Difference between revisions of "Native User Agent"

From MgmtWiki
(Where is the Device?)
(References)
Line 33: Line 33:
  
 
==References==
 
==References==
 
+
<references />
 +
* The Kantara Identity Incubator support development of solutions including the [https://kantarainitiative.org/trustoperations/kantara-identity-privacy-incubator/mobile-authentication-for-first-responders/ Mobile Authentication for First Responders]
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 
[[Category:Trust]]
 
[[Category:Trust]]
 
[[Category:Agent]]
 
[[Category:Agent]]
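Review bot: in the bullet added under ==References==, "The Kantara Identity Incubator support development of solutions" needs "supports", and the sentence has no closing period. The bullet is also a free-standing external link placed beside `<references />` rather than a citation attached to a statement in the article, so consider tying it to the text it supports or moving it to a separate list of external links.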

Revision as of 15:36, 7 June 2019

Full Title or Meme

A trusted digital Entity that is operating at the consent and authority of the user.

Context

  • Today the best User Agent on an internet-connected device is a User Trusted Browser, trusted to work only in the user's best interests.
  • Any Native App can create an HTTP GET request and claim to be a User Agent in the HTTP header.
  • This page discusses the creation of a Native App that really can be trusted by the user to act in the user's best interests as it understands them.

Problems

  • The user should be able to trust that when they are using a computing device to access the web, it is truly acting on their behalf. In other words, is the collection of hardware and software faithfully representing them on the web? As yet, users cannot connect themselves to the internet, so a faithful agent is required.
  • When a request comes in from the web, the following are the kinds of questions that the Web Site might wish to have answered.

Which User is accessing the Web?

  • The primary function of Authentication is to associate a user with a secure (HTTPS) channel. This association is maintained by the use of cookies.

Which Device is accessing the web?

  • Many of today's user-held devices, including Smart Phones and Late Binding Tokens, can hold user credentials securely so that they will not be compromised when used on the web.

Where is the Device?

  • This particular question is related to legal jurisdiction as well as security risk evaluation. It will not be further explored here.

Which Software is accessing the web?

  • Nearly any application running on a user's device is allowed to access the internet and claim that it represents the user. There is no built-in mechanism by which an internet-connected service can test this assertion. The internet was designed to connect computer systems, and that is all it can be relied upon to do.
  • Any Web Site that wishes to create a Persistent Identifier for a User will need to take responsibility for any necessary Assurance that the program running on the user's device really does reflect the will of the user.
  • Most of the larger enterprises operating on The Web prefer to supply a Native App to the user's device to improve the User Experience for that site.
  • Nearly every browser shipped lies in its User Agent String so that the most Web Sites will accept it. The problem is that when browsers have different characteristics, it is hard for the Web Site to determine which characteristics to use.
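
The point above, that a Web Site sees only the software identity the client chooses to claim, can be observed from the server side. The following is an added example, not part of the original page; the two User-Agent strings are constructed sample values and the loopback server stands in for any Web Site.

```python
# Added example (not from the wiki page): the server learns the client's
# software identity only from a header that the client writes itself.
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; any other string is accepted the same way.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
NATIVE_APP_UA = "ExampleNativeApp/0.1"


class RecordingHandler(BaseHTTPRequestHandler):
    """Records the User-Agent header exactly as the web site receives it."""

    def do_GET(self):
        self.server.seen.append(self.headers.get("User-Agent"))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def observe(claimed_agents):
    """Send one GET per claimed User-Agent from this single Python process
    and return what a loopback web server recorded for each request."""
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Bypass any proxy configured in the environment; this is loopback only.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/"
        for ua in claimed_agents:
            req = urllib.request.Request(url, headers={"User-Agent": ua})
            opener.open(req, timeout=5).close()
    finally:
        server.shutdown()
        server.server_close()
    return server.seen


if __name__ == "__main__":
    for ua in observe([BROWSER_UA, NATIVE_APP_UA]):
        # One program sent both requests; the header alone cannot show that.
        print("server saw:", ua)
```

The server's record matches the claims one for one, so a site that needs Assurance about the software must obtain it from something other than this header.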

Is the User Actually Present?

  • The user can have access to a credential in their possession that proves that it is currently active and valid, for example a Late Binding Token or even the Smart Phone.

Solutions

  • The most common way for Users to access a Web Site is with a web browser from some well-known browser provider, either within a device operated by the user or on a cloud computer under user control.
  • While current web browsers do allow Web Sites to include programs as JavaScript to run within the browser, for security reasons they provide only a very restricted Sandbox in which the script must run.
