Subject: RE: [trust-el] Updated sample analysis
Thanks Mary

I have a couple of comments FWIW...

I don’t know to what extent the existing example (end point Identity) referenced the threat/control matrix in Section 10 of the DIS of ITU X.1254/ISO 29115 Entity Authentication Assurance Framework, but I did a quick cross check and found the following threat/control items missing in the sample analysis:

Theft
Phishing
Credential Duplication
Session Hijacking

Now it could be that these are not relevant for end point identity (Hmmm...). But regardless it might make sense to include them in this matrix, to help fill out other methods, as well as offering some consistency across the standards space.

I am also wondering now if the question "which party is performing the method?" is sufficient, as I foresee that there may be several actors involved, perhaps one of which is the principal actor/initiating actor... Thoughts anyone?

Lastly, I like the attempt at trying to chart how the trust elevation method lifts the NIST LoA. But I think the NIST Authentication LoA (800-63-1) table is more relevant for readers of this work than the OMB Risk/Assurance table (which is more relevant when you are determining what LoA to pitch your service at, which then gives an indicator as to what NIST Authentication LoA you need to require, for users to access your resources/service).

Cheers
Colin

From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Mary Ruddy

Attached is an updated sample analysis for the end point identity method. Please review and provide additional comments and inputs about where more detail is needed.

Please also pick another method, let the list know which one you picked and make a pass on completing it. This should help us identify additional areas where detail is needed.

So far the following assignments have been made:

1.3.1 What you have End Point Identity - Existing sample
1.3.4 What you have OTP - Abbie
1.5.1 Context Geo location - Shaheen

Feel free to contact me with questions,
Mary