Hi All,
Rainer has come back with some suggestions, etc. regarding the Trust Model – I’ve answered his queries in blue but you may be able to elaborate more?
Susan
Just in answer to some of your queries, I’ve added some info below in blue
- Patrick suggested that we substitute "liable actor" by "asserting actor", because asserting actor was already coined somewhere, and the asserting actor might not be liable in a legal sense with lower LoAs.
OK I can change that, but we may have to change in the UMA outline too as its specified as such there.
- TR-1 What does "COPS" stand for?
It’s the Common Open Policy Service for communicating the policies between the host and the AM -using a PDP and PEP (the Host and AM respectively)
- TR2/TR3 "policy application/enforcement": It is probably clear from the context that this is the access policy. However, if we combine the various bits and pieces of the complete TF, this context will be lost. Therefore I would suggest to cal this the user managed access policy, short UMA policy.
OK I think that should be fine and I understand your logic
- TR-4 Entity AuthN without context includes humans as well - I would suggest Service AuthN as more precise term
OK will do
- TR-8 "Cross recognition of users" - who recognizes what?
It must be via programmatic authentication – in which case should it be rolled into entity auth as you suggested above?
- Susan
Hi All,Rainer has come back with some suggestions, etc. regarding the Trust Model – I’ve answered his queries in blue but you may be able to elaborate more?SusanJust in answer to some of your queries, I’ve added some info below in blue- Patrick suggested that we substitute "liable actor" by "asserting actor", because asserting actor was already coined somewhere, and the asserting actor might not be liable in a legal sense with lower LoAs.OK I can change that, but we may have to change in the UMA outline too as its specified as such there.
- TR-1 What does "COPS" stand for?It’s the Common Open Policy Service for communicating the policies between the host and the AM -using a PDP and PEP (the Host and AM respectively)
- TR2/TR3 "policy application/enforcement": It is probably clear from the context that this is the access policy. However, if we combine the various bits and pieces of the complete TF, this context will be lost. Therefore I would suggest to cal this the user managed access policy, short UMA policy.OK I think that should be fine and I understand your logic
- TR-4 Entity AuthN without context includes humans as well - I would suggest Service AuthN as more precise termOK will do
- TR-8 "Cross recognition of users" - who recognizes what?It must be via programmatic authentication – in which case should it be rolled into entity auth as you suggested above?
- BUT... Another way to distinguish the relationships would be temporal. Is it useful to split some of the actors into "untrusted" and "trusted" phases? For example, the requester/requesting party spends a considerable amount of time interacting with other UMA parties before it's actually given any access authorizations, and (say) the AM should be liable for such authorizations yet. Should we treat this as a whole other "actor"? (I don't think any other parties deserve this distinctive treatment, but could be convinced otherwise.)
There is only one Trust Framework. It is the web
of trust necessary for a full range of transactions to occur. It already
exists in that we know (even though we have yet to articulate) all of the
considerations that we need addressed in order to trust all of the
counterparties in a transaction. The counterparties include not only an IdP and an RP, but also
the network providers, federation operators, assessors and auditors, etc.
Our current mission is to articulate the Trust Framework in order to document
the "real" requirements which are those policies, tools, processes,
and legal structures (potentially a subset of processes) necessary to create
trust among all of the parties. Think of the Trust Framework as a
skeleton of an ancient dinosaur. The species has only a single structure,
but since all members of the species are long dead, we have never actually seen
one to know what the structure is. We are like paleontologists unearthing
bone fragments and trying to piece together what the whole thing looks
like.
Our problem is that various groups among us are digging in different places (using different use cases) and unearthing different fragments – only some of which are common to those found by other groups.
Each group is imagining a different structure to the
creature based on their limited sampling of bone fragments. One group
believes it flies, another that it crawls or walks, and yet another that it
swims. One group believes it is a carnivore; another an herbivore.
Their conclusions are all consistent with their subset of the evidence that
each has unearthed. But because they haven't combined their knowledge,
each has too small a portal to imagine the fully articulated skeleton.
Until we can amalgamate all of our fragments, it is unlikely that we will be able to create the correct model. And by failing to acknowledge all of the other pieces of the puzzle, we are creating science that is likely not only to lead us astray (e.g., create poor and conflicting regulations), but also cause each group to dig in its heels to defend their current model. This will forestall our ability to “get it right.”
_______________________________________________
WG-UMA mailing list
WG-...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
1. - Does it make sense to distinguish the different things being relied on in separate TRs for the same pair of actors, or should they be considered as multiple elements of the single trust relationship between them? E.g., TR-3 and TR-4 both refer to some aspect of trust between the host and requester. Is it better to combine them, since all trust between them gets forged through the exact same process?
I believe that we need to articulate the TRs at the most granular level because it may require different solutions to address the different variations. We don't actually trust another party. We trust another party to act a certain way. Trusting one a party to perform one action does not imply universal trust of that party to perform all actions. E.g., even within the same form of trust, we may be willing to trust screwyu.com to deliver our ordered merchandise for a small purchase, but not trust them for a larger transaction.
2. Re: creating a constellation for each and every user story.
While for the subset of transactions that UMA will support, you may well be able to get by with a limited articulation of the trust model. But, ultimately, I think it is vital to articulate the full model in order to align all of the various identity/privacy/security/notice efforts to the same set of requirements. This will allow us to specify not only the system-of-systems requirements that apply to each subset, but it will also allow us to clearly scope the boundaries of these various subsets to keep them from either solving the same problem different ways or leaving a critical gap that falls between the cracks.
My personal view of the trust framework is that:There is only one Trust Framework. It is the web of trust necessary for a full range of transactions to occur. It already exists in that we know (even though we have yet to articulate) all of the considerations that we need addressed in order to trust all of the counterparties in a transaction. The counterparties include not only an IdP and an RP, but also the network providers, federation operators, assessors and auditors, etc.
I’ve read and re-read your comments trying to assimilate them all but one thing kept jumping into my mind.
Rainers work is based on a ternary relationship and the trust model is broken down into 3N-1 i.e. a pairwise model
So logically if UMA is a quaternary model and using the same principle, then the trust model should shake out to be 4N-1 , i.e. a ternary model
Am I making sense?
i.e. instead of pairwise actors you would have a trio of actors all interacting at any given scenario – this of course adds another dimension of complexity into the trust model – going from essentially x, y to x,y,z
The table would need to reflect this so we could then call on this to tease out each scenario
What do you think, am I barking up the wrong tree, or if not, making it to complex for this particular task?
I’m on a train for 6 hours tomorrow and I’ll take all your comments and try and pull together another version of the initial attempt I made for us to look at before Thursday
Susan
p.s. I still think that privacy and security could be layered into the model as separate considerations and although we may not do that in the first pass we could make reference to this as an extension of the initial model??
Fair point and it would complicate things massively without necessarily adding benefit. I had to follow the train of logic though to see what popped up
I guess that ultimately every relationship is based on two and the third party is just an extension of that – I suppose a pair wise table, if comprehensive would take any extraneous relationships into account anyway – just in a more 2D way
Fair point and it would complicate things massively without necessarily adding benefit. I had to follow the train of logic though to see what popped up
I guess that ultimately every relationship is based on two and the third party is just an extension of that – I suppose a pair wise table, if comprehensive would take any extraneous relationships into account anyway – just in a more 2D way
From: Eve Maler [mailto:e...@xmlgrrl.com]
Sent: 14 February 2011 14:43
To: Susan Morrow
Hi Jeff,
Thanks for this.
I’m meeting with Rainer on Monday so I’m sure he’ll go into the details of how to mimic your meta model so we can apply it to UMA.
We discussed similar things on the UMA call last night too with regards to the trust relationships and teasing them out so we have the right ones to work with. It seems to be the pivot upon which the model will stand.
Best wishes
Susan