Trust Service

From MgmtWiki

Full Title or Meme

Any Web Site that reports on the depth of support that other sites or documents have for the principles of the Framework Profiles that they claim to support.

Context

Problem

  • There are few functional trust services today, for example:
  1. DOI
  2. DNSSEC

Solution

Compare with other solutions like:

  • Attempts to make a trusted connection from a user to a Web Site have included EV Certs; these and other attempts to overcome the failings inherent in trusting any connection based on the URL have all failed. See the page Bearer Tokens Considered Harmful for details.
  1. Create a Trusted Identifier as a URN for web sites and then bind the token to that URN.

German Proposal for Identity and Trust Services

Assuming that uniform rules shall be based on respect for the freedom of parties to choose appropriate media, technologies, identification and trust services, taking into account the principles of technological neutrality and functional equivalence, to the extent in which the means selected by the parties are relevant to the purpose of the existing law; Recognizing the opportunity and feasibility of both centralized and decentralized systems of trust, and their utilization to accelerate progress and digital economy, including the trusted implementation of e-commerce and transport, electronic dispute settlement, creation of e-government and electronic public services, development of online training courses, e-healthcare, various electronic registries, electronic financial services
  • Para 1 3 - The transboundary environment of trust includes the following segments: Centralized, Self-regulating.
  • Para 2 1(1) - “Participants in the transboundary environment of trust” means public authorities, the Coordinating Council, trust service operators, distributed databases operators, and individuals and organizations;
  • Para 2 1(6) - “Trust services” mean services which confirm the Veracity and genuineness of electronic documents and/or their details, including but not limited to services related to the creation and use of electronic signatures, electronic seals, electronic timestamps, electronic delivery and authentication of websites.
  • Para 2 1(10) - “Trust service operator” means an individual or a legal entity which complies with the requirements established by the Coordinating Council, holds a confirmation of compliance obtained through a procedure established by the Coordinating Council, and provides trust services within the centralized segment of the transboundary environment of trust;
  • Para 2 1(12) - “User” means a public authority, an individual, or an organization which is a sender or a receiver of electronic messages and/or electronic documents, including those sent through the services provided within the self-regulatory segment of the transboundary environment of trust
  • Para 2 1 (19) - “A qualified website authentication certificate” means an electronic confirmation that allows website authentication linking websites to a physical person or legal entity to which this confirmation was issued by the trust service operator which passed the conformity procedure pursuant to article 8, paragraph 6, of this [draft instrument], and which complies with the requirements of the Coordinating Council
  • Para 2 1 (30) - “Member” (of Coordinating Council) means a legal entity (i) possessing the legal power and authority in the context of the related national law for executing the legal recognition of identity management and trust services, and (ii) having formally recognized all provisions of this [draft instrument].
  • Para 9 1 - Only the trust service operators that have passed an independent audit of compliance shall have the right to provide trust services.
  • Para 9 2 - The bodies or institutions authorized in accordance with the procedure established by the Coordinating Council may carry out the compliance auditing.
  • Para 9 3 - The trust service operators provide civil Liability insurance in accordance with the requirements established by the Coordinating Council.
  • Para 14 - Users are required to make their own provisions for compliance of the software and hardware used in the transboundary electronic interaction with the requirements of the trust service operators. (pure evil - this will enable the relying party to blame the user for all security lapses)
  • Para 19 1 - contents of cert (this seems to be single level - no concept of chain of trust)
  1. purpose is clear - to authn the web site
  2. trust service operator (aka the issuer)
  3. subject identifier (aka the web site authority)
  4. official address (not at all clear if it needs to be validated)
  5. domain name (this should be the URN rather than the URL - the spec is unclear)
  6. start & end datetime
  7. id of cert
  8. signature (including kid - which is thereby bound to the issuer and the site authority)
  9. validation URL (like ocsp, or the federation validation URL)
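
A relying-party check over the nine certificate items listed under Para 19 1, added here as an example (not code from the draft instrument or from this wiki). The field names, the purpose value, the trust list and the sample certificate are constructed; HMAC-SHA256 stands in for the operator's unspecified signature scheme, and the domain name is compared as a plain host name because the draft leaves URN versus URL open.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# The nine items of Para 19 1; the key names are this example's assumption.
FIELDS = ("purpose", "issuer", "subject", "official_address", "domain_name",
          "not_before", "not_after", "cert_id", "validation_url")
# Constructed trust list of compliant operators: issuer -> {kid: key}.
OPERATORS = {"operator.example": {"k1": b"constructed-demo-key"}}

def _mac(cert, key):
    # HMAC stand-in for the signature; covers every field plus the kid,
    # which binds the kid to the issuer and the site authority.
    body = {f: cert[f] for f in FIELDS}
    body["kid"] = cert["signature"]["kid"]
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sign(fields, kid, key):
    cert = dict(fields, signature={"kid": kid})
    cert["signature"]["value"] = _mac(cert, key)
    return cert

def check(cert, host, now):
    """Return the list of failed checks; an empty list means accepted."""
    missing = [f for f in FIELDS + ("signature",) if f not in cert]
    if missing:
        return ["missing " + ",".join(missing)]
    failed, sig = [], cert["signature"]
    if cert["purpose"] != "website-authentication":
        failed.append("purpose")
    # Single level: the issuer itself must be on the list, no chain is built.
    key = OPERATORS.get(cert["issuer"], {}).get(sig.get("kid"))
    if key is None:
        failed.append("issuer/kid not trusted")
    elif not hmac.compare_digest(_mac(cert, key), sig.get("value", "")):
        failed.append("signature")
    start, end = (datetime.fromisoformat(cert[f]) for f in ("not_before", "not_after"))
    if not start <= now <= end:
        failed.append("validity period")
    if cert["domain_name"] != host.lower().rstrip("."):
        failed.append("domain name")
    return failed  # validation_url (status lookup) is not queried offline

SAMPLE = sign({  # constructed sample certificate
    "purpose": "website-authentication", "issuer": "operator.example",
    "subject": "Example Org", "official_address": "1 Constructed Street",
    "domain_name": "shop.example", "cert_id": "constructed-0001",
    "not_before": "2024-01-01T00:00:00+00:00", "not_after": "2025-01-01T00:00:00+00:00",
    "validation_url": "https://operator.example/status"},
    "k1", OPERATORS["operator.example"]["k1"])
print(check(SAMPLE, "shop.example", datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

Because the trust list is consulted directly for the issuer, removing an operator from it is the only revocation path this offline check has; the validation URL in item 9 would supply per-certificate status.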

Reference