OASIS Mailing List Archives

trust-el message



Subject: Re: [trust-el] Questions for Trust Elevation draft reviewers


Interesting questions, Andrew.  
Since people think about these things using different mental models, it's hard to answer them. Regarding the models, I would suggest that we find out whether we can normalize incoming ones with the generic one at the beginning of the section. That will tell us a lot.
Regarding an example policy for use cases, I wonder if we really need one in this document.  I think the information is sufficiently clear that a use case will only cause confusion, and anyone who might need one in order to grok the concept is beyond help and would only confuse the specific with the generalized.
Regarding the final question, I'm not at all sure it's relevant.  Perhaps you can provide me with some of your thinking here.

Peter

------------------------------------------------------------
Peter Alterman, Ph.D.
Chief Operating Officer
SAFE-BioPharma Association
cell: 301-943-7452



On Thu, Aug 6, 2015 at 5:14 PM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
For those of you reviewing the Trust Elevation draft, here are some questions that might help generate comments. The questions assume that you have a reference protocol that you are comparing Trust Elevation to.

  • Section 4.2 diagram - what would this diagram look like when represented in the protocol that you are comparing to?
  • Does your protocol have the ability to retry authentication if the current authentication level is not sufficient?
    • 1: does the protocol need to be extended in order to be able to express it at all?
    • 2: do normal implementations have an ‘orchestration’ facility that can go back for more information, attributes or authentication events?
  • Can you write an example policy for the use cases that handle the Step Up or Missing Attributes situations?
  • How does your protocol handle composite subjects (meaning Person, Device and Software Client)?



