[mdx] what to trust
Ian Young
ian at iay.org.uk
Tue May 5 08:18:52 PDT 2009
On 4 May 2009, at 22:28, Leif Johansson wrote:
>
> So I've been playing around trying to model the architecture and I'm
> trying to understand how to model trust. Specifically I'm working with a
> simple model
>
> * EntityMetadata
>   - carries the actual metadata
> * Location
>   - a place where metadata resides
> * Authentication
>   - a reason to trust metadata
>
> Right now my feeling is that EntityMetadata is associated with 1 or more
> Location (an EntityDescriptor can come from several places) and that a
> Location is associated with 0 or more Authentication instances, i.e.
> trust in metadata is dependent on both what is used to establish technical
> trust (e.g. a signature) as well as the location from which the metadata
> was obtained.
I'm not sure whether the concept you want is "location" (where you
happened to get the metadata from, say some URL) so much as let's say
"origin" (where the metadata came from). One difference is that I
don't think we'd want to take much trust out of where you happened to
get an aggregate from, given DNS vulnerabilities and a reluctance to
get trust out of TLS. Integrity of the channel shouldn't be important.

The way I think I'd look at it is that the signature is evidence
you're using to bind the metadata you've received to a publisher and
their practice statement, which works independently of the way the
metadata gets from the publisher to you.

One place that turns out to be a little wrinkled is the case of a
publisher with multiple practice statements. That's not common today,
but what Josh is talking about may fall into this category and of
course the case of a federation operator who wants to co-locate
registration and publishing with different guarantees is similar.
You could distinguish the practice statement associated with an
aggregate by the key used for signing, if the publisher had many keys.
Alternatively you might use the EntitiesDescriptor/@Name to
distinguish: for example, we might publish @Name='http://ukfederation.org.uk'
to members under one practice statement and
@Name='http://ukfederation.org.uk/registered' to other aggregators under
a second practice statement. This second idea doesn't work,
unfortunately, for single EntityDescriptor element documents as they
don't have a "who says so" attribute separate from the @entityID. I
guess we could fix that by (in the new publishing protocol) always
wrapping single entity documents in a separate EntitiesDescriptor, but
that sounds pretty unpleasant too.
-- Ian
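The trust decision sketched in this message, written up as an added example (not code from the thread or from any federation's tooling): the signer of a metadata document, not the URL it was fetched from, selects the publisher, and EntitiesDescriptor/@Name then selects which of that publisher's practice statements applies; a bare EntityDescriptor carries no @Name, so the policy can only key on the signing key. Assumptions: the XML-DSig check is stood in for by an HMAC tag over the serialized document (the standard library has no XML signature support; a real deployment would run an XML-DSig verifier against the publisher's certificates), and the key ids, secrets, practice-statement labels and sample documents are all constructed here.

```python
"""Trust decision for a received SAML metadata document.

Policy inputs are (a) which trusted publisher key verifies the document and
(b) EntitiesDescriptor/@Name when present. The fetch location is recorded
but deliberately not consulted, following the thread's point that channel
integrity should not be a trust input.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed publisher keys: key id -> secret. Stand-in for the publisher's
# X.509 signing certificates that an XML-DSig verifier would check.
PUBLISHER_KEYS = {
    "ukf-key-1": b"constructed-secret-for-key-1",
    "ukf-key-2": b"constructed-secret-for-key-2",
}

# Constructed policy: (key id, @Name) -> practice statement label.
# A None @Name entry is what a bare EntityDescriptor (no @Name) resolves to.
POLICY = {
    ("ukf-key-1", "http://ukfederation.org.uk"): "members-statement",
    ("ukf-key-1", "http://ukfederation.org.uk/registered"): "aggregator-statement",
    ("ukf-key-1", None): "members-statement",
    ("ukf-key-2", None): "registration-only-statement",
}


def sign(doc: bytes, key_id: str) -> str:
    """Stand-in signer: HMAC-SHA256 tag over the document bytes."""
    return hmac.new(PUBLISHER_KEYS[key_id], doc, hashlib.sha256).hexdigest()


def identify_signer(doc: bytes, tag: str):
    """Return the trusted key id whose tag verifies, or None if none does."""
    for key_id, secret in PUBLISHER_KEYS.items():
        expected = hmac.new(secret, doc, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            return key_id
    return None


def document_name(doc: bytes):
    """EntitiesDescriptor/@Name, or None for a single EntityDescriptor."""
    root = ET.fromstring(doc)
    if root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        return root.get("Name")
    return None  # bare EntityDescriptor: no "who says so" attribute


def trust_decision(doc: bytes, tag: str, fetched_from: str):
    """Map a received document to (key id, practice statement), or None.

    fetched_from is accepted so the caller can log provenance; it is not used
    in the decision, so the same signed bytes get the same answer from any URL.
    """
    key_id = identify_signer(doc, tag)
    if key_id is None:
        return None  # unknown signer or tampered document: reject
    name = document_name(doc)
    statement = POLICY.get((key_id, name))
    if statement is None:
        return None  # known key but @Name not covered by any statement
    return key_id, statement


# Constructed sample documents.
AGGREGATE = (
    f'<EntitiesDescriptor xmlns="{MD_NS}" '
    f'Name="http://ukfederation.org.uk/registered">'
    f'<EntityDescriptor entityID="https://idp.example.org/idp"/>'
    f'</EntitiesDescriptor>'
).encode()
SINGLE = (
    f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/sp"/>'
).encode()

if __name__ == "__main__":
    tag = sign(AGGREGATE, "ukf-key-1")
    print(trust_decision(AGGREGATE, tag, "http://mirror-a.example/agg.xml"))
    print(trust_decision(AGGREGATE, tag, "http://mirror-b.example/agg.xml"))
    print(trust_decision(SINGLE, sign(SINGLE, "ukf-key-2"), "http://x.example/sp.xml"))
    print(trust_decision(AGGREGATE + b" ", tag, "http://mirror-a.example/agg.xml"))
```

Note that for a single EntityDescriptor the policy lookup uses `None` as the @Name, so a publisher with several practice statements can only be told apart by which key signed it, which is exactly the gap the message describes.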