I just learned about the Liberty Identity Assurance Framework project. It seems that there are thoughts about the problem that I described earlier, see my remarks about a trust model for identity providers. The framework consists of an XML schema, that (in fact) describes several standard claims about the use of identity information. You might say, my proposed 'authlevel' and 'authmethod' claims. And the framework states that there is the need for a certification method for websites that deliver identity services.
Problem solved. Or is it? As far as I can see Liberty does mention the certification requirements for identity assurance functions, but I feel that this is not exactly what I wanted, IAF looks like a heavy, perhaps even overweight solution. Pity that there is so little expertise in The Netherlands, or I might have known earlier and perhaps reviewed stuff.
Mike Jones mentions a verified age certification service. This too looks like a promising development. But it demonstrates the problem that I described: who is IDology and what kind of assurance do they provide? Please don't see this as an attack on them, but their verification process is based on accessing public verification information, like name and address. But they don't know me, only the information that I provide, like an address. Unless I'm wrong, this is not enough. The idea of providing assurance for just a limited claimset seems ok, though.
Besides, why should I trust such a third party? It would mean that a service provider/relying party registers IDology on their own 'white list'.
I will look into both developments (there's a lot of information) and report my findings.
zondag 29 juni 2008
vrijdag 27 juni 2008
Trust model for Identity Providers
A few weeks ago I blogged about the problem of identifying the trust level of an identity provider. See my blogpost earlier. Since, I've been pondering about this problem and discussing it with a few experts.
In PKI the trust problem is solved. There are root-level CA's, who trust eachother by means of cross certification. And that is a heavily secured environment with underpinning contracts, certification schemes and more. Anyway, it means that a certificate holder of one CA, can trust a certificate holder from another CA, even though they don't know eachother.
We can reuse digital identities from one identity provider (be it an OpenId or an Infocard provider), but these digital identities only replace the proprietary userid/password identities at service providers/relying parties. A service provider cannot know if the identity presented is a real or a fake one. Even a 'managed' Infocard has no meaning, because there is no standard way of identifying the real identity. You can't even prove the trust level of an identity provider, leave alone the identities provided.
A service provider could use a white list of trusted IP's, but there goes the openness. Every SP should do it for himself. You could also use federation, but that means making trust agreements between IP's and SP's. But there goes the openness too.
What if we could verify the trust level of an identity provider that we don't know? In that case the identity provider might also provide the trust level of an identity. Was the digital identity proven by means of a official physical passport, or was it only provided through a web form and is the trust level of the digital identity low?
There should be a third party certifying the trust level of Identity Providers. Here's a scenario:
- A user supplies a digitalid to a service provider.
- The SP identifies the IP.
- If the IP is on a certified 'white list' of IP's with a certain trust level, then the digitalid 'inherits' the trustlevel of the IP.
And if the digitalid contains a claim by the IP that the digitalid was provided to a user after validation of an official passport, than you might conclude that the digitalid is correct. The authentication level could be considered High.
So:
- There should be a classification scheme with trust levels (trust high or low, or mayby only just high level IP's)
- There must be a public white list referring Identity providers (and mayby also their trust level)
- We need a 'white list' trust level-protocol that can be used to check the trust level of IP's from a white list provider
- The White list owner needs an accreditation scheme to certify IP trust level (and perhaps we also need an accreditation scheme to certify the 'white list' providers if there are more than just the one white list)
- There should be a standard claimtype that states the authentication level used by the IP (also something like low: no auth, medium: just passport number, high passport presented by subject and a copy archived by the IP).
- There might be a standard claimtype that states the authentication method of the digitalid (also a code like low: userid/password, medium: two factor, high: biometrics)
result:
digitalid by IP1 claims: authclass high, authmethod medium
Check trust level of IP1 (using the trust level protocol)
If the trust level of IP1 is high (it can be found using the trust level protocol), then the IP can be trusted and the digitalid provided by IP1 is valid and can be give the authorisation that belongs to the owner of digitalid.
If the trust level of IP1 is low, of unproven, then the digitalid cannot be trusted, the digitalid should be treated like any userid/password combination.
Perhaps this will mean that a trusted IP can provide several types of trusted digitalids with authlevel low-med-high and authmethod low-med-high at different costs. There must be a business model for this.
Well, I will just keep on dreaming :)
This might be a solution, but I fear that it may take some time and it will cost a lot of money. And perhaps this has already been taken care of. Please let me know.
In PKI the trust problem is solved. There are root-level CA's, who trust eachother by means of cross certification. And that is a heavily secured environment with underpinning contracts, certification schemes and more. Anyway, it means that a certificate holder of one CA, can trust a certificate holder from another CA, even though they don't know eachother.
We can reuse digital identities from one identity provider (be it an OpenId or an Infocard provider), but these digital identities only replace the proprietary userid/password identities at service providers/relying parties. A service provider cannot know if the identity presented is a real or a fake one. Even a 'managed' Infocard has no meaning, because there is no standard way of identifying the real identity. You can't even prove the trust level of an identity provider, leave alone the identities provided.
A service provider could use a white list of trusted IP's, but there goes the openness. Every SP should do it for himself. You could also use federation, but that means making trust agreements between IP's and SP's. But there goes the openness too.
What if we could verify the trust level of an identity provider that we don't know? In that case the identity provider might also provide the trust level of an identity. Was the digital identity proven by means of a official physical passport, or was it only provided through a web form and is the trust level of the digital identity low?
There should be a third party certifying the trust level of Identity Providers. Here's a scenario:
- A user supplies a digitalid to a service provider.
- The SP identifies the IP.
- If the IP is on a certified 'white list' of IP's with a certain trust level, then the digitalid 'inherits' the trustlevel of the IP.
And if the digitalid contains a claim by the IP that the digitalid was provided to a user after validation of an official passport, than you might conclude that the digitalid is correct. The authentication level could be considered High.
So:
- There should be a classification scheme with trust levels (trust high or low, or mayby only just high level IP's)
- There must be a public white list referring Identity providers (and mayby also their trust level)
- We need a 'white list' trust level-protocol that can be used to check the trust level of IP's from a white list provider
- The White list owner needs an accreditation scheme to certify IP trust level (and perhaps we also need an accreditation scheme to certify the 'white list' providers if there are more than just the one white list)
- There should be a standard claimtype that states the authentication level used by the IP (also something like low: no auth, medium: just passport number, high passport presented by subject and a copy archived by the IP).
- There might be a standard claimtype that states the authentication method of the digitalid (also a code like low: userid/password, medium: two factor, high: biometrics)
result:
digitalid by IP1 claims: authclass high, authmethod medium
Check trust level of IP1 (using the trust level protocol)
If the trust level of IP1 is high (it can be found using the trust level protocol), then the IP can be trusted and the digitalid provided by IP1 is valid and can be give the authorisation that belongs to the owner of digitalid.
If the trust level of IP1 is low, of unproven, then the digitalid cannot be trusted, the digitalid should be treated like any userid/password combination.
Perhaps this will mean that a trusted IP can provide several types of trusted digitalids with authlevel low-med-high and authmethod low-med-high at different costs. There must be a business model for this.
Well, I will just keep on dreaming :)
This might be a solution, but I fear that it may take some time and it will cost a lot of money. And perhaps this has already been taken care of. Please let me know.
maandag 2 juni 2008
Trusting cards
A lot of fuss about a claimed hack of Microsoft Cardspace by some German researchers. Microsoft acted quickly and they should, trust is vital. Users have to trust security measures before they use them. And they should understand why and how these measures work.
Glad that the matter of the hack is solved. But there is still the problem of users who are not aware of the why and how.
Glad that the matter of the hack is solved. But there is still the problem of users who are not aware of the why and how.