Tuesday, October 21, 2008

The other assurance

The default SAML SSO model has a Relying Party (RP) trusting a possibly unknown User because the Identity Provider (IDP), which the RP does know and trust, says 'He is OK'.

The hard-line user-centric model has an RP trusting a possibly unknown OpenID Provider (OP) because the User, whom the RP may know and trust, says 'He is OK'.

Of course, it is meaningless to say 'trust' without adding 'to do X', i.e. trusting someone means believing they will act in a certain way in a certain situation.

A SAML RP trusts the IDP to identity-proof the User initially, to run a tight ship with respect to its internal processes, and to authenticate the User in an appropriate manner. Importantly, there are mechanisms and syntax (authentication context classes and assurance levels) by which the IDP's abilities in these respects can be quantified, in order to allow RPs to make graded trust decisions about the IDP (and consequently about the Users).
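As an added illustration of that graded decision (example code, not part of the original post and not any vendor's implementation): an RP reads the AuthnContextClassRef the IDP placed in the assertion, maps it onto an assurance level using the RP's own policy table, and compares that with the level the requested resource demands. The class URIs are the standard SAML 2.0 authentication-context classes; the numeric ranking assigned to each is this example's assumption, as is the sample assertion, which is constructed and unsigned. In a real RP the assertion's signature, issuer, audience and validity window are verified before any of this runs.

```python
"""Graded trust from a SAML AuthnContextClassRef (added example).

The RP's policy table below is an assumption of this example: SAML only
defines the class URIs; how much each one is worth is up to the RP.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# RP policy (assumed): rank each way the IDP says it authenticated the User.
# Higher is stronger. Anything not listed is treated as the weakest.
ASSURANCE_BY_CLASS = {
    AC + "unspecified": 0,
    AC + "InternetProtocol": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 1,
    AC + "Kerberos": 2,
    AC + "TLSClient": 3,
    AC + "X509": 3,
    AC + "Smartcard": 3,
    AC + "SmartcardPKI": 4,
}


def authn_context_class(assertion_xml: str) -> str:
    """Return the AuthnContextClassRef the IDP asserted.

    Precondition (not done here): the assertion's XML signature, Issuer,
    AudienceRestriction and Conditions have already been checked, and
    untrusted XML is parsed with a hardened parser such as defusedxml.
    """
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    if ref is None or not (ref.text or "").strip():
        raise ValueError("assertion carries no AuthnContextClassRef")
    return ref.text.strip()


def assurance_level(assertion_xml: str, policy=ASSURANCE_BY_CLASS) -> int:
    """Map the asserted class onto the RP's assurance ranking."""
    cls = authn_context_class(assertion_xml)
    # An unknown or newly minted class must never pass as "good enough".
    return policy.get(cls, 0)


def rp_accepts(assertion_xml: str, required_level: int,
               policy=ASSURANCE_BY_CLASS) -> bool:
    """The graded trust decision: does the IDP's claim meet the resource's bar?"""
    return assurance_level(assertion_xml, policy) >= required_level


def sample_assertion(class_ref: str) -> str:
    """Constructed, unsigned, minimal assertion for illustration only."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2008-10-21T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2008-10-21T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    pw = sample_assertion(AC + "PasswordProtectedTransport")
    pki = sample_assertion(AC + "SmartcardPKI")
    for name, a in (("password over TLS", pw), ("smartcard PKI", pki)):
        print(f"{name}: level {assurance_level(a)}, "
              f"ok for level-3 resource: {rp_accepts(a, 3)}")
```

The point of keeping the policy table in the RP is that the IDP can only describe what it did; whether a password over TLS is enough for a given resource is the RP's call, which is exactly the graded decision the text describes.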

In the hard-line user-centric model, the burden of assessing the OP's security processes would seem to fall on the User, i.e. it is the User who will vouch for the OP to the RP by saying the equivalent of 'I've checked out their server farm, we're good to go'.

Unfortunately, there does not yet exist a framework by which the skills and expertise of different typical Users at performing security reviews could be quantified and assessed, in order to allow RPs to make an informed trust decision about the User (and consequently about a hitherto unknown OP).

Here is a rough first draft of such an assurance framework:

  • Level 0 - the User has absolutely no expertise in assessing the security processes of IDPs
  • Level 1 - there is no Level 1
  • Level 2 - there is no Level 2
  • Level 3 - see Level 2

Were an RP armed with this information, the hard-line model would be viable.

I imagine a browser extension advertising a User's assurance level to the RPs they visit, so as to inform the RP's decision to trust that User's expertise in reviewing the OP they present. There could even be certification programs run at local high schools, etc. Perhaps even badges?
