Difference between revisions of "Trust Service"
From MgmtWiki
(→German Proposal for Identity and Trust Services) |
(→German Proposal for Identity and Trust Services) |
||
| Line 37: | Line 37: | ||
# start & end datetime | # start & end datetime | ||
# id of cert | # id of cert | ||
| − | # signature | + | # signature (including kid - which is bound to the issuer and the site authority) |
# validation URL (like ocsp, or the federation validation URL) | # validation URL (like ocsp, or the federation validation URL) | ||
Revision as of 10:11, 16 November 2018
Contents
Full Title or Meme
Any Web Site that reports on the depth of support that other sites or documents have for the principles of the Framework Profiles that they claim to support.
Context
- Any Web Site that wishes to acquire User Information should first present Assurance as to their trustworthiness to the User.
Problem
- There are few functional trust services today, for example:
- DOI
- DNSSEC
Solution
Compare with other solutions like:
- Attempts to make a trusted connection from a user to Web Site have included EV Certs and other attempt to over come the failings inherent in trusting any connection based on the URL have all failed. See the page Bearer Tokens Considered Harmful for details.
- Create a Trusted Identifier as a URN for web sites and then bind the token to that URN.
German Proposal for Identity and Trust Services
- Draft Instrument on Cross-Border Legal Recognition of Identity Management and Trust Services — Proposal by Germany (2018-11)
- There was a lot of irrelevant stuff from a technological standpoint, including an attempt to include block chain. The following seems to map to the technology:
- Extract from Pramble:
Assuming that uniform rules shall be based on respect for the freedom of parties to choose appropriate media, technologies, identification and trust services, taking into account the principles of technological neutrality and functional equivalence, to the extent in which the means selected by the parties are relevant to the purpose of the existing law; Recognizing the opportunity and feasibility of both centralized and decentralized systems of trust, and their utilization to accelerate progress and digital economy, including the trusted implementation of e-commerce and transport, electronic dispute settlement, creation of e-government and electronic public services, development of online training courses, e-healthcare, various electronic registries, electronic financial services
- Para 1 3 - The transboundary environment of trust includes the following segments: Centralized, Self-regulating.
- Para 2 1(1) - “Participants in the transboundary environment of trust” means public authorities, the Coordinating Council, trust service operators, distributed databases operators, and individuals and organizations;
- Para 2 1(6) - “Trust services” mean services which confirm the veracity and genuineness of electronic documents and/or their details, including but not limited to services related to the creation and use of electronic signatures, electronic seals, electronic timestamps, electronic delivery and authentication of websites.
- Para 2 1(10) - “Trust service operator” means an individual or a legal entity which complies with the requirements established by the Coordinating Council, holds a confirmation of compliance obtained through a procedure established by the Coordinating Council, and provides trust services within the centralized segment of the transboundary environment of trust;
- Para 2 1(12) - “User” means a public authority, an individual, or an organization which is a sender or a receiver of electronic messages and/or electronic documents, including those sent through the services provided within the self-regulatory segment of the transboundary environment of trust
- Para 2 1 (19) - “A qualified website authentication certificate” means an electronic confirmation that allows website authentication linking websites to a physical person or legal entity to which this confirmation was issued by the trust service operator which passed the conformity procedure pursuant to article 8, paragraph 6, of this [draft instrument], and which complies with the requirements of the Coordinating Council
- Para 2 1 (30) - “Member” (of Coordinating Council) means a legal entity (i) possessing the legal power and authority in the context of the related national law for executing the legal recognition of identity management and trust services, and (ii) having formally recognized all provisions of this [draft instrument].
- Para 9 1 - Only the trust service operators that have passed an independent audit of compliance shall have the right to provide trust services.
- Para 9 2 - The bodies or institutions authorized in accordance with the procedure established by the Coordinating Council may carry out the compliance auditing.
- Para 9 3 - The trust service operators provide civil liability insurance in accordance with the requirements established by the Coordinating Council.
- Para 14 - Users are required to make their own provisions for compliance of the software and hardware used in the transboundary electronic interaction with the requirements of the trust service operators.
- Para 19 1 - contents of cert
- purpose is clear - to authn the web site
- trust service operator
- subject identifier
- official address (not at all clear if it needs to be validated)
- domain name (this should be the URN rather than the URL - the spec is unclear)
- start & end datetime
- id of cert
- signature (including kid - which is bound to the issuer and the site authority)
- validation URL (like ocsp, or the federation validation URL)
