Difference between revisions of "Trusted Location"

From MgmtWiki
Jump to: navigation, search
m (Solutions)
(References)
 
(6 intermediate revisions by the same user not shown)
Line 42: Line 42:
 
|}
 
|}
  
It may be that some of these terms (like list of attributes) are better listed on the [[Trusted Identifier].
+
It may be that some of these terms (like list of attributes) are better listed on the [[Trusted Identifier]].
  
 
==References==
 
==References==
Line 49: Line 49:
 
*[https://www.iana.org/assignments/well-known-uris/well-known-uris.xml Existing .well-known additions to URLs] can be seen for examples.  .well-known/tloc could be a possible use.
 
*[https://www.iana.org/assignments/well-known-uris/well-known-uris.xml Existing .well-known additions to URLs] can be seen for examples.  .well-known/tloc could be a possible use.
 
*A [https://tools.ietf.org/html/draft-hunt-oauth-software-statement-00 draft rfc has been published for a software statement].  A  software statement is a JWT assertion used by an OAuth client to provide both informational and OAuth protocol related assertions that aid service providers to recognize OAuth client software and its expected behaviour within an OAuth Framework protected resource environment.
 
*A [https://tools.ietf.org/html/draft-hunt-oauth-software-statement-00 draft rfc has been published for a software statement].  A  software statement is a JWT assertion used by an OAuth client to provide both informational and OAuth protocol related assertions that aid service providers to recognize OAuth client software and its expected behaviour within an OAuth Framework protected resource environment.
 +
*The [https://kantarainitiative.org/confluence/display/infosharing/Standard+Information+Sharing+Label Standard Information Sharing Label] is presented on web pages or by browsers at the point of sharing information through the use of the Information Sharing Icon, design to be determined. The Icon shall be present, either on the web page, in the browser chrome, or on mouseover of the button which triggers information sharing, e.g., the submit button of a form. Clicking on the Icon shall trigger the [https://standardlabel.org/ display of the Label]. It does not seem to comprehend that the user may have a choice about which information to share.
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 +
[[Category:Trust]]

Latest revision as of 13:53, 25 April 2019

Full Title or Meme

A Trusted Location is one that will display a well-known tag showing who they are and what they intend.

Context

Problems

  • A spoofed URL describes one website that poses as another website. It sometimes applies a mechanism that exploits bugs in web browser technology, allowing a malicious computer attack. During such an attack, a computer user innocently visits a web site and sees a familiar URL in the address bar such as http://www.wikipedia.org but is, in reality, sending information to an entirely different location that would typically be monitored by an information thief.
  • A common attack is to replace one character with a similar character, say a 1 (one) for an l (ell) or a Turkish e for a Latin e. Most users will not be able to recognize the changes and will assume the site is one that is familiar to them.
  • The following site attempts to train users how to spot fraudulent sites and lists many of the ways that a user can be fooled into believing a site is valid when it is not. The problem here is that the description is long and the instructions highly technical. This is another example of blaming the user for their inability to spot fraud when the problem is the very complexity of the web and the endlessly inventive ways that it can be misused.
  • The current trust system for SSL certificates is not as good as it may seem. Google has discovered serveral problems with the trust hierarchy. In the paper How a 2011 Hack You’ve Never Heard of Changed the Internet’s Infrastructure they describe the first breach although others have been discovered since.

Solutions

  1. Every Web Site will have one place on that site for making an Identity statement.
  2. That Identity statement MUST be accessed by a URL at a well-known location under the hostname. See RFC 5785 for information on well-known additions to URL.
  3. That Identity statement MAY be accessed at multiple locations that are locale specific for language or other purposes.
  4. That Web Site will be part of one or more frameworks that represent a set of rules that the Web Site agrees to follow in all of its online transactions.

Contents of site at the well-known page for the Trusted Location will be available in machine and human readable form.

No, Name Typical use User Experience
1 SSL Identifier URL with wild cards *.example.com
2 List of required user attributes always needed proof of presence (for example)
3 List of requested user attributes above and beyond the above passport, drivers license
4 Privacy policy URL DOI or URN
5 Terms of use URL DOI or URN
6 Trusted Identifier URN TID:framework:LUID
7 Software in use Determine the location's expected behavior
8 Contact information structure(locale) mailto: phone fax, etc.
9 Signature Type fixed list RSA2048 (for example)
10 Signature hex value 134bbead23d908e0a3221bc

It may be that some of these terms (like list of attributes) are better listed on the Trusted Identifier.

References

  • The wiki page on Cookies provides some alternate solutions.
  • The wiki page on Trusted Identifier can be used to bind a URL with a Trusted Location to a real-world Entity.
  • Existing .well-known additions to URLs can be seen for examples. .well-known/tloc could be a possible use.
  • A draft rfc has been published for a software statement. A software statement is a JWT assertion used by an OAuth client to provide both informational and OAuth protocol related assertions that aid service providers to recognize OAuth client software and its expected behaviour within an OAuth Framework protected resource environment.
  • The Standard Information Sharing Label is presented on web pages or by browsers at the point of sharing information through the use of the Information Sharing Icon, design to be determined. The Icon shall be present, either on the web page, in the browser chrome, or on mouseover of the button which triggers information sharing, e.g., the submit button of a form. Clicking on the Icon shall trigger the display of the Label. It does not seem to comprehend that the user may have a choice about which information to share.