Presentation is loading. Please wait.

Presentation is loading. Please wait.

Karen Sollins MIT Communications Futures Program October 24, 2013 Trust: trustmarks, concepts, frameworks.

Published byFlorence Jacobs Modified over 8 years ago

Similar presentations

Presentation on theme: "Karen Sollins MIT Communications Futures Program October 24, 2013 Trust: trustmarks, concepts, frameworks."— Presentation transcript:

1 Karen Sollins MIT Communications Futures Program October 24, 2013 Trust: trustmarks, concepts, frameworks

2 Why should I trust you? Copyright Sibel Adali 10/23/13Sollins MIT CSAIL, Trust2

3 ► Registry of Motor Vehicles: name, address, birthdate ► Facebook: identification ► Bank: secure money ► Credit card company: payment ► DKIM certified email address: validity of email address ► Yelp, Angie’s List, other reviewing systems ► eBay ► … Who trusts whom for what? 10/23/13Sollins MIT CSAIL, Trust3

4 What does a “trustmark” tell me? 10/23/13Sollins MIT CSAIL, Trust4

5 ► Relationship between trustor and trustee ► Vulnerability or risk ► Model of: ► What is at risk ► How occurrence of risk will be addressed ► The “costs” of risk and mitigation of risk What is trust? 10/23/13Sollins MIT CSAIL, Trust5

6 ► Challenges: ► Many identities: management, privacy, usability, … ► Independent solutions ► Credit cards ► AAA protocols (IETF, network resource access) ► Education networks (REFED/TERENA and InCommon) ► Email ► … ► Are there really problems? A little background 10/23/13Sollins MIT CSAIL, Trust6

7 NSN studies (Tschofenig) 10/23/13Sollins MIT CSAIL, Trust7

8 ► Injection: send untrusted data to servers that then use it. Trick remote service into using it. ► Broken Authentication and Session management: incorrect or buggy implementations lead to password, key or session tokens being compromised. ► Cross-site scripting (XSS): applications send untrusted scripts to browser, allowing the attacker to access victim’s browser and information. ► In NSN customer survey, top concern (24%) was identity theft. What are the issues? 10/23/13Sollins MIT CSAIL, Trust8

9 The model for identification: where is the trust? Relying Party User Identity Provider Data exchange 10/23/13Sollins MIT CSAIL, Trust9

10 ► Performing an action vs. providing information ► Trust is networked: ► People to people ► People to systems ► Systems to people ► Composite of these ► Relationship: The trustor’s willingness to be vulnerable to the trustee under conditions of risk and interdependence ► A belief ► A social lubricant ► Dependent on context ► Literature identifies three axes: competence, integrity/trustworthiness, benevolence What do we mean by trust? (Sibel Adali) 10/23/13Sollins MIT CSAIL, Trust10

11 ► Validated identity: Identity proofing ► Attributes: correctness, completeness, provenance ► Service related issues: ► Privacy ► Anonymity ► Accountability ► Availability ► Reliability Whom do we trust for what? Identity and attribute management 10/23/13Sollins MIT CSAIL, Trust11

12 ► Open Identity Exchange: “In digital identity systems, a trust framework is a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.” ► Kantara Initiative: ► Requirements: from the stakeholder (trust) community ► Specification ► Certification by accredited assessor organization ► Registration and availability: OIX Formalizing the basis for trust: trust frameworks 10/23/13Sollins MIT CSAIL, Trust12

13 OIX definition of Trust Framework ► Authority ► Name ► Version ► Purpose ► Scope ► Roles ► OIX Working Group (source) ► Levels of Assurance (LOA1-4) ► Levels of Protection (LOP1-4) ► Technical profiles ► Special legal terms and requirements ► Other special requirements ► Principles of Openness 10/23/13Sollins MIT CSAIL, Trust13 Each framework begins with a stakeholder or other responsible group defining the requirements and constraints for trust

14 ► Technical ► What capabilities are required ► How are they provided (encryption algorithms, protocols, etc.) ► Legal ► The basis for a legal infrastructure: the core issue is that this must be international ► Treaty ► Contract Two sides of the coin: technical and legal 10/23/13Sollins MIT CSAIL, Trust14

15 ► What do should it do? Meet the needs of the users (Note the similarity to the earlier model) ► Data subjects ► Relying parties ► Identity and attribute providers ► Commonalities: reliability, predictability, interoperability, usability, cost effectiveness, risk reduction, … ► The law: “Contracts document enforceable, mutually-dependent duties that can operate across jurisdictions and sectors, fostering risk-reduced interaction, security and privacy across the Internet, consistent with local law.” – Scott David ► Proposal: combine “technological tools and legal rules” into integrated framework How does one define such a contractually based system? 10/23/13Sollins MIT CSAIL, Trust15

16 ► Framework registries: OIX ► Combined legal/technical “framework” system: the nature of the contract: Scott David (and probably others) ► Assessment of trust providers: approval process by Kantara, Safe/BioPharma ► Frameworks being designed and evaluated ► International activity: (besides NSTIC in US) ► OECD ► ENISA ► Canada: ► “Privacy by Design” ► Cyber Authentication Renewal Initiative: SecureKey operating governmental federated online credential based identification with significantly more anonymity (and now have contract with USPS for similar service) ► and many others… Where we are now 10/23/13Sollins MIT CSAIL, Trust16

17 ► Hannes Tschofenig, NSN ► Don Thibeau, OIX ► Joni Brennan, Kantara Initiative ► Scott David, University of Washington ► Sibel Adali, Renssalear Polytechnic Institute ► Jean Camp, University of Indiana ► More speakers to come Credits: speakers in this series to date 10/23/13Sollins MIT CSAIL, Trust17

18 ► What is the relationship between trust and your business models? Examples? ► Within this space, are there issues, questions, or actions you would like to address within the CFP? ► Is there a role we can play in convening a stakeholder group in your community to examine the requirements for a trustframework for your community? Questions 10/23/13Sollins MIT CSAIL, Trust18

19 ► Future meetings ► Plenary same time next year ► Workshops and other events ► About this meeting: ► Videos will be available ► Follow-up with non-CFP members ► Contact with questions/issues/comments, etc. Natalie Klym, nklym@csail.mit.edu nklym@csail.mit.edu ► We are at http://cfp.mit.eduhttp://cfp.mit.edu Wrap up: Administrative 10/23/13Sollins MIT CSAIL, Trust19

20 ► Something striking: did something strike you during the day that deserves more attention? ► Questions for any of the speakers or the MIT CFP participants? ► Suggestions or other comments about topics, issues? Wrap up: About the content of the meeting 10/23/13Sollins MIT CSAIL, Trust20

Download ppt "Karen Sollins MIT Communications Futures Program October 24, 2013 Trust: trustmarks, concepts, frameworks."

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
TFTM 01-06 Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, 2014 1-14-2014IDESG TFTM Committee1.

TFTM Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, IDESG TFTM Committee1.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair

IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair
Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Building Trusted Transactions Identity Authentication & Attribute Exchange In Public and Private Federations OASIS Conference September 2010 Joni Brennan,

Building Trusted Transactions Identity Authentication & Attribute Exchange In Public and Private Federations OASIS Conference September 2010 Joni Brennan,
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The.

Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The.
Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Introduction to OIX: A Market Solution to Online Identity Trust Don Thibeau.

Introduction to OIX: A Market Solution to Online Identity Trust Don Thibeau.
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report.

National Smartcard Project Work Package 8 – Security Issues Report.
Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.

Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.
Identity Relationship Management The Next Evolution of Identity and Access Management for the Internet of Everything.

Identity Relationship Management The Next Evolution of Identity and Access Management for the Internet of Everything.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Similar presentations

Ads by Google