Trusted Location
From MgmtWiki
Full Title or Meme
A Trusted Location is one that will display a well-known tag showing who they are and what they intend.
Context
- As a part of having a Trusted Identity in Cyberspace a series of Framework Profiles have been created to allow digital Entities to give users a statement about the policies that they support.
Problems
- A spoofed URL describes one website that poses as another website. It sometimes applies a mechanism that exploits bugs in web browser technology, allowing a malicious computer attack. During such an attack, a computer user innocently visits a web site and sees a familiar URL in the address bar such as http://www.wikipedia.org but is, in reality, sending information to an entirely different location that would typically be monitored by an information thief.
- A common attack is to replace one character with a similar character, say a 1 (one) for an l (ell) or a Turkish e for a Latin e. Most users will not be able to recognize the changes and will assume the site is one that is familiar to them.
- The following site attempts to train users how to spot fraudulent sites and lists many of the ways that a user can be fooled into believing a site is valid when it is not. The problem here is that the description is long and the instructions highly technical. This is another example of blaming the user for their inability to spot fraud when the problem is the very complexity of the web and the endlessly inventive ways that it can be misused.
- The current trust system for SSL certificates is not as good as it may seem. Google has discovered serveral problems with the trust hierarchy. In the paper How a 2011 Hack You’ve Never Heard of Changed the Internet’s Infrastructure they describe the first breach although others have been discovered since.
Solutions
- Every Web Site will have one place on that site for making an Identity statement.
- That Identity statement MUST be accessed by a URL at a well-known location under the hostname. See RFC 5785 for information on well-known additions to URL.
- That Identity statement MAY be accessed at multiple locations that are locale specific for language or other purposes.
- That Web Site will be part of one or more frameworks that represent a set of rules that the Web Site agrees to follow in all of its online transactions.
Contents of site at the well-known page for the Trusted Location will be available in machine and human readable form.
No, | Name | Typical use | User Experience |
1 | SSL Identifier | URL with wild cards | *.example.com |
2 | List of required user attributes | always needed | proof of presence (for example) |
3 | List of requested user attributes | above and beyond the above | passport, drivers license |
4 | Privacy policy | URL | DOI or URN |
5 | Terms of use | URL | DOI or URN |
6 | Trusted Identifier | URN | TID:framework:LUID |
7 | Software in use | Determine the location's expected behavior | |
8 | Contact information | structure(locale) | mailto: phone fax, etc. |
9 | Signature Type | fixed list | RSA2048 (for example) |
10 | Signature | hex value | 134bbead23d908e0a3221bc |
It may be that some of these terms (like list of attributes) are better listed on the Trusted Identifier.
References
- The wiki page on Cookies provides some alternate solutions.
- The wiki page on Trusted Identifier can be used to bind a URL with a Trusted Location to a real-world Entity.
- Existing .well-known additions to URLs can be seen for examples. .well-known/tloc could be a possible use.
- A draft rfc has been published for a software statement. A software statement is a JWT assertion used by an OAuth client to provide both informational and OAuth protocol related assertions that aid service providers to recognize OAuth client software and its expected behaviour within an OAuth Framework protected resource environment.
- The Standard Information Sharing Label is presented on web pages or by browsers at the point of sharing information through the use of the Information Sharing Icon, design to be determined. The Icon shall be present, either on the web page, in the browser chrome, or on mouseover of the button which triggers information sharing, e.g., the submit button of a form. Clicking on the Icon shall trigger the display of the Label. It does not seem to comprehend that the user may have a choice about which information to share.