trust-el message



Subject: Re: [trust-el] Four-eyes principle method


It was implemented at the application level, which is not complicated. But I wonder if it would be easy to provide it as a generalized security service in a federation.

I remember another variant of the 'confirm authorization' use case that is also an edge case, because it can be seen as temporal provisioning or as an elevation of authentication factors by another person:

A doctor has a 2FA credential to access the EHR in a data center. If there is a problem with the smart card he/she will be provisioned with a temporal credential valid for a single session. The support staff in the call center will verify the caller id, will know the voice (it is a small business) and might do some KBA. Then a temporal credential - a one time password - is sent to the doctor's mobile phone.

- Rainer

On 29.01.2012 at 23:13, Colin Wallis <Colin.Wallis@dia.govt.nz> wrote:

> So it's fair to say it's an 'edge' case as regards to scope then. 
> 
> And while it may be complicated to implement, it may be that Austria has implemented it, and therefore proven it at least to that extent. 
> 
> Can you confirm either way Rainer?
> 
> IMHO 'edge cases' are fine if they add value, and don't create confusion about the overall intent of the TC's work.
> 
> As Abbie said on last week's call, the upcoming F2F offers an opportunity to put some finer grained detail around the stated scope, which will help with discussing interesting contributions like this.
> 
> Cheers
> Colin   
> 
> -----Original Message-----
> From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Massimiliano Masi
> Sent: Thursday, 26 January 2012 10:25 p.m.
> To: Colin Wallis
> Cc: trust-el@lists.oasis-open.org
> Subject: Re: [trust-el] Four-eyes principle method
> 
> My opinion is that the workflow looks reasonable (elevating trust because two other users with different
> roles and LoAs are vouching for you is a common and good idea). 
> 
> On the other hand, letting app A maintain a state for T1 looks complicated to implement
> correctly, IMHO. 
> 
> Having a sort of stateful app A that keeps track of two authorizations that can happen at different
> times requires a carefully designed and implemented app, which can be quite complicated without
> detailed implementation details.  
> 
> 
> 
> On 26 Jan 2012, at 05:01, Colin Wallis wrote:
> 
>> My feeling is that, useful as it is in the context of authorization and access control, it's outside of scope (which in the Statement of Purpose is pretty clear as being authentication).
>> 
>> Cheers
>> Colin
>> 
>> 
>> -----Original Message-----
>> From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Mary Ruddy
>> Sent: Thursday, 26 January 2012 11:03 a.m.
>> To: trust-el@lists.oasis-open.org
>> Subject: RE: [trust-el] Four-eyes principle method
>> 
>> Rainer,
>> 
>> Thank you very much for suggesting this method. Having multiple levels of
>> approval is also used for authorizing some financial transactions in the US.
>> In your particular example, everything is at LOA-3, and risk (from fraud and
>> errors) is reduced by increasing trust within that LOA-3.
>> 
>> What do others think about the scope?
>> 
>> -Mary
>> 
>> -----Original Message-----
>> From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org]
>> On Behalf Of Rainer Hoerbe
>> Sent: Wednesday, January 25, 2012 3:22 PM
>> To: trust-el@lists.oasis-open.org
>> Subject: [trust-el] Four-eyes principle method
>> 
>> I am not quite sure if that method is within the survey's scope, but I would
>> like to leave it to the group to discuss this.
>> 
>> Regards,
>> Rainer
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: trust-el-unsubscribe@lists.oasis-open.org
>> For additional commands, e-mail: trust-el-help@lists.oasis-open.org
>> 
>> ====
>> CAUTION:  This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.
>> ====
>> 
> 
> --
> Massimiliano Masi
> 
> Tiani "Spirit" GmbH
> Guglgasse 6
> Gasometer A
> 1110 Vienna
> Austria/Europe
> 

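The state the thread worries about (two vouchers arriving at different times for one elevation request) can be sketched as follows. This is an added example, not code from the thread or from any implementation mentioned in it; the class and field names, the 15-minute window, the role labels and the LoA threshold of 3 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class ElevationError(Exception):
    """Raised when a vouching step violates the four-eyes rules."""

@dataclass
class ElevationRequest:          # hypothetical name, not from the thread
    subject: str                 # user asking for elevated trust
    opened_at: float             # creation time (seconds)
    ttl: float = 900.0           # assumed window in which both vouchers must act
    min_loa: int = 3             # assumed minimum LoA of each voucher
    approvals: dict = field(default_factory=dict)   # approver -> role
    consumed: bool = False

    def vouch(self, approver, role, loa, now):
        if now - self.opened_at > self.ttl:
            raise ElevationError("request expired")
        if approver == self.subject:
            raise ElevationError("subject cannot vouch for itself")
        if loa < self.min_loa:
            raise ElevationError("voucher LoA too low")
        if approver in self.approvals:
            raise ElevationError("approver already vouched")
        if role in self.approvals.values():
            raise ElevationError("second voucher must hold a different role")
        self.approvals[approver] = role

    def redeem(self, now):
        """Grant the elevation once, only with two valid vouchers in time."""
        if self.consumed:
            raise ElevationError("already redeemed")
        if now - self.opened_at > self.ttl:
            raise ElevationError("request expired")
        if len(self.approvals) < 2:
            return False         # still waiting for the second pair of eyes
        self.consumed = True
        return True

def demo():
    # Constructed sample sequence: one valid voucher, four rejected ones, then a second valid one.
    req = ElevationRequest(subject="dr.alice", opened_at=0.0)
    req.vouch("bob", "supervisor", 3, now=10.0)
    first = req.redeem(now=11.0)
    rejected = []
    for args in [("bob", "auditor", 3), ("carol", "supervisor", 3),
                 ("dr.alice", "auditor", 3), ("dave", "auditor", 2)]:
        try:
            req.vouch(*args, now=20.0)
        except ElevationError as exc:
            rejected.append(str(exc))
    req.vouch("erin", "auditor", 3, now=300.0)
    return first, rejected, req.redeem(now=301.0)
```
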
