Difference between revisions of "Attested"

From MgmtWiki

Revision as of 20:44, 30 August 2018

Full Title or Meme

A statement is Attested if some Trusted Third Party can create a Validated Claim about a User Device used during either Authentication or Authorization.

Context

Problem

  • When a secure operation is performed at a user location, the packet returned from that User Device needs to be trusted by the Site that receives it.
  • The signing key for that packet will have a certificate that binds that signing key to a particular device.
  • If the device reports a serial number, or (equivalently) a public key that is unique to that device, that value can be used as a tracking number for the owner of the device.

Solution

  • The certificate for the signing key from the User Device, and potentially the configuration information from the device, will need to be Attested by some Trusted Third Party.
  • Attestation can be complex for programmable computers, or simple for single-function User Devices like Security Tokens.
  • An example of a single attestation program with associated metadata is described on the FIDO web site.
  • When a simple certificate is used, it is typically accompanied by a metadata statement; an example is this one at Yubico.
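How a Site could apply the Problem and Solution points above, as an added example that is not the wiki's own code: it verifies the packet against the device key, the device certificate against a Trusted Third Party, and then refuses a certificate that exposes a per-device identifier. A Lamport one-time signature stands in for the real signature algorithm, and the certificate, metadata-statement and packet layouts (including the "batch" attestation type and the "ExampleToken-v1" model) are assumptions.

```python
# Added example, not from the wiki page. A Lamport one-time signature over SHA-256
# stands in for the real device/TTP algorithms; cert and metadata layouts are assumed.
import hashlib, json, os

def H(b): return hashlib.sha256(b).digest()

def keygen():                  # 256 secret pairs; the public key is their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):             # reveal one secret per bit of H(msg); the key is ONE-TIME
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]

def verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(s) == pk[i][(d >> (255 - i)) & 1] for i, s in enumerate(sig))

def pk_hex(pk): return [(a.hex(), b.hex()) for a, b in pk]
def pk_bytes(h): return [(bytes.fromhex(a), bytes.fromhex(b)) for a, b in h]
def canon(body): return json.dumps(body, sort_keys=True).encode()

def issue_cert(ttp_sk, device_pk, model, serial=None):
    # The TTP binds the device signing key to a model (and, if it insists, a serial).
    body = {"device_pk": pk_hex(device_pk), "model": model, "serial": serial}
    return {"body": body, "sig": [s.hex() for s in sign(ttp_sk, canon(body))]}

def check_attested(packet, cert, trusted_ttp_pks, metadata):
    """Return (accepted, reason); metadata maps model -> statement (assumed shape)."""
    cert_sig = [bytes.fromhex(s) for s in cert["sig"]]
    if not any(verify(pk, canon(cert["body"]), cert_sig) for pk in trusted_ttp_pks):
        return False, "certificate not attested by a trusted third party"
    dev_pk = pk_bytes(cert["body"]["device_pk"])
    if not verify(dev_pk, packet["msg"], [bytes.fromhex(s) for s in packet["sig"]]):
        return False, "packet not signed by the attested device key"
    stmt = metadata.get(cert["body"]["model"])
    if stmt is None:
        return False, "no metadata statement for this device model"
    # Privacy check from the Problem section: a serial number, or a key the
    # metadata says is unique to one device, is a tracking number for its owner.
    if cert["body"]["serial"] is not None or stmt.get("attestation") != "batch":
        return False, "per-device identifier exposed (tracking risk)"
    return True, "attested"

def demo(serial=None, attestation="batch", rogue_ttp=False):
    ttp_sk, ttp_pk = keygen()
    dev_sk, dev_pk = keygen()
    cert = issue_cert(keygen()[0] if rogue_ttp else ttp_sk, dev_pk, "ExampleToken-v1", serial)
    msg = b"challenge:123|origin:site.example"             # constructed packet contents
    packet = {"msg": msg, "sig": [s.hex() for s in sign(dev_sk, msg)]}
    return check_attested(packet, cert, [ttp_pk], {"ExampleToken-v1": {"attestation": attestation}})
```

The demo accepts only a batch-attested certificate from a trusted TTP with no serial; a per-device key, a serial number, or a certificate from an unknown attester is rejected.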

References

  1. Synonyms include: Assured, Corroborated, Validated.