Difference between revisions of "Native User Agent"

From MgmtWiki
(Full Title or Meme)
m (Which Device is accessing the web?)
 
(9 intermediate revisions by the same user not shown)
Line 4: Line 4:
  
 
==Context==
 
==Context==
*The best [[User Agent]] on an internet connected device is a [[User]] [[Trusted Browser]] to work only in the user's best interests.
+
*Today the best [[User Agent]] on an internet connected device is a [[User]] [[Trusted Browser]] to work only in the user's best interests.
*When discussing the use of the internet by a user, what is really meant is the presence of the user's agent on an internet connection.
+
*Any [[Native App]] can create a HTTP Get request and claim to be a [[User Agent]] in the HTTP header.
*Typically the [[Native App]] will run on a [[User Device]] in the user's physical possession, but it is possible that the agent is running on a service in [[The Cloud]]. Usually this would not be detected by a [[Web Site]].
+
*This page discusses the creation of a [[Native App]] that really can be trusted by the user to act in the user's best interests as it understands them.
*For details on creation of a [[Native User Agent]] that really can be trusted by the user see the wiki page [[Native User Agent]].
 
  
 
==Problems==
 
==Problems==
 +
*The user should trust that when they are using a computing device to access the web, that it is truly acting on their behave. In other words is the collection of hardware and software faithfully representing then on the web? As yet user cannot connect themselves to the internet, so a faithful agent is required.
 +
*When a request comes in from the web, the following are the kinds of questions that the [[Web Site]] might wish to know.
 +
===Which User is accessing the Web?===
 +
*The primary function of [[Authentication]] is to associate a use with a secure (HTTPS) channel. This association is maintained by the use of cookies.
 +
 +
===Which Device is accessing the web?===
 +
* Many of today's user held devices, including [[Smart Phone]]s and [[Late Binding Token]]s can hold user credentials securely so that they will not be compromised when used on the web.
 +
 +
===Where is the Device?===
 +
* This particular question is related to legal jurisdiction as well as  [[Security Risk]] evaluation. It will not be further explored here.
 +
 +
===Which Software is accessing the web?===
 
*Nearly any application running on a user's device is allowed to access the internet and claim that it represents the user. There is no built-in mechanism to test this assertion by an internet connected service. The internet was designed to connect computer systems, and that is all it can be relied upon to do.
 
*Nearly any application running on a user's device is allowed to access the internet and claim that it represents the user. There is no built-in mechanism to test this assertion by an internet connected service. The internet was designed to connect computer systems, and that is all it can be relied upon to do.
 
*Any [[Web Site]] that wishes to create a [[Persistent]] [[Identifier]] for a [[User]] will need to take responsibility for any necessary [[Assurance]] that the program running on the user's device really does reflect the will of the user.
 
*Any [[Web Site]] that wishes to create a [[Persistent]] [[Identifier]] for a [[User]] will need to take responsibility for any necessary [[Assurance]] that the program running on the user's device really does reflect the will of the user.
 
*Most of the larger enterprises operating on [[The Web]] prefer to supply a [[Native App]] to the users device to improve the [[User Experience]] for that site.
 
*Most of the larger enterprises operating on [[The Web]] prefer to supply a [[Native App]] to the users device to improve the [[User Experience]] for that site.
*To be sure that the [[User Agent]] really is operating on the user's behalf, the [[Web Site]] needs to know the level of [[Assurance]] that can be assigned to the user's device as well as the [[User Agent]].
 
 
*Nearly every browser shipped lies their [http://www.webapps-online.com/online-tools/user-agent-strings/dv/ User Agent String] to get the most web sites to accept them. The problem is that when they have different characteristics it is hard for the [[Web Site]] to determine which characteristics to use.
 
*Nearly every browser shipped lies their [http://www.webapps-online.com/online-tools/user-agent-strings/dv/ User Agent String] to get the most web sites to accept them. The problem is that when they have different characteristics it is hard for the [[Web Site]] to determine which characteristics to use.
 +
===Is the User Actually Present?===
 +
* The user can have access to a credential in their possession that proves that it is currently active and valid. For example a [[Late Binding Token]] or even the [[Smart Phone]].
  
 
==Solutions==
 
==Solutions==
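Review bot: the added first bullet under ==Problems== has two wording slips, "acting on their behave" for "behalf" and "representing then" for "them", and the added Authentication bullet says "associate a use" where "a user" is meant. The added headings also alternate between "the Web" and "the web"; pick one capitalization. The revision drops the bullet stating that the Web Site needs to know the level of Assurance assignable to the device and the User Agent, and nothing in the added text replaces it, so consider keeping it under "Which Software is accessing the web?".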
Line 21: Line 33:
  
 
==References==
 
==References==
 
+
<references />
 +
* The Kantara Identity Incubator support development of solutions including the [https://kantarainitiative.org/trustoperations/kantara-identity-privacy-incubator/mobile-authentication-for-first-responders/ Mobile Authentication for First Responders]
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 
[[Category:Trust]]
 
[[Category:Trust]]
 
[[Category:Agent]]
 
[[Category:Agent]]
 +
[[Category: User Agent]]
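Review bot: the added Kantara bullet sits after <references />, so it renders below the generated footnote list; moving it above that tag keeps the section in one piece, and "support development" should read "supports development". The new "[[Category: User Agent]]" has a space after the colon that the other category links do not; match their form.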

Latest revision as of 06:57, 25 March 2021

Full Title or Meme

A trusted digital Entity that is operating at the consent and authority of the user.

Context

  • Today the best User Agent on an internet-connected device is a User Trusted Browser that works only in the user's best interests.
  • Any Native App can create an HTTP GET request and claim to be a User Agent in the HTTP header.
  • This page discusses the creation of a Native App that really can be trusted by the user to act in the user's best interests as it understands them.

Problems

  • The user should be able to trust that when they use a computing device to access the web, it is truly acting on their behalf. In other words, is the collection of hardware and software faithfully representing them on the web? As yet, users cannot connect themselves to the internet, so a faithful agent is required.
  • When a request comes in from the web, the following are the kinds of questions that the Web Site might wish to answer.

Which User is accessing the Web?

  • The primary function of Authentication is to associate a user with a secure (HTTPS) channel. This association is maintained by the use of cookies.

Which Device is accessing the web?

  • Many of today's user-held devices, including Smart Phones and Late Binding Tokens, can hold user credentials securely so that they will not be compromised when used on the web.

Where is the Device?

  • This particular question is related to legal jurisdiction as well as Security Risk evaluation. It will not be further explored here.

Which Software is accessing the web?

  • Nearly any application running on a user's device is allowed to access the internet and claim that it represents the user. There is no built-in mechanism to test this assertion by an internet connected service. The internet was designed to connect computer systems, and that is all it can be relied upon to do.
  • Any Web Site that wishes to create a Persistent Identifier for a User will need to take responsibility for any necessary Assurance that the program running on the user's device really does reflect the will of the user.
  • Most of the larger enterprises operating on The Web prefer to supply a Native App to the user's device to improve the User Experience for that site.
  • Nearly every browser shipped lies in its User Agent String so that the most web sites will accept it. The problem is that when browsers have different characteristics, it is hard for the Web Site to determine which characteristics to use.
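
The point above, that a Web Site cannot test what software sent a request, as an added example (not part of the original wiki page). A plain script sends a browser-style header to a loopback server, and the site side receives it unchanged. The sample string, the function names and the "unverified" label are assumptions made for this illustration.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the shape of a desktop Chrome User-Agent string.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

def claimed_products(ua):
    """List every product name the header claims (name/version tokens)."""
    return [name for name, _ in re.findall(r"([A-Za-z][\w.-]*)/([\w.]+)", ua)]

def header_seen_by_site(ua):
    """Serve one request on loopback and return the User-Agent the site received."""
    seen = []

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.headers.get("User-Agent", ""))
            self.send_response(204)
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    # The client is a plain script, not a browser; the header is just a string.
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", "/", headers={"User-Agent": ua})
    conn.getresponse().read()
    conn.close()
    worker.join()
    server.server_close()
    return seen[0]

def assess(ua):
    """Site-side view: record the claim as a hint, grant it no assurance."""
    return {"claims": claimed_products(ua), "assurance": "unverified"}

if __name__ == "__main__":
    print(assess(header_seen_by_site(CHROME_UA)))
```

The single header names four products at once, which is the ambiguity the last bullet describes, and nothing in the request tells the site which program actually produced it.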

Is the User Actually Present?

  • The user can have access to a credential in their possession that proves that it is currently active and valid, for example a Late Binding Token or even the Smart Phone.

Solutions

  • The most common way for Users to access a Web Site is with a web browser from some well-known browser provider, either within a device operated by the user or on a cloud computer under user control.
  • While current web browsers do allow Web Sites to include programs as JavaScript to run within the browser, they provide a very restricted Sandbox in which the script must run, for security reasons.

References