Subject: Re: [trust-el] Use-case for Trust Elevation TC


Dear all,

Here is a skeleton of a use case I demoed at the European Identity Conference last May 2011.

The challenge: user / customer conversion

The story: a business, typically a bank with an online app, wants to convert visitors to their websites to actual customers. Depending on the authentication level of the users, they can see more or less information. A user not logged in at all would see publicly available information. A user would have the choice to authenticate using a publicly available IdP such as Google via common standards such as in this case OpenID. The fact they are logged in gives them a better experience and grants them access to more content.
In a final step, a user could request to become a customer to create an account with the said business. Since they are already authenticated, some information could already be filled in.

How we did it:
I implemented the scenario with a colleague from Ping Identity. We used Ping Federate and the Axiomatics XACML Policy Server to achieve context-based access control (depending on the source of the authentication).

In the demo, the way attributes were collected and converted was via code we wrote - there is currently no standard there. There is no standard in XACML on how to take into account trust elevation (or augmented credentials).

Also, Google (for instance) doesn't release a lot of information because it doesn't trust the requestor (in this case the decision point or 'PDP'). The PDP would need to strengthen its trust relationship with the IdP in order to retrieve more attributes.

I hope this use case helps.

David.

On Wed, Nov 9, 2011 at 2:15 PM, Mary Ruddy <mary@meristic.com> wrote:
Hi Tom,

Thanks for submitting this.  It adds an important dimension to the
discussion.

I encourage all members to submit a (draft) use case for the Face-to-face
meeting on Thursday.

-Mary

-----Original Message-----
From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org]
On Behalf Of Thomas Hardjono
Sent: Wednesday, November 09, 2011 12:43 PM
To: trust-el@lists.oasis-open.org
Subject: [trust-el] Use-case for Trust Elevation TC


Hi Abbie,

The following is a summary of the use-case I would like to introduce to
the TC.  Hopefully it is of interest to the TC.

/thomas/

-----------------------
Summary: Trust Elevation Based on Integrity Measurements

A user on a client computer seeks to gain access to resources located at
Cloud Provider (eg. SaaS, PaaS).  In addition to being authenticated by
an Identity Provider (IdP), the client computer needs to be
integrity-evaluated by a trusted Integrity Measurement Service
(IMS). The IMS is assumed to be a participant under the same Trust
Framework.

As part of the trust level evaluation by the IdP, the IdP re-directs the
client to the IMS service.  The client and the IMS service then execute
the integrity measurement protocol (single round or multi-round),
resulting in the IMS service establishing (assigning) a "trust score"
for the client platform (hardware and software). The IMS service then
returns the trust score to the IdP (eg. via back channel), in the form
of a signed assertion.

The IdP then includes the client's trust score when the IdP computes the
trust level (eg. LOA) assigned to the user on the client computer.

This approach allows the consumer of the LOA assertions/claims (eg. a
service provider) to obtain a better picture about the human user (eg.
her/his identity) as well as the different client platforms that she/he
is connecting from (eg. PC computer, iPad, mobile phone, etc).


-------------------------



__________________________________________
Thomas Hardjono
MIT Kerberos Consortium
email:  hardjono[at]mit.edu
mobile: +1 781-729-9559
desk:   +1 617-715-2451
__________________________________________







--
David Brossard, M.Eng, SCEA, CSTP
VP Product Marketing & Customer Relations
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
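The IMS/IdP exchange in Thomas's use case above, as an added illustration that is not code from the TC or from any of the posters: the IMS scores a client's reported measurements against constructed known-good values, returns the score as a signed assertion (an HMAC over a shared secret stands in for a real signature), and the IdP verifies it before folding the score into the LOA. The component names, score thresholds and LOA cap are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret: stands in for the IMS signing key the IdP would trust.
IMS_KEY = b"constructed-ims-demo-key"

# Constructed known-good measurements; a real IMS would hold reference hashes.
KNOWN_GOOD = {"bootloader": "a1", "kernel": "b2", "av_agent": "c3"}


def ims_score_platform(measurements: dict) -> int:
    """IMS side: fraction of reported components matching known-good values, as 0-100."""
    matched = sum(1 for k, v in KNOWN_GOOD.items() if measurements.get(k) == v)
    return round(100 * matched / len(KNOWN_GOOD))


def ims_sign_assertion(client_id: str, score: int) -> dict:
    """IMS side: wrap the trust score in a signed assertion for the IdP back channel."""
    payload = {"issuer": "ims.example", "subject": client_id, "trust_score": score}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(IMS_KEY, body, hashlib.sha256).hexdigest()}


def idp_verify_assertion(assertion: dict) -> bool:
    """IdP side: recompute the MAC over the canonical payload and compare in constant time."""
    body = json.dumps(assertion["payload"], sort_keys=True).encode()
    expected = hmac.new(IMS_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def idp_compute_loa(auth_loa: int, assertion: dict) -> int:
    """IdP side: the platform trust score caps the LOA earned by user authentication.

    Thresholds (assumed): 100 -> cap 4, >=66 -> cap 3, >=33 -> cap 2, else cap 1.
    An assertion that fails verification is treated as no platform evidence at all.
    """
    if not idp_verify_assertion(assertion):
        return 1
    score = assertion["payload"]["trust_score"]
    if score >= 100:
        cap = 4
    elif score >= 66:
        cap = 3
    elif score >= 33:
        cap = 2
    else:
        cap = 1
    return min(auth_loa, cap)
```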


