Difference between revisions of "Trusted Identifier"
From MgmtWiki
(→Context) |
(→Context) |
||
| Line 9: | Line 9: | ||
*Legal entities, like corporations, are not permitted to hide their real world [[Identity]] although many jump though many legal loopholes to try to distance themselves from discovery. | *Legal entities, like corporations, are not permitted to hide their real world [[Identity]] although many jump though many legal loopholes to try to distance themselves from discovery. | ||
*A [https://tools.ietf.org/html/rfc7591#section-2.3 software statement] is a [https://tools.ietf.org/html/rfc7519 JSON Web Token (JWT)] that asserts metadata values about the client software as a bundle. It is also defined in the [https://openbanking.atlassian.net/wiki/spaces/DZ/pages/36667724/The+OpenBanking+OpenID+Dynamic+Client+Registration+Specification+-+v1.0.0-rc2#TheOpenBankingOpenIDDynamicClientRegistrationSpecification-v1.0.0-rc2-SoftwareStatementAssertion(SSA) UK Open banking standards.] Whatever it might have been designed to accomplish, it has been used to identifier the owner of a [[Web Site]] endpoint. It will typically include some sort of GUID for the specific instance, but that is often incidental to its real use as a [[Web Platform Identifier]]. | *A [https://tools.ietf.org/html/rfc7591#section-2.3 software statement] is a [https://tools.ietf.org/html/rfc7519 JSON Web Token (JWT)] that asserts metadata values about the client software as a bundle. It is also defined in the [https://openbanking.atlassian.net/wiki/spaces/DZ/pages/36667724/The+OpenBanking+OpenID+Dynamic+Client+Registration+Specification+-+v1.0.0-rc2#TheOpenBankingOpenIDDynamicClientRegistrationSpecification-v1.0.0-rc2-SoftwareStatementAssertion(SSA) UK Open banking standards.] Whatever it might have been designed to accomplish, it has been used to identifier the owner of a [[Web Site]] endpoint. It will typically include some sort of GUID for the specific instance, but that is often incidental to its real use as a [[Web Platform Identifier]]. | ||
| + | * While [[Trusted Identifier]]s were the focus of [https://www.nist.gov/itl/applied-cybersecurity/tig NIST Trusted Identity]] and the IDESG, the term have fallen out of favor since [[NSTIC]] fell out of favor with the change in administrations. | ||
===The Goal=== | ===The Goal=== | ||
Revision as of 15:06, 5 September 2021
Full Title or Meme
A Trusted Identifier is deployed by Entities that wish to have Identifiers on the internet related to the real-world Identity that enable Recovery in the case of loss of access.
Context
- It is common by 2020 for all web sites to have a TLS (SSL) certificate so that they can establish a trusted connection between the User Agent (typical the local browser) and the web site. This trusted connection prevents tampering or eavesdropping on the connection which solves some of the security and privacy issues on the open web. This wiki page looks at the issues associated with the users' trust of the web site that is needed before sharing User Private Information with the site.
- Individuals have Identifiers that must be associated with the real world person even if access to that Identifier is lost for any reason. Health care is one good requirement for a high assurance Health Care Digital Identity.
- Individuals have rights to Privacy that do not apply to enterprises and so are treated on other wiki pages. This wiki page focus on user's need to understand the identity and reputation of the web site that is asking for access to their information.
- Other wiki pages focus on digital endpoints that are called Web Platform Identifier or Trusted Locations. This page is focused on the link from the digital entity to the real-world entity that the user can trust.
- Legal entities, like corporations, are not permitted to hide their real world Identity although many jump though many legal loopholes to try to distance themselves from discovery.
- A software statement is a JSON Web Token (JWT) that asserts metadata values about the client software as a bundle. It is also defined in the UK Open banking standards. Whatever it might have been designed to accomplish, it has been used to identifier the owner of a Web Site endpoint. It will typically include some sort of GUID for the specific instance, but that is often incidental to its real use as a Web Platform Identifier.
- While Trusted Identifiers were the focus of NIST Trusted Identity] and the IDESG, the term have fallen out of favor since NSTIC fell out of favor with the change in administrations.
The Goal
is to give the user an identifier that can be used to link that web platform to a real-world entity that has consistently shown good behavior in the past.
Problems
- See the wiki page on Trusted Location for a list of the ways that a URL can be spoof to see why it is a bad idea to expect users to get a Trusted Identifier from the web site's URL.
- EV Certs were introduced to give user's good knowledge of who was behind a web site. They didn't work out as planned as shown on the EV Cert wiki page.
Solutions
- As a part of having a Trusted Identity in Cyberspace a series of Framework Profiles have been created to allow digital Entities to give users a statement about the policies that they support.
- Every real world Entity, be it a legal Entity or a legal name, like a Brand will have one place on the web for making an Identity statement.
- That Identity statement MUST be accessed by a URL at a well-known location in a relevant domain.
- That Identity statement MAY be accessed at multiple locations that are locale specific for language or other purposes.
- That Entity will have a standard URN of the form TID:framework:LUID, where the framework will represent a set of rules that the Entity agrees to follow in all of its online transactions.
- For example, in the US health care framework, TID:USHHS:CMS:3KW0-JW2-MY06 could represent an entity in the US under Medicare.
Contents of site at the URL for the Trusted Identifier will be available in machine and human readable form.
| N0, | Name | Typical use | User Experience |
| 1 | Identifier | URN | TID:framework:LUID |
| 2 | List of required user attributes | always needed | proof of presence (for example) |
| 3 | List of requested user attributes | above and beyond the above | passport, drivers license |
| 4 | Privacy policy | URL | DOI or URN |
| 5 | Terns of use | URL | DOI or URN |
| 6 | Legal Name | string(locale) | Company name registered with state |
| 7 | Legal Address | structure(locale) | street, city, country |
| 8 | Contact information | structure(locale) | mailto: phone fax, etc. |
| 9 | Signature Type | fixed list | RSA2048 (for example) |
| 10 | Signature | hex value | 134bbead23d908e0a3221bc |
It may be that some of these terms (like list of attributes) are better listed on the Trusted Location.
References
- The wiki page Trusted Location describes a solution to the problem on not knowing the trustworthiness or intent of a web page that is displayed on a user's browser window.
- Existing .well-known additions to URLs can be seen, for example, .well-known/tid could be a possible use for getting the Trusted Identifier statement as an HTTP URL. Normally it would use the TID:... as the URL.
- A Verified Claim can carry some of the same information that might be found in an Identifier Statement.
