OASIS Mailing List Archives
trust-el message



Subject: RE: Comment on 30 day Public Review: 'Authentication Step-Up Protocol and Metadata Version 1.0'


Thanks Colin

Editors please let us review

 

regards

 

From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Colin Wallis
Sent: Monday, January 11, 2016 11:46 PM
To: trust-el@lists.oasis-open.org
Subject: [trust-el] FW: Comment on 30 day Public Review: 'Authentication Step-Up Protocol and Metadata Version 1.0'

 

Folks

 

I am forwarding some feedback from a colleague.

Seems that he’s picked up some inconsistencies that have crept in along the way.

Our Editor is already aware. :-)

 

Cheers

Colin

PS: I have attached the Sequence diagram referred to below in case it does not render correctly in-line in the email (thanks Andrew!).

 

…………………………………………………………………

Hi Colin

 

As discussed briefly.

 

I have reviewed the Committee Specification Draft 01 / Public Review Draft 01 dated 12 November 2015, and found the Page 23 “6.1.3.2 Transaction 1 Sequence” is inconsistent with the models or patterns previously described and also the 6.1.1 Description on page 20.  In the Sequence the data flow is  “Subject” <-> “Resource” <-> “Authorization Services”

 

There are a number of earlier diagrams named as models or patterns in the standard where the data flow is “Subject” <-> “Authorization Services” <-> “Resource”;

·         Page 11 Attribute Based Control Model

·         Page 12 Trust Elevation Architecture as ABAC Pattern

·         Page 16 Trust Elevation Architecture

 

Then we have on page 20 the description of the Use Case for Online Banking Transactions:

……………………………………………………..

6.1 Use Case: Online banking transactions

6.1.1 Description

A bank customer (Subject) initially logs on to the bank site (through a browser or mobile app) to view their

account balance. Then, they decide to perform a higher risk transaction that requires a higher level of

authentication: a funds transfer of $X.

6.1.2 Pre-conditions

· Subject has an existing relationship with the bank (i.e., is an account holder)

· Subject has previously registered their authentication methods (e.g., password, device, biometric)

· There are three Authentication Levels defined by the bank (the Relying Party)

………………………………………………………….

 

My feedback is that the sequence ought to be “Subject” <-> “Authorization Services” <-> “Resource”; as per the 6.1.1 description; “A bank customer (Subject) initially logs on to the bank site (through a browser or mobile app)”.  Instead we have a Subject [Initial State LoA Not-Logged-In] immediately requesting to “CheckAccountBalance (T1)”. This is inconsistent with all the foregoing models and patterns and the description.  Until the Subject has accessed the site they do not have an option to check account balance.

 

Note I have checked with the Bank of America site (for example) and, just like my NZ ASB bank, you must first log on to the application from your mobile or directly at the bank’s site to get an option to check balance.

So as written, this sequence is inconsistent with the real life use cases and this specification itself, prior to the appearance of this sequence.

 

[Attached image: Sequence diagram (image001.png), not rendered in the archive]

 

 

Regards

 

Jim

 

 

Jim Clendon | Senior Enterprise Architecture Modeler | Service and System Transformation | System Transformation | Government Enterprise Architecture
The Department of Internal Affairs Te Tari Taiwhenua   
Direct Dial: +64 4 8164078| Extn: 6078 | Mobile: +64 27 452 7463 
46 Waring Taylor Street | PO Box 805, Wellington 6140, New Zealand |
 www.dia.govt.nz 

 

This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna
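The following is an added illustration and is not part of the thread above or of the OASIS specification it discusses. It models the mediated flow Jim argues for (Subject <-> Authorization Services <-> Resource) against the online-banking use case in 6.1: the Subject starts in the Not-Logged-In state, every transaction request passes through the Authorization Service, and the Resource never accepts a request that has not been authorized. The three Authentication Levels, the per-transaction policy, the subject name "alice" and all credentials are assumed, constructed values, not anything taken from the specification.

```python
"""Added example: a small model of the Subject <-> Authorization Services
<-> Resource flow for the online-banking step-up use case.  Every name,
level, policy and credential below is an assumed/constructed value."""
import hmac
from dataclasses import dataclass
from enum import IntEnum


class LoA(IntEnum):
    """Assumed Authentication Levels; NOT_LOGGED_IN is the initial state."""
    NOT_LOGGED_IN = 0
    LEVEL_1 = 1
    LEVEL_2 = 2
    LEVEL_3 = 3


# Assumed resource policy: minimum LoA the Relying Party demands per transaction.
POLICY = {"CheckAccountBalance": LoA.LEVEL_1, "FundsTransfer": LoA.LEVEL_3}

# Constructed sample data: the subject's previously registered authentication
# methods, as method -> (expected credential, LoA reached when it succeeds).
REGISTERED = {
    "alice": {
        "password": ("correct horse battery staple", LoA.LEVEL_1),
        "device_otp": ("492817", LoA.LEVEL_2),
        "biometric": ("fp-template-7", LoA.LEVEL_3),
    }
}


@dataclass
class Session:
    subject: str
    loa: LoA = LoA.NOT_LOGGED_IN


@dataclass
class Decision:
    transaction: str
    current: LoA
    required: LoA
    permitted: bool

    @property
    def step_up_needed(self) -> bool:
        return not self.permitted


class Resource:
    """The bank application.  It only executes transactions that carry a
    permitted Decision from the Authorization Service; a Subject that tries
    to reach it directly (no authorized decision) is refused."""

    def __init__(self):
        self.served = []

    def execute(self, decision: Decision) -> None:
        if not decision.permitted:
            raise PermissionError(f"{decision.transaction} not authorized")
        self.served.append(decision.transaction)


class AuthorizationService:
    """Sits between Subject and Resource: authenticates the Subject, tracks
    its current LoA and forwards a transaction only when the LoA suffices."""

    def __init__(self, policy, registered, resource):
        self.policy, self.registered, self.resource = policy, registered, resource

    def authenticate(self, session: Session, method: str, credential: str) -> LoA:
        expected, level = self.registered[session.subject][method]
        if not hmac.compare_digest(expected, credential):
            return session.loa                 # failed step-up leaves the LoA unchanged
        session.loa = max(session.loa, level)  # trust elevation never lowers the LoA
        return session.loa

    def request(self, session: Session, transaction: str) -> Decision:
        required = self.policy[transaction]
        decision = Decision(transaction, session.loa, required, session.loa >= required)
        if decision.permitted:
            self.resource.execute(decision)    # only authorized requests reach the Resource
        return decision


def run_use_case():
    """Walk the 6.1 sequence in the mediated order; returns the decision trail
    and the list of transactions the Resource actually executed."""
    resource = Resource()
    authz = AuthorizationService(POLICY, REGISTERED, resource)
    s = Session("alice")
    trail = []
    # Not logged in: the balance request never reaches the Resource.
    trail.append(authz.request(s, "CheckAccountBalance"))
    # Log on with the password (LoA 1); the balance check is now permitted.
    authz.authenticate(s, "password", "correct horse battery staple")
    trail.append(authz.request(s, "CheckAccountBalance"))
    # Funds transfer at LoA 1: refused, step-up required.
    trail.append(authz.request(s, "FundsTransfer"))
    # A wrong OTP does not elevate; the biometric elevates to LoA 3.
    authz.authenticate(s, "device_otp", "000000")
    authz.authenticate(s, "biometric", "fp-template-7")
    trail.append(authz.request(s, "FundsTransfer"))
    return trail, resource.served
```

Two properties of the model are worth noting: the LoA is updated with `max`, so a successful lower-level authentication after a step-up cannot silently downgrade the session, and the Resource refuses any Decision that is not marked permitted, which is what enforces the Subject <-> Authorization Services <-> Resource ordering rather than leaving it to diagram convention.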

