Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authority Recognition GGF9

Published byCory Austin Modified over 6 years ago

Similar presentations

Presentation on theme: "Authority Recognition GGF9"— Presentation transcript:

1 Authority Recognition GGF9
Monday Oct 6/2003

2 IPR Statement

3 Definition Authority Recognition: the act by which a relying party accepts the assertions of a particular authority as valid for a specific application. Just to be clear, this is what I mean by “governance model”.

4 Agenda Trust & Expectations Authorities Authority Advertisement
QIK Model ARRG

5 Trust ‘Generally, an entity can be said to trust a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects’ (X.509) Essence of trust lies in the probability for disappointment of a trusting party’s reasonable expectation of another’s behaviour (Hurt factor) Trust then is dependent on each actor being confident that the other actors will behave in a defined manner for specific circumstances.

6 Trust/Expectations Examples of expectations in a simple PKI Issuer
Notification of revocation Conduct quality processes Notification of issuance Notification of revocation Publish the certificate and CRLs Query for revocation Rely within limits Protect private key Use appropriately Trust this is from me Relying Party Subscriber Use within limits Notification of revocation

7 Expectations/Obligations/Liabilities
An obligation is a legally binding commitment to an enforceable duty. An expectation can become an obligation if the actor concerned makes a legally binding commitment to perform (or not) the relevant operation If an obligation is breached, then it may be decided that a liability is assumed by the negligent party. The conversion of an obligation into a liability requires a dispute-resolution system; the output of this system will be a judgment or reward

8 Expectations/Obligations/Liabilities 
Failed expectation

9 Agenda Trust & Expectations Authorities Authority Advertisement ARRG

10 Authorities Trust between entities in many transactions is enabled by a separate authority issuing assertions (e.g. X.509 certificates, SAML assertions, Kerberos tickets, etc) regarding the identity and/or other characteristics of the actors involved The assertions issued by an authority must be recognized as valid and appropriate to its requirements before a party will rely on them

11 Examples SAML SSO WS-Trust Introduction X.509 certificate
Authority is SAML Authority Assertion is SAML Authentication Assertion WS-Trust Introduction Authority is Security Token Service (STS) Assertion is Security Token X.509 certificate Authority is CA Assertion is certificate

12 Recognition Whether or not an assertion from a particular authority will be recognized by a relying party as valid will depend on a number of factors, including The processes followed by the authority in issuing the assertion. the commitments the authority makes with respect to the assertion. the liabilities the authority is willing to assume. the obligations assumed by the relying party if they use the assertion.

13 Recognition Decision Authority Information

14 Authority Layers Trust in an authority (e.g. SAML Authority) may be enabled by ‘lower-level’ trust (e.g. in an X.509 CA) Question: are the recognition decisions separate?

15 Agenda Trust & Expectations Authorities Authority Advertisement ARRG

16 Authority ‘advertisement’
The authority must provide to a potential relying party sufficient information to facilitate the ‘recognition’ decision It is from the information that the STS makes available that an entity will, at least partially, base its expectations - and consequently its trust.

17 Objectives To achieve a proper understanding and equitable allocation of risk among the actors Make the risks commensurate with the benefits for all participants Expose risk Apportion liability Identify obligations

18 Authority information
Ultimately, the question a relying party must answer is:  “Knowing what I know about the other participants, is such an assertion appropriate for the application for which I intend to use it” What the relying party “knows” about the authority can take two general forms, differing in the nature of the commitment that the authority makes

19 Process vs. Business Process-oriented Business-oriented
The authority declares that their processes and practices under which this assertion was issued are as follows… Business-oriented The authority declares that their commitments with respect to the assertion along with the obligations assumed by any entity who uses the assertion are as follows …. Which is most appropriate will depend on the nature of the application and the relationships between the actors involved

20 Application Info Application Info If the authority is ignorant of the potential applications of its assertions it will be unable to claim that its assertions are appropriate for any specific application. The relying party will provide the application information as input to the recognition decision. Authorities can be ‘remote’ or ‘local’ wrt application knowledge. ‘Remote’ authority Assertion Info Authority Relying Party Application Info ‘Local’ authority Assertion Info Authority Relying Party

21 Agenda Trust & Expectations Authorities Authority Advertisement
QIK Model ARRG

22 7. Validates using public
QIK Process Flow 2 Publishes QIK 5. Downloads 1. Creates Validation String Key Owner Relying Party 3.Creates And Publishes 4.Obtains Signed Assertions 6. Sends 7. Validates using public Key and trust

23 Agenda Trust & Expectations Authorities Authority Advertisement
QIK Model ARRG

24 ARRG Ongoing Continue to explore QIK (Qualified Input of Keys) as ‘business-oriented’ mechanism Examine Liberty Authentication Context for ‘process-oriented’ mechanism Explore 3rd party rating systems (as in PingID) for relevance Determine mapping to Grid Federation work BOF Tuesday Oct 7 at 12

25 ARRG GridForge Email Please join and contribute!
Please join and contribute!

Download ppt "Authority Recognition GGF9"

Similar presentations

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
SEMINAR NAIC/ASSAL/SVS REGULATION & SUPERVISION OF MARKET CONDUCT © 2014 National Association of Insurance Commissioners Overview and Purpose of Market.

SEMINAR NAIC/ASSAL/SVS REGULATION & SUPERVISION OF MARKET CONDUCT © 2014 National Association of Insurance Commissioners Overview and Purpose of Market.
Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.

Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.

Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Per Anders Eriksson

Per Anders Eriksson
Circulation of authentic instruments under Regulation 650/2012 speaker – Ivaylo Ivanov – Bulgarian Notary Chamber.

Circulation of authentic instruments under Regulation 650/2012 speaker – Ivaylo Ivanov – Bulgarian Notary Chamber.
Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008.

Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, 01-03 October 2002 Marco Casassa Mont Richard.

Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
+1 (801) 877-2100 Standards for Registration Practices Statements IGTF Considerations.

+1 (801) Standards for Registration Practices Statements IGTF Considerations.
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.

Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
ITU-T X.1254 | ISO/IEC 29115 An Overview of the Entity Authentication Assurance Framework.

ITU-T X.1254 | ISO/IEC An Overview of the Entity Authentication Assurance Framework.

Similar presentations

Ads by Google