Thursday, September 20, 2007

What I did, and how I did it

For an SP accepting an IdP's assertion that some user has authenticated, the 'what & how' will often matter. All else being equal, an assertion issued after the user authenticated with an OTP is 'better' that one resulting from presentation of a password, better in the degree of confidence that the SP can ascribe to it.

Frameworks that enable the SP & the IDP to have the discussion of the 'what & how' (whether that discussion happens in a board room with the suits or 'on the wire') can be categorized as:
  1. those that simply provide a syntax for describing technologies & processes that impact assurance, (e.g. SAML 2.0 Authentication Context)
  2. those that define buckets into which combinations of technologies & processes can be placed, (e.g. SAML 2.0 AC classes)
  3. those that define buckets into which combinations of technologies & processes can be placed, distinguished by the security characteristics they can provide (e.g OpenID PAPE)
  4. those that define buckets into which combinations of technologies & processes can be placed, distinguished by the level of assurance they can provide (e.g NIST 800-63 combined with OMB 04-04
I'd argue that 1) is the most powerful/flexible, 4) is the simplest.

4 comments:

Eric Norman said...

I think the "what and how" that relying parties care most about is what happened during he registration / enrollment / identity proofing process, not how that is communicated to the relying party and not how "authentication" was performed during this transaction. In legal terms, will the identity provider assume liability if the testimony they provide turns out to be false?

NIST SP 800-63 has a lot to say about this. And I think that's what really distingishes the various levels of assurance, not the technology. So I would say that 4 is the most important, and also the most difficult, at least for higher levels of assurance.

George Fletcher said...

In addition, "what & how" is only useful if the RP can trust the IdP to be "truthful".

This of course is not a problem in most SAML deployments because the COTs are based on business agreements with "liability clauses" (as Eric mentions).

It is a bigger problem with "open" networks where there is no agreement or liability arrangement. In this case the RP assumes the risk of the transaction.

Eric Norman said...

Increasing confidence that an IdP is truthful about its practices is why independent audits are done, right?

George Fletcher said...

True, but that "independent audit" needs to be communicated at the protocol layer in a way that can be trusted by the RP in order for the "independent audit" to do it's job.

At this point, there is no way for the RP to dynamically check the "truthfulness" of an IdP.