End to End Trust Forum

Imagine a more trusted, privacy enhanced Internet experience where devices and software enable people to make more effective choices and take control over who, and what, to trust online. Join the dialogue here, where we collectively discuss what a more trusted Internet will look like and how we can achieve this vision of End to End Trust. For more information on End to End Trust and our forum guidelines, please read the welcome announcement below.

© 2009 Microsoft Corporation. All rights reserved.
Mon, 23 Nov 2009 05:09:34 Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/0bfbadfb-c68c-4955-8282-5f73188f606d
Microsoft TWC (http://social.microsoft.com/Profile/en-US/?user=Microsoft%20TWC)
How should we enhance security on the Internet without undermining social values, such as privacy and anonymity?

Thu, 03 Apr 2008 21:54:07 Z | 2009-10-30T21:40:05Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/9fe008b7-885d-4918-8c7a-73e66e6c435e
Dave Forstrom (http://social.microsoft.com/Profile/en-US/?user=Dave%20Forstrom)
Trust through Education and Responsibility

It’s been seven years since Microsoft introduced the concept of Trustworthy Computing. As was the case back then, it remains the same today… a computing system is only as trustworthy as its weakest link. And the weakest link is all too frequently human—whether it be poorly designed products, misconfiguration, features over reliability or falling victim to the latest social engineering tactic.

Recent focus group research conducted by Microsoft amongst three different generations—young adults, parents and professionals, and baby boomers—revealed a collective sense of resignation when it comes to control of personal information online. The notion being that once information is included online, control is invariably relinquished. And even more concerning was a clear gap that exists between general concern for online privacy, and the lack of understanding of the threats that exist online. While many participants disclosed they consider the privacy implications of their information sharing decisions, they take responsibility for their actions—albeit a shared responsibility at times—and the insights don’t necessarily change the online behavior.

On Jan. 28, National Data Privacy Day, Microsoft hosted a panel discussion with other industry experts at the SF Public Library that evaluated this focus group research. While it is clear that trust is central to helping ensure privacy and online safety, two of the key takeaways from the event focused on the important role of education and the consensus that achieving a trusted computing experience requires a shared responsibility.

Consumer security awareness programs and guidance, and more recently, online privacy awareness programs and guidance have been around since the dawning of the Internet era. With that in mind, what more can be done on the education front? Is it about going beyond prescriptive guidance? How can we connect with more people and catalyze a change in online behavior that further develops trust, but also enriches the computing experience? And at the end of the day, who should really be responsible?

Fri, 27 Feb 2009 09:05:45 Z | 2009-09-15T10:57:36Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/cfb26823-7009-4165-9657-48e60528b7d2
Red-Baron (http://social.microsoft.com/Profile/en-US/?user=Red-Baron)
What is this all about

Hi. I would like to know. This End-to-end trust, what is it? Is it a program, a service or a platform? And does it mean that MS controls and defines who you can and can't have in your "buddy list"?

Tue, 11 Aug 2009 17:53:38 Z | 2009-09-11T19:30:24Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/4e9d4d0e-f665-4f5e-8a4c-8cd971d38945
johnb267 (http://social.microsoft.com/Profile/en-US/?user=johnb267)
virus will not turn on

I try to turn on virus protection and nothing happens

Fri, 07 Aug 2009 01:01:47 Z | 2009-08-18T04:16:25Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/17746a47-d2fb-4f7a-bdca-90048fc28861
JAVAA (http://social.microsoft.com/Profile/en-US/?user=JAVAA)
How -- and who wants it?

If we are going to have a safer end-to-end "trust" situation, who is going to decide who is trusted? (Microsoft, The U.S. Gov., Visa, News Corp, or Euro Card?)

We should filter the internet on the client (AKA your computer), as that way we are all free to filter as we wish, with no risk that others may know or decide. Unregulated communication is also known as free speech. Ban framework, Spam blacklist, and phishing filter are also known as censorship.

Enjoy!

Sun, 04 May 2008 09:51:20 Z | 2009-06-28T15:31:27Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/08d936d5-6df5-4d24-9b34-39256d843135
Pappkartoosh (http://social.microsoft.com/Profile/en-US/?user=Pappkartoosh)
Round Robin HA LB Certificate shares and CA spoofing on untrusted hardware

With the dawn of Cloud computing I am trying to understand the strategic division of responsibilities where the cloud is involved. How is the CA enforced? Who would be the recovery key operators? and... at some point, how is the risk being assumed, and mitigated for Public holdings, and... In the US- aren't we tax funding the Public sector at some point? and... How do we embody the trust of the "an even and fair playing field" without driving up costs? How do we invite the world or start the international parlez?

Moderators,
Thanks for this forum. I apologize for my previous comments. As an explanation, I thought the rudimentary issues were being missed and things were a bit like a Sunday Morning News, call-in show... since I am soon to be unemployed, I was wondering if you had a certificate tree for "post" pre-qualifiers [production assistant]? ...for the Doctor, Doctor, discussions.

Fellow Professionals,
I was hoping we could get past the gruntings that keep leading us back to the Verdun or Kursk and we could skip the whole WW3 thing. From our perspective, you are biasing an economic and technical evolution in favor of your own society and it is not mature enough for that. From your perspective, given the history of man, you are probably wondering why we don't trust you as partners in that evolution. Our problems as I see it are;

1) Anonymity - value vs cost? Loaded gun syndrome...
behave Gust!
2) Public Health and safety - Value to all stakeholders in the context of long term goals vs short term goals with a perspective from the GuineaPig.
        a) Long Term - Fairness, Freedoms and access. Safety valves? Every patient needs an IV regulator and qualified nurse. So does that mean a new branch of military service? Homeland security basic training?
        b) Short Term - Public Investors, Degree and Institutional investments, Levies and taxes. Risk mitigation and scholarship funds.
        c) GuineaPig - The undisclosed investors and risk takers. Joe, bob, and the rest of us not in the planning discussions and behind the board or chamber meetings. From our perspective, encryption was free until financial institutions bought the patents and installed another hamster wheel. Could be for the best... glad I didn't see a "blood diamonds" equivalent on encryption. Then again... it isn't over. Bottom line, Winners and losers?
3) Acting with moral aptitude over short term self-interests. - We can not ask the world to do what we ourselves are not willing to commit to. License your software. Stop downloading movies you didn't pay for. For the love of future humanity curb your genetic instincts and be civil.

Even if that means you become unemployed...
like me.

Pappkartoosh
Just another speck in a Fibonacci sequence of stars about to be reordered by Andromeda

Wed, 24 Jun 2009 13:04:12 Z | 2009-06-24T13:04:12Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/50c3d7af-8db6-4dec-b118-50c58bf83f41
Paul Nicholas (http://social.microsoft.com/Profile/en-US/?user=Paul%20Nicholas)
A Trusted Stack Enables Critical Infrastructure and Homeland Security Capabilities

Securing critical infrastructures like banking, communications, energy, transportation and government services and delivering homeland security capabilities like border protection, emergency response and protecting against weapons of mass destruction requires that a broad set of stakeholders communicate, coordinate and execute time sensitive missions that depend on people, software, devices and data. The successful execution of those missions relies on one common element – trust.

Today, establishing trust across complex information technology systems and the Internet is almost impossible. The trust decisions we need to execute these operations are currently based on stated attributes of particular components such as a person or a device. Identities of people and devices are easily spoofed or faked. The ability of determined adversaries to erode trust in people, software, devices and data can have significant impact on operations. A breach of trust – bad data, counterfeit hardware, compromised software – can impede critical infrastructure operations and interrupt the flow of vital services or prevent the successful completion of homeland security operations.

The future of critical infrastructure protection and robust homeland security operations depends upon an industry wide effort to build a trusted stack encompassing hardware, operating systems, applications, data and people. Building a trusted stack will enable and enhance core capabilities in both the private sector and government. Emergency communication, information sharing, collaboration and operational response all benefit from a trusted stack.

The trusted stack cannot be built by one organization. It also cannot be rooted purely in technology. Infrastructure operators and governments have a role to play in advancing End to End Trust. What are the unique requirements of critical infrastructure and homeland security? What industry and research projects are already underway that may be a part of the trusted stack?

Fri, 27 Feb 2009 14:33:35 Z | 2009-06-23T17:39:32Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/65caeabd-9aa4-4235-9781-f673469daa28
Enterprisesoft (http://social.microsoft.com/Profile/en-US/?user=Enterprisesoft)
Global Action against Cyber crime

Sir

Terrorism and criminal activities are there, were there and always will be there; they will change their method from time to time and change their faces as required, types and structure, and take the help of technology and so on. And for that we will have to be well prepared. We don’t know from where Terrorism might start, but we will have to make a run time situation where there will be no chance to start any chance of Terrorism, and even if it happens there will be enough footprints to catch them.

Types of Cyber Crime:

Types of cyber crime are like this

  1). Unauthorized access into any Computer or Server, Website, E-Mails of International Organizations, Government Organizations, Banks or personnel for collecting information.
  2). Unauthorized use of name, logo, Format of International Organizations, Government Organizations, Banks for money transaction.
  3). Fake E-Commerce Sites.
  4). Building Porno sites.
  5). Blackmailing people by making or collecting nude pictures.
  6). E-Mail threatening.

Any of these attempts can make the whole nation or an individual’s life unstable.

Cyber crime protection:

Even though cyber crime detection and prevention is a tough thing, it is not impossible. For this we will have to work with a very big chain of government and technical organizations together, because a single person or a single country can’t do it. Steps should be taken from the root level.

  1). E-Mail id should be created and verified by Citizen ID card and Passport number, and this database can be verified from anywhere for that particular person. Like I want to create one ID in Gmail – when I register for the email, they will verify my ID and Passport number from our country Citizen Database server. Like this from any country for any person this verification is very important.

  2). Microsoft, IBM, SUN, Yahoo, Google, Intel and all other motherboard companies should develop and upgrade this Fingerprint technology, and this technology will be built in with each and every motherboard; every computer will run by its exact digital identity. E-Mail sites' registration policy should be integrated for fingerprint verification, to take the image of the fingerprint and save it into their database. Whenever any user wants to log in, he will be verified by his fingerprint. So the email subscription and hardware system must be integrated together.

  3). Serious punishment system for the crime, so that criminals know what will happen if they commit any crime and are caught.

  4). Software and applications should be integrated with country government servers globally; these applications can send and receive the data of daily new citizen ids, and the daily sales tax collection of every business and personnel. The ID Card database system is still not integrated globally to verify any id from any location, like from a bus station or any hospital.

These steps I can’t take on my own. They should be proposed by every country's responsible ministry and come to a decision. I know it might not be possible for now, but some day this will be the only way and technology to stop cyber crime and detect every single individual in the web.

I am an IT Professional. Even though I don’t have that much institutional educational background about IT, because 10 years back IT institutes had only started their activities, they were not properly organized and were so costly, so I had to build my IT career by myself.

I went to Saudi Arabia in 2001 and my age was like 25. I worked there at one of the biggest Furniture Companies, “ABDUL WAHED FURNITURE”, as the IT Manager for 5 years. I developed their ERP (Enterprise Resource Planning) Application, which supported 2 languages (Arabic, English), and seven branches were connected with WAN at runtime. Now I am trying to build my own Software firm “Enterprisesoft”, and some IT Consultancies.

I work with VB.Net, C#, ASP.Net, VB6, Javascript, SQL Server, ORACLE, MYSQL, Photoshop, Illustrator, 3DMax. Can build any type of complex Windows and Web based Database related Application.

Thank you very much for your valuable time. May God keep all of you and us Safe, Happy, and Healthy.

Riaz Rashedul Hassan
Road : 30, House : 439, New DOHS (4th floor), Mohakhali, Dhaka.
Phone : +8806662619432
E-Mail : enterprisesoft@yahoo.com

Fri, 10 Apr 2009 17:13:07 Z | 2009-06-23T17:21:57Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/6cc14a99-c38c-4e03-a26e-9bc63ed1a9af
K.Hamilton (http://social.microsoft.com/Profile/en-US/?user=K.Hamilton)
How and why have the prior attempts at building security into the Internet failed to achieve high user-adoption rates?

What have the previous attempts at building security into the Internet been? (S/MIME, OpenPGP, SSL/TLS client authentication, DNSSEC, IPsec, Kerberos, what others?) What have the essential characteristics of each been? What has been put into place, in each case, to mitigate the lack of adoption? What have people needed to do to implement them, that they haven't done?

Who have been involved with these prior attempts? Who had the money to throw at these prior attempts? Who had economic motivation to research it?

When were the prior attempts made? When were they standardized? How long have they been standardized?

Where have the prior attempts been made? Where have the highest adoption rates for each technology been? Where have the lowest adoption rates been?

How have the previous attempts at building security into the Internet failed to achieve high user-adoption rates?

Why have they failed to achieve high user-adoption rates?

To sum up the query of this post: What have the prior attempts done wrong?

Fri, 11 Apr 2008 03:21:40 Z | 2009-06-23T12:20:00Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/7cf0f9ad-43bc-4dbf-87c2-680f943acc9b
franblanda (http://social.microsoft.com/Profile/en-US/?user=franblanda)
trust, or protection?

Funny to raise the question "how can we trust each other if we don't know each other." Usually the question is "how can we protect ourselves from each other." I don't think we can ever get to the point where no protection is required. For example, I'm concerned enough that any old kind of network scares me, let alone networks that include people I don't know. I'd love to get remote access to my work and home PCs, but am skeptical about others having a look at all my stuff.

Thu, 11 Sep 2008 20:08:11 Z | 2009-06-23T05:30:52Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/610a2d92-6b9d-4cf0-a4e8-25d24328a003
Jleroux (http://social.microsoft.com/Profile/en-US/?user=Jleroux)
Anyone can connect to Internet today and pollute the Internet

It is sometimes good to compare with cars. Before you can bring a car to the market, one needs to go through severe quality tests. Once somebody has bought the car, every two years there will be a checkup of the car to see whether it is still capable of driving our roads.
On the Internet anyone can connect. Compare it with a polluting car that distributes huge black dust clouds each time the gas pedal is pressed. Police enforcement would remove such a car from the highway.
On the Internet a badly managed or even badly developed PC can connect and be used as a gateway to infect or disturb other people on the Internet. Something has to be done.

A secure stack? Sure, but that still leaves us with the huge ____ that will be used during the next ten years on the Internet? No one knows what the attack vectors will be by then and maybe the great protected systems of today will be turned into ____ also, leading to a status quo.

Why don't we educate people by giving them a license to run the Internet for the next six (two, one?) months. When the license expires they need to go to the PC maintenance desk. This could be done automatically by the ISPs. They will check out the systems, assure they are well managed and secured before they get another license.

Something to think about
Regards

Tue, 09 Sep 2008 14:44:20 Z | 2009-06-23T04:45:08Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/5eae0f57-38ef-4bec-9cb1-a4418ab0545e
Alan_Dale (http://social.microsoft.com/Profile/en-US/?user=Alan_Dale)
Let's get real!
Ban end user servers!

Would you support a ban from the net servers or countries that are unregulated and are known Phishers?

Beta Tester/ Check Press Technician

Thu, 17 Apr 2008 02:19:37 Z | 2009-06-23T04:33:06Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/ebf1d87a-e86e-47b6-a186-8a4608d6f13f
Firgelli (http://social.microsoft.com/Profile/en-US/?user=Firgelli)
business transactions

One end to end trust feature which would be helpful to online business transactions would be for financial institutions which allow their credit cards to be used for online purchasing to figure out some way to allow for an electronic signature, which only the cardholder has access to, and can be provided for proof of ownership and authorization for online purchases. This signature would allow a company to be paid for products or services purchased online.

Current situation:
Client orders product from online company, pays with credit card.
Client receives product, contacts credit card company and cancels transaction saying "I didn't make that purchase".
Credit card company reverses the transaction to online company.
The online company has no recourse to recover the product or receive payment because the financial company which owns the credit card requires a signature, and online companies have no current ability to obtain an electronic signature.

Fri, 17 Apr 2009 19:01:31 Z | 2009-06-23T04:10:05Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/ebf5d801-5637-48d8-8bb0-ef2b1a696398
Tim Rains (http://social.microsoft.com/Profile/en-US/?user=Tim%20Rains)
Enabling Better Trust Decisions

In the “Establishing End to End Trust” whitepaper Scott Charney discusses how a lack of accountability on the Internet ultimately makes it very difficult for users to make reasonable trust decisions (page 8, last paragraph).

Of course, there is plenty of data that supports the idea that sub-optimal trust decisions are being made all the time. For example, in the latest Microsoft Security Intelligence Report (http://www.microsoft.com/sir), one related data point that supports this is the explosive persistent growth of the threat known as Zlob. Win32/Zlob (http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Zlob) spreads primarily through social engineering. It typically poses as a media codec a user must download to watch video content downloaded or streamed from the Internet. Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake “spyware warnings” that are actually advertisements for rogue security software. Since the first half of 2007, Win32/Zlob has been the malware family most detected by Microsoft products by a wide margin. In the first half of 2008, it was removed from more than twice as many computers worldwide as the second most prevalent family (8+ million compared to 3+ million).

There are many other examples of threats that are very successful at using social engineering tactics. Prior to having the trusted stack as Scott outlines in the paper, and in the case of Zlob, where the user chooses to download and install a media codec, which typically involves accepting several prompts/warnings, what other information/data/warnings, etc. do you think would be more effective in warning and protecting users from such threats? Are more visual clues really going to be successful or is user education the essential ingredient that will ultimately work? I.e. what does the industry have to do to enable better trust decisions in the short term?

Mon, 16 Feb 2009 18:45:49 Z | 2009-06-23T03:55:48Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/46f720d9-03e4-4111-a349-ff88fbbc9c42
weyman suiter (http://social.microsoft.com/Profile/en-US/?user=weyman%20suiter)
nine ball virus am i protected

Just received an advertisement from Zone Alarm warning about the 9 ball virus. How can I tell if I'm protected from a specific virus??

Nine ball redirects from good website to bad website that infects through Adobe, Quick Time etc.

Copy/paste from Zone Alarm ad:

Nine Ball targets legitimate websites to redirect users to malicious sites owned by the attacker and infects PCs through a number of exploits, including Adobe Reader and Quick Time, without the user's consent or knowledge.
Once infected, anything the victim types can be monitored and used to commit identity theft, such as credit card numbers, passwords and more.

Sat, 20 Jun 2009 16:33:45 Z
2009-06-23T03:41:24Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/2f1646b3-cf0f-48e7-abfd-b19521fc7e68
Doug Cavit
http://social.microsoft.com/Profile/en-US/?user=Doug%20Cavit
Caller ID on the Internet?

We make trust decisions every day based on faces, past reputations, approaching cars, etc. As we’ve moved into new mediums we’ve had to build out new ways of making identifications and then make the appropriate trust decisions. Many of us every day get a call on our cell phone or at our house and instinctively look at the caller id to see who it is. Is it a friend, is it my boss, or is it someone I don’t know? With that one piece of information we have formed an opinion about whether we will answer the call, how we may greet the caller, and how much trust we’ll put into any conversation we have.

Today on the Internet there is no equivalent of Caller ID. There are email headers that claim to be everyone from Bill Gates to your own name offering fantastic deals or enticing you to a phishing site. There is no trusted way to establish the identity of that person that is sending you email, asking you to IM, or to visit their webpage. That ability to have a context to make a trust decision is lost without some definitive means to identify who it is that is contacting you.

The question is how do we bring identity and reputation functionality to the Internet in a way that not only enables trusted interactions but preserves choice and free speech? How do we get the equivalent of “call screening” where we can choose to only answer calls from people who identify themselves? How can we still allow the equivalent of “number withheld” to preserve anonymous free speech? In an End to End Trust world, do we need to have both?

Mon, 30 Mar 2009 23:45:05 Z
2009-06-23T03:33:36Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/fc48c1ab-66aa-4f15-8517-3d763aa504f4
john hamminga
http://social.microsoft.com/Profile/en-US/?user=john%20hamminga
Trust who? Trust why? That sounds easy, but it isn't. Trust works both ways. In general you will not be trusted on the internet, too many people snooping around, too many script kiddies having fun. But what about the things you don't see or hear about... All the traffic across the network is being monitored and judged. Not for snooping, but for things as trend watching and so on. You as a user will be a statistic.

What do you think about this line of thought...

John

Sun, 13 Apr 2008 09:57:58 Z
2009-06-23T02:45:18Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/02246009-e564-4a4d-acd2-8b1b5657170f
AtulShah
http://social.microsoft.com/Profile/en-US/?user=AtulShah
Static Passwords: Public Enemy Number One?

Capturing and misusing static passwords to spoof the identity of the victim is an all-too-common component of internet crime. The password might be captured by keystroke logging, a phishing or pharming attack, or by compromising an entire password database.

Consumers have a multitude of online accounts and most of these accounts require a username and a static password. Rather than struggling with creating and remembering a unique username and password pair for each account, most people resort to reusing a single username/password making them vulnerable to yet another attack vector: the honeypot.

Human nature prompts us to choose a password that is easy to remember so many passwords fall to simple dictionary attacks. But even cryptographically strong passwords are vulnerable to keystroke logging or other Man-In-the-Middle attacks.

Why haven’t more robust authentication solutions replaced the static password? Is it the cost of development/deployment versus the cost of compromised identities? What are the barriers to adoption blocking these more robust alternatives to static passwords? We can’t have all users carry multiple smart cards for two-factor authentication nor can we expect them to go through hoops every time they want to do something on the internet. So how can we remove these barriers and stop using this (static passwords) prevalent yet vulnerable means of authentication?

Thu, 19 Mar 2009 17:25:22 Z
2009-04-22T09:53:44Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/e7fbd5b0-17e6-4f27-87cf-1a629b87b979
Dave Forstrom
http://social.microsoft.com/Profile/en-US/?user=Dave%20Forstrom
End to End Trust: Seeing the End from the Beginning

A year ago last April, Scott Charney penned a new whitepaper around the vision of End to End Trust. He concluded with the following question: As we become increasingly dependent on the Internet for all our daily activities, can we maintain a globally connected, anonymous, untraceable Internet and be dependent on devices that run arbitrary code of unknown provenance? With growing concerns around the threat of cyber security in headlines, and online safety a major topic of focus at the World Economic Forum in Davos, Switzerland, it is clear the general public is becoming more acutely aware of these types of questions and how their lives are impacted, and how web security is evolving.

Such awareness is ultimately a good thing because out of this increased discussion and debate, we can begin to align the technology with the social, political and economic forces necessary to bring a greater level of trust to our online experiences, and that is the vision behind End to End Trust.

This forum was developed as an opportunity to ask all who care about online safety to join in a robust and meaningful discussion about building a more trusted Internet. The goal of End to End Trust is to further users’ control of their computing environments, increasing security and privacy, and preserving other values that we cherish such as anonymity and freedom of speech. In order to make that a reality, we must align social, economic and political requirements with IT capabilities.

As we look to address these challenges collectively as an industry, three questions have been top of mind at Microsoft and in the industry:

1) What are the appropriate ways to engage all of these disparate interests (social, economic, political and technological)?
2) How do we clearly identify and prioritize which problems need to be solved and in what spheres?
3) How can we catalyze the right actions (what) by the right parties (who) at the right times (when)?

Thu, 05 Feb 2009 06:08:42 Z
2009-02-05T06:10:16Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/91b1ebfb-064b-46d2-b4e7-45a59e421f3b
Groove Man
http://social.microsoft.com/Profile/en-US/?user=Groove%20Man
About Microsoft Office Groove and End-to-End web security

Today Microsoft has a terrific product on the market called Office Groove.

It
is based on a digital identity and a set of security rules and mechanisms that can provide, today, end-to-end user security either for the Enterprise and SMBs. It is even cross-firewall and works intelligently with Microsoft Outlook and SharePoint.

Moreover data is not centralized and can not be indexed easily without explicit user's consent (authorization).

Microsoft Office Groove is also perfectly suited for "Social Computing for Business" if we consider that Microsoft Office is a long term on everybody's desktop...

Furthermore, Live Mesh, which does not have a clear business model yet, can be considered as "an entry level and consumer approach", which complements very well Groove as it extends it to some extent "non Windows devices"

Just have a look and download a free trial version of Microsoft Office Groove 2007 from here
http://r.office.microsoft.com/r/rlidGrooveC108?clid=en-us or see the application integration potential on http://www.grooveit.biz .

Thu, 11 Sep 2008 16:17:10 Z
2008-09-11T16:56:17Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/cfa96a2f-f273-47d0-834b-e28dc6283326
Ibrahim Hasan
http://social.microsoft.com/Profile/en-US/?user=Ibrahim%20Hasan
Microsoft Windows XP Security Issues

I was just wondering how Microsoft keeps writing and saying in all different kinds of documentation that security is an important issue.
It's the most thing that Microsoft recommends (secure your infrastructure).

At the same time all the security depends on the administrator password. I mean if anyone finds out the administrator password then he/she could break all the security that is applied.

What really concerns me is that the administrator password could be easily hacked. Just with the use of a cd-rom drive, using only the Windows XP installation cd.

My question is: Why recommend so much security and apply it all and then just have the administrator password be cracked in the simplest way possible?

Thu, 05 Jun 2008 10:19:22 Z
2008-08-07T06:08:19Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/12015bcd-c7be-4641-b91d-de1ff3602c04
Trend_v1
http://social.microsoft.com/Profile/en-US/?user=Trend_v1
A frank point about trust if this initiative is to be a success

I think that if you (Microsoft) want to be successful in end-to-end trust (which reminds me of the initial memo Bill Gates wrote at the time of "trustworthy computing"), there is one VERY important thing you need to understand: to the "general" population, Microsoft and Windows (which are probably synonyms for most people) are held in low-to-average trust. And to succeed, this initiative needs to create an average-to-high level of trust in MS and Windows, which are the de facto backbone of personal computing (Linux does not have this problem, not being strongly tied to money). If this condition is not satisfied for people, the initiative will fail, because as in security, trust relies on the weakest link.
If the minimum level of trust is not "average", then there's a door open to doubt and mistrust, which tend to mess with your whole system given enough time.

To be more precise, since I'm using general ideas, I'd say that:
- the idea of Trusted Computing (a domain I've worked on for the last 2 years in one of the most successful European projects) for personal computing is doomed to fail in its current shape, because (from the words of some of the TC proponents) it's targeted only at business applications
- MS must improve drastically its level of transparency (forums are a good start, but it won't work if MS does not create a real communication and debate), possibly explaining in a more open way why it took its decisions

I believe that MS can achieve this level of trust in the next decade, but it must really step up to the challenge by facing the current situation with courage and honesty: you're not viewed as "trustworthy" for a plethora of reasons that you must list and address.
Only from there can you build a path to where you want to be.

.hack

Tue, 15 Apr 2008 08:42:38 Z
2008-06-19T00:15:52Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/063a4ddd-0f86-47be-9bfa-9f455e5197bd
Microsoft TWC
http://social.microsoft.com/Profile/en-US/?user=Microsoft%20TWC
How do we, and how should we, build a Trusted Stack that enables a safer, more trusted Internet?

Thu, 03 Apr 2008 23:03:03 Z
2009-04-22T12:11:50Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/b7dcc06b-55ce-4967-aa92-2f6405eecba7
Microsoft TWC
http://social.microsoft.com/Profile/en-US/?user=Microsoft%20TWC
How do we create economic incentives to drive a more secure, and privacy-enabled Internet?

Thu, 03 Apr 2008 23:03:50 Z
2008-06-19T00:15:52Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/ec41d82e-2b9e-46f9-972b-00ab9fe6cf7f
noeldp
http://social.microsoft.com/Profile/en-US/?user=noeldp
Avoiding Multiple PII-aware Credential Stores by Reusing Email Logons as Credential Services

The exposure of our PII (Personally Identifiable Information) is directly proportional to the number of locations at which we are required to share any part of it.

We are asked to share PII related to credentials over and over again because each resource store and service manages its own credentials.
Most sites require or request some level of contact information (name and address, phone etc), an email address (so the credentials setup workflow can get email 'certification') and some level of personal related data such as password recovery questions.

Whether or not we enter truthful information, this is invasive of privacy and many people do expose their email address and other information over and over again, and their address if necessary for delivery. Each PII exposure is another attack surface.

Part of the solution is therefore to reduce PII-aware credentials stores. Trusts are a critical enabling element.

My proposal is simple. Reduce PII exposure by reusing email logons as real-time Trusted credentials services.

Most credentials services already utilize email as a 'slow' Trusted Credential! How many websites and services have you used that have initial credentials setup workflow and password recovery workflow that flow through messages and responses via the person's email address? It is ALREADY assumed in other words, by a majority of 'secure' sites today, that the person's email logon service is the Trusted Credentials Service, because the person's email is as a matter of fact the primary means of establishing trustworthy identity and of maintaining password security. This is a very high threshold of Trust!

I like solutions that build on practices that are already accepted and infrastructure that is already in place. In this case, email based Trusted Credentials Services can very likely be enabled by simply reusing existing email services and existing SSL certificate stores and workflow practices with a bit of standards tweaking by a canonical industry group or government standard for Trusted Credentials Services certification.

Then Verisign and other Trusted Certification Groups can issue Trusted Credentials Service certificates, just as they do with SSL, and perhaps as a simple additional signature on existing SSL certificates, for email providers that meet industry or government established processing and policy standards for Trusted Credentials Services. Consumers of the Trusted Credentials Services certificates configure their systems to trust any certificate issued by a Trusted Certification Group, for example Verisign or Thawte, just as they do today with SSL certificates.

The workflow implementation is also simple. Email logon providers that meet the industry or government certified Trusted Credential Service standards, must allow logon workflow coming from another website or service to trigger display of an SSL secured logon page within the service's namespace, process the entry of user credentials within the email service's own SSL encrypted web page or alternative credentials workflow, and then return to the originating website or service with their Trusted Credentials Service digital certificate (just like SSL) plus a unique User ID within the Trusted Credential Service namespace. The User ID part is unique and constant but otherwise meaningless. This means the user logon provisioning and use at a Trusting website or service, does not require the user to share any PII at all to have a trusted identity within the accessed website or service, not even the user's actual email address, to complete a Trusted Credentials Service logon. This greatly reduces the PII and credentials exposure surface.

Each individual website or service can use the Trusted Credentials Service namespace plus the unique User ID, for example 08120438924084@gmail.com (this is NOT their email address!) to provision a unique account within the directory namespace and/or database(s) of that website or service.
Each website and service does NOT need to have the user create a logon within their own namespace, or ask for or store any of the user's PII, or handle any user passwords or password recovery workflow. This offers a major relief to exposure risk, to each website and service.

The data collected within any particular website or service to establish specific user information, rights, and accounts within that individual website or service, can also therefore stay entirely within that website or service without ever sharing them outside that namespace. While perhaps worth doing in some cases as a customer service or business requirement, any provisions for doing so are beyond the scope of this proposal, and carry other risks and challenges.

Mon, 21 Apr 2008 05:14:15 Z
2008-06-19T00:15:52Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/60502672-288e-41dc-ab0a-2a65c2d8d6dd
Alex Todd
http://social.microsoft.com/Profile/en-US/?user=Alex%20Todd
Security and Privacy are inadequate conditions for Trust

Although Scott Charney's whitepaper "Establishing End to End Trust" competently addresses many trust issues in the way of realizing the full potential value of the Internet, I am concerned that Microsoft's approach of trying to solve these broader trust issues by simply improving security and privacy is seriously misguided.

Risk management practices, such as information security, serve to protect existing levels of trust from eroding. They do not help to establish or develop trust. Authentication only establishes trust in the identity of the other party (that they are who they say they are). It says nothing about the validity of any other consequential information being communicated by that party. Similarly, most privacy protection practices primarily protect from undesirable use of personally identifiable information, but are relatively ineffective in helping individuals develop sufficient trust that their private information is being used appropriately.

End to End Trust needs to be founded on a comprehensive framework that addresses two overriding trust objectives: 1) Developing Trust; and 2) Protecting Trust. From what I have read so far, most of the discussion appears to focus on the latter.

- Alex
www.TrustEnablement.com

Optimizing stakeholder trust for breakthrough business performance

Sat, 12 Apr 2008 18:41:31 Z
2008-06-19T00:15:52Z

http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/afd45311-079e-4004-bdce-632f4ea73497
K.Hamilton
http://social.microsoft.com/Profile/en-US/?user=K.Hamilton
Certification Authorities and why they don't work -- and a proposal how to fix it

INTRODUCTION
============

Under most certificate policies and certificate practice statements, it is extremely difficult to separate the notion of 'identity binding' from any concept of 'real-world identity'. RFC3647 reinforces this, by such language as "Identification refers to [...] establishing that a given name of an individual or organization corresponds to a real-world identity of an individual or organization[...]".

Unfortunately, many Internet communities exist which do not have any concept of "real-world identity" -- the closest they have is an account name and possibly an email address. If there was an insistence on "real-world" identity for binding (as there has up to this point), there are many ways that such an insistence would and could cause problems in end-user acceptance.

First, there is the notion of "identity theft." This is a class of criminal activity within which personal information about a person is obtained and used to open fraudulent credit accounts. This is a problem because X.509 certificates, by their very nature and reason for existence, have a fair amount of information about the identity they bind with the public key. This information is "public knowledge" to whom the principal chooses to attempt to authenticate to -- it is not protected by any kind of encryption when it is embedded into the certificate. This information exposure is much more severe than generally necessary to interact with others on the Internet.

Second, there is a notion of "social identity" -- the pseudonyms which people use for pseudonymity on the Internet, and the contexts within which they are used. Within the social spheres that users find themselves in, pseudonyms are often encouraged or mandated; the ability to use those pseudonyms is often protected by passwords or other authentication/authorization mechanisms. This is a natural outgrowth of the concept of "identity", as brought into the online realm. (When there is no protection of pseudonymous identity, there is no way to maintain a moniker or nym to protect others from sabotaging relationships formed in the online community -- a notion of "social identity theft".)

Third, because there is such a concept of pseudonymous interaction in Internet social spaces, there is no real way to use certificates issued under the guidance of RFC3647 to identify the person with whom you are interacting -- there is simply no way to know the real-world, legal name of the entity you interact with. Even if you know someone's email address, if you try to sign up to a site that uses your legal name and then invite someone you met and interacted with under a pseudonym to take part in that site, there's no way to distinguish that from a spam message from some random person they do not know. If your legal name never comes into play, your legal name is less useful than the pseudonym in the relationship you have with others who have interacted with your pseudonymous persona.

Fourth, there exist truly only a limited number of ways that legal, real-world names are truly necessary. All of them involve legal contexts -- contracts (such as eBay), credit applications, fiduciary relationships, warranty service, monetary transfers (and even then, cash generally has no identity requirement when it passes from hand to hand). The rest of the time, the legal identity is not necessary to divulge -- and given the social climate of our time, it could even be dangerous to divulge. (Bloggers have been fired for expressing opinions critical of their employers, and teachers have been warned not to use Myspace.com because it could "give the appearance of improper teacher-student relations", just to give two examples.)

Fifth, there's even confusion about what a digital signature is, what it obligates a party to, what it means, and what kind of liability it opens up. Various laws have been passed to make certain kinds of contracts enforceable if signed digitally, but no guidance has been given as to what it means or how to identify when a contract is being signed in a context that would be enforceable.

In light of these concepts, it is simply unthinkable that people are going to use cryptography with strong legal-identity binding tokens for anything but the most serious of contexts -- contexts which are usually handled offline anyway.

Because of this, there has been no clamor to obtain the digital equivalent of photo IDs; without the IDs being issued there has been no need to support the infrastructure required to make them workable. Free email services abound, such as Hotmail -- but Hotmail modifies messages that are sent through it. This makes it impossible to use S/MIME or message signing with it because it changes the content, and thus changes the message's hash from what was signed, thus causing verification errors.

When someone tries to use (for example) Thawte's Freemail email-signing certificates with Hotmail using Outlook Express, they get frustrated because it Just Doesn't Work. (I'm very good at getting cryptographic systems to work, but even I couldn't do it. I had to give up.)

So, I propose a new way of looking at identity. I propose a new way to make the system work, and be used much more often than it is now. I propose something I like to call "context-dependent identity".

CONTEXT-DEPENDENT IDENTITY
==========================

At its core, context-dependent identity is simply a recognition of the different contexts that we form relationships within.

Each context has an identity arbiter -- that is, an entity responsible for making sure that only the entity authorized to claim an identity can use that identity. (In most cases, this is the login server -- in Windows domains, it's the domain controller for the domain that a user's account is in; in HTTP parlance, it is the keeper of the passwords for the realm to which one authenticates, and so on.) There are several things to note about this setup:

1) Name/moniker collisions can occur between different contexts. This means that the name of the context MUST be made part of the full moniker, as well as the unique name within that context.
2) There is no necessary linkage of context-identity to real-world identity.
3) The legal, real-world identity is simply a named identity within the context of the legal system in the real world. The identity arbiter there is called "government".
4) "Context Identity Arbiter" abbreviates to CIA. I'm going to shorten that simply to "Context Arbiter", which not-so-coincidentally has the abbreviation CA. This is fortuitous, because the context arbiter already essentially performs the functions online that a Certification Authority does to enable identity verification offline.

It is also necessary to recognize that because there is no way to enforce a "high standard" for proof of authorization to use a given identity in any given context, the requirements for the Certifying Authorities in each context do not need to be artificially elevated. Indeed, another point about each context is this:

5) Every context is disconnected, and the identity arbiter of each context is sovereign.

What this means is simply that there is no reason to enforce that any commercial CA give its nod of approval to any context to operate. Every context should have and offer its own self-signed root, unless it wants to try to obtain delegated trust from a commercial CA with a wildly different certificate issuance policy. (Honestly, if a commercial CA were to delegate trust like this, I'd look askance at it and wonder how it could pass an audit.)

Now, you're probably thinking I'm nuts at this point -- "but root management is already a pain!" Well, yes. It is a pain. But, there is actually precedent here. Fairly recently, representatives of most of the commercial CAs and browser/security library vendors all got together to figure out The Problem Of SSL/TLS Certificate Trust. What they ended up creating was something called an "EV certificate", with the letters EV standing for Extended Validation. It is these certificates which are going to be used for banks and other entities with fiduciary trust. The roots which are allowed to sign EV certificates are marked specially inside the certificate stores of the browsers and security library vendors as being enabled for EV usage. EV certificates are marked with a specific, new (non-critical) object identifier and must be signed by an EV-enabled root.

In the same vein, I propose a new class of roots called "context validation" or "context sensitive validation" or maybe even "realm validation". (I daresay it'd come down to wanting to call it "CV", "CSV", or "RV" certificates -- "RV" does have the advantage of also expanding to "recreational vehicle", which might help unconsciously link the certificate type with the type of environment it is suited for.) These certificates would have several important behaviors:

1) be downloaded on a case-by-case basis from URLs embedded in their issued certificates
2) be untrusted-by-default, even when they're cached into the local certificate store
3) have only minimal trust assigned to them at all even if explicitly marked as trusted
4) automatically be put into the 'trusted' store (remember, minimally-trusted at the highest) if a certificate with a public key for which the store has a private key is put into the personal certificates store

Now, the reason why I say that identity arbiters are sovereign and thus should not need an external CA to sign them is simply because it's already very easy to just pick up a forum software and install it. Bam, you've got a username/password database with some metadata, and you can authenticate against it, and thus have a full identity context. Nobody's going to want to go through any process that raises the barrier to entry... but there's also the fact that you cannot know anything cross-context/cross-realm. Slashdot cannot know if 'winged' there is the same entity as 'winged' on Livejournal, and vice-versa. (they're not.) Or winged@slashdot.org being the same entity as winged@everything2.com. (they are.)

Because of this, it makes no sense to try to automatically trust all realm authorities by delegating trust from any central point. Because it's impossible to know whether a given name is the same across multiple realms... well, the only way that it can be treated is that they are two entirely separate identities. That brings up one of the limitations:

1) As a relying party, you absolutely cannot rely on consistency in self-reference by other entities. (Meaning, you cannot assume that other entities will automatically and always use the same identity from the same identity context every time they contact you.) They can change identity contexts -- and thus identities -- at the drop of a hat. This makes 'limit one free sample per customer' giveaways impossible to enforce, unless they are limited to one or two realms -- and even then, if those realms allow for multiple accounts by the same entity, it's impossible to rely on that for single-user-single-identity constraint.

2) You cannot automatically trust any community that you're not already a part of; you also cannot automatically distrust any community that you are already a part of. (If you have joined an identity context, you have stated essentially that you trust the identity arbiter to ensure that your identity in that context is solely yours.)

The reason for #2 is because anyone (and I do mean anyone) can just set up an identity arbiter. In fact, if we're going to look at a trusted network stack, everyone MUST. I would recommend that every computer that has user accounts have an identity arbiter CA set up, as well as allowing people to create their own easy-to-manage CAs for their own purposes -- and that network apps be able to request their own keys and their own certificates. This last could be a function of the 'proxy certificate' profile, expressing that a given identity is delegating user trust to the component that is performing the task that has been requested of it.

INTERACTIONS WITH FOREIGN CAs
=============================

For various reasons, it is sometimes necessary to have attributes with higher trust associated with these lowest-trust RV certificates. In order for this to occur, the same public key must be signed with multiple different certifications -- one of which asserts some aspect of the real-world identity (such as citizenship, whether at the time the certificate was signed the entity had the capacity to enter into legal contracts as a function of current residence address and age, whether the entity was subject to COPPA scrutiny [and perhaps who needed to be contacted for permission to store data about the COPPA-covered entity], or any number of other issues) and is signed by a higher-trust CA, another of which indicates membership in an online community and is signed by the context arbiter.

There currently exist no protocols for multi-CA token assertion. This is an area that requires more study and discussion.

Possible talking point: 'should the signed data block from the higher-trust provider be embedded into the certificate issued by the lower-trust context arbiter to prove that the context arbiter was aware of the more-trustworthy assertion related to the entity?'

<div>Another: 'Should a higher-trust timestamp, such as one generated by Verisign's timestamping authority, be embedded into the lower-trust certificate to prove the time of certification by the context arbiter?'  
(Since time is one of the largest issues in the application of cryptography today, that question truly does need to be addressed.)</div><div><br></div><div>Another: 'Should a client that doesn't trust a given RV arbiter be able to extract the information from the embedded certifications made by higher-trust authorities and trust it, even without trusting the RVCA?'</div><div><br></div> Fri, 11 Apr 2008 03:24:17 Z2008-06-19T00:15:52Z
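The four certificate-store behaviours and the multi-CA certification of one public key described in the post above, sketched as a relying party's trust-evaluation model. This is an added example, not part of the original post: the class names, trust levels, root names and attribute names are assumptions, signature verification is assumed to have happened already, and dropping assertions from untrusted roots is only one possible answer to the post's last open question.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Trust(IntEnum):
    NONE = 0      # cached but untrusted (behaviour 2)
    MINIMAL = 1   # ceiling for any RV root (behaviour 3)
    HIGH = 2      # conventional higher-trust CA root

@dataclass(frozen=True)
class Cert:            # assumption: signature was already verified
    issuer: str        # name of the signing root
    key_id: str        # fingerprint of the certified public key
    attrs: tuple = ()  # (name, value) pairs asserted by the issuer

@dataclass
class Store:
    roots: dict = field(default_factory=dict)   # name -> (is_rv, Trust)
    private_keys: set = field(default_factory=set)
    def cache_rv_root(self, name):
        # Behaviours 1-2: fetched on demand, cached, still untrusted.
        self.roots.setdefault(name, (True, Trust.NONE))

    def mark_trusted(self, name):
        is_rv, _ = self.roots[name]
        # Behaviour 3: explicit trust in an RV root is capped at MINIMAL.
        self.roots[name] = (is_rv, Trust.MINIMAL if is_rv else Trust.HIGH)

    def add_personal_cert(self, cert):
        # Behaviour 4: we hold the private key, so we joined this context.
        if cert.key_id in self.private_keys and cert.issuer in self.roots:
            self.mark_trusted(cert.issuer)
    def trust_of(self, cert):
        return self.roots.get(cert.issuer, (True, Trust.NONE))[1]
    def attributes(self, certs):
        """Merge assertions made by several CAs over one public key."""
        if len({c.key_id for c in certs}) != 1:
            raise ValueError("certificates do not bind the same public key")
        merged = {}
        for c in certs:
            level = self.trust_of(c)
            for name, value in c.attrs:
                if level > merged.get(name, (None, Trust.NONE))[1]:
                    merged[name] = (value, level)
        return merged

# Constructed sample: one key certified by a forum arbiter and a higher-trust CA.
MEMBER = Cert("forum.example", "key-1", (("member_of", "forum.example"),))
LEGAL = Cert("HighTrustCA", "key-1", (("can_contract", True),))
```

Each merged attribute carries the trust level of the root that asserted it, so a caller can tell a community-membership claim (at most `MINIMAL`) from a real-world claim (`HIGH`) even though both are bound to the same key.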