[WG-UMA] For trust model geeks, part three

Eve Maler eve at xmlgrrl.com
Sun Nov 20 20:36:23 EST 2011

Begin forwarded message:

> From: Domenico Catalano <domenico.catalano at oracle.com>
> Subject: Re: Arise, Trust Model geeks!
> Date: 13 November 2011 8:13:20 AM PST
> To: Eve Maler <eve at xmlgrrl.com>, Kevin Cox <kevin.cox at edentiti.com>, Susan Morrow <susan.morrow at avocosecure.com>, "frankwray at cfl.rr.com Wray" <frankwray at cfl.rr.com>, "Salvatore D'Agostino" <sal at idmachines.com>
> Hi all,
> I've tried to explore some ideas and thoughts for the trust model user guide. 
> Attached a briefly presentation, mainly take a look at the slides 3 and 4.
> what do you think?
> Dom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UMA_TrustModel_Defv01.pdf
Type: application/pdf
Size: 225785 bytes
Desc: not available
Url : http://kantarainitiative.org/pipermail/wg-uma/attachments/20111120/caaf0a83/attachment-0001.pdf 
-------------- next part --------------
> On Nov 7, 2011, at 2:13 AM, Eve Maler wrote:
>> Belatedly… I can see I've found the right passionate people to carry this through. :-) Just a couple of thoughts:
>> #1 We really need your careful review of the existing Trust Model document, to see if it builds the kind of technical-to-contractual-to-legal framework that jilted parties can start to rely on when something goes wrong. Keep in mind that the usual discussions of "identity trust frameworks" focus on IdPs and RPs, not so much AMs, hosts, requesters, requesting parties, etc.
>> #2 What Rainer was suggesting we still need, beyond this document. is a kind of "user guide" for UMA deployers, to help them specify the missing pieces that bind UMA plumbing to their contractual choices. This could maybe be presented as a form/survey/questionnaire for each party, possibly accompanied by a template or instructions for an "UMA profile" that would ensconce choices in the technical layer.
>> Let me know what you think.
>> 	Eve
>> On 30 Oct 2011, at 4:24 PM, Kevin Cox wrote:
>>> If you build any trust system you also have the problem of what to do
>>> with people who cheat or who "break the trust we had in them".  The
>>> general approach is to "un-trust" them and we reduce those occasions
>>> when they are trusted and/or require them to do extra things in order
>>> to regain trust.
>>> Again what to do when trust is broken does not seem to appear in most
>>> trust frameworks.  It is assumed that the system will be built so that
>>> all transactions can be trusted. A more practical trust framework
>>> would assume that trust is sometimes broken.  The framework would
>>> indicate how broken trust is detected and what to do about those
>>> agents that prove untrustworthy.
>>> Our approach to detection is to make sure individuals know what has
>>> been done in their name and to give them ways of challenging those
>>> actions, and proving it was not them. They should have the ability to
>>> expunge the actions from their record and if possible move the
>>> responsibility to someone else.  If a person is found to have abused
>>> trust then they are not permitted to participate in that activity for
>>> some period of time.  This is normally punishment enough.
>>> Kevin
>>> On Mon, Oct 31, 2011 at 4:29 AM, Kevin Cox <kevin.cox at edentiti.com> wrote:
>>>> In our implementation of an "identity provider" we have found the
>>>> trust in the representation of identity and trust in the integrity of
>>>> the system is not a sufficient on which to build a trust framework.
>>>> That is it is not only the data that is basis for trust. It is also
>>>> the trust that an individual has that the representation, and its use
>>>> as a representation of them, that is important.  If the representation
>>>> and its access is trusted by the person it represents then trust
>>>> follows.  If it is not then the edifice crumbles.
>>>> To give an example.  Let us say we have an implementation that
>>>> includes a "wallet". How do we know if this representation is trusted?
>>>> We know it is trusted if at the time it is accessed the individual
>>>> trusted it and agreed to the access. This is what UMA is all about but
>>>> it is also what is required if there are legal issues around the use
>>>> of an identity representation.  What is it that a judge will require
>>>> when determining who was responsible for an electronic action?  First
>>>> was the action taken by an electronic agent representing the person
>>>> and second did the individual authorise the action.  The first part is
>>>> the data part and is handled by encryption and trust in the integrity
>>>> of data stores. The second part is the trust we have in the system
>>>> (agent) that performed the action. It is this part that UMA addresses.
>>>> A judge will determine this based on whether the user knowingly gave
>>>> permission and this is where the details of the interaction of the
>>>> individual with the system becomes important.  Obviously we cannot
>>>> have a trust framework built on details of interactions.  But we can
>>>> generalise it to be if is reasonable to assume the individual trusted
>>>> the permission to gain access then it is reasonable for the individual
>>>> to take responsibility for the action, (This all assumes there is
>>>> trust in the integrity of the data stores and systems that hosted the
>>>> representation of the individual.)
>>>> Unfortunately I do not have a good bibliography to supply but in most
>>>> of what I have read the trust in data stores and trust in systems is
>>>> well covered.  What seems to be missing in trust framework discussions
>>>> is - was it reasonable for an individual to know the consequences of
>>>> the actions the system took on their behalf.
>>>> Kevin
>>>> On Sun, Oct 30, 2011 at 8:10 PM, Susan Morrow
>>>> <susan.morrow at avocosecure.com> wrote:
>>>>> HI Eve,
>>>>> Do you mean a bit like the open identity trust framework document (weren't
>>>>> you involved in that?) where it outlines the various aspects that make up
>>>>> the framework of the model?
>>>>> Maybe though we could also introduce our philosophy of thought around the
>>>>> merging of technology, policy and legal standpoints? (BTW that particular
>>>>> point, I feel, is one that is a turning point in the industry as a whole,
>>>>> I.e. The convergence of previously separated approaches).
>>>>> To this end, a guidance document which incorporates in its introduction, the
>>>>> philosophy behind the approach, should be integral. We can then get to the
>>>>> specifics of approach and talk about the pairwise relationships and
>>>>> importantly Dominico's work too.
>>>>> Susan
>>>>> From: Eve Maler <eve at xmlgrrl.com>
>>>>> Date: Sat, 29 Oct 2011 14:26:12 -0700
>>>>> To: "frankwray at cfl.rr.com Wray" <frankwray at cfl.rr.com>, Salvatore D'Agostino
>>>>> <sal at idmachines.com>, Susan Morrow <susan.morrow at avocosecure.com>, Kevin Cox
>>>>> <kevin.cox at edentiti.com>, Domenico Catalano <domenico.catalano at oracle.com>
>>>>> Subject: Re: Arise, Trust Model geeks!
>>>>> Oh, I also wanted to point you to this site, which Dazza Greenwood mentioned
>>>>> to me at IIW:
>>>>> http://idcubed.org/
>>>>> (Yes, once again, cubes. :-) )
>>>>> Eve
>>>>> On 28 Oct 2011, at 6:52 PM, Eve Maler wrote:
>>>>> The WG agreed on Thursday that we should start up a Trust Model
>>>>> best-practices/guidance document, since the current Trust Model document is
>>>>> more like a technical spec than a true helper for someone who wants to use
>>>>> UMA with trust frameworks, or in a legally enforceable way.
>>>>> Below is some food for thought. What would the structure of an actual
>>>>> instruction manual for specifying "trust-enabled" UMA usage look like? Can
>>>>> we bat around an outline, requirements, snippets of text., etc. and
>>>>> eventually turn it into a wiki page?
>>>>> Thanks for your thoughts! Let's plan to report back on our progress on
>>>>> Thursday.
>>>>> Eve
>>>>> http://kantarainitiative.org/confluence/display/uma/UMA+FAQ
>>>>> What is required to make an UMA deployment model "legal" from a privacy,
>>>>> consent, and agency standpoint?
>>>>> The embedding of user-dictated policy in UMA makes it an explicit "carrier"
>>>>> for user permission, even if consent is not gathered in real time. Taking
>>>>> into account implementation and UX choices, trust model considerations, and
>>>>> various strengths of "assurance" in any one deployed system, further
>>>>> profiling of UMA may be warranted to reduce unwanted variability.
>>>>> For example, the core UMA spec leverages OAuth for the authorizing user's
>>>>> introduction of the host to the AM. The core spec allows for both explicit
>>>>> (authorization coe) and implicit (SAML assertion) forms of user consent for
>>>>> this connection. Profiling may be warranted to require only explicit
>>>>> methods, and even to dictate user experiences for consent and authorization.
>>>>> As well, wherever various outside-of-UMA terms of service or strong
>>>>> authentication needs might come into play, such as in the authorizing user's
>>>>> mutual agreements forged with AM or host sites, or the strength of
>>>>> "assurance" about a requesting party's claims, profiling may be warranted to
>>>>> require certain terms of service or authentication or verification
>>>>> strengths, or alternatively membership in various trust frameworks that will
>>>>> dictate such answers.
>>>>> Finally, where interoperability within an ecosystem will demand that certain
>>>>> types of policies about certain claim types must be available, it may be
>>>>> wise to define a mandatory-to-support set of claims and claim assurance
>>>>> strengths.
>>>>> Further reading:
>>>>> UMA Trust Model
>>>>> W3C workshop position paper on Controlling Data Usage with UMA
>>>>> Eve Maler                                  http://www.xmlgrrl.com/blog
>>>>> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>>>>> Eve Maler                                  http://www.xmlgrrl.com/blog
>>>>> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>>>> --
>>>> 0413961090
>>>> Home +61 2 62410647
>>>> Skype cscoxk or +61 2 61003884
>>>> Fax +61 2 6103 0144
>>>> http://www.linkedin.com/in/kevinrosscox
>>> -- 
>>> 0413961090
>>> Home +61 2 62410647
>>> Skype cscoxk or +61 2 61003884
>>> Fax +61 2 6103 0144
>>> http://www.linkedin.com/in/kevinrosscox
>> Eve Maler                                  http://www.xmlgrrl.com/blog
>> +1 425 345 6756                         http://www.twitter.com/xmlgrrl

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl

More information about the WG-UMA mailing list