User Agent Assurance
Full Title or Meme
This is an abstract concept that covers any combination of software and hardware that can be assured to faithfully represent any part of a user's presence or intentions on the web.
Context
- This extends a prior effort to specify a means to report Software Compliance Attestation for Native Apps for US Healthcare to Web Apps and devices like FIDO2.
- There are two relevant standards, both of which are up for review on 2021-01-01:
  - ISO/IEC 29115 Entity Authentication Assurance
  - NIST SP 800-63-3B
Solutions
The following is just the current thinking about how to accommodate the known variants of User Agent.
Native Apps
- This certifies that the named app has been certified according to all listed trust-registries.
- This cert is tied to one particular software version.
{
  "id": 1,
  "name": "us.trustworthy.agent",
  "version": "1",
  "platform": "Android",
  "min_platform": "23",
  "source": null,
  "jurisdiction": "us-wa",
  "user_authn": null,
  "dateRegistered": 1576358115,
  "url": "https://trustregistry.us/csp",
  "trust_registry": "US Healthcare Assurance Framework"
}
Web Apps
- This MAAS gives "Fred's software shop" the certification and binding to a signing key based on the rules of all listed trust registries.
- The developer certifies that code loaded from this site is conformant to the acceptance criteria.
{
  "id": 1,
  "name": "us.trustworthy.agent",
  "version": "1",
  "platform": "ServiceWorker",
  "min_platform": null,
  "source": {
    "developer": "Fred's software shop",
    "key": "...key..."
  },
  "jurisdiction": "us-wa",
  "user_authn": null,
  "dateRegistered": 1576358115,
  "url": "https://trustregistry.us/csp",
  "trust_registry": "US Healthcare Assurance Framework"
}
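A relying party could check whether one of the statements above covers the agent in front of it along the following lines. This is an added example, not code from the original page or from any trust registry. Assumptions: the `agent` descriptor fields (`platformLevel`, `signingKey`) and the function name `checkStatement` are hypothetical, `min_platform` is read as a minimum numeric platform level, and `"...key..."` is the page's own placeholder.

```javascript
// Statements as given on the page (the key value is the page's placeholder).
const nativeStatement = {
  id: 1, name: "us.trustworthy.agent", version: "1", platform: "Android",
  min_platform: "23", source: null, jurisdiction: "us-wa", user_authn: null,
  dateRegistered: 1576358115, url: "https://trustregistry.us/csp",
  trust_registry: "US Healthcare Assurance Framework",
};
const webStatement = {
  ...nativeStatement, platform: "ServiceWorker", min_platform: null,
  source: { developer: "Fred's software shop", key: "...key..." },
};

// Returns the reasons a statement does NOT cover the presented agent.
// An empty array means the statement applies. `agent` is a hypothetical
// descriptor: { name, version, platform, platformLevel?, signingKey? }.
function checkStatement(stmt, agent, acceptedRegistries) {
  const problems = [];
  if (!acceptedRegistries.includes(stmt.trust_registry)) {
    problems.push("registry not accepted");
  }
  if (stmt.name !== agent.name) problems.push("name mismatch");
  // The statement is tied to one particular software version: compare exactly.
  if (stmt.version !== agent.version) problems.push("version mismatch");
  if (stmt.platform !== agent.platform) problems.push("platform mismatch");
  // Assumption: min_platform is a minimum numeric platform level.
  if (stmt.min_platform !== null) {
    const min = Number(stmt.min_platform);
    const level = agent.platformLevel;
    if (!Number.isInteger(min) || !Number.isInteger(level) || level < min) {
      problems.push("platform level below minimum");
    }
  }
  // Web app statements bind loaded code to a developer and a signing key.
  if (stmt.platform === "ServiceWorker") {
    const s = stmt.source;
    if (!s || typeof s.developer !== "string" || typeof s.key !== "string" || !s.key) {
      problems.push("missing developer binding");
    } else if (s.key !== agent.signingKey) {
      problems.push("signing key mismatch");
    }
  }
  return problems;
}
```

Returning every failed condition, instead of stopping at the first, lets the relying party log exactly why an agent was refused.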
Browser as User Agent
In general, browser trust is built by the company that provides it. The user is responsible for picking the browser that is most likely to meet their needs.
FIDO Authenticators
The user selects the authenticator. Each authenticator needs an assurance statement.
References
- Device Integrity supporting User Authentication Use case from 2013