Trusted Location

From MgmtWiki
Revision as of 15:23, 4 December 2018 by Tom (Solutions)

Full Title or Meme

A Trusted Location is one that will display a well-known tag showing who they are and what they intend.

Context

Problems

  • A spoofed URL describes one website that poses as another website. It sometimes applies a mechanism that exploits bugs in web browser technology, allowing a malicious computer attack. During such an attack, a computer user innocently visits a web site and sees a familiar URL in the address bar such as http://www.wikipedia.org but is, in reality, sending information to an entirely different location that would typically be monitored by an information thief.
  • A common attack is to replace one character with a similar character, say a 1 (one) for an l (ell) or a Turkish e for a Latin e. Most users will not be able to recognize the changes and will assume the site is one that is familiar to them.
  • The following site attempts to train users how to spot fraudulent sites and lists many of the ways that a user can be fooled into believing a site is valid when it is not. The problem here is that the description is long and the instructions highly technical. This is another example of blaming the user for their inability to spot fraud when the problem is the very complexity of the web and the endlessly inventive ways that it can be misused.
  • The current trust system for SSL certificates is not as good as it may seem. Google has discovered several problems with the trust hierarchy. In the paper "How a 2011 Hack You've Never Heard of Changed the Internet's Infrastructure" they describe the first breach, although others have been discovered since.

Solutions

  1. Every Web Site will have one place on that site for making an Identity statement.
  2. That Identity statement MUST be accessed by a URL at a well-known location under the hostname.
  3. That Identity statement MAY be accessed at multiple locations that are locale specific for language or other purposes.
  4. That Web Site will be part of one or more frameworks that represent a set of rules that the Web Site agrees to follow in all of its online transactions.

The contents of the site at the URL for the Trusted Identifier will be available in machine-readable and human-readable form.

| No. | Name | Typical use | User Experience |
|-----|------|-------------|-----------------|
| 1 | Identifier | URN | TID:framework:LUID |
| 2 | List of required user attributes | always needed | proof of presence (for example) |
| 3 | List of requested user attributes | above and beyond the above | passport, drivers license |
| 4 | Privacy policy | URL | DOI or URN |
| 5 | Terms of use | URL | DOI or URN |
| 6 | Identifier | URN | TID:framework:LUID |
| 7 | | | |
| 8 | Contact information | structure(locale) | mailto: phone fax, etc. |
| 9 | Signature Type | fixed list | RSA2048 (for example) |
| 10 | Signature | hex value | 134bbead23d908e0a3221bc |

It may be that some of these terms (like the list of attributes) are better listed on the Trusted Identifier page.
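A structural check of the machine-readable statement described above, as an added example (not code from MgmtWiki or from any Trusted Location implementation). The key names, the set of accepted frameworks, the requirement that URLs use https, and a type list containing only RSA2048 are assumptions; the page defines none of them.

```python
import re
from urllib.parse import urlsplit

# Assumed key names, derived from the "Name" column of the page's table.
REQUIRED_KEYS = ("identifier", "required_attributes", "requested_attributes", "privacy_policy",
                 "terms_of_use", "contact", "signature_type", "signature")
# Fixed list of signature types -> signature length in bytes (only RSA2048 is on the page).
SIGNATURE_TYPES = {"RSA2048": 256}
TID_RE = re.compile(r"^TID:([A-Za-z0-9._-]+):([A-Za-z0-9._-]+)$")
SAMPLE = {  # constructed sample statement, not taken from the page
    "identifier": "TID:example-framework:12345",
    "required_attributes": ["proof of presence"],
    "requested_attributes": ["passport", "drivers license"],
    "privacy_policy": "https://www.example.org/privacy",
    "terms_of_use": "doi:10.0000/example",
    "contact": {"en": "mailto:admin@example.org"},
    "signature_type": "RSA2048", "signature": "ab" * 256,
}

def _is_reference(value):
    """Privacy policy / terms of use: URL (https assumed), DOI or URN."""
    text = str(value)
    if text.lower().startswith(("doi:", "urn:")):
        return len(text) > 4
    parts = urlsplit(text)
    return parts.scheme == "https" and bool(parts.hostname)

def validate_statement(stmt, accepted_frameworks):
    """Return a list of problems; an empty list means structurally valid."""
    problems = [f"missing field: {k}" for k in REQUIRED_KEYS if k not in stmt]
    if problems:
        return problems
    m = TID_RE.match(str(stmt["identifier"]))
    if not m:
        problems.append("identifier is not TID:framework:LUID")
    elif m.group(1) not in accepted_frameworks:
        problems.append(f"framework not accepted: {m.group(1)}")
    for key in ("required_attributes", "requested_attributes"):
        if not (isinstance(stmt[key], list) and all(isinstance(a, str) for a in stmt[key])):
            problems.append(f"{key} must be a list of attribute names")
    for key in ("privacy_policy", "terms_of_use"):
        if not _is_reference(stmt[key]):
            problems.append(f"{key} must be an https URL, DOI or URN")
    sig_len = SIGNATURE_TYPES.get(str(stmt["signature_type"]))
    if sig_len is None:
        problems.append("signature_type not in the fixed list")
    elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % (sig_len * 2), str(stmt["signature"])):
        problems.append(f"signature must be {sig_len * 2} hex characters")
    return problems
```

The check is structural only: the page does not say which bytes the signature covers or where the verification key comes from, so cryptographic verification is left out.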

References

  • The wiki page on Cookies provides some alternate solutions.
  • The wiki page on Trusted Identifier can be used to bind a URL with a Trusted Location to a real-world Entity.