OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

trust-el message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [trust-el] Updated sample analysis

Thanks Mary


I have a couple of comments FWIW...


I don’t know to what extent the existing example (end point Identity) referenced the threat/control matrix in Section 10 of the DIS of ITU x.1254/ISO 29115 Entity Authentication Assurance Framework, but I did a quick cross check and found the following threat/control items missing in the sample analysis:




Credential Duplication

Session Highjacking


Now it could be that these are not relevant for end point identity (Hmmm...)..

But regardless it might make sense to include them in this matrix, to help fill out other methods, as well as offering some consistency across the standards space.


I am also wondering now, if the question: which party is performing the method? Is sufficient, as I foresee that there may be several actors involved, perhaps one of which is the principal actor/initiating actor... Thoughts anyone?


Lastly, I like the attempt at trying to chart how the trust elevation method lifts the NIST LoA.

But I think the NIST Authentication LoA (800-63-1) table is more relevant for readers of this work than the OMB Risk/Assurance table  (which is more relevant when you are determining what LoA to pitch your service at, which then gives an indicator as to what NIST Authentication LoA you need to require, for users to access your resources/service).





From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Mary Ruddy
Sent: Saturday, 14 July 2012 2:17 a.m.
To: trust-el@lists.oasis-open.org
Subject: [trust-el] Updated sample analysis


Attached is an updated sample analysis for the end point identity method.  Please review and provide additional comments and inputs about where more detail is needed.


Please also pick another method, let the list know which one you picked and make a pass on completing it.  This should help us identity additional areas where detail is needed.  So far the following assignments have been made:


1.3.1        What you have                   End Point Identity                         - Existing sample             

1.3.4          What you have                 OTP                                                     - Abbie

1.5.1          Context                                Geo location                                   - Shaheen



Feel free to contact me with questions,




CAUTION:  This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]