User Agent Assurance: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
No edit summary
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Full Title or Meme==
==Full Title or Meme==
This is an abstract concept that covers any combination of software and hardware that can be assured to faithfully represent any part of a user's presence on the web.
This is an abstract concept that covers any combination of software and hardware that can be assured to faithfully represent any part of a user's presence or intentions on the web.


==Context==
==Context==
* This extends a prior effort to specify a means to report [[Software Compliance Attestation]] for [[Native Apps for US Healthcare]] to Web Apps and devices like FIDO2.
* This extends a prior effort to specify a means to report [[Software Compliance Attestation]] for [[Native Apps for US Healthcare]] to Web Apps and devices like FIDO2.
* There are two relevant standards, both of which are up for review on 2021-0-01
* There are two relevant standards, both of which are up for review on 2021-01-01
** [[ISO/IEC 29115 Entity Authentication Assurance]]
** [[ISO/IEC 29115 Entity Authentication Assurance]]
** Nist SP 800-63-3B
** Nist SP 800-63-3B
==Solutions==
The following are just the current thinking about how to accommodate the known variants of User Agent.
===Native Apps===
* This certifies that the named app has been certified according to all listed trust-registries.
* This cert is tied to one particular software version.
  {
    "id": 1,
    "name": "us.trustworthy.agent",
    "version": "1",
    "platform": "Android",
    "min_platform": "23",
    "source": null,
    "jurisdiction": "us-wa",
    "user_authn": null,
    "dateRegistered": 1576358115,
    "url": "https://trustregistry.us/csp",
    "trust_registry": "US Healthcare Assurance Framework"
  },
===Web Apps===
* This MAAS gives "Fred's software shop' the certification and binding to a signing key based on the rules of all listed trust registries.
* The developer certifies that code loaded from this site is conformant to the acceptance criteria.
  {
    "id": 1,
    "name": "us.trustworthy.agent",
    "version": "1",
    "platform": "ServiceWorker",
    "min_platform":null,
    "source":
        {
        "developer":"Fred's software shop',
          "key": "...key..."
        }
    "jurisdiction": "us-wa",
    "user_authn": null,
    "dateRegistered": 1576358115,
    "url": "https://trustregistry.us/csp",
    "trust_registry": "US Healthcare Assurance Framework"
  },
===Browser as User Agent===
In general browser trust is built by the company that provides it. The user is responsible for picking the browsers that is most likely to meet their needs.
===FIDO Authenticators===
The user selects the authenticator. Each authenticator needs an assurance statement.


==References==
==References==
Line 12: Line 58:


[[Category: Assurance]]
[[Category: Assurance]]
[[Category: Profile]]

Latest revision as of 22:05, 14 January 2021

Full Title or Meme

This is an abstract concept that covers any combination of software and hardware that can be assured to faithfully represent any part of a user's presence or intentions on the web.

Context

Solutions

The following are just the current thinking about how to accommodate the known variants of User Agent.

Native Apps

  • This certifies that the named app has been certified according to all listed trust-registries.
  • This cert is tied to one particular software version.
 {
   "id": 1,
   "name": "us.trustworthy.agent",
   "version": "1",
   "platform": "Android",
   "min_platform": "23",
   "source": null,
   "jurisdiction": "us-wa",
   "user_authn": null,
   "dateRegistered": 1576358115,
   "url": "https://trustregistry.us/csp",
   "trust_registry": "US Healthcare Assurance Framework"
 },

Web Apps

  • This MAAS gives "Fred's software shop' the certification and binding to a signing key based on the rules of all listed trust registries.
  • The developer certifies that code loaded from this site is conformant to the acceptance criteria.
 {
   "id": 1,
   "name": "us.trustworthy.agent",
   "version": "1",
   "platform": "ServiceWorker",
   "min_platform":null,
   "source": 
       {
        "developer":"Fred's software shop',
         "key": "...key..."
        }
   "jurisdiction": "us-wa",
   "user_authn": null,
   "dateRegistered": 1576358115,
   "url": "https://trustregistry.us/csp",
   "trust_registry": "US Healthcare Assurance Framework"
 },

Browser as User Agent

In general browser trust is built by the company that provides it. The user is responsible for picking the browsers that is most likely to meet their needs.


FIDO Authenticators

The user selects the authenticator. Each authenticator needs an assurance statement.

References