalf Of Thomas Hardjono
Sent: Wednesday, November 09, 2011 12:43 PM
To: trust-el@lists.oasis-open.org
Subject: [trust-el] Use-case for Trust Elevation TC


Hi Abbie,

The following is a summary of the use-case I would like to introduce to 
the TC.  Hopefully it is of interest to the TC.

/thomas/

-----------------------
Summary: Trust Elevation Based on Integrity Measurements

A user on a client computer seeks to gain access to resources located at 
Cloud Provider (eg. SaaS, PaaS).  In addition to being authenticated by 
an Identity Provider (IdP), the client computer needs to be 
integrity-evaluated by a trusted Integrity Measurement Service 
(IMS). The IMS is assumed to be a participant under the same Trust 
Framework.

As part of the trust level evaluation by the IdP, the IdP re-directs the 
client to the IMS service.  The client and the IMS service then execute 
the integrity measurement protocol (single round or multi-round), 
resulting in the IMS service establishing (assigning) a "trust score" 
for the client platform (hardware and software). The IMS service then 
returns the trust score to the IdP (eg. via back channel), in the form 
of a signed assertion.

The IdP then includes the client's trust score when the IdP computes the 
trust level (eg. LOA) assigned to the user on the client computer.

This approach allows the consumer of the LOA assertions/claims (eg. a 
service provider) to obtain a better picture about the human user (eg. 
her/his identity) as well as the different client platforms that she/he 
is connecting from (eg. PC computer, iPad, mobile phone, etc).


-------------------------



__________________________________________
Thomas Hardjono
MIT Kerberos Consortium
email:  hardjono[at]mit.edu
mobile: +1 781-729-9559
desk:   +1 617-715-2451
__________________________________________
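The following is an added, constructed simulation of the flow the use-case describes (IdP redirects the client to the IMS, the IMS measures the platform and returns a signed trust-score assertion over the back channel, the IdP folds the score into the LOA). It is not code from the TC, the OASIS project or the original poster. It assumes an HMAC-SHA256 signature under a key shared between IMS and IdP (the use-case only says "signed assertion"), a toy integrity policy, a constructed LOA-capping rule, and the constructed identifiers `ims.example` / `idp.example`. The checks the IdP performs before trusting the score (signature, issuer/audience, per-session nonce, validity window) are the part a relying party most needs to get right.

```python
"""Constructed end-to-end simulation of trust elevation based on integrity
measurements.  Added example; everything here (key, policy, names) is assumed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumption: IMS and IdP share a symmetric key for signing assertions on the
# back channel.  Constructed demo value only.
IMS_IDP_KEY = b"constructed-demo-key-not-for-production"
IMS_ID = "ims.example"   # constructed issuer identifier
IDP_ID = "idp.example"   # constructed audience identifier
ASSERTION_TTL_SECONDS = 300


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def ims_measure(platform: dict) -> int:
    """Toy integrity policy (constructed): 0..100 from a few measurements."""
    if platform.get("known_bad_module"):
        return 0
    score = 100
    if not platform.get("secure_boot"):
        score -= 40
    if not platform.get("disk_encrypted"):
        score -= 30
    if platform.get("patch_age_days", 0) > 30:
        score -= 20
    return max(score, 0)


def ims_issue_assertion(session_nonce: str, platform: dict, now: float) -> dict:
    """IMS side: measure the platform and return a signed trust-score assertion."""
    payload = {
        "iss": IMS_ID,
        "aud": IDP_ID,
        "nonce": session_nonce,          # binds the assertion to one IdP session
        "iat": now,
        "exp": now + ASSERTION_TTL_SECONDS,
        "trust_score": ims_measure(platform),
    }
    sig = hmac.new(IMS_IDP_KEY, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def idp_verify_assertion(assertion: dict, expected_nonce: str, now: float) -> Optional[int]:
    """IdP side: accept the score only if every binding check passes."""
    payload = assertion.get("payload", {})
    expected_sig = hmac.new(IMS_IDP_KEY, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion.get("sig", "")):
        return None                       # tampered or forged
    if payload.get("iss") != IMS_ID or payload.get("aud") != IDP_ID:
        return None                       # not from our IMS / not meant for us
    if payload.get("nonce") != expected_nonce:
        return None                       # replayed from another session
    if not (payload.get("iat", 0) <= now <= payload.get("exp", 0)):
        return None                       # stale or not yet valid
    score = payload.get("trust_score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        return None
    return score


def idp_compute_loa(auth_loa: int, trust_score: Optional[int]) -> int:
    """Constructed rule: the platform score caps the LOA the credential earned.
    No verifiable score means the lowest level, not the authenticated level."""
    if trust_score is None:
        return 1
    cap = 3 if trust_score >= 80 else 2 if trust_score >= 50 else 1
    return min(auth_loa, cap)


def run_flow(platform: dict, auth_loa: int, now: float,
             tamper: bool = False, replay_nonce: Optional[str] = None) -> Tuple[Optional[int], int]:
    """Whole exchange: IdP issues a nonce, IMS asserts, IdP verifies and rates."""
    nonce = secrets.token_hex(16)         # sent to the IMS with the redirect
    assertion = ims_issue_assertion(nonce, platform, now)
    if tamper:                            # simulate a client altering its score in transit
        assertion["payload"]["trust_score"] = 100
    score = idp_verify_assertion(assertion, replay_nonce or nonce, now)
    return score, idp_compute_loa(auth_loa, score)


if __name__ == "__main__":
    now = time.time()
    laptop = {"secure_boot": True, "disk_encrypted": True, "patch_age_days": 5}
    print("healthy laptop:", run_flow(laptop, 3, now))
    print("tampered score:", run_flow({**laptop, "disk_encrypted": False}, 3, now, tamper=True))
```

The nonce is what ties the IMS assertion to the IdP session that triggered the measurement; without it a valid assertion for a healthy machine could be presented from a different, unmeasured client. The LOA rule treats a missing or unverifiable score as the lowest level rather than falling back to the authentication-only level, so a failed measurement never silently elevates.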



