Attestation: Difference between revisions

From IDESG Wiki
Line 9: Line 9:
*Framework - in this wiki a trust framework that provides principles.
*Framework - in this wiki a trust framework that provides principles.
*Profile - details on the application of the framework to a specific vertical or horizontal group of entities.
*Profile - details on the application of the framework to a specific vertical or horizontal group of entities.
*Service - a web site or collection of sites that offers services to entities, both digital and real-world
*Service - a web site or collection of sites or endpoints that offers services to entities, both digital and real-world
*Endpoint - a single address providing a specified set of services
*Endpoint - a single address providing a specified set of services
*Application - a collection of software that provides a service to entities, both digital and real-world
*Application - a collection of software that provides a service to entities, both digital and real-world
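Review bot: the revised Service entry now reads "a web site or collection of sites or endpoints", but Endpoint is defined on the following line as "a single address providing a specified set of services", so the entry does not say whether a service can consist of a single endpoint or how a site differs from an endpoint. Suggest wording such as "one or more sites or endpoints" if that is the intent. The Service, Endpoint and Application entries also lack the terminal period that the Framework and Profile entries have.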

Revision as of 20:26, 21 May 2019

Full Title

Attestation is a certified form of access checking or labeling that gives users or services the information needed to ascertain the trustworthiness of an entity.

Context

Goals

Components

This is a taxonomy of the components that might be attested, ordered by increasing level of specificity.

  • Framework - in this wiki a trust framework that provides principles.
  • Profile - details on the application of the framework to a specific vertical or horizontal group of entities.
  • Service - a web site or collection of sites or endpoints that offers services to entities, both digital and real-world.
  • Endpoint - a single address providing a specified set of services.
  • Application - a collection of software that provides a service to entities, both digital and real-world.
  • Device - a specific type of computing hardware with specific features specified in the framework.
  • Instance - an identified application on an identified device or endpoint.

Problems

It is far too easy for a web site to make a set of claims or mimic a well-known brand to trick a user into performing actions that are against their intentions or best interests.

Solutions

The best attestations are performed by a Trusted Third Party that is known to a community of users. This will involve at least a framework profile and a service. As the service branches out to increasing levels of security and privacy, it is likely that more levels of specificity, as outlined above, will be desirable.

Self Attestation

All attestation regimes start with a list of "features" that must be supported in order to gain the right to display an attestation mark.

Audited Attestation

Example Device-App

Most mobile devices, like smartphones, have a strict policy of attestation before they will allow apps to be offered for download on their app stores. It is always possible to find other ways to load apps on a smartphone, but it is deliberately difficult so that ordinary users will not bother with loading any app that is not attested by the O/S vendor, Android and Apple for smartphones. The Framework that each uses is unique to the O/S vendor, but the underlying framework for the web is coordinated by a common underlying platform that nearly all now support.

Example Authentication

The OpenID Foundation has a framework for authentication called OpenID Connect; they also work with industry teams to create specific profiles for industries, like the Financial Grade API profile. Th

References