[WG-OTTO] Draft OTTO Minutes 8/12/15

Rainer Hoerbe rainer at hoerbe.at
Tue Aug 18 07:15:55 CDT 2015


> On 18.08.2015 at 13:53, Janusz Ulanowski <janusz.ulanowski at heanet.ie> wrote:
> 
> Hi,
> just my little quick comment related to the last call.
> I guess that a Merkle hash tree was meant by blockchain data structure? I think this is a great idea!
Yes, that is the preferred implementation of an append-only data structure. Block chains like Bitcoin's provide anonymous log proofs without a central instance, which is not required for these use cases.

> I haven't had a chance to find out what would be the cost of signing the whole metadata - which could happen quite often (metadata for a single entity is modified).
The public log proof does not alleviate the need to have metadata signed by a trustworthy 3rd party. But it can happen in a more distributed and transparent manner.

> I presume that every entity will be treated as a single piece of data, which then will be hashed.
> So this looks like a flat structure, where all data pieces are leaves in that tree - what about other potential information?
If there are confidential (or at least "non-public") data elements, then their digests may be published instead. The clear data would be released only between the parties that want to transact. However, that would limit the transparency significantly, because data can only be checked by parties having received the clear data. Therefore there is a need to strike a balance between confidentiality and public proof.

- Rainer Hörbe

> With this scenario, parties checking entities' metadata can easily validate them.
> If we have a Registration Authority which allows registering entities for multi-federation purposes and they use a single repository, then
> what about trust verification - this still doesn't tell us if there is trust between two parties? Should a specific query be allowed to verify the trust?
> 
> 
> Janusz Ulanowski
> Edugate: http://www.edugate.ie
> HEAnet Limited, Ireland's Education and Research Network
> 1st Floor, 5 George's Dock, IFSC, Dublin 1
> D01 X8N7
> 
> Registered in Ireland, no 275301
> tel: +353-1-660 9040 fax: +353-1-660 3666
> web: http://www.heanet.ie/
> 
> On 12/08/15 18:01, Mike Schwartz wrote:
>> 
>> Draft Meeting minutes are available on Github:
>> https://github.com/KantaraInitiative/wg-otto/blob/master/minutes/015-otto_minutes-8-12-2015.md
>> 
>> 
>> Please make any changes or additions directly there. As this was the
>> first meeting where quorum was achieved, we can approve at next week's
>> meeting.
>> 
>> --------------------------------------------------------------------
>> 
>> OTTO WG Minutes 8/12/15
>> STATUS: Draft
>> 
>> ## Voting Members Attending:
>> - Mike Schwartz
>> - Judith Bush
>> - Keith Hazelton
>> - Janusz Ulanowski
>> 
>> ## Non-voting members
>> - Rainer Hoerbe
>> 
>> 
>> ## Topics discussed
>> 
>> NOMINATIONS / VOTING
>> We will open nominations for roles the week of 9/2 - 9/8, hold voting
>> the week of 9/9-9/15.
>> Roles will be two co-chairs and specification editor.
>> 
>> DISCUSSION of RFC 6962 - Certificate Transparency
>> https://tools.ietf.org/html/rfc6962
>> This RFC enables PKI CAs to publish their root certificates into a
>> public ledger, so a certificate holder can verify the integrity of the
>> root certificate. The technology could be applied to non-certificate data.
>> 
>> Judith thinks that the ability to query the metadata is important. Would
>> we lose the ability to query the metadata, so organizations wouldn't have
>> to download the whole metadata? Rainer mentioned that the key-value data
>> structure is OK for obtaining an individual entity's metadata, but not for
>> SQL-like queries, like "give me all the entities with a certain attribute."
>> 
>> George is wondering about the complexity: is it necessary for the concern
>> of signed metadata? It's cool and more secure, but does it outweigh the cost?
>> 
>> Rainer says it's appropriate for high-assurance identity management, and
>> not so for low-assurance trust frameworks. Rainer is working on a
>> small-scale implementation for the Austrian government. Also, how distributed?
>> 
>> Mike posed the question: Is it the goal of OTTO for very centralized
>> management? If so, it might not be worth the trouble.
>> 
>> Not being a crypto-mathematician, Mike asked if RFC 6962 has been
>> validated. Google has code available in several languages:
>> https://github.com/google/certificate-transparency
>> Rainer also mentioned that there is an open source Erlang implementation
>> available. In the IETF, for an RFC to advance to Internet Standard there
>> have to be two separate implementations and widespread use. But
>> indications are that it looks good.
>> 
>> Example of InCommon Federation Metadata aggregate:
>>  https://spaces.internet2.edu/display/InCFederation/Metadata+Aggregates
>> 
>> Example of CACert Root Cert Publication:
>>    http://www.cacert.org/index.php?id=3
>> 
>> There was a discussion of trustmarks: a mechanism to enable the federation
>> to issue a signed JSON token that would indicate membership in a federation.
>> Mike was concerned that by addressing trust marks, it would just delay the
>> delivery of the solution for entity metadata publication and discovery.
>> 
>> 
>> -------------------------------------------------------------------------------------
>> 
>> 
>> Next week's Meeting Details - same time / same place!
>> 
>> -------------------------------------------------------------------------------------
>> 
>> 
>> Screen Sharing: https://global.gotomeeting.com/join/162399285
>> 
>> Audio: Skype: +99051000000481
>> North America Toll: +1 (805) 309-2350
>> Alternate Toll: +1 (714) 551-9842
>> International Toll: http://www.turbobridge.com/international.html
>> 
>> Conference ID: 613-2898
>> 
>> Command Menu: 0 Plays menu of Keypad Commands; *3 Promote to Host (if
>> non-host); *5 Raise your hand; *6 Mute yourself (toggle on/off); *# Private
>> roll call of participants; *\ Mute music-on-hold (toggle on/off)
>> 
>> TurboPhone (beta): https://www.turbobridge.com/join.html (works with
>> Internet Explorer on Windows only)
>> 
>> SIP Access (using IP phone or soft phone) sip:bridge at turbobridge.com
>> SIP URL details: https://www.turbobridge.com/help/Index.html?context=180
>> 
>> _______________________________________________
>> WG-OTTO mailing list
>> WG-OTTO at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-otto
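Rainer's two points above, a Merkle hash tree as the append-only log over per-entity metadata and salted digests published in place of non-public elements, as an added example that is not code from the OTTO thread or from the Certificate Transparency project: it uses the RFC 6962 leaf and node hash prefixes over a constructed three-entity sample, and the entity names, the salt and the hypothetical `contact` element are assumptions.

```python
# Added example (not from the OTTO thread): RFC 6962-style Merkle tree over per-entity metadata.
import hashlib
import json

def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()  # RFC 6962 leaf prefix

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # interior-node prefix

def encode_entity(entity: dict, confidential: set, salts: dict) -> bytes:
    """Canonical JSON of one entity; confidential values become salted digests."""
    public = {k: (hashlib.sha256(salts[k] + v.encode()).hexdigest()
                  if k in confidential else v) for k, v in entity.items()}
    return json.dumps(public, sort_keys=True, separators=(",", ":")).encode()

def _split(n: int) -> int:
    k = 1  # largest power of two strictly less than n (RFC 6962 section 2.1)
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path as (sibling_hash, side) pairs from the leaf level upward."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), "R")]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), "L")]

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root

# Constructed sample: three entities whose contact address is non-public.
ENTITIES = [{"entityID": "https://idp.example.org", "contact": "ops@example.org"},
            {"entityID": "https://sp.example.net", "contact": "admin@example.net"},
            {"entityID": "https://sp.example.edu", "contact": "it@example.edu"}]
SALTS = {"contact": b"constructed-salt-value"}  # in practice: random per entity
LEAVES = [leaf_hash(encode_entity(e, {"contact"}, SALTS)) for e in ENTITIES]
ROOT = merkle_root(LEAVES)
```

A relying party holding the clear contact value recomputes the salted digest and the leaf, then checks the audit path against the published root; anyone else can still verify that the record is in the log without learning the value.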