No subject
Tue Jun 2 17:05:09 UTC 2009
nice to have those attributes scored using a commonly defined criteria so
when OP returns a certain set of attributes relying party could trust them
according to the score that OP gave them.
Motivations
Openid is moving towards being the de facto standard for authentication on
the web. There are some other solutions to deal with attributes but it would
be nice to have a single technology, empowered by the use of their plugins,
to deal with identity.
Scenario
Here we'll expose an example of the messages exchanged during certificate
attributes fetching.
FetchRelying party
openid.ns.ax=http://openid.net/srv/ax/1.0 #To be redefined if a new release
of the protocol is created
openid.ax.mode=fetch_request
openid.ax.type.age=http://axschema.org/birthDate
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
OpenidProvider
openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_response
openid.ax.type.age=http://axschema.org/birthDate
openid.ax.value.age=23
*openid.ax.score.age=3*
*openid.ax.receipt = #Some kind of receipt certifying the methods used to
certify the attribute and that could be used for further processes*
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
Store
In our approach OP deals with attribute certification processes : validating
certificates, contacting with attribute certification authorities ... so
there's no sense to allow the store of attributes from others than OP.
Store is applied only to non certified attributes, this is score 0.
What are scores
Scores works in the same way PAPE levels does. They measure the way
attributes are certified and how the data being certified have been
collected.
For example: attributes that have been gathered from a *qualified
certificate* (according to EU Directive on electronic Signatures) that is
stored inside a SSCD the score will be 4 (means high). On the other hand, a
name that has been alegated in a web form will have the score 0, means low.
Between 0 and 4 you have all the ways you can certify an attribute from 0
(no certification) to 4. We made a brief definition of the score concept
that you could find here (https://www.tractis.com/tractis_score_policy) and
the mapping to real methods could be found here (
https://www.tractis.com/tractis_score_mapping<https://www.tractis.com/tractis_score_policy>).
As we indicate in these documents, we (Tractis) have not invented neither
the classification nor the score policy but used previous work by the NIST
and EU.
Problems to be solved
In Openid attributes are alegated, so you don't have to trust the OP because
there's nothing to trust on. Dealing with certified attributes create a
problem : how could I, as a relying party, know that this OP *works* fine
and if it says "level 4" all criteria to consider were done the right way.
Our proposal, in the same way as PAPE, the Relying Party does not need to
trust the OP. The User is the one that needs to trust the OP. If problems
arises with certain OP, then relying parties could choose to use some OP and
exclude others with mechanisms like white/black lists.
Other problem not covered is the format of the receipt (attribute *
openid.ax.receipt*). Here we can proceed in 2 ways: (1) leaving this
responsibility to describe the message to the OP or (2) providing an spec
about it.
Our proposition is: let this field being a signed identifier holding the
transaction ID for the given fetch request.
There should be a way to connect this ID to the transaction performed on OP
(attribute fetching transaction) and to the information requested. OP should
make its best effort to handle as much evidences about the process as
possible including requested attributes, verified information and returned
response. But the detail of this evidential information is out of the scope
of this document.
--
David Garcia
CTO
Tractis - Online contracts you can enforce
http://www.tractis.com
--
Tel: (34) 93 551 96 60 (ext. 260)
Email: david.garcia at tractis.com
Blog: http://blog.negonation.com
Twitter: http://twitter.com/tractis
--000e0cd6ab720b9e03046b60fcaa
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
My company is starting a new Identity Management Service and we want to bui=
lt it's AX interface over OpenId AX profile. <br><br>I'll introduce=
myself at the very beginning. My name is Dave Garcia and I'm working i=
n a startup named Tractis in Spain. We have been offering online contracts =
using digital signatures for some years.=A0 We want to allow users to use t=
hird OPs to login in our site and we want to become an OP too.<br>
<br>Also we want to offer identity services some of them using attribute ex=
change.=A0 We are dealing with attributes being asserted by users and other=
are being certified by third parties (inside assertions, X509certificates.=
..). We want to make a difference between attributes being asserted and tho=
se certified the same way authentication methods have different assurance l=
evels PAPE profile. <br>
<br>Please let me paste here the briefing of what I'm talking about. <b=
r><br>Disclaimer : the following document is in a very early stage, comment=
s and suggestions are highly welcome. <br><br>Many thanks for everybody rea=
ding :)<br>
<br>Dave<br><br>
=20
=20
<h1 id=3D"tc3">Short briefing for certified-AX profile for OpenId</h1=
><h1 id=3D"tc4">Abstract</h1><p id=3D"tc2">Openid
AX profile for openid provides a way to exchange attributes between
relying parties and OP. Those attributes are simple key-value where the
keys are commonly agreed identifiers and values are encoded strings.
This approach works fine when dealing with "alegated attributes" =
like
email, name ... but a problem arises when we need to trust this
information ("certified attributes").</p><p id=3D"tc7">There are =
some
services that works fine using alegated identities but some specially
sensitive services, such as banking, don't. In these sensitive
scenarios, we need to ensure the quality/trustworthiness of those
attributes. Making a parallelism with existing open specs we need to
apply mechanisms analogous to those defined on the PAPE for OP
authentication but for attribute exchange.</p><p id=3D"tc1">From out
point of view, and regarding to this existent needs, it would be nice
to have those attributes scored using a commonly defined criteria so
when OP returns a certain set of attributes relying party could trust
them according to the score that OP gave them.</p><h2 id=3D"tc9">Motivation=
s</h2><p id=3D"tc10">Openid
is moving towards being the de facto standard for authentication on the
web. There are some other solutions to deal with attributes but it
would be nice to have a single technology, empowered by the use of
their plugins, to deal with identity.</p><h2 id=3D"tc5">Scenario</h2><p id=
=3D"tc11">Here we'll expose an example of the messages exchanged during=
certificate attributes fetching.</p><h2 id=3D"tc42">Fetch</h2><h3 id=3D"tc=
14">
Relying party</h3><p id=3D"tc6">openid.ns.ax=3D<a href=3D"http://openid.net=
/srv/ax/1.0">http://openid.net/srv/ax/1.0</a> #To be redefined if a new rel=
ease of the protocol is created</p><p id=3D"tc12">openid.ax.mode=3Dfetch_re=
quest</p>
<p id=3D"tc20">openid.ax.type.age=3D<a href=3D"http://axschema.org/birthDat=
e">http://axschema.org/birthDate</a></p><p id=3D"tc13">openid.ax.update_url=
=3D<a href=3D"http://idconsumer.com/update?transaction_id=3Da6b5c41">http:/=
/idconsumer.com/update?transaction_id=3Da6b5c41</a></p>
<h3 id=3D"tc25">OpenidProvider</h3><p id=3D"tc15">openid.ns.ax=3D<a href=3D=
"http://openid.net/srv/ax/1.0">http://openid.net/srv/ax/1.0</a> openid.ax.m=
ode=3Dfetch_response</p><p id=3D"tc16">openid.ax.type.age=3D<a href=3D"http=
://axschema.org/birthDate">http://axschema.org/birthDate</a></p>
<p id=3D"tc21">openid.ax.value.age=3D23</p><p id=3D"tc22">
<b>openid.ax.score.age=3D3</b>
</p><p id=3D"tc24">
<b>openid.ax.receipt
=3D #Some kind of receipt certifying the methods used to certify the
attribute and that could be used for further processes</b>
</p><p id=3D"tc23">openid.ax.update_url=3D<a href=3D"http://idconsumer.=
com/update?transaction_id=3Da6b5c41">http://idconsumer.com/update?transacti=
on_id=3Da6b5c41</a></p><h2 id=3D"tc40">Store</h2><p id=3D"tc39">In
our approach OP deals with attribute certification processes :
validating certificates, contacting with attribute certification
authorities ... so there's no sense to allow the store of attributes
from others than OP.</p><p id=3D"tc17">Store is applied only to non certifi=
ed attributes, this is score 0.</p><h2 id=3D"tc28">What are scores</h2><p i=
d=3D"tc18">Scores
works in the same way PAPE levels does. They measure the way attributes
are certified and how the data being certified have been collected.</p><p i=
d=3D"tc26">For example: attributes that have been gathered from a <i>qualif=
ied certificate</i>
(according to EU Directive on electronic Signatures) that is stored
inside a SSCD the score will be 4 (means high). On the other hand, a
name that has been alegated in a web form will have the score 0, means
low.</p><p id=3D"tc27">Between 0 and 4 you have all the ways you can
certify an attribute from 0 (no certification) to 4. We made a brief
definition of the score concept that you could find here (<a href=3D"https:=
//www.tractis.com/tractis_score_policy">https://www.tractis.com/tractis_sco=
re_policy</a>) and the mapping to real methods could be found here (<a href=
=3D"https://www.tractis.com/tractis_score_policy">https://www.tractis.com/t=
ractis_score_mapping</a>).
As we indicate in these documents, we (Tractis) have not invented
neither the classification nor the score policy but used previous work
by the NIST and EU.</p><h3 id=3D"tc32">Problems to be solved</h3><p id=3D"t=
c29">In
Openid attributes are alegated, so you don't have to trust the OP
because there's nothing to trust on. Dealing with certified attributes
create a problem : how could I, as a relying party, know that this OP <b><i=
>works</i></b> fine and if it says "level 4" all criteria to cons=
ider were done the right way.</p><p id=3D"tc30">Our
proposal, in the same way as PAPE, the Relying Party does not need to
trust the OP. The User is the one that needs to trust the OP. If
problems arises with certain OP, then relying parties could choose to
use some OP and exclude others with mechanisms like white/black lists.</p><=
p id=3D"tc31">Other problem not covered is the format of the receipt (attri=
bute <b>openid.ax.receipt</b>).
Here we can proceed in 2 ways: (1) leaving this responsibility to
describe the message to the OP or (2) providing an spec about it.</p><p id=
=3D"tc33">Our proposition is: let this field being a signed identifier hold=
ing the transaction ID for the given fetch request.</p><p id=3D"tc43">There
should be a way to connect this ID to the transaction performed on OP
(attribute fetching transaction) and to the information requested. OP
should make its best effort to handle as much evidences about the
process as possible including requested attributes, verified
information and returned response. But the detail of this evidential
information is out of the scope of this document.</p>
=20
=20
=20
<br><br clear=3D"all"><br>-- <br>David Garcia<br>CTO<br><br>Tractis - O=
nline contracts you can enforce<br><a href=3D"http://www.tractis.com">http:=
//www.tractis.com</a><br>--<br>Tel: (34) 93 551 96 60 (ext. 260) <br><br>Em=
ail: <a href=3D"mailto:david.garcia at tractis.com">david.garcia at tractis.com</=
a><br>
Blog: <a href=3D"http://blog.negonation.com">http://blog.negonation.com</a>=
<br>Twitter: <a href=3D"http://twitter.com/tractis">http://twitter.com/trac=
tis</a><br>
--000e0cd6ab720b9e03046b60fcaa--
More information about the specs
mailing list